md5 Candidates.#1
#6
Your question is already answered here:
https://hashcat.net/forum/thread-10557-p...l#pid54451

MICs of 4way handshakes or PMKIDs are not(!) MD5 or MD4.
Don't (never, under no circumstances) trust a Google search result!!!

It takes much more than a single PMKID or a MIC copied from a Wireshark field to recover the PSK. Depending on PMKID or 4way handshake, additional information like ESSID, MAC AP, MAC CLIENT, ANONCE, SNONCE and at least a complete M2 (or M3 or not zeroed M4) EAPOL MESSAGE is mandatory.

Here is an example EAPOL PMKID from the example hashes:
https://hashcat.net/wiki/doku.php?id=example_hashes
22000 WPA-PBKDF2-PMKID+EAPOL WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***

The PMKID is definitely not MD5 or MD4
Code:
PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256)
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

run it through an online analyzer, e.g.:
https://www.tunnelsup.com/hash-analyzer/
Hash: 4d4fe7aac3a2cecab195321ceb99a7d0
Salt: Not Found
Hash type: MD5 or MD4
Bit length: 128
Character length: 32
Character type: hexidecimal

and it failed epically!!!
Looks like this hash-analyzer only takes the length of the hash to identify the type.

While hashcat is able to recover the PSK:
Code:
$ hashcat -m 22000 "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***" -a 3 hashcat!
hashcat (v6.2.5-52-g806257f2e) starting

4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747f87f9f4:hashcat-essid:hashcat!
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: 4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747...-essid
Time.Started.....: Thu Jan  6 07:32:28 2022 (0 secs)
Time.Estimated...: Thu Jan  6 07:32:28 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       35 H/s (0.74ms) @ Accel:64 Loops:256 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 32c Util:  7% Core:1770MHz Mem:3500MHz Bus:8

Started: Thu Jan  6 07:32:26 2022
Stopped: Thu Jan  6 07:32:30 2022

The same applies to a MIC of a 4way handshake as described here:
https://hashcat.net/forum/thread-10496-p...l#pid54230

The MIC is definitely not MD5 or MD4
Code:
PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256)
PTK = PRF(PMK + ANONCE + SNONCE + MAC AP + MAC CLIENT)

run it through the same online analyzer:
https://www.tunnelsup.com/hash-analyzer/
Hash: 6ec572e97e2ede5a6099bf964fa880fd
Salt: Not Found
Hash type: MD5 or MD4
Bit length: 128
Character length: 32
Character type: hexidecimal

and as expected, it failed again (epically).
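
The PMKID derivation quoted in the post above, checked against the example 22000 line and the PSK shown in the hashcat output. This is an added example, not part of the original post and not hashcat's code; the function names are hypothetical.

```python
import hashlib
import hmac

# Example line from the post (hashcat example hash, mode 22000, type 01 = PMKID).
LINE = ("WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*"
        "686173686361742d6573736964***")


def parse_22000_pmkid(line):
    """Split a WPA*01 line into the fields the post lists as mandatory."""
    fields = line.split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a WPA*01 (PMKID) line")
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "mac_ap": bytes.fromhex(fields[3]),
        "mac_sta": bytes.fromhex(fields[4]),
        "essid": bytes.fromhex(fields[5]),
    }


def compute_pmkid(psk, essid, mac_ap, mac_sta):
    # PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256 bits)
    pmk = hashlib.pbkdf2_hmac("sha1", psk, essid, 4096, 32)
    # PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" | MAC_AP | MAC_STA)
    msg = b"PMK Name" + mac_ap + mac_sta
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


def psk_matches(line, psk):
    """True if the PSK reproduces the PMKID stored in the line."""
    f = parse_22000_pmkid(line)
    got = compute_pmkid(psk.encode(), f["essid"], f["mac_ap"], f["mac_sta"])
    return hmac.compare_digest(got, f["pmkid"])


def md5_matches(line, psk):
    """What a length-based 'MD5' guess implies: a bare digest of the PSK."""
    digest = hashlib.md5(psk.encode()).digest()
    return digest == parse_22000_pmkid(line)["pmkid"]


if __name__ == "__main__":
    print("ESSID:", parse_22000_pmkid(LINE)["essid"].decode())
    print("PMKID formula matches:", psk_matches(LINE, "hashcat!"))
    print("plain MD5 matches:    ", md5_matches(LINE, "hashcat!"))
```

Both values are 128 bits long, which is all a length-based analyzer sees; only the PBKDF2/HMAC-SHA1 computation with the ESSID and both MAC addresses reproduces the PMKID.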