hashcat Forum
Extreme NewBie here - Printable Version




Extreme NewBie here - Oyama - 06-26-2024

Hi all,
I captured a handshake, all good; used aircrack, password revealed in 3 sec via rockyou.txt. Great.

aircrack-ng -b 10:13:31:X:X:X Hash-01.cap -w rockyou.txt

Now for hashcat...

convert cap https://hashcat.net/cap2hashcat/

Tried the following commands:
hashcat -m 22000 hash.hc22000 rockyou.txt

hashcat -m 22000 hash.hc22000 rockyou.txt  -a 0

returns exhausted

Any ideas what I'm doing wrong?

Thanks in advance


RE: Extreme NewBie here - ZerBea - 06-26-2024

Without additional information, this question cannot be answered.
Please attach original dump (cap) file.

The wiki might be helpful, too:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2


RE: Extreme NewBie here - Oyama - 06-26-2024

Thanks for getting back to me, I'm happy to provide any info, not sure which?

Forgot to add: using Windows 10 and hashcat 6.2.6


RE: Extreme NewBie here - ZerBea - 06-26-2024

Thanks.
The attached hash.hc22000 file does not belong to the dump file Hash-01.cap!

attached hash file:
Code:
$ hcxhashtool -i hash.hc22000 --info=stdout
SSID.......: WiFi-2XDJ
MAC_AP.....: c486e9a51414 (HUAWEI TECHNOLOGIES CO.,LTD)
MAC_CLIENT.: 7cb37b743032 (Qingdao Intelligent&Precise Electronics Co.,Ltd.)
PMKID......: 506e98076dc071bd5409a669613af0ba
HASHLINE...: WPA*01*506e98076dc071bd5409a669613af0ba*c486e9a51414*7cb37b743032*576946692d3258444a***

SSID.......: WiFi-2XDJ
MAC_AP.....: c486e9a51414 (HUAWEI TECHNOLOGIES CO.,LTD)
MAC_CLIENT.: 985fd3290ad0 (Microsoft Corporation)
PMKID......: 60fbeee3ab7f89fbcb4944de59204c6f
HASHLINE...: WPA*01*60fbeee3ab7f89fbcb4944de59204c6f*c486e9a51414*985fd3290ad0*576946692d3258444a***

SSID.......: WiFi-2XDJ
MAC_AP.....: c486e9a51414 (HUAWEI TECHNOLOGIES CO.,LTD)
MAC_CLIENT.: 985fd3290ad0 (Microsoft Corporation)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
NC INFO....: NC not detected
EAPOL MSG..: 2
MP M2M3 E2.: authorized
MIC........: 4f1640c74e9630e699ce68f8e4d65372
HASHLINE...: WPA*02*4f1640c74e9630e699ce68f8e4d65372*c486e9a51414*985fd3290ad0*576946692d3258444a*742a957ce0c51ee58129345dddda249712b701547bbf8cb994e966536614e82f*0103007502010a00000000000000000001045fe84dd4c4a498551d939f0dc062c6e18862490f8eba22eb9567cc71697e51000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac022800*a2


hash file calculated from the dump file:
Code:
$ hcxpcapngtool Hash-01.cap -o test.hc22000
hcxpcapngtool 6.3.4-25-gc910c18 reading from Hash-01.cap...

summary capture file
--------------------
file name.................................: Hash-01.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 26.06.2024 02:23:45
timestamp maximum (GMT)..................: 26.06.2024 02:24:25
duration of the dump tool (seconds)......: 39
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianness (capture system)..............: little endian
packets inside...........................: 3351
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 11
ACTION (total)...........................: 8
ACTION (containing ESSID)................: 1
PROBERESPONSE (total)....................: 24
DEAUTHENTICATION (total).................: 384
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
WPA encrypted............................: 753
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum msec)....: 43
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead. The PCAP Next Generation dump file format is an attempt to overcome the limitations of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: radiotap header is missing!
Radiotap is a de facto standard for 802.11 frame injection and reception. The radiotap header format is a mechanism to supply additional information about frames, from the driver to userspace applications.
https://www.radiotap.org/

Warning: too many deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER, renew ANONCE and set PMKID to zero. This could prevent to calculate a valid EAPOL MESSAGE PAIR, to get a valid PMKID or to decrypt the traffic.

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
Duration of the dump tool was a way too short to capture enough additional information.

session summary
---------------
processed cap files...................: 1


$ hcxhashtool -i test.hc22000 --info=stdout
SSID.......: ripsnorter
MAC_AP.....: 10133161d40b (Technicolor Delivery Technologies Belgium NV)
MAC_CLIENT.: 28c21f943ced (SAMSUNG ELECTRO-MECHANICS(THAILAND))
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
NC INFO....: hashcat default NC activated
EAPOL MSG..: 2
MP M2M3 E2.: authorized
MIC........: 87ae84defb09695745b9caf69f1d6abd
HASHLINE...: WPA*02*87ae84defb09695745b9caf69f1d6abd*10133161d40b*28c21f943ced*726970736e6f72746572*08abf5b83d3f681fbdd36c1eb19f7dedd35c2eeac21be77e08bf1a7ef9f5ff48*0103007502010a000000000000000000016e1ccb7281fbb93d342c7cf14d59178afef2cf48ede984d3d7ddc0a98b4496da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac028c00*82

running hashcat on this file, the PSK will be recovered:
Code:
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: /tmp/test.hc22000
Time.Started.....: Wed Jun 26 07:36:48 2024 (1 sec)
Time.Estimated...: Wed Jun 26 07:36:49 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/tmp/rockyou.txt.tar.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   165.8 kH/s (11.46ms) @ Accel:256 Loops:64 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 314567/14344383 (2.19%)
Rejected.........: 183495/314567 (58.33%)
Restore.Point....: 0/14344383 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456789 -> brownie01
Hardware.Mon.#1..: Temp: 45c Util: 48% Core:1530MHz Mem:3500MHz Bus:8



RE: Extreme NewBie here - ZerBea - 06-26-2024

BTW:
hashcat is also able to recover the PSK from the first hash file (hash.hc22000):

Code:
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: /tmp/hash.hc22000
Time.Started.....: Wed Jun 26 07:42:39 2024 (3 mins, 33 secs)
Time.Estimated...: Wed Jun 26 07:46:12 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: removed
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   160.1 kH/s (11.51ms) @ Accel:64 Loops:256 Thr:32 Vec:1
Recovered........: 3/3 (100.00%) Digests (total), 3/3 (100.00%) Digests (new)
Progress.........: 33980416/100000000 (33.98%)
Rejected.........: 0/33980416 (0.00%)
Restore.Point....: 3375104/10000000 (33.75%)
Restore.Sub.#1...: Salt:0 Amplifier:6-7 Iteration:2-5
Candidate.Engine.: Device Generator
Candidates.#1....: removed
Hardware.Mon.#1..: Temp: 64c Util: 94% Core:1755MHz Mem:4001MHz Bus:8

Started: Wed Jun 26 07:42:36 2024
Stopped: Wed Jun 26 07:46:13 2024



RE: Extreme NewBie here - ZerBea - 06-26-2024

To answer your question: Any ideas what I'm doing wrong?
Check your environment and your workflow.
Make sure all important information is captured -> no warnings and error messages from hcxpcapngtool.
Make sure the dump files contain the traffic of the target.
Make sure the converted hash files belong to the dump files.

If you decide to use airodump-ng / besside-ng to capture the traffic -> stay inside the aircrack-ng suite and use aircrack-ng
If you decide to use hashcat -> this is the recommended way https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
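As an added example of the "converted hash files belong to the dump files" check (this is not the thread's, hashcat's or hcxtools' code), the Python script below parses the leading fields of the WPA*01 / WPA*02 lines in a 22000 hash file, decodes the ESSID and compares the AP MAC with the BSSID the capture targeted. The sample lines are constructed from the hcxhashtool output earlier in the thread, and the BSSID 10:13:31:61:d4:0b is the MAC_AP hcxhashtool reported for the hash calculated from Hash-01.cap.

```python
# Added example, not code from the thread or from hcxtools/hashcat: parse the
# first fields of WPA*01 / WPA*02 lines in a hashcat 22000 hash file and check
# that the AP MAC (BSSID) and ESSID match the network the capture was taken from.
import binascii
from dataclasses import dataclass

# Constructed sample: the PMKID line from hash.hc22000 and the EAPOL line from
# test.hc22000 as shown by hcxhashtool above; the ANONCE/EAPOL fields of the
# second line are shortened here because this check does not use them.
SAMPLE_HASHES = """\
WPA*01*506e98076dc071bd5409a669613af0ba*c486e9a51414*7cb37b743032*576946692d3258444a***
WPA*02*87ae84defb09695745b9caf69f1d6abd*10133161d40b*28c21f943ced*726970736e6f72746572*08abf5b8*01030075*82
"""

@dataclass
class Hash22000:
    kind: str        # "PMKID" (WPA*01) or "EAPOL" (WPA*02)
    mac_ap: str      # 12 lowercase hex digits, no separators
    mac_client: str
    essid: str       # decoded from the hex ESSID field

def parse_line(line: str) -> Hash22000:
    """Split one 22000 line: WPA*type*pmkid-or-mic*mac_ap*mac_client*essid*anonce*eapol*msgpair."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError(f"not a 22000 hash line: {line[:40]!r}")
    kind = "PMKID" if fields[1] == "01" else "EAPOL"
    essid = binascii.unhexlify(fields[5]).decode("utf-8", errors="replace")
    return Hash22000(kind, fields[3].lower(), fields[4].lower(), essid)

def norm_mac(mac: str) -> str:
    """Accept 10:13:31:61:d4:0b, 10-13-31-61-d4-0b or 10133161d40b."""
    return mac.replace(":", "").replace("-", "").lower()

def lines_for_bssid(text: str, bssid: str) -> list[Hash22000]:
    """Return the parsed lines whose AP MAC equals the BSSID the capture targeted."""
    want = norm_mac(bssid)
    parsed = (parse_line(l) for l in text.splitlines() if l.strip())
    return [h for h in parsed if h.mac_ap == want]

if __name__ == "__main__":
    # The BSSID below is the MAC_AP hcxhashtool reported for the hash from Hash-01.cap.
    for h in lines_for_bssid(SAMPLE_HASHES, "10:13:31:61:d4:0b"):
        print(f"{h.kind} line for ESSID {h.essid!r}, client {h.mac_client}")
    # No output here means the hash file does not belong to that capture.
```

Run against the real hash.hc22000 with the BSSID from the aircrack-ng -b option, an empty result is exactly the mismatch ZerBea found.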


RE: Extreme NewBie here - Oyama - 06-26-2024

(06-26-2024, 07:58 AM)ZerBea Wrote: To answer your question: Any ideas what I'm doing wrong?
Check your environment and your workflow.
Make sure all important information is captured -> no warnings and error messages from hcxpcapngtool.
Make sure the dump files contain the traffic of the target.
Make sure the converted hash files belong to the dump files.

If you decide to use airodump-ng / besside-ng to capture the traffic -> stay inside the aircrack-ng suite and use aircrack-ng
If you decide to use hashcat -> this is the recommended way https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

My bad, I archived the wrong file.


RE: Extreme NewBie here - ZerBea - 06-26-2024

That can happen.

BTW:
It's one of the reasons why we moved from binary hccapx file to ASCII hash file. The new format is much better to handle / readable by common bash tools.


RE: Extreme NewBie here - Oyama - 06-27-2024

(06-26-2024, 08:31 AM)ZerBea Wrote: That can happen.

BTW:
It's one of the reasons why we moved from binary hccapx file to ASCII hash file. The new format is much better to handle / readable by common bash tools.

Thanks for all the recommendations, I have a bit to learn.


RE: Extreme NewBie here - Oyama - 06-28-2024

(06-27-2024, 05:22 AM)Oyama Wrote:
(06-26-2024, 08:31 AM)ZerBea Wrote: That can happen.

BTW:
It's one of the reasons why we moved from binary hccapx file to ASCII hash file. The new format is much better to handle / readable by common bash tools.

Thanks for all the recommendations, I have a bit to learn.

Well, I found the culprit...
Turns out all my issues ended up being the HIP API (HIP 4.4), even though I received no errors whatsoever.

Many, many hours playing with commands etc...

D:\hashcat-6.2.6>hashcat.exe -d 2 -m 22000 -w 2 43897582.hc22000 rockyou.txt --advice-disable  --status --status-timer=5

HIP API (HIP 4.4)
=================
* Device #1: Radeon RX 580 Series, skipped

OpenCL API (OpenCL 2.1 AMD-APP (3380.6)) - Platform #1 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #2: Radeon RX 580 Series, 8064/8192 MB (6745 MB allocatable), 36MCU


a8b0ddb0fc0dc4d30c0fe3e085b2e9c7:10133161d40b:28c21f943ced:U_Found_Me:43897582
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: 43897582.hc22000
Time.Started.....: Fri Jun 28 20:32:33 2024 (1 sec)
Time.Estimated...: Fri Jun 28 20:32:34 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  213.3 kH/s (10.49ms) @ Accel:16 Loops:64 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 147457/20217108 (0.73%)
Rejected.........: 1/147457 (0.00%)
Restore.Point....: 0/20217108 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#2....: 12345678 -> 045702513
Hardware.Mon.#2..: Temp: 63c Fan: 41% Util:  4% Core:1385MHz Mem:2000MHz Bus:16
Started: Fri Jun 28 20:32:29 2024
Stopped: Fri Jun 28 20:32:35 2024

Hope this may help others.