Some IoT devices transmit the PSK in the clear.
If a user made a type (PSK instead ESSID), the device transmit the PSK in the clear.
A misconfigured device can cause that the PSK is transmitted in the clear.
-E will store them to a list
-I will store received identities (that include IMEIs) to a list
-U will store received usernames to a list
All this lists can be used to create new wordlists.
BTW:
I decided to make my test tool (hcxpmktool) public.
It provide various tests on a single hash line (-m 22000 WPA 01 and WPA 02) in combination with ESSIDs, PSKs and PMKs. It will help you to understand better how things (PBKDF2) relate. Nearly every PBKDF2 combination (used in WPA) is possible:
ESSID + PSK
ESSID + PMK
ESSID + PSK + 22000 hash line
PSK + 22000 hash line
PMK + 22000 hash line
Some examples (22000 example hash taken from here: https://hashcat.net/wiki/doku.php?id=example_hashes)
If a user made a type (PSK instead ESSID), the device transmit the PSK in the clear.
A misconfigured device can cause that the PSK is transmitted in the clear.
-E will store them to a list
-I will store received identities (that include IMEIs) to a list
-U will store received usernames to a list
All this lists can be used to create new wordlists.
BTW:
I decided to make my test tool (hcxpmktool) public.
It provide various tests on a single hash line (-m 22000 WPA 01 and WPA 02) in combination with ESSIDs, PSKs and PMKs. It will help you to understand better how things (PBKDF2) relate. Nearly every PBKDF2 combination (used in WPA) is possible:
ESSID + PSK
ESSID + PMK
ESSID + PSK + 22000 hash line
PSK + 22000 hash line
PMK + 22000 hash line
Some examples (22000 example hash taken from here: https://hashcat.net/wiki/doku.php?id=example_hashes)
Code:
$ hcxpmktool -i WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964*** -p 'hashcat!'
ESSID.............: hashcat-essid
PSK .............: hashcat!
PMK...............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PMKID (calculated): 4d4fe7aac3a2cecab195321ceb99a7d0
PMKID (hash line).: 4d4fe7aac3a2cecab195321ceb99a7d0 (equal)
$ hcxpmktool -i WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964*** -m 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
ESSID.............: hashcat-essid
PMK...............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PMKID (calculated): 4d4fe7aac3a2cecab195321ceb99a7d0
PMKID (hash line).: 4d4fe7aac3a2cecab195321ceb99a7d0 (equal)
$ hcxpmktool -e hashcat-essid -m 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
ESSID............: hashcat-essid
PMK..............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PBKDF2-HMAC-SHA1.: sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw=
use hashcat -m 12000 to recover the PSK
$ hashcat -m 12000 sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw= -a 3 'hashcat!'
hashcat (v6.1.1-120-g15bf8b730) starting...
sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw=:hashcat!
Session..........: hashcat
Status...........: Cracked
Hash.Name........: PBKDF2-HMAC-SHA1
Hash.Target......: sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnn...OVNdw=
Time.Started.....: Sun Feb 28 17:03:42 2021 (0 secs)
Time.Estimated...: Sun Feb 28 17:03:42 2021 (0 secs)
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 49 H/s (0.22ms) @ Accel:16 Loops:64 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4032-4095
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 50c Fan: 34% Util: 31% Core:1506MHz Mem:5005MHz Bus:16
Started: Sun Feb 28 17:03:41 2021
Stopped: Sun Feb 28 17:03:44 2021