Crack WPA2 (.hc22000 file) with list not completing
#11
Glad to hear that Windows now stopped sending faulty PMKIDs. Thanks for this information.
Unfortunately I found no pattern to distinguish between a faulty Windows 7 PMKID and a correct one.


Also thanks for reporting that log entry issue.
It is a nasty copy-and-paste error that should be fixed by this commit:
https://github.com/ZerBea/hcxdumptool/co...940087b3dc
and this commit:
https://github.com/ZerBea/hcxdumptool/co...56c817addf
Now the log function calls are where they belong: a log entry is written only if we really transmit.

To answer your question:
2412 = Frequency in MHz
1 = Channel

Since this commit, the scan engine changed from channel scan to frequency scan.
https://github.com/ZerBea/hcxdumptool/co...1ec9365a4f
That was necessary because the channel range (band 5 and band 6) is no longer unique:
https://en.wikipedia.org/wiki/List_of_WLAN_channels
From now on, information about both frequency and channel is available, and you can use both as input. However, this will not work on the 6 GHz band, because nearly the same channel range is in use.

Frequency/channel behavior of ioctl(SIOCSIWFREQ) is referenced here:
https://github.com/torvalds/linux/blob/m...ess.h#L910

BTW:
I noticed that using frequencies instead of channels is a little bit faster.
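Added example in Python, not hcxdumptool code and not the kernel header linked above, to make the post's point concrete: a centre frequency identifies the band on its own, while a bare channel number can mean several frequencies once the 6 GHz band is in play, which is why scanning by frequency is the safer key. Assumptions: the per-band 20 MHz channel sets follow IEEE 802.11 channel numbering (freq = base + 5 * channel, with channel 14 and 6 GHz channel 2 special-cased) and ignore regulatory domains; the function names and the cross-check of the "2412/1" Fr/Ch field (the form used in the log excerpt later in this thread) are the example's own.

```python
# Added example (not hcxdumptool code): frequency <-> channel mapping and the
# channel numbers that are ambiguous across bands. Channel sets are an
# assumption for illustration (IEEE 802.11 numbering, no regulatory filtering).

BANDS = {
    # band: (base MHz, 20 MHz channel numbers); freq = base + 5 * channel,
    # except 2.4 GHz channel 14 (2484 MHz) and 6 GHz channel 2 (5935 MHz).
    "2.4GHz": (2407, list(range(1, 15))),
    "5GHz":   (5000, list(range(36, 65, 4)) + list(range(100, 145, 4))
                     + list(range(149, 178, 4))),
    "6GHz":   (5950, [2] + list(range(1, 234, 4))),
}

def channel_to_freq(channel, band):
    """Centre frequency in MHz for a (channel, band) pair; the band is mandatory."""
    if band == "2.4GHz" and channel == 14:
        return 2484
    if band == "6GHz" and channel == 2:
        return 5935
    base, channels = BANDS[band]
    if channel not in channels:
        raise ValueError(f"channel {channel} is not a 20 MHz channel in {band}")
    return base + 5 * channel

def freq_to_channel(freq):
    """(channel, band) for a centre frequency in MHz; no band argument is needed."""
    if freq == 2484:
        return 14, "2.4GHz"
    if freq == 5935:
        return 2, "6GHz"
    for band, lo, hi in (("2.4GHz", 2412, 2472), ("5GHz", 5180, 5885), ("6GHz", 5955, 7115)):
        if lo <= freq <= hi:
            base, channels = BANDS[band]
            channel, rem = divmod(freq - base, 5)
            if rem == 0 and channel in channels:
                return channel, band
    raise ValueError(f"{freq} MHz is not a 20 MHz channel centre frequency")

def ambiguous_channels():
    """Channel numbers that exist in more than one band, with every frequency they can mean."""
    seen = {}
    for band, (_, channels) in BANDS.items():
        for ch in channels:
            seen.setdefault(ch, []).append((band, channel_to_freq(ch, band)))
    return {ch: hits for ch, hits in seen.items() if len(hits) > 1}

def check_status_field(field):
    """Cross-check the 'Fr/Ch' column of the hcxdumptool log, e.g. '2412/1'.
    Returns (freq, channel, band, consistent)."""
    freq, channel = (int(x) for x in field.split("/"))
    expected, band = freq_to_channel(freq)
    return freq, channel, band, channel == expected

if __name__ == "__main__":
    print(check_status_field("2412/1"))
    for ch, hits in sorted(ambiguous_channels().items()):
        print(f"channel {ch:3d} ->", ", ".join(f"{band} {mhz} MHz" for band, mhz in hits))
```

Running it lists channels 1, 2, 5, 9 and 13 (2.4 GHz or 6 GHz) and 149 through 177 (5 GHz or 6 GHz) as ambiguous, while every frequency maps to exactly one (channel, band) pair.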
#12
Quote: To answer your question:
2412 = Frequency in MHz
1 = Channel

Sure! I know that! But I completely forgot this morning. It flew out of my head.
I think it's a good idea to add a header reminder to the logfile.
Besides, if you shift the internal status line slightly, it will be easier for the eyes to find that line.
Especially if the logfile is quite large.
Please see examples below.

# hcxdumptool  -i wlan0  -o dump.pcapng  --silent  --enable_status=95  -c 1

initialization of hcxdumptool 6.2.5-7-g4d7c072...
start capturing (stop with ctrl+c)
...
...
ANONCE....................: d698dfa621a0743336e4e466397418a4e8caccf4ea6af648b14cdd68771677fd
SNONCE....................: cedb8eacf87de069139f3052457e1aee3e48f06d16de9dac2d1632965d0fbadf

--------+-------+-------------+------------+----------------------------------------
  Time  | Fr/Ch |  Dest. MAC  | Source MAC | SSID / Description
--------+-------+-------------+------------+----------------------------------------
23:05:56 2412/1  ffffffffffff 020000000001 ap01 [BEACON]
23:05:57 2412/1  506070abfedc 020000000001 ap01 [PROBERESPONSE]
23:06:00 2412/1    ERROR:0 INCOMING:304 AGE:1 OUTGOING:0 PMKIDROGUE:0 PMKID:0 M1M2ROGUE:0 M1M2:0 M2M3:0 M3M4:0 M3M4ZEROED:0 GPS:0
23:06:12 2412/1  020000000020 020000000001 ap01 [AUTHENTICATION]
23:06:12 2412/1  020000000020 020000000001 ap01 [ASSOCIATION]
23:06:12 2412/1  020000000020 020000000001 ap01 [EAPOL:M1M2 EAPOLTIME:1697 RC:0 KDV:2 PSK:12345678]
23:06:12 2412/1  020000000020 020000000001 ap01 [EAPOL:M2M3 EAPOLTIME:8516 RC:1 KDV:2 PSK:12345678]
23:06:12 2412/1  020000000020 020000000001 ap01 [EAPOL:M3M4ZEROED EAPOLTIME:67 RC:1 KDV:2]
23:07:00 2412/1    ERROR:0 INCOMING:5962 AGE:1 OUTGOING:0 PMKIDROGUE:0 PMKID:0 M1M2ROGUE:0 M1M2:1 M2M3:1 M3M4:0 M3M4ZEROED:1 GPS:0
23:07:02 2412/1  708070abab00 000bf4ad5401 To be, or not to be [ROGUE PROBERESPONSE]
#13
Nice feature requests.
Added header by this commit:
https://github.com/ZerBea/hcxdumptool/co...391360eb38
and shift internal messages/warnings by 2 spaces by this commit:
https://github.com/ZerBea/hcxdumptool/co...81d03d96ff

Please notice:
Every new feature has a price tag as well as every activated option:
It will slow down hcxdumptool.

Especially for headless operation (running on a Raspberry Pi Zero), I recommend using hcxlabtool in combination with a modified Makefile (compile only what you really need).
There is a huge performance difference on all attack modes between hcxdumptool (beautiful status) and hcxlabtool series (high performance attack vector).
#14
(12-08-2021, 10:33 PM) v71221 Wrote: @ZerBea
Please see file Dumps.zip attached.
Concerning the PMKID attack, are the following statements true?
1. It doesn't matter if you capture PMKIDROGUE or PMKID. Both are suitable for PMKID attacks.
2. In my case, the PMKID hash was not cracked (Status: Exhausted), probably due to a bug.

Hi, I sent you a PM. I need your help.
#15
@ZerBea
Here is more information about Windows, Hosted Network and PMKID.

I have found that
  • Windows 7 sends PMKID
  • Windows 8 sends PMKID
  • Windows 10 doesn't send
  • Windows 11 doesn't send

Funny, but Windows 7 and 8 send different PMKIDs. Both are calculated incorrectly. This leads to a Hashcat Status of Exhausted, not Cracked.

Windows 7
Code:
TIME    FREQ/CH  MAC_DEST    MAC_SOURCE  ESSID [FRAME TYPE]
12:28:31 2412/1  020000000020 020000000001 ap01 [PMKID:f8dc238fb156874627b5ff251b8ab53c KDV:2]
12:28:31 2412/1  020000000020 020000000001 ap01 [EAPOL:M1M2 EAPOLTIME:18142 RC:0 KDV:2 PSK:12345678]

Windows 8
Code:
12:42:34 2412/1  020000000020 020000000001 ap01 [PMKID:6faf75249e6dcaa15d4b8a68a941fe54 KDV:2]
12:42:34 2412/1  020000000020 020000000001 ap01 [EAPOL:M1M2 EAPOLTIME:18275 RC:0 KDV:2 PSK:12345678]

The correct PMKID, as you mentioned, is ca5396d611cf330aebefd48ebbfb0e63

I prefer to use the older version of Hashcat (v5.1.0) because it runs much faster on my 10-year-old laptop than the newest version (v6.2.5).

It takes about 5 seconds:
Code:
hashcat64.exe  -D 1  -a 3  -m 16800  "ca5396d611cf330aebefd48ebbfb0e63*020000000001*020000000020*61703031"  "12345678"

It takes about 16 minutes:
Code:
hashcat.exe  -D 1  -a 3  -m 22000  "WPA*01*ca5396d611cf330aebefd48ebbfb0e63*020000000001*020000000020*61703031***"  "12345678"

P.S.
I tested
  • Windows 7 Enterprise
  • Windows 8 Single Language
  • Windows 10 Enterprise (Version 21H1)
  • Windows 11 Enterprise (Version 21H2)

With the wireless Hosted Network, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same time acting as a software AP allowing other wireless-capable devices to connect to it.
https://docs.microsoft.com/en-us/windows...ed-network
https://docs.microsoft.com/en-us/windows...on-sharing
#16
Good investigation. Thanks for sharing the results.
Now we know exactly that the PMKID calculated by Windows 7 and Windows 8 is garbage.

BTW:
No need to run hashcat to confirm a PSK or a PMK, because hcxhashtool can do it.

by PSK:
Code:
$ time hcxhashtool -i test.hc22000 --psk=12345678
020000000020:020000000001:ap01:5577866bc5e9778a3ca3d8730e97f258e2a9ae2afd95bbd63c4f383275c8ba93:12345678

OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entires...................: 30753
total lines read..............: 1
valid hash lines..............: 1
PMKID hash lines..............: 1


real    0m0,152s
user    0m0,149s
sys    0m0,003s

or by PMK:
Code:
$ time hcxhashtool -i test.hc22000 --pmk=5577866bc5e9778a3ca3d8730e97f258e2a9ae2afd95bbd63c4f383275c8ba93
020000000020:020000000001:ap01:5577866bc5e9778a3ca3d8730e97f258e2a9ae2afd95bbd63c4f383275c8ba93

OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entires...................: 30753
total lines read..............: 1
valid hash lines..............: 1
PMKID hash lines..............: 1


real    0m0,157s
user    0m0,150s
sys    0m0,007s

hcxdumptool is able to confirm a PSK on the fly.
Just add --weakcandidate=test_psk (default: 12345678).
#17
@ZerBea
I have a WPA2 hc22000 handshake file and I want the PMKID so I can get the PSK from it. It looks like
WPA-PBKDF2-PMKID+EAPOL¹
The message pair is c2 in my case, which means it is an authorised message pair as far as I know.
So, as per my research, it is WPA-PBKDF2-PMKID+EAPOL¹, the PMKID is added with EAPOL, so how do I separate the PMKID from the EAPOL to get the PMKID so I can brute-force it and get the PSK?
Please help, ZerBea.
Sorry if I ask a silly question, as I am a beginner; please forgive me.
#18
WPA-PBKDF2-PMKID+EAPOL means that it can either be a PMKID or an EAPOL MESSAGE PAIR from a 4-way handshake.
The format identifier at the beginning of the hash line shows the type:
Code:
WPA*01*..... == PMKID
WPA*02*..... == EAPOL MESSAGE PAIR from a 4way handshake

The hashes are taken from the dump file. WPA*01 if a PMKID is inside the dump file, WPA*02 if an EAPOL MESSAGE PAIR is inside the dump file.
How to filter the hash file by PMKID or by EAPOL MESSAGE PAIRs is described here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

It is not possible to calculate a PMKID from an EAPOL MESSAGE PAIR (WPA*02* hash line) if you don't know the PMK.
#19
@ZerBea how do I get the PSK from
WPA*02*8b01e5cdce2ceea155bab2d2c890bf6b*6c5940096fb6*8473033aba70*6c686c64*9914f0f49b7947142f74501c1f5dec2b859be7b56be607b8d4e0576acf3d6ffe*0103007502010a000000000000000000013384539f89fec79de93e258534c6bdded858b12fce70158d65841b31afd52ba7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*02
Is there any way, because it is an authorised message pair? Will you explain it step by step please, ZerBea?
#20
Basically, this is the command line for a dictionary attack:
hashfile.hc22000 == your hc22000 hash file
wordlist == your word list

Code:
$ hashcat -m 22000 hashfile.hc22000 wordlist

BTW:
Please do not post hashes, because it is violating the forum rules.
Please do not ask the same question in different threads.


A step by step hashcat how-to and more attack modes (mask attack, rule attack) are explained here:
https://hashcat.net/wiki/
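Added example in Python, not hcxtools or hashcat code, that ties together three points from the posts above: the WPA*01 / WPA*02 split of an hc22000 file (#18), the confirmation of a PMKID line by PSK or by PMK that hcxhashtool --psk / --pmk performs (#16), and the dictionary attack that hashcat -m 22000 runs at scale (#20). Assumptions: the function names are the example's own; the PMK is derived with PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes) and the PMKID with the WPA2 AKM 00-0F-AC:2 formula HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA)[:16], which is what KDV:2 in the log means; the embedded sample file is constructed from the PMKID line and the two Windows 7 / 8 PMKIDs posted in this thread (ESSID ap01 = 61703031) plus one dummy WPA*02 line with zero MIC, zero ANONCE and a four-byte placeholder EAPOL body that only exercises the parser. Verifying a WPA*02 line needs the PTK and MIC computation, which is deliberately left out here.

```python
import hashlib
import hmac

# Added example (not hcxtools or hashcat code). Function names are the example's own.

def parse_hc22000(line):
    """Split one hc22000 line into typed fields (the ESSID is hex-encoded in the file)."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError(f"not an hc22000 line: {line!r}")
    return {
        "type": "PMKID" if f[1] == "01" else "EAPOL",  # WPA*01 = PMKID, WPA*02 = message pair
        "pmkid_or_mic": bytes.fromhex(f[2]),            # PMKID (01) or EAPOL MIC (02)
        "mac_ap": bytes.fromhex(f[3]),
        "mac_sta": bytes.fromhex(f[4]),
        "essid": bytes.fromhex(f[5]),
        "anonce": bytes.fromhex(f[6]),                  # empty on PMKID lines
        "eapol": bytes.fromhex(f[7]),                   # empty on PMKID lines
        "messagepair": f[8],                            # empty on PMKID lines
    }

def split_hashes(lines):
    """Separate PMKID lines from EAPOL message-pair lines; returns (pmkid_recs, eapol_recs)."""
    pmkid, eapol = [], []
    for line in lines:
        if line.strip():
            rec = parse_hc22000(line)
            (pmkid if rec["type"] == "PMKID" else eapol).append(rec)
    return pmkid, eapol

def derive_pmk(psk, essid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)

def compute_pmkid(pmk, mac_ap, mac_sta):
    """AKM 00-0F-AC:2 (KDV 2): PMKID = HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA)[:16]."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def confirm_by_pmk(rec, pmk):
    """What hcxhashtool --pmk does for a PMKID line: recompute the PMKID and compare."""
    if rec["type"] != "PMKID":
        raise ValueError("an EAPOL line needs the PTK/MIC computation, not done here")
    return hmac.compare_digest(compute_pmkid(pmk, rec["mac_ap"], rec["mac_sta"]),
                               rec["pmkid_or_mic"])

def confirm_by_psk(rec, psk):
    """What hcxhashtool --psk does: derive the PMK from the passphrase, then compare."""
    return confirm_by_pmk(rec, derive_pmk(psk, rec["essid"]))

def wordlist_attack(rec, words):
    """Minimal dictionary attack on one PMKID line (hashcat -m 22000 does this at scale)."""
    for word in words:
        if confirm_by_psk(rec, word):
            return word
    return None

# Constructed sample file: the PMKID line from this thread (ESSID 'ap01' = 61703031),
# the two PMKIDs Windows 7 and Windows 8 produced for the same AP/STA pair, and a
# dummy WPA*02 line (zero MIC, zero ANONCE, 4-byte placeholder EAPOL) that only
# exercises the parser; it is not a real handshake.
SAMPLE_HC22000 = """
WPA*01*ca5396d611cf330aebefd48ebbfb0e63*020000000001*020000000020*61703031***
WPA*01*f8dc238fb156874627b5ff251b8ab53c*020000000001*020000000020*61703031***
WPA*01*6faf75249e6dcaa15d4b8a68a941fe54*020000000001*020000000020*61703031***
WPA*02*00000000000000000000000000000000*020000000001*020000000020*61703031*0000000000000000000000000000000000000000000000000000000000000000*0103005f*02
"""

if __name__ == "__main__":
    pmkid_recs, eapol_recs = split_hashes(SAMPLE_HC22000.splitlines())
    print(f"{len(pmkid_recs)} PMKID line(s), {len(eapol_recs)} EAPOL line(s)")
    for rec in pmkid_recs:
        print(rec["pmkid_or_mic"].hex(), "PSK 12345678 ->",
              "confirmed" if confirm_by_psk(rec, "12345678") else "no match (exhausted)")
    print("wordlist hit:", wordlist_attack(pmkid_recs[0], ["password", "letmein", "12345678"]))
```

With the thread's values, the first PMKID line confirms against PSK 12345678 (and against the PMK 5577866b... that hcxhashtool printed), while the two Windows-generated PMKIDs do not, which is exactly the Exhausted result reported above. The WPA*02 line is parsed and separated but not confirmed: its MIC depends on the PTK, which needs the nonces and the EAPOL frame on top of the PMK.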