New attack on WPA/WPA2 using PMKID - Printable Version
+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: New attack on WPA/WPA2 using PMKID (/thread-7717.html)
RE: New attack on WPA/WPA2 using PMKID - dizcza - 08-27-2018

(08-26-2018, 03:30 PM)ZerBea Wrote: Most output files will be appended to existing files (with the exception of .cap files).

Hi, ZerBea. I mean if I run `hcxdumptool -o all.pcapng` many times I'd like to append the output to one all.pcapng file instead of creating all-XXX.pcapng files each time. Sorry for the late reply.

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-27-2018

Hi dizcza.
The hcxpcaptool -o option will convert pcapng files to hccapx format (not to pcapng) and append the result to an existing hccapx file. The command you're looking for (merging pcapng files) is:

mergecap -a -w concatenated.pcapng capture1.pcapng capture2.pcapng

Read more here: https://www.wireshark.org/docs/man-pages/mergecap.html

But I don't recommend merging pcapng files. It can lead to uncrackable handshakes if ESSIDs are damaged or network names changed or MACs changed. Also detection of ap-less attacks will not work on merged files. Keep in mind: we use randomized MACs. So clear allocation of MAC and ESSID over more than one pcapng file isn't possible on merged files.

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-27-2018

Hi sao. The answer to your question is here: https://hashcat.net/forum/thread-7717-post-41675.html#pid41675

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-27-2018

wpa-sec is now running with full PMKID support. The success rate is very good: https://wpa-sec.stanev.org/?stats

RE: New attack on WPA/WPA2 using PMKID - Mem5 - 08-27-2018

It just misses a field to send a PMKID hash.

RE: New attack on WPA/WPA2 using PMKID - ssswanil - 08-28-2018

Hi ZerBea, I ran the hexdump pcap for almost >5 hours and I get no PMKIDs. Am I missing something?
summary:
--------
file name....................: test3.pcapng-0
file type....................: pcapng 1.0
file hardware information....: i686
file os information..........: Linux 4.12.0-kali2-686
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 4492
skipped packets..............: 0
packets with FCS.............: 760
WDS packets..................: 36
beacons (with ESSID inside)..: 2105
probe requests...............: 305
probe responses..............: 359
association responses........: 85
reassociation responses......: 62
authentications (UNKNOWN)....: 19
authentications (OPEN SYSTEM): 3
authentications (SHARED KEY).: 18
authentications (FILS).......: 1
EAPOL packets................: 205
=====

root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/wifi/new/hcxdumptool# hcxdumptool -o test3.pcapng -i wlan0mon --enable_status=1,2,4,8
start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0mon
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc2335163d2 (client)
MAC ACCESS POINT.........: 00006c58d5fd (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 62470
ANONCE...................: 8eda9b07876621ccec2d0b89922536815831832d401cbf690448ee151d1e6a2b
INFO: cha=5, rx=245, rx(dropped)=1, tx=104, powned=0, err=0
INFO: cha=8, rx=2763, rx(dropped)=2, tx=683, powned=0, err=0
INFO: cha=8, rx=88385, rx(dropped)=64, tx=14220, powned=0, err=0
INFO: cha=1, rx=88565, rx(dropped)=64, tx=14240, powned=0, err=0
INFO: cha=10, rx=249627, rx(dropped)=167, tx=33360, powned=0, err=0
INFO: cha=2, rx=435034, rx(dropped)=267, tx=49707, powned=0, err=0
====

PS: I have more than 1k networks in the same pcapng file obtained from the hexdump pcap tool.
1146 1B:05:45:B4:45:05 Unknown
1147 B4:BF:B0:9B:F5:56 Zoomwf�� No data - WEP or WPA
1148 00:00:6C:586:89 CCnDC No data - WEP or WPA
1149 E4:B73:A3:97:46 No data - WEP or WPA
1150 37:36:C5:E79:3F None (0.0.0.0)
1151 03:AC:21:50:18:99 HP-Print-99-Officejet Pro 8620 None (0.0.0.0)
1152 D8:C7:C8:78:B3:82 FC-Corporate No data - WEP or WPA
1153 42:5D:31:F6:74:44 OMG GUEST No data - WEP or WPA
1154 EC:5D:B8:58:11:3F No data - WEP or WPA
1155 D9:96:EE:A8:A2:FC WPA (0 handshake)
1156 86:AB:F7:E6:1C:38 WPA (0 handshake)
1157 6C:F3:3F:07:8B:53 No data - WEP or WPA
1158 6AE:38:F6:8F:F4 None (0.0.0.0)
1159 B6:FF:FF:FF:FF:FF None (0.0.0.0)
1160 00:95:F3:2A:4A:FF No data - WEP or WPA
1161 6C:74:97:2E:2A:3B GGl ��mmunications Hub No data - WEP or WPA
1162 AC:8F:A4:FF:42:BC None (0.0.0.0)
1163 00:00:6C:586:8A Hitch1 No data - WEP or WPA
1164 00:00:6C:586:8B SBG6700AC-63297-5G No data - WEP or WPA
1165 F9:FB:B2:9B:3D:76 Zoom3d70 No data - WEP or WPA
1166 68:CF:BC:34:99:E8 usrc��taff None (0.0.0.0)
1167 91:80:AA:E7:9F:0C No data - WEP or WPA
Index number of target network ?
====

RE: New attack on WPA/WPA2 using PMKID - RealEnder - 08-28-2018

(08-27-2018, 07:24 PM)Mem5 Wrote: It just misses a field to send a pmkid hash

We still need raw captures, from which we'll extract what's interesting inside, including PMKIDs. This allows us to improve the toolset and dig up valuable stuff later. For example, right now I'm reparsing caps and fetching PMKIDs submitted back in 2011 and up.

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-28-2018

Hi ssswanil.
To answer your question, we need some more information.

1) Do you run the latest commit? If not, please update!

2) Does your driver support full (injection is working!) monitor mode? Not all drivers are working as expected.

3) Is the device running in monitor mode?

iw dev <wlan interface> info
Interface <wlan interface>
    ifindex 3
    wdev 0x1
    addr xx:xx:xx:xx:xx:xx
    type monitor
    wiphy 0
    channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
    txpower 20.00 dBm

4) Does hcxdumptool have full access to the device? Stop all services running on that device which prevent hcxdumptool from being able to change the channel!

5) Did you run airmon-ng? hcxdumptool doesn't like to run on a virtual interface created by airmon-ng!

6) Your command line is ugly. Absolutely no-go for this: --enable_status=1,2,4,8
We are using a bitmask. That means you have to add(!) the switches:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATION
8: ASSOCIATION
If you would like to see all status messages then you must add the values: 1 + 2 + 4 + 8 = 15
--enable_status=15 is your switch.

7) Do you have access points in range?

sudo hcxdumptool -i wlp39s0f3u4u5 -t 5 --do_rcascan
xxxxxxxxxxxx <ESSID> [CHANNEL 1, AP IN RANGE]

8) How do you convert pcapng to cap? Is that list (after ===) from aircrack-ng?
aircrack-ng isn't able to read pcapng files! https://github.com/aircrack-ng/aircrack-ng/issues/1912
aircrack-ng isn't able to detect PMKIDs! https://github.com/aircrack-ng/aircrack-ng/issues/1937

RE: New attack on WPA/WPA2 using PMKID - assanux - 08-30-2018

I have a problem: after decoding to hash I find the key is wrong and not true, and when I use a wordlist, I extract it correctly without problems. Please help me.....

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-31-2018

To answer the question we need more information:
Which tools do you use for capturing, conversion and cracking?
What is the command line of the tools?
Which result do you expect (exactly)?
Which result did you get (exactly)?
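The posts above go back and forth about PMKIDs being found, converted and then "wrong" when cracked, but none of them shows what the cracker actually recomputes from one captured PMKID line. The following is an added example written for this page; it is not code from any post, from hcxtools, hashcat or wpa-sec. It derives the PMK with PBKDF2-HMAC-SHA1 over the ESSID (4096 rounds, 32 bytes), computes PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), and checks a candidate passphrase against a hash line. Assumptions: the line layout PMKID*MAC_AP*MAC_STA*ESSID_HEX with hex fields separated by `*` (the form hashcat accepts for its PMKID mode, -m 16800); the network name, MAC addresses and passphrase are constructed for the demo and were not captured from any real network.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# 802.11 RSN: the PMKID is keyed on the PMK over this fixed label plus both MACs.
PMK_NAME = b"PMK Name"
PBKDF2_ROUNDS = 4096   # WPA/WPA2-PSK passphrase-to-PMK iteration count
PMK_LEN = 32           # bytes


def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32). The ESSID is the raw
    bytes from the beacon, which is why a damaged ESSID makes the hash uncrackable."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid,
                               PBKDF2_ROUNDS, PMK_LEN)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = first 16 bytes of HMAC-SHA1(PMK, "PMK Name" || AA || SPA).
    AA is the AP (authenticator) MAC, SPA the station (supplicant) MAC."""
    if len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("MAC addresses must be 6 raw bytes")
    return hmac.new(pmk, PMK_NAME + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_16800(line: str) -> Dict[str, bytes]:
    """Split PMKID*MAC_AP*MAC_STA*ESSID_HEX (assumed layout, see lead-in) and
    validate field lengths so a mangled line fails loudly instead of cracking to nothing."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError("expected 4 '*'-separated hex fields")
    try:
        pmkid, mac_ap, mac_sta, essid = (bytes.fromhex(p) for p in parts)
    except ValueError as exc:
        raise ValueError(f"non-hex field in PMKID line: {exc}") from exc
    if len(pmkid) != 16:
        raise ValueError("PMKID must be 16 bytes")
    if len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("MAC fields must be 6 bytes")
    if not 1 <= len(essid) <= 32:
        raise ValueError("ESSID must be 1..32 bytes")
    return {"pmkid": pmkid, "mac_ap": mac_ap, "mac_sta": mac_sta, "essid": essid}


def format_16800(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, essid: bytes) -> str:
    """Inverse of parse_16800: build a hash line from raw fields."""
    return "*".join(x.hex() for x in (pmkid, mac_ap, mac_sta, essid))


def check_candidate(line: str, passphrase: str) -> bool:
    """True if the passphrase reproduces the PMKID in the line.
    This is the whole 'ap-less' check: no client traffic or 4-way handshake needed."""
    h = parse_16800(line)
    pmk = derive_pmk(passphrase, h["essid"])
    return hmac.compare_digest(compute_pmkid(pmk, h["mac_ap"], h["mac_sta"]), h["pmkid"])


def crack_wordlist(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that matches, or None (a tiny CPU-only hashcat stand-in)."""
    for cand in candidates:
        if check_candidate(line, cand):
            return cand
    return None


# Constructed sample network (not a capture). Locally administered MACs (02:...) on purpose.
SAMPLE_ESSID = b"ExampleNet"
SAMPLE_MAC_AP = bytes.fromhex("020000000001")
SAMPLE_MAC_STA = bytes.fromhex("020000000002")
SAMPLE_PASSPHRASE = "correct horse battery"


def sample_line() -> str:
    """A hash line for the constructed network, as a converter would emit it."""
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_ESSID)
    return format_16800(compute_pmkid(pmk, SAMPLE_MAC_AP, SAMPLE_MAC_STA),
                        SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_ESSID)


if __name__ == "__main__":
    line = sample_line()
    print(line)
    print("cracked:", crack_wordlist(line, ["password", "12345678", SAMPLE_PASSPHRASE]))
```

Two practical checks fall out of this. First, if a converted line fails `parse_16800` (wrong number of fields, odd-length hex, ESSID outside 1..32 bytes) the problem is in capture or conversion, not in the wordlist, which is the kind of detail ZerBea is asking assanux for. Second, because the ESSID bytes feed PBKDF2 and both MACs feed the HMAC, a merged capture that pairs a PMKID with the wrong ESSID or MAC produces a line that no passphrase will ever satisfy, which is the failure mode described in the mergecap reply.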