About

This short post goes over the workflow I use for the PMKID attack using an Alfa AC1200 (AWUS036ACH) card with a bootable Kali USB and bettercap + hcxdumptool. I have noticed more results using hcxdumptool compared to wifi.assoc all in bettercap, but I still prefer to view and log the output in bettercap, so this workflow helps make the most of both tools.

There's plenty out there about this attack (see resources at bottom), so nothing particularly novel here.

As always, you must only execute this workflow on networks where you have permission.

Setup

1. Laptop
2. Kali Live USB
3. Alfa AC1200 (AWUS036ACH)

Installation

1. Boot into Kali.
2. Connect to a network with Internet access to download packages.
3. Execute install.sh script.
4. Ensure that the card is connected when prompted.
5. Confirm that card is running in monitor mode with iwconfig.

Capturing Hashes

1. Execute capture.sh script.
2. When complete, enter wifi.show; wifi.recon off; q in bettercap.
3. When script is finished, it will list all APs where PMKIDs were captured.
4. Hashes will be found in the *.pmkid.txt files.
5. Session logs will be found in the *-session_{TOOL}.log files.

Cracking Hashes

1. Use hashcat with mode 16800, e.g. hashcat -m16800 hashes.txt wordlist.txt --show --force.

Resources

• hashcat.net: New attack on WPA/WPA2 using PMKID
• evilsocket.net: Pwning WPA/WPA2 Networks With Bettercap and the PMKID Client-Less Attack
• Adam Toscher: New attack on WPA/WPA2 using PMKID