
PMKID Attack on WiFi Pineapples


Zylla


8 hours ago, g0blin said:

I've finally gotten around to updating the PMKID module with a couple of new features. v0.3 includes the following additions.

  • Changes to config (specifically the command line args) are now persisted (cc: @PixL)
  • The ability to switch between include and exclude as the filter mode is provided (cc: @Just_a_User)

Great work!

1. If I select exclude and select nothing, do I get the functionality from v0.1? I liked the ability to leave it running and collect new PMKIDs as they appeared.

2. Has the command changed in hcxdumptool?  Is it --enable_status 3  or --enable_status=3 ?

36 minutes ago, PixL said:

Great work!

1. If I select exclude and select nothing, do I get the functionality from v0.1? I liked the ability to leave it running and collect new PMKIDs as they appeared.

2. Has the command changed in hcxdumptool?  Is it --enable_status 3  or --enable_status=3 ?

Thank you!

1. You'll need to gather your APs to target before you start capturing. In 0.1 I monitored for APs indirectly via the output from the tooling, however in more recent versions of the tools that proved to be extremely ineffective. If you have your target APs discovered and switch to exclude (without selecting any APs), it should then include all APs listed.

2. These are essentially the same. You can either provide the equals symbol or not; it should not make any difference. If this is not the case let me know, and I can update the default settings.

edit: I may look into monitoring the tooling output for new APs which were not previously included in the list. I did quite like that feature over discovering APs for targeting.


1 hour ago, skylark said:

So hcxcaptool still isn't working after upgrade to v16. Now I am getting:

-ash: hcxcaptool: not found

 

You seem to have entered the wrong command. 

It's hcxpcaptool, not hcxcaptool. 


33 minutes ago, skylark said:

Sorry same error using the correct command!

-ash: hcxpcaptool : not found

I also tried to re-install it. No luck.

 

Strange. After installing, try this:

find / -name hcxpcaptool

Typing from my cellphone, so sorry for not formatting the post correctly.


root@Pineapple:/sd/hcx# opkg install hcxtools_4.2.1-16_ar71xx.ipk
Installing hcxtools (4.2.1-16) to root...
Configuring hcxtools.
root@Pineapple:/sd/hcx# find / -name hcxpcaptool
find: unrecognized: ��

---

root@Pineapple:/sd/hcx# find / -name hcxdumptool
/overlay/upper/sbin/hcxdumptool
/sbin/hcxdumptool


2 hours ago, skylark said:

root@Pineapple:/sd/hcx# opkg install hcxtools_4.2.1-16_ar71xx.ipk
Installing hcxtools (4.2.1-16) to root...
Configuring hcxtools.
root@Pineapple:/sd/hcx# find / -name hcxpcaptool
find: unrecognized: ��

---

root@Pineapple:/sd/hcx# find / -name hcxdumptool
/overlay/upper/sbin/hcxdumptool
/sbin/hcxdumptool

If you read the output carefully from your first find attempt: "find: unrecognized: ��" it means that there's a symbol in your input that it doesn't recognize. (They don't appear on the screen, so everything looks OK, but it is not.)
Try typing it again.

As for me, I just tested the package on my Nano, and it's working perfectly fine. It gets installed to /sbin, or /sd/sbin (if you install to the SD card).
Screenshot of my attempt below


Just upgraded my Kali machine yesterday, been fooling around. Take a look at wifite:

root@citzonparole:/# wifite
   .               .    
 .´  ·  .     .  ·  `.  wifite 2.2.5
 :  :  :  (¯)  :  :  :  automated wireless auditor
 `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
   `     /¯¯¯\     ´    

 [!] Warning: Recommended app hcxdumptool was not found. install @ https://github.com/ZerBea/hcxdumptool
 [!] Warning: Recommended app hcxpcaptool was not found. install @ https://github.com/ZerBea/hcxtools
 [!] Conflicting processes: NetworkManager (PID 459), wpa_supplicant (PID 546), dhclient (PID 1971)
 [!] If you have problems: kill -9 PID or re-run wifite with --kill)


KOOL|

 

Also been getting make errors for some reason. Any special way to do this?

I've cd'd to /root/hcxtools-hcxdumptool-openwrt-master/net/hcxdumptool, into the unzipped file in my home directory.

Now I execute the make command:

root@citzonparole:~/hcxtools-hcxdumptool-openwrt-master/net/hcxdumptool# make
Makefile:25: /package.mk: No such file or directory
make: *** No rule to make target '/package.mk'.  Stop.

 

Please, anyone know?

 


@Bigbiz

If you're trying to install both hcxtools and hcxdumptool I suggest you read the first post in this thread. 

You can install the latest version of both tools automatically by issuing the command I have presented in said post. 

But please remember, you need to SSH into the Pineapple before running the command. 

PS. The reason your make command failed is because there is no Makefile, and no need for it.

PPS. If you're trying to install/compile the tools for usage on your Kali machine, take a look at ZerBea's GitHub repo, as my repo is solely for the Pineapples.


Okay, I got some weird stuff. I updated the Pineapple (did not use it for a few months) and got everything up and running. I had some issues with internet so I refreshed the firmware; now that is all nice and working. But installing/upgrading via opkg is not doing what it should...

So I first tried to install your app. Got the following:

root@Pineapple:/tmp# wget -qO- https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/master/INSTALL.sh | bash -s -- -v -v
--2018-10-15 09:26:23--  https://github.com/adde88/hcxtools-hcxdumptool-openwrt/tree/master/bin/ar71xx/packages/base
Resolving github.com... 192.30.253.112, 192.30.253.113
Connecting to github.com|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: '/tmp/HcxTools/base'

base                                             [   <=>                                                                                        ]  39.58K  31.3KB/s    in 1.3s    

2018-10-15 09:26:25 (31.3 KB/s) - '/tmp/HcxTools/base' saved [40532]

Installing: hcxdumptool  and hcxtools.
Go grab a cup of coffee, this will take a while...

Downloading https://www.wifipineapple.com/nano/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_pineapple.
Downloading https://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/base/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_base.
Downloading https://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_packages.
Downloading https://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/management/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_management.
Downloading https://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/routing/Packages.gz.
Updated list of available packages in /var/opkg-lists/chaos_calmer_routing.
--2018-10-15 09:26:36--  https://github.com/adde88/hcxtools-hcxdumptool-openwrt/raw/master/bin/ar71xx/packages/base/hcxtools_4.2.1-16_ar71xx.ipk
Resolving github.com... 192.30.253.113, 192.30.253.112
Connecting to github.com|192.30.253.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/master/bin/ar71xx/packages/base/hcxtools_4.2.1-16_ar71xx.ipk [following]
--2018-10-15 09:26:37--  https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/master/bin/ar71xx/packages/base/hcxtools_4.2.1-16_ar71xx.ipk
Resolving raw.githubusercontent.com... 151.101.192.133, 151.101.128.133, 151.101.64.133, ...
Connecting to raw.githubusercontent.com|151.101.192.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104209 (102K) [application/octet-stream]
Saving to: 'hcxtools_4.2.1-16_ar71xx.ipk'

hcxtools_4.2.1-16_ar71xx.ipk                 100%[=============================================================================================>] 101.77K  93.4KB/s    in 1.1s    

2018-10-15 09:26:38 (93.4 KB/s) - 'hcxtools_4.2.1-16_ar71xx.ipk' saved [104209/104209]

--2018-10-15 09:26:38--  https://github.com/adde88/hcxtools-hcxdumptool-openwrt/raw/master/bin/ar71xx/packages/base/hcxdumptool_4.2.1-17_ar71xx.ipk
Resolving github.com... 192.30.253.112, 192.30.253.113
Connecting to github.com|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/master/bin/ar71xx/packages/base/hcxdumptool_4.2.1-17_ar71xx.ipk [following]
--2018-10-15 09:26:39--  https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/master/bin/ar71xx/packages/base/hcxdumptool_4.2.1-17_ar71xx.ipk
Resolving raw.githubusercontent.com... 151.101.0.133, 151.101.192.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27641 (27K) [application/octet-stream]
Saving to: 'hcxdumptool_4.2.1-17_ar71xx.ipk'

hcxdumptool_4.2.1-17_ar71xx.ipk              100%[=============================================================================================>]  26.99K  94.1KB/s    in 0.3s    

2018-10-15 09:26:39 (94.1 KB/s) - 'hcxdumptool_4.2.1-17_ar71xx.ipk' saved [27641/27641]

Installing hcxtools (4.2.1-16) to sd...
Installing hcxdumptool (4.2.1-17) to sd...
Configuring hcxdumptool.
grep: /usr/lib/opkg/info/hcxdumptool.control: No such file or directory
cat: can't open '/usr/lib/opkg/info/hcxdumptool.list': No such file or directory
Configuring hcxtools.
grep: /usr/lib/opkg/info/hcxtools.control: No such file or directory
cat: can't open '/usr/lib/opkg/info/hcxtools.list': No such file or directory
Installation completed!
root@Pineapple:/tmp# hcxtools
-ash: hcxtools: not found

When I run the find command I get:

root@Pineapple:/# find -name hcxdumptool
./sbin/hcxdumptool

Now when I follow the symlink I get the following path:

/sd/sbin/hcxdumptool

What is going on here?


Fixed it with a path update:

 /sd/usr/sbin > /etc/profile
 /sd/usr/bin > /etc/profile

 


  • 5 weeks later...
1 hour ago, DoJo_Mast3r said:

So far so good, but it's taking forever, I used the example command to create the file. Still logging after a few hours, that normal?

When hcxdumptool successfully gets a PMKID it will display a message in the terminal. 

If the Pineapple is within reach of any APs or clients, it normally takes just a few seconds to get a PMKID.

My record was 11 successful PMKIDs in under a minute. (I did have authorization from the owners.)

Read the help message, read the github page for hcxdumptool, and try playing with different "enable_status" variables. 


Hmmm, I think I've done everything correctly, however I can't crack any hashes. I've tried:

hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

As well as using some massive wordlist files, however after hours of cracking I get nowhere. It could be that the WiFi connections being targeted have some crazy passwords, but I highly doubt that.

(Side note: are you planning to update the wifiphisher addon for the pineapple? I'm still stuck on that XD)


Think I found the reason why my hashes are uncrackable haha

file name....................: v4.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: yes
packets inside...............: 55
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 50
beacons (with ESSID inside)..: 7
probe requests...............: 3
probe responses..............: 5
association requests.........: 1
association responses........: 2
authentications (OPEN SYSTEM): 21
authentications (BROADCOM)...: 4
EAPOL packets................: 16
EAPOL PMKIDs.................: 3
best handshakes..............: 1 (ap-less: 0)

I'm guessing read errors yes is a bad thing... Something might have gone wrong during the conversion process and that's why my hashes are uncrackable

(note: I literally made my wifi password 123456789) 
 


Alright, so I installed Ubuntu desktop with hcxpcaptool and performed the file conversion; this time I get "flawless". I then compared the hashes from my Pineapple and it seems they are exactly the same. So the "read errors: yes" seems to be a text glitch or something. However, trying to use hashcat once again, I still can't crack it with the password of 123456789. Something must be going on when creating the dump file. Have a look at this new dump if you want. I also installed a new router and triple-checked that the password was indeed 123456789.

I'm guessing at this point it's specifically a Pineapple problem and not a hashcat issue. I restored the Pineapple and formatted the SD; I even tried older builds with no luck at all.

This here is the hash

ac20d69c3f1cf3c11309fc9f306cd9e7*e84e063b1484*fcc233ee3edd*736869742077696669
It SHOULD be 123465789

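As an added example (not part of the original posts, and not code from hcxtools or hashcat): a mode-16800 hash line has four hex fields, PMKID*MAC_AP*MAC_STA*ESSID, so a capture from your own AP can be sanity-checked against the passphrase you configured by recomputing the PMKID. The function names and the lab values in the demo are constructed for illustration.

```python
import hashlib
import hmac


def parse_16800(line):
    """Split a hashcat mode-16800 line: PMKID*MAC_AP*MAC_STA*ESSID (all hex)."""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError("expected 4 '*'-separated hex fields")
    pmkid, mac_ap, mac_sta, essid = (bytes.fromhex(f) for f in fields)
    if len(pmkid) != 16 or len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("PMKID must be 16 bytes and each MAC 6 bytes")
    if not 1 <= len(essid) <= 32:
        raise ValueError("ESSID must be 1..32 bytes")
    return pmkid, mac_ap, mac_sta, essid


def compute_pmkid(passphrase, essid, mac_ap, mac_sta):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes);
    PMKID = first 16 bytes of HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)
    mac = hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1)
    return mac.digest()[:16]


def build_16800(passphrase, essid, mac_ap, mac_sta):
    """Build the line a correct capture of this AP/client pair would produce."""
    pmkid = compute_pmkid(passphrase, essid, mac_ap, mac_sta)
    return "*".join(x.hex() for x in (pmkid, mac_ap, mac_sta, essid))


def passphrase_matches(line, passphrase):
    """True if the captured PMKID is the one this passphrase would produce."""
    pmkid, mac_ap, mac_sta, essid = parse_16800(line)
    if not 8 <= len(passphrase) <= 63:  # WPA2-PSK passphrase length limits
        return False
    expected = compute_pmkid(passphrase, essid, mac_ap, mac_sta)
    return hmac.compare_digest(pmkid, expected)


# Hash line quoted in the post above.
THREAD_LINE = ("ac20d69c3f1cf3c11309fc9f306cd9e7*e84e063b1484*"
               "fcc233ee3edd*736869742077696669")

if __name__ == "__main__":
    # Constructed lab values (not from the thread) showing a consistent capture.
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    lab = build_16800("123456789", b"lab-ap", ap, sta)
    print("lab line matches configured passphrase:",
          passphrase_matches(lab, "123456789"))
    # If this prints False, the PMKID, a MAC or the ESSID in the line does not
    # belong to the network the passphrase was set on.
    print("thread line matches 123456789:",
          passphrase_matches(THREAD_LINE, "123456789"))
```

A mismatch with the known passphrase points at the capture or conversion (wrong AP/client pairing, a damaged field, or a different ESSID than expected) rather than at the cracking step.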

Just to double check for you I have run your hashfile through hashcat and 123456789 (or 123465789) did not work. Just for the hell of it I also tried brute-forcing all 9-digit numbers. That too was unsuccessful. Unfortunately I cannot test the Pineapple PMKID module as it seems that I do not have an AP that uses it.

BTW, very descriptive ESSID!!


40 minutes ago, aethernaut said:

Just to double check for you I have run your hashfile through hashcat and 123456789 (or 123465789) did not work. Just for the hell of it I also tried brute-forcing all 9-digit numbers. That too was unsuccessful. Unfortunately I cannot test the Pineapple PMKID module as it seems that I do not have an AP that uses it.

BTW, very descriptive ESSID!!

Yep, that's my issue. I set everything up to be 123456789 but for some reason it's uncrackable.


16 hours ago, DoJo_Mast3r said:

Alright, so I installed Ubuntu desktop with hcxpcaptool and performed the file conversion; this time I get "flawless". I then compared the hashes from my Pineapple and it seems they are exactly the same. So the "read errors: yes" seems to be a text glitch or something. However, trying to use hashcat once again, I still can't crack it with the password of 123456789. Something must be going on when creating the dump file. Have a look at this new dump if you want. I also installed a new router and triple-checked that the password was indeed 123456789.

I'm guessing at this point it's specifically a Pineapple problem and not a hashcat issue. I restored the Pineapple and formatted the SD; I even tried older builds with no luck at all.

This here is the hash

ac20d69c3f1cf3c11309fc9f306cd9e7*e84e063b1484*fcc233ee3edd*736869742077696669
It SHOULD be 123465789

Have you tried using hcxdumptool on the desktop to get the same PMKID, just to see if you can produce the same result there? 

Also, could you share your pcap file? Just email it to me if you don't want it to be public: (adde88@gmail.com)


  • 1 month later...
On 8/21/2018 at 4:56 PM, Zylla said:

I'm no expert with the command line. I'm getting much better, just having one Windows laptop I don't turn on unless I can't figure out how to do something on Linux. I've got as far as getting the attack to show up under modules, but it shows no dependencies. I have both a Tetra and a Nano. I've tried SSHing in with that command in the first post. Damn, I should have woken up and drunk a Monster before asking a question; I forget where I left off last night. OK, for now, what should I have in the directories I see in SSH so when I go to the landing page it will install dependencies? I'd like to get it on the Nano first. So let's say I have nothing but an Android and a Nano. Do I clone or download the zip from GitHub? It doesn't seem you can use git clone on the Pineapples. If I go through a computer, I'm most familiar with my GPD Pocket running Parrot OS, but I have a full-size one with Ubuntu. I hate asking questions; I confuse myself reading them and spell like crap. I'm sorry, I'll figure out an actual question, not type my thoughts. I should just not post this, but maybe I'll get someone to laugh.

 


3 hours ago, nikmel420 said:

 

I haven't tested the module in a while. I'll see if I can test it today. 🙂

 

Git can be used on the Pineapples, you just need to install it first. 

Which can be done using opkg. (Update it first, then install) 


Archived

This topic is now archived and is closed to further replies.
