06-08-2019, 09:57 AM
By this hcxtools commit
https://github.com/ZerBea/hcxtools/commi...0da23ddbcb
we detect and convert PMKIDs from clients, too. Therefore we use the RSN information field of the client.
The RSN IE is an optional field that can be found in 802.11 management frames. One of the RSN capabilities is the PMKID. Reassociationrequest and EAPOL M2 frames of clients can contain a PMKIDLIST at the end of the RSN IE.
Wireshark will show you this information:
Tag: RSN Information
Tag Number: RSN Information (48)
Tag length: 38
RSN Version: 1
Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
Pairwise Cipher Suite Count: 1
Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
RSN Capabilities: 0x24ac
PMKID Count: 1
PMKID List
In case of a reassociationrequest frame, only one(!) packet is needed to retrieve all the information we need to recover the password. A reassociationrequest contains ESSID, MAC_AP, MAC_STA and it may contain the PMKID (keep in mind: not all clients will do this).
In case of an EAPOL M2, we need a second frame, too, which contains the ESSID (proberequest, proberesponse, associationrequest, beacon). That is similar to the method to retrieve a PMKID from an access point. In that case we use the EAPOL M1 to get the PMKID (keep in mind: not all access points will do this).
New status output of hcxpcaptool looks like that:
PMKIDs (WPA1)................: 5
PMKIDs (WPA2)................: 193
PMKIDs (WPA2 keyv 3).........: 72
PMKIDs from access points....: 258
PMKIDs from stations.........: 19
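As an added example (not hcxtools code), the walk over the RSN IE that the Wireshark dissection above describes: skip the fixed fields and the two suite lists, then read the optional capabilities and PMKID count and pull the first PMKID. The sample IE is constructed to match the dissection (tag 48, length 38, CCMP, PSK, capabilities 0x24ac, one PMKID); its PMKID value is made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RSN_TAG   48
#define PMKID_LEN 16

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walks an RSN IE (ie points at the tag byte, avail = bytes left in the frame).
   Returns the number of PMKIDs in the PMKID list (0 if the optional fields are
   absent), or -1 if the IE is not RSN or is truncated. If a PMKID is present
   and pmkid_out is non-NULL, the first one is copied into it. */
int rsn_ie_pmkid_count(const uint8_t *ie, size_t avail, uint8_t *pmkid_out)
{
    if (avail < 2 || ie[0] != RSN_TAG || (size_t)ie[1] + 2 > avail) return -1;
    const uint8_t *p = ie + 2, *end = p + ie[1];
    if (end - p < 8) return -1;            /* version(2) + group cipher(4) + pairwise count(2) */
    p += 6;                                /* version and group cipher suite */
    uint16_t pairwise = le16(p); p += 2;
    if ((size_t)(end - p) < (size_t)pairwise * 4 + 2) return -1;
    p += pairwise * 4;                     /* skip pairwise suite list */
    uint16_t akm = le16(p); p += 2;
    if ((size_t)(end - p) < (size_t)akm * 4) return -1;
    p += akm * 4;                          /* skip AKM suite list */
    if (end - p < 4) return 0;             /* capabilities / PMKID count absent */
    p += 2;                                /* RSN capabilities */
    uint16_t n = le16(p); p += 2;
    if ((size_t)(end - p) < (size_t)n * PMKID_LEN) return -1;
    if (n && pmkid_out) memcpy(pmkid_out, p, PMKID_LEN);
    return n;
}

/* Constructed sample matching the Wireshark dissection above: tag 48, length 38,
   RSN v1, CCMP group and pairwise, PSK AKM, capabilities 0x24ac, one PMKID
   (the PMKID bytes are made up). */
const uint8_t sample_rsn_ie[] = {
    0x30, 0x26, 0x01, 0x00,                      /* tag, len, version 1 */
    0x00, 0x0f, 0xac, 0x04,                      /* group cipher CCMP */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,          /* 1 pairwise suite: CCMP */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x02,          /* 1 AKM suite: PSK */
    0xac, 0x24, 0x01, 0x00,                      /* caps 0x24ac LE, PMKID count 1 */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00
};
```

The length checks matter because the PMKID fields are optional: a client IE that stops after the AKM list parses as 0 PMKIDs rather than reading past the tag.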