Mode 22000 format question - Printable Version
hashcat Forum (https://hashcat.net/forum) > Support (https://hashcat.net/forum/forum-3.html) > hashcat (https://hashcat.net/forum/forum-45.html) > Thread: Mode 22000 format question (/thread-9712.html)
Mode 22000 format question - s3in!c - 12-20-2020

Hi everyone

I have a specific question regarding the 22000 mode. The input hash looks like that:

Code:
WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***

When cracked, hashcat delivers a completely differently formatted output:

Code:
4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747f87f9f4:hashcat-essid:hashcat!

I'm wondering if there is a specific reason for this? Because IMHO this is not good to have hashes printed differently when they are cracked than how they were put into hashcat.

RE: Mode 22000 format question - ZerBea - 12-20-2020

Maybe a good idea to add an option to hashcat - [ Outfile Formats ] - to print either the short form:

Code:
MIC/PMKID:MAC_AP:MAC_CLIENT:ESSID:PSK

Code:
complete hash line:PSK

Most parts of the WPA*02* hash line are zeroed. To save disk space, for me, the short form is enough to identify and find the hash via MIC or PMKID running bash tools.

I strongly recommend to archive the pcapng files, because they contain much more information than a hash file.

Also you should know that in case of hcxdumptool attacks neither MAC_AP, nor MAC_CLIENT, nor ANONCE, nor SNONCE, nor EAPOL data, nor PMKID nor MIC is unique! We are talking about hash files > 1GB (and more).

Code:
Session..........: hashcat

That is the main reason why hashcat stores only the PBKDF2 data (PMK, ESSID, PSK) in the potfile. That will keep the potfile small in case of really big hash files. If you are experienced, the PBKDF2 result is all you need, because the PMK is unique on a WPA1/WPA2/WPA2 keyver 3 network that uses this algo to calculate the PMK from a PSK.

Please read more here (why we came to this decision): https://github.com/hashcat/hashcat/issues/1816

Please do not wonder about the low hash rate. I prefer running more machines with a single small and cheap GPU running smaller wordlists calculated by hcxtools, than one machine with 8 big GPUs running on excessive wordlists downloaded from the internet.

BTW: Please use the example hashes from here if you post an example: https://hashcat.net/wiki/doku.php?id=example_hashes because it is against the forum rules to comment real hashes.

RE: Mode 22000 format question - s3in!c - 12-21-2020

Thanks for the detailed explanation, WPA seems to be a hassle all the time in different variants and formats. I think in that case I'll have to adjust that in Hashtopolis, as it seems that it's much more complicated to adjust in hashcat. Also, having a separate flag to print the full output would help a bit, but I would still need to add the special case, so better not spend time on doing that in hashcat.

RE: Mode 22000 format question - ZerBea - 12-21-2020

Yes, you're absolutely right, when you mention the different variants and formats of WPA. Compared to md5 or sha1, EAPOL message pairs and PMKIDs of a network are not unique. These hashes depend on the current session to secure the traffic. That will lead to many, many different hashes on a single network, because every connection attempt will result in a new hash. This will increase the size of the hash files and the outfiles enormously.

Luckily the PMK on a network is static. As long as the admin doesn't change ESSID (SALT) or PSK, the PMK will be the same on this network. The calculation of a PMK by PBKDF2 is very GPU cycle intensive. If you take a look at the potfile, you'll see exactly the result of the PBKDF2 calculation (all parameters to reproduce it: HASH, SALT, PASSWORD). You can try wlangenpmk (-e -p) to verify the hash.

It will save much GPU time if you set your focus on the PMK, because the PBKDF2 calculation was already done. On networks running the same ESSID you will get the results for the "price" of one (PBKDF2 calculation). The same applies to different networks using the same ESSID, if you captured a PMKID from the first network and an EAPOL message pair from the second network. In that case you will also get 2 results for the "price" of one calculation.

This verification/evaluation/calculation is running in the background on wpa-sec (https://wpa-sec.stanev.org/?). It is extremely fast. It would be great to see this in Hashtopolis, too.

BTW: The source is here: https://github.com/RealEnder/dwpa

Stay healthy, cheers
Mike

Interested in more? Discussion is moved to this place: https://github.com/s3inlc/hashtopolis/issues/678
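The following worked example is added to this thread and is not code from the forum posts, from hashcat or from hcxtools. It parses a mode 22000 line of type WPA*01* (PMKID) into the fields s3in!c and ZerBea discuss, reproduces the PBKDF2 step whose result ZerBea says hashcat keeps in the potfile, derives the PMKID from that PMK, and renders the short MIC/PMKID:MAC_AP:MAC_CLIENT:ESSID:PSK form that hashcat prints on a crack. It also shows ZerBea's "price of one" point by reusing a single PBKDF2 result across several PMKID entries that share an ESSID. The PBKDF2 parameters and the PMKID formula are the standard IEEE 802.11 ones; the MAC addresses, ESSID and passphrase used for the round trip are constructed for the demonstration, not captured data.

```python
"""Parse a hashcat 22000 PMKID line, reproduce the PBKDF2 -> PMK -> PMKID
chain and render the short outfile form.  Added example, not hashcat's code."""
import hashlib
import hmac
from dataclasses import dataclass

# The 22000 example line quoted in the thread (also the hashcat wiki example).
EXAMPLE_LINE = ("WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264"
                "*f4747f87f9f4*686173686361742d6573736964***")


@dataclass(frozen=True)
class Wpa22000Line:
    kind: str            # "01" = PMKID entry, "02" = EAPOL message pair
    mic_or_pmkid: bytes  # PMKID for type 01, MIC for type 02
    mac_ap: bytes
    mac_client: bytes
    essid: bytes         # raw ESSID bytes, the SALT of the PBKDF2 step


def parse_22000(line: str) -> Wpa22000Line:
    """Split on '*' and decode the hex fields.
    Layout: WPA*TYPE*PMKID/MIC*MAC_AP*MAC_CLIENT*ESSID(hex)*ANONCE*EAPOL*MESSAGEPAIR
    For type 01 the last three fields are empty, hence the trailing '***'."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError("not a hashcat 22000 line")
    return Wpa22000Line(kind=fields[1],
                        mic_or_pmkid=bytes.fromhex(fields[2]),
                        mac_ap=bytes.fromhex(fields[3]),
                        mac_client=bytes.fromhex(fields[4]),
                        essid=bytes.fromhex(fields[5]))


def pmk_from_psk(psk: str, essid: bytes) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes).
    This is the GPU-expensive step; it depends only on the ESSID and the PSK."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)


def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_client: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_CLIENT), a cheap HMAC."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_client, hashlib.sha1).digest()[:16]


def verify_pmkid(entry: Wpa22000Line, psk: str) -> bool:
    """Check one candidate PSK against a type-01 entry."""
    if entry.kind != "01":
        raise ValueError("only PMKID (type 01) entries are verified here")
    pmk = pmk_from_psk(psk, entry.essid)
    return hmac.compare_digest(pmkid_from_pmk(pmk, entry.mac_ap, entry.mac_client),
                               entry.mic_or_pmkid)


def short_outfile(entry: Wpa22000Line, psk: str) -> str:
    """The short form hashcat prints on a crack: MIC/PMKID:MAC_AP:MAC_CLIENT:ESSID:PSK."""
    return ":".join([entry.mic_or_pmkid.hex(), entry.mac_ap.hex(), entry.mac_client.hex(),
                     entry.essid.decode("utf-8", "replace"), psk])


def build_pmkid_line(psk: str, essid: bytes, mac_ap: bytes, mac_client: bytes) -> str:
    """Construct a WPA*01* line from known parameters (for the round-trip demo)."""
    pmkid = pmkid_from_pmk(pmk_from_psk(psk, essid), mac_ap, mac_client)
    return "*".join(["WPA", "01", pmkid.hex(), mac_ap.hex(), mac_client.hex(),
                     essid.hex(), "", "", ""])


def check_with_shared_pmk(entries, psk: str):
    """Compute the PMK once per ESSID and test every PMKID entry with it.
    Returns (list of short outfile lines that matched, number of PBKDF2 runs)."""
    pmk_cache = {}
    hits = []
    for e in entries:
        if e.kind != "01":
            continue
        pmk = pmk_cache.setdefault(e.essid, pmk_from_psk(psk, e.essid))
        if hmac.compare_digest(pmkid_from_pmk(pmk, e.mac_ap, e.mac_client), e.mic_or_pmkid):
            hits.append(short_outfile(e, psk))
    return hits, len(pmk_cache)


if __name__ == "__main__":
    entry = parse_22000(EXAMPLE_LINE)
    print("ESSID:", entry.essid.decode())
    print("PMK for 'hashcat!':", pmk_from_psk("hashcat!", entry.essid).hex())
    print("short outfile line:", short_outfile(entry, "hashcat!"))
    print("example PMKID matches 'hashcat!':", verify_pmkid(entry, "hashcat!"))
    # Constructed round trip: two clients on one constructed network, one PBKDF2 run.
    ap, c1, c2 = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
    lines = [build_pmkid_line("correct horse", b"lab-essid", ap, c1),
             build_pmkid_line("correct horse", b"lab-essid", ap, c2)]
    print(check_with_shared_pmk([parse_22000(l) for l in lines], "correct horse"))
```

The `check_with_shared_pmk` helper is the part that matters for ZerBea's argument: every PMKID or EAPOL entry from the same ESSID/PSK pair shares one PMK, so the expensive PBKDF2 runs once per ESSID and the remaining work per entry is a single HMAC.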