(06-03-2023, 07:59 AM)ZerBea Wrote: A promising attack always starts with a state of the art tool to attack the target over the air.
Dumping a BEACON and a 4way handshake or a PMKID only is far from that.
Once you got a pcapng dump file that contains all this information you have to analyze it.
https://github.com/ZerBea/hcxtools/issues/265
First test if the PSK is inside the pcapng file. Some CLIENTs transmit it in the clear.
Now test if the PSK is calculated from the BSSID (or part of the BSSID).
Then test if the PSK is calculated from the ESSID (or part of the ESSID).
https://forum.hashkiller.io/index.php?th...ost-332565
Check if a keygen exists:
https://github.com/routerkeygen/routerkeygenPC
Check if the key space is known (hcxpsktool):
https://github.com/ZerBea/hcxtools
Then try some common wordlists:
https://wpa-sec.stanev.org
https://hashmob.net/resources/hashmob
Generate a base list from known PSKs (hcxeiutool) and run a rule on it.
Find a pattern and run a mask (e.g. AndroidAP: ?l?l?l?l?d?d?d?d).
With regard to running wordlist attacks (such as using the ones you suggested, or the 3wifi dict), what, in your experience, are the best rules to run in conjunction with these? I've recently been trying best64 with both wpa-sec's 'cracked' and 3wifi's key/pass dict and have had less than desirable results (only cracking 2 out of 48 WPA/WPA2-PSK hashes from a testing environment) in both cases; and the two which cracked could have been cracked with rockyou...
Any advice much appreciated.
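The first steps of the quoted workflow (is the PSK derived from the BSSID or ESSID, and what mask do the already cracked PSKs follow) can be tried by hand before touching hcxpsktool or hashcat. The script below is an added example written for this post, not ZerBea's code and not part of hcxtools. It parses a hashcat 22000 line of type 01 (PMKID), derives a handful of BSSID/ESSID based candidates, verifies them against the PMKID (PMK = PBKDF2-HMAC-SHA1, PMKID = HMAC-SHA1-128 over "PMK Name" || MAC_AP || MAC_STA), and turns a list of cracked PSKs into hashcat mask statistics. The sample hash line, MACs, ESSID and PSK are constructed inside the script so that it runs offline; the candidate derivations in identifier_candidates are my own small set of assumptions, not the full keyspace logic of hcxpsktool.

```python
import hashlib
import hmac
import string
from collections import Counter
from typing import Iterable, Optional


def pmk_from_psk(psk: str, essid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)


def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), i.e. the first 16 bytes."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_22000(line: str) -> dict:
    """hashcat 22000 layout: WPA*TYPE*PMKID/MIC*MAC_AP*MAC_CLIENT*ESSID(hex)*ANONCE*EAPOL*MESSAGEPAIR.
    Only TYPE 01 (PMKID) is handled here; TYPE 02 (EAPOL/MIC) needs the full PTK derivation."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] != "01":
        raise ValueError("only WPA*01 (PMKID) lines are handled in this example")
    return {
        "pmkid": bytes.fromhex(f[2]),
        "ap": bytes.fromhex(f[3]),
        "sta": bytes.fromhex(f[4]),
        "essid": bytes.fromhex(f[5]),
    }


def identifier_candidates(essid: bytes, ap: bytes) -> list:
    """Cheap 'PSK derived from BSSID / ESSID' guesses (assumed heuristics, not hcxpsktool's list).
    WPA passphrases are 8..63 characters, so shorter derivations are dropped."""
    bssid = ap.hex()
    name = essid.decode(errors="replace")
    raw = [bssid, bssid[-8:], bssid[-10:], bssid[2:],          # whole/partial BSSID
           name, "".join(ch for ch in name if ch.isdigit())]   # whole ESSID / its digits
    out = []
    for c in raw:
        for v in (c.lower(), c.upper()):
            if 8 <= len(v) <= 63 and v not in out:
                out.append(v)
    return out


def recover_pmkid(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose PMKID matches the captured one, else None."""
    t = parse_22000(line)
    for psk in candidates:
        if pmkid_from_pmk(pmk_from_psk(psk, t["essid"]), t["ap"], t["sta"]) == t["pmkid"]:
            return psk
    return None


def mask_of(psk: str) -> str:
    """hashcat charset classes for one PSK, e.g. 'abcd1234' -> '?l?l?l?l?d?d?d?d'.
    Anything outside a-z / A-Z / 0-9 is folded into ?s here (good enough for statistics)."""
    out = []
    for ch in psk:
        if ch in string.ascii_lowercase:
            out.append("?l")
        elif ch in string.ascii_uppercase:
            out.append("?u")
        elif ch in string.digits:
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def mask_stats(psks: Iterable[str]) -> Counter:
    """Count masks over cracked PSKs; the most common ones are worth a mask attack."""
    return Counter(mask_of(p) for p in psks)


def build_sample_line(psk: str, essid: str, ap_hex: str, sta_hex: str) -> str:
    """Constructed test vector: the PMKID is computed here, so nothing real is captured."""
    ap, sta = bytes.fromhex(ap_hex), bytes.fromhex(sta_hex)
    pmkid = pmkid_from_pmk(pmk_from_psk(psk, essid.encode()), ap, sta)
    return f"WPA*01*{pmkid.hex()}*{ap_hex}*{sta_hex}*{essid.encode().hex()}***"


# Constructed sample: made-up BSSID/client MAC, PSK = last 8 hex digits of the BSSID in upper case.
SAMPLE_AP = "00117f0a1b2c"
SAMPLE_STA = "020000aabbcc"
SAMPLE_ESSID = "HomeNet-7F0A"
SAMPLE_PSK = "7F0A1B2C"
SAMPLE_LINE = build_sample_line(SAMPLE_PSK, SAMPLE_ESSID, SAMPLE_AP, SAMPLE_STA)

# Constructed list standing in for a potfile of already cracked PSKs.
SAMPLE_CRACKED = ["abcd1234", "wxyz0001", "Hxyz9876", "password1"]

if __name__ == "__main__":
    t = parse_22000(SAMPLE_LINE)
    print("identifier candidates:", identifier_candidates(t["essid"], t["ap"]))
    print("recovered PSK:", recover_pmkid(SAMPLE_LINE, identifier_candidates(t["essid"], t["ap"])))
    for mask, n in mask_stats(SAMPLE_CRACKED).most_common():
        print(f"{n:3d}  {mask}")
```

The identifier check costs a dozen PBKDF2 runs, so it is free compared with a wordlist pass; if it hits, the network is a keygen candidate rather than a wordlist problem. The mask statistics are what you would look at before reaching for best64: a rule set only helps when the target PSKs are mutations of dictionary words, and a potfile dominated by masks like ?l?l?l?l?d?d?d?d or ?d?d?d?d?d?d?d?d says they are not.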