Plugins 2500/2501 and 16800/16801 are deprecated
Your request will produce significant redundant overhead which is not necessary.
It is not the purpose of the hash line to be human readable. Instead it should be readable in a fast way by the tools on the cracking machine (hashcat or bash tools or other tools like hcxhashtool - but definitely not by a human).

BTW1:
1. Mark the PMKID hash in front
The PMKID is marked in front as WPA*01

You can do filtering in a very easy way by bash tools:

get PMKIDs only:
Code:
$ grep "WPA.01" hashfile.hc22000

get authenticated handshakes only:
Code:
$ grep "WPA.02" hashfile.hc22000 | grep "2$"

BTW2:
2. The hash of the handshake is best to mark whether those hashes are valid, so that everyone can recover the password faster and save time.
Every converted hash should be a valid hash (depending on the quality of the dump tool in handling possible packet loss and of the conversion tool regarding EAPOL TIMEOUT, NC detection and RC evaluation). The PSK from this hash is recoverable, but it may not belong to your target network if it is converted from M1M2.

Overview of valid MESSAGE PAIRs belonging to the same AUTHENTICATION SEQUENCE:
M1M2 = challenge and RC on M1 and M2 are the same
M2M3 = authenticated (by AP) and RC of M3 = RC M2 +1
M3M4 = authenticated (by CLIENT) and RC on M3 and M4 are the same
M1M4 = authenticated (by CLIENT) and RC of M1 = RC M4 +1

Example of invalid MESSAGE PAIRs (NC not possible = PSK not recoverable):
M1RC1M2RC9
M2RC3M3RC14

Example of invalid MESSAGE PAIRs that can be converted to valid MESSAGE PAIRS (NC possible = PSK recoverable) by hashcat default NC option (8):
M1RC1M2RC3
M2RC3M3RC5
It is not mandatory that they belong to the same AUTHENTICATION sequence, as long as NC is possible.

State of the art attack tools should detect a packet loss and request the packet again. Also they shouldn't run excessive deauthentications/disassociations which cause an AP to reset its EAPOL timers, counters and ANONCE or to start a new AUTHENTICATION sequence.
State of the art conversion tools should detect if NC is possible or not.

BTW3 (experienced users):
The most important MESSAGE PAIR is M1M2ROGUE coming from hcxdumptool/hcxlabtool attack against a weak CLIENT:
Code:
hcxdumptool option:
--stop_client_m2_attacks=<digit>   : stop attacks against CLIENTS after 10 M2 frames received
                                     affected: ap-less (EAPOL 2/4 - M2) attack
                                     require hcxpcangtool --all option

hcxlabtool option:
--m2attempt=<digit>       : reject CLIENT request after n received M2 frames
                            default: 10 received M2 frames
In combination with hcxpcapngtool --all and -E it will give useful information about the wpa_supplicant.conf entries of the CLIENT.

BTW4:
Please do not post real hashes, because it is against the forum rules.

Legend:
RC = replaycount
NC = nonce error correction on BE and LE routers
BE = big endian
LE = low endian
M1 = EAPOL message 1 (AP) of 4way handshake
M2 = EAPOL message 2 (CLIENT) of 4way handshake
M3 = EAPOL message 3 (AP) of 4way handshake
M4 = EAPOL message 4 (CLIENT) of 4way handshake (useless if SNONCE is zeroed)
ROGUE = coming from hcxdumptool/hcxlabtool attack
PSK = pre-shared key (password of the NETWORK)


Notice:
hcxhashtool provides various filtering options, especially on big hash files (e.g. > 100 hashes):
Code:
$ hcxhashtool -h
hcxhashtool 6.2.4-1-g34a4170 (C) 2021 ZeroBeat
usage:
hcxhashtool <options>

options:
-i <file>   : input PMKID/EAPOL hash file
-o <file>   : output PMKID/EAPOL hash file
-E <file>   : output ESSID list (autohex enabled)
-d          : download http://standards-oui.ieee.org/oui.txt
              and save to ~/.hcxtools/oui.txt
              internet connection required
-h          : show this help
-v          : show version

--essid-group                : convert to ESSID groups in working directory
                               full advantage of reuse of PBKDF2
                               not on old hash formats
--oui-group                  : convert to OUI groups in working directory
                               not on old hash formats
--mac-group-ap               : convert APs to MAC groups in working directory
                               not on old hash formats
--mac-group-client           : convert CLIENTs to MAC groups in working directory
                               not on old hash formats
--type=<digit>               : filter by hash type
                               bitmask:
                                1 = PMKID
                                2 = EAPOL
                               default PMKID and EAPOL (1+2=3)
--hcx-min=<digit>            : disregard hashes with occurrence lower than hcx-min/ESSID
--hcx-max=<digit>            : disregard hashes with occurrence higher than hcx-max/ESSID
--essid-len                  : filter by ESSID length
                               default ESSID length: 0...32
--essid-min                  : filter by ESSID minimum length
                               default ESSID minimum length: 0
--essid-max                  : filter by ESSID maximum length
                               default ESSID maximum length: 32
--essid=<ESSID>              : filter by ESSID
--essid-part=<part of ESSID> : filter by part of ESSID
--essid-list=<file>          : filter by ESSID file
--mac-ap=<MAC>               : filter AP by MAC
                               format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--mac-client=<MAC>           : filter CLIENT by MAC
                               format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--mac-list=<file>            : filter by MAC file
                               format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--mac-skiplist=<file>        : exclude MAC from file
                               format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--oui-ap=<OUI>               : filter AP by OUI
                               format: 001122, 00:11:22, 00-11-22 (hex)
--oui-client=<OUI>           : filter CLIENT by OUI
                               format: 001122, 00:11:22, 00-11-22 (hex)
--vendor=<VENDOR>            : filter AP or CLIENT by (part of) VENDOR name
--vendor-ap=<VENDOR>         : filter AP by (part of) VENDOR name
--vendor-client=<VENDOR>     : filter CLIENT by (part of) VENDOR name
--authorized                 : filter EAPOL pairs by status authorized
--notauthorized              : filter EAPOL pairs by status CHALLENGE (not authorized)
--rc                         : filter EAPOL pairs by replaycount status checked
--apless                     : filter EAPOL pairs by status M1M2ROGUE (M2 requested from CLIENT)
--info=<file>                : output detailed information about content of hash file
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info=stdout                : stdout output detailed information about content of hash file
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info-vendor=<file>         : output detailed information about ACCESS POINT and CLIENT VENDORs
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info-vendor-ap=<file>      : output detailed information about ACCESS POINT VENDORs
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info-vendor-client=<file>  : output detailed information about ACCESS POINT VENDORs
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info-vendor=stdout         : stdout output detailed information about ACCESS POINT and CLIENT VENDORs
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info-vendor-ap=stdout      : stdout output detailed information about ACCESS POINT VENDORs
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info-vendor-client=stdout  : stdout output detailed information about ACCESS POINT VENDORs
                               not in combination with --vendor, --vendor-ap or --vendor-client
--psk=<PSK>                  : pre-shared key to test
                               due to PBKDF2 calculation this is a very slow process
                               no nonce error corrections
--pmk=<PMK>                  : plain master key to test
                               no nonce error corrections
--hccapx=<file>              : output to deprecated hccapx file
--hccap=<file>               : output to ancient hccap file
--hccap-single               : output to ancient hccap single files (MAC + count)
--john=<file>                : output to deprecated john file
--vendorlist                 : stdout output complete OUI list sorted by OUI
--help                       : show this help
--version                    : show version


Messages In This Thread
RE: Plugins 2500/2501 and 16800/16801 are deprecated - by ZerBea - 09-16-2021, 08:31 AM
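Added example (not from the post above and not code from hcxtools or hashcat): the 9-field hc22000 line layout, the two grep filters from the post done on parsed fields, and the slow PBKDF2 check behind "--psk" for a PMKID line. The sample lines are constructed in the code (lab ESSID, locally administered MACs, made-up PSK); the PMKID line is computed from that PSK so it verifies, the two EAPOL lines carry dummy MIC/ANONCE/EAPOL bytes and only their MESSAGEPAIR field is meaningful. Only the message-pair index in the low 3 bits is decoded; the flag bits (AP-less, LE/BE, replaycount checked) are returned raw because their exact positions should be taken from the current hashcat wiki. Function names are this example's own.

```python
"""Parse, filter and PSK-test hashcat 22000 (hc22000) hash lines. Example code,
not hcxtools or hashcat; the sample lines below are constructed, not real captures."""
import hashlib
import hmac

# Message-pair index in the low 3 bits of the MESSAGEPAIR field, as in the
# hccapx/22000 format description. Index 0 is the unauthenticated M1M2 challenge.
MESSAGE_PAIRS = {0: "M1M2", 1: "M1M4", 2: "M2M3", 3: "M2M3", 4: "M3M4", 5: "M3M4"}


def pmk_from_psk(psk: str, essid: bytes) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(PSK, ESSID, 4096 rounds, 32 bytes).
    This is the slow step the --psk help text warns about."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_client: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_CLIENT)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_client, hashlib.sha1).digest()[:16]


def parse_hc22000(line: str) -> dict:
    """Split one WPA*01 (PMKID) or WPA*02 (EAPOL) line into its 9 '*' fields."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError(f"not an hc22000 line: {line!r}")
    rec = {
        "type": "PMKID" if f[1] == "01" else "EAPOL",
        "hash": bytes.fromhex(f[2]),        # PMKID or EAPOL MIC
        "mac_ap": bytes.fromhex(f[3]),
        "mac_client": bytes.fromhex(f[4]),
        "essid": bytes.fromhex(f[5]),
    }
    if rec["type"] == "EAPOL":
        mp = int(f[8], 16)
        rec["anonce"] = bytes.fromhex(f[6])
        rec["eapol"] = bytes.fromhex(f[7])
        rec["message_pair"] = MESSAGE_PAIRS.get(mp & 0x07, "unknown")
        rec["authorized"] = 0 < (mp & 0x07) <= 5   # everything except the M1M2 challenge
        rec["flags"] = mp & 0xF8   # AP-less / LE / BE / RC-checked bits: see the hashcat wiki
    return rec


def select(lines, pmkid_only=False, authorized_only=False):
    """The two grep filters from the post, applied to parsed fields instead of text."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_hc22000(line)
        if pmkid_only and rec["type"] != "PMKID":
            continue
        if authorized_only and not rec.get("authorized", False):
            continue
        out.append(rec)
    return out


def verify_psk(rec: dict, psk: str) -> bool:
    """Test one candidate PSK against a PMKID line (what --psk does for type 01).
    EAPOL lines also need the PTK/MIC derivation and are not handled here."""
    if rec["type"] != "PMKID":
        raise ValueError("only PMKID lines are checked by this example")
    pmk = pmk_from_psk(psk, rec["essid"])
    return hmac.compare_digest(pmkid(pmk, rec["mac_ap"], rec["mac_client"]), rec["hash"])


def make_pmkid_line(psk: str, essid: bytes, mac_ap: bytes, mac_client: bytes) -> str:
    """Build a WPA*01 line for a known PSK so the example has a verifiable sample."""
    p = pmkid(pmk_from_psk(psk, essid), mac_ap, mac_client)
    return "*".join(["WPA", "01", p.hex(), mac_ap.hex(), mac_client.hex(), essid.hex(), "", "", ""])


# Constructed sample data: lab ESSID, locally administered MACs, made-up PSK.
# The two EAPOL lines carry dummy MIC/ANONCE/EAPOL bytes; only their
# MESSAGEPAIR field (00 = M1M2 challenge, 02 = M2M3 authorized) matters here.
ESSID, PSK = b"lab-ssid", "correct horse"
MAC_AP, MAC_CLIENT = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE_LINES = [
    make_pmkid_line(PSK, ESSID, MAC_AP, MAC_CLIENT),
    "WPA*02*" + "11" * 16 + "*" + MAC_AP.hex() + "*" + MAC_CLIENT.hex() + "*" + ESSID.hex()
    + "*" + "22" * 32 + "*" + "33" * 8 + "*00",
    "WPA*02*" + "44" * 16 + "*" + MAC_AP.hex() + "*" + MAC_CLIENT.hex() + "*" + ESSID.hex()
    + "*" + "55" * 32 + "*" + "66" * 8 + "*02",
]

if __name__ == "__main__":
    for rec in select(SAMPLE_LINES):
        print(rec["type"], rec.get("message_pair", ""), "authorized" if rec.get("authorized") else "")
    print("PSK matches PMKID:", verify_psk(select(SAMPLE_LINES, pmkid_only=True)[0], PSK))
```

The "2$" grep in the post matches any MESSAGEPAIR whose low nibble is 2, i.e. index 2 (M2M3) with whatever flag bits sit above it; filtering on the parsed index does the same without depending on the line ending.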