hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
(01-12-2020, 12:43 AM)Mem5 Wrote: Wondering if message pairs are still included, and easy to find/decode, in the new format?
M2M3 or M3M4 are good evidence that the password was correct.

For sure. Last 2 characters in the hashline (MP):
https://github.com/ZerBea/hcxtools/blob/...ool.c#L710
Code:
WPA*TYPE*PMKID-OR-MIC*MAC_AP*MAC_STA*ESSID_HEX*ANONCE*EAPOL*MP
and you can run bash tools to find them:

$ cat test.22000 | grep "\*02$"
will give you all M2M3E2 for example.

The new hashline in combination with the new potfile and outfile format will make life much easier.


Let's take the 2500 and the 16800 example hashes from here:
https://hashcat.net/wiki/doku.php?id=example_hashes
To demonstrate hashcat's latest improvements, convert (hcxmactool) them to the new hash format 22000 WPA-PBKDF2-PMKID+EAPOL
Code:
WPA*01*2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a***
WPA*02*dd380bd54bc9c316dce31562c22c87d1*aef50f22801c*987bdcf9f950*38333831353333343036303033383037363835383831353233*1e33f3eca3a1f2216a52b60c87191e7473ac54ecb023ac5989becf1e3c7e4509*01030077fe010900200000000000000001faf192b205d47b81f43f91f850c81976da019e00722f3958370692ab0562f70b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*00

verify the hashline (is the conversion ok?):
Code:
$ hcxhashtool -i test.22000 --psk='hashcat!'
5b13d4babb3714ccc62c9f71864bc984efd6a55f237c7a87fc2151e1ca658a9d*ed487162465a774bfba60eb603a39f3a:hashcat!
27728647ac66c5edea4d448fd2c1da57cf02e6347b1465a0d43142c6bd6e37b6*38333831353333343036303033383037363835383831353233:hashcat!
looking good, so far - the PSK is confirmed on both hashes. This output is the result of PBKDF2 calculation and similar to hashcat's new potfile format: PMK * ESSID_HEX : PSK

and try to recover the PSKs, running hashcat:
Code:
$ hashcat -m 22000 test.22000 wordlist
hashcat (v5.1.0-1573-g7471ecee+) starting...

4604ba734d4e:89acf0e761f4:$HEX[ed487162465a774bfba60eb603a39f3a]:hashcat!
aef50f22801c:987bdcf9f950:8381533406003807685881523:hashcat!

Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: test.22000
Time.Started.....: Sun Jan 12 21:02:09 2020 (0 secs)
Time.Estimated...: Sun Jan 12 21:02:09 2020 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      24 H/s (0.25ms) @ Accel:16 Loops:32 Thr:1024 Vec:1
Recovered........: 2/2 (100.00%) Digests, 2/2 (100.00%) Salts
Progress.........: 2/2 (100.00%)
Rejected.........: 0/2 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 34c Util: 82% Core:1176MHz Mem: 900MHz Bus:4
Started: Sun Jan 12 21:01:54 2020
Stopped: Sun Jan 12 21:02:11 2020
Both are recovered by hashcat, as expected. The output format is hashcat's new format: MAC_AP : MAC_STA : ESSID_ASCII (hexyfied only if necessary) : PSK

BTW:
Please do not wonder about the low speed. I'm running a very, very, very small wordlist (only a single word). We do not need big word lists, if we know what we are doing.

Additionally, hcxhashtool will show detailed information about the hashes:
Code:
$ hcxhashtool -i test.22000 --info=stdout
SSID.......: �HqbFZwK�����:
MAC_AP.....: 4604ba734d4e (unknown)
MAC_CLIENT.: 89acf0e761f4 (unknown)
PMKID......: 2582a8281bf9d4308d6f5731d0e61c61
HASHLINE...: WPA*01*2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a***

SSID.......: 8381533406003807685881523
MAC_AP.....: aef50f22801c (unknown)
MAC_CLIENT.: 987bdcf9f950 (unknown)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA1
MP M1M2 E2.: not authorized
REPLAYCOUNT: 1
RC INFO....: replycount checked
MIC........: dd380bd54bc9c316dce31562c22c87d1
HASHLINE...: WPA*02*dd380bd54bc9c316dce31562c22c87d1*aef50f22801c*987bdcf9f950*38333831353333343036303033383037363835383831353233*1e33f3eca3a1f2216a52b60c87191e7473ac54ecb023ac5989becf1e3c7e4509*01030077fe010900200000000000000001faf192b205d47b81f43f91f850c81976da019e00722f3958370692ab0562f70b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*00



OUI information file...: /home/zerobeat/.hcxtools/oui.txt
OUI entires............: 27383
total lines read.......: 2
valid hash lines.......: 2
PMKID hash lines.......: 1
EAPOL hash lines.......: 1
PMKID written..........: 1
EAPOL written..........: 1
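
The hashline layout and MP lookup discussed in this post, as an added Python example that is not part of the original post or of hcxtools: it parses 22000 lines, decodes the low three MP bits using the message-pair table from the hashcat wiki, and rechecks the post's PMKID example against the known PSK `hashcat!`. The PMKID derivation (PBKDF2-HMAC-SHA1 with 4096 iterations, then HMAC-SHA1 over "PMK Name" plus both MACs) is the standard WPA2 one; the function names and the EAPOL sample line are constructed for illustration.

```python
import hashlib
import hmac

# Low three bits of MP -> (message pair, authorized?), per the hashcat wiki table.
MESSAGE_PAIRS = {
    0: ("M1+M2, EAPOL from M2", False),  # challenge only: PSK not proven correct
    1: ("M1+M4, EAPOL from M4", True),
    2: ("M2+M3, EAPOL from M2", True),
    3: ("M2+M3, EAPOL from M3", True),
    4: ("M3+M4, EAPOL from M3", True),
    5: ("M3+M4, EAPOL from M4", True),
}

# PMKID line taken from the post; the EAPOL line is constructed (dummy values).
PMKID_LINE = ("WPA*01*2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4"
              "*ed487162465a774bfba60eb603a39f3a***")
EAPOL_LINE = ("WPA*02*" + "00" * 16 + "*aabbccddeeff*112233445566*74657374*"
              + "11" * 32 + "*0103*02")

def parse_hashline(line):
    """Split one 22000 hashline into named fields (layout as given in the post)."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a 22000 hashline")
    rec = {"type": "PMKID" if f[1] == "01" else "EAPOL", "pmkid_or_mic": f[2],
           "mac_ap": f[3], "mac_sta": f[4], "essid": bytes.fromhex(f[5]),
           "anonce": f[6], "eapol": f[7], "pair": None, "authorized": None}
    if rec["type"] == "EAPOL":  # MP is only populated on EAPOL lines
        rec["pair"], rec["authorized"] = MESSAGE_PAIRS.get(
            int(f[8], 16) & 0x07, ("reserved", None))
    return rec

def psk_matches_pmkid(rec, psk):
    """Recompute the PMKID of a type-01 line from a known PSK and compare."""
    if rec["type"] != "PMKID":
        raise ValueError("PMKID check needs a WPA*01 line")
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode(), rec["essid"], 4096, 32)
    msg = b"PMK Name" + bytes.fromhex(rec["mac_ap"]) + bytes.fromhex(rec["mac_sta"])
    pmkid = hmac.new(pmk, msg, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(pmkid, bytes.fromhex(rec["pmkid_or_mic"]))

if __name__ == "__main__":
    for line in (PMKID_LINE, EAPOL_LINE):
        r = parse_hashline(line)
        print(r["type"], r["mac_ap"], r["essid"], r["pair"], r["authorized"])
    print("PSK confirmed:", psk_matches_pmkid(parse_hashline(PMKID_LINE), "hashcat!"))
```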