Posts: 4
Threads: 1
Joined: Jun 2022
Currently learning HashCat. Working on a project where the goal is to access the router’s admin settings. In hashcat I was able to run my hash file which returned the phrases in [Hex] format. I was able to decode those to get the text phrases.
My question is, are the phrases obtained from the [Hex] the user name and password of the router? If so, then my next challenge would be to get the WiFi password to actually be able to get on to the network to then use the IP address to access the router.
How do I go about getting the WiFi password by using hashcat or another program? Any advice will be a huge help.
Posts: 64
Threads: 1
Joined: Mar 2017
(06-21-2022, 01:14 PM)Redleg101 Wrote: Currently learning HashCat. Working on a project where the goal is to access the router’s admin settings. In hashcat I was able to run my hash file which returned the phrases in [Hex] format. I was able to decode those to get the text phrases.
My question is, are the phrases obtained from the [Hex] the user name and password of the router? If so, then my next challenge would be to get the WiFi password to actually be able to get on to the network to then use the IP address to access the router.
How do I go about getting the WiFi password by using hashcat or another program? Any advice will be a huge help.
Lots of details missing here: where did the hash you cracked come from?
Posts: 4
Threads: 1
Joined: Jun 2022
The hash I got was from a handshake capture using a WiFi pineapple. I copied the hash out of the hashcat file that was provided by the pineapple and then entered it in quotes.
Example:
sudo hashcat -a 0 -w 0 "[hash]" rockyou.txt
The last line returned [Hex] 123456789 -> [Hex]123456789
I copied each of the numbers and pasted them in an online Hex converter that gave me two phrases (one for each Hex).
Posts: 64
Threads: 1
Joined: Mar 2017
(06-21-2022, 05:08 PM)Redleg101 Wrote: The hash I got was from a handshake capture using a WiFi pineapple. I copied the hash out of the hashcat file that was provided by the pineapple and then entered it in quotes.
Example:
sudo hashcat -a 0 -w 0 "[hash]" rockyou.txt
The last line returned [Hex] 123456789 -> [Hex]123456789
I copied each of the numbers and pasted them in an online Hex converter that gave me two phrases (one for each Hex).
By "the last line" do you mean the line in the status that says "Candidates"? They're *possible* plaintexts, not the actual plaintext for your hash.
When you get a crack, hashcat prints out the entire hash line with the plaintext (the password) at the end after a colon.
Posts: 4
Threads: 1
Joined: Jun 2022
Ah ha!! Ok, thank you.
Yes, the last line is "Candidates". So the two [Hex] numbers are only possible passwords for the wifi network and not the admin user name and password for the router? I had seen examples where the hash line would appear with the plaintext password at the end as you had mentioned, but when mine returned the [Hex] results, I wasn't sure what I was looking at. I kinda felt like it was a bit premature to get the admin user and password before actually getting the wifi password to get onto the network first. If one of the possibles is in fact the wifi password and I can then get onto the network, what would I use to actually crack the router admin? I know I could try going directly to the IP address of the router and entering default credentials, but if the defaults were changed, is there another program out there that can crack those credentials to get into admin?
Thanks for your help on this. I'm learning more and more every day.
Posts: 64
Threads: 1
Joined: Mar 2017
(06-21-2022, 06:05 PM)Redleg101 Wrote: Ah ha!! Ok, thank you.
Yes, the last line is "Candidates". So the two [Hex] numbers are only possible passwords for the wifi network and not the admin user name and password for the router? I had seen examples where the hash line would appear with the plaintext password at the end as you had mentioned, but when mine returned the [Hex] results, I wasn't sure what I was looking at. I kinda felt like it was a bit premature to get the admin user and password before actually getting the wifi password to get onto the network first. If one of the possibles is in fact the wifi password and I can then get onto the network, what would I use to actually crack the router admin? I know I could try going directly to the IP address of the router and entering default credentials, but if the defaults were changed, is there another program out there that can crack those credentials to get into admin?
Thanks for your help on this. I'm learning more and more every day.
Right, when you crack a WPA hash you get the password for the wireless network, not the username or password for the admin interface. Cracking the web interface is out of scope for hashcat.
Posts: 1,042
Threads: 2
Joined: Jun 2017
06-22-2022, 10:58 AM
(This post was last modified: 06-22-2022, 11:19 AM by ZerBea.)
(06-21-2022, 05:08 PM)Redleg101 Wrote: The hash I got was from a handshake capture using a WiFi pineapple. I copied the hash out of the hashcat file that was provided by the pineapple and then entered it in quotes.
Example:
sudo hashcat -a 0 -w 0 "[hash]" rockyou.txt
The last line returned [Hex] 123456789 -> [Hex]123456789
I copied each of the numbers and pasted them in an online Hex converter that gave me two phrases (one for each Hex).
WiFi (802.11) hashes are not(!) md5 (hash mode -m 0)! They look like this (hash mode -m 22000):
22000 WPA-PBKDF2-PMKID+EAPOL in case a PMKID was captured:
Code:
WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***
22000 WPA-PBKDF2-PMKID+EAPOL in case a 4way handshake was captured:
Code:
WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*a2
Both taken from:
https://hashcat.net/wiki/doku.php?id=example_hashes
Read more here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
and related to WiFi Pineapples:
https://forums.hak5.org/topic/44213-pmki.../#comments
Rockyou list is very old and not related to WiFi. There are much better lists:
https://wpa-sec.stanev.org/dict/cracked.txt.gz
https://3wifi.stascorp.com/3wifi-dic-2022-06-03.7z
https://hashmob.net/research/hashmob
and hashcat attack modes:
https://hashcat.net/wiki/
BTW:
Do not run "sudo" on hashcat. That is neither mandatory nor necessary.
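To make the field layout of the two mode 22000 lines above concrete, here is a small parser written for this thread (not ZerBea's code and not part of hashcat). It splits a line into its fields, decodes the hex ESSID, checks that the embedded EAPOL-Key frame's own length field is consistent, and reports whether a line needs -m 22000 at all; the sample lines are the two wiki example hashes quoted above, with the EAPOL frame assembled field by field so the structure is visible.

```python
import re

# Mode 22000 layout (hashcat wiki): WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID(hex)*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID (the last three fields are empty), TYPE 02 = EAPOL 4-way handshake.

def _mac(hex12):
    if not re.fullmatch(r"[0-9a-fA-F]{12}", hex12):
        raise ValueError(f"bad MAC field {hex12!r}")
    return ":".join(hex12[i:i + 2] for i in range(0, 12, 2))

def parse_22000(line):
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not a mode 22000 line: expected 9 '*'-separated fields starting with WPA")
    typ, pmkid_or_mic, mac_ap, mac_client, essid_hex, anonce, eapol, msgpair = fields[1:]
    if len(pmkid_or_mic) != 32:
        raise ValueError("PMKID/MIC must be 16 bytes (32 hex chars)")
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    if typ == "01":
        if anonce or eapol or msgpair:
            raise ValueError("PMKID line must have empty ANONCE/EAPOL/MESSAGEPAIR fields")
        return {"kind": "PMKID", "mac_ap": _mac(mac_ap), "mac_client": _mac(mac_client), "essid": essid, "eapol_len_ok": True}
    if typ == "02":
        if len(anonce) != 64:
            raise ValueError("ANONCE must be 32 bytes (64 hex chars)")
        frame = bytes.fromhex(eapol)
        # EAPOL header: version(1) type(1) body length(2, big-endian); type 3 is EAPOL-Key
        ok = len(frame) > 4 and frame[1] == 3 and int.from_bytes(frame[2:4], "big") == len(frame) - 4
        return {"kind": "EAPOL", "mac_ap": _mac(mac_ap), "mac_client": _mac(mac_client), "essid": essid, "eapol_len_ok": ok}
    raise ValueError(f"unknown TYPE field {typ!r}")

def is_22000(line):
    """True when the line needs -m 22000; hashcat's default -m 0 is MD5, so omitting -m is the wrong mode."""
    try:
        return parse_22000(line) is not None
    except ValueError:
        return False

# Sample lines: the two example hashes quoted in the post above from hashcat's example_hashes wiki page.
PMKID_LINE = "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***"
EAPOL_FRAME = ("01" "03" "0075" "02" "010a" "0000"     # version 1, type 3 (EAPOL-Key), body length 0x75, descriptor, key info, key length
               "0000000000000001"                      # replay counter
               "48ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171"  # key nonce
               + "00" * 48                             # key IV, RSC, key ID and the MIC, which the hash line keeps zeroed
               + "0016" "30140100000fac040100000fac040100000fac028000")  # key data length 22 and the RSN IE
EAPOL_LINE = ("WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*"
              "54502d4c494e4b5f484153484341545f54455354*"
              "10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*" + EAPOL_FRAME + "*a2")
```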
Posts: 4
Threads: 1
Joined: Jun 2022
Thank you so much for that info and those links. The second example with 22000 WPA*02 is exactly what I got from my captured handshakes. I'll read through the links you provided.
Thanks again