PMKID Generates Wrong ESSID And Password From Hash
#1
The PMKID that was generated is giving the wrong ESSID and password once the hash is cracked. I double-checked when I ran airodump-ng, and the ESSID and BSSID are not the right ones once the PMKID hash is cracked. I'm trying to figure out why this is happening. Usually hashcat is accurate. I double-checked everything before posting this.
Reply
#2
This is very difficult to answer, because your question is very imprecise.

A PMKID is transmitted by the access point (AP) or by a client.

There might be something wrong in your workflow. To get a PMKID you must:
1) capture traffic
2) convert to a format hashcat understands (16800)
3) identify your target - remove unwanted PMKIDs from the hash file
4) run hashcat with your wordlist against the target PMKID

Keep in mind:
The ESSID in the hash line is in HEX-ASCII format.
For example, the ESSID "default" is converted to "64656661756c74".
Reply
#3
I'm sorry for the mishap. It also appeared to me after doing some research that sometimes, when running the hcxdumptool command in the terminal, I wouldn't specify the specific channels, AP, etc. that I wanted, so it would randomly just give me any PMKID from a network or channel that I wasn't targeting, so I assumed that was the hash for the target I was targeting when it really wasn't, in essence causing the confusion on my end. I need to be more specific when running the hcxdumptool command to generate the PMKID, it seems. I've seen PMKID videos and this has occurred here and there: hcxdumptool will give random PMKIDs once in a while if you're not specific with the targeted AP.
Reply
#4
Yes, you are quite right there: by default, hcxdumptool attacks everything in range.
You can either set a target (by filter option), or remove unwanted hashes by hand (PMKID hash file) or with wlanhcx2ssid (EAPOL hccapx file).
Good that it works for you at least.
Reply
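The step that went wrong in this thread is #2's step 3 and #4's "remove unwanted hashes by hand": the 16800 file holds one line per PMKID, `PMKID*MAC_AP*MAC_STA*ESSID_HEX`, with the ESSID in hex-ASCII as #2 notes, so the target has to be picked by BSSID rather than by eyeballing the file. The script below is an added example, not code from the thread or from the hashcat/hcx projects: it parses 16800 lines, decodes the ESSID, and keeps only the lines for the BSSID (and/or ESSID) you actually saw in airodump-ng. The sample hash file is constructed (the PMKID values are arbitrary hex, the MACs are made up), and it deliberately contains two different APs both called "default" to show why filtering on the ESSID alone is not enough.

```python
import binascii
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PmkidLine:
    """One hashcat mode 16800 line, split into its fields."""
    pmkid: str    # 32 hex chars
    mac_ap: str   # BSSID: 12 hex chars, lower-case, no separators
    mac_sta: str  # client MAC, same form
    essid: str    # ESSID decoded from its hex-ASCII form
    raw: str      # original line, kept so it can be written back unchanged


def normalize_mac(mac: str) -> str:
    """Accept AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff or aabbccddeeff; return aabbccddeeff."""
    cleaned = mac.strip().lower().replace(":", "").replace("-", "")
    if len(cleaned) != 12 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned


def parse_16800(line: str) -> PmkidLine:
    """Parse PMKID*MAC_AP*MAC_STA*ESSID_HEX; raise ValueError on a malformed line."""
    raw = line.strip()
    parts = raw.split("*")
    if len(parts) != 4:
        raise ValueError(f"expected 4 '*'-separated fields, got {len(parts)}: {raw!r}")
    pmkid, mac_ap, mac_sta, essid_hex = parts
    if len(pmkid) != 32:
        raise ValueError(f"PMKID must be 32 hex chars: {pmkid!r}")
    int(pmkid, 16)  # raises ValueError if the PMKID is not hex
    essid = binascii.unhexlify(essid_hex).decode("utf-8", errors="replace")
    return PmkidLine(pmkid.lower(), normalize_mac(mac_ap), normalize_mac(mac_sta), essid, raw)


def select_target(text: str, bssid: Optional[str] = None,
                  essid: Optional[str] = None) -> List[PmkidLine]:
    """Return only the lines whose AP MAC and/or ESSID match the target."""
    if bssid is None and essid is None:
        raise ValueError("give a target BSSID, an ESSID, or both")
    want_ap = normalize_mac(bssid) if bssid else None
    matches = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_16800(line)
        if want_ap is not None and entry.mac_ap != want_ap:
            continue
        if essid is not None and entry.essid != essid:
            continue
        matches.append(entry)
    return matches


def filter_hash_file(text: str, bssid: Optional[str] = None,
                     essid: Optional[str] = None) -> str:
    """Text to save and feed to hashcat -m 16800: the target's lines, unmodified."""
    return "".join(entry.raw + "\n" for entry in select_target(text, bssid, essid))


# Constructed sample hash file (not a real capture). Two different APs both use
# the ESSID "default" (hex 64656661756c74), as cheap routers often do; a third
# AP is "MyHomeWiFi" and was seen with two clients.
SAMPLE_16800 = """\
0123456789abcdef0123456789abcdef*112233445566*aabbccddeeff*64656661756c74
fedcba9876543210fedcba9876543210*665544332211*aabbccddeeff*64656661756c74
00112233445566778899aabbccddeeff*0a1b2c3d4e5f*aabbccddeeff*4d79486f6d6557694669
ffeeddccbbaa99887766554433221100*0a1b2c3d4e5f*0102030405ff*4d79486f6d6557694669
"""

if __name__ == "__main__":
    # Filtering by ESSID alone keeps both "default" networks; the BSSID from
    # airodump-ng is what pins the hash to the one you actually mean.
    for entry in select_target(SAMPLE_16800, essid="default"):
        print(entry.mac_ap, repr(entry.essid))
    print(filter_hash_file(SAMPLE_16800, bssid="11:22:33:44:55:66"), end="")
```

Save the output of `filter_hash_file()` to a new file and run hashcat against that; if the filtered file is empty, the capture never contained a PMKID for your BSSID and the run needs to be repeated, not the hash file reinterpreted.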
#5
I have a question, though. Say I want to target a specific AP; what hcxdumptool command do I need to run so it targets that AP?
Reply
#6
1. create a filterlist.txt and add the target MAC: 112233445566
2. use options --filterlist=filterlist.txt --filtermode=2

--filterlist=<file> : mac filter list
format: 112233445566 + comment
maximum line length 255, maximum entries 64
run first --do_rcascan to retrieve information about the target

--filtermode=<digit> : mode for filter list
1: use filter list as protection list (default) in transmission branch
receive everything, interact with all APs and CLIENTs in range,
except(!) the ones from the filter list
2: use filter list as target list in transmission branch
receive everything, only interact with APs and CLIENTs in range,
from the filter list
3: use filter list as target list in receiving branch
only receive APs and CLIENTs in range,
from the filter list
Reply
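A small helper for the procedure in #6, added here as an example (not part of the thread or of hcxdumptool): it turns the BSSID as airodump-ng prints it (`AA:BB:CC:DD:EE:FF`) into the `112233445566 + comment` line the filter list expects, enforces the 64-entry and 255-character limits quoted in the help text above, writes `filterlist.txt`, and assembles the command line with `--filterlist`/`--filtermode=2`. The `-i` (interface) and `-o` (pcapng output) options in `hcxdumptool_argv()` are assumed to match the hcxdumptool version in use; check them against your `hcxdumptool --help`, since only `--filterlist`, `--filtermode` and `--do_rcascan` are quoted on this page.

```python
from typing import Iterable, List, Tuple

# Limits quoted in the hcxdumptool help text above.
MAX_ENTRIES = 64
MAX_LINE_LEN = 255


def normalize_mac(mac: str) -> str:
    """airodump-ng prints AA:BB:CC:DD:EE:FF; the filter list wants aabbccddeeff."""
    cleaned = mac.strip().lower().replace(":", "").replace("-", "")
    if len(cleaned) != 12 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned


def filterlist_lines(targets: Iterable[Tuple[str, str]]) -> List[str]:
    """Build the file lines: 12 hex digits, then an optional comment (e.g. the ESSID)."""
    lines: List[str] = []
    for mac, comment in targets:
        line = normalize_mac(mac)
        if comment:
            line += " " + comment.strip()
        if len(line) > MAX_LINE_LEN:
            raise ValueError(f"filter list line longer than {MAX_LINE_LEN}: {line[:20]!r}...")
        lines.append(line)
    if len(lines) > MAX_ENTRIES:
        raise ValueError(f"filter list holds at most {MAX_ENTRIES} entries, got {len(lines)}")
    if not lines:
        # With --filtermode=2 the list is the target list, so an empty one attacks nothing.
        raise ValueError("empty filter list")
    return lines


def write_filterlist(path: str, targets: Iterable[Tuple[str, str]]) -> int:
    """Write filterlist.txt and return the number of entries written."""
    lines = filterlist_lines(targets)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


def hcxdumptool_argv(interface: str, filterlist_path: str, pcapng_out: str) -> List[str]:
    """Command line for the targeted run. --filterlist/--filtermode are from the help
    text above; -i and -o are assumed (check them against hcxdumptool --help)."""
    return ["hcxdumptool", "-i", interface, "-o", pcapng_out,
            f"--filterlist={filterlist_path}", "--filtermode=2"]


if __name__ == "__main__":
    import os
    import tempfile
    # Constructed target: the BSSID from #6's example, with the ESSID as a comment.
    targets = [("11:22:33:44:55:66", "default (target from airodump-ng)")]
    path = os.path.join(tempfile.mkdtemp(), "filterlist.txt")
    print(write_filterlist(path, targets), "entries written to", path)
    print(open(path).read(), end="")
    print(" ".join(hcxdumptool_argv("wlan0mon", path, "target.pcapng")))
```

Run `--do_rcascan` first, as the help text says, to confirm the BSSID before committing it to the list; with `--filtermode=2` a typo in the MAC means hcxdumptool interacts with nothing and the capture simply stays empty.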
#7
Ok, what's in the filterlist.txt? Isn't that the MAC address?
Reply
#8
Yes, that is the MAC of the access point.
Reply
#9
Ok, I get it now. Thanks for your patience and for clarifying my issue.
Reply
#10
No problem, you're welcome.
Reply