New 22000 mode is USELESS GARBAGE
#7
Environment 1:
Client: Lenovo T440s
Adapter : ALFA AWUS036AC
Router: Archer C6 v2.0 1.3.6 Build 20200902 rel.65591(4555)
Encryption: AUTO
Channel: AUTO (2.4 on c1 in the scenario)
BSSID: /'"'''
Password: hashcat!



Getting the target BSSID:
Code:
BSSID        FREQ  CH RSSI BEACON RESPONSE ESSID  SCAN-FREQ: 5018 INJECTION-RATIO:  29% [17:08:12]
-----------------------------------------------------------------------------------------------------
cc32e562b757 5009    1  -40    246      27 /'"'''

(Verifying it's correct)
Code:
$ sudo tcpdump -i wlan1 wlan addr1 cc32e562b757 or wlan addr2 cc32e562b757 or wlan addr3 cc32e562b757 -ddd > target.bpfc

$ cat target.bpfc
33
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
2 0 0 0
7 0 0 0
64 0 0 6
21 0 2 3848451927
72 0 0 4
21 20 0 52274
80 0 0 0
84 0 0 12
21 0 6 4
80 0 0 0
84 0 0 240
21 15 0 192
80 0 0 0
84 0 0 240
21 12 0 208
64 0 0 12
21 0 2 3848451927
72 0 0 10
21 7 0 52274
80 0 0 0
84 0 0 12
21 5 0 4
64 0 0 18
21 0 3 3848451927
72 0 0 16
21 0 1 52274
6 0 0 262144
6 0 0 0

Obtaining the hash:
Code:
$ sudo hcxdumptool -i wlan1 -o TEST.pcapng -c1 --enable_status=15 --bpfc=target.bpfc --active_beacon
initialization of hcxdumptool 6.2.6 (depending on the capabilities of the device, this may take some time)...
interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls

start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
PHYSICAL INTERFACE........: phy3
INTERFACE NAME............: wlan1
INTERFACE PROTOCOL........: IEEE 802.11b
INTERFACE TX POWER........: 0 dBm (lowest value reported by the device)
INTERFACE HARDWARE MAC....: 00c0cab018d5 (not used for the attack)
INTERFACE VIRTUAL MAC.....: 00c0cab018d5 (not used for the attack)
DRIVER....................: rtl88XXau
DRIVER VERSION............: 5.16.0-kali7-amd64
DRIVER FIRMWARE VERSION...:
openSSL version...........: 1.1
ERRORMAX..................: 100 errors
BPF code blocks...........: 33
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ACCESS POINT (ROGUE)......: 0022f1c3cf6f (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: 0022f1c3cf70 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 0022f1c3cf71 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: a4a6a932d16b
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 64526
ANONCE....................: 7a855d431690aed0b6ad0000c0b8afa34038d8ab8f3a2d3a4054ecb01bbfd4f3
SNONCE....................: d48eb08d934b717cb4f004efc5916ba9a81dfbee3cbd0be3e740542d694ae294

TIME    FREQ/CH  MAC_DEST    MAC_SOURCE  ESSID [FRAME TYPE]
17:15:05 2412/1  ffffffffffff cc32e562b757 [WILDCARD BEACON]
17:20:45 2412/1  daa119b0c26c cc32e562b757 /'"''' [PROBERESPONSE]
17:20:46 2412/1  b4cd274b31a1 cc32e562b757 /'"''' [AUTHENTICATION]
17:20:46 2412/1  b4cd274b31a1 cc32e562b757 /'"''' [ASSOCIATION]
17:20:46 2412/1  b4cd274b31a1 cc32e562b757 /'"''' [EAPOL:M1M2 EAPOLTIME:12719 RC:1 KDV:2]
17:20:48 2412/1  b4cd274b31a1 cc32e562b757 /'"''' [EAPOL:M1M2 EAPOLTIME:4046 RC:3 KDV:2]

Converting to hc22000:
Code:
$ hcxpcapngtool -o TEST.hc22000 TEST.pcapng
hcxpcapngtool 6.2.7 reading from TEST.pcapng...

summary capture file
--------------------
file name................................: TEST.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.16.0-kali7-amd64
application..............................: hcxdumptool 6.2.6
interface name...........................: wlan1
interface vendor.........................: 00c0ca
openSSL version..........................: 1.1
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 580943b74ffc (incremented on every new client)
MAC CLIENT...............................: fcc233f3f447
REPLAYCOUNT..............................: 62473
ANONCE...................................: 5d2469db45d6d67137a2d31ef25e9a0a0ae9143d47db1d786c0029df3eb68bcf
SNONCE...................................: bcf2e54a020388599e2c8d20a01a4d77ad73c559941f4ed31c409d1c3e584015
timestamp minimum (GMT)..................: 30.05.2022 17:04:41
timestamp maximum (GMT)..................: 30.05.2022 17:04:56
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)...............: little endian
packets inside...........................: 44
frames with correct FCS..................: 44
packets received on 2.4 GHz..............: 44
ESSID (total unique).....................: 4
BEACON (total)...........................: 6
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
BEACON (SSID wildcard/unset).............: 2
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 5
AUTHENTICATION (OPEN SYSTEM).............: 5
EAPOL messages (total)...................: 30
EAPOL RSN messages.......................: 30
EAPOL M1 messages (total)................: 30
PMKID (total)............................: 30
PMKID (best).............................: 2
PMKID ROGUE..............................: 2
PMKID written to 22000 hash file.........: 2

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2412: 43 2427: 1

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.


session summary
---------------
processed pcapng files................: 1

Creating some example wordlist:
Code:
$ tail -n500 /usr/share/wordlists/rockyou.txt >> 500.txt

$ wc -l 500.txt
500 500.txt

$ echo 'hashcat!' >> 500.txt
$ tail -n1 500.txt
hashcat!

Running the cat:
Code:
$ hashcat -m 22000 TEST.hc22000 500.txt
hashcat (v6.2.5) starting

OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-4300U CPU @ 1.90GHz, 2766/5597 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache built:
* Filename..: 500.txt
* Passwords.: 501
* Bytes.....: 5475
* Keyspace..: 501
* Runtime...: 0 secs

Approaching final keyspace - workload adjusted.         

Session..........: hashcat                               
Status...........: Exhausted
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: TEST.hc22000
Time.Started.....: Mon May 30 17:25:55 2022 (0 secs)
Time.Estimated...: Mon May 30 17:25:55 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (500.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    4097 H/s (5.69ms) @ Accel:64 Loops:512 Thr:1 Vec:8
Recovered........: 0/2 (0.00%) Digests, 0/2 (0.00%) Salts
Progress.........: 1002/1002 (100.00%)
Rejected.........: 230/1002 (22.95%)
Restore.Point....: 501/501 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....:  iluveddie1 -> hashcat!
Hardware.Mon.#1..: Temp: 52c Util: 34%

Started: Mon May 30 17:25:53 2022
Stopped: Mon May 30 17:25:57 2022

TEST.hc22000 contains:
Code:
WPA*01*a1d7b930ef5566e3ef598e7760bf4821*8c5bf06e6c46*fcc233f3f447*555043323436303935363533***
WPA*01*306754a8d7f41b0e0c9352119275eb07*8c5bf0a266ab*fcc233f3f447*555043323439333734303133***

* I've performed the test on the laptop without the dedicated GPU, but I doubt that result would be any different.
** I've performed the test with and without the additional filtering options already, with the same results.
*** The hash provided in the test.pcapng.zip file was successfully cracked in the very same environment.


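An added check, not part of the post above: a small parser for the hc22000 line format (WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID-hex*ANONCE*EAPOL*MESSAGEPAIR) that decodes the hex ESSID and compares the AP MAC of every hash against the BSSID you intended to capture. Run on the two lines from TEST.hc22000 in the post, it reports that neither belongs to cc32e562b757; both are PMKIDs from neighbouring access points, which is worth confirming before attributing an "Exhausted" status to the hash mode.

```python
# Added example (not from the forum post): parse hc22000 lines and check
# whether each hash actually belongs to the BSSID/ESSID you meant to test.
from dataclasses import dataclass

# hc22000 field layout:
# WPA*TYPE*PMKID_OR_MIC*MAC_AP*MAC_CLIENT*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
HASH_TYPES = {"01": "PMKID", "02": "EAPOL"}

@dataclass
class Hc22000Line:
    kind: str        # "PMKID" or "EAPOL"
    mac_ap: str      # 12 hex chars, lower case
    mac_client: str  # 12 hex chars, lower case
    essid: str       # decoded from the hex field

def parse_hc22000(line: str) -> Hc22000Line:
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError(f"not a hc22000 line: {line!r}")
    kind = HASH_TYPES.get(fields[1])
    if kind is None:
        raise ValueError(f"unknown hash type {fields[1]!r}")
    # The ESSID is hex encoded so arbitrary bytes (such as the quotes and
    # slash in the post's network name) survive in a one-line text format.
    essid = bytes.fromhex(fields[5]).decode("utf-8", errors="replace")
    return Hc22000Line(kind, fields[3].lower(), fields[4].lower(), essid)

def check_target(lines, expected_bssid: str):
    """Split parsed hashes into those for the expected AP MAC and all others,
    so it is obvious whether the file holds the network you intended to test
    or only hashes picked up from nearby access points."""
    expected = expected_bssid.lower()
    matching, foreign = [], []
    for line in lines:
        entry = parse_hc22000(line)
        (matching if entry.mac_ap == expected else foreign).append(entry)
    return matching, foreign

# The two lines from TEST.hc22000 in the post, reused here as sample input.
SAMPLE = [
    "WPA*01*a1d7b930ef5566e3ef598e7760bf4821*8c5bf06e6c46*fcc233f3f447*555043323436303935363533***",
    "WPA*01*306754a8d7f41b0e0c9352119275eb07*8c5bf0a266ab*fcc233f3f447*555043323439333734303133***",
]

if __name__ == "__main__":
    ok, other = check_target(SAMPLE, "cc32e562b757")
    print(f"{len(ok)} hash(es) for the target, {len(other)} for other APs")
    for e in other:
        print(f"  {e.kind} ap={e.mac_ap} client={e.mac_client} essid={e.essid!r}")
```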