Understanding EAPOL 4-Way Handshake and PMKID cracking
#1
Hello!

I read how cracking WPA2PSK works and it seems to boil down to either capturing the entire 4-way handshake or just the PMKID, if the access point broadcasts it, and then running hashcat. Now, I have a few questions.

#1: Is capturing the PMKID preferable over capturing the entire 4-way handshake? From what I understand, both provide you enough information for cracking the PMK (which is the actual access key if I'm not mistaken) and that means you'll find the PSK (the secret passphrase) once hashcat is finished. The PMKID is much easier to get since it doesn't require any clients to connect to the access point. If in both cases I only need to crack the PMK, does that mean that it takes the same amount of time with both attacks, or is the handshake method slower to crack because I need to feed hashcat more data?

#2: It seems that in the end capturing a handshake or PMKID is just to have a file to let hashcat work on. I mean, one could also stand in front of the access point and try connecting with all possible password combinations, but I guess that would take much longer, hence why having a capture file to crack offline is much more convenient. Is this correct?

#3: If an access point doesn't broadcast the PMKID, a 4-way handshake attack is always viable unless the access point is using enterprise security protocols, right? Also, I suppose that to improve my defense against this type of attack, using a complex long passphrase helps a lot.

Please, correct me if I'm wrong. Thanks in advance!
#2
1.
faster
you don't need a CLIENT
works if MFP is activated
not susceptible for packet loss

2.
No. hashcat is working on the captured hash and the result is the PMK and the PSK.
Yes. Searching the PSK by trying to connect to the AP with all combinations can take more than a human lifetime.

3.
Yes, you can recover PMK/PSK from a 4-way handshake. Make sure you have no packet loss.

4.
You can retrieve a PMK/PSK also from a CLIENT (AP-LESS) attack.

Those are only short answers. Please read more here:
https://hashcat.net/forum/thread-7717.html
and here:
https://hashcat.net/forum/thread-6661.html
#3
Thanks for the clarification, I'll check out those threads.
#4
Kiwil3mon, let me use your post to ask about something I don't know about how Hashcat works with PMKIDs or handshakes.
When I place in a file a PMKID or HS that I want to break using a mask of 10 digits, Hashcat shows a remaining time of 7 hours. If I place another handshake or PMKID from the same AP, Hashcat keeps showing the same time for both of them.
So my question: does Hashcat read the BSSIDs and ESSIDs to avoid double, triple, etc. work?


Code:
Session..........: hashcat
Status...........: Running
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: /home/powermi/WPA/hashes/ONOE25.22000
Time.Started.....: Wed Apr 1 16:48:24 2020 (1 sec)
Time.Estimated...: Wed Apr 1 23:18:57 2020 (6 hours, 30 mins)
Guess.Mask.......: ?d?d?d?d?d?d?d?d?d?d [10]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 426.8 kH/s (70.92ms) @ Accel:64 Loops:64 Thr:1024 Vec:1
Recovered........: 0/10 (0.00%) Digests
Progress.........: 0/10000000000 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/1000000000 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1216-1280
Candidates.#1....: 1234567899 -> 1791464345
Hardware.Mon.#1..: Temp: 52c Fan: 30% Util:100% Core:1950MHz Mem:6801MHz Bus:16
#5
Correct: reuse PBKDF2
That means that a PMK is calculated only once for an ESSID-PSK combination and compared against all hashes using the same ESSID.

This line will give you information about it:
Recovered........: 0/10 (0.00%) Digests
10 hashes using the same ESSID (salt)

Running hashcat against test.22000 file converted by hcxpcapngtool --all:
Recovered........: 69/35766 (0.19%) Digests, 10/631 (1.58%) Salts
35766 hashes using 631 ESSIDs (salts)
Please keep in mind:
That (--all) is an analysis mode (as well as hashcat modes 22001 and deprecated 2501 and 16801)

BTW:
Time.Estimated...: Wed Apr 1 23:18:57 2020 (6 hours, 30 mins)
is an average value. It may change during runtime.

To determine the exact time (including init and de-init) "time" should be the first choice:
Code:
$ time hashcat -m 22000 ......

BTW 2:
--nonce-error-corrections has a deep impact on hashcat speed
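To make the "reuse PBKDF2" point above (and the PMK/PMKID relationship from post #2) concrete, here is an added Python example; it is not code from this thread, from hashcat or from hcxtools. It derives the PMK with PBKDF2-HMAC-SHA1 (4096 iterations, ESSID as salt) and the PMKID with HMAC-SHA1-128 as IEEE 802.11 specifies (the PMK derivation checks out against the standard's published "password"/"IEEE" test vector), writes them as constructed 22000-format PMKID lines, and then shows why hashcat counts ESSIDs as salts: for three PMKIDs sharing one ESSID the expensive PBKDF2 runs once per candidate, not once per hash. The ESSID, passphrase, MAC addresses and candidate list are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# --- Key derivation as specified in IEEE 802.11 for WPA2-PSK --------------

def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    This is the expensive step; it depends only on the candidate and the ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): one cheap HMAC."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


# --- hashcat 22000 hash lines ----------------------------------------------

def make_pmkid_line(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, essid: str) -> str:
    """Build a PMKID (type 01) 22000 line: WPA*01*PMKID*MAC_AP*MAC_STA*ESSIDhex***.
    The three trailing fields (ANONCE, EAPOL, MESSAGEPAIR) are only used by type 02."""
    return "WPA*01*{}*{}*{}*{}***".format(
        pmkid.hex(), mac_ap.hex(), mac_sta.hex(), essid.encode().hex())


def parse_22000(lines):
    """Split 22000 lines into their fields; every line has exactly nine '*'-separated fields."""
    entries = []
    for line in lines:
        fields = line.strip().split("*")
        if len(fields) != 9 or fields[0] != "WPA":
            raise ValueError("not a 22000 hash line: %r" % line)
        entries.append({
            "type": fields[1],
            "hash": bytes.fromhex(fields[2]),
            "mac_ap": bytes.fromhex(fields[3]),
            "mac_sta": bytes.fromhex(fields[4]),
            "essid": bytes.fromhex(fields[5]).decode(),
            "raw": line.strip(),
        })
    return entries


def recover_pmkids(entries, candidates):
    """Reuse-PBKDF2 strategy: group hashes by ESSID (hashcat's 'salt'), derive the PMK
    once per (ESSID, candidate) and test it against every hash in that group.
    Returns (dict raw_line -> passphrase, number of PBKDF2 computations)."""
    by_essid = defaultdict(list)
    for e in entries:
        if e["type"] == "01":          # PMKID lines only; type 02 needs the EAPOL MIC check
            by_essid[e["essid"]].append(e)
    found = {}
    pbkdf2_runs = 0
    for essid, group in by_essid.items():
        for cand in candidates:
            pmk = derive_pmk(cand, essid)
            pbkdf2_runs += 1
            for e in group:
                if e["raw"] not in found and hmac.compare_digest(
                        derive_pmkid(pmk, e["mac_ap"], e["mac_sta"]), e["hash"]):
                    found[e["raw"]] = cand
    return found, pbkdf2_runs


# --- Constructed sample data (not from any real capture) -------------------
ESSID = "lab-essid"                     # constructed
TRUE_PSK = "Tr0ub4dor&3-lab"            # constructed
MAC_AP = bytes.fromhex("021122334455")  # constructed, locally administered address
MAC_STAS = [bytes.fromhex("0266778899aa"), bytes.fromhex("0266778899ab"),
            bytes.fromhex("0266778899ac")]  # three clients of the same AP, constructed
CANDIDATES = ["password", "12345678", TRUE_PSK, "letmein1"]

# Three PMKIDs from the same AP/ESSID: hashcat would report them as 3 digests, 1 salt.
SAMPLE_LINES = [
    make_pmkid_line(derive_pmkid(derive_pmk(TRUE_PSK, ESSID), MAC_AP, sta), MAC_AP, sta, ESSID)
    for sta in MAC_STAS
]

if __name__ == "__main__":
    entries = parse_22000(SAMPLE_LINES)
    found, runs = recover_pmkids(entries, CANDIDATES)
    print("%d hashes, %d ESSID(s)/salt(s), %d PBKDF2 runs for %d candidates"
          % (len(entries), len({e["essid"] for e in entries}), runs, len(CANDIDATES)))
    for line, psk in found.items():
        print("recovered %r for %s..." % (psk, line[:40]))
```

Run directly, it prints the digest/salt counts and the recovered passphrase. The PBKDF2 step is what limits guessing speed, which is why the 4096 iterations and a long passphrase matter, and why adding more hashes for the same ESSID does not change the estimated time. Only type 01 (PMKID) lines are verified here; a type 02 (EAPOL) line needs the PTK/MIC computation instead, but that also starts from the same PMK, so it costs the same PBKDF2 work per candidate.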
#6
Thanks a lot for the explanation. About the --nonce-error-corrections values: I use what hcxpcapngtool suggests, but could I go down to 2 if I have various PMKIDs or handshakes from the same AP?
#7
Running this combination:
Code:
hcxdumptool  ->  hcxpcapngtool  ->  hashcat
nonce-error-corrections is in automatic mode. On traffic captured by hcxdumptool it is mostly set to 0 by the automatic.
The last field of a 22000 hash line will show you this.

You can override the automatic on all three tools running:
Code:
hcxdumptool --eapoltimeout > 20000  ->  hcxpcapngtool --nonce-error-corrections > 0  ->  hashcat --nonce-error-corrections > 0
Or you can disable the automatic, running hashcat --nonce-error-corrections=0

Additionally, you can use the suggested (measured) value from hcxpcapngtool to override the automatic:
Code:
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 81

hashcat -m 22000 --nonce-error-corrections=81

Please keep in mind:
This will work in combination with hcxdumptool/hcxtools/hashcat only! Running other tools (especially for capturing WiFi traffic), you should enable hashcat --nonce-error-corrections >= 8!
As an alternative to hcxpcapngtool you can use multicapconverter:
https://github.com/s77rt/multicapconverter
Less options, but more portable than hcxpcapngtool.
#8
Thanks a lot. As I'm following the first combination of hcxdumptool -> hcxpcapngtool -> hashcat, I think I'll set it to =2, or could I just simply skip --nonce-error-corrections when writing the Hashcat command line?
#9
(04-01-2020, 05:35 PM)ZerBea Wrote: Correct: reuse PBKDF2
That means that a PMK is calculated only once for an ESSID-PSK combination and compared against all hashes using the same ESSID.

This line will give you information about it:
Recovered........: 0/10 (0.00%) Digests
10 hashes using the same ESSID (salt)

Should I get the same salts value (=1) if I mix a PMKID and a handshake?
#10
Running that combination nc=2 doesn't make sense.
Either use the automatic or run nc=0.
That depends on the quality of your captured traffic and the sensitivity of your device (PLCP errors).
You can do a simple test to check this:

Get wordlist from here:
https://wpa-sec.stanev.org/dict/cracked.txt.gz

$ hcxpcapngtool -o test.22000 dumpfile.pcapng

$ time hashcat -m 22000 --potfile-disable test.22000 cracked.txt
compare recovered PSKs and time with
$ time hashcat -m 22000 --potfile-disable test.22000 --nonce-error-corrections=0 cracked.txt
and compare recovered PSKs and time with
$ time hashcat -m 22000 --potfile-disable test.22000 --nonce-error-corrections=8 cracked.txt
Now you should have the best option(s).