Hashcat + wlangenpmkocl how to convert back to plaintext ?
#3
(02-21-2021, 02:08 AM)ZerBea Wrote: Hash mode 2501, 16801 and 22001 are designed to verify an existing Plain Master Key PMK. That can be a PMK from a rainbow table, e.g. calculated by wlangenpmkocl.
Workflow:
calculate PMK list
$ wlangenpmkocl -e network-essid -i passwordlist -A combi.list
The combi.list contains PMK and PSK

Now get the PMKs and feed hashcat with them:
$ cut -c -64 combi.list > pmk.list

run hashcat to find the PMK
$ hashcat -m 2501 hash.hccapx pmk.list

if the PMK is verified by hashcat, grep for it in the combi.list
$ cat combi.list | grep e02ede2909ac91cd095ce1fc469f6990a6d
and you will see the matching PSK.

BTW1:
Due to the length of the PMK it is impossible to run a mask or a rule to find a new one.

BTW2:
Hash mode 250x and 1680x are deprecated. You should use hash mode 2200x instead.

Hello !

Thanks for answering

I made a batchfile testing ALL hash modes on my test network with plain text, the only one that worked was 2500; with the PMK the only one that worked was 2501.

The 22000s don't work for me. Am I misunderstanding something ? I thought the -m was the type of hash you're dealing with ?

Also what's wrong with adding the -r RULE with hashcat ? Technically that'll brute it no ? Or you're saying time-wise it isn't worth it ?

EDIT: Allow me to explain my philosophy.
I'm assuming I don't know the password. Masks take too long but technically are more guaranteed I guess; if you had a datacenter at your disposal they would be feasible, or if you had a lot of clues to the password. Dictionary: I find it's unlikely it will contain the password. But using a rule like say NSA_dive rule I find would HOPEFULLY make it more likely. However it takes much more time. That's where the PMK comes in. I was hoping to run advanced rules on the PMK to kind of cheat instead of using masking because I can search PMKs much faster. Crunching ?x?x?x?x?x?x?x?x? or whatever though is like a petabyte so that's not feasible either (in case you were going to suggest appending). Also I have 3 rigs for the job:

Laptop1: general purpose, Vegas10,6gbRAM,8CPU,The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)
Laptop2: workhorse, shittygfx,4CPU,6gbRAM This makes the PMKs all day, takes a day to make a PMK from a 3GB wordlist,The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali)
Gaming rig: 32gbram,12CPU,GTX680. I use this to hashcat the hashes,windows

my password (I've changed the digits obviously but the positions are the same) a1yqfu1746
So not knowing anything about this pass, what would be the correct philosophy to adopt ? Or do I have the right mindset, just not the processing power *sad face*

Btw if anybody wants the handshake to experiment it's no problem, this is perfectly legal and it's my router promise (I can prove this obviously as I have the real password).

FYI, to me 'too long' is anything that exceeds 3-5 days
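The quoted workflow (PMK list, `cut -c -64`, verify with hashcat, `grep` the PMK back to its PSK) and the question about running rules on PMKs are both illustrated by the following added example. It is not code from the thread, from hcxtools or from hashcat; the combi.list layout `<64 hex chars of PMK>:<PSK>` is an assumption (only the "first 64 characters are the PMK" part is taken from the quoted `cut` command), and the ESSID and candidate passwords are constructed sample input. The PMK derivation itself is the standard one from IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt, 4096 iterations, 32 bytes.

```python
#!/usr/bin/env python3
"""PMK -> PSK lookup as described in the quoted workflow (added example).

Assumed combi.list layout: '<pmk as 64 hex chars>:<psk>' per line.
The real wlangenpmkocl output may use a different separator; the lookup below
only relies on the first 64 characters being the PMK, as the quoted
'cut -c -64' does.
"""
import hashlib
from typing import List, Optional


def pmk_from_psk(essid: str, psk: str) -> bytes:
    """Standard WPA/WPA2 PMK derivation (IEEE 802.11i):
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode("utf-8"),
                               essid.encode("utf-8"), 4096, 32)


def build_combi_list(essid: str, passwords: List[str]) -> List[str]:
    """What 'wlangenpmkocl -A combi.list' conceptually produces:
    one 'pmkhex:psk' line per candidate (separator is an assumption)."""
    return [f"{pmk_from_psk(essid, p).hex()}:{p}" for p in passwords]


def pmk_column(combi_lines: List[str]) -> List[str]:
    """Equivalent of 'cut -c -64 combi.list > pmk.list': keep only the PMK."""
    return [line[:64] for line in combi_lines]


def lookup_psk(combi_lines: List[str], verified_pmk_hex: str) -> Optional[str]:
    """Equivalent of 'grep <pmk> combi.list': map a PMK that hashcat has
    verified (mode 2501/16801/22001) back to the PSK that produced it."""
    wanted = verified_pmk_hex.lower()
    for line in combi_lines:
        if line[:64] == wanted:
            return line.split(":", 1)[1]
    return None


def rule_on_psk_vs_pmk(essid: str, psk: str, suffix: str) -> bool:
    """Illustrates ZerBea's BTW1: a rule must mutate the PSK *before*
    derivation. Mutating the PMK string itself never yields the PMK of
    the mutated password, because PBKDF2 is one-way and not
    length-preserving. Returns True when the two results differ."""
    pmk_of_mutated_psk = pmk_from_psk(essid, psk + suffix).hex()
    mutated_pmk_string = pmk_from_psk(essid, psk).hex() + suffix
    return pmk_of_mutated_psk != mutated_pmk_string


def main() -> None:
    # Constructed sample input: "IEEE"/"password" is the well-known 802.11i
    # test vector, the rest are made-up candidates for the lookup table.
    essid = "IEEE"
    wordlist = ["letmein", "password", "a1yqfu1746"]
    combi = build_combi_list(essid, wordlist)

    print("combi.list:")
    for line in combi:
        print(" ", line)
    print("pmk.list:")
    for pmk in pmk_column(combi):
        print(" ", pmk)

    # Pretend hashcat -m 2501 reported this PMK as verified.
    verified = pmk_from_psk(essid, "password").hex()
    print("verified PMK", verified, "-> PSK", lookup_psk(combi, verified))
    print("rule applied to PMK string reproduces a real PMK?",
          not rule_on_psk_vs_pmk(essid, "password", "1"))


if __name__ == "__main__":
    main()
```

The `lookup_psk` step is the whole point of the combi file: hashcat only tells you which 32-byte PMK matched, and nothing in the PMK itself can be turned back into a passphrase, so the table built at generation time is the only way back. That is also why rules and masks have to be applied to the candidate passphrases that go into `wlangenpmkocl`, not to `pmk.list`. A separate caveat on the `-m 22000` question: that mode reads the `WPA*01`/`WPA*02` hash lines written by hcxpcapngtool, not an `.hccapx` file, which is the usual reason a test with `-m 2500` succeeds while `-m 22000` on the same file does not.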
RE: Hashcat + wlangenpmkocl how to convert back to plaintext ? - by pr0ph3t - 02-21-2021, 02:14 AM