WPA/WPA2 batch processing - Printable Version
hashcat Forum (https://hashcat.net/forum) / Support (https://hashcat.net/forum/forum-3.html) / hashcat (https://hashcat.net/forum/forum-45.html) / Thread: WPA/WPA2 batch processing (/thread-7833.html)

WPA/WPA2 batch processing - v00razz - 09-26-2018

Hello,

I heard I can batch process hccapx files to make cracking same-name APs faster, but I got questions:

Does it really work for different APs but with the same name?
Should I use airolib-ng for batching, or should I use something else?
How can I batch process PMKID (.16800) files? If not, then how do I convert .16800 to .hccapx?

RE: WPA/WPA2 batch processing - Mem5 - 09-26-2018

By 'name' you mean ESSID I guess.
ESSID is the salt to the WPA algorithm, so yes you can 'merge' packets if they have exactly the same ESSID.
See wlanhcx2essid at https://github.com/ZerBea/hcxtools
You'll need to have hccapx files, not pmkid.

RE: WPA/WPA2 batch processing - v00razz - 09-26-2018

(09-26-2018, 04:03 PM) Mem5 Wrote:
    By 'name' you mean ESSID I guess.
    ESSID is the salt to the WPA algorithm, so yes you can 'merge' packets if they have exactly the same ESSID.

Damn, I hoped for PMKIDs because the PMKID attack is more successful than deauthing.
AFAIK hccapx is obtainable only by deauthing, or is there another way?

RE: WPA/WPA2 batch processing - ZerBea - 09-27-2018

Working on hashfile.16800 is easy to handle (much easier than working on hccapx files), as it is a txt file.
That means every bash command is working on that file.
For example: get all ESSIDs with network name ASUS

    cat hashfile.16800 | grep '*41535553' | awk 'length($0) == 67' > ASUS.16800

RE: WPA/WPA2 batch processing - v00razz - 09-27-2018

(09-27-2018, 10:58 AM) ZerBea Wrote:
    Working on hashfile.16800 is easy to handle (much easier than working on hccapx files), as it is a txt file.

What did that do? How do I put that information to use? Did that scan the whole folder for .16800 files with the same ESSID and join them in one file? And that's supposed to make it faster, right? Please explain.

Also, I've seen that you can precompute password lists for a specific ESSID with airolib-ng, which allows x9 greater speeds in my case, but it requires .cap files I think. How to do it with .16800 files??

RE: WPA/WPA2 batch processing - ZerBea - 09-27-2018

Ok, now I know what you mean with "batch processing". That is aircrack-ng and/or pyrit style.
hashcat provides this feature with hashmode 2501 (for hccapx) and 16801 (for PMKID).
In both cases you must use a PMK (plainmasterkey) file as wordlist. It is the same for both hashmodes!
You can pre-calculate PMKs from ESSID and PSK using the PBKDF2 algorithm.
hcxkeys will do this for you (on GPU): https://github.com/ZerBea/hcxkeys

That mode is very fast using hashcat:

    Session..........: hashcat
    Status...........: Exhausted
    Hash.Type........: WPA-PMKID-PMK
    Hash.Target......: hashfile.16801
    Time.Started.....: Thu Sep 27 15:13:24 2018 (21 secs)
    Time.Estimated...: Thu Sep 27 15:13:45 2018 (0 secs)
    Guess.Base.......: File (pmklist)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........: 115.2 MH/s (0.00ms) @ Accel:128 Loops:1024 Thr:1024 Vec:1
    Recovered........: 435/25676 (1.69%) Digests, 433/24808 (1.75%) Salts
    Recovered/Time...: CUR:N/A,N/A,N/A AVG:1282,76947,1846729 (Min,Hour,Day)
    Progress.........: 2288091456/2288091456 (100.00%)
    Rejected.........: 0/2288091456 (0.00%)
    Restore.Point....: 92232/92232 (100.00%)
    Restore.Sub.#1...: Salt:24807 Amplifier:0-1 Iteration:0-1
    Candidates.#1....: 0000000000000000000000000000000000000000000000000000000000000000 -> ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    Hardware.Mon.#1..: Temp: 51c Fan: 36% Util: 47% Core:1898MHz Mem:5005MHz Bus:16

    Started: Thu Sep 27 15:12:43 2018
    Stopped: Thu Sep 27 15:13:46 2018

Take a look at the hashfiles for mode 16800 and 16801. 16801 doesn't have an ESSID and doesn't need an ESSID!

And again: bash commands (cat, cut, tail, grep, awk, split, sort, ...) are your friends.
You can use them to generate the basic input wordlists.
You can use them to split potfiles into the parts/columns you need for a later calculation.
The -h option of the tools is your friend, too. The same applies to readme files.

RE: WPA/WPA2 batch processing - v00razz - 09-27-2018

(09-27-2018, 03:15 PM) ZerBea Wrote:
    Ok, now I know what you mean with "batch processing". That is aircrack-ng and/or pyrit style.

Thank you so much for that reply. I've downloaded this tool and I tried making it work. This is how far I got.

I ran:

    wlangenpmkocl -e Katarina -i wordlist -A pmkfile

cat wordlist:

    katarina
    passw123

I get pmkfile. cat pmkfile:

    181ad8169bf942af7d05a3cbd4f200f5f958ea8db4b5a768e17c716a30f61ff5:katarina
    d99893b4593b3abc4c1179bd70c6244072ae4521047d4c449ecf90e8b2b3501f:passw123

cat Katarina.16800 (original PMKID capture):

    7ffb1ec865bf3df4f2567ac4664f8c82*e8cd2da9ae23*28cfe951c5fd*4b61746172696e61

I already cracked Katarina.16800 with a dictionary so I know it's a valid hash.

Then I ran:

    hashcat -m 16801 Katarina.16800 pmkfile

But I get this error:

    Hashfile 'Katarina.16800' on line 1 (7ffb1e...23*28cfe951c5fd*4b61746172696e61): Token length exception
    No hashes loaded.

Please provide a step by step solution. Thanks a lot!

RE: WPA/WPA2 batch processing - ZerBea - 09-27-2018

Great, 99% of your workflow is ok.

A valid PMK file includes only PMKs:

    181ad8169bf942af7d05a3cbd4f200f5f958ea8db4b5a768e17c716a30f61ff5
    d99893b4593b3abc4c1179bd70c6244072ae4521047d4c449ecf90e8b2b3501f

First, calculate your keyfile with

    wlangenpmkocl -e Katarina -i wordlist -A pmkfile

Now remove the PSK

    cut -c -64 foundpmk > pmklist

and feed hashcat with pmklist.

If hashcat is able to crack the network, it will show you the correct PMK.
Now search your calculated pmkfile for the cracked PMK

    cat pmkfile | grep d99893b4593b3abc4c1179bd70c6244072ae4521047d4c449ecf90e8b2b3501f

it will show you

    d99893b4593b3abc4c1179bd70c6244072ae4521047d4c449ecf90e8b2b3501f:passw123

RE: WPA/WPA2 batch processing - v00razz - 09-27-2018

(09-27-2018, 04:59 PM) v00razz Wrote:
    (09-27-2018, 03:15 PM) ZerBea Wrote:
        Ok, now I know what you mean with "batch processing". That is aircrack-ng and/or pyrit style.

I figured it out! I got it...

I take the original hash and remove everything after the 3rd wildcard *.

    7ffb1ec865bf3df4f2567ac4664f8c82*e8cd2da9ae23*28cfe951c5fd*4b61746172696e61

I get:

    7ffb1ec865bf3df4f2567ac4664f8c82*e8cd2da9ae23*28cfe951c5fd

I save that to newKatarina.16800.

Now I run:

    wlangenpmkocl -e Katarina -i wordlist -a pmkfile

and lastly:

    hashcat -m 16801 newKatarina.16800 pmkfile

It works. Thank you so so much.
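As an added example that is not part of the thread and not code from hashcat or hcxtools, the Python script below walks through the three points the posts above establish: ZerBea's grep/awk line that keeps only the .16800 entries whose ESSID is exactly "ASUS" (the 67-character length test is what excludes names such as "ASUS-5G" that merely start with the same hex), the 16800-to-16801 conversion v00razz arrived at (drop the fourth, ESSID field, which is why the four-field line raised a token length exception in mode 16801), and the ESSID-salted PBKDF2 derivation behind the PMK:PSK file, which is why a precomputed PMK list is only valid for one exact ESSID. The sample .16800 lines other than the Katarina one, the MAC addresses in them, and the PMK:PSK / PMK-only file layouts are constructed or assumed from the thread; the Katarina PMK values quoted in the thread are not reproduced or checked here.

```python
import hashlib

# Constructed sample hashfile.16800 (format: PMKID*MAC_AP*MAC_STA*ESSID_hex).
# Line 1 is the Katarina line quoted in the thread; the rest are made up:
# two APs named "ASUS" (hex 41535553) and one named "ASUS-5G" (415355532d3547).
SAMPLE_16800 = """\
7ffb1ec865bf3df4f2567ac4664f8c82*e8cd2da9ae23*28cfe951c5fd*4b61746172696e61
00112233445566778899aabbccddeeff*000000000001*000000000002*41535553
ffeeddccbbaa99887766554433221100*000000000003*000000000004*41535553
0123456789abcdef0123456789abcdef*000000000005*000000000006*415355532d3547
"""


def parse_16800(text):
    """Split .16800 lines into records; field lengths mirror what hashcat
    tokenises (32 hex PMKID, 12 hex per MAC, even-length ESSID hex)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split("*")
        if len(fields) != 4:
            raise ValueError(f"expected 4 fields, got {len(fields)}: {line}")
        pmkid, mac_ap, mac_sta, essid_hex = fields
        if len(pmkid) != 32 or len(mac_ap) != 12 or len(mac_sta) != 12:
            raise ValueError(f"bad token length: {line}")
        records.append({
            "pmkid": pmkid,
            "mac_ap": mac_ap,
            "mac_sta": mac_sta,
            "essid": bytes.fromhex(essid_hex).decode("utf-8", "replace"),
        })
    return records


def filter_by_essid(records, essid):
    """Equivalent of ZerBea's grep '*41535553' | awk 'length($0) == 67':
    an exact ESSID match, not a prefix match, so "ASUS-5G" is not merged
    with "ASUS" (they would be different salts)."""
    return [r for r in records if r["essid"] == essid]


def to_16801(record):
    """Mode 16801 takes PMKs directly, so the ESSID field is dropped,
    leaving PMKID*MAC_AP*MAC_STA, as v00razz found in the last post."""
    return f"{record['pmkid']}*{record['mac_ap']}*{record['mac_sta']}"


def derive_pmk(essid, psk):
    """802.11 PMK: PBKDF2-HMAC-SHA1(psk, essid, 4096 iterations, 32 bytes).
    The ESSID is the salt, which is why a PMK list is tied to one ESSID."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid.encode(), 4096, 32).hex()


def build_pmkfile(essid, wordlist):
    """PMK:PSK lines, the layout the thread shows for wlangenpmkocl -A
    (assumed here; constructed, not produced by hcxkeys)."""
    return [f"{derive_pmk(essid, psk)}:{psk}" for psk in wordlist]


def pmklist_from_pmkfile(pmkfile_lines):
    """ZerBea's 'cut -c -64': keep only the 64 hex chars of the PMK."""
    return [line[:64] for line in pmkfile_lines]


def lookup_psk(pmkfile_lines, pmk):
    """ZerBea's 'grep <PMK> pmkfile': map a PMK hashcat reported back to
    the PSK it was derived from; None if the PMK is not in the file."""
    for line in pmkfile_lines:
        key, sep, psk = line.partition(":")
        if sep and key == pmk:
            return psk
    return None


if __name__ == "__main__":
    recs = parse_16800(SAMPLE_16800)
    asus = filter_by_essid(recs, "ASUS")
    print(f"{len(asus)} of {len(recs)} records have ESSID exactly 'ASUS'")
    print("16801 form of the Katarina line:", to_16801(recs[0]))
    pmkfile = build_pmkfile("Katarina", ["katarina", "passw123"])
    print("pmklist:", pmklist_from_pmkfile(pmkfile))
    print("PSK for second PMK:", lookup_psk(pmkfile, pmkfile[1][:64]))
```

Run it as a script to see the filtered ASUS set, the three-field 16801 line, and the PMK-only list derived from the PMK:PSK lines. The ESSID check is deliberately an exact string comparison rather than a substring match: merging captures whose ESSIDs differ by even one character would put hashes with different salts into one batch, which is exactly what Mem5's answer rules out.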