Plugins 2500/2501 and 16800/16801 are deprecated
#21
@ZerBea 

Thanks
Of course, we have to admit that your algorithm is the most accurate at present. It is estimated that no one has a better algorithm than yours, at least as far as I know.

Because I started from the hccap/hccapx algorithms and followed them through to 22000, and have been following up on the tests, it turns out that your algorithm is currently the most accurate.
Reply
#22
I'm talking with Atom about the online converter and the info file.
Maybe it is possible to provide both of them on https://hashcat.net/cap2hashcat/
He will check this.

Detecting a valid message pair is a major challenge if doing this offline, because we don't know if we have a packet loss or if the authentication sequences are destroyed or if the timestamp is not correct.
Doing this online in the attack tool is much better, because lost packets can be requested and deauthentications can be stopped once a valid message pair is received.
Reply
#23
@ZerBea


Code:
WPA...0000fac028000*00
WPA...4000fac020000*02
WPA...0000fac020c00*a2
WPA...0000fac020c00*a0
WPA...0100000020000*c2


I see that after the conversion, these are marked with some codes in the last field. At present, some of them are not understood in the last field.

For example, I currently only understand the meaning of 00 and 02
The last field 00 represents: possible
The last field 02 represents: valid
And a0, a2 and c2: I don't understand what they mean?

I want to know how many final field codes you have used in total? What are the specific fields marked ?

Excuse me, what does the last field code mean?


Thanks..
Reply
#24
The last field is the message pair field.
It contains detailed information about the endianness of the router and it informs hashcat how to handle the hash
(e.g. NC not necessary, NC necessary, NC only on BE necessary, NC only on LE necessary).
Code:
bitmask of message pair field:
2,1,0:
000 = M1+M2, EAPOL from M2 (challenge)
001 = M1+M4, EAPOL from M4 if not zeroed (authorized)
010 = M2+M3, EAPOL from M2 (authorized)
011 = M2+M3, EAPOL from M3 (authorized) - unused
100 = M3+M4, EAPOL from M3 (authorized) - unused
101 = M3+M4, EAPOL from M4 if not zeroed (authorized)
3: reserved
4: ap-less attack (set to 1) - no nonce-error-corrections necessary
5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary
6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

In your case:
Code:
WPA...0000fac028000*00
00 = 00000000
M1+M2, EAPOL from M2 (challenge)

WPA...4000fac020000*02
02 = 00000010
M2+M3, EAPOL from M2 (authorized)

WPA...0000fac020c00*a2
a2 = 10100010
M2+M3, EAPOL from M2 (authorized)
LE router detected (set to 1) - nonce-error-corrections only for LE necessary
not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

WPA...0000fac020c00*a0
a0 = 10100000
M1+M2, EAPOL from M2 (challenge),
LE router detected (set to 1) - nonce-error-corrections only for LE necessary
not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

WPA...0100000020000*c2
c2 = 11000010
M2+M3, EAPOL from M2 (authorized)
BE router detected (set to 1) - nonce-error-corrections only for BE necessary
not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

Here is a hex to binary converter:
https://www.binaryhexconverter.com/hex-t...-converter

Please notice the difference between: valid , invalid, challenge and authorized!

invalid = it is impossible to recover the PSK from this message pair, because the EAPOL messages don't match;
even if you run hashcat with the correct PSK, it will be exhausted.
Mostly you will get invalid message pairs if you run passive dumpers in combination with stupid deauthentication tools.
They will not detect a packet loss or that the AP renewed the authentication sequence.

challenge = the CLIENT may not belong to the target network and the PSK is recoverable;
this message pair is valid!

authorized = the CLIENT belongs to the target network and the PSK is recoverable;
this message pair is valid!
Reply
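As an added example (not hcxtools, hashcat or ZerBea's own code), the following Python decodes the message pair byte exactly as the bitmask table in the post above describes it, and walks the five values from the question (00, 02, a2, a0, c2). The field layout assumed for a 22000 line is WPA*TYPE*MIC/PMKID*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR; the MIC, MAC, ESSID, ANONCE and EAPOL values in the sample lines are constructed placeholders, since the thread only shows the last field. The `summarize` helper is an addition that shows how one would triage a hash file by challenge/authorized pairs and by the replaycount flag before spending compute on it.

```python
from dataclasses import dataclass

# Bits 2,1,0 of the message pair byte select which EAPOL messages were
# combined (table from the post above).
PAIR_NAMES = {
    0b000: "M1+M2, EAPOL from M2 (challenge)",
    0b001: "M1+M4, EAPOL from M4 if not zeroed (authorized)",
    0b010: "M2+M3, EAPOL from M2 (authorized)",
    0b011: "M2+M3, EAPOL from M3 (authorized) - unused",
    0b100: "M3+M4, EAPOL from M3 (authorized) - unused",
    0b101: "M3+M4, EAPOL from M4 if not zeroed (authorized)",
}

# Single-bit flags from the same table; bit 3 is reserved.
FLAG_NAMES = {
    4: "ap-less attack - no nonce-error-corrections necessary",
    5: "LE router detected - nonce-error-corrections only for LE necessary",
    6: "BE router detected - nonce-error-corrections only for BE necessary",
    7: "replaycount not checked - nonce-error-corrections definitely necessary",
}


@dataclass
class MessagePair:
    value: int
    pair: str
    authorized: bool        # False only for the "challenge" pair type (000)
    flags: list
    reserved_bit_set: bool  # bit 3, reserved per the table


def decode_message_pair(value: int) -> MessagePair:
    """Decode one message pair byte (the last field of a WPA*02* line)."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"message pair field must be one byte, got {value:#x}")
    pair_bits = value & 0b111
    if pair_bits not in PAIR_NAMES:
        raise ValueError(f"undefined message pair type {pair_bits:03b}")
    flags = [name for bit, name in FLAG_NAMES.items() if value & (1 << bit)]
    return MessagePair(
        value=value,
        pair=PAIR_NAMES[pair_bits],
        authorized=pair_bits != 0b000,
        flags=flags,
        reserved_bit_set=bool(value & (1 << 3)),
    )


def decode_hash_line(line: str):
    """Return the decoded message pair of a 22000 line, or None for a PMKID (type 01) line.

    Assumed layout: WPA*TYPE*MIC/PMKID*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR
    """
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError(f"not a hashcat 22000 line: {line!r}")
    if fields[1] == "01":          # PMKID line: the last three fields are empty
        return None
    if fields[1] != "02":
        raise ValueError(f"unknown 22000 type {fields[1]!r}")
    return decode_message_pair(int(fields[8], 16))


# Constructed sample lines: everything except the message pair byte is placeholder hex.
_PLACEHOLDER = "*".join(["00" * 16, "aabbccddeeff", "112233445566",
                         "6578616d706c65", "11" * 32, "22" * 24])
SAMPLE_LINES = [f"WPA*02*{_PLACEHOLDER}*{mp}" for mp in ("00", "02", "a2", "a0", "c2")]
SAMPLE_LINES.append("WPA*01*" + "00" * 16 + "*aabbccddeeff*112233445566*6578616d706c65***")


def summarize(lines):
    """Count PMKID lines, challenge vs authorized pairs, and pairs whose replaycount was not checked."""
    summary = {"pmkid": 0, "challenge": 0, "authorized": 0, "replaycount_unchecked": 0}
    for line in lines:
        info = decode_hash_line(line)
        if info is None:
            summary["pmkid"] += 1
            continue
        summary["authorized" if info.authorized else "challenge"] += 1
        if info.value & (1 << 7):
            summary["replaycount_unchecked"] += 1
    return summary


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = decode_hash_line(line)
        if info is None:
            print("PMKID line, no message pair field")
            continue
        print(f"{info.value:02x} = {info.value:08b}: {info.pair}")
        for flag in info.flags:
            print(f"    {flag}")
    print(summarize(SAMPLE_LINES))
```

Running it reproduces the breakdown given in the post: a2 and a0 carry the LE and replaycount flags, c2 the BE and replaycount flags, and 00/a0 are challenge pairs (the client may not belong to the network) while 02/a2/c2 are authorized.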
#25
@ZerBea

OK. Thanks
Reply
#26
If you are interested to take a look behind the scenes:

The 4-way handshake is explained here:
https://wlan1nde.wordpress.com/2014/10/2...handshake/

Nonce error corrections is explained here:
https://hashcat.net/forum/thread-6361.html
Reply
#27
@atom    @ZerBea  Thanks

The online converter needs a batch file conversion function.


For example, some people need to batch convert 5000 files into hashes.
That is currently not possible.
Reply
#28
You mentioned > 5k files.
That shouldn't be a big problem for hcxtools and hashcat:
Code:
$ time hcxpcapngtool -o test.22000 *.*
session summary
---------------
gzip compressed dump files............: 154
processed pcapng files................: 405
processed cap files...................: 7037

real    2m23,889s
user    1m45,791s
sys    0m37,856s

as well as pre-processing the hashes:
Code:
$ hcxhashtool -i analyzed.22000

OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entires...................: 30555
total lines read..............: 888138
valid hash lines..............: 888138
PMKID hash lines..............: 280583
EAPOL hash lines..............: 607555

or as well as processing the hashes:
Code:
hashcat (v6.2.4-75-gc1fd42fe7) starting

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 22001 (WPA-PMK-PMKID+EAPOL)
Hash.Target......: analyzed.hc22000
Time.Started.....: Fri Sep 24 08:10:34 2021 (49 mins, 51 secs)
Time.Estimated...: Fri Sep 24 09:00:25 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (pmk)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 22647.9 kH/s (0.00ms) @ Accel:512 Loops:1024 Thr:512 Vec:1
Recovered........: 873443/888138 (98.35%) Digests, 272141/281518 (96.67%) Salts
Remaining........: 14695 (1.65%) Digests, 9377 (3.33%) Salts
Recovered/Time...: CUR:21807,N/A,N/A AVG:17516.25,N/A,N/A (Min,Hour,Day)
Progress.........: 108274074944/108274074944 (100.00%)
Rejected.........: 0/108274074944 (0.00%)
Restore.Point....: 384608/384608 (100.00%)
Restore.Sub.#1...: Salt:281517 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator

Started: Fri Sep 24 08:10:22 2021
Stopped: Fri Sep 24 09:00:27 2021

And it should work on much bigger files, too:
Code:
$ hcxhashtool -i analyze.22000

OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entires...................: 30555
total lines read..............: 1519166
valid hash lines..............: 1519166
PMKID hash lines..............: 584237
EAPOL hash lines..............: 934929
Reply
#29
I fully agree. This wiki entry is outdated. Additionally, it referenced rockyou.txt, which is a very old word list.
Reply
#30
Thanks.
Just removed a few "copy and paste errors" from the wiki that referred to the old hccapx format and the ancient rockyou.txt list.
Now the wiki points to a small and daily updated list.
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Reply