This short post goes over the workflow I use for the PMKID attack using an Alfa AC1200 (AWUS036ACH) card with a bootable Kali USB and bettercap + hcxdumptool. I have noticed more results using hcxdumptool compared to
wifi.assoc all in bettercap, but I still prefer to view and log the output in bettercap, so this workflow helps make the most of both tools.
There's plenty out there about this attack (see resources at bottom), so nothing particularly novel here.
As always, you must only execute this workflow on networks where you have permission.
- Boot into Kali.
- Connect to a network with Internet access to download packages.
- Ensure that the card is connected when prompted.
- Confirm that card is running in monitor mode with
- When complete, enter
wifi.show; wifi.recon off; qin bettercap.
- When script is finished, it will list all APs where PMKIDs were captured.
- Hashes will be found in the
- Session logs will be found in the
- Use hashcat with mode 16800, e.g.
hashcat -m16800 hashes.txt wordlist.txt --show --force.
- CVE-2019-9730: LPE in Synaptics Sound Device Driver
- CVE-2019-8372: Local Privilege Elevation in LG Kernel Driver
- Understanding the Current Era of Binary Exploitation
- How-To Assess System Images: Overview
- Using Symbolic Execution to Recover IOCTLs in HEVD
- CVE-2017-11907 WPAD.dat Generator for Responder
- High-Level Approaches for Finding Vulnerabilities
- Resources for Learning Reverse Engineering
- CVE-2016-5563/4/5: RCE and Cardholder Data Exfiltration in Oracle OPERA
- java.lang.Runtime.exec() Payload Workarounds
- A Diagram for Sabotaging Cryptosystems
- PoliCTF 2015 Android Reversing Writeup