Your question is not silly. The entire 802.11 stuff is quite difficult to understand.
The SNONCE is not missing in a hc22000 line. It is inside the EAPOL field.
Example taken from here:
https://hashcat.net/wiki/doku.php?id=example_hashes
Code:
WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*a2
First some information about the hash line:
Code:
$ hcxhashtool -i test.hc22000 --info=stdout
SSID.......: TP-LINK_HASHCAT_TEST
MAC_AP.....: 6466b38ec3fc (TP-LINK TECHNOLOGIES CO.,LTD.)
MAC_CLIENT.: 225edc49b7aa (Unknown)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
RC INFO....: NC suggested
MP M2M3 E2.: authorized
MIC........: 024022795224bffca545276c3762686f
HASHLINE...: WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*a2
EAPOL MESSAGE taken from field 8:
Code:
0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000
displayed in Wireshark format:
Code:
802.1X Authentication
Version: 802.1X-2001 (1)
Type: Key (3)
Length: 117
Key Descriptor Type: EAPOL RSN Key (2)
[Message number: 2]
Key Information: 0x010a
Key Length: 0
Replay Counter: 1
WPA Key Nonce: 48ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171
Key IV: 00000000000000000000000000000000
WPA Key RSC: 0000000000000000
WPA Key ID: 0000000000000000
WPA Key MIC: 024022795224bffca545276c3762686f
WPA Key Data Length: 22
WPA Key Data: 30140100000fac040100000fac040100000fac028000
and finally the calculated/confirmed keys:
Code:
$ hcxpmktool -l WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*a2 -p hashcat!
HASH FORMAT.: EAPOL (WPA*02)
ESSID.......: TP-LINK_HASHCAT_TEST
MAC_AP......: 6466b38ec3fc
MAC_CLIENT..: 225edc49b7aa
PSK.........: hashcat!
PMK.........: 0857172bd4d3ebb34cf00f3619726008d27558926d963a547332fab033023b82 (calculated)
KEY VERSION.: WPA2
NONCE AP....: 10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e
NONCE CLIENT: 48ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171
KCK.........: 57d0f2ff5faef56f9b94390aebf4474d (calculated)
KEK.........: 9913af266f6e00225edc49b7aa6466b3 (calculated)
TK..........: 8ec3fc10e3be3b005a629e89de088d6a (calculated)
TKIP TX MIC.: 2fdc489db83ad476 (calculated)
TKIP RX MIC.: 4f2d186b9cde1544 (calculated)
MIC.........: 024022795224bffca545276c3762686f (confirmed)
PMKID.......: e7b71e94595346b4c5e084cbf7ac328e (calculated)
Once we got the PMK, it is easy to calculate a matching PMKID, too.
confirm the PMK:
Code:
$ wlangenpmk -e TP-LINK_HASHCAT_TEST -p hashcat!
essid (networkname)....: TP-LINK_HASHCAT_TEST
password...............: hashcat!
plainmasterkey (SHA1)..: 0857172bd4d3ebb34cf00f3619726008d27558926d963a547332fab033023b82
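The check hcxpmktool performs above, as an added Python example (not part of the original post and not hcxtools code): it splits the example line, reads the SNONCE from bytes 17 to 48 of the EAPOL field, and recomputes PMK, KCK and MIC for the PSK shown. It handles only key version 2 (HMAC-SHA1), and the function names are made up for this illustration.

```python
import hashlib
import hmac

# Example line from the post, rebuilt field by field (fields are '*'-separated).
EAPOL_HEX = (
    "01030075" "02" "010a" "0000" "0000000000000001"  # header, key info, replay counter
    "48ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171"  # SNONCE
    + "00" * 48  # Key IV, RSC, Key ID and the zeroed MIC field
    + "0016" "30140100000fac040100000fac040100000fac028000"  # key data length + data
)
LINE = "*".join([
    "WPA", "02", "024022795224bffca545276c3762686f",
    "6466b38ec3fc", "225edc49b7aa",
    "54502d4c494e4b5f484153484341545f54455354",
    "10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e",
    EAPOL_HEX, "a2",
])

def parse_hc22000(line):
    """Split a WPA*02 line; the SNONCE is read out of the EAPOL field."""
    sig, kind, mic, mac_ap, mac_sta, essid, anonce, eapol, _pair = line.split("*")
    if sig != "WPA" or kind != "02":
        raise ValueError("not a WPA*02 (EAPOL) line")
    hex_fields = dict(mic=mic, mac_ap=mac_ap, mac_sta=mac_sta,
                      essid=essid, anonce=anonce, eapol=eapol)
    f = {name: bytes.fromhex(value) for name, value in hex_fields.items()}
    if len(f["eapol"]) < 99:
        raise ValueError("EAPOL-Key frame too short")
    f["snonce"] = f["eapol"][17:49]                          # WPA Key Nonce
    f["key_version"] = int.from_bytes(f["eapol"][5:7], "big") & 0x7
    return f

def check_psk(f, psk):
    """Return (pmk, kck, mic_matches) for a candidate PSK."""
    if f["key_version"] != 2:
        raise ValueError("only key version 2 (HMAC-SHA1) is handled here")
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode(), f["essid"], 4096, 32)
    macs = min(f["mac_ap"], f["mac_sta"]) + max(f["mac_ap"], f["mac_sta"])
    nonces = min(f["anonce"], f["snonce"]) + max(f["anonce"], f["snonce"])
    # First PRF block (counter 0) already covers the 16-byte KCK.
    label = b"Pairwise key expansion\x00" + macs + nonces + b"\x00"
    kck = hmac.new(pmk, label, hashlib.sha1).digest()[:16]
    frame = f["eapol"][:81] + bytes(16) + f["eapol"][97:]    # MIC field zeroed
    mic = hmac.new(kck, frame, hashlib.sha1).digest()[:16]
    return pmk, kck, hmac.compare_digest(mic, f["mic"])

if __name__ == "__main__":
    fields = parse_hc22000(LINE)
    print("SNONCE:", fields["snonce"].hex())
    print("MIC matches:", check_psk(fields, "hashcat!")[2])
```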