New attack on WPA/WPA2 using PMKID

[JCas]

What's the best practice to feed old pcaps through these tools to scan for PMKIDs? I'm going to add this capability to one of my wifi defeat tools that I'm working on.

[ZerBea]

$ hcxpcaptool -z hash.16800 -E wordlist -I identitylist -U usernamelist *.pcap

Works on all pcaps, but do not expect good results if
- the pcaps are cleaned
- the pcap are merged and contains ESSID changes and/or damaged frames
- the capture tool dosn't support PMKID capturing (only EAPOL 2/4 and EAPOL 3/4 stored)

[wakawaka]

Filter lists are only used in the transmission branch. Using a filter list means, that we run active attacks against the entries (filtermode=2) or do not run active attacks against them (filtermode=1). But nevertheless hcxdumptool is still a passive dumper and will capture all informations it received.

Hi Zerbea,
using filtermode=1 to block an AP and its clients, and running hcxdumptool. will we still capture PMKID's and handshakes of the filtered list ?  It shouldn't right ?

confused with this statement "nevertheless hcxdumptool is still a passive dumper and will capture all informations it received"

[ZerBea]

Hi wakawaka
We can control the transmission branch, because we send only a few packets.
But we are not able to control the receiving branch. If we are in range of hundreds of access points and hundreds of clients, we can't go through the entire filter list on every received packet.
hcxdumptool claimes to be fast:
"But woah this thing is FAST! "
https://forums.hak5.org/topic/44213-pmki...ent-310558
"It can easily get the PMKID's from an entire neighbourhood in a minute or less."
https://forums.hak5.org/topic/44213-pmki...ent-310561
We will lose this ability!

Anyway you can filter out unwanted hashes in an easy way with wlanhcx2ssid (for hccapx files) or an editor (Geany) for all other hashfiles.

> confused with this statement "nevertheless hcxdumptool is still a passive dumper and will capture all informations it received"
Why? If something's in the air, I want to know what it is!
https://en.wikipedia.org/wiki/Signals_Intelligence

[lint]

thank you ZerBea

I have the same result replacing line 21 simply by:
cat /tmp/PSK

saludos Diego

I've beefed your shellscript up a little, hope you like it: https://pastebin.com/6zLH3jD7

Now it displays the whole potfile content instead of just the last line, plus no need for any support files.
And should also display different (-m 2500) potfile results.

[dafez]

Thanks for this tool.

I wrote i little snippet in python ( Nothing fancy ) to show the SSID from a pmkid (.16800) file. Just change the name to what the file is saved as. I couldn't find anyway to see them without using wireshark and i just wanted something easy.

It should work in both python2 and python3 because i've tested in both versions

Code:

import re, binascii

FILE_NAME = "" # Change this to the name of the file
with open(FILE_NAME) as f:
  pmkids = re.findall(r".+(?<=[*])(.+)", f.read(), re.M|re.I)

for p in pmkids:
  print("SSID: %s" % binascii.a2b_hex(p).decode())

@ZerBea Would it be possible to add this to hcxpcaptool so we can see the SSID's for the PMKID's that have been dumped without having to use external tools? Because when i use it to dump the SSID's it shows every AP it sees regardless if it captured data or not thanks.

[diegodieguex]

maybe this help

whoismac -p 69d4ec91a19657d64d4ccc869c229bbe*9e3dcf272236*f0a225dab76d*53696c7665724d61676e6f6c6961

ESSID..: SilverMagnolia
MAC_AP.: 9e3dcf272236
VENDOR.: unknown
MAC_STA: f0a225dab76d
VENDOR.: Private

or:

for i in $(cat 16800.txt ); do whoismac -p $i; done

ESSID..: Fibertel WiFi1
MAC_AP.: 8c10d4fc55xx
VENDOR.: Sagemcom Broadband SAS
MAC_STA: 58c5cbe342xx
VENDOR.: Samsung Electronics Co.,Ltd


ESSID..: Fibertel WiFi2
MAC_AP.: 0025f1859exx
VENDOR.: ARRIS Group, Inc.
MAC_STA: a49a5846aaxx
VENDOR.: Samsung Electronics Co.,Ltd


ESSID..: Fibertel WiFi3
MAC_AP.: 4c72b952fexx
VENDOR.: PEGATRON CORPORATION
MAC_STA: 60427fa493xx
VENDOR.: SHENZHEN CHUANGWEI-RGB ELECTRONICS CO.,LTD

[ZerBea]

As diegodieguex noticed, that function is allready in hcxtools (whoismac) implemented. hcxpcaptool is a conversion tool, only. It will show basic informations about the capture file. But I think about a new hcxpmktool.
Right now I'm preparing hcxdumptool/hcxtools 5.0.0. That that has priority.

[wakawaka]

As diegodieguex noticed, that function is allready in hcxtools (whoismac) implemented. hcxpcaptool is a conversion tool, only. It will show basic informations about the capture file. But I think about a new hcxpmktool.
Right now I'm preparing hcxdumptool/hcxtools 5.0.0. That that has priority.

thanks for all your work on this tool Zerbea

[slyexe]

Just installed this on my Ubiquiti Nano M2 with OpenWRT 15.0.5 Chaos Calmer and ran a few test. Everything ran flawlessly other than an EAPOL request popping up that was about 100 pages long causing the cpu to have a little hissy fit. Otherwise, no issues occurred and was able to run both hcxtools & hcxdumptool perfectly fine on the radio. Copied over the 16800 PMKID file onto the hashing machine to run it with hashcat and encountered nothing but success.

Great job everyone involved.