Your question is already answered here:
https://hashcat.net/forum/thread-10557-p...l#pid54451
MICs of 4way handshakes or PMKIDs are not(!) MD5 or MD4.
Don't (never, under no circumstances) trust a google search result!!!
It take much more than a single PMKID or a MIC copied from a Wireshark field to recover the PSK. Depending on PMKID or 4way handshake, additional information like ESSID, MAC AP, MAC CLIENT, ANONCE, SNONCE and at least a complete M2 (or M3 or not zeroed M4) EAPOL MESSAGE are mandatory.
Here is an example EAPOL PMKID from the example hashes:
https://hashcat.net/wiki/doku.php?id=example_hashes
22000 WPA-PBKDF2-PMKID+EAPOL WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***
The PMKID is definitely not MD5 or MD4
run it through an online analyzer, e.g.:
https://www.tunnelsup.com/hash-analyzer/
Hash: 4d4fe7aac3a2cecab195321ceb99a7d0
Salt: Not Found
Hash type: MD5 or MD4
Bit length: 128
Character length: 32
Character type: hexidecimal
and it failed epically!!!
Looks like this hash-analyzer only take the length of the hash to identify the type.
While hashcat is able to recover the PSK:
The same applies to a MIC of a 4way handshake as described here:
https://hashcat.net/forum/thread-10496-p...l#pid54230
The MIC is definitely not MD5 or MD4
run it through the same online analyzer:
https://www.tunnelsup.com/hash-analyzer/
Hash: 6ec572e97e2ede5a6099bf964fa880fd
Salt: Not Found
Hash type: MD5 or MD4
Bit length: 128
Character length: 32
Character type: hexidecimal
and as expected, it failed again (epically).
https://hashcat.net/forum/thread-10557-p...l#pid54451
MICs of 4way handshakes or PMKIDs are not(!) MD5 or MD4.
Don't (never, under no circumstances) trust a google search result!!!
It take much more than a single PMKID or a MIC copied from a Wireshark field to recover the PSK. Depending on PMKID or 4way handshake, additional information like ESSID, MAC AP, MAC CLIENT, ANONCE, SNONCE and at least a complete M2 (or M3 or not zeroed M4) EAPOL MESSAGE are mandatory.
Here is an example EAPOL PMKID from the example hashes:
https://hashcat.net/wiki/doku.php?id=example_hashes
22000 WPA-PBKDF2-PMKID+EAPOL WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***
The PMKID is definitely not MD5 or MD4
Code:
PMK = PBKDF2(HMAC−SHA1, PSK, SSID, 4096, 256)
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)run it through an online analyzer, e.g.:
https://www.tunnelsup.com/hash-analyzer/
Hash: 4d4fe7aac3a2cecab195321ceb99a7d0
Salt: Not Found
Hash type: MD5 or MD4
Bit length: 128
Character length: 32
Character type: hexidecimal
and it failed epically!!!
Looks like this hash-analyzer only take the length of the hash to identify the type.
While hashcat is able to recover the PSK:
Code:
$ hashcat -m 22000 "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***" -a 3 hashcat!
hashcat (v6.2.5-52-g806257f2e) starting
4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747f87f9f4:hashcat-essid:hashcat!
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: 4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747...-essid
Time.Started.....: Thu Jan 6 07:32:28 2022 (0 secs)
Time.Estimated...: Thu Jan 6 07:32:28 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 35 H/s (0.74ms) @ Accel:64 Loops:256 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 32c Util: 7% Core:1770MHz Mem:3500MHz Bus:8
Started: Thu Jan 6 07:32:26 2022
Stopped: Thu Jan 6 07:32:30 2022The same applies to a MIC of a 4way handshake as described here:
https://hashcat.net/forum/thread-10496-p...l#pid54230
The MIC is definitely not MD5 or MD4
Code:
PMK = PBKDF2(HMAC−SHA1, PSK, SSID, 4096, 256)
PTK = PRF(PMK + ANONCE + SNONCE + MAC AP + MAC CLIENT)run it through the same online analyzer:
https://www.tunnelsup.com/hash-analyzer/
Hash: 6ec572e97e2ede5a6099bf964fa880fd
Salt: Not Found
Hash type: MD5 or MD4
Bit length: 128
Character length: 32
Character type: hexidecimal
and as expected, it failed again (epically).