Closed LLH-l closed 1 year ago
When using hcxpcapngtool --all --ignore-ie -o, it generates an unbreakable hash 'FT PSK'
Yes. That is mentioned in the -h menu:
--ignore-ie : do not use CIPHER and AKM information
this will convert all frames regadless of
CIPHER and/or AKM information,
and can lead to uncrackable hashes
Usually this option is only useful if you have a "deadly" cleaned dump file (1 BEACON, EAPOL M1, EAPOL M2 and ASSOCIATIONREQUEST or REASSOCIATIONREQUEST is missing). There is absolutely no need to use this option on pcapng dump files recorded by hcxdumptool/hcxlabtool.
Using the same command "hcxpcapngtool --all --ignore-ie -o", fortunately this 'FT PSK' packet was skipped, not generated. FtPsk.zip
Please take a look at the status output:
EAPOL M2 messages (oversized)............: 1
EAPOL M3 messages (oversized)............: 1
Because hashcat can't handle oversized EAPOL messages, they will not be converted.
Wireshark confirms that the packets are oversized and truncated. packet 1114 EAPOL M2
WPA Key Data [truncated]: 30260100000fac020100000fac040100000fac0400000100d196452e3be7e8c85c75604eca5e839d3603525403377400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Tag: RSN Information
Tag: Mobility Domain
Tag: Fast BSS Transition
packet 1116 EAPOL M3
WPA Key Data [truncated]: 12542eca77f1c8787b159b848568f87834e2517af03e34bbdaa7f72696bab7ff978011fcc5eee63f3f1bac77d1dc9ebf5cc23db401fbc15b768546179e094b20169bb7dcef21ffe11a1b298e3da2916c5f22d6695994c01ed8199d09136d832890830e2302397ef15f319
I think it should reject unbreakable hashes regardless of any parameters used, and refuse to convert it.
They have been rejected:
EAPOL M2 messages (oversized)............: 1
EAPOL M3 messages (oversized)............: 1
...
Information: no hashes written to hash files
I think it should reject unbreakable hashes regardless of any parameters used, and refuse to convert it.
With default options, these hashes will not be converted. Using additional options is a decision of the user. After reading the -h menu he should be warned that this can lead to invalid hashes. Every additional option added to the command line may lead to invalid hashes! But it also could make it possible to recover the PSK from crappy dump files (cap/pcap).
Neither hcxdumptool/hcxlabtool nor hcxtools knows whether a hash is crackable or not. None of these tools is able to recover a PSK because there are absolutely no functions inside these tools to recover a PSK. Only the big GPU tools (hashcat/JtR) can do this.
BTW: Status of hcxpcapngtool shows the AKM:
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (FT using PSK)........: 1
Adding "--ignore-ie" to the command line doesn't make sense as well as "--all, --eapoltimeout, --nonce-error-corrections".
Hi, ZerBea... does your collection have these types of data packets? Can you share it? Thanks
I'm not sure what you mean by "you can share it ? "
hcxpcapngtool detects all common Authentication Key Management (AKM) suites and all common Cipher suites. This information is shown in the status and it can be printed to a csv file (if needed). But it handles only the AKMs and Cipher suites which hashcat and JtR can work on. E.g. SAE256 (WPA3) is ignored as long as hashcat and JtR have no hash mode for it.
An example:
$ hcxpcapngtool aircrack-ng/test/wpa3-psk.pcap --csv=tab.csv
hcxpcapngtool 6.3.4-45-gfb039b5 reading from wpa3-psk.pcap...
summary capture file
--------------------
file name................................: wpa3-psk.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (timestamp)............: 16.04.2019 23:55:58 (1555458958)
timestamp maximum (timestamp)............: 16.04.2019 23:56:02 (1555458962)
duration of the dump tool (seconds)......: 3
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 24
packets received on 2.4 GHz..............: 24
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
PROBEREQUEST (undirected)................: 1
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 4
AUTHENTICATION (SAE).....................: 4
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (SAE SHA256)..........: 1
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M1 messages (KDV:0 AKM defined)....: 1 (PMK not recoverable)
EAPOL M2 messages (total)................: 1
EAPOL M2 messages (KDV:0 AKM defined)....: 1 (PMK not recoverable)
EAPOL M3 messages (total)................: 1
EAPOL M3 messages (KDV:0 AKM defined)....: 1 (PMK not recoverable)
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (KDV:0 AKM defined)....: 1 (PMK not recoverable)
RSN PMKID (total)........................: 1
RSN PMKID (KDV:0 AKM defined)............: 1 (PMK not recoverable)
frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2412: 24
Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead. The PCAP Next Generation dump file format is an attempt to overcome the limitations of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng
Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
Duration of the dump tool was a way too short to capture enough additional information.
Information: no hashes written to hash files
session summary
---------------
processed cap files...................: 1
$ cat tab.csv
2019-04-16 23:55:58 02:00:00:00:00:00 WPA3-Network [WPA2] [CCMP] [SAE_SHA256] 00 1 0 0.000000 E 0.000000 S 0.000000 0.000000 0 0 0.000000 0.000000 M
2019-04-16 23:55:58 02:00:00:00:00:00 WPA3-Network [WPA2] [CCMP] [SAE_SHA256] 00 1 0 0.000000 E 0.000000 S 0.000000 0.000000 0 0 0.000000 0.000000 M
Example is from here: https://github.com/aircrack-ng/aircrack-ng/tree/master/test
Thanks, what I need are these types of cap files
No, these are encryption types used by the ACCESS POINT. They are located e.g. in the RSN-IE of an ASSOCIATIONREQUEST:
Tag: RSN Information
Tag Number: RSN Information (48)
Tag length: 26
RSN Version: 1
Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
Group Cipher Suite OUI: 00:0f:ac (Ieee 802.11)
Group Cipher Suite type: AES (CCM) (4)
Pairwise Cipher Suite Count: 1
Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
Pairwise Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) SAE (SHA256)
Auth Key Management (AKM) Suite: 00:0f:ac (Ieee 802.11) SAE (SHA256)
RSN Capabilities: 0x00c0
.... .... .... ...0 = RSN Pre-Auth capabilities: Transmitter does not support pre-authentication
.... .... .... ..0. = RSN No Pairwise capabilities: Transmitter can support WEP default key 0 simultaneously with Pairwise key
.... .... .... 00.. = RSN PTKSA Replay Counter capabilities: 1 replay counter per PTKSA/GTKSA/STAKeySA (0x0)
.... .... ..00 .... = RSN GTKSA Replay Counter capabilities: 1 replay counter per PTKSA/GTKSA/STAKeySA (0x0)
.... .... .1.. .... = Management Frame Protection Required: True
.... .... 1... .... = Management Frame Protection Capable: True
.... ...0 .... .... = Joint Multi-band RSNA: False
.... ..0. .... .... = PeerKey Enabled: False
..0. .... .... .... = Extended Key ID for Individually Addressed Frames: Not supported
.0.. .... .... .... = OCVC: False
PMKID Count: 0
PMKID List
Group Management Cipher Suite: 00:0f:ac (Ieee 802.11) BIP (128)
Group Management Cipher Suite OUI: 00:0f:ac (Ieee 802.11)
Group Management Cipher Suite type: BIP (128) (6)
This should be a rare type of data packet. Are you sure hashcat supports it? I tried to restore it using a 150 GB dict, but failed.
I am very skeptical whether there are any packets of this type that match the PSK. This should be the best proof, or is there any link to a technical description? Thanks
hcxpcapngtool convert it and hashcat is able to recover the PSK: https://github.com/hashcat/hashcat/issues/1300
Thanks
I'm a little curious. Its conversion format is hc22000; PSKSHA256 and PSK use different algorithms. How does hashcat recognize it and switch to the PSKSHA256 algorithm to work? Thanks
As of today hashcat is able to recover the PSK of WPA1, WPA2 and WPA2 key version 3 (PSKSHA256) networks. hcxdumptool/hcxpcapngtool/hashcat/JtR take this information from an EAPOL MESSAGE (Key Information field):
WPA1 (key version 1):
.... .... .... .001 = Key Descriptor Version: RC4 Cipher, HMAC-MD5 MIC (1)
WPA2 (key version 2):
.... .... .... .010 = Key Descriptor Version: AES Cipher, HMAC-SHA1 MIC (2)
WPA2 (key version 3):
.... .... .... .011 = Key Descriptor Version: AES Cipher, AES-128-CMAC MIC (3)
Sorry, I mean how to distinguish whether an hc22000 hash is of the CMAC/PSKSHA256 or HMAC/PSK type. Additionally, it seems AES-128-CMAC type PMKID cracking is not supported?
E.g. can one distinguish which type it belongs to from the following hashes? CMAC/PSKSHA256 or HMAC/PSK type?
EAPOL:0203007502010b001000000000000000036467233e730767c33e1df875c3ad0eb58a51ad704a3fae06b818c0c5fcebf3af000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac068c00
EAPOL:020300b70213cb001000000000000000040218c7b64ecef40c4f15915fbceb19c8d62608387eb6b986d9599a8bd70dc85d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000582e09cd25683d452ad1bc92dffe0be5b022873e359dbb413b9d888c90266fe67a0fed2684a98e3bdddf70bbbc1d21af00a0b8cade7814d09c105058a288c2df8ff57582a84d0e8b960b66612e71ad64afffa200e5f72ea120
EAPOL:0203007502010a00100000000000000001f958cb60172650bec86d21ce7d943734d917dcd4e2098f6ee91f0e39427496ea000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020c00
EAPOL:020300af0213ca001000000000000000029042a988b62c3d4d6eaf53437ebd3726a88f1a100ae0b9d654bac089396b49a9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005090db2493ef20933ec64f8e9f564f029bdf00ed5e7519444c8ff935693a5da8f8c8e74e2ddc33030c7777541e897b14aa22cad2fcb6ac44f31cf6cb57ae2d3e3d4d596bd1593f4a2ed63eed37ef807a45
Please keep in mind, we are talking about verifying the MIC of an EAPOL MESSAGE.
Please use hcxhashtool to identify the key version:
$ hcxhashtool -i test.22000 --info=stdout
The first 2: VERSION....: 802.1X-2004 (2) KEY VERSION: WPA2 key version 3
The last 2: VERSION....: 802.1X-2004 (2) KEY VERSION: WPA2
The first 18 bytes of the EAPOL MESSAGE field of a hc22000 line:
*0203007502010b0010...
02 = Version: 802.1X-2004 (2)
03 = Type: Key (3)
0075 = Length: 117
02 = Key Descriptor Type: EAPOL RSN Key (2)
010b = Key Information: 0x010b
.... .... .... .011 = Key Descriptor Version: AES Cipher, AES-128-CMAC MIC (3)
.... .... .... 1... = Key Type: Pairwise Key
.... .... ..00 .... = Key Index: 0
.... .... .0.. .... = Install: Not set
.... .... 0... .... = Key ACK: Not set
.... ...1 .... .... = Key MIC: Set
.... ..0. .... .... = Secure: Not set
.... .0.. .... .... = Error: Not set
.... 0... .... .... = Request: Not set
...0 .... .... .... = Encrypted Key Data: Not set
..0. .... .... .... = SMK Message: Not set
0010 = Key Length: 16
About PMKIDs: hashcat is able to verify this PMKID type (used on standard wpa2 and wpa2 key version 3): PMKID = Truncate-128(HMAC-SHA-1(PMK, "PMK Name" || AA || SPA))
Not implemented in hashcat is:
rsn_pmkid_suite_b (EAP)
PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA))
and
rsn_pmkid_suite_b_192 (FILS)
PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA))
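The two questions answered above (how to tell the key version of a hc22000 line from its EAPOL field, and how the PMKID is formed from the PMK) can be checked directly. The following is an added example, not code from hcxtools or hashcat: it decodes the Key Information field exactly as the byte breakdown above does, splits a hc22000 line into its fields (the `WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR` layout is assumed from the public hashcat 22000 description), and verifies a PMKID against a known PMK with the HMAC-SHA-1 formula quoted above. The four EAPOL headers are the leading bytes of the hash lines posted in this thread; the PMK, MAC addresses and ESSID of the PMKID line are constructed sample values, not from any real network.

```python
import hashlib
import hmac

# Key Descriptor Version = low 3 bits of the EAPOL Key Information field.
KEY_DESCRIPTOR_VERSIONS = {
    1: "WPA1 key version 1: RC4 cipher, HMAC-MD5 MIC",
    2: "WPA2 key version 2: AES cipher, HMAC-SHA1 MIC",
    3: "WPA2 key version 3: AES cipher, AES-128-CMAC MIC",
}

# Leading bytes of the four EAPOL fields posted in this thread (the parser
# needs only the first 9 bytes of each frame).
THREAD_EAPOL_HEADERS = [
    "0203007502010b0010",
    "020300b70213cb0010",
    "0203007502010a0010",
    "020300af0213ca0010",
]

# Constructed sample values for the PMKID line (not from a real network).
SAMPLE_PMK = bytes(range(32))
SAMPLE_MAC_AP = bytes.fromhex("001122334455")
SAMPLE_MAC_CLIENT = bytes.fromhex("66778899aabb")
SAMPLE_ESSID = b"ExampleNet"


def parse_eapol_key_header(eapol_hex):
    """Decode the leading 9 bytes of an EAPOL-Key frame given as hex:
    version(1) type(1) body length(2) descriptor type(1) key info(2) key length(2)."""
    raw = bytes.fromhex(eapol_hex)
    if len(raw) < 9:
        raise ValueError("EAPOL frame too short for a Key Information field")
    key_info = int.from_bytes(raw[5:7], "big")
    return {
        "eapol_version": raw[0],                 # 02 = 802.1X-2004
        "eapol_type": raw[1],                    # 03 = Key
        "body_length": int.from_bytes(raw[2:4], "big"),
        "descriptor_type": raw[4],               # 02 = EAPOL RSN Key
        "key_info": key_info,
        "key_descriptor_version": key_info & 0x0007,
        "key_type_pairwise": bool(key_info & 0x0008),
        "install": bool(key_info & 0x0040),
        "key_ack": bool(key_info & 0x0080),
        "key_mic": bool(key_info & 0x0100),
        "secure": bool(key_info & 0x0200),
        "encrypted_key_data": bool(key_info & 0x1000),
        "key_length": int.from_bytes(raw[7:9], "big"),
    }


def key_versions_of(eapol_hex_list):
    """Key Descriptor Version of each EAPOL frame (1, 2 or 3)."""
    return [parse_eapol_key_header(h)["key_descriptor_version"] for h in eapol_hex_list]


def parse_hc22000(line):
    """Split a hc22000 line; TYPE 01 = PMKID line, TYPE 02 = EAPOL (handshake) line."""
    parts = line.strip().split("*")
    if len(parts) != 9 or parts[0] != "WPA":
        raise ValueError("not a hc22000 line")
    rec = {
        "type": parts[1],
        "pmkid_or_mic": bytes.fromhex(parts[2]),
        "mac_ap": bytes.fromhex(parts[3]),
        "mac_client": bytes.fromhex(parts[4]),
        "essid": bytes.fromhex(parts[5]),
    }
    if rec["type"] == "02":
        version = parse_eapol_key_header(parts[7])["key_descriptor_version"]
        rec["key_descriptor_version"] = version
        rec["mic_algorithm"] = KEY_DESCRIPTOR_VERSIONS.get(version, "unknown")
    return rec


def pmk_from_passphrase(passphrase, essid):
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def pmkid_from_pmk(pmk, mac_ap, mac_client):
    """PMKID = Truncate-128(HMAC-SHA-1(PMK, "PMK Name" || AA || SPA))."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_client, hashlib.sha1).digest()[:16]


def pmkid_line_matches(line, pmk):
    """True if the PMKID in a hc22000 TYPE 01 line was derived from this PMK."""
    rec = parse_hc22000(line)
    if rec["type"] != "01":
        raise ValueError("not a PMKID line")
    expected = pmkid_from_pmk(pmk, rec["mac_ap"], rec["mac_client"])
    return hmac.compare_digest(rec["pmkid_or_mic"], expected)


def sample_pmkid_line():
    """Build a hc22000 PMKID line whose PMKID was derived from SAMPLE_PMK."""
    pmkid = pmkid_from_pmk(SAMPLE_PMK, SAMPLE_MAC_AP, SAMPLE_MAC_CLIENT)
    return "WPA*01*%s*%s*%s*%s***" % (
        pmkid.hex(), SAMPLE_MAC_AP.hex(), SAMPLE_MAC_CLIENT.hex(), SAMPLE_ESSID.hex())


if __name__ == "__main__":
    for hdr, ver in zip(THREAD_EAPOL_HEADERS, key_versions_of(THREAD_EAPOL_HEADERS)):
        print(hdr, "->", KEY_DESCRIPTOR_VERSIONS[ver])
    line = sample_pmkid_line()
    print(line, "matches SAMPLE_PMK:", pmkid_line_matches(line, SAMPLE_PMK))
```

Run on the four headers from the thread the script reports key version 3, 3, 2, 2, which is what hcxhashtool prints above. The Key Length field (0x0010 = 16) is the same for both versions, so only the low three bits of Key Information tell the CMAC and HMAC-SHA1 variants apart.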
Well, good, thanks.
Using the compiled hcxpmktool (hcxpmktool.zip), it seems calculating a CMAC/SHA256 hash line on WINDOWS 22H2 has failed. Why?
But calculation of an HMAC/SHA1 hash line is normal.
Thanks for reporting that issue. It should be fixed now. Please try latest git head.
OK, some prompts are returned during cygwin compilation, but they seem not to affect use of the tool.
$ make
fatal: not a git repository (or any of the parent directories): .git
mkdir -p .deps
cc -O3 -Wall -Wextra -Wpedantic -std=gnu99 -MMD -MF .deps/hcxpcapngtool.d -o hcxpcapngtool hcxpcapngtool.c -lssl -lcrypto -lz -DVERSION_TAG=\"6.3.4\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
In file included from hcxpcapngtool.c:2:
include/strings.c: In function 'ishexvalue':
include/strings.c:47:25: warning: array subscript has type 'char' [-Wchar-subscripts]
47 | if(!isxdigit(str[i])) return false;
| ~~~^~~
cc -O3 -Wall -Wextra -Wpedantic -std=gnu99 -MMD -MF .deps/hcxhashtool.d -o hcxhashtool hcxhashtool.c -lssl -lcrypto -lcurl -DVERSION_TAG=\"6.3.4\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
In file included from hcxhashtool.c:2:
include/strings.c: In function 'ishexvalue':
include/strings.c:47:25: warning: array subscript has type 'char' [-Wchar-subscripts]
47 | if(!isxdigit(str[i])) return false;
| ~~~^~~
cc -O3 -Wall -Wextra -Wpedantic -std=gnu99 -MMD -MF .deps/hcxpsktool.d -o hcxpsktool hcxpsktool.c -lssl -lcrypto -DVERSION_TAG=\"6.3.4\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
In file included from hcxpsktool.c:2:
include/strings.c: In function 'ishexvalue':
include/strings.c:47:25: warning: array subscript has type 'char' [-Wchar-subscripts]
47 | if(!isxdigit(str[i])) return false;
| ~~~^~~
cc -O3 -Wall -Wextra -Wpedantic -std=gnu99 -MMD -MF .deps/hcxpmktool.d -o hcxpmktool hcxpmktool.c -lssl -lcrypto -DVERSION_TAG=\"6.3.4\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
In file included from include/strings.c:2,
from hcxpmktool.c:26:
include/strings.c: In function 'ishexvalue':
include/strings.c:47:25: warning: array subscript has type 'char' [-Wchar-subscripts]
47 | if(!isxdigit(str[i])) return false;
| ~~~^~~
cc -O3 -Wall -Wextra -Wpedantic -std=gnu99 -MMD -MF .deps/hcxeiutool.d -o hcxeiutool hcxeiutool.c -DVERSION_TAG=\"6.3.4\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
In file included from hcxeiutool.c:2:
include/strings.c: In function 'ishexvalue':
include/strings.c:47:25: warning: array subscript has type 'char' [-Wchar-subscripts]
47 | if(!isxdigit(str[i])) return false;
| ~~~^~~
cc -O3 -Wall -Wextra -Wpedantic -std=gnu99 -MMD -MF .deps/hcxwltool.d -o hcxwltool hcxwltool.c -DVERSION_TAG=\"6.3.4\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
In file included from hcxwltool.c:2:
include/strings.c: In function 'ishexvalue':
include/strings.c:47:25: warning: array subscript has type 'char' [-Wchar-subscripts]
47 | if(!isxdigit(str[i])) return false;
| ~~~^~~
cc -O3 -Wall -Wextra -Wpedantic -std=gnu99 -MMD -MF .deps/hcxhash2cap.d -o hcxhash2cap hcxhash2cap.c -DVERSION_TAG=\"6.3.4\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
In file included from hcxhash2cap.c:2:
include/strings.c: In function 'ishexvalue':
include/strings.c:47:25: warning: array subscript has type 'char' [-Wchar-subscripts]
47 | if(!isxdigit(str[i])) return false;
| ~~~^~~
cc -O3 -Wall -Wextra -Wpedantic -std=gnu99 -MMD -MF .deps/wlancap2wpasec.d -o wlancap2wpasec wlancap2wpasec.c -lssl -lcrypto -lcurl -DVERSION_TAG=\"6.3.4\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
cc -O3 -Wall -Wextra -Wpedantic -std=gnu99 -MMD -MF .deps/whoismac.d -o whoismac whoismac.c -lssl -lcrypto -lcurl -DVERSION_TAG=\"6.3.4\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
In file included from whoismac.c:2:
include/strings.c: In function 'ishexvalue':
include/strings.c:47:25: warning: array subscript has type 'char' [-Wchar-subscripts]
47 | if(!isxdigit(str[i])) return false;
| ~~~^~~
By this commit https://github.com/ZerBea/hcxtools/commit/18238fcfe1aae4ee379c9b40f652cdc869c59e76 the warning should no longer appear.
Why does hcxpcapngtool not convert this? 12.zip
Unsupported Authentication Key Management (AKM). Please take a look at the RSN-IE of the BEACON:
Frame 1: 292 bytes on wire (2336 bits), 292 bytes captured (2336 bits)
IEEE 802.11 Beacon frame, Flags: ........
IEEE 802.11 Wireless Management
Fixed parameters (12 bytes)
Tagged parameters (256 bytes)
Tag: SSID parameter set: "LianLian_CD_Employee"
Tag: Supported Rates 6(B), 9, 12(B), 18, 24(B), 36, 48, 54, [Mbit/sec]
Tag: Traffic Indication Map (TIM): DTIM 0 of 1 bitmap
Tag: Country Information: Country Code CN, Environment All
Tag: HT Capabilities (802.11n D1.10)
Tag: RSN Information
Tag Number: RSN Information (48)
Tag length: 24
RSN Version: 1
Group Cipher Suite: 00:0f:ac (Ieee 802.11) TKIP
Pairwise Cipher Suite Count: 2
Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM) 00:0f:ac (Ieee 802.11) TKIP
Pairwise Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
Pairwise Cipher Suite: 00:0f:ac (Ieee 802.11) TKIP
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) WPA
Auth Key Management (AKM) Suite: 00:0f:ac (Ieee 802.11) WPA
Auth Key Management (AKM) OUI: 00:0f:ac (Ieee 802.11)
Auth Key Management (AKM) type: WPA (1)
RSN Capabilities: 0x0000
Tag: HT Information (802.11n D1.10)
Tag: Extended Capabilities (10 octets)
Tag: VHT Capabilities
Tag: VHT Operation
Ext Tag: HE Capabilities
Ext Tag: HE Operation
Tag: Vendor Specific: Microsoft Corp.: WPA Information Element
Tag: Vendor Specific: Microsoft Corp.: WMM/WME: Parameter Element
AKM is PMKSA and not PSK. This is not supported by hashcat and JtR so there is no need to convert it:
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) WPA
These AKMs are supported by hashcat and JtR:
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK (SHA256)
There is a feature request to support this one:
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) FT using PSK
This is an example of an AKM supported by hashcat or JtR:
BTW: The dump file is deadly cleaned. Important frames like AUTHENTICATION and ASSOCIATION frames are completely missing. That is the reason why hcxpcapngtool can't give you additional information about the exact used encryption system.
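The decision above (802.1X AKM: no conversion; PSK and PSK SHA256: supported; FT using PSK: feature request) comes straight from the AKM suite selectors in the RSN-IE. The following is an added example, not hcxtools code: a parser for the RSN information element (element ID 48) that walks version, group cipher, pairwise list, AKM list, capabilities, PMKID list and group management cipher, and a classifier that reports what hashcat/JtR can do with a hash taken under each AKM, following the statements made in this thread. Suite type numbers are the IEEE 802.11 assignments for OUI 00:0f:ac; Wireshark labels AKM type 1 as "WPA", which is the 802.1X suite. The first two byte strings reproduce the field values of the BEACON shown above and of the SAE ASSOCIATIONREQUEST shown earlier in the thread; the third is a constructed IE for an AP offering PSK and FT using PSK in transition mode (the thread shows that packet's decode, not its bytes).

```python
OUI_IEEE = b"\x00\x0f\xac"

CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}

AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT over 802.1X", 4: "FT using PSK",
              5: "802.1X SHA256", 6: "PSK SHA256", 8: "SAE", 9: "FT over SAE",
              11: "Suite B", 12: "Suite B 192", 13: "FT over 802.1X SHA384", 18: "OWE"}

# RSN-IE of the BEACON decoded above: group TKIP, pairwise CCMP+TKIP, AKM 802.1X.
BEACON_RSN_IE_802_1X = bytes.fromhex(
    "3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac01" "0000")

# RSN-IE of the SAE ASSOCIATIONREQUEST decoded earlier: CCMP, AKM SAE, MFP
# required+capable (0x00c0), no PMKIDs, group management cipher BIP-CMAC-128.
ASSOC_RSN_IE_SAE = bytes.fromhex(
    "301a" "0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000" "0000" "000fac06")

# Constructed: AP offering PSK and FT using PSK (transition mode).
ASSOC_RSN_IE_FT_TRANSITION = bytes.fromhex(
    "3018" "0100" "000fac04" "0100" "000fac04" "0200" "000fac02" "000fac04" "0000")


def parse_rsn_ie(ie):
    """Parse an RSN information element (element ID 48) into a dict."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN information element (element ID 48)")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("RSN IE length field exceeds available bytes")
    off = 0

    def u16():
        nonlocal off
        if off + 2 > len(body):
            raise ValueError("truncated RSN IE")
        value = int.from_bytes(body[off:off + 2], "little")  # counts are little-endian
        off += 2
        return value

    def suite(table):
        nonlocal off
        if off + 4 > len(body):
            raise ValueError("truncated suite selector")
        oui, typ = body[off:off + 3], body[off + 3]
        off += 4
        if oui == OUI_IEEE:
            name = table.get(typ, "unknown type %d" % typ)
        else:
            name = "vendor %s type %d" % (oui.hex(":"), typ)
        return {"oui": oui.hex(":"), "type": typ, "name": name}

    rec = {"version": u16(), "group_cipher": suite(CIPHER_SUITES)}
    rec["pairwise_ciphers"] = [suite(CIPHER_SUITES) for _ in range(u16())]
    rec["akm_suites"] = [suite(AKM_SUITES) for _ in range(u16())]
    # Everything after the AKM list is optional; a BEACON often ends after the
    # capabilities, which is why the SAE example is longer than the beacon.
    rec["capabilities"] = u16() if off + 2 <= len(body) else None
    caps = rec["capabilities"] or 0
    rec["mfp_required"] = bool(caps & 0x0040)
    rec["mfp_capable"] = bool(caps & 0x0080)
    rec["pmkid_count"] = u16() if off + 2 <= len(body) else 0
    rec["pmkids"] = []
    for _ in range(rec["pmkid_count"]):
        if off + 16 > len(body):
            raise ValueError("truncated PMKID list")
        rec["pmkids"].append(body[off:off + 16].hex())
        off += 16
    rec["group_mgmt_cipher"] = suite(CIPHER_SUITES) if off + 4 <= len(body) else None
    return rec


def classify_akms(akm_suites):
    """What hashcat/JtR can do with a hash taken under each AKM, per this thread."""
    verdicts = {}
    for s in akm_suites:
        t = s["type"] if s["oui"] == OUI_IEEE.hex(":") else None
        if t in (2, 6):
            verdict = "supported: PMK = PBKDF2(ESSID, passphrase), PMKID/EAPOL hash verifiable"
        elif t == 4:
            verdict = "feature request open in hashcat/JtR (FT using PSK)"
        elif t in (1, 3, 5, 11, 12, 13):
            verdict = "not supported: PMK comes from 802.1X/EAP (e.g. EAP-TLS), not from a PSK"
        elif t in (8, 9, 18):
            verdict = "not supported: PMK comes from the SAE/OWE exchange, no hash mode yet"
        else:
            verdict = "not supported: unknown or vendor-specific AKM"
        verdicts[s["name"]] = verdict
    return verdicts


if __name__ == "__main__":
    for label, ie in (("beacon", BEACON_RSN_IE_802_1X), ("sae", ASSOC_RSN_IE_SAE),
                      ("ft-transition", ASSOC_RSN_IE_FT_TRANSITION)):
        rec = parse_rsn_ie(ie)
        print(label, [s["name"] for s in rec["akm_suites"]], classify_akms(rec["akm_suites"]))
```

The parser deliberately tolerates an IE that stops after the AKM list or after the capabilities, because that is what many BEACONs carry; a truncated list inside the IE, on the other hand, raises instead of guessing. For the transition-mode AP the result is two verdicts, which is exactly why the whole ASSOCIATIONREQUEST is needed: only the client's selected AKM says whether the handshake that follows is plain PSK or FT using PSK.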
I want to understand whether the AKM will affect its M1 PMKID algorithm.
Its M1 PMKID key version is: HMAC-SHA1 MIC (2). It should belong to WPA2 PMKID, supported by hashcat and JtR.
Key Information: 0x008a
.... .... .... .010 = Key Descriptor Version: AES Cipher, HMAC-SHA1 MIC (2)
.... .... .... 1... = Key Type: Pairwise Key
.... .... ..00 .... = Key Index: 0
.... .... .0.. .... = Install: Not set
.... .... 1... .... = Key ACK: Set
.... ...0 .... .... = Key MIC: Not set
.... ..0. .... .... = Secure: Not set
.... .0.. .... .... = Error: Not set
.... 0... .... .... = Request: Not set
...0 .... .... .... = Encrypted Key Data: Not set
..0. .... .... .... = SMK Message: Not set
Here's a problem that needs to be clarified: will the AKM affect cracking of its M1 PMKID "HMAC-SHA1" algorithm?
On WPA-PSK or WPA_PSK256 the PMK is calculated by PBKDF2 (from ESSID and PASSWORD). hashcat and JtR are able to recover the PMK and the PSK from a PMKID or from an EAPOL MESSAGE PAIR.
That is not the case on e.g. EAP related authentications as the one you attached. Get this example and take a look at it. It is a complete authentication and not deadly cleaned by a crappy tool: https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/wpa-eap-tls.pcap.gz
$ hcxpcapngtool wpa-eap-tls.pcap.gz
decompressing wpa-eap-tls.pcap.gz to /tmp/wpa-eap-tls.pcap.gz.tmp
hcxpcapngtool 6.3.4-65-g82461bd reading from wpa-eap-tls.pcap.gz.tmp...
summary capture file
--------------------
file name................................: wpa-eap-tls.pcap.gz
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (timestamp)............: 03.05.2015 14:19:18 (1430662758)
timestamp maximum (timestamp)............: 03.05.2015 14:23:34 (1430663014)
duration of the dump tool (minutes)......: 4
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 86
packets received on 2.4 GHz..............: 86
WPA encrypted............................: 61
IDENTITIES...............................: 1
EAP (total)..............................: 21
EAP CODE request.........................: 11
EAP CODE response........................: 9
EAP ID...................................: 4
EAP-TLS messages.........................: 17
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
RSN PMKID (total)........................: 1
The ACCESS key is generated by TLS. It doesn't use a PSK!
EAP (total)..............................: 21
EAP CODE request.........................: 11
EAP CODE response........................: 9
EAP ID...................................: 4
EAP-TLS messages.........................: 17
The traffic itself is WPA encrypted:
WPA encrypted............................: 61
hashcat and JtR can't crack it because the PMK is calculated from TLS AUTHENTICATION (which is removed in your dump files) and not from a PSK via PBKDF2!
For all other readers: Do not clean dump files, because this information will be removed. Do not use tools that do not record this information.
An overview of the CIPHER suites and the AKM suites is here: https://mentor.ieee.org/802.11/dcn/04/11-04-0588-01-000i-tutorial-using-ouis-to-identify-cipher-and-akm-suites.doc
To answer your question ("I want to understand if AKM will affect its M1 PMKID algorithm?"): The AKM defines how the PMK is calculated.
Another example: https://github.com/vanhoefm/wifi-example-captures/blob/master/wpa3.pcapng This time SAE authentication. Before the 4way handshake is done, four AUTHENTICATION packets (packets 80, 82, 84, 86) are used to calculate the PMK. This PMK is used to do the following 4way handshake.
Well, thanks. The AKM will affect the M1 and M2 PMKID.
Hi ZerBea. Does hashcat/john support this type of PMKID?
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK (SHA256)
Auth Key Management (AKM) Suite: 00:0f:ac (Ieee 802.11) PSK (SHA256)
Auth Key Management (AKM) OUI: 00:0f:ac (Ieee 802.11)
Auth Key Management (AKM) type: PSK (SHA256) (6)
May I ask if you have found or received this type of file (with PMKID and password)? Can you upload these type 6 files? Thanks a lot
PSK SHA256 is WPA2 key version 3. As of today I have seen only one 4way handshake and no PMKID. If someone has one, an upload is very appreciated (BEACON & ASSOCIATION REQUEST & EAPOL M1,M2,M3,M4 & password).
I found a file with FT and PSK types, which has an M2 FT type PMKID. I used a dictionary to find one PSK type handshake's password. This should meet the experimental conditions for cracking the PMKID/handshake algorithm. Wishing success. test.zip
Thanks. This is a great example why it is mandatory to record the entire AUTHENTICATION. The AP offers PSK and FT using PSK in transition mode. Packet 16:
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK 00:0f:ac (Ieee 802.11) FT using PSK
Auth Key Management (AKM) Suite: 00:0f:ac (Ieee 802.11) PSK
Auth Key Management (AKM) Suite: 00:0f:ac (Ieee 802.11) FT using PSK
One CLIENT wants to ASSOCIATE running PSK mode. Packet 7832
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
Auth Key Management (AKM) Suite: 00:0f:ac (Ieee 802.11) PSK
Your PSK is from the following handshake.
I've analyzed FT using PSK already and there is a hashcat and JtR feature request: https://github.com/hashcat/hashcat/issues/3887 https://github.com/openwall/john/issues/5365
When using hcxpcapngtool --all --ignore-ie -o, it generates an unbreakable hash 'FT PSK'. Please fix it
test.zip