09-05-2018, 10:13 AM
Hi slyexe.
Do you use the latest commit? I did a complete refactoring. The Raspberry PI A+, B+ is able to handle 4096 access points and/or 4096 clients simultaneously in a very fast way.
"This thing is so fast it can pick up car APs before they are out of range if you're not careful"
https://forums.hak5.org/topic/44213-pmki...ent-310848
I'll do some more tests, maybe we can increase this value.
I also got some feature requests to handle beacons and networks using beacons with hidden ESSIDs and implemented it. Also the refactoring was necessary to handle WPA3 in the future. Next step is to handle Protected Management Frames (PMF). They are part of WPA3. Deauthentication attacks against these networks are useless so we have to add a new attack vector. The disassociation attack vector (EAPOL 4/4) will still work, because it's done before the access point activates PMF. (BTW: If we run this attack continuously, the client is no longer able to connect to its access point).
Also I added a feature to mask our authentication request. Now you can choose the VENDOR information which hcxdumptool adds to the authentication.
New features:
improved rcascan (show time and access points which hide their ESSID)
prepare detection of PMF
refactored access point handling
handle 4096 access points simultaneously
refactored client handling
handle 4096 clients simultaneously
speed up retrieving PMKIDs (< 1 minute)
attack access points which hide their ESSID
increased filter list line length
increased filter list maximum entries
added option to show beacons in status output:
--enable_status=<digit>: enable status messages
bitmask:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATION
8: ASSOCIATION
16: BEACON
added option to choose station VENDOR information:
--station_vendor=<digit>: use this VENDOR information for station
0: transmit no VENDOR information (default)
1: Broadcom
2: Apple-Broadcom
3: Sonos
Do not be surprised by the many authentication frames in your capture file. We store all frames with length greater than the default payload (6 bytes) to retrieve more VENDOR information.
You can identify them with Wireshark (filter: wlan.fc.type_subtype == 0x0b)
We are not interested in the default value:
Fixed parameters (6 bytes)
But we are interested in additional VENDOR information. So please right click on this field:
Tag: Vendor Specific: Broadcom
and do a "copy as a Hex Stream"
dd090010180202000c0000
If you got some new VENDOR information, please post it here. I'll add it to hcxdumptool.
Please upload your uncleaned pcapng (cap, pcap, .gz) files also to https://wpa-sec.stanev.org. They are useful for analysis. You can compress them with gzip; hcxtools supports gzip compressed files. As a nice gift, you will receive the PSK, if wpa-sec is able to recover it (the service is free and results will be included in hcxtools/hcxdumptool and hashcat; nonce-error-corrections, hashmode 2501 and the PMKID attack vector are some examples of that procedure, a.k.a. Intelligence Cycle).
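Added example (not hcxdumptool's or the poster's code): a small Python parser for the authentication frame body described above, which separates the 6-byte fixed parameters from any vendor-specific tag (0xdd) that follows and reproduces the "copy as a Hex Stream" value from the post. The OUI table and the sample frame body are constructed assumptions.

```python
import struct

# Minimal OUI table; 00:10:18 is a Broadcom OUI (assumption: extend as needed).
OUI_NAMES = {bytes.fromhex("001018"): "Broadcom"}

# Constructed sample: open-system authentication, seq 1, status 0, followed by
# the Broadcom vendor-specific tag quoted in the post.
SAMPLE_AUTH_BODY = bytes.fromhex("000001000000" + "dd090010180202000c0000")


def parse_auth_body(body: bytes):
    """Split an authentication frame body into its 6-byte fixed parameters
    (algorithm, sequence, status; little-endian) and the tagged parameters
    (IEs) that follow them. Vendor-specific IEs get their OUI resolved."""
    if len(body) < 6:
        raise ValueError("authentication body shorter than the 6 fixed bytes")
    algorithm, seq, status = struct.unpack("<HHH", body[:6])
    fixed = {"algorithm": algorithm, "seq": seq, "status": status}
    ies = []
    pos = 6
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated IE at offset %d" % pos)
        ie = {"tag": tag, "value": value}
        if tag == 0xDD and length >= 3:  # vendor-specific IE starts with an OUI
            oui = value[:3]
            ie["oui"] = oui.hex(":")
            ie["vendor"] = OUI_NAMES.get(oui, "unknown")
            ie["data"] = value[3:].hex()
        ies.append(ie)
        pos += 2 + length
    return fixed, ies


def vendor_hex_streams(body: bytes):
    """Return each vendor-specific IE as the hex stream Wireshark would copy
    (tag + length + value); an empty list for a plain 6-byte body."""
    _, ies = parse_auth_body(body)
    return [bytes([ie["tag"], len(ie["value"])]).hex() + ie["value"].hex()
            for ie in ies if ie["tag"] == 0xDD]


if __name__ == "__main__":
    fixed, ies = parse_auth_body(SAMPLE_AUTH_BODY)
    print(fixed)
    for ie in ies:
        print(ie.get("vendor"), ie.get("oui"), ie.get("data"))
    print(vendor_hex_streams(SAMPLE_AUTH_BODY))
```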