By default, Kali is set to the global regulatory domain (00).
To change the regulatory domain, run iw reg set <COUNTRY>, where COUNTRY is the two-letter code for the country we are currently in. For the US, run iw reg set US.
The change is not permanent, as the setting is held only in memory.
└─$ sudo iw reg set US
[sudo] password for lab:
└─$ iw reg get
global
country US: DFS-FCC
(902 - 904 @ 2), (N/A, 30), (N/A)
(904 - 920 @ 16), (N/A, 30), (N/A)
(920 - 928 @ 8), (N/A, 30), (N/A)
(2400 - 2472 @ 40), (N/A, 30), (N/A)
(5150 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW
(5250 - 5350 @ 80), (N/A, 24), (0 ms), DFS, AUTO-BW
(5470 - 5730 @ 160), (N/A, 24), (0 ms), DFS
(5730 - 5850 @ 80), (N/A, 30), (N/A), AUTO-BW
(5850 - 5895 @ 40), (N/A, 27), (N/A), NO-OUTDOOR, AUTO-BW, PASSIVE-SCAN
(5925 - 7125 @ 320), (N/A, 12), (N/A), NO-OUTDOOR, PASSIVE-SCAN
(57240 - 71000 @ 2160), (N/A, 40), (N/A)
JTR (John the Ripper) mangled word list
Edit the john.conf file. Make a copy of the file first.
cd /etc/john
cp john.conf john.conf.original
nano john.conf
Add the following two rules to the wordlist rules section ([List.Rules:Wordlist]) of the file and save. In John's rule syntax, $ appends a character, so the first rule appends two digits to each word and the second appends three.
$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]
Test the rule
└─$ sudo john --wordlist=/home/lab/wifi-training/rockyou.txt --rules --stdout | grep -i Password123
Using default input encoding: UTF-8
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
password123
password1234
Password123
password12345
PASSWORD123
password123456789
password123456
mypassword123
password1234567
Test the list on the .cap file
└─$ sudo john --wordlist=/home/lab/rockyou.txt --rules --stdout | aircrack-ng -e SSID -w - SSID.0-01.cap
Reading packets, please wait…
Opening SSID.0-01.cap
Using default input encoding: UTF-8
Resetting EAPOL Handshake decoder state.
Resetting EAPOL Handshake decoder state.
Reading packets, please wait…
Opening SSID.0-01.cap
1 potential targets
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
[00:00:00] 24 keys tested (53.95 k/s)
[00:00:00] 66 keys tested (186.91 k/s)
Current passphrase: Appl3123
Master Key : 9B F0 72 A3 5F 1A 99 02 4A 2D 80 47 AE 10 C1 34
KEY FOUND! [ Appl3123 ]
Transient Key : DD 35 B9 86 AD 31 36 95 4B D3 0E E5 0D A7 6B DC
EAPOL HMAC : 76 09 38 2A 1E 81 6F CE 8E 9D BD BF 38 EF 1F D6
RSMangler
RSMangler will take a wordlist and perform various manipulations on it similar to those done by John the Ripper, the main difference being that it will first take the input words and generate all permutations and the acronym of the words (in order they appear in the file) before it applies the rest of the mangles.
~$ echo password> example.txt
~$ echo secure>> example.txt
~$ echo cantbecracked>> example.txt
Verify the contents of the example.txt file
└─$ cat example.txt
password
secure
cantbecracked
└─$ rsmangler
No input file specified
rsmangler v 1.5 Robin Wood (robin@digi.ninja) <https://digi.ninja>
Basic usage:
rsmangler --file wordlist.txt
To pass the initial words in on standard in do:
└─$ rsmangler --file example.txt
By default, the RSMangler results are written to the screen (STDOUT). We use the --output option to save the RSMangler results to a file.
$ rsmangler --file example.txt --output final-mangled-wordlist.txt
└─$ ls -lthr
-rw-r--r-- 1 lab lab 30 Mar 20 15:50 example.txt
-rw-r--r-- 1 lab lab 135K Mar 20 16:03 final-mangled-wordlist.txt
Hashcat
Hashcat is a password recovery tool. Run hashcat -I to list the compute backends and devices it can use.
└─$ hashcat -I
hashcat (v6.2.6) starting in backend information mode
OpenCL Info:
============
OpenCL Platform ID #1
Vendor..: The pocl project
Name....: Portable Computing Language
Version.: OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG
Backend Device ID #1
Type...........: CPU
Vendor.ID......: 128
Vendor.........: GenuineIntel
Name...........: pthread-haswell-Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz
Version........: OpenCL 3.0 PoCL HSTR: pthread-x86_64-pc-linux-gnu-haswell
Processor(s)...: 8
Clock..........: 3600
Memory.Total...: 13696 MB (limited to 2048 MB allocatable in one block)
Memory.Free....: 6816 MB
Local.Memory...: 256 KB
OpenCL.Version.: OpenCL C 1.2 PoCL
Driver.Version.: 3.1+debian
Finding WPA modules
└─$ hashcat --help | grep WPA
2500 | WPA-EAPOL-PBKDF2 | Network Protocol
2501 | WPA-EAPOL-PMK | Network Protocol
22000 | WPA-PBKDF2-PMKID+EAPOL | Network Protocol
22001 | WPA-PMK-PMKID+EAPOL | Network Protocol
16800 | WPA-PMKID-PBKDF2 | Network Protocol
16801 | WPA-PMKID-PMK | Network Protocol
Note: The plugin 2500 is deprecated and was replaced with plugin 22000. For more details, please read: https://hashcat.net/forum/thread-10253.html
└─$ hashcat --help | grep 220
22000 | WPA-PBKDF2-PMKID+EAPOL | Network Protocol
22001 | WPA-PMK-PMKID+EAPOL | Network Protocol
Benchmark the two modes with -b to see the hash rate the system can reach for each:
hashcat -b -m 22000
hashcat -b -m 22001
Format overview
hccapx files are binary files (not plain text files). If you want to inspect this type of file, you should use a hex editor or hex dump tool (like xxd on Linux). If you try to open .hccapx files directly with your text editor, you will only stare at a seemingly random set of bytes.
└─$ sudo apt-cache search xxd
xxd - tool to make (or reverse) a hex dump
└─$ sudo apt-get install xxd
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
xxd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 72.4 kB of archives.
After this operation, 126 kB of additional disk space will be used.
Get:1 http://mirrors.jevincanders.net/kali kali-rolling/main amd64 xxd amd64 2:9.0.1000-4 [72.4 kB]
Fetched 72.4 kB in 0s (152 kB/s)
Convert the capture file to hccapx format
└─$ /usr/lib/hashcat-utils/cap2hccapx.bin SSID.0-01.cap SSID.0.hccapx
Networks detected: 1
[*] BSSID=10:0c:6b:55:7d:2d ESSID=SSID (Length: 9)
--> STA=8c:c6:81:24:2d:d1, Message Pair=0, Replay Counter=1
--> STA=8c:c6:81:24:2d:d1, Message Pair=2, Replay Counter=1
--> STA=fc:f5:c4:24:8e:8c, Message Pair=0, Replay Counter=4
--> STA=fc:f5:c4:24:8e:8c, Message Pair=0, Replay Counter=4
--> STA=a2:08:ad:11:30:fb, Message Pair=0, Replay Counter=1
--> STA=a2:08:ad:11:30:fb, Message Pair=0, Replay Counter=0
--> STA=a2:08:ad:11:30:fb, Message Pair=2, Replay Counter=0
--> STA=a2:08:ad:11:30:fb, Message Pair=0, Replay Counter=0
--> STA=a2:08:ad:11:30:fb, Message Pair=2, Replay Counter=0
Written 9 WPA Handshakes to: SSID.0.hccapx
View the contents of the .hccapx file
└─$ sudo xxd SSID.0.hccapx
00000000: 4843 5058 0400 0000 0009 4249 5445 4d45 HCPX......SSID
00000010: 322e 3000 0000 0000 0000 0000 0000 0000 2.0.............
00000020: 0000 0000 0000 0000 0000 0225 6729 0b11 ...........%g)..
00000030: 15e0 dcbd 9844 f6e1 5729 f910 0c6b 557d .....D..W)...kU}
00000040: 2d36 af65 7e11 9578 7a9a 70a0 a708 de6d -6.e~..xz.p....m
00000050: 2ea8 81b0 3a91 25bd 4851 fde8 5667 4671 ....:.%.HQ..VgFq
00000060: f38c c681 242d d107 efd0 6c8f 7ba7 ca30 ....$-....l.{..0
00000070: db5e 716e 34d2 206b fd99 ea27 8d8a 32fe .^qn4. k...'..2.
00000080: 8939 9c33 a6c9 5679 0001 0300 7502 010a .9.3..Vy....u...
00000090: 0000 0000 0000 0000 0001 07ef d06c 8f7b .............l.{
000000a0: a7ca 30db 5e71 6e34 d220 6bfd 99ea 278d ..0.^qn4. k...'.
000000b0: 8a32 fe89 399c 33a6 c956 0000 0000 0000 .2..9.3..V......
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000e0: 0000 0000 0000 0000 0000 0016 3014 0100 ............0...
000000f0: 000f ac04 0100 000f ac04 0100 000f ac02 ................
00000100: 8000 0000 0000 0000 0000 0000 0000 0000 ................
00000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000130: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000140: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000150: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000180: 0000 0000 0000 0000 0048 4350 5804 0000 .........HCPX...
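A small reader for the hccapx records dumped above, added here as an example (it is not from the page or from hashcat). It follows hashcat's published v4 record layout, which is why a record is 393 bytes and the next "HCPX" signature lands at offset 0x189 in the xxd output; build_record is a constructed test fixture that reuses the AP and station MACs printed by cap2hccapx, with zeroed nonces and MIC.

```python
import struct
from typing import Iterator, NamedTuple

HCCAPX_MAGIC = b"HCPX"
# Field order of a v4 record (little-endian, no padding): signature, version,
# message_pair, essid_len, essid[32], keyver, keymic[16], mac_ap[6],
# nonce_ap[32], mac_sta[6], nonce_sta[32], eapol_len, eapol[256]: 393 bytes.
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
RECORD_SIZE = HCCAPX.size  # 393 (0x189): where the dump's second "HCPX" starts

class Handshake(NamedTuple):
    version: int
    message_pair: int
    essid: bytes
    keyver: int
    keymic: bytes
    mac_ap: str
    mac_sta: str
    eapol: bytes

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_record(blob: bytes) -> Handshake:
    """Decode one fixed-size record, validating the signature and length fields."""
    if len(blob) != RECORD_SIZE:
        raise ValueError(f"record must be {RECORD_SIZE} bytes, got {len(blob)}")
    (magic, version, mpair, essid_len, essid, keyver, keymic, mac_ap,
     _nonce_ap, mac_sta, _nonce_sta, eapol_len, eapol) = HCCAPX.unpack(blob)
    if magic != HCCAPX_MAGIC:
        raise ValueError(f"bad signature {magic!r}")
    if essid_len > 32 or eapol_len > 256:
        raise ValueError("length field exceeds its fixed buffer")
    return Handshake(version, mpair, essid[:essid_len], keyver, keymic,
                     mac_str(mac_ap), mac_str(mac_sta), eapol[:eapol_len])

def iter_records(data: bytes) -> Iterator[Handshake]:
    """Walk a file of concatenated records (cap2hccapx wrote 9 of them above)."""
    if len(data) % RECORD_SIZE:
        raise ValueError("file size is not a multiple of the record size")
    for off in range(0, len(data), RECORD_SIZE):
        yield parse_record(data[off:off + RECORD_SIZE])

def build_record(essid: bytes, mac_ap: bytes, mac_sta: bytes, eapol: bytes,
                 message_pair: int = 0) -> bytes:
    """Constructed test fixture: version 4, keyver 2, zeroed nonces and MIC."""
    return HCCAPX.pack(HCCAPX_MAGIC, 4, message_pair, len(essid),
                       essid.ljust(32, b"\0"), 2, bytes(16), mac_ap, bytes(32),
                       mac_sta, bytes(32), len(eapol), eapol.ljust(256, b"\0"))
```

Feeding the real SSID.0.hccapx through iter_records prints one Handshake per record and rejects a truncated or mis-signed file instead of silently misreading it.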
Convert the capture file (.cap or .pcapng) to a crackable .hc22000 file with hcxpcapngtool. To do that, use the following command.
└─$ hcxpcapngtool -o hash.hc22000 -E ssidname TEST.0-01.cap
hcxpcapngtool 6.2.7 reading from TEST.0-01.cap...
summary capture file
--------------------
file name................................: TEST.0-01.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 18.03.2023 18:35:44
timestamp maximum (GMT)..................: 18.03.2023 21:20:08
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianness (capture system)...............: little endian
packets inside...........................: 3209353
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 6
ACTION (total)...........................: 95
ACTION (containing ESSID)................: 1
PROBERESPONSE (total)....................: 5322
DEAUTHENTICATION (total).................: 526
DISASSOCIATION (total)...................: 118
AUTHENTICATION (total)...................: 11
AUTHENTICATION (OPEN SYSTEM).............: 11
ASSOCIATIONREQUEST (total)...............: 6
ASSOCIATIONREQUEST (PSK).................: 6
WPA encrypted............................: 6795
EAPOL messages (total)...................: 43
EAPOL RSN messages.......................: 43
EAPOLTIME gap (measured maximum usec)....: 775041955
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 3
EAPOL M1 messages (total)................: 28
EAPOL M2 messages (total)................: 5
EAPOL M3 messages (total)................: 6
EAPOL M4 messages (total)................: 4
EAPOL pairs (total)......................: 22
EAPOL pairs (best).......................: 3
EAPOL pairs written to 22000 hash file...: 3 (RC checked)
EAPOL M12E2 (challenge)..................: 1
EAPOL M32E2 (authorized).................: 2
PMKID (total)............................: 28
PMKID (best).............................: 3
PMKID written to 22000 hash file.........: 3
frequency statistics from radiotap header (frequency: received packets)
Run hashcat in mode 22000 against the .hc22000 file with the rockyou.txt wordlist
└─$ hashcat -m 22000 hash.hc22000 rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz, 6816/13696 MB (2048 MB allocatable), 8MCU
Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63
Hashes: 12 digests; 6 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Salt
* Slow-Hash-SIMD-LOOP
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 2 MB
Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344394
* Bytes.....: 139921517
* Keyspace..: 14344387
* Runtime...: 1 sec
ea8f4c036cd7fcc:100c6b557d2d:fcf5c4248e8c:TEST:Appl3123
2567290b1115e0d:100c6b557d2d:8cc681242dd1:TEST:Appl3123
5cf61321c769df6:100c6b557d2d:8cc681242dd1:TEST:Appl3123
464c0580f2cfac0:100c6b557d2d:fcf5c4248e8c:TEST:Appl3123
28fa2816858def3:100c6b557d2d:a208ad1130fb:TEST:Appl3123
7609382a1e816fc:100c6b557d2d:a208ad1130fb:TEST:Appl3123
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: hash.hc22000
Time.Started.....: Mon Mar 20 17:39:41 2023 (1 sec)
Time.Estimated...: Mon Mar 20 17:39:42 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 5334 H/s (9.82ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 6/6 (100.00%) Digests (total), 6/6 (100.00%) Digests (new)
Progress.........: 12212/14344387 (0.09%)
Rejected.........: 8116/12212 (66.46%)
Restore.Point....: 0/14344387 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:5-11
Candidate.Engine.: Device Generator
Candidates.#1....: 123456789 -> cocktail
Hardware.Mon.#1..: Temp: 79c Util: 97%
Started: Mon Mar 20 17:38:59 2023
Stopped: Mon Mar 20 17:39:43 2023
Airolib-ng
Airolib-ng is an aircrack-ng suite tool designed to store and manage ESSID and password lists, compute their Pairwise Master Keys (PMKs) and use them in WPA/WPA2 cracking. The program uses the lightweight SQLite3 database as the storage mechanism, which is available on most platforms. SQLite3 was selected taking into consideration platform availability as well as management, memory, and disk overhead.
WPA/WPA2 cracking involves calculating the pairwise master key (PMK), from which the pairwise transient key (PTK) is derived. Using the PTK, we can compute the message integrity code (MIC) for a given packet; if it is identical to the MIC in the captured packet, the PTK was correct, and therefore the PMK was correct as well.
Calculating the PMK is very slow since it uses the PBKDF2 algorithm, yet the PMK is always the same for a given ESSID and password combination. This allows us to pre-compute the PMK for given combinations and speed up cracking the WPA/WPA2 handshake. Tests have shown that, using this technique with pre-computed PMK tables, aircrack-ng can check more than 50,000 passwords per second.
Computing the PMK is still required, yet we can:
- Precompute it for later and/or shared use.
- Use distributed machines to generate the PMK and use their value elsewhere.
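The PMK derivation the two paragraphs above describe, as an added example (not code from the page or from airolib-ng): PBKDF2-HMAC-SHA1 with the ESSID as salt, 4096 rounds, 32-byte output. The table is keyed by the ESSID, which is the defender's takeaway: a network with a non-default ESSID and a long passphrase is not covered by any shared precomputed table. The expected value for ("IEEE", "password") is the IEEE 802.11i Annex test vector.

```python
import hashlib
from typing import Dict, Iterable

PBKDF2_ROUNDS = 4096  # fixed by the WPA/WPA2 PSK specification
PMK_LEN = 32          # 256-bit PMK

def wpa_pmk(essid: str, passphrase: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes).
    This is the slow step; its output depends only on (ESSID, passphrase)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)

def precompute_pmks(essid: str, passphrases: Iterable[str]) -> Dict[str, bytes]:
    """Per-ESSID passphrase -> PMK table, the kind airolib-ng stores in SQLite:
    the PBKDF2 cost is paid once per entry instead of once per handshake."""
    return {p: wpa_pmk(essid, p) for p in passphrases}

def table_applies(table_essid: str, target_essid: str) -> bool:
    """A table is only reusable for the exact ESSID it was computed for."""
    return table_essid == target_essid
```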