Posts: 1
Threads: 1
Joined: Jul 2020
07-18-2020, 07:18 PM
(This post was last modified: 07-18-2020, 07:20 PM by mike21.)
Hello guys,
I need some help, I am a newbie and I want to learn how to use hashcat, my friends.
My problem is, I don't know what command to give to get a single PMKID.
I use The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux Live 64-bit version 2020.2
I give these commands to get a WPA PMKID:
sudo hcxdumptool -I
sudo kill
sudo hcxdumptool -o test.pcapng -i wlp0s20f0u1 --enable_status 15
With these commands, by default all APs are attacked,
but I want to attack only some or only one AP, not all APs, my friends.
Can someone please help me with the right commands to attack only some or only one AP?
This would be really great.
Thanks a lot for the help.
Posts: 803
Threads: 135
Joined: Feb 2011
07-19-2020, 01:18 PM
(This post was last modified: 07-19-2020, 01:20 PM by Mem5.)
Not related to hashcat.
hcxdumptool support is at
https://github.com/ZerBea/hcxdumptool
Posts: 1,044
Threads: 2
Joined: Jun 2017
07-20-2020, 09:17 AM
(This post was last modified: 07-20-2020, 09:24 AM by ZerBea.)
According to the help menu, you have to use either
--filtermode=2 in combination with --filterlist_ap=yourtargetmaclist
or create a Berkeley Packet Filter (attack MAC)
Code:
--filterlist_ap=<file> : ACCESS POINT MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_client=<file> : CLIENT MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
--filtermode=<digit> : mode for filter list
mandatory in combination with --filterlist_ap and/or --filterlist_client
affected: only outgoing traffic
notice: hcxdumptool act as passive dumper and it will capture the whole traffic on the channel
0: ignore filter list (default)
1: use filter list as protection list
do not interact with ACCESS POINTs and CLIENTs from this list
2: use filter list as target list
only interact with ACCESS POINTs and CLIENTs from this list
not recommended, because some useful frames could be filtered out
--bpfc=<file> : input Berkeley Packet Filter (BPF) code
affected: incoming and outgoing traffic
steps to create a BPF (it only has to be done once):
set hcxdumptool monitormode
$ hcxdumptool -m <interface>
create BPF to protect a MAC
$ tcpdump -i <interface> not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
recommended to protect own devices
or create BPF to attack a MAC
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 -ddd > attack.bpf
not recommended, because important pre-authentication frames will be lost due to MAC randomization of the CLIENTs
use the BPF code
$ hcxdumptool -i <interface> --bpfc=attack.bpf ...
see man pcap-filter for a list of all filter options
In addition to that, the hashcat forum contains a complete thread on how to use hcxdumptool/hcxtools (including older versions of the tools):
https://hashcat.net/forum/thread-6661.html
and the PMKID attack vector, too:
https://hashcat.net/forum/thread-7717.html
Posts: 4
Threads: 1
Joined: Jul 2020
You can filter the MAC address or choose the PMKID by checking its SSID and work on that one specific hash.
Sample pmkid
aaaaaaaaaaaaaa*aaaaaaaaaaaa*aaaaaaaaaaaa*496c6f76654475636b73
You will copy the last part "496c6f76654475636b73" and convert it to ASCII to read it.
https://www.rapidtables.com/convert/numb...ascii.html
Posts: 1,044
Threads: 2
Joined: Jun 2017
07-22-2020, 11:41 AM
(This post was last modified: 07-22-2020, 11:49 AM by ZerBea.)
One of the major advantages of the new hash format (-m 22000) is that it is not binary (hccapx) and every bash tool will work on it.
To get the ESSID in ASCII you can use hcxtools (whoismac):
Code:
$ whoismac -x 496c6f76654475636b73
IloveDucks
or hcxtools (hcxhashtool) on a -m 22000 hash file:
Code:
$ hcxhashtool -i test.22000 --info=stdout
SSID.......: IloveDucks
MAC_AP.....: aaaaaaaaaaaa (unknown)
MAC_CLIENT.: aaaaaaaaaaaa (unknown)
PMKID......: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
HASHLINE...: WPA*01*aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*aaaaaaaaaaaa*aaaaaaaaaaaa*496c6f76654475636b73***
OUI information file...: /home/zerobeat/.hcxtools/oui.txt
OUI entires............: 27383
total lines read.......: 1
valid hash lines.......: 1
PMKID hash lines.......: 1
PMKID written..........: 1
or perl
Code:
$ echo "aaaaaaaaaaaaaa*aaaaaaaaaaaa*aaaaaaaaaaaa*496c6f76654475636b73" | awk 'BEGIN { FS = "*" } ; { print $4 }' | perl -pe 's/(..)/chr(hex($1))/ge'
IloveDucks
or whatever you like...
BTW:
Nearly everything is explained in these two threads:
https://hashcat.net/forum/thread-6661.html
https://hashcat.net/forum/thread-7717.html
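As an added example (not code from the thread or from hcxtools), here is a small Python parser for the -m 22000 hash line format shown above (WPA*TYPE*PMKID/MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR) that decodes the hex ESSID and keeps only the PMKID lines for one SSID or one AP MAC, which is the "work on that one specific hash" step in script form. The sample lines are constructed placeholders, not a real capture.

```python
import binascii
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class HashLine:
    kind: str          # "01" = PMKID line, "02" = EAPOL (4-way handshake) line
    key: str           # PMKID (type 01) or MIC (type 02), 16 bytes as hex
    mac_ap: str
    mac_client: str
    essid_hex: str
    raw: str

    @property
    def essid(self) -> str:
        # The ESSID field is hex-encoded, e.g. 496c6f76654475636b73 -> IloveDucks
        return binascii.unhexlify(self.essid_hex).decode("utf-8", errors="replace")

def parse_22000(line: str) -> Optional[HashLine]:
    """Parse WPA*TYPE*PMKID/MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR.
    Returns None for anything that is not a well-formed -m 22000 entry."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        return None
    kind, key, mac_ap, mac_client, essid_hex = f[1:6]
    try:  # PMKID/MIC 16 bytes, MACs 6 bytes, ESSID at most 32 bytes, all hex
        sizes = [len(binascii.unhexlify(x)) for x in (key, mac_ap, mac_client, essid_hex)]
    except (binascii.Error, ValueError):
        return None
    if sizes[0] != 16 or sizes[1] != 6 or sizes[2] != 6 or sizes[3] > 32:
        return None
    return HashLine(kind, key, mac_ap.lower(), mac_client.lower(), essid_hex, line.strip())

def select_pmkids(lines, essid: Optional[str] = None, mac_ap: Optional[str] = None) -> List[HashLine]:
    """Keep only PMKID (type 01) lines for the given ESSID and/or AP MAC; the MAC may be
    written as 112233445566, 11:22:33:44:55:66 or 11-22-33-44-55-66 like hcxdumptool's lists."""
    want = mac_ap.replace(":", "").replace("-", "").lower() if mac_ap else None
    out = []
    for raw in lines:
        h = parse_22000(raw)
        if h is None or h.kind != "01":
            continue
        if (essid is None or h.essid == essid) and (want is None or h.mac_ap == want):
            out.append(h)
    return out

# Constructed sample hash file (placeholder values in the style of the thread, not a real capture)
SAMPLE = [
    "WPA*01*" + "a" * 32 + "*" + "a" * 12 + "*" + "a" * 12 + "*496c6f76654475636b73***",
    "WPA*01*" + "b" * 32 + "*" + "b" * 12 + "*" + "b" * 12 + "*4f74686572***",  # ESSID "Other"
    "WPA*02*" + "c" * 32 + "*" + "c" * 12 + "*" + "c" * 12 + "*496c6f76654475636b73*" + "c" * 64 + "*" + "c" * 16 + "*02",
    "aaaaaaaaaaaaaa*aaaaaaaaaaaa*aaaaaaaaaaaa*496c6f76654475636b73",  # old PMKID format, skipped
]

if __name__ == "__main__":
    for h in select_pmkids(SAMPLE, essid="IloveDucks"):
        print(h.essid, h.mac_ap, h.key)
```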