How to emit PMKIDs?

I want to test hcxdumptool, a tool that elicits and captures PMKIDs for use in password cracking.

I want to test this responsibly on my own hardware. However, I can't seem to convince my router to give out valid PMKIDs!

The router is configured for WPA2-PSK. I have tried various combinations of 802.11r settings that I thought might make a difference, but nothing has worked for me.

Here is my current wireless config:

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10300000.wmac'
	option htmode 'HT20'
	option disabled '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'PMKID Test'
	option key 'password'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option ieee80211r '1'
	option ieee80211w '2'
	option encryption 'psk2'

Any ideas?

I'd set ieee80211w to 0, to disable MFP.

Thanks for your reply!

I have tried with every possible combination of ieee80211w: 0, 1, and 2, with no result.

Do you have two APs running in tandem (both have the same SSID, same pass, identical 802.11r settings)? As far as I can read, the attack in question relies on the PMKID which should be sent via management frames during a client roam.

Maybe the magic here is that you need to actually roam at least once with a client device during your monitoring? I don't know if any countermeasures are included in OpenWrt for this.

I do not, no. You're right, that is the intent of the PMKID caching.

However, some devices will emit the PMKID even when operating as a standalone AP and with no clients attached. That's what I'm trying to replicate with OpenWrt.

hcxdumptool performs a partial connection to an AP that causes the AP to emit a PMKID on those routers. I've seen it demonstrated on another router, stand-alone AP with no clients, not part of a larger network -- I just can't seem to get OpenWrt to do it. My best guess is that there's some hostapd setting that needs to be overridden, but I have no idea what...

I've also tried setting rsn_preauth '1', but that didn't make any difference either.
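An added example, not code from this thread or from hcxdumptool, that answers the question "is my AP actually emitting a PMKID?" by inspecting the AP's first EAPOL-Key message (the frame a partial association is meant to elicit) for an RSN PMKID KDE. The field offsets and the KDE encoding follow the 802.11 EAPOL-Key descriptor; the sample frame is constructed inline, and treating an all-zero PMKID as unusable is my assumption.

```python
import struct

# EAPOL-Key frame: 4-byte 802.1X header (version, type, length), then the
# RSN key descriptor: type(1) keyinfo(2) keylen(2) replay(8) nonce(32)
# iv(16) rsc(8) reserved(8) mic(16) keydatalen(2) keydata(...).
EAPOL_KEY = 3
KEY_DATA_LEN_OFF = 4 + 93       # key data length field, frame-relative
RSN_OUI = b"\x00\x0f\xac"
PMKID_KDE = 4                   # KDE data type for PMKID
KI_PAIRWISE, KI_ACK, KI_MIC = 0x0008, 0x0080, 0x0100

def is_msg1(key_info):
    """Message 1 of the 4-way handshake: Pairwise and Ack set, MIC clear."""
    return bool(key_info & KI_PAIRWISE) and bool(key_info & KI_ACK) and not (key_info & KI_MIC)

def extract_pmkid(frame):
    """Return the 16-byte PMKID carried in an EAPOL-Key message 1, else None."""
    if len(frame) < KEY_DATA_LEN_OFF + 2 or frame[1] != EAPOL_KEY:
        return None
    key_info = struct.unpack(">H", frame[5:7])[0]
    if not is_msg1(key_info):
        return None
    kd_len = struct.unpack(">H", frame[KEY_DATA_LEN_OFF:KEY_DATA_LEN_OFF + 2])[0]
    kd = frame[KEY_DATA_LEN_OFF + 2:KEY_DATA_LEN_OFF + 2 + kd_len]
    i = 0
    while i + 2 <= len(kd):                      # walk the KDE / IE list
        typ, length = kd[i], kd[i + 1]
        body = kd[i + 2:i + 2 + length]
        if typ == 0xDD and len(body) >= 20 and body[:3] == RSN_OUI and body[3] == PMKID_KDE:
            return bytes(body[4:20])
        i += 2 + length
    return None

def classify(frame):
    """'no-pmkid', 'zeroed-pmkid' (present but all zeros, assumed unusable) or 'pmkid'."""
    pmkid = extract_pmkid(frame)
    if pmkid is None:
        return "no-pmkid"
    return "zeroed-pmkid" if pmkid == bytes(16) else "pmkid"

def build_msg1(pmkid=None, key_info=KI_PAIRWISE | KI_ACK | 0x0002):
    """Constructed sample (not a real capture): RSN EAPOL-Key message 1."""
    key_data = b"" if pmkid is None else b"\xdd\x14" + RSN_OUI + bytes([PMKID_KDE]) + pmkid
    body = bytes([2]) + struct.pack(">HH", key_info, 16) + b"\x00" * 8 + b"\x11" * 32
    body += b"\x00" * (16 + 8 + 8 + 16) + struct.pack(">H", len(key_data)) + key_data
    return bytes([2, EAPOL_KEY]) + struct.pack(">H", len(body)) + body
```

Feed `extract_pmkid` the EAPOL payload of the AP's first handshake frame from your own capture; `classify` distinguishes "the AP sent nothing" from "it sent a zeroed PMKID".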