https://github.com/n0mi1k/pmkidcracker

A tool to crack WPA2 passphrase with PMKID value without clients or de-authentication
https://github.com/n0mi1k/pmkidcracker

pentesting-tools pmkid pmkid-attack redteam-tools wifi-hacking wifi-password wifi-security wpa2-cracker wpa2-cracking

Last synced: 3 months ago
JSON representation

A tool to crack WPA2 passphrase with PMKID value without clients or de-authentication

• Host: GitHub
• URL: https://github.com/n0mi1k/pmkidcracker
• Owner: n0mi1k
• License: mit
• Created: 2023-04-17T16:51:00.000Z (over 2 years ago)
• Default Branch: main
• Last Pushed: 2023-06-10T17:18:03.000Z (over 2 years ago)
• Last Synced: 2024-11-25T16:39:28.241Z (10 months ago)
• Topics: pentesting-tools, pmkid, pmkid-attack, redteam-tools, wifi-hacking, wifi-password, wifi-security, wpa2-cracker, wpa2-cracking
• Language: Python
• Homepage:
• Size: 10.7 KB
• Stars: 183
• Watchers: 3
• Forks: 25
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          

# PMKID WPA2 Cracker

This program is a tool written in Python to recover the pre-shared key of a WPA2 WiFi network without any de-authentication or requiring any clients to be on the network. It targets the weakness of certain access points advertising the PMKID value in EAPOL message 1.

## Program Usage

```

python pmkidcracker.py -s  -ap  -c  -p  -w  -t 

```



**NOTE:** *apmac, clientmac, pmkid must be a hexstring, e.g b8621f50edd9*

## How PMKID is Calculated

The two main formulas to obtain a PMKID are as follows: 

1. **Pairwise Master Key (PMK) Calculation:** passphrase + salt(ssid) => PBKDF2(HMAC-SHA1) of 4096 iterations

2. **PMKID Calculation:** HMAC-SHA1[pmk + ("PMK Name" + bssid + clientmac)]

This is just for understanding, both are already implemented in `find_pw_chunk` and `calculate_pmkid`.

## Obtaining the PMKID

Below are the steps to obtain the PMKID manually by inspecting the packets in WireShark. 

*\***You may use Hcxtools or Bettercap to quickly obtain the PMKID without the below steps. The manual way is for understanding.*** 

To obtain the PMKID manually from wireshark, put your wireless antenna in monitor mode, start capturing all packets with airodump-ng or similar tools. Then connect to the AP **using an invalid password** to capture the EAPOL 1 handshake message. Follow the next 3 steps to obtain the fields needed for the arguments.

**Open the pcap in WireShark:**

- Filter with `wlan_rsna_eapol.keydes.msgnr == 1` in WireShark to display only EAPOL message 1 packets.

- In EAPOL 1 pkt, Expand IEEE 802.11 QoS Data Field to obtain AP MAC, Client MAC

- In EAPOL 1 pkt, Expand 802.1 Authentication > WPA Key Data > Tag: Vendor Specific > PMKID is below

**If access point is vulnerable, you should see the PMKID value like the below screenshot:**



## Demo Run



## Disclaimer

This tool is for educational and testing purposes only. Do not use it to exploit the vulnerability on any network that you do not own or have permission to test. The authors of this script are not responsible for any misuse or damage caused by its use.