Crack WPA2 (.hc22000 file) with list not completing
#11
Glad to hear that Windows now stopped sending faulty PMKIDs. Thanks for this information.
Unfortunately I found no pattern to distinguish between a faulty Windows 7 PMKID and a correct one.


Also thanks for reporting that log entry issue.
It is a nasty copy-and-paste error that should be fixed by this commit:
https://github.com/ZerBea/hcxdumptool/co...940087b3dc
and this commit:
https://github.com/ZerBea/hcxdumptool/co...56c817addf
Now the log function calls are where they belong: a log entry is written only if we really transmit.

To answer your question:
2412 = Frequency in MHz
1 = Channel

Since this commit, the scan engine changed from channel scan to frequency scan.
https://github.com/ZerBea/hcxdumptool/co...1ec9365a4f
That was necessary because channel range (band 5 and band 6) is no longer unique:
https://en.wikipedia.org/wiki/List_of_WLAN_channels
From now on, information about both frequency and channel is available and you can use either as input. However, this will not work on the 6 GHz band, because nearly the same channel range is in use.

Frequency/channel behavior of ioctl(SIOCSIWFREQ) is referenced here:
https://github.com/torvalds/linux/blob/m...ess.h#L910

BTW:
I noticed that using frequencies instead of channels is a little bit faster.
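To make the channel ambiguity concrete, here is an added example (not hcxdumptool's code) of the channel to frequency mapping that Linux nl80211 uses; the band names and the 5 GHz channel bounds are this example's own choices. Channel 1 exists on both 2.4 GHz and 6 GHz, while a frequency in MHz always identifies exactly one channel.

```python
# Added example: nl80211-style channel <-> frequency mapping, showing why a
# bare channel number stopped being unique once the 6 GHz band was added.

def channel_to_freq(chan: int, band: str) -> int:
    """Return the centre frequency (MHz) of `chan` on `band`, or 0 if invalid."""
    if band == "2.4GHz":
        if chan == 14:
            return 2484                  # Japan-only channel 14
        if 1 <= chan <= 13:
            return 2407 + chan * 5
    elif band == "5GHz":
        if 182 <= chan <= 196:           # Japanese 4.9 GHz channels
            return 4000 + chan * 5
        if 32 <= chan <= 177:            # approximate allocated range
            return 5000 + chan * 5
    elif band == "6GHz":
        if chan == 2:                    # single channel below 5955 MHz
            return 5935
        if 1 <= chan <= 233:
            return 5950 + chan * 5
    return 0

def freq_to_channel(freq: int) -> int:
    """Inverse mapping: one frequency maps to exactly one channel number."""
    if freq == 2484:
        return 14
    if 2412 <= freq < 2484:
        return (freq - 2407) // 5
    if 4910 <= freq <= 4980:
        return (freq - 4000) // 5
    if 5000 < freq < 5925:
        return (freq - 5000) // 5
    if freq == 5935:
        return 2
    if 5955 <= freq <= 7115:
        return (freq - 5950) // 5
    return 0

def channels_for(chan: int) -> dict:
    """Every band on which `chan` is a valid channel number, with its frequency."""
    return {b: f for b in ("2.4GHz", "5GHz", "6GHz")
            if (f := channel_to_freq(chan, b))}

if __name__ == "__main__":
    print(channels_for(1))       # channel 1 is 2412 MHz or 5955 MHz: ambiguous
    print(freq_to_channel(2412)) # 1, and only one answer
```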
#12
Quote: To answer your question:
2412 = Frequency in MHz
1 = Channel

Sure! I know that! But I completely forgot this morning. Flew out of my head.
I think it's a good idea to add a header reminder to the logfile.
Besides, if you shift the internal status line slightly, it will be easier for the eyes to find that line.
Especially if the logfile is quite large.
Please see examples below.

# hcxdumptool  -i wlan0  -o dump.pcapng  --silent  --enable_status=95  -c 1

initialization of hcxdumptool 6.2.5-7-g4d7c072...
start capturing (stop with ctrl+c)
...
...
ANONCE....................: d698dfa621a0743336e4e466397418a4e8caccf4ea6af648b14cdd68771677fd
SNONCE....................: cedb8eacf87de069139f3052457e1aee3e48f06d16de9dac2d1632965d0fbadf

--------+-------+-------------+------------+----------------------------------------
  Time  | Fr/Ch |  Dest. MAC  | Source MAC | SSID / Description
--------+-------+-------------+------------+----------------------------------------
23:05:56 2412/1  ffffffffffff 020000000001 ap01 [BEACON]
23:05:57 2412/1  506070abfedc 020000000001 ap01 [PROBERESPONSE]
23:06:00 2412/1    ERROR:0 INCOMING:304 AGE:1 OUTGOING:0 PMKIDROGUE:0 PMKID:0 M1M2ROGUE:0 M1M2:0 M2M3:0 M3M4:0 M3M4ZEROED:0 GPS:0
23:06:12 2412/1  020000000020 020000000001 ap01 [AUTHENTICATION]
23:06:12 2412/1  020000000020 020000000001 ap01 [ASSOCIATION]
23:06:12 2412/1  020000000020 020000000001 ap01 [EAPOL:M1M2 EAPOLTIME:1697 RC:0 KDV:2 PSK:12345678]
23:06:12 2412/1  020000000020 020000000001 ap01 [EAPOL:M2M3 EAPOLTIME:8516 RC:1 KDV:2 PSK:12345678]
23:06:12 2412/1  020000000020 020000000001 ap01 [EAPOL:M3M4ZEROED EAPOLTIME:67 RC:1 KDV:2]
23:07:00 2412/1    ERROR:0 INCOMING:5962 AGE:1 OUTGOING:0 PMKIDROGUE:0 PMKID:0 M1M2ROGUE:0 M1M2:1 M2M3:1 M3M4:0 M3M4ZEROED:1 GPS:0
23:07:02 2412/1  708070abab00 000bf4ad5401 To be, or not to be [ROGUE PROBERESPONSE]
#13
Nice feature requests.
Added a header with this commit:
https://github.com/ZerBea/hcxdumptool/co...391360eb38
and shifted internal messages/warnings by 2 spaces with this commit:
https://github.com/ZerBea/hcxdumptool/co...81d03d96ff

Please notice:
Every new feature has a price tag, as does every activated option:
it will slow down hcxdumptool.

Especially for headless operation (running on a Raspberry Pi Zero), I recommend using hcxlabtool in combination with a modified Makefile (compile only what you really need).
There is a huge performance difference on all attack modes between hcxdumptool (beautiful status) and hcxlabtool series (high performance attack vector).
#14
(12-08-2021, 10:33 PM)v71221 Wrote: @ZerBea
Please see file Dumps.zip attached.
Concerning the PMKID attack, are the following statements true?
1. It doesn't matter if you capture PMKIDROGUE or PMKID. Both are suitable for PMKID-attacks.
2. In my case, pmkid-hash was not cracked (Status: Exhausted), probably due to a bug.

Hi, I sent you a PM, I need your help.
#15
@ZerBea
Here is more information about Windows, Hosted Network and PMKID.

I have found that
  • Windows 7 sends PMKID
  • Windows 8 sends PMKID
  • Windows 10 doesn't send
  • Windows 11 doesn't send

Funny, but Windows 7 and 8 send different PMKIDs. Both are calculated incorrectly. This leads to a Hashcat Status of Exhausted, not Cracked.

Windows 7
Code:
TIME    FREQ/CH  MAC_DEST    MAC_SOURCE  ESSID [FRAME TYPE]
12:28:31 2412/1  020000000020 020000000001 ap01 [PMKID:f8dc238fb156874627b5ff251b8ab53c KDV:2]
12:28:31 2412/1  020000000020 020000000001 ap01 [EAPOL:M1M2 EAPOLTIME:18142 RC:0 KDV:2 PSK:12345678]

Windows 8
Code:
12:42:34 2412/1  020000000020 020000000001 ap01 [PMKID:6faf75249e6dcaa15d4b8a68a941fe54 KDV:2]
12:42:34 2412/1  020000000020 020000000001 ap01 [EAPOL:M1M2 EAPOLTIME:18275 RC:0 KDV:2 PSK:12345678]

The correct PMKID, as you mentioned, is ca5396d611cf330aebefd48ebbfb0e63

I prefer to use the older version of Hashcat (v5.1.0) because it runs much faster on my 10-year-old laptop than the newest version (v6.2.5).

It takes about 5 seconds:
Code:
hashcat64.exe  -D 1  -a 3  -m 16800  "ca5396d611cf330aebefd48ebbfb0e63*020000000001*020000000020*61703031"  "12345678"

It takes about 16 minutes:
Code:
hashcat.exe  -D 1  -a 3  -m 22000  "WPA*01*ca5396d611cf330aebefd48ebbfb0e63*020000000001*020000000020*61703031***"  "12345678"

P.S.
I tested
  • Windows 7 Enterprise
  • Windows 8 Single Language
  • Windows 10 Enterprise (Version 21H1)
  • Windows 11 Enterprise (Version 21H2)

With the wireless Hosted Network, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same time acting as a software AP allowing other wireless-capable devices to connect to it.
https://docs.microsoft.com/en-us/windows...ed-network
https://docs.microsoft.com/en-us/windows...on-sharing
#16
Good investigation. Thanks for sharing the results.
Now we know exactly that the PMKID calculated by Windows 7 and Windows 8 is garbage.

BTW:
No need to run hashcat to confirm a PSK or a PMK, because hcxhashtool can do it.

by PSK:
Code:
$ time hcxhashtool -i test.hc22000 --psk=12345678
020000000020:020000000001:ap01:5577866bc5e9778a3ca3d8730e97f258e2a9ae2afd95bbd63c4f383275c8ba93:12345678

OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entires...................: 30753
total lines read..............: 1
valid hash lines..............: 1
PMKID hash lines..............: 1


real    0m0,152s
user    0m0,149s
sys    0m0,003s

or by PMK:
Code:
$ time hcxhashtool -i test.hc22000 --pmk=5577866bc5e9778a3ca3d8730e97f258e2a9ae2afd95bbd63c4f383275c8ba93
020000000020:020000000001:ap01:5577866bc5e9778a3ca3d8730e97f258e2a9ae2afd95bbd63c4f383275c8ba93

OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entires...................: 30753
total lines read..............: 1
valid hash lines..............: 1
PMKID hash lines..............: 1


real    0m0,157s
user    0m0,150s
sys    0m0,007s

hcxdumptool is able to confirm a PSK on-the-fly.
Just add --weakcandidate=test_psk (default: 12345678).
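The check that hcxhashtool performs with --psk/--pmk (post #16), applied to the correct and the faulty Windows 7/8 PMKIDs from post #15, written out as an added example; this is not hcxtools' or hashcat's own code. The three 22000 hash lines are built here from the MACs, ESSID and PMKIDs logged in this thread, and the function names are this example's own.

```python
# Added example: recompute a captured PMKID from a known PSK, the way
# hcxhashtool --psk does, so a bogus PMKID (Windows 7/8 Hosted Network) is
# recognised before any time is spent on it. Steps: parse the 22000 line
# "WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***", derive PMK = PBKDF2-HMAC-SHA1
# (PSK, ESSID, 4096 rounds, 32 bytes), then PMKID = first 16 bytes of
# HMAC-SHA1(PMK, "PMK Name" | MAC_AP | MAC_STA).
import hashlib
import hmac

def parse_22000(line: str) -> dict:
    """Split a hashcat 22000 PMKID (type 01) line into its binary fields."""
    f = line.strip().split("*")
    if len(f) < 6 or f[0] != "WPA" or f[1] != "01":
        raise ValueError("not a 22000 PMKID line")
    return {"pmkid": bytes.fromhex(f[2]), "mac_ap": bytes.fromhex(f[3]),
            "mac_sta": bytes.fromhex(f[4]), "essid": bytes.fromhex(f[5])}

def derive_pmk(psk: str, essid: bytes) -> bytes:
    """WPA2-PSK key derivation: PMK from passphrase and ESSID."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)

def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID as carried in the RSN IE of EAPOL message 1."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def pmkid_matches(line: str, psk: str) -> bool:
    """True if the PMKID in `line` really was produced from `psk`."""
    h = parse_22000(line)
    pmk = derive_pmk(psk, h["essid"])
    return hmac.compare_digest(compute_pmkid(pmk, h["mac_ap"], h["mac_sta"]),
                               h["pmkid"])

# Lines built from the thread's values: the correct PMKID, then Windows 7 and 8
GOOD = "WPA*01*ca5396d611cf330aebefd48ebbfb0e63*020000000001*020000000020*61703031***"
WIN7 = "WPA*01*f8dc238fb156874627b5ff251b8ab53c*020000000001*020000000020*61703031***"
WIN8 = "WPA*01*6faf75249e6dcaa15d4b8a68a941fe54*020000000001*020000000020*61703031***"

if __name__ == "__main__":
    for name, line in (("correct", GOOD), ("Windows 7", WIN7), ("Windows 8", WIN8)):
        print(f"{name}: PMKID matches PSK 12345678 -> {pmkid_matches(line, '12345678')}")
```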