Well, it is a new attack vector and a nice playground.
Take a look at the statistics of a typical hcxdumptool pcapng file. I got this one from a tester:
summary:
file name....................: fieldtest.pcapng
file type....................: pcapng 1.0
file hardware information....: armv6l
file os information..........: Linux 4.14.59-1-ARCH
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 609306
skipped packets..............: 0
packets with FCS.............: 0
WDS packets..................: 6
beacons (with ESSID inside)..: 136135
probe requests...............: 9628
probe responses..............: 110824
association requests.........: 23746
association responses........: 54904
reassociation requests.......: 123
reassociation responses......: 154
authentications..............: 4
authentications (OPEN SYSTEM): 244635
authentications (BROADCOM)...: 34232
authentications (SONOS)......: 4
authentications (APPLE)......: 24
EAPOL packets................: 20527
EAPOL PMKIDs.................: 147
EAP packets..................: 1056
EAP START packets............: 13
found........................: EAP type ID
found........................: PEAP Authentication
best handshakes..............: 210 (ap-less: 115)
The statistics shows that hcxdumptool got 147 PMKIDs (client-less) and 115 M2 from single clients (ap-less), but only 95 handshakes from old school attack vector (deauthentication). More and more VENDORs activated Protected Managament Frames (PMF), so deauthentication attacks no longer work.
With the latest commit, I changed handling of authentications. From now on hcxdumptool will only store variations of authentications. We do not need standard authentications (open system length 6) any longer for further going analysis.
That will reduce pcapng size from: 244635
authentications (OPEN SYSTEM): 244635
to: 4 +24232 +4 +24
authentications..............: 4
authentications (BROADCOM)...: 34232
authentications (SONOS)......: 4
authentications (APPLE)......: 24
We can reduce this size, too, if we will know all secrets about this VENDOR specific authentications.
Success rate of the PMKID attack vector? Read more here:
https://forum.hashkiller.co.uk/topic-vie...735#183735
Take a look at the statistics of a typical hcxdumptool pcapng file. I got this one from a tester:
summary:
file name....................: fieldtest.pcapng
file type....................: pcapng 1.0
file hardware information....: armv6l
file os information..........: Linux 4.14.59-1-ARCH
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 609306
skipped packets..............: 0
packets with FCS.............: 0
WDS packets..................: 6
beacons (with ESSID inside)..: 136135
probe requests...............: 9628
probe responses..............: 110824
association requests.........: 23746
association responses........: 54904
reassociation requests.......: 123
reassociation responses......: 154
authentications..............: 4
authentications (OPEN SYSTEM): 244635
authentications (BROADCOM)...: 34232
authentications (SONOS)......: 4
authentications (APPLE)......: 24
EAPOL packets................: 20527
EAPOL PMKIDs.................: 147
EAP packets..................: 1056
EAP START packets............: 13
found........................: EAP type ID
found........................: PEAP Authentication
best handshakes..............: 210 (ap-less: 115)
The statistics shows that hcxdumptool got 147 PMKIDs (client-less) and 115 M2 from single clients (ap-less), but only 95 handshakes from old school attack vector (deauthentication). More and more VENDORs activated Protected Managament Frames (PMF), so deauthentication attacks no longer work.
With the latest commit, I changed handling of authentications. From now on hcxdumptool will only store variations of authentications. We do not need standard authentications (open system length 6) any longer for further going analysis.
That will reduce pcapng size from: 244635
authentications (OPEN SYSTEM): 244635
to: 4 +24232 +4 +24
authentications..............: 4
authentications (BROADCOM)...: 34232
authentications (SONOS)......: 4
authentications (APPLE)......: 24
We can reduce this size, too, if we will know all secrets about this VENDOR specific authentications.
Success rate of the PMKID attack vector? Read more here:
https://forum.hashkiller.co.uk/topic-vie...735#183735