hashcat Forum
Learning hashcat - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Learning hashcat (/thread-9639.html)

Pages: 1 2


Learning hashcat - n0ss - 11-15-2020

Hello to all of you,

For the past week I have been able to :
  • Learn that The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) is actually rubbish
  • Install proper CUDA driver in Parrot Security
  • Verify that "clinfo" and "hashcat -I" correctly use CUDA
  • Take my hands on aircrack-ng suite to capture multiple 4way-Handshake successfully
So, as of today, I do not have any hardware issues, which is great actually.
SETUP : i7 6700k ; 32GB RAM ; 970 GTX STRIX ; SAMSUNG SSD

I have a few general questions about hashcat which do not to seem so obvious reading docs :
  1. Can we use i7 4GhZ Intel with OpenCL, how "good" is it ?
  2. How does it compare to GTX dedicated graphics in general ?
  3. Should you recommend using both in parallel ?
Also, I have some questions about hashcat specifically, since I've read so many things :
  1. Regarding 4way-handshake, is it useful to capture the same handshake multiple times in the same capture file ?
  2. I'm trying to learn about dictionnaries, rules, I've found many things, how could I start simple ?
  3. What do you recommend, big dicos, smalls rules, ... ?
  4. How can I gather information about the AP/router ? (manufacturer, version, password generation algorythm, etc)



RE: Learning hashcat - undeath - 11-15-2020

1.1.1 Yes
1.1.2 depends on the hash type
1.2 in general: poorly. depends on the hash type
1.3 usually not worth it, depends on the hash type

2.1 to avoid transmission errors, yes
2.2 start with a simple mask attack or a straight dictionary attack. Later add rules for the dict attack or use more complicated masks
2.3 small-ish dicts with rules are usually the most efficient
2.4 You can look up the manufacturer from the MAC address, use your favourite search engine for anything else

pro tip: don't use the aircrack-ng suite but hcxtools instead.


RE: Learning hashcat - n0ss - 11-15-2020

Thanks for this awesome response.

Just to be clear, how is hcxtools better than aircrack-ng (since it's just for packet capturing) ?

So just to summarize, NEO Intel OpenCL is not worth going into (also I might be able to get my hands on 1 or 2 more GTX 970 which I suppose would improve things a lot).

What do you mean by small-ish ? (I'm in European country so I would need to make my own dico, I guess everything on the web is very basic when it's not english dictionnaries) Are hashcat pre-configured rules (/usr/share/hashcat-utils/rules/) any good or a little outdated ?


RE: Learning hashcat - undeath - 11-15-2020

hcxtools (or rather, hcxdumptool) include lots of features surpassing a simple dump tool. It can actively probe found APs and perform non-intrusive active attacks to convince routers to supply attackable data besides a full handshake.

Installing the Intel OpenCL runtime shouldn't be much trouble. But for WPA you're probably not missing much by going GPU-only.

By small-ish dicts I mean dicts up to a size of maybe 100-200mb (possibly that's already too much for WPA even). If you have more targeted, smaller wordlists, even better!

The rulesets hashcat ships are quite good. Some have very specific purposes (eg toggles) but others are very useful generic ones (best64/T0XlC/d3ad0ne/generated/dive/…).


RE: Learning hashcat - ZerBea - 11-15-2020

Just to be clear, how is hcxtools better than aircrack-ng (since it's just for packet capturing) ?

hcxdumptool/hcxtools is designed to work with hashcat and JtR. It control hashcat behavior via pcapng comment fields and message_pair field.
Code:
hcxdumptool -> hcxpcapngtool -> hcxhashtool/hcxpsktool -> hashcat
you can use hashcat hash mode 22000 to get full advantage of reuse of PBKDF2 on PMKID and EAPOL. There is no need to run deprecated hash modes 2500 or 16800 any longer.
Code:
$ hashcat --help | grep 2200
  22000 | WPA-PBKDF2-PMKID+EAPOL                           | Network Protocols
  22001 | WPA-PMK-PMKID+EAPOL                              | Network Protocols
read more about the PMKID attack here:
https://hashcat.net/forum/thread-7717.html

while aircrack-ng suite use its own cracker:
Code:
aireplay-ng + airodump-ng -> aircrack-ng

but running this "mixed" combination is not a good idea:
Code:
aireplay-ng + airodump-ng -> aircrack-ng -> hashcat
as well as
Code:
hcxdumptool -> aircrack-ng

BTW:
In attack mode, hcxdumptool control AP and CLIENT behavior, too. That include the request of a PMKID if target AP and/or target CLIENT support this.
If the AP is not in your range, but the CLIENT is, hcxdudmptool will request all information from the CLIENT only. You don't to need to receive the AP.
There is no need to run an additional deauthentication tool (like mdk3/mdk4 or aireplay-ng).

All important frames are stored into the pcapng file as well as additional hash values.
A nice example is here:
https://github.com/evilsocket/pwnagotchi/issues/835#issuecomment-598597214


RE: Learning hashcat - n0ss - 11-15-2020

Well thanks again, it's great to have so many things to learn during this time of year (lock-down came back here).

Last question but not least, I am actually trying for "educational purposes" to use hashcat combined with WPA2-PSK because I will soon run out of LTE data, and I need proper internet access to work.
Most of the routers in my scope have default password that are : 18 characters in length, lower-UPPER-DIGIT only.

Is this out my reach ? I have only 1 970GTX for now (2nd is not sure yet)

And just to make myself clear, I was not using aircrack-ng tool, only some tools in the suite so it is :
Code:
airmon-ng --> airodump-ng --> aireplay-ng --> cap2hccapx --> hashcat

I WILL follow your advices and learn hcxtools, but just to be sure, was I doing things correctly ?

You mentionned John the Ripper, do you recommend I dig into it ?

BTW, this is awesome, when I tried backtrack more than 10 years ago on WEP, with Alfa Network cards that are actually still available, things were not so deep and we did not have this massive GPU power to rely on. I will not hesitate to make a GitHub repo if I succeed in anything.

ALSO, I just realised by looking at the GitHub repo that you are the actual coder (maybe not the only one IDK) behind hcxtools. Thanks for all the work ! And for your time.


RE: Learning hashcat - ZerBea - 11-15-2020

Both of the GPU recovery tools (hashcat and JtR) doesn't have an own WiFi parser. That was the major reason for me to code one.
JtR is a nice tool. Using it, will help understanding how things are working. The same applies to hashcat.

"I will follow your advices and learn hcxtools, but just to be sure, was I doing things correctly ?"
Are you successful doing this workflow?
Code:
airmon-ng -> airodump-ng -> aireplay-ng -> cap2hccapx -> hashcat
If not, you should try a new approach.
You should now that running too many deauthentications will destroy authentication sequences (aireplay-ng doesn't take care about this).
Running your workflow, you should also know that you will not retrieve a PMKID!

Please notice:
hcxdumptool/hcxtools are analysis tools - so you're right, when you say you have to learn how to use them.
Nearly everything you should know (inclusive examples) is explained in this thread:
https://hashcat.net/forum/thread-6661-page-69.html

Additional I recommend to read the issue reports (open and closed) here:
https://github.com/aircrack-ng/aircrack-ng/issues
and here:
https://github.com/ZerBea/hcxtools/issues
https://github.com/ZerBea/hcxdumptool/issues
You'll get some good information about limitations and issues.

To verify the dump files, I recommend tshark and/or Wireshark.
To see how hcxpcapngtool works read more here:
https://wpa-sec.stanev.org/?

To get an overview of the complexity of the recovered PSKs, download C-nets from here:
https://wpa-sec.stanev.org/?dicts
decompress and show results (you mentioned length 18):
Code:
$ gunzip cracked.txt.gz
$ cat cracked.txt | awk 'length($1)>=18'

BTW:
Discovering a weak point (and retrieving the PSK) start with a successful attack vector against the target (first step). Running hashcat is the last step in the chain. If the first step failed, the last step will fail, too. That isn't an issue of hashcat!
Please notice:
The target is not a single ACCESS POINT (old school). The target is the whole NETWORK. That include the ACCESS POINT and all(!) CLIENTs. Also, it include PROBEREQUEST frames, AUTHENTICATION frames, ASSOCIATION frames, REASSOCIATION frames and of course EAPOL/EAP frames. All this frames contain useful information you can feed to hashcat.
Capturing a single BEACON and an EAPOL handshake (old school) is not enough.


RE: Learning hashcat - n0ss - 11-16-2020

Code:
To verify the dump files, I recommend tshark and/or Wireshark.
To see how hcxpcapngtool works read more here:
https://wpa-sec.stanev.org/?


Is this the good link ? I'm confused


RE: Learning hashcat - n0ss - 11-16-2020

Anyway, I am getting into hcxdumptool now.

From the many many posts I've read so far, I'm trying to target a few specific APs, no targeting on clients because of MAC randomization, using status 15 (maybe I should go up to 31 ?)
I intend to run this for 24h+, and then see what I captured.

Code:
sudo hcxdumptool -i wlanX --enable_status=15 --filterlist_ap=MAC1 --filtermode=2 -o testdump.pcapng

Also I tested full injection with hcxdumptool first, and force manual mode on my monitor card using this :
https://github.com/ZerBea/hcxtools/issues/40#issuecomment-399211804

And do know if what I'm doing is too "agressive" ?
You mentioned somewhere that it was recommended to use --disable options...

I would like to make sure my capture is going in the right direction, before going any further.

I could also try :
Code:
sudo hcxdumptool -i wlanX --enable_status=15 --filterlist_ap=MAC1 --filtermode=2 -o testdump.pcapng --disable_deauthentication --disable_client_attacks

That would target only AP attacks based on the PMKID attack, right ?


RE: Learning hashcat - ZerBea - 11-16-2020

I recommend to attack in 2 phases:

1. aggressive attack vector to get as much as possible unfiltered hash data from ACCESS POINTs in 10 minutes (extreme intrusive):
Code:
$ sudo hcxdumptool -i WLANDEV -o vector1.pcapng --stop_ap_attacks=6000 --resume_ap_attacks=12000 --bpfc=own.bpfc --active_beacon --tot=10 --enable_status=1

2. get as much as possible information from CLIENTs over a period of a day:
Code:
$ sudo hcxdumptool -i WLANDEV -o vector2.pcapng --tot=1440 --bpfc=own.bpfc --disable_deauthentication --disable_ap_attacks --active_beacon -c 1,9,6,3,11, -t 3600 --enable_status=1



On both modes, I recommend to protect own devices by a BPF on both attack vectors.

Do not merge the pcapng files.
Use hcxpcapngtool to convert all hashes to a single hash list (22000 format) and all other information to wordlists hashcat can work on (pure or in combination with masks and/or rules):
Code:
$ hcxpcapngtool -o test.22000 -E list1 -I list2 -U list3 *.pcapng

To determine that PSKs based on BSSID or ESSID are in use, feed hashcat with output of hcxpsktool and/or output of hcxeiutool (option -d -x -c -s).
You can expand wordlists converted by hcxpcapngtool, and feed hashcat + rule with output of hcxeiutool (option -s).

To select single NETWORKS, use hcxhashtool to get information about the content of the whole hash file.
It is also possible to use simple bash tools to get some if this information and to filter the hash list, because has format 22000 is not longer binary (like hccapx).