hashcat Forum
can a WPA hash be cracked with other than "2500" hash mode? - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: can a WPA hash be cracked with other than "2500" hash mode? (/thread-7308.html)



can a WPA hash be cracked with other than "2500" hash mode? - basskleff - 02-15-2018

Hi,

Did some thread-reading, found some leads, but not quite there yet.
 
I am testing cracking of WPA/WPA2 access point passwords.
My question is if one of the other hashcat md5 or sha1 hashing modes (e.g. "-m 10 : md5($pass.$salt)"; "-m 110 : sha1($pass.$salt)") can emulate and be used in lieu of the straight WPA (-m 2500) hash mode method, if one is able to extract the md5/sha1 hash and the access point salt (essid) from the hccap or hccapx capture file? And if so, how does one compose the right argument?

The reason behind the question is speed of recovery.
I had researched the format of the hccap/hccapx hashcat file, and I found that I could identify within there, the 32bit (16 hex pairs) md5 hash of the password/passphrase using the unix xxd hex editor.
Well, I thought, great! Just attack the raw md5, and you'll get the right password, because of md5 speeds like:

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 980 Ti, 1536/6144 MB allocatable, 22MCU
* Device #2: GeForce GTX 980 Ti, 1536/6144 MB allocatable, 22MCU
Benchmark relevant options:
===========================
* --optimized-kernel-enable
Hashmode: 0 - MD5
Speed.Dev.#1.....: 18560.3 MH/s (39.66ms)
Speed.Dev.#2.....: 17836.5 MH/s (41.41ms)
Speed.Dev.#*.....: 36396.8 MH/s

versus wpa mode:

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 980 Ti, 1536/6144 MB allocatable, 22MCU
* Device #2: GeForce GTX 980 Ti, 1536/6144 MB allocatable, 22MCU
Benchmark relevant options:
===========================
* --optimized-kernel-enable
Hashmode: 2500 - WPA/WPA2
Speed.Dev.#1.....:   316.8 kH/s (70.56ms)
Speed.Dev.#2.....:   305.2 kH/s (73.41ms)
Speed.Dev.#*.....:   622.0 kH/s

But, alas, I'm still learning, and it was invalid. Only the wpa hash mode was able to recover my test access point password from a test dictionary. I used jtr to generate an 18MB dictionary, and then I vi edited and buried my actual a.p. password in there.
So, in the following, "junk" is my dictionary with actual password spliced in.
"myap-hex-hash" is a 1 line 32-character, hex md5 hash file. The rest should make sense.

hashcat64 -m 0 myap-hex-hash -D 2 junk      <- Did not work
hashcat64 -m 2500 myap.hccapx -D 2 junk     <- WORKED and FOUND

What would be the right command to do this with 1 of the other faster MD5/SHA1 hash modes?  Is it possible?

Thanks,

BK


RE: can a WPA hash be cracked with other than "2500" hash mode? - undeath - 02-15-2018

(02-15-2018, 04:01 PM)basskleff Wrote: I had researched the format of the hccap/hccapx hashcat file, and I found that I could identify within there, the 32bit (16 hex pairs) md5 hash of the password/passphrase using the unix xxd hex editor.

Your research abilities suck. There is a reason hashcat has different hash modes. You could spend your time on researching how the WPA handshake works. No, there is no magic way to speed up WPA cracking. Yes, there is indeed a reason for different hash modes and the developers are not retarded.
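The following is an added example, not code from this thread or from hashcat, that walks through the WPA/WPA2 handshake math the reply above refers to, so the original question can be answered concretely. The 16-byte field the original poster found in the hccap/hccapx file is the EAPOL-Key MIC: a keyed HMAC (HMAC-MD5 for WPA/TKIP, HMAC-SHA1 truncated to 16 bytes for WPA2/CCMP) whose key, the KCK, is the first 16 bytes of the PTK, which is itself derived from the PMK, which is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt and 4096 iterations. None of these steps is a plain md5($pass) or md5($pass.$salt), which is why -m 0 cannot match it and why -m 2500 is roughly four orders of magnitude slower per candidate. All ESSID, MAC, nonce and EAPOL values below are constructed for the example; the one real value is the IEEE 802.11 PBKDF2 test vector ("password"/"IEEE") used to sanity-check the PMK step.

```python
import hashlib
import hmac

# Constructed sample handshake values (not from any real capture).
ESSID = b"ExampleAP"
PASSPHRASE = b"correct horse battery"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))           # constructed authenticator nonce
SNONCE = bytes(range(100, 132))     # constructed supplicant nonce
MIC_OFFSET = 81                     # MIC field offset from start of the EAPOL frame


def derive_pmk(passphrase: bytes, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, essid, 4096, 32 bytes).
    This is the expensive step: 4096 HMAC-SHA1 rounds for every candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, essid, 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from IEEE 802.11i: HMAC-SHA1 over the label, both MACs and both nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]                 # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]


def build_eapol_msg2(snonce: bytes, key_info: int) -> bytes:
    """Constructed EAPOL-Key message 2 (supplicant -> AP) with the MIC field zeroed."""
    body = (bytes([2])                           # descriptor type: RSN
            + key_info.to_bytes(2, "big")        # key information (low 3 bits = descriptor version)
            + (16).to_bytes(2, "big")            # key length
            + (1).to_bytes(8, "big")             # replay counter
            + snonce
            + bytes(16) + bytes(8) + bytes(8)    # key IV, RSC, key ID
            + bytes(16)                          # MIC, zero while it is being computed
            + (0).to_bytes(2, "big"))            # key data length
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body   # 802.1X header: version 1, type EAPOL-Key


def compute_mic(kck: bytes, eapol: bytes, version: int) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field zeroed, keyed with the KCK."""
    frame = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    if version == 1:                # WPA / TKIP: HMAC-MD5, full 16 bytes
        return hmac.new(kck, frame, hashlib.md5).digest()
    if version == 2:                # WPA2 / CCMP: HMAC-SHA1 truncated to 16 bytes
        return hmac.new(kck, frame, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version")


def verify_candidate(candidate: bytes, essid: bytes, ap_mac: bytes, sta_mac: bytes,
                     anonce: bytes, snonce: bytes, eapol: bytes, mic: bytes) -> bool:
    """What -m 2500 has to do per candidate: PBKDF2 -> PRF-512 -> keyed MIC -> compare."""
    version = int.from_bytes(eapol[5:7], "big") & 0x7
    pmk = derive_pmk(candidate, essid)
    kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    return hmac.compare_digest(compute_mic(kck, eapol, version), mic)


def demo() -> dict:
    """Build both MIC flavours for the constructed handshake and compare them with md5(passphrase)."""
    results = {}
    kck = derive_ptk(derive_pmk(PASSPHRASE, ESSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    for version, key_info in ((1, 0x0109), (2, 0x010A)):
        eapol = build_eapol_msg2(SNONCE, key_info)
        mic = compute_mic(kck, eapol, version)
        results[version] = {
            "mic_hex": mic.hex(),
            # The 16-byte MIC looks like an MD5 digest but is never md5($pass).
            "equals_md5_of_passphrase": mic == hashlib.md5(PASSPHRASE).digest(),
            "correct_verifies": verify_candidate(PASSPHRASE, ESSID, AP_MAC, STA_MAC,
                                                 ANONCE, SNONCE, eapol, mic),
            "wrong_verifies": verify_candidate(b"wrong passphrase", ESSID, AP_MAC, STA_MAC,
                                               ANONCE, SNONCE, eapol, mic),
        }
    return results


if __name__ == "__main__":
    for version, r in demo().items():
        print(f"descriptor version {version}: mic={r['mic_hex']} "
              f"md5(pass)? {r['equals_md5_of_passphrase']} "
              f"correct={r['correct_verifies']} wrong={r['wrong_verifies']}")
```

The benchmark figures quoted in the first post fall out of this chain: raw MD5 is one compression function per candidate, while the WPA path is 4096 HMAC-SHA1 iterations (two SHA1 blocks each) plus the PRF and the MIC, which is the ratio between roughly 36 GH/s and roughly 600 kH/s on the same cards. Only the PMK depends on the passphrase and ESSID, so a PMK precomputed for one ESSID can be reused against any handshake from that network, but nothing removes the PBKDF2 cost for a new passphrase guess.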


RE: can a WPA hash be cracked with other than "2500" hash mode? - atom - 02-15-2018

Why MD5? MD4!