hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
@CyberPentester, I really want to answer your question, received by PM
Code:
I wanted to ask you directly since you are quite the expert on this field.

1. Let's say I got 2 PMKID hashes and 1 WPA Handshake, all from the same WiFi network, using hcxpcapngtool. Would hashcat crack faster if I give all 3 hashes? Or is selecting just 1 PMKID faster?

2. Do you know of any tool (maybe a hashcat option does this) that can bruteforce passwords with a mask attack based on probability? For example: A WiFi password that consists of 10 digits where different random numbers ("1634845593") are more probable than say "1111111111" or "22224444".

But you disabled private messaging!
Code:
Please correct the following errors before continuing:
    CyberPentester has private messaging disabled. You cannot send private messages to this user.

To answer 1) we have to take a closer look at the calculation of the keys:
The construction (PBKDF2 calculation) of the plainmasterkey (PMK) is the same for both hash types (PMKID and EAPOL 4way) and takes a long period of CPU/GPU time.
This part is a really slow part.
Luckily, we only need to calculate PBKDF2 once (for each different ESSID) and can use it for the PMKID and MIC (EAPOL 4way) calculation:
https://github.com/hashcat/hashcat/issues/1816

In the second part, PMKID calculation (PMKID) is much faster:
Code:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
than calculating a MIC from EAPOL (4way handshake) wpa1:
calculate PKE, calculate PTK, calculate MIC (encrypt message and compare MIC) for WPA1:
Code:
/* PRF: HMAC-SHA1 over the 100-byte PKE data, block p fills 20 bytes of the PTK */
HMAC(EVP_sha1(), pmk, 32, pkedata, 100, ptk + p * 20, NULL);
/* WPA1 (key version 1): MIC = HMAC-MD5 over the EAPOL frame, keyed with the 16-byte KCK */
HMAC(EVP_md5(), &ptk, 16, eapol, eapol_len, mic, NULL);
or wpa2:
calculate PKE, calculate PTK, calculate MIC (encrypt message and compare MIC) for WPA2:
Code:
/* PRF: HMAC-SHA1 over the 100-byte PKE data, block p fills 20 bytes of the PTK */
HMAC(EVP_sha1(), pmk, 32, pkedata, 100, ptk + p * 20, NULL);
/* WPA2 (key version 2): MIC = HMAC-SHA1 over the EAPOL frame, keyed with the 16-byte KCK */
HMAC(EVP_sha1(), &ptk, 16, eapol, eapol_len, mic, NULL);
or wpa2 keyversion3:
calculate PKE, calculate PTK, calculate MIC (encrypt message and compare MIC) for WPA2 key version 3:
Code:
/* KDF: HMAC-SHA256 over counter (2) + label/context (98) + length (2), output is the PTK */
HMAC(EVP_sha256(), pmk, 32, pkedata_prf, 2 + 98 + 2, ptk, NULL);
/* WPA2 (key version 3): MIC = AES-128-CMAC over the EAPOL frame, keyed with the KCK */
omac1_aes_128(&ptk, eapol, eapol_len, mic);
If you only want to recover the PSK just use the PMKID hash line (WPA*01*) and remove the EAPOL 4way hash lines (WPA*02*) for that ESSID.


The second question is not easy to answer, because it depends on the target.
If the default password algo is known, routerkeygen (RKG) should be the first choice.
https://github.com/routerkeygen/routerkeygenPC
If the default key space is known, hcxpsktool could be a choice.
Additionally, you can do a picture search (e.g. DuckDuckGo or eBay) to find a possible pattern and use it as a mask file.
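The key derivation chain described above, as an added example that is not part of ZerBea's post and not code from hcxtools or hashcat. It shows why one PMKID line is enough: the slow PBKDF2 step produces the PMK once per candidate passphrase, after which the PMKID costs a single HMAC-SHA1 while the EAPOL MIC costs the four PRF HMACs plus one more. All ESSID, MAC, nonce and passphrase values are constructed for the example; the EAPOL-Key frame is built locally rather than taken from a capture, and only key versions 1 (HMAC-MD5) and 2 (HMAC-SHA1) are implemented, since key version 3 needs AES-128-CMAC, which the Python standard library does not provide.

```python
import hashlib
import hmac

# Constructed sample data for this example (not from a real capture).
ESSID = b"ExampleNet"
PASSPHRASE = b"correct horse battery"
MAC_AP = bytes.fromhex("001122334455")
MAC_STA = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))          # constructed nonces; in practice taken from M1 and M2
SNONCE = bytes(range(32, 64))
MIC_OFFSET = 81                    # EAPOL header (4) + key descriptor fields before the MIC (77)


def pmk_from_passphrase(passphrase: bytes, essid: bytes) -> bytes:
    """The slow step: PBKDF2-HMAC-SHA1, 4096 rounds, 32-byte PMK. It depends only on the
    passphrase and ESSID, so it is computed once per candidate and reused for PMKID and MIC."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, essid, 4096, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA): one HMAC, truncated to 16 bytes."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def ptk_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 (802.11i) for key versions 1 and 2. The 100-byte pkedata is
    label | 0x00 | min(MAC) | max(MAC) | min(nonce) | max(nonce) | counter; each HMAC-SHA1
    block fills 20 bytes of the PTK, matching 'ptk + p * 20' in the post's C code."""
    pke = (b"Pairwise key expansion\x00"
           + min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
           + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(hmac.new(pmk, pke + bytes([p]), hashlib.sha1).digest() for p in range(4))
    return ptk[:64]


def eapol_mic(ptk: bytes, eapol: bytes, key_version: int) -> bytes:
    """MIC over the EAPOL frame (MIC field zeroed), keyed with the KCK = first 16 bytes of the PTK.
    Key version 1 uses HMAC-MD5, key version 2 HMAC-SHA1; version 3 (AES-128-CMAC) is not covered."""
    kck = ptk[:16]
    if key_version == 1:
        return hmac.new(kck, eapol, hashlib.md5).digest()[:16]
    if key_version == 2:
        return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]
    raise NotImplementedError("key version 3 (AES-128-CMAC) is not implemented in this example")


def build_eapol_m2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Constructed EAPOL-Key message 2 (RSN descriptor, key version 2) carrying the given MIC field."""
    body = (b"\x02"                     # descriptor type: RSN
            + b"\x01\x0a"               # key info: MIC bit set, pairwise, descriptor version 2
            + b"\x00\x10"               # key length 16
            + (1).to_bytes(8, "big")    # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # key nonce, key IV, key RSC, key ID
            + mic + b"\x00\x00")        # MIC field, key data length 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def make_capture(passphrase: bytes) -> dict:
    """Simulate what a capture provides for one ESSID: a PMKID and an M2 frame with a valid MIC."""
    pmk = pmk_from_passphrase(passphrase, ESSID)
    ptk = ptk_from_pmk(pmk, MAC_AP, MAC_STA, ANONCE, SNONCE)
    mic = eapol_mic(ptk, build_eapol_m2(SNONCE), 2)
    return {"pmkid": pmkid(pmk, MAC_AP, MAC_STA), "eapol": build_eapol_m2(SNONCE, mic), "key_version": 2}


def check_candidate(candidate: bytes, capture: dict) -> dict:
    """Test one candidate passphrase against both hash types with a single PBKDF2 run."""
    pmk = pmk_from_passphrase(candidate, ESSID)                                   # slow, done once
    pmkid_ok = hmac.compare_digest(pmkid(pmk, MAC_AP, MAC_STA), capture["pmkid"])  # one HMAC
    ptk = ptk_from_pmk(pmk, MAC_AP, MAC_STA, ANONCE, SNONCE)                     # four HMACs
    eapol = capture["eapol"]
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    mic_ok = hmac.compare_digest(eapol_mic(ptk, zeroed, capture["key_version"]), captured_mic)
    return {"pmkid_ok": pmkid_ok, "mic_ok": mic_ok}


if __name__ == "__main__":
    cap = make_capture(PASSPHRASE)
    print("right passphrase:", check_candidate(PASSPHRASE, cap))
    print("wrong passphrase:", check_candidate(b"password1234", cap))
```

Both checks in check_candidate share the one PBKDF2 call, so giving hashcat both hash lines for the same ESSID does not make the PMK step any cheaper; it only adds the cheaper PTK and MIC work on top of the PMKID comparison.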


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 09-01-2022, 08:46 AM