I want to test hcxdumptool, a tool that elicits and captures PMKIDs for use in password cracking.
I want to test this responsibly on my own hardware. However, I can't seem to convince my router to give out valid PMKIDs!
The router is configured for WPA2-PSK. I have tried various combinations of 802.11r settings that I thought might make a difference, but nothing has worked for me.
Here is my current wireless config:
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10300000.wmac'
	option htmode 'HT20'
	option disabled '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'PMKID Test'
	option key 'password'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option ieee80211r '1'
	option ieee80211w '2'
	option encryption 'psk2'
Any ideas?
I'd set ieee80211w to 0, to disable MFP.
Thanks for your reply!
I have tried with every possible combination of ieee80211w: 0, 1, and 2, with no result.
Do you have two APs running in tandem (both have the same SSID, same pass, identical 802.11r settings)? As far as I can read, the attack in question relies on the PMKID which should be sent via management frames during a client roam.
Maybe the magic here is that you need to actually roam at least once with a client device during your monitoring? I don't know if any countermeasures are included in OpenWrt for this.
I do not, no. You're right, that is the intent of the PMKID caching.
However, some devices will emit the PMKID even when operating as a standalone AP and with no clients attached. That's what I'm trying to replicate with OpenWrt.
hcxdumptool performs a partial connection to an AP that causes the AP to emit a PMKID on those routers. I've seen it demonstrated on another router, stand-alone AP with no clients, not part of a larger network -- I just can't seem to get OpenWrt to do it. My best guess is that there's some hostapd setting that needs to be overridden, but I have no idea what...
I've also tried setting rsn_preauth '1', but that didn't make any difference either.