hashcat Forum
WPA/WPA2 batch processing - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: WPA/WPA2 batch processing (/thread-7833.html)



WPA/WPA2 batch processing - v00razz - 09-26-2018

Hello,
I heard I can batch process hccapx files to make cracking same-name APs faster, but I got questions
Does it really work for different APs but with same name?
Should I use airolib-ng for batching, or should I use something else?
How can I batch process PMKID (.16800) files? If not, then how do I convert .16800 to .hccapx?


RE: WPA/WPA2 batch processing - Mem5 - 09-26-2018

By 'name' you mean ESSID I guess. ESSID is the salt to the WPA algorithm, so yes you can 'merge' packets if they have exactly the same ESSID.
See wlanhcx2essid at https://github.com/ZerBea/hcxtools
You'll need to have hccapx files, not pmkid.


RE: WPA/WPA2 batch processing - v00razz - 09-26-2018

(09-26-2018, 04:03 PM)Mem5 Wrote: By 'name' you mean ESSID I guess. ESSID is the salt to the WPA algorithm, so yes you can 'merge' packets if they have exactly the same ESSID.
See wlanhcx2essid at https://github.com/ZerBea/hcxtools
You'll need to have hccapx files, not pmkid.

Damn, I hoped for PMKIDs because PMKID attack is more successful than deauthing. AFAIK hccapx is obtainable only by deauthing, or is there another way?


RE: WPA/WPA2 batch processing - ZerBea - 09-27-2018

Working on hashfile.16800 is easy to handle (much easier than working on hccapx files), as it is a txt file.
That means, every bash command is working on that file.
For example: get all ESSIDs with network name ASUS
cat hashfile.16800 | grep *41535553 | awk 'length($0) == 67' > ASUS.16800


RE: WPA/WPA2 batch processing - v00razz - 09-27-2018

(09-27-2018, 10:58 AM)ZerBea Wrote: Working on hashfile.16800 is easy to handle (much easier than working on hccapx files), as it is a txt file.
That means, every bash command is working on that file.
For example: get all ESSIDs with network name ASUS
cat hashfile.16800 | grep *41535553 | awk 'length($0) == 67' > ASUS.16800

What did that do? How do I put that infomation to use? DId that scan the whole folder for .16800 files with same ESSID and join them in 1 file? And that's supposed to make it faster right? Please explain.

Also, I've seen that you can precompute password lists for a specific ESSID with airolib-ng, which allows x9 greater speeds in my case, but it requires .cap files i think, how to do it with .16800 files??


RE: WPA/WPA2 batch processing - ZerBea - 09-27-2018

Ok, now I know what you mean with "batch processing". That is aircrack-ng and/or pyrit style.
hashcats provides this feature with hashmode 2501 (for hccapx) and 16801 for (PMKID).
In both cases you must use a PMK (plainmasterkey) file as wordlist. It is for both hashmodes the same! You can pre-calculate PMKs from ESSID and PSK using PBKDF2 algorithm.

hcxkeys will do this for you (on GPU):
https://github.com/ZerBea/hcxkeys

That mode is very fast using hashcat:
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PMK
Hash.Target......: hashfile.16801
Time.Started.....: Thu Sep 27 15:13:24 2018 (21 secs)
Time.Estimated...: Thu Sep 27 15:13:45 2018 (0 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 115.2 MH/s (0.00ms) @ Accel:128 Loops:1024 Thr:1024 Vec:1
Recovered........: 435/25676 (1.69%) Digests, 433/24808 (1.75%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:1282,76947,1846729 (Min,Hour,Day)
Progress.........: 2288091456/2288091456 (100.00%)
Rejected.........: 0/2288091456 (0.00%)
Restore.Point....: 92232/92232 (100.00%)
Restore.Sub.#1...: Salt:24807 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 0000000000000000000000000000000000000000000000000000000000000000 -> ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
Hardware.Mon.#1..: Temp: 51c Fan: 36% Util: 47% Core:1898MHz Mem:5005MHz Bus:16
Started: Thu Sep 27 15:12:43 2018
Stopped: Thu Sep 27 15:13:46 2018

Take a look at the hashfiles for mode 16800 and 16801.
16801 doesn't have an ESSID and doesn't need an ESSID!
And again: bash commands (cat, cut, tail, grep, awk, split, sort, ...) are your friends.
You can use them to generate the basic input wordlists.
You can use them to split potfiles into parts/columns you need for a later calculation.
-h option of the tools is your friend, too. The same applies to readme files.


RE: WPA/WPA2 batch processing - v00razz - 09-27-2018

(09-27-2018, 03:15 PM)ZerBea Wrote: Ok, now I know what you mean with "batch processing". That is aircrack-ng and/or pyrit style.
hashcats provides this feature with hashmode 2501 (for hccapx) and 16801 for (PMKID).
In both cases you must use a PMK (plainmasterkey) file as wordlist. It is for both hashmodes the same! You can pre-calculate PMKs from ESSID and PSK using PBKDF2 algorithm.

hcxkeys will do this for you (on GPU):
https://github.com/ZerBea/hcxkeys

That mode is very fast using hashcat:
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PMK
Hash.Target......: hashfile.16801
Time.Started.....: Thu Sep 27 15:13:24 2018 (21 secs)
Time.Estimated...: Thu Sep 27 15:13:45 2018 (0 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   115.2 MH/s (0.00ms) @ Accel:128 Loops:1024 Thr:1024 Vec:1
Recovered........: 435/25676 (1.69%) Digests, 433/24808 (1.75%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:1282,76947,1846729 (Min,Hour,Day)
Progress.........: 2288091456/2288091456 (100.00%)
Rejected.........: 0/2288091456 (0.00%)
Restore.Point....: 92232/92232 (100.00%)
Restore.Sub.#1...: Salt:24807 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 0000000000000000000000000000000000000000000000000000000000000000 -> ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
Hardware.Mon.#1..: Temp: 51c Fan: 36% Util: 47% Core:1898MHz Mem:5005MHz Bus:16
Started: Thu Sep 27 15:12:43 2018
Stopped: Thu Sep 27 15:13:46 2018

Take a look at the hashfiles for mode 16800 and 16801.
16801 doesn't have an ESSID and doesn't need an ESSID!
And again: bash commands (cat, cut, tail, grep, awk, split, sort, ...) are your friends.
You can use them to generate the basic input wordlists.
You can use them to split potfiles into parts/columns you need for a later calculation.
-h option of the tools is your friend, too. The same applies to readme files.

Thank you so much for that reply.
I've downloaded this tool and I tried making it work. THis is how far I got.
I ran:
wlangenpmkocl -e Katarina -i wordlist -A pmkfile



cat wordlist:
katarina
passw123

I get pmkfile..

cat pmkfile:
181ad8169bf942af7d05a3cbd4f200f5f958ea8db4b5a768e17c716a30f61ff5:katarina
d99893b4593b3abc4c1179bd70c6244072ae4521047d4c449ecf90e8b2b3501f:passw123

cat Katarina.16800: (original PMKID capture)
7ffb1ec865bf3df4f2567ac4664f8c82*e8cd2da9ae23*28cfe951c5fd*4b61746172696e61

I already cracked Katarina.16800 with dictionary so I know its a valid hash.

then I ran:
hashcat -m 16801 Katarina.16800 pmkfile

But I get this error:
Hashfile 'Katarina.16800' on line 1 (7ffb1e...23*28cfe951c5fd*4b61746172696e61): Token length exception
No hashes loaded.

Please provide step by step solution. Thanks a lot!


RE: WPA/WPA2 batch processing - ZerBea - 09-27-2018

Great, 99% of your workflow is ok.

A valid PMK file includes only PMKs:
181ad8169bf942af7d05a3cbd4f200f5f958ea8db4b5a768e17c716a30f61ff5
d99893b4593b3abc4c1179bd70c6244072ae4521047d4c449ecf90e8b2b3501f

First, calculate your keyfile with
wlangenpmkocl -e Katarina -i wordlist -A pmkfile

Now remove the PSK
cut -c -64 foundpmk > pmklist

and feed hashcat with pmklist
If hashcat is able to crack the network, it will show you the correct PMK.
Now search your calculated pmkfile for the cracked PMK
cat pmkfile | grep d99893b4593b3abc4c1179bd70c6244072ae4521047d4c449ecf90e8b2b3501f
it will show you
d99893b4593b3abc4c1179bd70c6244072ae4521047d4c449ecf90e8b2b3501f:passw123


RE: WPA/WPA2 batch processing - v00razz - 09-27-2018

(09-27-2018, 04:59 PM)v00razz Wrote:
(09-27-2018, 03:15 PM)ZerBea Wrote: Ok, now I know what you mean with "batch processing". That is aircrack-ng and/or pyrit style.
hashcats provides this feature with hashmode 2501 (for hccapx) and 16801 for (PMKID).
In both cases you must use a PMK (plainmasterkey) file as wordlist. It is for both hashmodes the same! You can pre-calculate PMKs from ESSID and PSK using PBKDF2 algorithm.

hcxkeys will do this for you (on GPU):
https://github.com/ZerBea/hcxkeys

That mode is very fast using hashcat:
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PMK
Hash.Target......: hashfile.16801
Time.Started.....: Thu Sep 27 15:13:24 2018 (21 secs)
Time.Estimated...: Thu Sep 27 15:13:45 2018 (0 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   115.2 MH/s (0.00ms) @ Accel:128 Loops:1024 Thr:1024 Vec:1
Recovered........: 435/25676 (1.69%) Digests, 433/24808 (1.75%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:1282,76947,1846729 (Min,Hour,Day)
Progress.........: 2288091456/2288091456 (100.00%)
Rejected.........: 0/2288091456 (0.00%)
Restore.Point....: 92232/92232 (100.00%)
Restore.Sub.#1...: Salt:24807 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 0000000000000000000000000000000000000000000000000000000000000000 -> ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
Hardware.Mon.#1..: Temp: 51c Fan: 36% Util: 47% Core:1898MHz Mem:5005MHz Bus:16
Started: Thu Sep 27 15:12:43 2018
Stopped: Thu Sep 27 15:13:46 2018

Take a look at the hashfiles for mode 16800 and 16801.
16801 doesn't have an ESSID and doesn't need an ESSID!
And again: bash commands (cat, cut, tail, grep, awk, split, sort, ...) are your friends.
You can use them to generate the basic input wordlists.
You can use them to split potfiles into parts/columns you need for a later calculation.
-h option of the tools is your friend, too. The same applies to readme files.

Thank you so much for that reply.
I've downloaded this tool and I tried making it work. THis is how far I got.
I ran:
wlangenpmkocl -e Katarina -i wordlist -A pmkfile



cat wordlist:
katarina
passw123

I get pmkfile..

cat pmkfile:
181ad8169bf942af7d05a3cbd4f200f5f958ea8db4b5a768e17c716a30f61ff5:katarina
d99893b4593b3abc4c1179bd70c6244072ae4521047d4c449ecf90e8b2b3501f:passw123

cat Katarina.16800: (original PMKID capture)
7ffb1ec865bf3df4f2567ac4664f8c82*e8cd2da9ae23*28cfe951c5fd*4b61746172696e61

I already cracked Katarina.16800 with dictionary so I know its a valid hash.

then I ran:
hashcat -m 16801 Katarina.16800 pmkfile

But I get this error:
Hashfile 'Katarina.16800' on line 1 (7ffb1e...23*28cfe951c5fd*4b61746172696e61): Token length exception
No hashes loaded.

Please provide step by step solution. Thanks a lot!

I figured it out! I got it... 
I take the original hash and remove everything after the 3rd wildcard *.
7ffb1ec865bf3df4f2567ac4664f8c82*e8cd2da9ae23*28cfe951c5fd*4b61746172696e61

I get:

7ffb1ec865bf3df4f2567ac4664f8c82*e8cd2da9ae23*28cfe951c5fd
I save that to newKatarina.16800

now i run:
wlangenpmkocl -e Katarina -i wordlist -a pmkfile

and lastly:
hashcat -m 16801 newKatarina.16800 pmkfile

It works. Thank you so so much Big Grin