Generating pmk - techniques for storing, starting, stopping and restarting

2014-09-23, 03:31
In general we do not suggest pre-computing pmk except in very special circumstances - those are:
1. A wifi target exists that has already been cracked.
2. This target has historically been seen to change the WPA key but keeps the ESSID constant. Remember if the owner changes the ESSID then the pmk (aka rainbow tables) becomes worthless. Warning - pick your pmk targets carefully.

You are only going to crack cryptographically weak keys. We suggest the best path to a successful WPA crack is to complete the following in this order:

1. Numeric strings 8 thru 10
2. Common password and alterations
3. Large dictionary files and permutations
4. Letter frequency analysis etaoin shrdlu cmfwyp vbgkjq xz

The following is meant to be used with large USB hard drives (USB-HD) to store the pmk files. Users can stop and restart these computations. Hence any time the computer is not being used, pmk can be computed. We include examples in these terminal window (TW) command lines (CL) on how to connect to your USB drive.

Connecting to the usb drive.

In this example we use a 1 terabyte mybook external USB-HD

1. Plug in your USB-HD. Once kali-linux accepts this usb connection type:
cd /media
/media ls

We get:
cdrom usb usb0 usb1 WD Smartdrive

To find which of these entries is the path first pick the lighter seagreen entry.
/media cd usb
/media/usb ls

If the ls command gives you no root structure try another entry. Once you have the path to your USB-HD you are ready to start computing pmk against your target. If you unplug your USB drive and then plug it back in, kali-linux may change the path. We have seen usb, mybook and mybook_ suddenly appear, of which only one (1) showed the path to the files. So recheck and alter your paths in the CL as required.

Computing pmk against numeric strings 8 to 10. The TWCL is as follows. We will use a crunch to genpmk pass-thru. This saves you from having to pre-compute a dictionary and store this dictionary on a device, thus taking up space.

crunch 8 10 0123456789 | genpmk -d /media/usb/pmk/wifihome8thu10 -s "Wifi Home" -f -w -

The crunch side of the pipe says to generate numeric only strings lengths 8 to 10 with the characters 0123456789

The genpmk side says generate pmk. Output the hash file with -d to /media/usb/pmk/wifihome8thu10. Use the ESSID name "Wifi Home". The -f -w - tells the computer to get its data from the pass-thru, not a stored file.

WARNING Make sure you spell your wifi target's name (i.e. ESSID) correctly. Check the name carefully to make sure there are no spaces at the end of the name. Character case is important. If you misspell the name or enter incorrect case your pmk is worthless!!!

You can stop this computation any time: just type Ctrl-C and wait till the crunch-genpmk pipe terminates. You will get a crunch notification:

Crunch ending at 00018206

The 00018206 is the point where crunch stopped. Mark it down and do not lose this. We prefer to rename the pmk file being written by appending this stop point at the end of the file being written by genpmk. Therefore the file being written would be given the new name wifihome8thu10-00018206.

Now to restart this computation add a -s and the crunch ending point to the crunch side of the CL, i.e. -s 00018206. And add the same number to the -d file being written on the genpmk side. The complete TWCL is as follows:

crunch 8 10 0123456789 -s 00018206 | genpmk -d /media/usb/pmk/wifihome8thu10-00018206 -s "Wifi Home" -f -w -

This will restart at the point where crunch stopped. The genpmk program will look for the file it has written and append the computed pmk to it. Just keep moving the stop number forward each time you begin the computation till the process is complete.

Most WPA passwords that are more than numeric strings are usually based on an existing word in language. Crunch can generate random characters but not specific words used in human communication. Therefore to generate pmk based on common alpha passwords or large dictionary lists we will need to use John the Ripper (JTR).

Here is a TWCL using JTR and genpmk. This can also be stopped and restarted as required. Examples are shown below.

john --session=commonpass --wordlist=/media/usb/wordlists/commonpasswords.txt --rules --stdout | genpmk -d /media/usb/pmk/comonpasswords -s "Wifi Home" -f -w -

To stop the computation use Ctrl-C and wait for JTR to stop.

To restart

john --restore=commonpass | genpmk -d /media/usb/pmk/comonpasswords -s "Wifi Home" -f -w -

You can use a more advanced word mangling routine with JTR. See the thread :

To change your JTR conf file in the /etc/john/ folder easily, try this program

For further crunch commands see:
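
As an added illustration (not from the original post) of why a pmk table is tied to one ESSID and why the ESSID spelling warning above matters: WPA/WPA2-PSK derives the PMK with PBKDF2-HMAC-SHA1 using the ESSID as the salt, so the same passphrase under "Wifi Home " (trailing space) or "wifi home" yields a different key and a table built for "Wifi Home" gets no hit. The candidate list is constructed sample data, and build_table/lookup/essid_problems are hypothetical helper names standing in for what genpmk and its consumers do.

```python
import hashlib

# WPA/WPA2-PSK PMK derivation (IEEE 802.11i): PBKDF2-HMAC-SHA1 with the
# passphrase as key and the ESSID as salt, 4096 iterations, 32-byte output.
ITERATIONS = 4096
PMK_LEN = 32


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """Return the 32-byte PMK for one passphrase/ESSID pair."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), ITERATIONS, PMK_LEN)


def build_table(candidates, essid):
    """Precompute PMKs for a candidate list under one ESSID (what a genpmk
    file holds). Returns {pmk_hex: candidate}."""
    return {wpa_pmk(c, essid).hex(): c for c in candidates}


def lookup(table, passphrase, essid):
    """Return the candidate if the table covers this passphrase/ESSID pair,
    otherwise None. A table built for another ESSID never matches."""
    return table.get(wpa_pmk(passphrase, essid).hex())


def essid_problems(essid: str):
    """Flag the ESSID entry mistakes the post warns about."""
    problems = []
    if essid != essid.strip():
        problems.append("leading/trailing whitespace")
    if len(essid.encode("utf-8")) > 32:  # 802.11 SSID length limit
        problems.append("longer than 32 bytes")
    return problems


if __name__ == "__main__":
    # Constructed sample: three candidates, table built for "Wifi Home".
    candidates = ["12345678", "password1", "Wifihome2014"]
    table = build_table(candidates, "Wifi Home")
    print(lookup(table, "12345678", "Wifi Home"))   # 12345678 (hit)
    print(lookup(table, "12345678", "Wifi Home "))  # None (trailing space)
    print(lookup(table, "12345678", "wifi home"))   # None (case differs)
    print(essid_problems("Wifi Home "))             # ['leading/trailing whitespace']
```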

2014-09-23, 04:39
Thanks for the writeup!!

2014-09-23, 08:10
Protecting your work progress when using John The Ripper

It is very easy to overwrite your john.rec file, which tells John where to restart. We suggest you occasionally make a copy of this file. The file is stored in a hidden folder in root, therefore use:

Applications>Files>view>show hidden files.

Open the .john folder and you will see the john.rec file. To make a copy of the file just Ctrl-C, Ctrl-V over the file. If you make a mistake, erase the john.rec, rename your copy to john.rec, make another copy of the good backup file and restart.


2014-09-25, 03:21
!!!Correction to the above thread!!!

Although there is a john.rec file in the etc/john folder it appears that when giving a session name a rec file is written to the same folder where the wordlist is found. Hence for:

john --session=commonpass --wordlist=/media/usb/wordlists/commonpasswords.txt --rules --stdout

a file called commonpass.rec will be written to /media/usb/wordlists/ and updated approximately every ten minutes.

We suggest you make backups of this file in case you make a mistake in restarting.

Our Mistake