New attack on WPA/WPA2 using PMKID
(3 hours ago)ZerBea Wrote: No, the pcapng doesn't contain IP addresses. But it contain MAC addresses of access points and clients and network names.
If you run hcapcaptool you will get four PMKIDs (two networks with one client and one network with 2 clients) and two handshakes (one network with 2 clients). The pcapng file is flawless!
$ hcxpcaptool -o test.hccapx -z test.16800 -E essid v1.pcapng
reading from v1.pcapng
summary:                                        
file name....................: v1.pcapng
file type....................: pcapng 1.0
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 286
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 259
beacons (with ESSID inside)..: 7
probe requests...............: 8
probe responses..............: 10
association requests.........: 7
association responses........: 13
reassociation requests.......: 1
reassociation responses......: 1
authentications (OPEN SYSTEM): 160
authentications (BROADCOM)...: 7
EAPOL packets................: 78
EAPOL PMKIDs.................: 4
best handshakes..............: 2 (ap-less: 0)

2 handshake(s) written to test.hccapx
4 PMKID(s) written to test.16800

Which of the networks network do you assume use the key 123456789?
SHAW-84AA55 (2 handshakes)
Slow Wifi (PMKID)
Birdy (2 PMKIDs)
TELUS3748 (PMKID)

Hmmm I don't actually see the network there... Here is a better file, sorry about that http://www.mediafire.com/?jy2ok3ebrqdzlr...9rz5f275yc Ive been making so many dumps I trying to fix this that I mixed up the file.

The wifi Im targeting is "Shit Wifi" with the password of 123456789

Im thinking the pcap is "flawless" however maby in the conversion process something is getting stuck

EDIT: Here is the new summary is this is a new file

Code:
summary:
--------
file name....................: v2.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: yes
packets inside...............: 14
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 13
beacons (with ESSID inside)..: 3
probe requests...............: 1
probe responses..............: 3
authentications (OPEN SYSTEM): 6
authentications (BROADCOM)...: 2
Reply
v2.pcapng doesn't contain PMKIDs or handshakes and it is flawless:
$ hcxpcaptool -o test.hccapx -z test.16800 v2.pcapng
reading from v2.pcapng
summary:                                        
file name....................: v2.pcapng
file type....................: pcapng 1.0
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 14
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 14
beacons (with ESSID inside)..: 3
probe requests...............: 1
probe responses..............: 3
authentications (OPEN SYSTEM): 7
authentications (BROADCOM)...: 2

Nevertheless, I'm not able to read hardware informations or file os or application information from this bid endian pcapng file on my little endian system. That need to be fixed.
Reply
(3 hours ago)ZerBea Wrote: v2.pcapng doesn't contain PMKIDs or handshakes and it is flawless:
$ hcxpcaptool -o test.hccapx -z test.16800 v2.pcapng
reading from v2.pcapng
summary:                                        
file name....................: v2.pcapng
file type....................: pcapng 1.0
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 14
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 14
beacons (with ESSID inside)..: 3
probe requests...............: 1
probe responses..............: 3
authentications (OPEN SYSTEM): 7
authentications (BROADCOM)...: 2

...and it is either not from hcxdumptool or modified by user or destroyed!

Oh weird, are you saying it doesnt actually contain any hashes? Did the other file contain some? Im trying to keep up, network hacking is a bit new for me. I get the fastest results from using enable status 2, however maby thats effecting my results? Should I try I different message mode?

I keep rereading the first page along with any other info I can get on pcapng but maby this is a bit too advanced, I dont want to waste any of your time either.

EDIT: Just did another dump this time with enable_status 3, once again during the conversion it says read errors are found
Reply
But both pcapng files are usefull for me. I noticed an issue in combination with mips and will try to fix it. Please give me a few minutes to fix it. v2.pcapng doesn't contain handshakes or PMKIDs.
Reply
(2 hours ago)ZerBea Wrote: But both pcapng files are usefull for me. I noticed an issue in combination with mips and will try to fix it. Please give me a day... v2.pcapng doesn't contain hanshakes or PMKIDs.

Huh, would there be a specific reason why v2 doesnt contain any handshake data? I could try to recreate it again, strange...
Reply
Ok, fixed that ugly big endian issue when we are doing an option walk through the pcapng options:
https://github.com/ZerBea/hcxtools/commi...8548768110
Thanks for reporting this and the test pcapng files. Now hcxpcaptool will show correct informations about big endian pcapng file on little endian systems. But nevertheless, v2.pcapng doesn't contain handshakes or PMKIDs.

$ hcxpcaptool -V v1.pcapng
reading from v1.pcapng
summary:
file name....................: v1.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 286
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 259
beacons (with ESSID inside)..: 7
probe requests...............: 8
probe responses..............: 10
association requests.........: 7
association responses........: 13
reassociation requests.......: 1
reassociation responses......: 1
authentications (OPEN SYSTEM): 160
authentications (BROADCOM)...: 7
EAPOL packets................: 78
EAPOL PMKIDs.................: 4
best handshakes..............: 2 (ap-less: 0)


$ hcxpcaptool -V v2.pcapng
reading from v2.pcapng
summary:
file name....................: v2.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 14
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 14
beacons (with ESSID inside)..: 3
probe requests...............: 1
probe responses..............: 3
authentications (OPEN SYSTEM): 7
authentications (BROADCOM)...: 2

Now let's identify the next issue. Therefore we need a pcapng which contains a handshake or a PMKID from your target.
Reply
(2 hours ago)ZerBea Wrote: Ok, fixed that ugly big endian issue when we are doing an option walk through the pcapng options:
https://github.com/ZerBea/hcxtools/commi...8548768110
Thanks for reporting this and the test pcapng files. Now hcxpcaptool will show correct informations about big endian pcapng file on little endian systems. But nevertheless, v2.pcapng doesn't contain handshakes or PMKIDs.

$ hcxpcaptool -V v1.pcapng
reading from v1.pcapng
summary:                                        
file name....................: v1.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 286
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 259
beacons (with ESSID inside)..: 7
probe requests...............: 8
probe responses..............: 10
association requests.........: 7
association responses........: 13
reassociation requests.......: 1
reassociation responses......: 1
authentications (OPEN SYSTEM): 160
authentications (BROADCOM)...: 7
EAPOL packets................: 78
EAPOL PMKIDs.................: 4
best handshakes..............: 2 (ap-less: 0)


$ hcxpcaptool -V v2.pcapng
reading from v2.pcapng
summary:                                        
file name....................: v2.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 14
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 14
beacons (with ESSID inside)..: 3
probe requests...............: 1
probe responses..............: 3
authentications (OPEN SYSTEM): 7
authentications (BROADCOM)...: 2

Now let's identify the next issue. Therefore we need a pcapng which contains a handshake or a PMKID from your target.

Alright so I tried another dump this time with enable_status 1, see if that worked at all

Code:
[23:05:49 - 006] 2c3033f3f889 -> f0a22504c0b1 [FOUND PMKID CLIENT-LESS]
[23:05:51 - 006] 2c3033f3f889 -> e8617eb9ac97 [FOUND PMKID]
[23:06:01 - 011] 9c1e958f2ea2 -> f0a22504c0b1 [FOUND PMKID CLIENT-LESS]

Im not exactly sure what wifi clients these are as mode 1 doesnt show the ID's but editing it in notepad shows the "shit wifi" and Im seeing [FOUND PMKID] in the console, does that mean it worked? Still learning how to interpolate this

v3 is here http://www.mediafire.com/?bqos57dnnf4kn8...socgondcui
Reply
No, this PMKIDs belong to this ESSIDs:
Birdy
Slow Wifi
Your target network wasn't captured.
You can run whoismac to get informations about the 16800 hashline:
whoismac -p <complete 16800 hashline here>
Reply
(1 hour ago)ZerBea Wrote: No, this PMKIDs belong to this ESSIDs:
Birdy
Slow Wifi
YOur target network wasn't captured.
You can run whoismac to get informations about the 16800 hashline:
whoismac -p <complete 16800 hashline here>

Thanks Ill run it again sorry about that, it seems all the other wifis get dumped but I cant get my dummy connection to work! 

Alright so with this version I setup 3 separate connections all on different routers/devices using the same password (nice security risk I know) 

I think I got one of em, but out of curiosity why is it that only some wifi connections are getting dumped?
v4 here http://www.mediafire.com/?uadb9yot35dn06...la5l2nw1je
Reply