Half Handshake Tools?
#8
(09-20-2022, 08:13 AM)ZerBea Wrote: PM are disabled because I received too many cracking requests - all other questions should be answered publicly.

Fair enough.

(09-20-2022, 08:13 AM)ZerBea Wrote: tshark is not the best choice to get a handshake. It is a passive tool and doesn't take care of packet loss, EAPOL TIMER values and REPLAY COUNTER values (as all passive tools).

I forgot to mention that the AP is being created by me and tshark is being run with the same computer hosting the AP. Does this matter with tshark or is it the same anyway as you mentioned above and I would still need an active tool?

Just in case, I am using this tool for hosting the AP, if you have a better option please let me know:
https://github.com/oblique/create_ap

(09-20-2022, 08:13 AM)ZerBea Wrote: hcxpcapngtool (default options) didn't convert the handshake, because the criteria to calculate a valid MESSAGE PAIR are not met.

Criteria:

M1 M2 -> REPLAY COUNTER value must match and EAPOL TIME GAP between M1 and M2 must be <= 20000 msec!

If these conditions are not met, it is not possible to get a valid handshake (valid = get a MESSAGEPAIR of which hashcat can get a PSK) by default options of hcxpcapngtool and hashcat (ignore REPLAY COUNTER value if NONCE ERROR CORRECTION is possible).

So let me see if I understand: even though I hosted the AP and captured the packets within the EAPOL TIME GAP 20000 msec limit from the same computer hosting the AP, since tshark does not save this information, there is absolutely no way to get a valid handshake?

(09-20-2022, 08:13 AM)ZerBea Wrote: BTW:

This will not happen if you use an active tool that interacts with the target (calculate NONCEs, REPLAY COUNT and EAPOL TIME to retrieve a valid hash, detect packet loss).

hcxdumptool and hcxlabtool calculate all these values to get M1M2 challenges from a mobile target (a passive dumper does not):

Code:
ACCESS POINT (ROGUE)......: 3cb87af43ec0 (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: 3cb87af43ec1 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 3cb87af43ec2 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: e00db925c846
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 62144
ANONCE....................: 94b3fa60baf0817cf3c18357a018050c89589ef433cf1b0e5795eceddabae3f9
SNONCE....................: ab3e5f717975b4d98b869d936d2ddd9abf04b85ae5344c0f4fda6d8d06df47ec

How many (different) challenges should be received can be controlled by stop_client_m2_attacks (hcxdumptool):

Code:
--stop_client_m2_attacks=<digit>  : stop attacks against CLIENTS after 10 M2 frames received
                                    affected: ap-less (EAPOL 2/4 - M2) attack

or m2attempt (hcxlabtool series):

Code:
--m2attempt=<digit>      : reject CLIENT request after n received M2 frames
                            default: 2 received M2 frames

I have a couple of questions regarding this:

1. Would I then need another interface (wlan1) to run hcxdumptool since I am already using wlan0 to host the fake AP?

2. Can I only use hcxdumptool to automate this attack? (host the fake AP AND capture M1M2 challenges with the required information for hcxpcapngtool) If so, what would be the full command so that it creates the AP and only targets that AP and clients authenticating to it exclusively?

This is the command I ran while I hosted the fake AP on wlan0. This required me to have another wireless interface:
hcxdumptool -o hash.pcap -i wlan1 --filterlist_ap=fakeapfilter.txt --filtermode=2 --enable_status 3

I am aware that with bettercap I can host a fake access point with wifi.ap.ssid and set the encryption with wifi.ap.encryption, but I have not tested this yet.
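As an added example (not from this thread and not code from the hcx tools), a small Python check of the MESSAGE PAIR criteria quoted above: it classifies EAPOL-Key frames as M1..M4 from their Key Information bits, then pairs an M1 with an M2 only when both sit on the same AP/client link, carry the same REPLAY COUNTER and the M2 arrives within the EAPOL time gap (20000 msec here, as in the quote). The MAC addresses, nonces and timestamps are constructed, and NONCE ERROR CORRECTION is deliberately not modelled.

```python
import struct
from collections import namedtuple

# Key Information bits of an EAPOL-Key frame (IEEE 802.11) that tell M1..M4 apart
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200
EapolKey = namedtuple("EapolKey", "ts_ms src dst msg replay nonce")  # nonce = ANONCE or SNONCE

def parse_eapol_key(ts_ms, src, dst, frame):
    """Classify one EAPOL-Key frame as M1..M4 and pull out its REPLAY COUNTER and nonce."""
    if len(frame) < 4 + 95 or frame[1] != 3:  # EAPOL packet type 3 = EAPOL-Key
        return None
    body = frame[4:]  # descriptor type, key info, key length, replay counter, nonce, ...
    key_info, _key_len, replay = struct.unpack(">HHQ", body[1:13])
    ack, mic, secure, install = (bool(key_info & b) for b in (KI_ACK, KI_MIC, KI_SECURE, KI_INSTALL))
    if ack and not mic:
        msg = 1
    elif mic and not ack:
        msg = 4 if secure else 2
    elif ack and mic and install:
        msg = 3
    else:
        return None
    return EapolKey(ts_ms, src, dst, msg, replay, body[13:45])

def find_message_pairs(frames, max_gap_ms=20000):
    """Return (M1, M2) pairs: same AP<->client link, equal REPLAY COUNTER, M2 at most max_gap_ms after M1."""
    pairs = []
    for m2 in (f for f in frames if f and f.msg == 2):
        for m1 in (f for f in frames if f and f.msg == 1):
            same_link = m1.src == m2.dst and m1.dst == m2.src
            if same_link and m1.replay == m2.replay and 0 <= m2.ts_ms - m1.ts_ms <= max_gap_ms:
                pairs.append((m1, m2))
                break
    return pairs

def build_key_frame(key_info, replay, nonce):
    """Constructed EAPOL-Key frame for the sample below; fields after the nonce are zeroed."""
    body = bytes([2]) + struct.pack(">HHQ", key_info, 16, replay) + nonce + bytes(50)
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body

# constructed sample capture: locally administered MACs, dummy nonces, timestamps in ms
AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
SAMPLE = [
    parse_eapol_key(1000, AP, STA, build_key_frame(0x008A, 1, ANONCE)),   # M1, replay 1
    parse_eapol_key(1030, STA, AP, build_key_frame(0x010A, 1, SNONCE)),   # M2, replay 1: valid pair
    parse_eapol_key(5000, AP, STA, build_key_frame(0x008A, 2, ANONCE)),   # M1, replay 2
    parse_eapol_key(40000, STA, AP, build_key_frame(0x010A, 2, SNONCE)),  # M2 35 s later: gap too large
    parse_eapol_key(60000, AP, STA, build_key_frame(0x008A, 7, ANONCE)),  # M1 whose own M2 was lost
    parse_eapol_key(60020, STA, AP, build_key_frame(0x010A, 8, SNONCE)),  # M2 with a different counter
]
```

Only the first M1/M2 pair of the sample passes; the other two M2 frames fail the time gap and the replay counter criteria respectively, which is the situation a passive capture leaves you in.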