07-25-2023, 10:45 AM
(07-25-2023, 07:40 AM)ZerBea Wrote: > From what I see there (which is obviously wrong) 010 is authorized, so I must be missing a key somewhere
The value in the explanation is binary while the value in the MESSAGEPAIRFIELD is HEX.
You have to convert it.
hex 10 == binary 00010000
regarding the matrix and reading the bits from the right to the left:
this MESSAGE PAIR is from a connect attempt (M1M2 challenge) from a CLIENT to hcxdumptool.
Code:
000 == M1M2 challenge
0 == reserved
1 == ap-less attack (set to 1) - nonce-error-corrections not required
0 == LE router detected (set to 1) - nonce-error-corrections required only on LE
0 == BE router detected (set to 1) - nonce-error-corrections required only on BE
0 == replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory
Default key space SFR_xxxx (vendor SFR):
?l?d, ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1
Default key space Livebox-xxxx (vendor Arcadyan):
?l?u?d, ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1
Default key space Livebox-xxxx (vendor SAGEMCOM):
?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H
impossible to recover by hashcat (even with a GPU farm).
BTW:
The hash from this comment
https://hashcat.net/forum/thread-11513-p...l#pid58698
is easy to recover, because it is not the default PSK.
Code:
WPA*02*f26698......
Took me only a few seconds to get it:
Code:
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: /tmp/x
Time.Started.....: Tue Jul 25 07:41:47 2023 (4 secs)
Time.Estimated...: Tue Jul 25 07:41:51 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 959.7 kH/s (6.31ms) @ Accel:64 Loops:256 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3736554/10354402 (36.09%)
Rejected.........: 1002/3736554 (0.03%)
Restore.Point....: 3580884/10354402 (34.58%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 001AEF24D2F3 -> 737291Ol
Hardware.Mon.#1..: Temp: 53c Fan: 0% Util: 66% Core:2835MHz Mem:10802MHz Bus:16
Started: Tue Jul 25 07:41:47 2023
Stopped: Tue Jul 25 07:41:53 2023
Alright, thanks for taking the time to explain this.
How did you come to that conclusion? I'd be glad to know how to do that, for it would spare some time on cracking possible passwords.
Quote:Default key space SFR_xxxx (vendor SFR):
?l?d, ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1
Default key space Livebox-xxxx (vendor Arcadyan):
?l?u?d, ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1
Default key space Livebox-xxxx (vendor SAGEMCOM):
?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H?H
Just to be sure, when you say MESSAGEPAIR is x0, by x you mean any digit, right? Or is it a HEX convention?
I got it: the MESSAGEPAIR is in hex and I have to convert it to binary to get the bitmask.
From my previous example, hex 10 == binary 00010000; that is very clear, no problem.
How do you go from that?
Code:
000 = M1+M2, EAPOL from M2 (challenge)
3: reserved
4: ap-less attack (set to 1) - nonce-error-corrections not required
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory
to this:
Code:
000 == M1M2 challenge
0 == reserved
1 == ap-less attack (set to 1) - nonce-error-corrections not required
0 == LE router detected (set to 1) - nonce-error-corrections required only on LE
0 == BE router detected (set to 1) - nonce-error-corrections required only on BE
0 == replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory
From my understanding of your reply, I have to read binary from right to left.
I think the doc numbers confuse me; 3,4,5,6,7 are just the 'index' of the bit?
The acronyms are kinda confusing as well.
Quote:So basically, for my example above, the WPA*02 line is not usable since the PSK was not authorized; if I bruteforce that one I might recover a wrong PSK. Am I right?
Yes, I'd be glad though if you could teach me how to know if a PSK is right or wrong by reading the hash like you seem to do.
Again many thanks for your time sir.
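An added example (not code from the thread, from hashcat or from hcxtools) that does what is being asked: it pulls the MESSAGEPAIR byte out of a hashcat 22000 line, reads its bits from the right exactly as explained above, and reports whether the pair is a challenge or an authorized one and which nonce-error-correction hint is set. The meaning of 000 and of bits 3 to 7 is the table quoted above; the other pair types (001 to 101, all authorized, which is why "010 is authorized" was read off earlier) are taken from the hcxpcapngtool documentation, not from this thread. It also computes the size of the three default-PSK masks quoted above and the worst-case time at the 959.7 kH/s visible in the hashcat output, which is where "impossible to recover" comes from. The hash line is constructed (placeholder hex fields, ESSID Livebox-ABCD) and all function names are this example's own.

```python
"""Decode the MESSAGEPAIR field of a hashcat 22000 (WPA*02) line and size the
default-PSK masks from the thread.  Added example, not hashcat/hcxtools code.
Bit layout: pair type 000 and bits 3..7 as quoted in the thread; the other pair
types follow the hcxpcapngtool documentation.  The sample hash is constructed."""
import string

# Bits 2..0 of MESSAGEPAIR: which EAPOL messages were paired and which carried the MIC.
PAIR_TYPES = {
    0b000: ("M1+M2, EAPOL from M2", False),  # challenge: the AP never confirmed the PSK
    0b001: ("M1+M4, EAPOL from M4", True),
    0b010: ("M2+M3, EAPOL from M2", True),
    0b011: ("M2+M3, EAPOL from M3", True),
    0b100: ("M3+M4, EAPOL from M3", True),
    0b101: ("M3+M4, EAPOL from M4", True),
}


def decode_message_pair(value):
    """Split the one-byte MESSAGEPAIR value into its documented fields.

    Bit numbers count from the right (bit 0 is least significant), which is why
    hex 10 == binary 00010000 means 'bit 4 set' with pair type 000."""
    if not 0 <= value <= 0xFF:
        raise ValueError("MESSAGEPAIR is a single byte")
    pair = value & 0b111
    desc, authorized = PAIR_TYPES.get(pair, ("unknown pair type", False))
    flags = {
        "ap_less": bool(value & 0x10),                # bit 4
        "le_router": bool(value & 0x20),              # bit 5
        "be_router": bool(value & 0x40),              # bit 6
        "replaycount_unchecked": bool(value & 0x80),  # bit 7
    }
    # Precedence between flags is this example's choice; the table defines each bit alone.
    if flags["ap_less"]:
        nec = "not required"
    elif flags["replaycount_unchecked"]:
        nec = "mandatory"
    elif flags["le_router"] and flags["be_router"]:
        nec = "required (LE and BE)"
    elif flags["le_router"]:
        nec = "required only on LE"
    elif flags["be_router"]:
        nec = "required only on BE"
    else:
        nec = "not flagged"
    return {"pair_type": pair, "pair_desc": desc, "authorized": authorized,
            "reserved_bit3": bool(value & 0x08), **flags,
            "nonce_error_correction": nec, "binary": f"{value:08b}"}


def parse_22000(line):
    """Split WPA*TYPE*PMKID/MIC*MACAP*MACSTA*ESSID*ANONCE*EAPOL*MESSAGEPAIR."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError("not a hashcat 22000 hash line")
    rec = {"type": "PMKID" if fields[1] == "01" else "EAPOL",
           "mac_ap": fields[3], "mac_sta": fields[4],
           "essid": bytes.fromhex(fields[5]).decode("utf-8", "replace")}
    if rec["type"] == "EAPOL":  # PMKID lines leave the last three fields empty
        rec["message_pair"] = int(fields[8], 16)
        rec.update(decode_message_pair(rec["message_pair"]))
    return rec


# hashcat built-in charsets; ?a is ?l?u?d?s (95 printable ASCII characters).
BUILTIN_CHARSETS = {
    "l": set(string.ascii_lowercase), "u": set(string.ascii_uppercase),
    "d": set(string.digits), "h": set("0123456789abcdef"),
    "H": set("0123456789ABCDEF"), "s": set(string.punctuation) | {" "},
    "b": {chr(i) for i in range(256)},
}
BUILTIN_CHARSETS["a"] = (BUILTIN_CHARSETS["l"] | BUILTIN_CHARSETS["u"]
                         | BUILTIN_CHARSETS["d"] | BUILTIN_CHARSETS["s"])


def expand_charset(spec, custom):
    """Characters denoted by a charset spec such as '?l?d' (hashcat -1 syntax)."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.add("?")  # '??' is a literal question mark
            elif key in custom:
                chars |= expand_charset(custom[key], custom)
            else:
                chars |= BUILTIN_CHARSETS[key]
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars


def mask_keyspace(mask, custom=None):
    """Number of candidates a plain hashcat mask generates (no --increment)."""
    custom, size, i = custom or {}, 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            size *= len(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            i += 1  # a literal position has exactly one choice
    return size


def years_at(keyspace, rate_hps):
    """Worst-case exhaustion time in years at the given hash rate."""
    return keyspace / rate_hps / (365.25 * 24 * 3600)


# Constructed sample: placeholder MIC/MACs/ANONCE/EAPOL hex, ESSID Livebox-ABCD, MESSAGEPAIR 10.
SAMPLE_HASH = "*".join(["WPA", "02", "11" * 16, "aabbccddeeff", "001122334455",
                        "Livebox-ABCD".encode().hex(), "22" * 32, "33" * 99, "10"])

if __name__ == "__main__":
    rec = parse_22000(SAMPLE_HASH)
    print(rec["essid"], rec["binary"], rec["pair_desc"],
          "authorized" if rec["authorized"] else "challenge",
          "nonce-error-corrections:", rec["nonce_error_correction"])
    rate = 959.7e3  # kH/s figure from the hashcat status shown in the thread
    for label, mask, custom in [("SFR_xxxx ?l?d x20", "?1" * 20, {"1": "?l?d"}),
                                ("Livebox Arcadyan ?l?u?d x18", "?1" * 18, {"1": "?l?u?d"}),
                                ("Livebox SAGEMCOM ?H x25", "?H" * 25, {})]:
        ks = mask_keyspace(mask, custom)
        print(f"{label}: about 2^{ks.bit_length() - 1} candidates, {years_at(ks, rate):.1e} years")
```

Run it as a script to see the sample decoded: 0x10 comes out as pair type 000 with bit 4 set, i.e. an AP-less M1M2 challenge in which the AP never confirmed the key, so whatever hashcat recovers from such a line is the PSK the client used, which is the point made above about the WPA*02 line; the three masks come out at roughly 2^103, 2^107 and 2^100 candidates, which no GPU farm exhausts.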