If you mean, that we have two steps, you got it:
step1 = derivation of Plainmasterkey (PMK), for example by PBKFD2
step2 = derivation of Pairwise Transient Key (PTK) to get access to the network (EAPOL 4/4 handshake)
Let's take a look at SAE (sae4way.pcapng):
packet 4 and 5 contain the commit messages from client (4) and access point (5)
packet 6 and 7 contain the confirm messages from client (6) and access point (7)
the PMK is calculated from packet 6 and 7 (PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r)) and used by the following EAPOL handshake (packet 10, 11, 12, 13)
packet 10 contain a PMKID calculated by PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)
Laboratoy environment:
$ hcxdumptool -I
wlan interfaces:
c83a35c24fbc wlp39s0f3u4u4 (rt2800usb) = SAE client
c83a35ce463f wlp39s0f3u4u1 (rt2800usb) = SAE access point
c83a35cc88c9 wlp3s0f0u1 (rt2800usb) = hcxdumptool
used adapters:
TENDA W311U+ (cheaper than ALFAs, less power consumption, driver well suported, and more... - I like them)
latest hcxdumptool is used to capture traffic:
sae4way.pcapng.zip (Size: 1.57 KB / Downloads: 23)
Latest hcxpcaptool is able to parse a SAE4way handshake to hashcat. So please use it for this example
$ hcxpcaptool -o saetest.hccapx -z saetest.16800 sae4way.pcapng
summary:
file name....................: sae4way.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.16-arch1-1-ARCH
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 15
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 1
probe requests...............: 1
probe responses..............: 1
association requests.........: 1
association responses........: 1
authentications (SAE)........: 4
EAPOL packets................: 7
EAPOL PMKIDs.................: 1
best handshakes..............: 1 (ap-less: 0)
1 handshake(s) written to saetest.hccapx
1 PMKID(s) written to saetest.16800
The calculated PMK
(PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r))
from the SAE authentication is:
3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
we store it in our wordlist (sae4way.pmkfile)
Let's verfify the PMK by hashcat using hashmode 2501:
$ hashcat -m 2501 saetest.hccapx sae4way.pmkfile
hashcat (v5.0.0-52-g2aff01b2) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-EAPOL-PMK
Hash.Target......: mynet (AP:c8:3a:35:ce:46:3f STA:c8:3a:35:c2:4f:bc)
Time.Started.....: Sat Nov 10 10:29:28 2018 (0 secs)
Time.Estimated...: Sat Nov 10 10:29:28 2018 (0 secs)
Guess.Base.......: File (sae4way.pmkfile)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1603 H/s (0.00ms) @ Accel:512 Loops:1024 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
Hardware.Mon.#1..: Temp: 44c Fan: 29% Util: 52% Core:1657MHz Mem:5005MHz Bus:16
c073532f1526da27c4c96b6f8031a027:c83a35ce463f:c83a35c24fbc:mynet:3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
hashcat verified the PMK, succefully!
Let's verify the PMKID by hashcat suing hashmode 16801 (we will fail epically...):
$ hashcat -m 16801 saetest.16800 sae4way.pmkfile
hashcat (v5.0.0-52-g2aff01b2) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PMK
Hash.Target......: ea5aad4e27b22c46f883737ca5a058bd*c83a35ce463f*c83a3...6e6574
Time.Started.....: Sat Nov 10 10:28:12 2018 (1 sec)
Time.Estimated...: Sat Nov 10 10:28:13 2018 (0 secs)
Guess.Base.......: File (sae4way.pmkfile)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2459 H/s (0.00ms) @ Accel:512 Loops:1024 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
Hardware.Mon.#1..: Temp: 39c Fan: 29% Util: 1% Core:1911MHz Mem:5005MHz Bus:16
As expected, we failed to verify the PMKID, because it is not calculated by PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
Keep in mind:
This example is not(!) a SAE crack!
This example is not(!) a WPA3 crack!
step1 = derivation of Plainmasterkey (PMK), for example by PBKFD2
step2 = derivation of Pairwise Transient Key (PTK) to get access to the network (EAPOL 4/4 handshake)
Let's take a look at SAE (sae4way.pcapng):
packet 4 and 5 contain the commit messages from client (4) and access point (5)
packet 6 and 7 contain the confirm messages from client (6) and access point (7)
the PMK is calculated from packet 6 and 7 (PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r)) and used by the following EAPOL handshake (packet 10, 11, 12, 13)
packet 10 contain a PMKID calculated by PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)
Laboratoy environment:
$ hcxdumptool -I
wlan interfaces:
c83a35c24fbc wlp39s0f3u4u4 (rt2800usb) = SAE client
c83a35ce463f wlp39s0f3u4u1 (rt2800usb) = SAE access point
c83a35cc88c9 wlp3s0f0u1 (rt2800usb) = hcxdumptool
used adapters:
TENDA W311U+ (cheaper than ALFAs, less power consumption, driver well suported, and more... - I like them)
latest hcxdumptool is used to capture traffic:
sae4way.pcapng.zip (Size: 1.57 KB / Downloads: 23)
Latest hcxpcaptool is able to parse a SAE4way handshake to hashcat. So please use it for this example
$ hcxpcaptool -o saetest.hccapx -z saetest.16800 sae4way.pcapng
summary:
file name....................: sae4way.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.16-arch1-1-ARCH
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 15
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 1
probe requests...............: 1
probe responses..............: 1
association requests.........: 1
association responses........: 1
authentications (SAE)........: 4
EAPOL packets................: 7
EAPOL PMKIDs.................: 1
best handshakes..............: 1 (ap-less: 0)
1 handshake(s) written to saetest.hccapx
1 PMKID(s) written to saetest.16800
The calculated PMK
(PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r))
from the SAE authentication is:
3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
we store it in our wordlist (sae4way.pmkfile)
Let's verfify the PMK by hashcat using hashmode 2501:
$ hashcat -m 2501 saetest.hccapx sae4way.pmkfile
hashcat (v5.0.0-52-g2aff01b2) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-EAPOL-PMK
Hash.Target......: mynet (AP:c8:3a:35:ce:46:3f STA:c8:3a:35:c2:4f:bc)
Time.Started.....: Sat Nov 10 10:29:28 2018 (0 secs)
Time.Estimated...: Sat Nov 10 10:29:28 2018 (0 secs)
Guess.Base.......: File (sae4way.pmkfile)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1603 H/s (0.00ms) @ Accel:512 Loops:1024 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
Hardware.Mon.#1..: Temp: 44c Fan: 29% Util: 52% Core:1657MHz Mem:5005MHz Bus:16
c073532f1526da27c4c96b6f8031a027:c83a35ce463f:c83a35c24fbc:mynet:3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
hashcat verified the PMK, succefully!
Let's verify the PMKID by hashcat suing hashmode 16801 (we will fail epically...):
$ hashcat -m 16801 saetest.16800 sae4way.pmkfile
hashcat (v5.0.0-52-g2aff01b2) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PMK
Hash.Target......: ea5aad4e27b22c46f883737ca5a058bd*c83a35ce463f*c83a3...6e6574
Time.Started.....: Sat Nov 10 10:28:12 2018 (1 sec)
Time.Estimated...: Sat Nov 10 10:28:13 2018 (0 secs)
Guess.Base.......: File (sae4way.pmkfile)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2459 H/s (0.00ms) @ Accel:512 Loops:1024 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
Hardware.Mon.#1..: Temp: 39c Fan: 29% Util: 1% Core:1911MHz Mem:5005MHz Bus:16
As expected, we failed to verify the PMKID, because it is not calculated by PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
Keep in mind:
This example is not(!) a SAE crack!
This example is not(!) a WPA3 crack!