New attack on WPA/WPA2 using PMKID

[ZerBea]

That are some good news.
Well, UBUNTU is recommended by hashcat team and is an easy to use distribution. I share that opinion. Designed for complete novices, UBUNTU teaches a beginner everything he need to know to enjoy Linux. He will get help in the forums (https://ubuntuforums.org/) and here, too.
Nevertheless, I prefer Arch Linux, because it does exactly what I configured. But I really do not understand, why so many novices run K*A*L*I. That is an extremely stripped down version of Debian and not usable for novices.
The same applies for using hcxdumptool/hcxtools/hcxkeys. This tools are designed to perform analysis and to find weak points (like the PMKID attack vector) in combination with a hashcracker (hashcat) and a database (wpa-sec). Goal is not to crack a single PSK! Goal is to find the weak point within the system! So this tools are completely different to aircrack-ng. If ‎someone needs a script of 1491 lines (as of today) to put his device into monitor mode, he shouldn't use hcxtools!

[Kangaroot]

ZerBea, I wouldn't say Ubuntu teaching anyone anything unless user wants to learn, but surely it is the easiest way to start using GNU/Linux. Same with K*A*L*I - easiest way to get into hacking.

[kevtheskin]

Hello all,
Can someone tell me why am only getting Found handshake AP-LESS ,EAPOL TIMEOUT
I have not seen PMKID Found only handshake found

Thanks Kev

[ZerBea]

hcxdumptool is able to run different attack vectors. And the client-less (PMKID) attack vector is only one of them:

ap-less:
Only one packet (M2) from a client required. You do not need to hunt for access points. Just wait until the clients come to you. Have patience - some clients will give you their PSK in the clear (hcxpcaptool -E -I -U)!
This attack vector is the most important one, because clients are weak! Try to annoy them!
You can run --nonce-error-corrections=0 on that handshake!

client-less:
Only one packet (M1 - PMKID) from an access point is required.
You have to hunt for access points (usually access points don't move). It's hard to annoy an access point.
You need to have a good antenna (high gain)!

m4 - retry:
After receipt of a single M4, M1, M2, M3 are requested as long as we didn't successfull captured an authorized handshake (M2/M3).
A client and an access point are required for this attack vector! You need to have a good antenna!

deauthentication (old school):
Disconnect a client from the network and capture the following authentication.
A client and an access point are required for this attack vector!
You need to have a good antenna (high gain)!
Attack vector will not work if PMF is enabled


Possible reason why you didn't receive a PMKID:
No access point with activated roaming is in range.

But so what:
A client is in range - play with him!

[LoZio]

Sorry to bother but I think I'm loosing something obvious here, please be kind
I capture and obtain a file. I export hashes and get:

file name....................: home.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.15.0-32-generic
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 2781
skipped packets..............: 0
packets with FCS.............: 1571
beacons (with ESSID inside)..: 11
probe requests...............: 4
probe responses..............: 15
association requests.........: 701
association responses........: 1037
authentications (OPEN SYSTEM): 792
authentications (BROADCOM)...: 289
EAPOL packets................: 222
EAPOL PMKIDs.................: 4
4 PMKID(s) written to home.16800

I suppose I have some valid PMKIDs here. The AP is mine, so I know the key and put it in a file with a dozen other fake passwords.
I would like to password guess my password, to test all the process so I run:

./hashcat64.bin -m 16800 /Work/cap/home.16800 /Work/cap/t.txt

It runs but gets no password at all:
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: \Work\cap\home.16800
Time.Started.....: Fri Aug 17 13:44:49 2018 (1 sec)
Time.Estimated...: Fri Aug 17 13:44:50 2018 (0 secs)
Guess.Base.......: File (\Work\cap\t.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#3.....: 279 H/s (0.34ms) @ Accel:32 Loops:16 Thr:256 Vec:1
Recovered........: 0/4 (0.00%) Digests, 0/4 (0.00%) Salts
Progress.........: 156/156 (100.00%)
Rejected.........: 0/156 (0.00%)
Restore.Point....: 39/39 (100.00%)
Candidates.#3....: djshhjshjVolumeindr -> 9Dir(s)219.174.809.600bytesfree
HWMon.Dev.#3.....: Temp: 56c Fan: 0% Util: 63% Core:1070MHz Mem: 900MHz Bus:4

What am I missing in the process? (/Work/cap/t.txt is my dictionary with the correct PSK)
Thanks

[ZerBea]

That's interesting:
You received 4 PMKIDs for a single network (I assume that it isn't an ENTERPRISE network). So there must be 4 clients.
How is the commandline for hcxdumptool?

A hashfile should look like this:
PMKID*MAC_AP*MAC_STA:ESSID (hex)

If you have 4 PMKIDs:
PMKID*MAC_AP*MAC_STA1:ESSID (hex)
PMKID*MAC_AP*MAC_STA2:ESSID (hex)
PMKID*MAC_AP*MAC_STA3:ESSID (hex)
PMKID*MAC_AP*MAC_STA4:ESSID (hex)

MAC_AP (your BSSID) and ESSID should be the same.

[awdmesh]

I’ve captured the same pmkid two or three times amongst others in hashfile. I’m still learning the ins and outs of hashcat but I have noticed that in case i missed something or don’t see that it looked to be successful - I’ll  run the hashcat command again with —show to see if there was any results/password.

@ZerBea
If say I want to keep my rf signature at a minimum I would need to use —disable deauthicatuons and disassociations, possibly disable client attacks and active scan? I want to try and be as passive as possible and not disturb clients. I’m assuming you’ll always need to transmit some in order to get the pmkid.

Is it correct to say that by default without disable arguments that hcxdumptool is doing deauth and disassociation against clients? Thanks

[ZerBea]

Correct. Running hcxdumptool without disable arguments and/or setting a filterlist is the most aggressive mode.
hcxdumptool will run deauthentications against established connections and disassociations if a M4 was received.
You can view your RF-signature here (tx=xxx) and control it via switches:
INFO: cha=3, rx=3315, rx(dropped)=832, tx=311, powned=4, err=0

--disable_ap_attacks --disable_deauthentications:
INFO: cha=1, rx=799, rx(dropped)=12, tx=1, powned=0, err=0

--disable_ap_attacks --disable_deauthentications --disable_client_attacks --disable_active_scan:
INFO: cha=5, rx=1403, rx(dropped)=11, tx=0, powned=0, err=0

[kevtheskin]

hcxdumptool is able to run different attack vectors. And the client-less (PMKID) attack vector is only one of them:

ap-less:
Only one packet (M2) from a client required. You do not need to hunt for access points. Just wait until the clients come to you. Have patience - some clients will give you their PSK in the clear (hcxpcaptool -E -I -U)!
This attack vector is the most important one, because clients are weak! Try to annoy them!
You can run --nonce-error-corrections=0 on that handshake!

client-less:
Only one packet (M1 - PMKID) from an access point is required.
You have to hunt for access points (usually access points don't move). It's hard to annoy an access point.
You need to have a good antenna (high gain)!

m4 - retry:
After receipt of a single M4, M1, M2, M3 are requested as long as we didn't successfull captured an authorized handshake (M2/M3).
A client and an access point are required for this attack vector! You need to have a good antenna!

deauthentication (old school):
Disconnect a client from the network and capture the following authentication.
A client and an access point are required for this attack vector!
You need to have a good antenna (high gain)!
Attack vector will not work if PMF is enabled


Possible reason why you didn't receive a PMKID:
No access point with activated roaming is in range.

But so what:
A client is in range - play with him!

Thanks for the info. Not sure it answered my question?
Can someone tell me why am only getting Found handshake AP-LESS ,EAPOL TIMEOUT
I have not seen PMKID Found only handshake found

Thanks Kev

[slyexe]

Thanks for the info. Not sure it answered my question?
Can someone tell me why am only getting Found handshake AP-LESS ,EAPOL TIMEOUT
I have not seen PMKID Found only handshake found

Thanks Kev

 

Its because you're not in range of any Routers which broadcast the PMK  just as zerobeat has told you. 
This attack does not enable clientless attacks on ALL MAKES OF ROUTERS. It's only available if the router is setup to provide you with the proper information for the PMK. The data you have is telling you that you have obtained an AP-Less Handshake, meaning you are only able to receive a signal strong enough to the client and not the router.