Plugins 2500/2501 and 16800/16801 are deprecated


Since version 6.0.0, hashcat has been offering the new hash mode 22000, which we have not discussed in detail so far:

Code:
  22000 | WPA-PBKDF2-PMKID+EAPOL
  22001 | WPA-PMK-PMKID+EAPOL

Our goal is to replace the existing hash modes 2500 and 16800 (the .hccap and .hccapx file formats) with the new hash mode 22000:

Quote:
  2500 | WPA-EAPOL-PBKDF2
  2501 | WPA-EAPOL-PMK

Quote:
  16800 | WPA-PMKID-PBKDF2
  16801 | WPA-PMKID-PMK

With this thread we want to explain the reasons for the update and explain the details of the new format.

We should have added this announcement at the same time as the release of the new hash mode to get the community's attention. We're seeing some movement towards the new 22000 mode, but we're also seeing a lot of people referring to outdated techniques when it comes to WPA cracking in general, and most of the time they involve hash mode 2500, 16800, or even older tools.

We want to set up a reference that you can link people to who are still using old tools, formats and techniques. This will probably never end, as there are so many (now outdated) videos, documents, tutorials and training courses in the wild. But we have to get started somewhere.

If you see people talking about using -m 2500 or -m 16800, link them to this thread.

Note: this is not a new attack like PMKID was.



So what are the benefits of hash mode 22000?
  • The hash mode 22000 hash line combines PMKIDs and EAPOL MESSAGE PAIRs in a single file
  • Having all the different handshake types in a single file allows for efficient reuse of PBKDF2 (one PMK per ESSID/PSK pair serves every PMKID and EAPOL line of that network) to save GPU cycles
  • It is no longer a binary format, which allows various standard tools to be used to filter or process the hashes
  • It is no longer a binary format, which makes it easier to copy / paste anywhere as it is just text
  • The best tools for capturing and filtering WPA handshakes output the hash mode 22000 format directly (see tools below)



In order to be able to use the hash mode 22000 to the full extent, you need the following tools:

Optionally there is hcxlabtool, which you can use as an experienced user or in headless operation instead of hcxdumptool: https://github.com/ZerBea/wifi_laboratory

For users who don't want to struggle with compiling hcxtools from sources there is an online converter: https://hashcat.net/cap2hashcat/

If you choose the online converter, you may need to remove some data from your dump file if the file size is too large. Most of the time, this happens when data traffic is also being recorded.

You can reduce the size with tshark, keeping only the frames the converter needs (association / reassociation requests, probe requests and responses, beacons and EAPOL):

Code:
# subtypes: 0x00 assoc req, 0x02 reassoc req, 0x04 probe req, 0x05 probe resp, 0x08 beacon
tshark -r dumpfile.cap/pcap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcapng -w stripped.pcapng



ATTENTION!!! Please read carefully and respect:

Do not clean up the cap / pcap file (e.g. with wpaclean), as this will remove useful and important frames from the dump file.
Do not use filtering options while collecting WiFi traffic.



hcxdumptool / hcxlabtool offer several attack modes that other tools do not.

This includes the PMKID attack, which is described here: https://hashcat.net/forum/thread-7717.html

It also includes AP-less client attacks and a lot more.

The traffic is saved in pcapng format, which is the standard format used by Wireshark / tshark. Additional information (NONCE, REPLAYCOUNT, MAC, hash values calculated during the session) is stored in pcapng option fields. hcxpcapngtool uses these option fields to calculate the best hash values and to avoid unbreakable hashes as far as possible.

In addition, hashcat is told how to handle the hash via the message pair field. When hcxdumptool is connected to a GPS device, it also saves the GPS coordinates of the frames.



Example of how traffic from the target is captured:

1. Stop all services that are accessing the WLAN device (e.g. NetworkManager and wpa_supplicant.service)

Code:
$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service

2. Start the attack, wait until you have received PMKIDs and / or EAPOL message pairs, then exit hcxdumptool

Code:
$ hcxdumptool -i interface -o dumpfile.pcapng --active_beacon --enable_status=15

3. Restart stopped services to reactivate your network connection

Code:
$ sudo systemctl start wpa_supplicant.service
$ sudo systemctl start NetworkManager.service

4. Convert the traffic to hash format 22000 (-E additionally writes the ESSIDs and other strings found in the capture to a wordlist)

Code:
$ hcxpcapngtool -o hash.hc22000 -E wordlist.txt dumpfile.pcapng

5. Run hashcat with the wordlist obtained from the WPA traffic

Code:
$ hashcat -m 22000 hash.hc22000 wordlist.txt

For more options, see the tools help menu (-h or --help) or this thread: https://hashcat.net/forum/thread-6661-po...l#pid52103

Get more examples from here: https://github.com/evilsocket/pwnagotchi...-598597214

Run hashcat with the excellent WPA word list from wpa-sec, or check out their free online service:

Code:
$ wget https://wpa-sec.stanev.org/dict/cracked.txt.gz
$ hashcat -m 22000 hash.hc22000 cracked.txt.gz

Get more examples from here: https://github.com/hashcat/hashcat/issues/2923



Examples of working with hc22000 hash files:

Filter hash file by PMKID

Code:
$ grep 'WPA\*01' hash.hc22000 > pmkid.hc22000
$ hcxhashtool -i hash.hc22000 --type=1 -o pmkid.hc22000

Filter hash file by EAPOL

Code:
$ grep 'WPA\*02' hash.hc22000 > eapol.hc22000
$ hcxhashtool -i hash.hc22000 --type=2 -o eapol.hc22000

Filter by MAC (the MAC appears as its own '*'-delimited field, so the surrounding '*' keep grep from matching inside the PMKID / MIC or EAPOL hex):

Code:
$ grep '\*112233445566\*' hash.hc22000 > mac.hc22000
$ hcxhashtool -i hash.hc22000 --mac-ap=112233445566 -o mac.hc22000
$ hcxhashtool -i hash.hc22000 --mac-client=112233445566 -o mac.hc22000



For developers

The new hash format 22000 in detail:

Code:
PROTOCOL*TYPE*PMKID/MIC*MACAP*MACCLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR

PROTOCOL = Fixed string "WPA"
TYPE = 01 for PMKID, 02 for EAPOL
PMKID/MIC = PMKID if TYPE=01, MIC if TYPE=02
MACAP = MAC of AP
MACCLIENT = MAC of CLIENT
ESSID = network name (ESSID) in HEX
ANONCE = ANONCE
EAPOL = EAPOL (SNONCE is in here)
MESSAGEPAIR = Bitmask:

The pot file format in detail (result of the PBKDF2 calculation):

Code:
PMK*ESSID:PSK

PMK = Pairwise Master Key
ESSID = network name (ESSID) in HEX
PSK = Pre Shared Key

The out file format in detail:

Code:
PMKID/MIC:MACAP:MACCLIENT:ESSID:PSK

PMKID/MIC = PMKID or MIC depending on hash type
MACAP = MAC of AP
MACCLIENT = MAC of CLIENT
ESSID = network name (ESSID) in plain
PSK = Pre Shared Key

All the discussion about finding the details of this new format is here: https://github.com/hashcat/hashcat/issues/1816



One last note: the plugins 2500/2501 and 16800/16801 receive a deprecated flag in the hashcat module that blocks the use of the plugin. There may be a parameter you can set to work around this if you really have to, but keep it to yourself :)

- atom
Reply
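The hash line layout described under "For developers" above, as an added example that is not part of the original post or of the hashcat / hcxtools projects: a small pure-Python parser for hc22000 lines plus a verifier that checks one candidate PSK against a TYPE 01 (PMKID) or TYPE 02 (EAPOL) line. It goes beyond the post in that it carries the check through end to end: the PSK to PMK derivation (PBKDF2-HMAC-SHA1, 4096 iterations), the PMKID construction (HMAC-SHA1-128 over "PMK Name" || MAC_AP || MAC_CLIENT), the PTK/KCK derivation (802.11i PRF with HMAC-SHA1) and the EAPOL MIC (HMAC-MD5 or HMAC-SHA1 depending on the key descriptor version) all follow IEEE 802.11i and are assumptions the post itself does not spell out. Key descriptor version 3 (AES-CMAC) is not handled, and the message pair bitmask is kept as a raw integer because its bit layout is not given on this page. All sample values (ESSID, MACs, nonces, PSK, the EAPOL frame) are constructed, not taken from a capture.

```python
"""Parse and verify hashcat hash mode 22000 (hc22000) lines in pure Python.

Added example; not code from the forum post, hashcat or hcxtools. The PSK -> PMK,
PMKID, PTK and EAPOL MIC constructions follow IEEE 802.11i (an assumption the post
does not spell out). All sample values below are constructed, not from a capture.
"""
import hashlib
import hmac

FIELDS = ("protocol", "type", "pmkid_or_mic", "mac_ap", "mac_client",
          "essid", "anonce", "eapol", "message_pair")


def parse_hc22000(line):
    """Split one hash line into its nine '*'-separated fields, hex-decoded."""
    parts = line.strip().split("*")
    if len(parts) != 9 or parts[0] != "WPA" or parts[1] not in ("01", "02"):
        raise ValueError("not a hash mode 22000 line: %r" % line)
    rec = dict(zip(FIELDS, parts))
    for key in ("pmkid_or_mic", "mac_ap", "mac_client", "essid"):
        rec[key] = bytes.fromhex(rec[key])          # ESSID is stored as hex on the line
    if rec["type"] == "02":                         # EAPOL line: ANONCE, frame and bitmask are set
        rec["anonce"] = bytes.fromhex(rec["anonce"])
        rec["eapol"] = bytes.fromhex(rec["eapol"])
        rec["message_pair"] = int(rec["message_pair"], 16)   # raw bitmask, not decoded here
    return rec


def pmk_from_psk(psk, essid):
    """PMK = PBKDF2-HMAC-SHA1(PSK, ESSID, 4096, 32); the part 22000 reuses across lines."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)


def pmkid(pmk, mac_ap, mac_client):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_CLIENT)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_client, hashlib.sha1).digest()[:16]


def kck_from_pmk(pmk, mac_ap, mac_client, anonce, snonce):
    """First 16 bytes of the PTK (the KCK) from the 802.11i PRF with HMAC-SHA1."""
    data = (min(mac_ap, mac_client) + max(mac_ap, mac_client)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return ptk[:16]


def eapol_mic(kck, eapol):
    """MIC over the whole EAPOL-Key frame; the MIC field on the hash line is already zeroed."""
    keyver = eapol[6] & 0x07                        # low 3 bits of the Key Information field
    if keyver == 1:                                 # WPA1 / TKIP
        return hmac.new(kck, eapol, hashlib.md5).digest()[:16]
    if keyver == 2:                                 # WPA2 / CCMP
        return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]
    raise NotImplementedError("key descriptor version %d (AES-CMAC) not handled" % keyver)


def verify_psk(line, psk):
    """True if the candidate PSK reproduces the PMKID (TYPE 01) or MIC (TYPE 02) on the line."""
    rec = parse_hc22000(line)
    pmk = pmk_from_psk(psk, rec["essid"])
    if rec["type"] == "01":
        return hmac.compare_digest(pmkid(pmk, rec["mac_ap"], rec["mac_client"]), rec["pmkid_or_mic"])
    snonce = rec["eapol"][17:49]                    # SNONCE sits inside the EAPOL-Key frame
    kck = kck_from_pmk(pmk, rec["mac_ap"], rec["mac_client"], rec["anonce"], snonce)
    return hmac.compare_digest(eapol_mic(kck, rec["eapol"]), rec["pmkid_or_mic"])


# ---- constructed fixtures: made-up ESSID, MACs, nonces and PSK, not a real capture ----
ESSID, PSK = b"example-net", "correct horse battery"
MAC_AP, MAC_CLIENT = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))


def build_pmkid_line(psk=PSK):
    """TYPE 01 line: ANONCE, EAPOL and MESSAGEPAIR are empty."""
    pid = pmkid(pmk_from_psk(psk, ESSID), MAC_AP, MAC_CLIENT)
    return "WPA*01*%s*%s*%s*%s***" % (pid.hex(), MAC_AP.hex(), MAC_CLIENT.hex(), ESSID.hex())


def build_eapol_line(psk=PSK):
    """TYPE 02 line from a minimal WPA2 message 2 (Key Info 0x010a: version 2, pairwise, MIC)."""
    body = (bytes([2]) + (0x010a).to_bytes(2, "big") + bytes(2) + (1).to_bytes(8, "big")
            + SNONCE + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))   # MIC zeroed
    frame = bytes([1, 3]) + len(body).to_bytes(2, "big") + body                  # EAPOL v1, Key
    kck = kck_from_pmk(pmk_from_psk(psk, ESSID), MAC_AP, MAC_CLIENT, ANONCE, SNONCE)
    return "WPA*02*%s*%s*%s*%s*%s*%s*00" % (eapol_mic(kck, frame).hex(), MAC_AP.hex(),
                                           MAC_CLIENT.hex(), ESSID.hex(), ANONCE.hex(), frame.hex())


if __name__ == "__main__":
    for hashline in (build_pmkid_line(), build_eapol_line()):
        print(hashline[:6], "correct PSK:", verify_psk(hashline, PSK),
              "wrong PSK:", verify_psk(hashline, "wrong psk"))
```

The PMK is computed once per (PSK, ESSID) pair and then checked against both line types, which is exactly the reuse the post credits to keeping PMKIDs and EAPOL message pairs in one file. The "00" message pair value in the constructed EAPOL line is a placeholder; on a real line hcxpcapngtool sets it from the capture.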


Messages In This Thread
Plugins 2500/2501 and 16800/16801 are deprecated - by atom - 08-10-2021, 06:12 PM