01-28-2019, 10:43 PM
Hello guys
Please tell me if this is the wrong forum -> first post.
I am writing a scientific paper for my University (TUM) about the PMKID attack [https://hashcat.net/forum/thread-7717.html]. My paper goes quite in depth about the attack and I would like some input if my thoughts are correct.
As far as I understand:
The 802.11i-2004 standard states that PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), where the PMK is the password for the WPA/WPA2 PSK network.
And that hcxpcaptool extracts the PMKID to <PMKID>*<MAC_AP>*<MAC_Station>*<ESSID>, where <PMKID> is the hashed form of the password or PMK.
hashcat then inserts the chosen PMK/password from a dictionary/password list into HMAC-SHA1-128(<1. password>, "<1. password>" || MAC_AP || MAC_STA) and from there checks if the calculated PMKID equals the PMKID received from the AP. If it does not match, retry with the next password. I would like your thoughts if I am on the correct track or completely off.
I further see that the PMKID is cracked with hash type WPA-PMKID-PBKDF2 which is a network protocol. Can anyone tell me if this protocol or how you can look at it uses HMAC-SHA1-128 to hash a PMKID as stated in the previous paragraph?
As far as I have seen there is no documentation on how the PMKID is actually cracked and that is why I am asking in this forum.
My last question is about the benchmark function in hashcat. The results from the benchmark show how many password-to-hash conversions are done per second (H/s). This is normal when cracking on a high-end rig, but the goal of the attack is to crack the PMKID on a laptop, which does not pack that much power. In this case, the hash mode 16801 is used, which needs a premade hashed password list.
My question and wondering here is if H/s is still valid because passwords are not hashed, but only checked against each other, meaning faster checking time. I would think that H/s is not valid, because there is no hashing, but only simply string checking taking place.
Cheers and thanks for replies!
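The derivation the post quotes can be checked end to end with a few lines of standard-library Python. This is an added example, not code from the original post or from the hashcat/hcxtools projects. Two facts it relies on are fixed by the standard (IEEE 802.11i-2004, carried into 802.11-2012 section 11.6.1.3): for a WPA/WPA2-PSK network the PMK is not the passphrase itself but PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), and the PMKID is the first 128 bits of HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA), where "PMK Name" is the literal ASCII string. The PBKDF2 step (4096 HMAC-SHA1 iterations per candidate) is the expensive part; the final HMAC is a single SHA-1 pass, which is why a mode that takes precomputed PMKs as input can test candidates far faster than a mode that starts from passphrases. The network identifiers, passphrase and hash line below are constructed for the example; the helper names are this example's own, not hashcat's.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key per 802.11i:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 iterations, 32-byte (256-bit) output. This is the costly step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA).
    '128' means the HMAC-SHA1 output is truncated to its first 16 bytes."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def build_hcx_line(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, essid: str) -> str:
    """Serialise in the <PMKID>*<MAC_AP>*<MAC_STA>*<ESSID> layout quoted in the
    post; every field is hex-encoded, including the ESSID."""
    return "*".join([pmkid.hex(), mac_ap.hex(), mac_sta.hex(), essid.encode().hex()])


def parse_hcx_line(line: str):
    """Inverse of build_hcx_line: returns (pmkid, mac_ap, mac_sta, essid)."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex),
            bytes.fromhex(sta_hex), bytes.fromhex(essid_hex).decode())


def pmkid_matches_passphrase(candidate: str, line: str) -> bool:
    """Passphrase-mode check: derive the PMK (PBKDF2), then compare PMKIDs.
    Each call costs 4096 HMAC-SHA1 iterations plus one final HMAC."""
    target, mac_ap, mac_sta, essid = parse_hcx_line(line)
    pmk = derive_pmk(candidate, essid)
    return hmac.compare_digest(compute_pmkid(pmk, mac_ap, mac_sta), target)


def pmkid_matches_pmk(candidate_pmk: bytes, line: str) -> bool:
    """Precomputed-PMK check: the PBKDF2 step is skipped entirely, so each
    candidate costs a single HMAC-SHA1. A candidate is still hashed here; it is
    never a plain string comparison of passphrases."""
    target, mac_ap, mac_sta, _essid = parse_hcx_line(line)
    return hmac.compare_digest(compute_pmkid(candidate_pmk, mac_ap, mac_sta), target)


# --- constructed sample network (not a real capture) ---------------------
SAMPLE_ESSID = "ExampleNet"
SAMPLE_PASSPHRASE = "correct horse battery"
SAMPLE_MAC_AP = bytes.fromhex("001122334455")
SAMPLE_MAC_STA = bytes.fromhex("66778899aabb")


def sample_hcx_line() -> str:
    """Builds the hash line an AP using the sample network would yield."""
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_ESSID)
    pmkid = compute_pmkid(pmk, SAMPLE_MAC_AP, SAMPLE_MAC_STA)
    return build_hcx_line(pmkid, SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_ESSID)


if __name__ == "__main__":
    line = sample_hcx_line()
    print("hash line:", line)
    for cand in ["password", "ExampleNet123", SAMPLE_PASSPHRASE]:
        print(f"{cand!r:26} -> {pmkid_matches_passphrase(cand, line)}")
```

The standard's own test vector (passphrase "password", SSID "IEEE") can be used to confirm derive_pmk before trusting any of the downstream functions; the PMK it must produce begins with f42c6fc5 and is listed in Annex H of 802.11i. Note that the only difference between the two match functions is whether derive_pmk runs, which is exactly the cost difference between a passphrase-based mode and a precomputed-PMK mode.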