hashcat Forum
New attack on WPA/WPA2 using PMKID - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: New attack on WPA/WPA2 using PMKID (/thread-7717.html)

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19


RE: New attack on WPA/WPA2 using PMKID - SP2005 - 08-22-2018

(08-22-2018, 02:54 PM)undeath Wrote: No. Please review hashcat's attack modes and their usages.

Thanks. I'll take a look at what you suggest.


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-26-2018

Pushed a small update hcxdumptool. From now on we parse SAE completely:

[10:10:20 - 005] c83a35000002 -> c83a35000001 [AUTHENTICATION, SAE COMMIT, STATUS 0, SEQUENCE 304]
[10:10:20 - 005] c83a35000001 -> c83a35000002 [AUTHENTICATION, SAE COMMIT, STATUS 0, SEQUENCE 337]
[10:10:20 - 005] c83a35000002 -> c83a35000001 [AUTHENTICATION, SAE CONFIRM, STATUS 0, SEQUENCE 305]
[10:10:20 - 005] c83a35000001 -> c83a35000002 [AUTHENTICATION, SAE CONFIRM, STATUS 0, SEQUENCE 338]
[10:10:20 - 005] c83a35000001 -> c83a35000002 [FOUND PMKID]
[10:10:20 - 005] c83a35000001 -> c83a35000002 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 3741]

as you can see here:
[10:10:20 - 005] c83a35000001 -> c83a35000002 [FOUND PMKID]
We are not able to attack SAE yet...

Remarks:
SAE = Simultaneous authentication of equals
pre-shared password-based authentication with stronger security than WPA-PSK (as known as WPA3-Personal)


struct sae_commit_authentication_frame
{
 uint16_t    group_id;
 uint8_t    scalar[32];
 uint8_t    commit_element_x[32];
 uint8_t    commit_element_y[32];
} __attribute__((__packed__));


struct sae_confirm_authentication_frame
{
 uint16_t    send_confirm;
 uint8_t    confirm[32];
} __attribute__((__packed__));


read more about the status codes (reason codes) here:
https://community.cisco.com/t5/wireless-mobility-documents/802-11-association-status-802-11-deauth-reason-codes/ta-p/3148055

read more about WPA3-Personal and WPA3-Enterprise here:
https://blogs.cisco.com/wireless/greater-wi-fi-adoption-brings-the-need-of-higher-security


RE: New attack on WPA/WPA2 using PMKID - dizcza - 08-26-2018

Is there a way to append or concatenate results from multiple hcxdumptool sessions?


RE: New attack on WPA/WPA2 using PMKID - sl0badob - 08-26-2018

Hello. I've noticed that --do_rcascan never shows AP's where SSID is hidden/not broadcast. I believe these AP's should be in range. Is there a fix or workaround for this?
Thank you


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-26-2018

Hi dizcza.
Yes, there is a way. From the README.md:
Notice
Most output files will be appended to existing files (with the exception of .cap files).
You can/should cat all outputs from hcxpcaptool to build up your cracking envirnoment as here described:
https://hashcat.net/forum/thread-6661-post-36274.html#pid36274

cap files can be merged by wireshark tools, but I do not recommend this.


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-26-2018

Hi sl0badob
That is correct. An access point is detected to be in our range, if he responds to our request using his ESSID. We are not able to associate to an access point without this information. As long as we didn't receive this information, the access point is not in our protocol layer 2 range for a successful authentication.
I do not plan to change this behavior, because I do not want to fight windmills.

from hostapd.conf:
# Send empty SSID in beacons and ignore probe request frames that do not
# specify full SSID, i.e., require stations to know SSID.
# default: disabled (0)
# 1 = send empty (length=0) SSID in beacon and ignore probe request for
# broadcast SSID
# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
# with some clients that do not support empty SSID) and ignore probe
# requests for broadcast SSID
ignore_broadcast_ssid=0

BTW:
The access point is detected, if it responds to an authorized client who knows the ESSID.


RE: New attack on WPA/WPA2 using PMKID - diegodieguex - 08-26-2018

this script read the last line of 16800.pot and show this info:

https://i.imgur.com/wtjETyq.png

https://nofile.io/f/gWSNdP7RBCN/16800-info_v2.7z
mirrors:
https://www27.zippyshare.com/v/JRr6stg3/file.html
https://www.sendspace.com/file/2zu15c

saludos Diego


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-26-2018

Hi diegodieguex.
Nice improvement. Now we can retrieve the ESSID (in ASCII) and the VENDOR information from the hashline.


RE: New attack on WPA/WPA2 using PMKID - diegodieguex - 08-26-2018

thank you ZerBea

I have the same result replacing line 21 simply by:
cat /tmp/PSK

saludos Diego


RE: New attack on WPA/WPA2 using PMKID - sao - 08-27-2018

Hi,

I'm also getting only FOUND AUTHORIZED HANDSHAKE but not PMKID FOUND:

[23:42:51 - 001] 6872321b37b7 -> b065bddf493a [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 1712]
[23:42:54 - 001] 6872321b37b7 -> 3ca3080633f0 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 1383]

FYI: I'm near my router

What can I do? Sad