g0blin Posted September 7, 2018
Sorry @Zylla - scratch that. It does appear to be working, but I may need to adjust how I'm parsing the logs in order to marry up captures with APs. Stand down!
Zylla (thread author) Posted September 7, 2018
1 hour ago, g0blin said:
    Sorry @Zylla - scratch that. It does appear to be working, but I may need to adjust how I'm parsing the logs in order to marry up captures with APs. Stand down!
Phew. I know the last update from ZerBea fixed some bugs with direct probe-request handling, so I got worried something was wrong on my part. Glad to hear everything's good!
cheeto Posted September 8, 2018
18 hours ago, Zylla said:
    Kali is based on Debian; the only "modified versions" I can think of are the images you can download containing the Nexmon patches, which let you run wlan0 in monitor mode (and AP mode at the same time). But that's just a kernel patch. Here's a link to a great version: https://re4son-kernel.com/re4son-pi-kernel/ And yeah, same with the Pineapple. You don't use hashcat on these devices to crack the PMKID; you transfer the captures from the device to your desktop, which hopefully has a GPU or something.
Yes, the one I have on my RP3b+ is an image version. The link you sent me doesn't seem to be an image file. I'm going to do some reading up on how to install it. Have you tried getting PMKID on Raspbian? Thank you!
Zylla (thread author) Posted September 8, 2018
9 hours ago, cheeto said:
    Yes, the one I have on my RP3b+ is an image version. The link you sent me doesn't seem to be an image file. I'm going to do some reading up on how to install it. Have you tried getting PMKID on Raspbian? Thank you!
Haven't tested it, but since Raspbian is also based on Debian I don't see any reason for it not to work if you have all the dependencies installed. But you would need to patch the kernel to get monitor mode on wlan0.
g0blin Posted September 8, 2018
@cheeto Check out nexmon for getting monitor mode on the Pi - I've found it very reliable: https://github.com/seemoo-lab/nexmon
kleo Posted September 10, 2018
@Zylla, @g0blin, is there a way to whitelist access points from getting deauthed by hcxdumptool? For example the Pineapple's mgmt AP and controller.
Just_a_User Posted September 10, 2018
3 minutes ago, kbeflo said:
    @Zylla, @g0blin, is there a way to whitelist access points from getting deauthed by hcxdumptool? For example the Pineapple's mgmt AP and controller.
Hi @kbeflo, you can whitelist with the filters from the CLI. I haven't used whitelist/protection mode but have tried blacklist/target and it works well.
    --filterlist=<file>  : mac filter list
                           format: 112233445566 + comment
                           maximum line lenght 128, maximum entries 32
    --filtermode=<digit> : mode for filter list
                           1: use filter list as protection list (default)
                           2: use filter list as target list
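An added example (not hcxdumptool's own code, nor any poster's) that checks a protection list against the limits quoted in the help text above before it is handed to --filterlist, so a malformed line does not silently leave your own management AP unprotected. It assumes a comment may follow the MAC after whitespace and that blank lines are ignored; the MACs in the sample lists are constructed.

```sh
#!/bin/sh
# Added example: validate an hcxdumptool --filterlist file against the
# limits quoted in the thread (12-hex-digit MAC per line, line length at
# most 128, at most 32 entries). Assumption: a comment may follow the MAC
# after whitespace, e.g. "112233445566 my management AP".

# Constructed sample lists (MACs made up for the example).
GOOD_LIST='001122334455 pineapple management AP
aabbccddeeff controller'
BAD_LIST='00112233445 too short
0011223344zz not hex'

# validate_filterlist <file>: prints one message per problem, returns 1 if any.
validate_filterlist() {
    rc=0; entries=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        [ -z "$line" ] && continue          # blank lines carry no entry
        entries=$((entries + 1))
        if [ "${#line}" -gt 128 ]; then
            echo "line $lineno: longer than 128 characters"; rc=1
        fi
        if ! printf '%s\n' "$line" | grep -Eq '^[0-9a-fA-F]{12}([[:space:]].*)?$'; then
            echo "line $lineno: must start with a 12-hex-digit MAC (no colons)"; rc=1
        fi
    done < "$1"
    if [ "$entries" -gt 32 ]; then
        echo "$entries entries, hcxdumptool accepts at most 32"; rc=1
    fi
    return "$rc"
}

# Writes the sample lists to a temp dir and prints each file's verdict.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$GOOD_LIST" > "$d/protect.txt"
    printf '%s\n' "$BAD_LIST" > "$d/bad.txt"
    validate_filterlist "$d/protect.txt" && echo "protect.txt: ok"
    validate_filterlist "$d/bad.txt" || echo "bad.txt: rejected"
}
```

Run the check on the list you intend to use with --filtermode=1 before starting a capture; a non-zero exit means at least one entry would not be matched as written.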
kleo Posted September 10, 2018
@Just_a_User, definitely missed that while reading through its options, though I was looking for whitelisting ESSIDs. Thanks!
kleo Posted September 10, 2018
For those having trouble getting a flash drive mounted on boot, I hope this helps you out: https://gist.github.com/kbeflo/8c85c084e9c5ae86b3367716a463e793
PixL Posted September 10, 2018
On 9/6/2018 at 11:06 PM, g0blin said:
    Had a go at creating a Module that makes use of these binaries - here's what I came up with: https://github.com/hackthebox/PMKID All feedback appreciated! Thanks to @Zylla!
This works great, well done!
g0blin Posted September 12, 2018
I've updated the module to 0.2, which includes a few new features.
* Scan for APs using airodump, instead of relying upon the output of hcxdumptool to discover APs
* Provide an "inclusion" list in order to target specific APs (there you go @Just_a_User!)
* Retain various pieces of scan data, including the capture, log and AP list from scans
* Improved dependency script (thanks @Zylla!)
I've a bit of cleaning up to do, as it's gotten a little out of hand. I'd like to unify the API methods for loading scan/capture data, as well as get myself up to speed on Angular so that I can use its features a bit more optimally, but for the moment the module should work as intended.
Just_a_User Posted September 12, 2018
46 minutes ago, g0blin said:
    * Provide an "inclusion" list in order to target specific APs (there you go
That's great, thank you. There may be occasions where the inverse may be required: protecting the Pineapple's management AP and targeting all others. Any chance you can make the inclusion/target or exclusion/protection modes switchable by the user? If not, no worries. I will give this a test drive later for sure. Thank you for the contribution.
EDIT - I just installed it; the targeting allows you to avoid your management network, so no need. This is great! Thanks again.
EDIT EDIT - I get an error on converting.
g0blin Posted September 12, 2018
D'oh - sorry! I'll get on fixing that after this morning's round of meetings!
edit: Hmm, I tried to convert a saved capture from yesterday and it appeared to work. I'm at work and only have 5GHz networks here, so will need to investigate further when I get home this evening. As for inverting the inclusion rule, that's something I can cover off this evening also.
Just_a_User Posted September 12, 2018
2 hours ago, g0blin said:
    As for inverting the inclusion rule, that's something I can cover off this evening also.
Super nice. Finishing touches (for me at least) would be a delete button for the selected log and maybe a download of the converted file, next to load and convert. It could be that the download happens after the convert? If so, that's great; I just can't see that yet with my error. I have to factory reset my Tetra soon as I have been messing a lot with libs recently, so I might be causing this issue myself.
EDIT - I just managed a conversion, which does indeed pop up as a download. I can repeat the error on one log file, so it's something in there. I will have a better poke about and report back.
g0blin Posted September 12, 2018
25 minutes ago, Just_a_User said:
    Super nice. Finishing touches (for me at least) would be a delete button for the selected log and maybe a download of the converted file, next to load and convert. It could be that the download happens after the convert? If so, that's great; I just can't see that yet with my error. I have to factory reset my Tetra soon as I have been messing a lot with libs recently, so I might be causing this issue myself.
Great, thank you for the feedback! I'll try to get these features in this evening, as well as diagnosing the issue you found with downloading the converted results.
Just_a_User Posted September 12, 2018
14 minutes ago, g0blin said:
    Great, thank you for the feedback! I'll try to get these features in this evening, as well as diagnosing the issue you found with downloading the converted results.
I think I might have it (at least in part). I can repeat it if I try to convert an empty log file, so my guess is the log I tried to convert is possibly empty even though it shows up green/powned.
g0blin Posted September 12, 2018
Interesting! I'll see if I can reproduce it locally. If I can't, I may have to ask you to send over any (redacted) logs that you're able to, if you're willing? If not, no problem - I can always step through it and try to spot where I've messed up. Thanks
Just_a_User Posted September 12, 2018
2 hours ago, g0blin said:
    Interesting! I'll see if I can reproduce it locally. If I can't, I may have to ask you to send over any (redacted) logs that you're able to, if you're willing? If not, no problem - I can always step through it and try to spot where I've messed up. Thanks
I had removed the logs and files from /tmp/ before I saw your request. I have since had 2x log files with no marked powned networks; both were targeting my test AP, one runs OK and the other gives JSON errors. The only difference I can see is whether it contains a PMKID or not.
This one gives JSON errors:
    root@Pineapple:/pineapple/modules/PMKID/capture# hcxpcaptool -z test.16800 capture_1536756737
    start reading from capture_1536756737
    summary:
    --------
    file name....................: capture_1536756737
    file type....................: pcapng 1.0
    file hardware information....: mips
    file os information..........: Linux 3.18.84
    file application information.: hcxdumptool 4.2.1
    network type.................: DLT_IEEE802_11_RADIO (127)
    endianess....................: big endian
    read errors..................: flawless
    packets inside...............: 45
    skipped packets..............: 0
    packets with FCS.............: 45
    beacons (with ESSID inside)..: 18
    probe requests...............: 2
    probe responses..............: 5
    authentications (OPEN SYSTEM): 14
    authentications (BROADCOM)...: 1
    EAPOL packets................: 5
    EAPOL PMKIDs.................: 1
    0 PMKID(s) written to test.16800
    root@Pineapple:/pineapple/modules/PMKID/capture#
This one works fine:
    root@Pineapple:/pineapple/modules/PMKID/capture# hcxpcaptool -z test2.16800 capture_1536756628
    start reading from capture_1536756628
    summary:
    --------
    file name....................: capture_1536756628
    file type....................: pcapng 1.0
    file hardware information....: mips
    file os information..........: Linux 3.18.84
    file application information.: hcxdumptool 4.2.1
    network type.................: DLT_IEEE802_11_RADIO (127)
    endianess....................: big endian
    read errors..................: flawless
    packets inside...............: 48
    skipped packets..............: 0
    packets with FCS.............: 48
    beacons (with ESSID inside)..: 13
    probe requests...............: 2
    probe responses..............: 4
    association requests.........: 3
    association responses........: 1
    authentications (OPEN SYSTEM): 19
    authentications (BROADCOM)...: 2
    EAPOL packets................: 5
    EAPOL PMKIDs.................: 1
    1 PMKID(s) written to test2.16800
    root@Pineapple:/pineapple/modules/PMKID/capture#
I got to do some stuff so won't be able to look at it again for a few hours. Maybe this gives some clues?
g0blin Posted September 12, 2018
3 hours ago, Just_a_User said:
    I had removed the logs and files from /tmp/ before I saw your request. I have since had 2x log files with no marked powned networks; both were targeting my test AP, one runs OK and the other gives JSON errors. The only difference I can see is whether it contains a PMKID or not.
Thanks, that gives me plenty to go on! I'm currently packing to move house, so won't be checking this out until later this evening. I'll keep you updated.
At a guess, if no PMKIDs are written, perhaps the file does not get created. That'd explain why the Pineapple API is complaining about the file being invalid; however, I suppose in this case we should at least return an empty file.
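An added example, not code from g0blin's module or from hcxtools: it reads the summary hcxpcaptool prints (the output Just_a_User pasted above) to pick out the "N PMKID(s) written to FILE" line, and creates an empty hash file when zero were written, which is the empty-file fallback g0blin suggests. The sample summary is constructed from the zero-PMKID run quoted in the thread; the function names are my own.

```sh
#!/bin/sh
# Added example: parse hcxpcaptool's summary and make sure the .16800 output
# exists even when no PMKID was written, so a later load/convert step sees
# an empty file instead of a missing one (the JSON error discussed above).

# Constructed sample summary, modelled on the zero-PMKID run in the thread.
SAMPLE_CONLOG='start reading from capture_1536756737
summary:
--------
file name....................: capture_1536756737
packets inside...............: 45
EAPOL packets................: 5
EAPOL PMKIDs.................: 1
0 PMKID(s) written to test.16800'

# pmkid_written <conlog>: prints the count hcxpcaptool reports as written;
# prints 0 when the line is absent (for example when the tool aborted early).
pmkid_written() {
    n=$(sed -n 's/^\([0-9][0-9]*\) PMKID(s) written to .*/\1/p' "$1" | tail -n 1)
    echo "${n:-0}"
}

# output_name <conlog>: prints the hash file name given on the "written to" line.
output_name() {
    sed -n 's/^[0-9][0-9]* PMKID(s) written to \(.*\)$/\1/p' "$1" | tail -n 1
}

# ensure_hash_file <conlog> <dir>: when zero PMKIDs were written and the tool
# left no output file in <dir>, create an empty one; prints the resulting path.
ensure_hash_file() {
    out="$2/$(output_name "$1")"
    if [ "$(pmkid_written "$1")" -eq 0 ] && [ ! -e "$out" ]; then
        : > "$out"
    fi
    echo "$out"
}

# Self-contained demo: write the constructed summary to a temp dir and fix it up.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CONLOG" > "$d/test.conlog"
    ensure_hash_file "$d/test.conlog" "$d"
}
```

Note that "EAPOL PMKIDs: 1" in the summary does not imply a usable hash file; only the final "written to" line says what hcxpcaptool actually produced.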
g0blin Posted September 15, 2018
Sorry, real life has gotten in the way, so I'm a bit behind with the updates. Will try and get some time to work on this tonight.
PixL Posted September 15, 2018
14 minutes ago, g0blin said:
    Sorry, real life has gotten in the way, so I'm a bit behind with the updates. Will try and get some time to work on this tonight.
Is it possible to have a "save settings" option to remember the command line options for next time? I like to use --disable_deauthentications --disable_disassociations as, correct me if I am wrong, disconnecting clients is not needed to capture PMKIDs and simply leads to being noticed by users.
g0blin Posted September 15, 2018
38 minutes ago, PixL said:
    Is it possible to have a "save settings" option to remember the command line options for next time? I like to use --disable_deauthentications --disable_disassociations as, correct me if I am wrong, disconnecting clients is not needed to capture PMKIDs and simply leads to being noticed by users.
Sure thing, I can see about adding that in the next version - nice suggestion!
PixL Posted September 15, 2018
I have also updated my simple button script so that it stores captured data to /pineapple/modules/PMKID/capture; you can then use g0blin's module to view the data.

    #!/bin/bash
    # PixL
    # Toggle script: the first press starts a passive hcxdumptool capture
    # (no deauth/disassoc), the second press stops it, converts the capture
    # and files the results where g0blin's module looks for them.
    file="/tmp/handshake"                     # marker: a capture is running
    work="/tmp/pmkid"                         # scratch dir for the running capture
    dest="/pineapple/modules/PMKID/capture"
    # three random digits used as the capture id
    capture="$(head -c 300 /dev/urandom | tr -dc '0-9' | head -c 3)"
    mkdir -p "$work" "$dest"
    cd "$work" || exit 1
    if [ -f "$file" ]
    then
        killall hcxdumptool
        led YELLOW off
        rm -f "$file"
        hcxpcaptool -z test.16800 test.pcapng > test.conlog
        mv test.pcapng "$dest/$capture"
        # the .16800 may be absent when hcxpcaptool wrote no PMKIDs (see above)
        [ -f test.16800 ] && mv test.16800 "$dest/$capture.16800"
        mv test.conlog "$dest/$capture.conlog"
        mv test.log "$dest/$capture.log"
    else
        touch "$file"
        led YELLOW on
        hcxdumptool -o test.pcapng -t 2 -i wlan1mon --enable_status=3 \
            --disable_deauthentications --disable_disassociations > test.log &
    fi
Arch Posted September 25, 2018
I've been having some trouble installing the ipk files on my NANO. Looks like they may be corrupt or otherwise.
    root@Pineapple:/sd# opkg --dest sd install hcxdump*.ipk
    Collected errors:
    * deb_extract: hcxdumptool_4.2.1-12_ar71xx.ipk: invalid magic
    * pkg_init_from_file: Failed to extract control file from hcxdumptool_4.2.1-12_ar71xx.ipk.
Is there a version I should try to download and install? Thanks
Zylla (thread author) Posted September 26, 2018
13 hours ago, Arch said:
    I've been having some trouble installing the ipk files on my NANO. Looks like they may be corrupt or otherwise.
        root@Pineapple:/sd# opkg --dest sd install hcxdump*.ipk
        Collected errors:
        * deb_extract: hcxdumptool_4.2.1-12_ar71xx.ipk: invalid magic
        * pkg_init_from_file: Failed to extract control file from hcxdumptool_4.2.1-12_ar71xx.ipk.
    Is there a version I should try to download and install? Thanks
The NANO always gives some "errors" when trying to install IPKs about missing control files etc., which usually can be safely ignored. First try seeing if you can locate the binary on the SD card, and then try to simply launch it. To locate it, do this:
    find /sd -name hcxdumptool
Archived
This topic is now archived and is closed to further replies.