hashcat Forum
New attack on WPA/WPA2 using PMKID - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: New attack on WPA/WPA2 using PMKID (/thread-7717.html)



RE: New attack on WPA/WPA2 using PMKID - dojo_mast3r - 11-16-2018

(11-16-2018, 11:42 PM)ZerBea Wrote: No, the pcapng doesn't contain IP addresses. But it contains MAC addresses of access points and clients and network names.
If you run hcxpcaptool you will get four PMKIDs (two networks with one client and one network with 2 clients) and two handshakes (one network with 2 clients). The pcapng file is flawless!
$ hcxpcaptool -o test.hccapx -z test.16800 -E essid v1.pcapng
reading from v1.pcapng
summary:
file name....................: v1.pcapng
file type....................: pcapng 1.0
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 286
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 259
beacons (with ESSID inside)..: 7
probe requests...............: 8
probe responses..............: 10
association requests.........: 7
association responses........: 13
reassociation requests.......: 1
reassociation responses......: 1
authentications (OPEN SYSTEM): 160
authentications (BROADCOM)...: 7
EAPOL packets................: 78
EAPOL PMKIDs.................: 4
best handshakes..............: 2 (ap-less: 0)

2 handshake(s) written to test.hccapx
4 PMKID(s) written to test.16800

Which of the networks do you assume uses the key 123456789?
SHAW-84AA55 (2 handshakes)
Slow Wifi (PMKID)
Birdy (2 PMKIDs)
TELUS3748 (PMKID)

Hmmm, I don't actually see the network there... Here is a better file, sorry about that: http://www.mediafire.com/?jy2ok3ebrqdzlrcl3qpxp9rz5f275yc I've been making so many dumps trying to fix this that I mixed up the file.

The wifi I'm targeting is "Shit Wifi" with the password 123456789.

I'm thinking the pcap is "flawless", however maybe in the conversion process something is getting stuck.

EDIT: Here is the new summary; this is a new file.

Code:
summary:
--------
file name....................: v2.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: yes
packets inside...............: 14
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 13
beacons (with ESSID inside)..: 3
probe requests...............: 1
probe responses..............: 3
authentications (OPEN SYSTEM): 6
authentications (BROADCOM)...: 2



RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-17-2018

v2.pcapng doesn't contain PMKIDs or handshakes and it is flawless:
$ hcxpcaptool -o test.hccapx -z test.16800 v2.pcapng
reading from v2.pcapng
summary:
file name....................: v2.pcapng
file type....................: pcapng 1.0
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 14
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 14
beacons (with ESSID inside)..: 3
probe requests...............: 1
probe responses..............: 3
authentications (OPEN SYSTEM): 7
authentications (BROADCOM)...: 2

Nevertheless, I'm not able to read hardware information or file os or application information from this big endian pcapng file on my little endian system. That needs to be fixed.


RE: New attack on WPA/WPA2 using PMKID - dojo_mast3r - 11-17-2018

(11-17-2018, 12:01 AM)ZerBea Wrote: v2.pcapng doesn't contain PMKIDs or handshakes and it is flawless:
$ hcxpcaptool -o test.hccapx -z test.16800 v2.pcapng
reading from v2.pcapng
summary:
file name....................: v2.pcapng
file type....................: pcapng 1.0
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 14
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 14
beacons (with ESSID inside)..: 3
probe requests...............: 1
probe responses..............: 3
authentications (OPEN SYSTEM): 7
authentications (BROADCOM)...: 2

...and it is either not from hcxdumptool or modified by user or destroyed!

Oh weird, are you saying it doesn't actually contain any hashes? Did the other file contain some? I'm trying to keep up, network hacking is a bit new for me. I get the fastest results from using enable status 2, however maybe that's affecting my results? Should I try a different message mode?

I keep rereading the first page along with any other info I can get on pcapng, but maybe this is a bit too advanced. I don't want to waste any of your time either.

EDIT: Just did another dump, this time with enable_status 3; once again during the conversion it says read errors are found.


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-17-2018

But both pcapng files are useful for me. I noticed an issue in combination with mips and will try to fix it. Please give me a few minutes to fix it. v2.pcapng doesn't contain handshakes or PMKIDs.


RE: New attack on WPA/WPA2 using PMKID - dojo_mast3r - 11-17-2018

(11-17-2018, 12:28 AM)ZerBea Wrote: But both pcapng files are useful for me. I noticed an issue in combination with mips and will try to fix it. Please give me a day... v2.pcapng doesn't contain handshakes or PMKIDs.

Huh, would there be a specific reason why v2 doesn't contain any handshake data? I could try to recreate it again, strange...


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-17-2018

Ok, fixed that ugly big endian issue when we are doing an option walk through the pcapng options:
https://github.com/ZerBea/hcxtools/commit/4babccca3789efd0a8aa7d70fdff7a8548768110
Thanks for reporting this and the test pcapng files. Now hcxpcaptool will show correct information about big endian pcapng files on little endian systems. But nevertheless, v2.pcapng doesn't contain handshakes or PMKIDs.

$ hcxpcaptool -V v1.pcapng
reading from v1.pcapng
summary:
file name....................: v1.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 286
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 259
beacons (with ESSID inside)..: 7
probe requests...............: 8
probe responses..............: 10
association requests.........: 7
association responses........: 13
reassociation requests.......: 1
reassociation responses......: 1
authentications (OPEN SYSTEM): 160
authentications (BROADCOM)...: 7
EAPOL packets................: 78
EAPOL PMKIDs.................: 4
best handshakes..............: 2 (ap-less: 0)


$ hcxpcaptool -V v2.pcapng
reading from v2.pcapng
summary:
file name....................: v2.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 14
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 14
beacons (with ESSID inside)..: 3
probe requests...............: 1
probe responses..............: 3
authentications (OPEN SYSTEM): 7
authentications (BROADCOM)...: 2

Now let's identify the next issue. Therefore we need a pcapng which contains a handshake or a PMKID from your target.
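The "unknown" hardware/os/application fields on the little endian system come from the option walk in the Section Header Block: the option code and length pairs are stored in the section's own byte order, so reading a big endian file with little endian lengths skips to the wrong offsets. The following is an added example (not hcxtools code) that decodes the byte-order magic first and then walks the options accordingly; the sample block is constructed inline with the values from the v1.pcapng summary above, and build_shb exists only to produce that test input.

```python
import struct

# Option codes defined for the Section Header Block (pcapng spec).
SHB_OPTIONS = {2: "hardware", 3: "os", 4: "application"}
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def build_shb(options, endian="<"):
    """Construct a Section Header Block carrying the given option strings.
    endian is '<' (little) or '>' (big); this only builds test input."""
    body = b""
    for code, text in options:
        raw = text.encode()
        body += struct.pack(endian + "HH", code, len(raw)) + raw
        body += b"\x00" * (-len(raw) % 4)          # pad value to a 32-bit boundary
    body += struct.pack(endian + "HH", 0, 0)         # opt_endofopt
    total = 4 + 4 + 4 + 2 + 2 + 8 + len(body) + 4
    return (struct.pack(">I", 0x0A0D0D0A)            # block type, same bytes either way
            + struct.pack(endian + "I", total)
            + struct.pack(endian + "I", BYTE_ORDER_MAGIC)
            + struct.pack(endian + "HHq", 1, 0, -1)  # version 1.0, section length unknown
            + body
            + struct.pack(endian + "I", total))


def parse_shb(data):
    """Return endianness plus the hardware/os/application options of an SHB.
    The byte-order magic decides how every later field is decoded, including
    each option's code and length; decoding those in the host order on a file
    of the other order breaks the walk and the fields come back missing."""
    if data[:4] != b"\x0a\x0d\x0d\x0a":
        raise ValueError("not a pcapng Section Header Block")
    magic = data[8:12]
    if magic == b"\x1a\x2b\x3c\x4d":
        endian = ">"
    elif magic == b"\x4d\x3c\x2b\x1a":
        endian = "<"
    else:
        raise ValueError("bad byte-order magic")
    total, = struct.unpack(endian + "I", data[4:8])
    info = {"endian": "big" if endian == ">" else "little"}
    off = 24                                          # first option follows the fixed header
    while off + 4 <= total - 4:
        code, length = struct.unpack(endian + "HH", data[off:off + 4])
        if code == 0:                                 # opt_endofopt
            break
        value = data[off + 4:off + 4 + length]
        if code in SHB_OPTIONS:
            info[SHB_OPTIONS[code]] = value.decode(errors="replace")
        off += 4 + length + (-length % 4)             # step over value and its padding
    return info
```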


RE: New attack on WPA/WPA2 using PMKID - dojo_mast3r - 11-17-2018

(11-17-2018, 12:50 AM)ZerBea Wrote: Ok, fixed that ugly big endian issue when we are doing an option walk through the pcapng options:
https://github.com/ZerBea/hcxtools/commit/4babccca3789efd0a8aa7d70fdff7a8548768110
Thanks for reporting this and the test pcapng files. Now hcxpcaptool will show correct information about big endian pcapng files on little endian systems. But nevertheless, v2.pcapng doesn't contain handshakes or PMKIDs.

$ hcxpcaptool -V v1.pcapng
reading from v1.pcapng
summary:
file name....................: v1.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 286
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 259
beacons (with ESSID inside)..: 7
probe requests...............: 8
probe responses..............: 10
association requests.........: 7
association responses........: 13
reassociation requests.......: 1
reassociation responses......: 1
authentications (OPEN SYSTEM): 160
authentications (BROADCOM)...: 7
EAPOL packets................: 78
EAPOL PMKIDs.................: 4
best handshakes..............: 2 (ap-less: 0)


$ hcxpcaptool -V v2.pcapng
reading from v2.pcapng
summary:
file name....................: v2.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 14
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 14
beacons (with ESSID inside)..: 3
probe requests...............: 1
probe responses..............: 3
authentications (OPEN SYSTEM): 7
authentications (BROADCOM)...: 2

Now let's identify the next issue. Therefore we need a pcapng which contains a handshake or a PMKID from your target.

Alright, so I tried another dump, this time with enable_status 1, to see if that worked at all.

Code:
[23:05:49 - 006] 2c3033f3f889 -> f0a22504c0b1 [FOUND PMKID CLIENT-LESS]
[23:05:51 - 006] 2c3033f3f889 -> e8617eb9ac97 [FOUND PMKID]
[23:06:01 - 011] 9c1e958f2ea2 -> f0a22504c0b1 [FOUND PMKID CLIENT-LESS]

I'm not exactly sure what wifi clients these are, as mode 1 doesn't show the IDs, but editing it in notepad shows the "shit wifi" and I'm seeing [FOUND PMKID] in the console. Does that mean it worked? Still learning how to interpolate this.

v3 is here http://www.mediafire.com/?bqos57dnnf4kn8cqad0nvsocgondcui


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-17-2018

No, these PMKIDs belong to these ESSIDs:
Birdy
Slow Wifi
Your target network wasn't captured.
You can run whoismac to get information about the 16800 hashline:
whoismac -p <complete 16800 hashline here>


RE: New attack on WPA/WPA2 using PMKID - dojo_mast3r - 11-17-2018

(11-17-2018, 01:27 AM)ZerBea Wrote: No, these PMKIDs belong to these ESSIDs:
Birdy
Slow Wifi
Your target network wasn't captured.
You can run whoismac to get information about the 16800 hashline:
whoismac -p <complete 16800 hashline here>

Thanks, I'll run it again, sorry about that. It seems all the other wifis get dumped but I can't get my dummy connection to work!

Alright, so with this version I set up 3 separate connections, all on different routers/devices, using the same password (nice security risk, I know).

I think I got one of them, but out of curiosity, why is it that only some wifi connections are getting dumped?
v4 here http://www.mediafire.com/?uadb9yot35dn061cmg9bula5l2nw1je


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-17-2018

Latest link is expired, so I can't download the file.
hcxdumptool attack and dump modes depend on the filter list and filter mode options. Running without these options, hcxdumptool will attack all and capture all!
If you want to attack a single access point (and you do not want to receive other traffic), add its MAC to your filter list. Then use --filterlist=<your filterlist> and filtermode=3.
Usage is explained in changelog and -h (menu).

BTW:
I found another issue in big endian conversion in pcapng option fields and fixed it with the latest hcxtools commit (I hope so...). Big/little endian conversion is really ugly stuff, because I have no big endian machine here. So your pcapng files are really, really appreciated!