New attack on WPA/WPA2 using PMKID
#81
(08-26-2018, 03:30 PM)ZerBea Wrote: Most output files will be appended to existing files (with the exception of .cap files).
Hi, ZerBea.
I mean if I run `hcxdumptool -o all.pcapng` many times I'd like to append the output in one all.pcapng file instead of creating all-XXX.pcapng files each time.
Sorry for the late reply.
#82
Hi dizcza.

hcxpcaptool -o option will convert pcapng files to hccapx format (not to pcapng) and append the result to an existing hccapx file.

The command you're looking for (merging pcapng files) is:
mergecap -a -w concatenated.pcapng capture1.pcapng capture2.pcapng

Read more here:
https://www.wireshark.org/docs/man-pages/mergecap.html

But I don't recommend merging pcapng files. It can lead to uncrackable handshakes if ESSIDs are damaged or network names changed or MACs changed. Also detection of ap-less attacks will not work on merged files.
Keep in mind: we use randomized MACs. So clear allocation of MAC and ESSID over more than one pcapng file isn't possible on merged files.
#83
Hi sao.
The answer to your question is here:
https://hashcat.net/forum/thread-7717-po...l#pid41675
#84
Now, wpa-sec is running full PMKID support. The success rate is very good:
https://wpa-sec.stanev.org/?stats
#85
It just misses a field to send a pmkid hash :)
#86
Hi ZerBea,

I ran the hexdump pcap for almost >5 hours and I get no PMKIDs. Am I missing something?

summary:
--------
file name....................: test3.pcapng-0
file type....................: pcapng 1.0
file hardware information....: i686
file os information..........: Linux 4.12.0-kali2-686
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 4492
skipped packets..............: 0
packets with FCS.............: 760
WDS packets..................: 36
beacons (with ESSID inside)..: 2105
probe requests...............: 305
probe responses..............: 359
association responses........: 85
reassociation responses......: 62
authentications (UNKNOWN)....: 19
authentications (OPEN SYSTEM): 3
authentications (SHARED KEY).: 18
authentications (FILS).......: 1
EAPOL packets................: 205


=====

root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/wifi/new/hcxdumptool# hcxdumptool -o test3.pcapng -i wlan0mon --enable_status=1,2,4,8

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0mon
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc2335163d2 (client)
MAC ACCESS POINT.........: 00006c58d5fd (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 62470
ANONCE...................: 8eda9b07876621ccec2d0b89922536815831832d401cbf690448ee151d1e6a2b

INFO: cha=5, rx=245, rx(dropped)=1, tx=104, powned=0, err=0
INFO: cha=8, rx=2763, rx(dropped)=2, tx=683, powned=0, err=0
INFO: cha=8, rx=88385, rx(dropped)=64, tx=14220, powned=0, err=0
INFO: cha=1, rx=88565, rx(dropped)=64, tx=14240, powned=0, err=0
INFO: cha=10, rx=249627, rx(dropped)=167, tx=33360, powned=0, err=0
INFO: cha=2, rx=435034, rx(dropped)=267, tx=49707, powned=0, err=0

====

PS: I have more than 1k networks in the same pcapng file obtained from hexdump pcap tool.

1146 1B:05:45:B4:45:05 Unknown
1147 B4:BF:B0:9B:F5:56 Zoomwf�� No data - WEP or WPA
1148 00:00:6C:58:D6:89 CCnDC No data - WEP or WPA
1149 E4:B7:D3:A3:97:46 No data - WEP or WPA
1150 37:36:C5:E7:D9:3F None (0.0.0.0)
1151 03:AC:21:50:18:99 HP-Print-99-Officejet Pro 8620 None (0.0.0.0)
1152 D8:C7:C8:78:B3:82 FC-Corporate No data - WEP or WPA
1153 42:5D:31:F6:74:44 OMG GUEST No data - WEP or WPA
1154 EC:5D:B8:58:11:3F No data - WEP or WPA
1155 D9:96:EE:A8:A2:FC WPA (0 handshake)
1156 86:AB:F7:E6:1C:38 WPA (0 handshake)
1157 6C:F3:3F:07:8B:53 No data - WEP or WPA
1158 6A:DE:38:F6:8F:F4 None (0.0.0.0)
1159 B6:FF:FF:FF:FF:FF None (0.0.0.0)
1160 00:95:F3:2A:4A:FF No data - WEP or WPA
1161 6C:74:97:2E:2A:3B GGl ��mmunications Hub No data - WEP or WPA
1162 AC:8F:A4:FF:42:BC None (0.0.0.0)
1163 00:00:6C:58:D6:8A Hitch1 No data - WEP or WPA
1164 00:00:6C:58:D6:8B SBG6700AC-63297-5G No data - WEP or WPA
1165 F9:FB:B2:9B:3D:76 Zoom3d70 No data - WEP or WPA
1166 68:CF:BC:34:99:E8 usrc��taff None (0.0.0.0)
1167 91:80:AA:E7:9F:0C No data - WEP or WPA

Index number of target network ?

====
#87
(08-27-2018, 07:24 PM)Mem5 Wrote: It just misses a field to send a pmkid hash :)

We still need raw captures, from which we'll extract what's interesting inside, including PMKIDs. This allows us to improve the toolset and dig up valuable stuff later. For example, right now I'm reparsing caps and fetching PMKIDs, submitted back in 2011 and up :)
#88
Hi ssswanil.
To answer your question, we need some more information.
1) Do you run latest commit?
If not, please update!

2) Does your driver support full (injection is working!) monitor mode?
Not all drivers are working as expected.

3) Is the device running in monitor mode?
iw dev <wlan interface> info
Interface <wlan interface>
ifindex 3
wdev 0x1
addr xx:xx:xx:xx:xx:xx
type monitor
wiphy 0
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 20.00 dBm

4) Does hcxdumptool have full access to the device?
Stop all services running on that device which prevent hcxdumptool from changing the channel!

5) Did you run airmon-ng?
hcxdumptool doesn't like to run on a virtual interface created by airmon-ng!

6) Your command line is ugly
Absolutely no-go for this: --enable_status=1,2,4,8
We are using a bitmask. That means you have to add(!) the switches
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATION
8: ASSOCIATION
If you would like to see all status messages then you must add the values: 1 + 2 + 4 + 8 = 15
--enable_status=15 is your switch

7) Do you have access points in range?
sudo hcxdumptool -i wlp39s0f3u4u5 -t 5 --do_rcascan
xxxxxxxxxxxx <ESSID> [CHANNEL 1, AP IN RANGE]

8) How do you convert pcapng to cap? Is that list (after ===) from aircrack-ng?
aircrack-ng isn't able to read pcapng files! https://github.com/aircrack-ng/aircrack-ng/issues/1912
aircrack-ng isn't able to detect PMKIDs! https://github.com/aircrack-ng/aircrack-ng/issues/1937
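The two checks from the post above that are easiest to get wrong (step 3, monitor mode, and step 6, the --enable_status bitmask) as a small preflight script. This is an added example, not code from hcxdumptool or from the thread; the `iw dev` output it parses is a constructed sample modelled on the one quoted above, and the bit names follow the post.

```python
"""Preflight checks for an hcxdumptool run (added example, not project code):
confirm the interface is in monitor mode from `iw dev <iface> info` output,
and validate that --enable_status is a summed bitmask, not a list."""
import re

# Status bits as documented in the post: values must be added, not comma-listed.
STATUS_BITS = {1: "EAPOL", 2: "PROBEREQUEST/PROBERESPONSE",
               4: "AUTHENTICATION", 8: "ASSOCIATION"}

def parse_enable_status(arg):
    """Return the status names enabled by an --enable_status value.
    Rejects the comma form (1,2,4,8) and values outside 1..15."""
    if not re.fullmatch(r"\d+", arg):
        raise ValueError(f"--enable_status expects one integer bitmask, got {arg!r}")
    value = int(arg)
    if not 1 <= value <= sum(STATUS_BITS):
        raise ValueError(f"bitmask {value} out of range 1..15")
    return [name for bit, name in STATUS_BITS.items() if value & bit]

def is_valid_enable_status(arg):
    try:
        parse_enable_status(arg)
        return True
    except ValueError:
        return False

def status_value(names):
    """Inverse of parse_enable_status: all four names give 15."""
    by_name = {n: b for b, n in STATUS_BITS.items()}
    return sum(by_name[n] for n in names)

def parse_iw_info(text):
    """Extract interface name, type and channel from `iw dev <iface> info`."""
    info = {}
    for key, pattern, conv in (("interface", r"^\s*Interface\s+(\S+)", str),
                               ("type", r"^\s*type\s+(\S+)", str),
                               ("channel", r"^\s*channel\s+(\d+)", int)):
        m = re.search(pattern, text, re.M)
        if m:
            info[key] = conv(m.group(1))
    return info

def is_monitor_mode(text):
    return parse_iw_info(text).get("type") == "monitor"

# Constructed sample, modelled on the iw output quoted in the post.
SAMPLE_IW = """Interface wlan0mon
\tifindex 3
\taddr 00:11:22:33:44:55
\ttype monitor
\tchannel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
"""
```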
#89
I have a problem: after decoding to hash, I find the key is wrong and not true, and when I use a wordlist, I extract it correctly without problems. Please help me.....
#90
To answer the question we need more information:
Which tools do you use for capturing, conversion and cracking?
How is the commandline of the tools?
Which result do you expect (exactly)?
Which result did you get (exactly)?