New attack on WPA/WPA2 using PMKID - Printable Version
+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: New attack on WPA/WPA2 using PMKID (/thread-7717.html)
RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-16-2018

That is some good news. Well, UBUNTU is recommended by the hashcat team and is an easy to use distribution. I share that opinion. Designed for complete novices, UBUNTU teaches a beginner everything he needs to know to enjoy Linux. He will get help in the forums (https://ubuntuforums.org/) and here, too. Nevertheless, I prefer Arch Linux, because it does exactly what I configured. But I really do not understand why so many novices run K*A*L*I. That is an extremely stripped down version of Debian and not usable for novices. The same applies to using hcxdumptool/hcxtools/hcxkeys. These tools are designed to perform analysis and to find weak points (like the PMKID attack vector) in combination with a hash cracker (hashcat) and a database (wpa-sec). The goal is not to crack a single PSK! The goal is to find the weak point within the system! So these tools are completely different from aircrack-ng. If someone needs a script of 1491 lines (as of today) to put his device into monitor mode, he shouldn't use hcxtools!

RE: New attack on WPA/WPA2 using PMKID - Kangaroot - 08-16-2018

ZerBea, I wouldn't say Ubuntu teaches anyone anything unless the user wants to learn, but surely it is the easiest way to start using GNU/Linux. Same with K*A*L*I - easiest way to get into hacking.

RE: New attack on WPA/WPA2 using PMKID - kevtheskin - 08-17-2018

Hello all,
Can someone tell me why I am only getting "Found handshake AP-LESS, EAPOL TIMEOUT"? I have not seen "PMKID Found", only "handshake found".
Thanks
Kev

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-17-2018

hcxdumptool is able to run different attack vectors. And the client-less (PMKID) attack vector is only one of them:

ap-less: Only one packet (M2) from a client is required. You do not need to hunt for access points. Just wait until the clients come to you. Have patience - some clients will give you their PSK in the clear (hcxpcaptool -E -I -U)!
This attack vector is the most important one, because clients are weak! Try to annoy them! You can run --nonce-error-corrections=0 on that handshake!

client-less: Only one packet (M1 - PMKID) from an access point is required. You have to hunt for access points (usually access points don't move). It's hard to annoy an access point. You need to have a good antenna (high gain)!

m4 - retry: After receipt of a single M4, M1, M2, M3 are requested as long as we haven't successfully captured an authorized handshake (M2/M3). A client and an access point are required for this attack vector! You need to have a good antenna!

deauthentication (old school): Disconnect a client from the network and capture the following authentication. A client and an access point are required for this attack vector! You need to have a good antenna (high gain)! This attack vector will not work if PMF is enabled.

Possible reason why you didn't receive a PMKID: No access point with activated roaming is in range. But so what: A client is in range - play with him!

RE: New attack on WPA/WPA2 using PMKID - LoZio - 08-17-2018

Sorry to bother, but I think I'm losing something obvious here, please be kind.
I capture and obtain a file.
I export hashes and get:

file name....................: home.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.15.0-32-generic
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 2781
skipped packets..............: 0
packets with FCS.............: 1571
beacons (with ESSID inside)..: 11
probe requests...............: 4
probe responses..............: 15
association requests.........: 701
association responses........: 1037
authentications (OPEN SYSTEM): 792
authentications (BROADCOM)...: 289
EAPOL packets................: 222
EAPOL PMKIDs.................: 4

4 PMKID(s) written to home.16800

I suppose I have some valid PMKIDs here. The AP is mine, so I know the key and put it in a file with a dozen other fake passwords. I would like to guess my password, to test the whole process, so I run:

./hashcat64.bin -m 16800 /Work/cap/home.16800 /Work/cap/t.txt

It runs but gets no password at all:

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: \Work\cap\home.16800
Time.Started.....: Fri Aug 17 13:44:49 2018 (1 sec)
Time.Estimated...: Fri Aug 17 13:44:50 2018 (0 secs)
Guess.Base.......: File (\Work\cap\t.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#3.....: 279 H/s (0.34ms) @ Accel:32 Loops:16 Thr:256 Vec:1
Recovered........: 0/4 (0.00%) Digests, 0/4 (0.00%) Salts
Progress.........: 156/156 (100.00%)
Rejected.........: 0/156 (0.00%)
Restore.Point....: 39/39 (100.00%)
Candidates.#3....: djshhjshjVolumeindr -> 9Dir(s)219.174.809.600bytesfree
HWMon.Dev.#3.....: Temp: 56c Fan: 0% Util: 63% Core:1070MHz Mem: 900MHz Bus:4

What am I missing in the process?
(/Work/cap/t.txt is my dictionary with the correct PSK)
Thanks

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-17-2018

That's interesting: You received 4 PMKIDs for a single network (I assume that it isn't an ENTERPRISE network). So there must be 4 clients. What is the command line for hcxdumptool?
A hashfile should look like this:

PMKID*MAC_AP*MAC_STA:ESSID (hex)

If you have 4 PMKIDs:

PMKID*MAC_AP*MAC_STA1:ESSID (hex)
PMKID*MAC_AP*MAC_STA2:ESSID (hex)
PMKID*MAC_AP*MAC_STA3:ESSID (hex)
PMKID*MAC_AP*MAC_STA4:ESSID (hex)

MAC_AP (your BSSID) and ESSID should be the same.

RE: New attack on WPA/WPA2 using PMKID - awdmesh - 08-17-2018

I've captured the same PMKID two or three times amongst others in the hashfile. I'm still learning the ins and outs of hashcat, but I have noticed that, in case I missed something or don't see that it looked to be successful, I'll run the hashcat command again with --show to see if there were any results/passwords.
@ZerBea If, say, I want to keep my RF signature at a minimum, I would need to use --disable_deauthentications and disassociations, possibly disable client attacks and active scan? I want to try and be as passive as possible and not disturb clients. I'm assuming you'll always need to transmit some in order to get the PMKID. Is it correct to say that by default, without disable arguments, hcxdumptool is doing deauth and disassociation against clients?
Thanks

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-17-2018

Correct. Running hcxdumptool without disable arguments and/or setting a filterlist is the most aggressive mode. hcxdumptool will run deauthentications against established connections and disassociations if an M4 was received.
You can view your RF signature here (tx=xxx) and control it via switches:

INFO: cha=3, rx=3315, rx(dropped)=832, tx=311, powned=4, err=0

--disable_ap_attacks --disable_deauthentications:
INFO: cha=1, rx=799, rx(dropped)=12, tx=1, powned=0, err=0

--disable_ap_attacks --disable_deauthentications --disable_client_attacks --disable_active_scan:
INFO: cha=5, rx=1403, rx(dropped)=11, tx=0, powned=0, err=0

RE: New attack on WPA/WPA2 using PMKID - kevtheskin - 08-18-2018

(08-17-2018, 10:51 AM)ZerBea Wrote: hcxdumptool is able to run different attack vectors. And the client-less (PMKID) attack vector is only one of them:

Thanks for the info. Not sure it answered my question? Can someone tell me why I am only getting "Found handshake AP-LESS, EAPOL TIMEOUT"? I have not seen "PMKID Found", only "handshake found".
Thanks
Kev

RE: New attack on WPA/WPA2 using PMKID - slyexe - 08-19-2018

Quote: Thanks for the info. Not sure it answered my question?

It's because you're not in range of any routers which broadcast the PMK, just as zerobeat has told you. This attack does not enable clientless attacks on ALL MAKES OF ROUTERS. It's only available if the router is set up to provide you with the proper information for the PMK. The data you have is telling you that you have obtained an AP-less handshake, meaning you are only able to receive a signal strong enough to the client and not the router.
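Two things come up in the thread that are easy to check offline: ZerBea's rule that a hashfile from one AP must carry the same MAC_AP and ESSID on every line (one line per client), and LoZio's wish to confirm that a 16800 line from his own AP actually matches his own PSK. The Python below is an added example, not code from the thread, hashcat or hcxtools; it implements the documented WPA-PMKID-PBKDF2 derivation that mode 16800 evaluates, and the MACs, ESSID, PSK and function names (parse_16800, verify_line, check_hashfile, make_line) are constructed for this illustration.

```python
import hashlib
import hmac

def parse_16800(line):
    """hashcat -m 16800 line: PMKID*MAC_AP*MAC_STA*ESSID_hex. The post above writes
    the last separator as ':', so both forms are accepted here."""
    parts = line.strip().replace(":", "*").split("*")
    if len(parts) != 4:
        raise ValueError("expected 4 fields, got %d" % len(parts))
    pmkid, mac_ap, mac_sta, essid_hex = parts
    if len(pmkid) != 32 or len(mac_ap) != 12 or len(mac_sta) != 12:
        raise ValueError("bad field length in: %s" % line.strip())
    return {"pmkid": bytes.fromhex(pmkid), "mac_ap": bytes.fromhex(mac_ap),
            "mac_sta": bytes.fromhex(mac_sta), "essid": bytes.fromhex(essid_hex)}

def compute_pmkid(psk, essid, mac_ap, mac_sta):
    """PMK = PBKDF2-HMAC-SHA1(PSK, ESSID, 4096 rounds, 32 bytes);
    PMKID = first 16 bytes of HMAC-SHA1(PMK, "PMK Name" | MAC_AP | MAC_STA)."""
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def verify_line(line, psk):
    """True if the PMKID on the line was derived from this PSK (own AP, own key)."""
    h = parse_16800(line)
    expected = compute_pmkid(psk, h["essid"], h["mac_ap"], h["mac_sta"])
    return hmac.compare_digest(expected, h["pmkid"])

def check_hashfile(lines):
    """ZerBea's sanity check for a single-AP hashfile: every line must carry the
    same MAC_AP and ESSID; the distinct MAC_STA values are the clients seen.
    Returns (all_same_ap, number_of_clients)."""
    parsed = [parse_16800(l) for l in lines if l.strip()]
    aps = {(h["mac_ap"], h["essid"]) for h in parsed}
    stas = {h["mac_sta"] for h in parsed}
    return len(aps) == 1, len(stas)

def make_line(psk, essid, mac_ap, mac_sta):
    """Build a 16800 line from a known PSK (used here only to construct sample data)."""
    pmkid = compute_pmkid(psk, essid, mac_ap, mac_sta)
    return "*".join([pmkid.hex(), mac_ap.hex(), mac_sta.hex(), essid.hex()])

if __name__ == "__main__":
    # constructed sample values, not taken from any real capture
    ap = bytes.fromhex("001122334455")
    stas = [bytes.fromhex("66778899aabb"), bytes.fromhex("66778899aacc")]
    lines = [make_line("constructed-psk", b"HomeNet", ap, s) for s in stas]
    print("\n".join(lines))
    print("same AP on every line, clients:", check_hashfile(lines))
    print("first line matches known PSK:", verify_line(lines[0], "constructed-psk"))
```

If verify_line returns False for a line captured from your own AP with your own PSK, the problem is in the capture or the hashfile (wrong ESSID bytes, wrong BSSID), not in the wordlist, which is the first thing to rule out in a case like LoZio's.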