22000 - PMKID and EAPOL for same network - two different keys recovered?
#1
Hello,

I have some 22000 hashes for a single network (same SSID, same BSSID).  I have both WPA*01 + WPA*02.  Each is from a different client though.

Hashcat has cracked both of them, but with different passwords.  This is a consumer grade AP.  

I'm a bit confused as to how/why I'm getting two different passwords.  Do consumer-grade APs support multiple PSKs per SSID nowadays?  This doesn't seem likely to me...

Or is something else going on that I'm not understanding?

Thanks in advance.
#2
The last field of an EAPOL MESSAGEPAIR hash line (WPA*02) will give you information about the status of the AUTHENTICATION as described here:
https://hashcat.net/forum/thread-10253-p...l#pid53255
https://hashcat.net/forum/thread-10253-p...l#pid53634
I recommend reading the whole thread.

The EAPOL MESSAGEPAIR could be recorded/requested from a CLIENT that doesn't belong to the target NETWORK.

The PMKID (WPA*01) is transmitted by the ACCESS POINT. The PSK calculated from this hash line should be the one that belongs to the target NETWORK.

Example from here:
https://github.com/hashcat/hashcat/files...eless1.zip
as mentioned here:
https://hashcat.net/forum/thread-10253-p...l#pid53255
Code:
$ hcxpcapngtool -o test.22000 corp_question1-01.cap
hcxpcapngtool 6.2.4-28-g56174da reading from corp_question1-01.cap...
...
EAPOL pairs (best).......................: 2
EAPOL pairs written to combi hash file...: 2 (RC checked)
EAPOL M12E2 (challenge)..................: 1
EAPOL M32E2 (authorized).................: 1

I use hcxhashtool to analyze the hash file, rather than adding Wireshark screenshots:
Code:
$ hcxhashtool -i test.22000 --info=stdout
SSID.......: CORP-WIFI
MAC_AP.....: removed (NETGEAR)
MAC_CLIENT.: removed (Hon Hai Precision Ind. Co.,Ltd.)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
RC INFO....: NC not required
MP M2M3 E2.: authorized
MIC........: removed
HASHLINE...: WPA*02*removed*02

SSID.......: CORP-WIFI
MAC_AP.....: removed (NETGEAR)
MAC_CLIENT.: removed (Apple, Inc.)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 3
RC INFO....: NC not required
MP M1M2 E2.: challenge
MIC........: removed
HASHLINE...: WPA*02*removed*00

The first CLIENT belongs to the target NETWORK, the second one does not.
hcxpcapngtool converts challenges, too, because it is a good way to detect which kind of PSKs an unauthorized CLIENT tried in order to get access to a target NETWORK.

Please notice:
Due to reuse of PBKDF2, you got two PSKs for the price of one (PBKDF2 calculation using the same SALT).
How to filter challenges out (if you don't need them) is also described in the thread mentioned above.
#3
Wow - great work as always and excellent explanation.  Thanks much.
#4
That is only one of the advantages of the hc22000 format. The last field of an EAPOL hash line (WPA*02) gives you detailed information about the kind of converted MESSAGEPAIR.

An explanation of the MESSAGEPAIR field and examples have been added to the hashcat wiki "Cracking WPA/WPA2 with hashcat":
https://hashcat.net/wiki/doku.php?id=cra...hash_files
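The classification that #2 and #4 describe, written out as a small worked example. This is added code, not part of hashcat or hcxtools: it splits hc22000 lines into their fields, reads the low three bits of the MESSAGEPAIR field (the M1+M2 "challenge" versus the "authorized" pairs), and then, given the passwords hashcat recovered per line, keeps the network's PSK separate from a password that a foreign client merely tried. It goes one step beyond the thread by recomputing the PMKID of a WPA*01 line from a candidate PSK, so the key attributed to the network can be checked independently of hashcat. All sample lines are constructed: the MACs, MIC, ANONCE and EAPOL bytes are placeholders (the MICs are not verified here), and the two PSK values are invented.

```python
import hashlib
import hmac

# Meaning of the low three bits of the hc22000 MESSAGEPAIR field (per the
# hashcat hccapx/22000 documentation); the higher bits are flags such as
# ap-less, router endianness and "replaycount not checked".
MESSAGE_PAIRS = {
    0: ("M1+M2, EAPOL from M2", "challenge"),
    1: ("M1+M4, EAPOL from M4", "authorized"),
    2: ("M2+M3, EAPOL from M2", "authorized"),
    3: ("M2+M3, EAPOL from M3", "authorized"),
    4: ("M3+M4, EAPOL from M3", "authorized"),
    5: ("M3+M4, EAPOL from M4", "authorized"),
}


def parse_hc22000(line):
    """Split one hc22000 line into its fields and label what it proves.

    Layout: WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
    TYPE 01 carries a PMKID computed by the AP, TYPE 02 an EAPOL message pair.
    """
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not an hc22000 hash line: %r" % line)
    _, htype, digest, mac_ap, mac_client, essid_hex, _anonce, _eapol, mp = fields
    rec = {
        "type": htype,
        "digest": digest.lower(),
        "mac_ap": mac_ap.lower(),
        "mac_client": mac_client.lower(),
        "essid": bytes.fromhex(essid_hex).decode("utf-8", "replace"),
    }
    if htype == "01":
        rec["kind"] = "PMKID"
        rec["status"] = "authorized"  # the AP derived it from the network's PMK
    elif htype == "02":
        code = int(mp, 16)
        pair, status = MESSAGE_PAIRS.get(code & 0x07, ("unknown pair", "unknown"))
        rec["kind"] = "EAPOL " + pair
        rec["status"] = status
        rec["flag_bits"] = code & 0xF8
    else:
        raise ValueError("unknown hash type %s" % htype)
    return rec


def pmkid_matches(rec, psk):
    """Recompute the PMKID of a WPA*01 record from a candidate PSK (802.11):
    PMK   = PBKDF2-HMAC-SHA1(psk, essid, 4096, 32)
    PMKID = HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_CLIENT)[:16]"""
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode(), rec["essid"].encode(), 4096, 32)
    data = b"PMK Name" + bytes.fromhex(rec["mac_ap"]) + bytes.fromhex(rec["mac_client"])
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16].hex() == rec["digest"]


def reconcile(cracked):
    """Given (hash line, recovered PSK) pairs, separate the network's PSK from
    passwords that a client merely tried in a challenge (M1+M2) pair."""
    networks = {}
    for line, psk in cracked:
        rec = parse_hc22000(line)
        entry = networks.setdefault(
            (rec["essid"], rec["mac_ap"]), {"network_psk": set(), "client_attempts": []}
        )
        if rec["status"] == "authorized":
            entry["network_psk"].add(psk)
        else:
            entry["client_attempts"].append((rec["mac_client"], psk))
    return networks


def make_pmkid_line(essid, mac_ap, mac_client, psk):
    """Build a constructed WPA*01 line whose PMKID really matches psk (demo data only)."""
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode(), essid.encode(), 4096, 32)
    data = b"PMK Name" + bytes.fromhex(mac_ap) + bytes.fromhex(mac_client)
    pmkid = hmac.new(pmk, data, hashlib.sha1).digest()[:16].hex()
    return "WPA*01*%s*%s*%s*%s***" % (pmkid, mac_ap, mac_client, essid.encode().hex())


# Constructed sample: one AP, two clients. MACs, MIC, ANONCE and EAPOL bytes
# are placeholders (MICs are not verified here); both PSK values are invented.
ESSID, MAC_AP = "CORP-WIFI", "a0b1c2d3e4f5"
NETWORK_PSK, CLIENT_GUESS = "correct horse battery", "Password123"
_ESSID_HEX, _MIC, _ANONCE, _EAPOL = ESSID.encode().hex(), "00" * 16, "11" * 32, "0103005f"
SAMPLE = [
    (make_pmkid_line(ESSID, MAC_AP, "c1c1c1c1c1c1", NETWORK_PSK), NETWORK_PSK),
    # authorized M2+M3 pair: client c1 completed the handshake with the real PSK
    ("WPA*02*%s*%s*c1c1c1c1c1c1*%s*%s*%s*02" % (_MIC, MAC_AP, _ESSID_HEX, _ANONCE, _EAPOL), NETWORK_PSK),
    # challenge M1+M2 pair: client c2 answered M1 with a MIC built from its own (wrong) PSK
    ("WPA*02*%s*%s*c2c2c2c2c2c2*%s*%s*%s*00" % (_MIC, MAC_AP, _ESSID_HEX, _ANONCE, _EAPOL), CLIENT_GUESS),
]

if __name__ == "__main__":
    for line, psk in SAMPLE:
        rec = parse_hc22000(line)
        print("%-28s %-10s client %s -> %r" % (rec["kind"], rec["status"], rec["mac_client"], psk))
    print(reconcile(SAMPLE))
```

On a real capture the input pairs come from the HASHLINE values hcxhashtool prints and hashcat's potfile; the M1+M2 line for client c2 then shows up as a client attempt, which is the thread's explanation for the second password. The MIC of a WPA*02 line is deliberately not recomputed, since that would require deriving the PTK from the EAPOL frame; the PMKID check is the cheap way to confirm which of the two PSKs the AP itself actually uses.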