New attack on WPA/WPA2 using PMKID

hashcat Forum thread: https://hashcat.net/forum/thread-7717.html
RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-08-2018

No, the PMKID is not encrypted garbage and can be useful (in some cases).

Running WPA2, the PMKID is calculated by this function:

```
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
```

The PMK is calculated:

```
PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256)
```

Running SAE MESH, the PMKID is calculated by this function:

```
PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)
```

The PMK is calculated:

```
PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r)
```

Both of them (PMKID and PMK) are secured by KCK algorithm.

...will say, that there is a relationship between PMKID and PMK, regardless of PBKDF2, EAP, SAE and the PMKID is not garbage.

And you're absolutely right: We must beat the EAP negotiation and/or we must beat the SAE authentication (which is really hard core).

RE: New attack on WPA/WPA2 using PMKID - codeme - 11-09-2018

> (11-08-2018, 06:22 PM)ZerBea Wrote:
> No, the PMKID is not encrypted garbage and can be useful (in some cases).

Gotcha! We cannot compute the PMK because the HMAC-SHA1 is computed on the EAPOL header?
RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-10-2018

If you mean, that we have two steps, you got it:

- step1 = derivation of Plainmasterkey (PMK), for example by PBKDF2
- step2 = derivation of Pairwise Transient Key (PTK) to get access to the network (EAPOL 4/4 handshake)

Let's take a look at SAE (sae4way.pcapng):

- packet 4 and 5 contain the commit messages from client (4) and access point (5)
- packet 6 and 7 contain the confirm messages from client (6) and access point (7)
- the PMK is calculated from packet 6 and 7 (`PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r)`) and used by the following EAPOL handshake (packet 10, 11, 12, 13)
- packet 10 contains a PMKID calculated by `PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)`

Laboratory environment:

```
$ hcxdumptool -I
wlan interfaces:
c83a35c24fbc wlp39s0f3u4u4 (rt2800usb) = SAE client
c83a35ce463f wlp39s0f3u4u1 (rt2800usb) = SAE access point
c83a35cc88c9 wlp3s0f0u1 (rt2800usb) = hcxdumptool
```

used adapters: TENDA W311U+ (cheaper than ALFAs, less power consumption, driver well supported, and more... - I like them)

latest hcxdumptool is used to capture traffic.

Latest hcxpcaptool is able to parse a SAE4way handshake to hashcat.
So please use it for this example:

```
$ hcxpcaptool -o saetest.hccapx -z saetest.16800 sae4way.pcapng

summary:
file name....................: sae4way.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.16-arch1-1-ARCH
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 15
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 1
probe requests...............: 1
probe responses..............: 1
association requests.........: 1
association responses........: 1
authentications (SAE)........: 4
EAPOL packets................: 7
EAPOL PMKIDs.................: 1
best handshakes..............: 1 (ap-less: 0)

1 handshake(s) written to saetest.hccapx
1 PMKID(s) written to saetest.16800
```

The calculated PMK (`PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r)`) from the SAE authentication is:

```
3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
```

we store it in our wordlist (sae4way.pmkfile)

Let's verify the PMK by hashcat using hashmode 2501:

```
$ hashcat -m 2501 saetest.hccapx sae4way.pmkfile
hashcat (v5.0.0-52-g2aff01b2) starting...

Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-EAPOL-PMK
Hash.Target......: mynet (AP:c8:3a:35:ce:46:3f STA:c8:3a:35:c2:4f:bc)
Time.Started.....: Sat Nov 10 10:29:28 2018 (0 secs)
Time.Estimated...: Sat Nov 10 10:29:28 2018 (0 secs)
Guess.Base.......: File (sae4way.pmkfile)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1603 H/s (0.00ms) @ Accel:512 Loops:1024 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
Hardware.Mon.#1..: Temp: 44c Fan: 29% Util: 52% Core:1657MHz Mem:5005MHz Bus:16

c073532f1526da27c4c96b6f8031a027:c83a35ce463f:c83a35c24fbc:mynet:3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
```

hashcat verified the PMK, successfully!

Let's verify the PMKID by hashcat using hashmode 16801 (we will fail epically...):

```
$ hashcat -m 16801 saetest.16800 sae4way.pmkfile
hashcat (v5.0.0-52-g2aff01b2) starting...

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PMK
Hash.Target......: ea5aad4e27b22c46f883737ca5a058bd*c83a35ce463f*c83a3...6e6574
Time.Started.....: Sat Nov 10 10:28:12 2018 (1 sec)
Time.Estimated...: Sat Nov 10 10:28:13 2018 (0 secs)
Guess.Base.......: File (sae4way.pmkfile)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2459 H/s (0.00ms) @ Accel:512 Loops:1024 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
Hardware.Mon.#1..: Temp: 39c Fan: 29% Util: 1% Core:1911MHz Mem:5005MHz Bus:16
```

As expected, we failed to verify the PMKID, because it is not calculated by `PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)`

Keep in mind:
This example is not(!) a SAE crack!
This example is not(!) a WPA3 crack!

RE: New attack on WPA/WPA2 using PMKID - SoulScavenger - 11-11-2018

> (10-30-2018, 11:02 PM)ZerBea Wrote:
> These questions are already answered:

Okay. So if I capture PMKID how can I know from which AP is it?

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-11-2018

All information is stored in the hashline:

```
PMKID*MAC_AP*MAC_STA*ESSID
```

If we use the hashline from this thread: https://hashcat.net/forum/thread-7717-post-42759.html#pid42759

```
ea5aad4e27b22c46f883737ca5a058bd*c83a35ce463f*c83a35c24fbc*6d796e6574
```

and feed it to whoismac:

```
$ whoismac -p ea5aad4e27b22c46f883737ca5a058bd*c83a35ce463f*c83a35c24fbc*6d796e6574

ESSID..: mynet
MAC_AP.: c83a35ce463f
VENDOR.: Tenda Technology Co., Ltd.
MAC_STA: c83a35c24fbc
VENDOR.: Tenda Technology Co., Ltd.
```

you will get all the information you need.
BTW: Added also an improved filter mode (3) to latest hcxdumptool:

```
3: use filter list as target list in receiving branch
only receive APs and CLIENTs in range, from the filter list
```

You will see only the networks from the filter list...

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-15-2018

If anyone is interested in SAE example (sae4way.pcapng) from here: https://hashcat.net/forum/thread-7717-post-42759.html#pid42759

These are the SAE keys to calculate it "by hand":

```
Password: password
KeySeed:1a18989a424cdc2d510a49d87b6d064bf09f195b22efc61d12b4c879fbf72da4
K:a256ed5947222f09e2a01b949b922a62df41273169a21e1dc004f495463f3675
KCK:50e887ab00ddf30e8ed0c89ab9d670c1e1256817ecd76f7180c83ee36ce82788
```

and the resulting PMK and PMKID:

```
PMK:3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
PMKID:ea5aad4e27b22c46f883737ca5a058bd
```

And keep in mind:
This example is not(!) a SAE crack!
This example is not(!) a WPA3 crack!
it's just mathematics...

RE: New attack on WPA/WPA2 using PMKID - dojo_mast3r - 11-16-2018

Super stuck on this, after spending hours trying to crack a simple 123456789 wifi password I had no luck. Then I realized when I convert my dump file I get this.

Code:

```
summary:
```

I'm guessing read errors = yes is a bad thing, that would explain why the hashes are uncrackable. I am currently creating the dump from my wifi pineapple, I formatted the SD and also reinstalled all the packages with no luck, any advice at all?

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-16-2018

Read errors mean that the pineapple is possibly not shutting down correctly. We miss the final interface statistics block. It doesn't mean that the hash is uncrackable. To find out, what's going wrong, we need the pcapng file. Please attach it.

RE: New attack on WPA/WPA2 using PMKID - dojo_mast3r - 11-16-2018

> (11-16-2018, 10:20 PM)ZerBea Wrote:
> Read errors mean that the pineapple is possibly not shutting down correctly. We miss the final interface statistics block. It doesn't mean that the hash is uncrackable. To find out, what's going wrong, we need the pcapng file. Please attach it.

I am new to using hashcat as a whole so that might be the reason I'm not getting any results cracking these hashes. Do pcapng files include the IP addresses or any sensitive data apart from the handshake? Haha wouldn't want to upload a file publicly broadcasting my exact IP or anything.

Also this:
EDIT: I created a one time download link http://www.mediafire.com/?1e7rebw2y2sbtz8ov1c6njbcsce446s here

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-16-2018

No, the pcapng doesn't contain IP addresses. But it contains MAC addresses of access points and clients and network names. If you run hcxpcaptool you will get four PMKIDs (two networks with one client and one network with 2 clients) and two handshakes (one network with 2 clients). The pcapng file is flawless!

```
$ hcxpcaptool -o test.hccapx -z test.16800 -E essid v1.pcapng

reading from v1.pcapng

summary:
file name....................: v1.pcapng
file type....................: pcapng 1.0
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 286
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 259
beacons (with ESSID inside)..: 7
probe requests...............: 8
probe responses..............: 10
association requests.........: 7
association responses........: 13
reassociation requests.......: 1
reassociation responses......: 1
authentications (OPEN SYSTEM): 160
authentications (BROADCOM)...: 7
EAPOL packets................: 78
EAPOL PMKIDs.................: 4
best handshakes..............: 2 (ap-less: 0)

2 handshake(s) written to test.hccapx
4 PMKID(s) written to test.16800
```

Which of the networks do you assume use the key 123456789?

- SHAW-84AA55 (2 handshakes)
- Slow Wifi (PMKID)
- Birdy (2 PMKIDs)
- TELUS3748 (PMKID)

Tested them and none of them use this key.
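
The WPA2 formulas and the hashline layout PMKID*MAC_AP*MAC_STA*ESSID discussed in the thread, as an added Python example (not code from the thread, hcxtools or hashcat). It decodes a hashline and checks a known PMK against it under the WPA2 HMAC formula, using the SAE lab values quoted in the thread next to a constructed WPA2-PSK sample; the function names and the sample passphrase are assumptions.

```python
import hashlib
import hmac

def parse_hashline(line):
    """Split PMKID*MAC_AP*MAC_STA*ESSID (all fields hex) into raw bytes."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError("expected PMKID*MAC_AP*MAC_STA*ESSID")
    pmkid, mac_ap, mac_sta, essid = (bytes.fromhex(p) for p in parts)
    if (len(pmkid), len(mac_ap), len(mac_sta)) != (16, 6, 6) or len(essid) > 32:
        raise ValueError("bad field length")
    return {"pmkid": pmkid, "mac_ap": mac_ap, "mac_sta": mac_sta, "essid": essid}

def wpa2_pmk(passphrase, essid):
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)

def wpa2_pmkid(pmk, mac_ap, mac_sta):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def pmk_matches(line, pmk):
    """True if the PMK reproduces the hashline's PMKID under the WPA2 formula."""
    h = parse_hashline(line)
    return hmac.compare_digest(wpa2_pmkid(pmk, h["mac_ap"], h["mac_sta"]), h["pmkid"])

# Hashline and PMK quoted in the thread (SAE lab capture, ESSID "mynet").
SAE_LINE = "ea5aad4e27b22c46f883737ca5a058bd*c83a35ce463f*c83a35c24fbc*6d796e6574"
SAE_PMK = bytes.fromhex("3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b")

def constructed_wpa2_sample(passphrase="constructed-passphrase"):
    """Constructed WPA2-PSK hashline reusing the thread's MACs and ESSID."""
    h = parse_hashline(SAE_LINE)
    pmk = wpa2_pmk(passphrase, h["essid"])
    pmkid = wpa2_pmkid(pmk, h["mac_ap"], h["mac_sta"])
    fields = (pmkid, h["mac_ap"], h["mac_sta"], h["essid"])
    return "*".join(f.hex() for f in fields), pmk

if __name__ == "__main__":
    print("ESSID:", parse_hashline(SAE_LINE)["essid"].decode())
    # The SAE PMK does not reproduce the PMKID under the HMAC formula.
    print("SAE PMK vs WPA2 formula:", pmk_matches(SAE_LINE, SAE_PMK))
    line, pmk = constructed_wpa2_sample()
    print("constructed WPA2 sample:", pmk_matches(line, pmk))
```

The mismatch on the SAE values is the same result as the thread's `-m 16801` run; the constructed sample matches because its PMKID was built with the WPA2 formula.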