hashcat Forum
can't crack wpa even if key is in dictionary - Printable Version




can't crack wpa even if key is in dictionary - Ajeje - 04-05-2013

Hi, I've used hashcat for a while and I'm super-happy with it, it worked several times for me.

However, on this specific network, it can't find the WPA key even if it is in the dictionary. It goes through the dictionary, then says "Exhausted".

[Image: THBgvCW.jpg]

The WPA key is "mercedes1" (no quotes). Here's the .hccap file: https://mega.co.nz/#!dBRlgRaD!ed3mxHF6NUyMCRODSNQis245JmVRDfnk-Pt8Ljkl6F4

Thank you for your help.


RE: can't crack wpa even if key is in dictionary - Rolf - 04-06-2013

I have tried to reproduce using plus and hc, and also with third-party software.
None found the password as "mercedes1".
Mayhaps it's not "mercedes1"?
Or the hccap is corrupted.


RE: can't crack wpa even if key is in dictionary - atom - 04-06-2013

Can't crack it either. I agree with what Rolf said.


RE: can't crack wpa even if key is in dictionary - Ajeje - 04-06-2013

An online hash cracking service found the password for me, and it is indeed "mercedes1".

Here is a screenshot from the router configuration file [Image: GWcd7Lk.jpg]

I submitted the .cap file to the site (not the .hccap), maybe that's the problem?

Here's the .cap file I submitted to the service:

https://mega.co.nz/#!sBoWzYxK!CH98XwYbB6uGQ7054_1MpAlQ8KpUQMNv_I-ElOdTVag


RE: can't crack wpa even if key is in dictionary - Hash-IT - 04-06-2013

(04-06-2013, 12:54 PM)Ajeje Wrote: An online hash cracking service found the password for me, and it is indeed "mercedes1".

I submitted the .cap file to the site (not the .hccap), maybe that's the problem?

Try making a new password in your router, 0123456789 for example. Recapture it and test that.


RE: can't crack wpa even if key is in dictionary - The Mechanic - 04-06-2013

Way too many captures in that file; aircrack didn't find it, and pyrit missed it until --all-handshakes was used. Get a clean capture, then convert the file.

Code:
#1: AccessPoint 02:24:01:4e:f6:22 ('business'):
  #1: Station 00:1f:c0:cb:64:cd
  #2: Station 00:1a:73:08:f3:09, 13 handshake(s):
    #1: HMAC_MD5_RC4, bad, spread 5
    #2: HMAC_MD5_RC4, bad, spread 6
    #3: HMAC_MD5_RC4, bad, spread 6
    #4: HMAC_MD5_RC4, bad, spread 7
    #5: HMAC_MD5_RC4, bad, spread 7
    #6: HMAC_MD5_RC4, bad, spread 7
    #7: HMAC_MD5_RC4, bad, spread 7
    #8: HMAC_MD5_RC4, bad, spread 8
    #9: HMAC_MD5_RC4, bad, spread 8
    #10: HMAC_MD5_RC4, bad, spread 8
    #11: HMAC_MD5_RC4, bad, spread 9
    #12: HMAC_MD5_RC4, bad, spread 9
    #13: HMAC_MD5_RC4, bad, spread 10
  #3: Station 00:3c:f0:83:07:54
  #4: Station 00:16:37:44:0d:f2
  #5: Station 00:96:28:c8:63:89
  #6: Station 00:b8:ae:cd:61:7f
  #7: Station 00:cb:7b:69:35:7b
  #8: Station 00:48:4f:c3:3b:21
  #9: Station 00:0a:cd:04:8b:f5
  #10: Station 00:79:3e:80:f4:4d
  #11: Station 00:c4:63:6a:00:3a
  #12: Station 00:38:89:f3:d2:64
  #13: Station 00:bd:e8:87:e9:90
  #14: Station 00:84:ba:2b:a8:2b
  #15: Station 00:26:38:ab:aa:94
  #16: Station 00:cd:8a:ff:6c:84
  #17: Station 00:66:1c:80:70:2d
  #18: Station 00:27:92:e2:6f:1a
  #19: Station 00:ef:e4:31:f3:70
  #20: Station 00:1d:6f:9a:da:64
  #21: Station f0:1c:13:cc:d6:bd, 52 handshake(s):
    #1: HMAC_MD5_RC4, good, spread 1
    #2: HMAC_MD5_RC4, good, spread 1
    #3: HMAC_MD5_RC4, good, spread 1
    #4: HMAC_MD5_RC4, good, spread 1
    #5: HMAC_MD5_RC4, good, spread 1
    #6: HMAC_MD5_RC4, good, spread 1
    #7: HMAC_MD5_RC4, good, spread 1
    #8: HMAC_MD5_RC4, good, spread 1
    #9: HMAC_MD5_RC4, good, spread 3
    #10: HMAC_MD5_RC4, good, spread 3
    #11: HMAC_MD5_RC4, good, spread 3
    #12: HMAC_MD5_RC4, good, spread 4
    #13: HMAC_MD5_RC4, good, spread 4
    #14: HMAC_MD5_RC4, good, spread 5
    #15: HMAC_MD5_RC4, good, spread 5
    #16: HMAC_MD5_RC4, good, spread 6
    #17: HMAC_MD5_RC4, good, spread 6
    #18: HMAC_MD5_RC4, good, spread 6
    #19: HMAC_MD5_RC4, good, spread 7
    #20: HMAC_MD5_RC4, good, spread 9
    #21: HMAC_MD5_RC4, good, spread 10
    #22: HMAC_MD5_RC4, good, spread 10
    #23: HMAC_MD5_RC4, good, spread 10
    #24: HMAC_MD5_RC4, good, spread 10
    #25: HMAC_MD5_RC4, good, spread 10
    #26: HMAC_MD5_RC4, good, spread 11
    #27: HMAC_MD5_RC4, good, spread 11
    #28: HMAC_MD5_RC4, good, spread 11
    #29: HMAC_MD5_RC4, good, spread 14
    #30: HMAC_MD5_RC4, good, spread 15
    #31: HMAC_MD5_RC4, good, spread 15
    #32: HMAC_MD5_RC4, good, spread 17
    #33: HMAC_MD5_RC4, good, spread 17
    #34: HMAC_MD5_RC4, good, spread 17
    #35: HMAC_MD5_RC4, good, spread 18
    #36: HMAC_MD5_RC4, good, spread 21
    #37: HMAC_MD5_RC4, good, spread 21
    #38: HMAC_MD5_RC4, good, spread 21
    #39: HMAC_MD5_RC4, good, spread 22
    #40: HMAC_MD5_RC4, good, spread 23
    #41: HMAC_MD5_RC4, good, spread 23
    #42: HMAC_MD5_RC4, good, spread 23
    #43: HMAC_MD5_RC4, good, spread 25
    #44: HMAC_MD5_RC4, good, spread 28
    #45: HMAC_MD5_RC4, good, spread 29
    #46: HMAC_MD5_RC4, good, spread 33
    #47: HMAC_MD5_RC4, bad, spread 23
    #48: HMAC_MD5_RC4, bad, spread 29
    #49: HMAC_MD5_RC4, bad, spread 34
    #50: HMAC_MD5_RC4, bad, spread 41
    #51: HMAC_MD5_RC4, bad, spread 45
    #52: HMAC_MD5_RC4, bad, spread 53
  #22: Station 00:18:cd:c4:17:39
  #23: Station 00:90:9d:6f:13:a5
  #24: Station 00:50:c5:3c:d7:ae
  #25: Station 00:b2:51:9f:fa:39
  #26: Station 00:47:f3:26:b7:06
  #27: Station 00:75:61:bd:f5:55
  #28: Station 00:d8:af:81:28:22
  #29: Station 00:26:19:a8:d1:c3
  #30: Station 00:68:0e:47:e8:7e
  #31: Station 00:ad:b6:84:5b:74
  #32: Station 00:57:c1:48:88:b4



RE: can't crack wpa even if key is in dictionary - atom - 04-07-2013

I can't say it often enough.

Use the "wpaclean" utility before converting!

See how it works afterwards:

Code:
root@sf:~/crackers/aircrack-ng/src# ./wpaclean x.cap /root/sniff_dump-11.cap
Pwning /root/sniff_dump-11.cap (1/1 100%)
Net 02:24:01:4e:f6:22 business
Done
root@sf:~/crackers/aircrack-ng/src# ./aircrack-ng -J x x.cap
Opening x.cap
Read 3 packets.

   #  BSSID              ESSID                     Encryption

   1  02:24:01:4E:F6:22  business                  WPA (1 handshake)

Choosing first network as target.

Opening x.cap
Reading packets, please wait...

Building Hashcat (1.00) file...

[*] ESSID (length: 8): business
[*] Key version: 1
[*] BSSID: 02:24:01:4E:F6:22
[*] STA: F0:1C:13:CC:D6:BD
[*] anonce:
    23 7E AE 2C 9F 6F 54 78 1A 95 D3 4C 18 B2 1D A8
    A6 C5 8F D1 80 F6 A5 EE 64 E7 29 49 65 82 FB A5
[*] snonce:
    64 08 6B F3 EA D0 EE 92 33 26 33 30 AC 84 5F 1B
    54 50 82 9C EE 86 F3 45 47 53 D6 C0 1D BE A5 99
[*] Key MIC:
    27 51 A2 9D 08 83 A0 98 BB 11 AF F5 4D E8 95 5D
[*] eapol:
    01 03 00 77 FE 01 09 00 20 00 00 00 00 00 00 00
    02 64 08 6B F3 EA D0 EE 92 33 26 33 30 AC 84 5F
    1B 54 50 82 9C EE 86 F3 45 47 53 D6 C0 1D BE A5
    99 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 18 DD 16 00 50 F2 01 01 00 00 50 F2 02 01
    00 00 50 F2 02 01 00 00 50 F2 02

Successfully written to x.hccap


Quitting aircrack-ng...
root@sf:~/crackers/aircrack-ng/src# cp x.hccap /root/xy/oclHashcat-plus-0.15
root@sf:~/crackers/aircrack-ng/src# cd /root/xy/oclHashcat-plus-0.15/
root@sf:~/xy/oclHashcat-plus-0.15# echo mercedes1 > testdict
root@sf:~/xy/oclHashcat-plus-0.15# ./oclHashcat-plus64.bin -m 2500 x.hccap testdict        
oclHashcat-plus v0.15 by atom starting...

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
Workload: 16 loops, 8 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Cayman, 1024MB, 830Mhz, 24MCU
Device #2: Cayman, 1024MB, 830Mhz, 24MCU
Device #3: Cayman, 1024MB, 830Mhz, 24MCU
Device #4: Cayman, 1024MB, 830Mhz, 24MCU
Device #1: Kernel ./kernels/4098/m2500.Cayman_1084.4_1084.4.kernel (1810128 bytes)
Device #2: Kernel ./kernels/4098/m2500.Cayman_1084.4_1084.4.kernel (1810128 bytes)
Device #3: Kernel ./kernels/4098/m2500.Cayman_1084.4_1084.4.kernel (1810128 bytes)
Device #4: Kernel ./kernels/4098/m2500.Cayman_1084.4_1084.4.kernel (1810128 bytes)

Cache-hit dictionary stats testdict: 10 bytes, 1 words, 1 keyspace

business:mercedes1                          
                                            
Session.Name...: oclHashcat-plus
Status.........: Cracked
Input.Mode.....: File (testdict)
Hash.Target....: business (02:24:01:4e:f6:22 <-> f0:1c:13:cc:d6:bd)
Hash.Type......: WPA/WPA2
Time.Started...: Sun Apr  7 09:47:08 2013 (1 sec)
Speed.GPU.#1...:        0/s
Speed.GPU.#2...:        0/s
Speed.GPU.#3...:        0/s
Speed.GPU.#4...:        0/s
Speed.GPU.#*...:        0/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 1/1 (100.00%)
Rejected.......: 0/1 (0.00%)
HWMon.GPU.#1...:  0% Util, 43c Temp, 29% Fan
HWMon.GPU.#2...:  0% Util, 41c Temp, N/A Fan
HWMon.GPU.#3...:  0% Util, 40c Temp, 29% Fan
HWMon.GPU.#4...:  0% Util, 38c Temp, N/A Fan

Started: Sun Apr  7 09:47:08 2013
Stopped: Sun Apr  7 09:47:09 2013
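
Added example, not part of the original thread: the standard WPA (key version 1) MIC check in Python, fed with the values aircrack-ng printed above, to show why a capture full of handshake attempts can fail on the right passphrase. The MIC only verifies when the ANonce belongs to the same exchange as the message 2 frame; OTHER_ANONCE is a constructed stand-in for a nonce from a different attempt, and the function names are this example's own.

```python
import hashlib
import hmac

# Values copied from the aircrack-ng -J output quoted in the thread
ESSID = b"business"
AP_MAC = bytes.fromhex("0224014ef622")
STA_MAC = bytes.fromhex("f01c13ccd6bd")
ANONCE = bytes.fromhex("237eae2c9f6f54781a95d34c18b21da8"
                       "a6c58fd180f6a5ee64e729496582fba5")
SNONCE = bytes.fromhex("64086bf3ead0ee9233263330ac845f1b"
                       "5450829cee86f3454753d6c01dbea599")
CAPTURED_MIC = bytes.fromhex("2751a29d0883a098bb11aff54de8955d")

# Constructed: stands in for message 1 of a different handshake attempt
OTHER_ANONCE = bytes(reversed(ANONCE))

# EAPOL-Key message 2 rebuilt field by field, with the MIC field zeroed
EAPOL = (bytes.fromhex("01030077")             # 802.1X header, body length 0x77
         + bytes.fromhex("fe01090020")         # descriptor type, key info, key length
         + bytes.fromhex("0000000000000002")   # replay counter
         + SNONCE                              # key nonce
         + bytes(48)                           # key IV, RSC, key ID, zeroed MIC
         + bytes.fromhex("0018")               # key data length (24)
         + bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202"))


def compute_mic(passphrase, anonce):
    """Derive the KCK from passphrase and nonces, then MIC the message 2 frame."""
    # PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ESSID, 4096, 32)
    # PRF input: both MACs and both nonces, each pair ordered low to high
    data = (min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC)
            + min(anonce, SNONCE) + max(anonce, SNONCE))
    # First PRF block; its first 16 bytes are the key confirmation key (KCK)
    kck = hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00",
                   hashlib.sha1).digest()[:16]
    # Key version 1 (WPA/TKIP) authenticates the frame with HMAC-MD5
    return hmac.new(kck, EAPOL, hashlib.md5).digest()


def mic_matches(passphrase, anonce):
    """True when the derived MIC equals the one captured in message 2."""
    return hmac.compare_digest(compute_mic(passphrase, anonce), CAPTURED_MIC)


if __name__ == "__main__":
    print("paired ANonce:    ", mic_matches("mercedes1", ANONCE))
    print("mismatched ANonce:", mic_matches("mercedes1", OTHER_ANONCE))
```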



RE: can't crack wpa even if key is in dictionary - Ajeje - 04-09-2013

Thanks a lot guys! :)