Hak5 Forums
Zylla

PMKID Attack on WiFi Pineapples


8 hours ago, g0blin said:

I've finally gotten around to updating the PMKID module with a couple of new features. v0.3 includes the following additions.

  • Changes to config (specifically the command line args) are now persisted (cc: @PixL)
  • The ability to switch between include and exclude as the filter mode is provided (cc: @Just_a_User)

Great work!

1. If I select exclude and select nothing, do I get the functionality from v0.1? I liked the ability to leave it running and collect new PMKIDs as they appeared.

2. Has the command changed in hcxdumptool? Is it --enable_status 3 or --enable_status=3?

36 minutes ago, PixL said:

Great work!

1. If I select exclude and select nothing, do I get the functionality from v0.1? I liked the ability to leave it running and collect new PMKIDs as they appeared.

2. Has the command changed in hcxdumptool? Is it --enable_status 3 or --enable_status=3?

Thank you!

1. You'll need to gather your APs to target before you start capturing. In 0.1 I monitored for APs indirectly via the output from the tooling, however in more recent versions of the tools that proved to be extremely ineffective. If you have your target APs discovered and switch to exclude (without selecting any APs), it should then include all APs listed.

2. These are essentially the same. You can either provide the equals symbol or not, it should not make any difference. If this is not the case let me know, and I can update the default settings.

edit: I may look into monitoring the tooling output for new APs which were not previously included in the list. I did quite like that feature over discovering APs for targeting.

Edited by g0blin


So hcxcaptool still isn't working after upgrade to v16. Now I am getting:

-ash: hcxcaptool: not found

 

1 hour ago, skylark said:

So hcxcaptool still isn't working after upgrade to v16. Now I am getting:

-ash: hcxcaptool: not found

 

You seem to have entered the wrong command. 

It's hcxpcaptool, not hcxcaptool. 


Sorry same error using the correct command!

-ash: hcxpcaptool : not found

I also tried to re-install it. No luck.

 

33 minutes ago, skylark said:

Sorry same error using the correct command!

-ash: hcxpcaptool : not found

I also tried to re-install it. No luck.

 

Strange. After installing, try this:

find / -name hcxpcaptool

Typing from my cellphone, so sorry for not formatting the post correctly.


root@Pineapple:/sd/hcx# opkg install hcxtools_4.2.1-16_ar71xx.ipk
Installing hcxtools (4.2.1-16) to root...
Configuring hcxtools.
root@Pineapple:/sd/hcx# find / -name hcxpcaptool
find: unrecognized: ��

---

root@Pineapple:/sd/hcx# find / -name hcxdumptool
/overlay/upper/sbin/hcxdumptool
/sbin/hcxdumptool

2 hours ago, skylark said:

root@Pineapple:/sd/hcx# opkg install hcxtools_4.2.1-16_ar71xx.ipk
Installing hcxtools (4.2.1-16) to root...
Configuring hcxtools.
root@Pineapple:/sd/hcx# find / -name hcxpcaptool
find: unrecognized: ��

---

root@Pineapple:/sd/hcx# find / -name hcxdumptool
/overlay/upper/sbin/hcxdumptool
/sbin/hcxdumptool

If you read the output carefully from your first find attempt: "find: unrecognized: ��" it means that there's a symbol in your input that it doesn't recognize. (They don't appear on the screen, so everything looks OK, but it is not.)
Try typing it again.

As for me, I just tested the package on my Nano, and it's working perfectly fine. It gets installed to /sbin, or /sd/sbin (if you install to the SD card).
Screenshot of my attempt below:

[Screenshot: nano.png]

Edited by Zylla


What the??!! I ran the search again and it located it.

Then I ran the tool and it actually worked! weird.

Thanks for the help.

 

Edited by skylark
accidental paste


Just upgraded my Kali machine yesterday, been fooling around. Take a look at wifite:

root@citzonparole:/# wifite
   .               .    
 .´  ·  .     .  ·  `.  wifite 2.2.5
 :  :  :  (¯)  :  :  :  automated wireless auditor
 `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
   `     /¯¯¯\     ´    

 [!] Warning: Recommended app hcxdumptool was not found. install @ https://github.com/ZerBea/hcxdumptool
 [!] Warning: Recommended app hcxpcaptool was not found. install @ https://github.com/ZerBea/hcxtools
 [!] Conflicting processes: NetworkManager (PID 459), wpa_supplicant (PID 546), dhclient (PID 1971)
 [!] If you have problems: kill -9 PID or re-run wifite with --kill)


KOOL|

 

Also been getting make errors for some reason. Any special way to do this?

I've

cd /root/hcxtools-hcxdumptool-openwrt-master/net/hcxdumptool into the unzipped file in my home directory

Now I execute the make command

root@citzonparole:~/hcxtools-hcxdumptool-openwrt-master/net/hcxdumptool# make
Makefile:25: /package.mk: No such file or directory
make: *** No rule to make target '/package.mk'.  Stop.

 

Please, does anyone know?

 


@Bigbiz

If you're trying to install both hcxtools and hcxdumptool I suggest you read the first post in this thread. 

You can install the latest version of both tools automatically by issuing the command I have presented in said post. 

But please remember, you need to SSH into the Pineapple before running the command. 

PS. The reason your make command failed is because there is no Makefile, and no need for it.

PPS. If you're trying to install/compile the tools for usage on your Kali machine, take a look at ZerBea's GitHub repo. As my repo is solely for the Pineapples.

Edited by Zylla


Okay, I got some weird stuff. I updated the Pineapple (did not use it for a few months), got everything up and running, had some issues with internet so refreshed the firmware, and now that is all nice and working. But installing/upgrading via opkg is not doing what it should...

So I first tried to install your app. Got the following:

root@Pineapple:/tmp# wget -qO- https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/master/INSTALL.sh | bash -s -- -v -v
--2018-10-15 09:26:23--  https://github.com/adde88/hcxtools-hcxdumptool-openwrt/tree/master/bin/ar71xx/packages/base
Resolving github.com... 192.30.253.112, 192.30.253.113
Connecting to github.com|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: '/tmp/HcxTools/base'

base                                             [   <=>                                                                                        ]  39.58K  31.3KB/s    in 1.3s    

2018-10-15 09:26:25 (31.3 KB/s) - '/tmp/HcxTools/base' saved [40532]

Installing: hcxdumptool  and hcxtools.
Go grab a cup of coffee, this will take a while...

Downloading https://www.wifipineapple.com/nano/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_pineapple.
Downloading https://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/base/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_base.
Downloading https://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_packages.
Downloading https://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/management/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_management.
Downloading https://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/routing/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_routing.
--2018-10-15 09:26:36--  https://github.com/adde88/hcxtools-hcxdumptool-openwrt/raw/master/bin/ar71xx/packages/base/hcxtools_4.2.1-16_ar71xx.ipk
Resolving github.com... 192.30.253.113, 192.30.253.112
Connecting to github.com|192.30.253.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/master/bin/ar71xx/packages/base/hcxtools_4.2.1-16_ar71xx.ipk [following]
--2018-10-15 09:26:37--  https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/master/bin/ar71xx/packages/base/hcxtools_4.2.1-16_ar71xx.ipk
Resolving raw.githubusercontent.com... 151.101.192.133, 151.101.128.133, 151.101.64.133, ...
Connecting to raw.githubusercontent.com|151.101.192.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104209 (102K) [application/octet-stream]
Saving to: 'hcxtools_4.2.1-16_ar71xx.ipk'

hcxtools_4.2.1-16_ar71xx.ipk                 100%[=============================================================================================>] 101.77K  93.4KB/s    in 1.1s    

2018-10-15 09:26:38 (93.4 KB/s) - 'hcxtools_4.2.1-16_ar71xx.ipk' saved [104209/104209]

--2018-10-15 09:26:38--  https://github.com/adde88/hcxtools-hcxdumptool-openwrt/raw/master/bin/ar71xx/packages/base/hcxdumptool_4.2.1-17_ar71xx.ipk
Resolving github.com... 192.30.253.112, 192.30.253.113
Connecting to github.com|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/master/bin/ar71xx/packages/base/hcxdumptool_4.2.1-17_ar71xx.ipk [following]
--2018-10-15 09:26:39--  https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/master/bin/ar71xx/packages/base/hcxdumptool_4.2.1-17_ar71xx.ipk
Resolving raw.githubusercontent.com... 151.101.0.133, 151.101.192.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27641 (27K) [application/octet-stream]
Saving to: 'hcxdumptool_4.2.1-17_ar71xx.ipk'

hcxdumptool_4.2.1-17_ar71xx.ipk              100%[=============================================================================================>]  26.99K  94.1KB/s    in 0.3s    

2018-10-15 09:26:39 (94.1 KB/s) - 'hcxdumptool_4.2.1-17_ar71xx.ipk' saved [27641/27641]

Installing hcxtools (4.2.1-16) to sd...
Installing hcxdumptool (4.2.1-17) to sd...
Configuring hcxdumptool.
grep: /usr/lib/opkg/info/hcxdumptool.control: No such file or directory
cat: can't open '/usr/lib/opkg/info/hcxdumptool.list': No such file or directory
Configuring hcxtools.
grep: /usr/lib/opkg/info/hcxtools.control: No such file or directory
cat: can't open '/usr/lib/opkg/info/hcxtools.list': No such file or directory
Installation completed!
root@Pineapple:/tmp# hcxtools
-ash: hcxtools: not found

When I run the find command I get:

root@Pineapple:/# find -name hcxdumptool
./sbin/hcxdumptool

Now when I follow the symlink I get the following path:

/sd/sbin/hcxdumptool

What is going on here?


Fixed it with a path update:

 echo 'export PATH=$PATH:/sd/usr/sbin' >> /etc/profile
 echo 'export PATH=$PATH:/sd/usr/bin' >> /etc/profile

 

Edited by nivong

1 hour ago, DoJo_Mast3r said:

So far so good, but it's taking forever, I used the example command to create the file. Still logging after a few hours, that normal?

When hcxdumptool successfully gets a PMKID it will display a message in the terminal. 

If the Pineapple is within reach of any APs or clients, it normally takes just a few seconds to get a PMKID.

My record was 11 successful PMKIDs in under a minute. (I did have authorization from the owners)

Read the help message, read the github page for hcxdumptool, and try playing with different "enable_status" variables. 


Hmmm, I think I've done everything correctly, however I can't crack any hashes. I've tried the:

hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

As well as using some massive wordlist files, however after hours of cracking I get nowhere. Could be the wifi connections being targeted have some crazy passwords, but I highly doubt that.

(Side note: are you planning to update the wifiphisher addon for the pineapple? I'm still stuck on that XD)


Think I found the reason why my hashes are uncrackable haha

file name....................: v4.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: yes
packets inside...............: 55
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 50
beacons (with ESSID inside)..: 7
probe requests...............: 3
probe responses..............: 5
association requests.........: 1
association responses........: 2
authentications (OPEN SYSTEM): 21
authentications (BROADCOM)...: 4
EAPOL packets................: 16
EAPOL PMKIDs.................: 3
best handshakes..............: 1 (ap-less: 0)

I'm guessing read errors yes is a bad thing... Something might have gone wrong during the conversion process and that's why my hashes are uncrackable

(note: I literally made my wifi password 123456789) 
 


Alright, so I installed Ubuntu desktop with hcxpcaptool and performed the file conversion; this time I get "flawless". I then compared the hashes from my Pineapple and it seems they are exactly the same. So the "read errors: yes" seems to be a text glitch or something. However, trying to use hashcat once again, I still can't crack it with the password of 123456789. Something must be going on when creating the dump file. Have a look at this new dump if you want. I also installed a new router and triple-checked that the password was indeed 123456789.

I'm guessing at this point it's specifically a Pineapple problem and not a hashcat issue. I restored the Pineapple and formatted the SD. I even tried older builds with no luck at all.

This here is the hash

ac20d69c3f1cf3c11309fc9f306cd9e7*e84e063b1484*fcc233ee3edd*736869742077696669
It SHOULD be 123465789
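
Added example, not part of the original posts or of hcxtools/hashcat: when a hash from your own AP will not crack with a passphrase you already know, checking that one passphrase against the hash line directly separates a capture problem from a cracking-setup problem. The function names are chosen here; the derivation is the standard WPA2-PSK one (PBKDF2-HMAC-SHA1 for the PMK, then HMAC-SHA1 over "PMK Name" and the two MACs), and the sample built in `__main__` is constructed, not captured.

```python
import hashlib
import hmac

# Hash line as posted above (hashcat mode 16800).
POSTED_LINE = "ac20d69c3f1cf3c11309fc9f306cd9e7*e84e063b1484*fcc233ee3edd*736869742077696669"

def parse_16800(line):
    """Split PMKID*MAC_AP*MAC_STA*ESSID (all hex) and validate field sizes."""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError("expected 4 '*'-separated fields, got %d" % len(fields))
    pmkid, mac_ap, mac_sta, essid = (bytes.fromhex(f) for f in fields)
    if len(pmkid) != 16 or len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("PMKID must be 16 bytes and each MAC 6 bytes")
    if not 1 <= len(essid) <= 32:
        raise ValueError("ESSID must be 1..32 bytes")
    return pmkid, mac_ap, mac_sta, essid

def compute_pmkid(passphrase, essid, mac_ap, mac_sta):
    """Derive the PMKID a WPA2-PSK AP would send for this passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    # PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), essid, 4096, 32)
    # PMKID = first 16 bytes of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def passphrase_matches(line, passphrase):
    """True if the known passphrase reproduces the PMKID in the hash line."""
    pmkid, mac_ap, mac_sta, essid = parse_16800(line)
    return hmac.compare_digest(pmkid, compute_pmkid(passphrase, essid, mac_ap, mac_sta))

def build_line(passphrase, essid, mac_ap, mac_sta):
    """Build a constructed sample line for testing (not captured data)."""
    pmkid = compute_pmkid(passphrase, essid, mac_ap, mac_sta)
    return "*".join(x.hex() for x in (pmkid, mac_ap, mac_sta, essid))

if __name__ == "__main__":
    # The posted line parses cleanly; the ESSID field decodes to readable text.
    print("ESSID in posted line:", parse_16800(POSTED_LINE)[3].decode())
    # Constructed sample: locally administered MACs and a made-up lab passphrase.
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    sample = build_line("lab-passphrase-01", b"lab-ap", ap, sta)
    print("correct passphrase:", passphrase_matches(sample, "lab-passphrase-01"))
    print("two digits swapped:", passphrase_matches(sample, "lab-passphrase-10"))
```

Call `passphrase_matches` with the hash line and the passphrase exactly as it is configured on the router; a single transposed digit is enough to make the check fail.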
