(02-22-2021, 12:29 PM)ZerBea Wrote: It would be much appreciated if you share your experience with us.
Hash mode 2501 (16801, 22001) doesn't make me wince.
I really love these "verification" modes and that is exactly the reason why I explained the purpose of them to Atom and asked him to add these modes (apart from this, it was also the reason for me to code hcxdumptool and hcxtools).
That includes hash mode 22000 to get the full benefit of reuse of PBKDF2 over PMKID and EAPOL.
https://github.com/hashcat/hashcat/issues/1816
These are my experiences (PMK verification) on hash mode 2200x:
Code:
$ hashcat -m 22001 -w4 --nonce-error-corrections=0 hash.22000 pmk.list -o found
hashcat (v6.1.1-120-g15bf8b730) starting...
CUDA API (CUDA 11.2)
====================
* Device #1: GeForce GTX 1080 Ti, 10859/11175 MB, 28MCU
OpenCL API (OpenCL 1.2 CUDA 11.2.136) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 1080 Ti, skipped
Minimum password length supported by kernel: 64
Maximum password length supported by kernel: 64
Hashes: 699380 digests; 699380 unique digests, 221559 unique salts
Bitmaps: 17 bits, 131072 entries, 0x0001ffff mask, 524288 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Slow-Hash-SIMD-LOOP
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 491 MB
Dictionary cache built:
* Filename..: pmk.list
* Passwords.: 299836
* Bytes.....: 19489282
* Keyspace..: 299836
* Runtime...: 1 sec
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-PMK-PMKID+EAPOL
Hash.Target......: hash.22000
Time.Started.....: Mon Feb 22 10:52:46 2021 (34 mins, 16 secs)
Time.Estimated...: Mon Feb 22 11:27:02 2021 (0 secs)
Guess.Base.......: File (pmk.list)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 43622.5 kH/s (0.00ms) @ Accel:64 Loops:1024 Thr:1024 Vec:1
Recovered........: 686597/699380 (98.17%) Digests, 213641/221559 (96.43%) Salts
Remaining........: 12783 (1.83%) Digests, 7918 (3.57%) Salts
Recovered/Time...: CUR:21229,N/A,N/A AVG:20035,1202122,28850930 (Min,Hour,Day)
Progress.........: 66431364324/66431364324 (100.00%)
Rejected.........: 221559/66431364324 (0.00%)
Restore.Point....: 299836/299836 (100.00%)
Restore.Sub.#1...: Salt:221558 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 0000000000000000000000000000000000000000000000000000000000000000 -> ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
Hardware.Mon.#1..: Temp: 74c Fan: 59% Util: 76% Core:1847MHz Mem:5005MHz Bus:16
Started: Mon Feb 22 10:52:34 2021
Stopped: Mon Feb 22 11:27:03 2021
Please notice:
This is only a demonstration.
To save time, I used --nonce-error-corrections=0 (NC).
Due to packet loss during capturing (some of the capturing tools are not able to detect this), a few of the hashes require a higher NC to recover the PSK. Unfortunately this will increase task time, too. For a demonstration it is not worth it.
BTW:
I don't use the ancient modes 250x and 1680x any longer since Atom added 2200x to hashcat.
Oh, don't you worry, I have a full treatise in preparation. I'm actually enjoying this very much. Once all this is laid out, the ultimate objective is to see if it's possible to guess part of the password.
BTW, I was saying mode 2501 makes you wince, hehe; the 22ks I know you like. What do I have to do, just convert the hccapx to 22000 mode or something?
(And if I'm using a PMK, it's 22001, I'm assuming?)
So yeah, I've been reading the information you've posted and it's a little hard to understand, so I need to ask: is it possible to extract PART of a password?
What would happen if I took a hash, and only removed, say, the first 2 characters, and tried to brute force that? I know I'm not wording it properly yet, but you get what I'm trying to say. Maybe the whole problem here is trying to guess the entire password at once.
Meanwhile the PMK is at 80 million out of 90, so in a couple of hours it'll be ready for testing; we'll see what happens.
EDIT: Forgot to mention, I have this little superstition that the needle is always at the bottom of the haystack, so to speak. Is there a way to search backwards with the masks and dictionaries? Dicts I suppose I can just reverse the order and pipe it or whatever, but what about the masks? Without rules preferably; it sounds needlessly tedious for this specific task, unless I'm off base of course.
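The quoted post explains that mode 22001 takes 64-hex-char PMKs from pmk.list instead of running PBKDF2 per candidate. The following is an added example (not code from the thread, hashcat or hcxtools) showing the protocol math behind that: PBKDF2-HMAC-SHA1 produces the PMK, a single HMAC-SHA1 over the PMKID then verifies it, and because the ESSID is the PBKDF2 salt a pmk.list is only valid for the ESSID it was computed for. The ESSID, MAC addresses and passphrases are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not taken from the post): an ESSID, the AP and
# client MAC addresses, and the passphrase the demo treats as the correct one.
ESSID = b"example-net"
MAC_AP = bytes.fromhex("aabbccddeeff")
MAC_STA = bytes.fromhex("112233445566")
PASSPHRASE = "correct horse battery"

def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(psk, essid, 4096 rounds, 32 bytes).
    This is the expensive step mode 22000 performs per candidate; mode 22001
    skips it and reads the finished PMK from pmk.list. The ESSID acts as the
    salt, so one pmk.list is bound to one ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)

def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA) (802.11 RSN).
    The same PMK also feeds the EAPOL PTK derivation, which is why one PBKDF2
    result can be checked against both PMKID and EAPOL hashes."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def verify_pmk_list(pmk_list, target_pmkid: bytes, mac_ap: bytes, mac_sta: bytes):
    """PMK verification in the spirit of mode 22001: no PBKDF2 at all, just one
    HMAC-SHA1 per candidate. Returns the matching PMK (hex) or None."""
    for line in pmk_list:
        line = line.strip()
        if len(line) != 64:
            continue  # matches the kernel's min/max password length of 64 above
        try:
            pmk = bytes.fromhex(line)
        except ValueError:
            continue  # not a hex PMK, reject like hashcat would
        if hmac.compare_digest(pmkid_from_pmk(pmk, mac_ap, mac_sta), target_pmkid):
            return line
    return None

def demo() -> bool:
    # Target PMKID as a capture tool would record it (computed here from the
    # constructed values), then a small pmk.list with one correct entry.
    pmk = derive_pmk(PASSPHRASE, ESSID)
    target = pmkid_from_pmk(pmk, MAC_AP, MAC_STA)
    candidates = [derive_pmk(p, ESSID).hex() for p in ("password", "12345678")]
    candidates += [pmk.hex(), "not a pmk", "zz" * 32]
    return verify_pmk_list(candidates, target, MAC_AP, MAC_STA) == pmk.hex()

if __name__ == "__main__":
    print("PMK verification:", "found" if demo() else "not found")
```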