hashcat Forum
New attack on WPA/WPA2 using PMKID - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: New attack on WPA/WPA2 using PMKID (/thread-7717.html)

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-14-2018

Hi Kangaroot.
You're running an old version. Latest commit is v 4.2.1:
https://github.com/ZerBea/hcxdumptool/commit/95ef2951c5da7eec9d5469d43fc0851522a2d9d0
several bugfixes and new/changed options


RE: New attack on WPA/WPA2 using PMKID - Kangaroot - 08-15-2018

Hi ZerBea, thanks for quick reply, didn't notice a newer version. Works better now.

Although, --enable-status now accepts only one of four options, not all of them as it used to.


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-15-2018

Well, rolling release principle....


RE: New attack on WPA/WPA2 using PMKID - awdmesh - 08-15-2018

(08-06-2018, 01:47 PM)undeath Wrote:
(08-06-2018, 01:43 PM)awdmesh Wrote: Just curious - can you somehow run a word list against the PMKID?

hashcat usage for this hash mode is the same as for every other mode.

Finally got around to trying out a word list. I have no issues running hashcat like this 

Code:

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

However running like this leads to an immediate segmentation fault 

hashcat -a 0 -m 16800 test.16800 example.dict

It’ll load the word list and say dictionary cache built and right after that it’ll show the options to pause status etc with the error right after [quit] => Segmentation Fault. Anyone try a word list with this mode and have any issues?


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-15-2018

This bug was fixed last week! Do you use the latest commit?


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-15-2018

Hi Kangaroot.
Forgot to answer to this:
Although, --enable-status now accepts only one of four options, not all of them as it used to.
-> No, now we use a bitmask.
- you can run --enable-status=1 --enable-status=2 --enable-status=4 --enable-status=8
- or use the bitmask: --enable-status3 (= --enable-status=1 + --enable-status=2)


RE: New attack on WPA/WPA2 using PMKID - awdmesh - 08-15-2018

(08-15-2018, 07:57 PM)ZerBea Wrote: This bug was fixed last week! Do you use the latest commit?

Double checked, updated to the latest commit as of now. Uninstalled, cleaned, make/make install. Still the same segmentation fault as before using the same command/options. If I change attack mode to 3 it’ll run but obviously not as intended for use with word file. I’ll keep trying.

-update

If I use attack mode 7 and specify two dictionaries hashcat will run and combine my sample test dictionary with a larger one. Some progress. Just doesn’t like one single dictionary for some reason.

Hashcat -a 7 -m 16800 test.16800 example.dict rockyou.txt


RE: New attack on WPA/WPA2 using PMKID - Kangaroot - 08-15-2018

ZerBea, great, thanks for all your help. I'm currently enjoying testing different routers and it seems consumer market is also heavily vulnerable, not just corporate.


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 08-16-2018

Well, it is a new attack vector and a nice playground.

Take a look at the statistics of a typical hcxdumptool pcapng file. I got this one from a tester:

summary:
file name....................: fieldtest.pcapng
file type....................: pcapng 1.0
file hardware information....: armv6l
file os information..........: Linux 4.14.59-1-ARCH
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 609306
skipped packets..............: 0
packets with FCS.............: 0
WDS packets..................: 6
beacons (with ESSID inside)..: 136135
probe requests...............: 9628
probe responses..............: 110824
association requests.........: 23746
association responses........: 54904
reassociation requests.......: 123
reassociation responses......: 154
authentications..............: 4
authentications (OPEN SYSTEM): 244635
authentications (BROADCOM)...: 34232
authentications (SONOS)......: 4
authentications (APPLE)......: 24
EAPOL packets................: 20527
EAPOL PMKIDs.................: 147
EAP packets..................: 1056
EAP START packets............: 13
found........................: EAP type ID
found........................: PEAP Authentication
best handshakes..............: 210 (ap-less: 115)

The statistics shows that hcxdumptool got 147 PMKIDs (client-less) and 115 M2 from single clients (ap-less), but only 95 handshakes from old school attack vector (deauthentication). More and more VENDORs activated Protected Managament Frames (PMF), so deauthentication attacks no longer work.


With the latest commit, I changed handling of authentications. From now on hcxdumptool will only store variations of authentications. We do not need standard authentications (open system length 6) any longer for further going analysis.
That will reduce pcapng size from: 244635
authentications (OPEN SYSTEM): 244635
to: 4 +24232 +4 +24
authentications..............: 4
authentications (BROADCOM)...: 34232
authentications (SONOS)......: 4
authentications (APPLE)......: 24

We can reduce this size, too, if we will know all secrets about this VENDOR specific authentications.

Success rate of the PMKID attack vector? Read more here:
https://forum.hashkiller.co.uk/topic-view.aspx?t=25374&m=183735#183735


RE: New attack on WPA/WPA2 using PMKID - awdmesh - 08-16-2018

@ ZerBea

Switched to one of my Ubuntu servers and running hashcat with one wordlist using -m 16800 works fine. Figured out that in K*A*L*I without a gpu that by installing the open-cL with GUI and selecting the second cpu listing shown by hashcat -I and -d 2 it runs just fine in that OS too.