08-22-2018, 03:48 PM
08-26-2018, 10:23 AM
Pushed a small update to hcxdumptool. From now on we parse SAE completely:
[10:10:20 - 005] c83a35000002 -> c83a35000001 [AUTHENTICATION, SAE COMMIT, STATUS 0, SEQUENCE 304]
[10:10:20 - 005] c83a35000001 -> c83a35000002 [AUTHENTICATION, SAE COMMIT, STATUS 0, SEQUENCE 337]
[10:10:20 - 005] c83a35000002 -> c83a35000001 [AUTHENTICATION, SAE CONFIRM, STATUS 0, SEQUENCE 305]
[10:10:20 - 005] c83a35000001 -> c83a35000002 [AUTHENTICATION, SAE CONFIRM, STATUS 0, SEQUENCE 338]
[10:10:20 - 005] c83a35000001 -> c83a35000002 [FOUND PMKID]
[10:10:20 - 005] c83a35000001 -> c83a35000002 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 3741]
as you can see here:
[10:10:20 - 005] c83a35000001 -> c83a35000002 [FOUND PMKID]
We are not able to attack SAE yet...
Remarks:
SAE = Simultaneous authentication of equals
pre-shared password-based authentication with stronger security than WPA-PSK (also known as WPA3-Personal)
struct sae_commit_authentication_frame
{
    uint16_t group_id;              /* finite cyclic group identifier */
    uint8_t scalar[32];             /* commit scalar */
    uint8_t commit_element_x[32];   /* commit element, x coordinate */
    uint8_t commit_element_y[32];   /* commit element, y coordinate */
} __attribute__((__packed__));
struct sae_confirm_authentication_frame
{
    uint16_t send_confirm;          /* send-confirm counter */
    uint8_t confirm[32];            /* confirm value */
} __attribute__((__packed__));
read more about the status codes (reason codes) here:
https://community.cisco.com/t5/wireless-...-p/3148055
read more about WPA3-Personal and WPA3-Enterprise here:
https://blogs.cisco.com/wireless/greater...r-security
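An added example (my own code, not hcxdumptool's) that classifies an 802.11 authentication frame body as SAE COMMIT or SAE CONFIRM the way the log lines above do, with the length check a parser needs before it casts the body to the posted structs. It assumes the struct layout posted above (a 256-bit group, no anti-clogging token) and all sample bodies are constructed.

```c
/* Added example (not hcxdumptool's code): classify an 802.11 authentication
 * frame body as SAE COMMIT / SAE CONFIRM, as in the log lines above. Layout
 * follows the posted structs (256-bit group such as 19, no anti-clogging token). */
#include <stdint.h>
#include <stdio.h>
/* 802.11 fixed header: algorithm number (SAE = 3), transaction sequence
 * (1 = commit, 2 = confirm), status code; all 16-bit little endian. */
enum { AUTH_ALGO_SAE = 3, SAE_SEQ_COMMIT = 1, SAE_SEQ_CONFIRM = 2, AUTH_HDR_LEN = 6 };

struct sae_commit_authentication_frame {
    uint16_t group_id;
    uint8_t  scalar[32];
    uint8_t  commit_element_x[32];
    uint8_t  commit_element_y[32];
} __attribute__((__packed__));
struct sae_confirm_authentication_frame {
    uint16_t send_confirm;
    uint8_t  confirm[32];
} __attribute__((__packed__));
enum sae_kind { SAE_NONE = 0, SAE_COMMIT = 1, SAE_CONFIRM = 2 };
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* SAE_NONE if the body is not SAE or shorter than the struct it claims to carry
 * (a truncated frame must not be cast); else the kind, plus status via *status. */
enum sae_kind classify_sae(const uint8_t *body, size_t len, uint16_t *status)
{
    if (len < AUTH_HDR_LEN || le16(body) != AUTH_ALGO_SAE) return SAE_NONE;
    uint16_t seq = le16(body + 2);
    size_t need = seq == SAE_SEQ_COMMIT  ? sizeof(struct sae_commit_authentication_frame)
                : seq == SAE_SEQ_CONFIRM ? sizeof(struct sae_confirm_authentication_frame) : 0;
    if (need == 0 || len - AUTH_HDR_LEN < need) return SAE_NONE;
    if (status) *status = le16(body + 4);
    return seq == SAE_SEQ_COMMIT ? SAE_COMMIT : SAE_CONFIRM;
}

/* Constructed sample body: the given header fields followed by paylen zero bytes. */
int build_and_classify(uint16_t algo, uint16_t seq, uint16_t st, size_t paylen, uint16_t *status)
{
    uint8_t body[AUTH_HDR_LEN + 128] = {0};
    if (paylen > 128) return -1;
    body[0] = algo & 0xff; body[1] = algo >> 8;
    body[2] = seq & 0xff;  body[3] = seq >> 8;
    body[4] = st & 0xff;   body[5] = st >> 8;
    return (int)classify_sae(body, AUTH_HDR_LEN + paylen, status);
}
int main(void) {   /* STATUS 0 commit sample, like the first log line above */
    uint16_t st = 0;
    int k = build_and_classify(AUTH_ALGO_SAE, SAE_SEQ_COMMIT, 0, 98, &st);
    printf("kind %d (1 = COMMIT, 2 = CONFIRM), STATUS %u\n", k, st);
    return 0;
}
```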
08-26-2018, 02:22 PM
Is there a way to append or concatenate results from multiple hcxdumptool sessions?
08-26-2018, 02:59 PM
Hello. I've noticed that --do_rcascan never shows APs whose SSID is hidden/not broadcast. I believe these APs should be in range. Is there a fix or workaround for this?
Thank you
08-26-2018, 03:30 PM
Hi dizcza.
Yes, there is a way. From the README.md:
Notice
Most output files will be appended to existing files (with the exception of .cap files).
You can/should cat all outputs from hcxpcaptool to build up your cracking environment as described here:
https://hashcat.net/forum/thread-6661-po...l#pid36274
cap files can be merged by wireshark tools, but I do not recommend this.
08-26-2018, 03:59 PM
Hi sl0badob
That is correct. An access point is detected to be in our range if it responds to our request using its ESSID. We are not able to associate to an access point without this information. As long as we haven't received this information, the access point is not in our protocol layer 2 range for a successful authentication.
I do not plan to change this behavior, because I do not want to fight windmills.
from hostapd.conf:
# Send empty SSID in beacons and ignore probe request frames that do not
# specify full SSID, i.e., require stations to know SSID.
# default: disabled (0)
# 1 = send empty (length=0) SSID in beacon and ignore probe request for
# broadcast SSID
# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
# with some clients that do not support empty SSID) and ignore probe
# requests for broadcast SSID
ignore_broadcast_ssid=0
BTW:
The access point is detected, if it responds to an authorized client who knows the ESSID.
08-26-2018, 04:47 PM
This script reads the last line of 16800.pot and shows this info:
https://i.imgur.com/wtjETyq.png
https://nofile.io/f/gWSNdP7RBCN/16800-info_v2.7z
mirrors:
https://www27.zippyshare.com/v/JRr6stg3/file.html
https://www.sendspace.com/file/2zu15c
saludos Diego
08-26-2018, 05:24 PM
Hi diegodieguex.
Nice improvement. Now we can retrieve the ESSID (in ASCII) and the VENDOR information from the hashline.
08-26-2018, 05:44 PM
thank you ZerBea
I have the same result replacing line 21 simply by:
cat /tmp/PSK
saludos Diego
08-27-2018, 06:10 AM
Hi,
I'm also getting only FOUND AUTHORIZED HANDSHAKE but not PMKID FOUND:
[23:42:51 - 001] 6872321b37b7 -> b065bddf493a [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 1712]
[23:42:54 - 001] 6872321b37b7 -> 3ca3080633f0 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 1383]
FYI: I'm near my router
What can I do?