(02-27-2021, 06:00 PM)ZerBea Wrote: Yes. It's an ugly copy and paste error:
$ hashcat --stdout -r "hcxessid.rule" raw.list | sort | uniq > word.list
The hcxessid.rule will append some digits (1..9999, 123, 1234, ...) to the cleaned -E output of hcxpcapngtool.
BTW:
hcxtools are running in the background of several online WPA PSK auditing services, e.g.:
https://wpa-sec.stanev.org/
To see how they are implemented, take a look at the source:
https://github.com/RealEnder/dwpa
Hey, how's it going?
I'm studying your method and I'm having quite some trouble understanding, maybe when you've got some time if you would shed some light:
hcxdumptool -i iface -o dump.pcapng --enable_status=1
So this is self-explanatory, and what a nice little tool. May I ask you how long you've been doing this?
hcxpcapngtool -E trafficwords -o hash.22000 dump.pcapng
This is where I start to raise an eyebrow. Now technically I don't need -E if I want to substitute my own wordlist, correct? We'll discuss that further down the line as it comes up again. Right now I'm curious to see why you generate your wordlist this way. I definitely think it's intelligent, but what is the reasoning? To the untrained eye like mine it feels like you're really limiting your possibilities there.
hcxeiutool -i trafficwords -s raw.list
So here I can just say -i /usr/share/wordlists/whatever -s raw.list, correct? From what I see the format isn't changed, so it should be legit.
hashcat --stdout -r "hcxessid.rule" raw.list | sort | uniq > word.list
Instead let's say I do
hashcat --stdout -r dive.rule raw.list ....
Now we move over to the cracking rig: (win7 12cpu/32gb ram/gtx680)
hashcat -m 22000 -w 4 --nonce-error-corrections=0 hash.22000 word.list
This is where things get complicated.
First of all what happens if I do
hashcat -m 22000 -r rules\base64.rule -w 4 --nonce-error-corrections=0 hash.22000
Notice that I've changed the ruleset
Or what happens if I do something even crazier like this?
hashcat -a 6 -m 22000 -w 4 --nonce-error-corrections=0 hash.22000 word.list rockyou-1-60.hcmask
So now we have the embedded rule from the earlier hashcat on top of the hybrid mask.
I'm going to try all these possibilities now and share the results, but wondering if you have any comments.
If this works though, it would have to be with a PMK, as I anticipate plaintext will take several revolutions of time. So I will need to integrate that into your method, which shouldn't be a big deal; it looks like your tool supports all this stuff and more.
Anyway, once I'm done testing I'll be looking over those sources. I still don't fully understand how all this works; if you sat me down in front of a paper I would fail.
fyi attached the NSA rule keys I stumbled on and testing with. It was from a hashcat lecture. They seem pretty good I like how they mangle the words. Forgive me if they're deprecated or everyone already knows about it. Thought it would be useful for those that don't have 'em.
https://filebin.net/oaqo19oqthhrizh0
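As an added illustration (not code from either poster or from hcxtools) of the two points above: how the quoted rule turns an ESSID into an ESSID-plus-digits candidate space, and what hashcat actually computes per candidate in -m 22000, i.e. the WPA2 PMK via PBKDF2-HMAC-SHA1 with the ESSID as salt, which is why a PMK shortcut matters so much. The digit set (1..9999, plus the same numbers zero-padded to four places) is an assumed approximation of hcxessid.rule, not its real contents; the PMK test vector is the published IEEE 802.11i one.

```python
import hashlib

# Assumed approximation of what hcxessid.rule appends to each cleaned ESSID:
# the numbers 1..9999 as written, and the same numbers zero-padded to 4 digits
# (e.g. "0042"). The real rule file may differ.
def essid_candidates(essid: str) -> set:
    cands = set()
    for n in range(1, 10000):
        cands.add(f"{essid}{n}")
        cands.add(f"{essid}{n:04d}")  # duplicates of the plain form for n >= 1000 collapse in the set
    return cands


# WPA2-Personal PMK derivation: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
# This is the per-candidate cost hashcat pays in -m 22000 and what a precomputed PMK skips.
def wpa2_pmk(passphrase: str, essid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


# Defensive self-check: does a network's own PSK fall inside the ESSID+digits space
# that this kind of rule enumerates? If so, the passphrase should be changed.
def psk_in_essid_digit_space(essid: str, psk: str) -> bool:
    return psk in essid_candidates(essid)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    print(len(essid_candidates("MyWiFi")))          # 10998 distinct candidates
    print(psk_in_essid_digit_space("MyWiFi", "MyWiFi1234"))
    print(wpa2_pmk("password", "IEEE").hex())       # IEEE 802.11i test vector
```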