New attack on WPA/WPA2 using PMKID
#21
(08-08-2018, 11:16 AM)atom Wrote: From what I've seen, roaming is one of the big new features in Fritz!OS7. Older Fritz!Box routers may not be vulnerable, but new ones may be. Since I do not have access to such a router, I can't test myself.

However, my Speedport (w724v) from German Telekom is vulnerable. Works on first try.

Thanks for sharing ... so there is consumer-grade HW as well that behaves badly.
However, my original statement is still valid: PMKID caching does not make sense in combination with WPA2 PERSONAL networks* (no functional benefit). The vendors should disable the announcement of PMKIDs in these SSIDs to mitigate this exploit (although the traditional "4-way handshake" capture exploit is still there).

(*) Except a small benefit when using 802.11r
#22
I am still amazed by atom's full disclosure...
Thinking that all the world's experts had this right under their eyes for years and that a single enthusiastic man put his finger on it is tremendous... I hope people do realize how amazing it is.
I could successfully get a PMKID on the very latest SFR box (French ISP).
Some friends (Xavi and josep345, thanks to them for their feedback) did some testing in Spain and until now it is...
100% of tested models are vulnerable... (for us)
They tested 4 models used by different ISPs and all of them are vulnerable to the new method:
  • NB6VAC-FCX-r0 manufactured by SFR   /  ISP = SFR (France)
  • F680 manufactured by ZTE  /  ISP =  Jaztel + Masmovil (Spain)
  • GPT2451-AC manufactured by Mitrastar  /  ISP = Telefonica (Spain)
  • CG6640E or CH6643E (model to be confirmed) manufactured by Compai  / ISP  =  OnO (Spain)
  • PRV3399B-B-LT by Arcadyan  /  ISP = Orange (Spain)  
And the list will for sure be much longer... If you want to check for yourself and follow the reports from Spain: Revolución en el crack WPA: Ataque por diccionario contra PMKID
Notice for example that the last model in the list is known as the Livebox "Mi fibra" and it is the router that Orange uses for all its customers with optical fiber... we are speaking about more than one million boxes like this...
For those who have a chipset that is not supported by the hashcat tools, it is very easy to get the PMKID with wpa_supplicant itself.
It takes a couple of seconds to get the PMKID.
#23
Hi all. When I try and run this I get "hcxdumptool: command not found". Is this likely to be a chipset issue or a Layer 8 issue?!
#24
(08-09-2018, 04:36 PM)anonymousy Wrote: Hi all. When I try and run this I get "hcxdumptool: command not found". Is this likely to be a chipset issue or a Layer 8 issue?!

typical case of PEBKAC
#25
Hi

Hopefully not the wrong place to ask this, but I can't get hashcat to decrypt the PSK.

I have to use the Windows version of hashcat as my Linux box doesn't have GPUs in it.

Anyhow, my PSK is 8 characters long and I use the following to try to crack it:
hashcat64.exe -m 16800 test.16800 -a 3 -w 3 '?d?d?d?d?d?d?d?d'
The candidates are all 8 digits long, so I am (wrongfully?) assuming the guess mask is right, but it never finds it.

FYI my PSK is 11111111

Any ideas would be appreciated.
#26
(08-04-2018, 06:50 PM)atom Wrote: The content of the written file will look like this:

Quote:2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a

The columns are the following (all hex encoded):
  • PMKID
  • MAC AP
  • MAC Station
  • ESSID

I tried the above wpa_supplicant method of obtaining the PMKID (which worked beautifully), so now I have the 32-char PMKID and the MACs of both the AP and the STA, but for some reason I can't figure out the format of the ESSID.

My assumption is that it's the string of the SSID converted to hex, but I tried converting ed487162465a774bfba60eb603a39f3a back to a readable string without success.

Any suggestions on converting my known SSID (for example Linksys) to the right format for that final hex-encoded bit?
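The column layout quoted above, worked through as an added example (this is not code from hashcat or hcxtools). It parses a -m 16800 line, shows that the ESSID column is just the raw SSID bytes in hex (so an SSID need not decode to printable text), and recomputes the PMKID for a passphrase you already know, which is the quickest way to confirm that a line captured from your own AP is well-formed. The PMK derivation (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds) and the PMKID construction (HMAC-SHA1-128 over "PMK Name" || AP MAC || STA MAC) are the standard 802.11i definitions; the lab MACs and passphrase in the `__main__` block are constructed values.

```python
"""Added example (not hashcat's or hcxtools' own code): parse a hashcat -m 16800
line, show how the ESSID column is encoded, and check a line against the
passphrase of a network you own."""
import hashlib
import hmac
from dataclasses import dataclass

# Line quoted in the thread: PMKID*MAC_AP*MAC_STA*ESSID, every column hex encoded
SAMPLE_LINE = ("2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4"
               "*ed487162465a774bfba60eb603a39f3a")


@dataclass(frozen=True)
class PmkidRecord:
    pmkid: bytes    # 16 bytes
    ap_mac: bytes   # 6 bytes
    sta_mac: bytes  # 6 bytes
    essid: bytes    # 1..32 raw SSID bytes


def encode_essid(ssid: str) -> str:
    """The ESSID column is simply the raw SSID bytes as lowercase hex."""
    return ssid.encode("utf-8").hex()


def decode_essid(column: str) -> bytes:
    """Inverse of encode_essid; returns bytes because an SSID need not be printable."""
    return bytes.fromhex(column)


def parse_16800(line: str) -> PmkidRecord:
    """Split and length-check one -m 16800 line; raises ValueError on malformed input."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError("expected 4 '*'-separated columns")
    pmkid, ap_mac, sta_mac, essid = (bytes.fromhex(p) for p in parts)
    if len(pmkid) != 16 or len(ap_mac) != 6 or len(sta_mac) != 6:
        raise ValueError("PMKID must be 16 bytes and each MAC 6 bytes")
    if not 1 <= len(essid) <= 32:
        raise ValueError("ESSID must be 1..32 bytes")
    return PmkidRecord(pmkid, ap_mac, sta_mac, essid)


def compute_pmkid(passphrase: str, essid: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes);
    PMKID = first 16 bytes of HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, 4096, 32)
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def build_line(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes) -> str:
    """Produce the -m 16800 line a capture of your own AP should yield."""
    essid = ssid.encode("utf-8")
    pmkid = compute_pmkid(passphrase, essid, ap_mac, sta_mac)
    return "*".join([pmkid.hex(), ap_mac.hex(), sta_mac.hex(), essid.hex()])


def check_line(line: str, passphrase: str) -> bool:
    """True if the captured line matches this passphrase (constant-time compare)."""
    rec = parse_16800(line)
    expected = compute_pmkid(passphrase, rec.essid, rec.ap_mac, rec.sta_mac)
    return hmac.compare_digest(expected, rec.pmkid)


if __name__ == "__main__":
    rec = parse_16800(SAMPLE_LINE)
    print("AP MAC:", rec.ap_mac.hex(), "STA MAC:", rec.sta_mac.hex())
    print("ESSID bytes:", rec.essid, "printable ASCII:", rec.essid.isascii())
    print("'Linksys' encodes as:", encode_essid("Linksys"))
    # Constructed lab values: an AP, one station, and the passphrase you set on it
    lab = build_line("11111111", "Linksys",
                     bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))
    print("lab line:", lab)
    print("matches own passphrase:", check_line(lab, "11111111"))
```

If `check_line` returns False for a line taken from your own AP with the passphrase you configured, the capture itself is the problem (wrong ESSID bytes, swapped MAC columns, or a PMKID that is not derived from the PSK at all), and no amount of mask tuning in hashcat will help.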
#27
My testing area has lots of Netgear and TpLink routers. By using either hcxdumptool or wpa_supplicant, I was unable to capture a single PMKID. So the vulnerability rate is 0% here.

In case I'm doing it wrong, here are the commands in use:
hcxdumptool:
hcxdumptool -o pca.pcapng -i wlan0mon --enable_status 15

wpa_supplicant:
wpa_supplicant -c wpa.conf -i wlan0 -dd
the wpa.conf is a blank file.
#28
A quick note about 802.11r... the new trend is "mesh" networking. Lots of homes are popping up with 2-3 APs all linked together, so I guess it kinda does make sense. And I guess vendors would want to have seamless handoffs with repeaters as well (which they try so hard to push).
#29
(08-05-2018, 12:54 AM)BeanBagKing Wrote: This looks amazing.

When trying to target a specific AP (making sure I only hit mine, not my neighbors), I'm trying to use --filtermode=2 and --filterlist=filter.txt. filter.txt consists of a single line containing my AP's address in the form "05D2BA2B8CD". This consistently returns a segmentation fault. Remove just the --filterlist and everything appears to work fine, though I'm not sure how filtermode=2 works with no list, but it runs.

The exact line is:
root@notka1i:~/Desktop/PMKID# hcxdumptool -o test.pcapng -i wlan0 --enable_status --filtermode=2 --filterlist=filter.txt

I've tried several variants (e.g. --filterlist ./filter.txt, full path, etc.) with the same results.

Am I using these flags correctly? That is, both in the intended manner (to target a specific AP) and not doing something stupid with the syntax to create a segfault?

Trying it out now against Ubiquiti gear and it doesn't seem to work. I'm not sure yet if this is my fault, or if Ubiquiti isn't vulnerable, or if my AP settings just don't allow this (not roaming). Working on setting up a wireless lab next to try out a few older all-in-one router/APs.

Edit: No issues capturing a PMKID from an old Netgear WNR1000v3 I had lying around. Still not getting anything from the Ubiquiti.

Thanks again for the work you guys do!


Did you ever get this to work with --filterlist=<text file>? I have been playing around with this and I discovered that if you remove the quotes in your text file, you can use the filter option without any issue. Thought I would post an update in case anyone else has run into this issue using the --filterlist option.
#30
(08-11-2018, 07:21 AM)octf Wrote: My testing area has lots of Netgear and TpLink routers. By using either hcxdumptool or wpa_supplicant, I was unable to capture a single PMKID. So the vulnerability rate is 0% here.

In case I'm doing it wrong, here are the commands in use:
hcxdumptool:
hcxdumptool -o pca.pcapng -i wlan0mon --enable_status 15

wpa_supplicant:
wpa_supplicant -c wpa.conf -i wlan0 -dd
the wpa.conf is a blank file.

  1. does your driver support full monitor mode?
  2. is the interface set to monitor mode?
  3. are services like NetworkManager and wpa_supplicant stopped?
  4. do you use the latest commit of hcxdumptool?
  5. did you read the help menu and README.md?
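Points 1 to 3 of that checklist are the ones a script can verify before you start a capture, so here is a pre-flight check added as an example (it is not part of hcxdumptool or hcxtools). The `check_*` functions take command output as text, which lets them be exercised offline; `preflight` feeds them the real output of `iw dev` and `ps -eo comm=` on a Linux box. The interface name and the sample `iw dev` output below are constructed.

```sh
#!/bin/sh
# Added pre-flight check for the checklist above (example script, not hcxdumptool's code).
# Usage: sh preflight.sh wlan0mon

# Checklist items 1 and 2: the interface must appear in `iw dev` and be of type monitor.
#   $1 = interface name, $2 = full output of `iw dev`
check_monitor_mode() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == "Interface" { cur = $2 }
        cur == ifc && $1 == "type" && $2 == "monitor" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Checklist item 3: NetworkManager and wpa_supplicant must not be running,
# otherwise they keep reconfiguring the interface underneath the capture tool.
#   $1 = newline-separated process names, e.g. from `ps -eo comm=`
check_no_conflicting_processes() {
    ! printf '%s\n' "$1" | grep -qxE 'NetworkManager|wpa_supplicant'
}

# Run the checks against the live system; returns non-zero if anything fails.
preflight() {
    ifc="$1"
    rc=0
    if check_monitor_mode "$ifc" "$(iw dev 2>/dev/null)"; then
        echo "ok:   $ifc is in monitor mode"
    else
        echo "FAIL: $ifc is missing or not in monitor mode (try: iw dev $ifc set type monitor)"
        rc=1
    fi
    if check_no_conflicting_processes "$(ps -eo comm=)"; then
        echo "ok:   no NetworkManager/wpa_supplicant running"
    else
        echo "FAIL: stop NetworkManager and wpa_supplicant before capturing"
        rc=1
    fi
    return $rc
}

# Only touch the live system when an interface name is given on the command line.
if [ -n "$1" ]; then
    preflight "$1"
fi
```

Items 4 and 5 (current commit, help menu, README.md) are not something a script can decide for you; if the two live checks pass and the tool still sees nothing, the driver's monitor-mode support (item 1) is the next thing to question.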