need batch stop after pass found hccapx
#13
The hashcat online converter runs cap2hccapx from hashcat-utils.
You should know that cap2hccapx will convert more than one hash to the hccapx file. Therefore it takes every good message pair and converts it:

Code:
$ ./cap2hccapx.bin ptcl_l2-test-01.cap test.hccapx
Networks detected: 1
[*] BSSID=c8:3a:35:57:d2:d1 ESSID=PTCL_L2 290 (Length: 11)
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=5
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=5
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=5
--> STA=a8:51:5b:2b:34:52, Message Pair=2, Replay Counter=5
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=9
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=9
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=9
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=9
--> STA=a8:51:5b:2b:34:52, Message Pair=2, Replay Counter=9
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=13
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=13
--> STA=a8:51:5b:2b:34:52, Message Pair=2, Replay Counter=13
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=13
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=0
--> STA=a8:51:5b:2b:34:52, Message Pair=2, Replay Counter=0
Written 15 WPA Handshakes to: test.hccapx

The result is a single hccapx file that contains 15 hashes from your BSSID!

I noticed that you ran airodump-ng in combination with aireplay-ng to deauthenticate the client. In that case you must expect packet loss, because neither aireplay-ng (active part) nor airodump-ng (passive part) requests missing packets. Additionally, your cap file contains many, many useless frames.
Also, you have made much noise on the channel to get a few hashes:
DEAUTHENTICATION (total).................: 10779 !!!!!!!!!!!!!

Code:
$ hcxpcapngtool -o test.22000 ptcl_l2-test-01.cap
reading from ptcl_l2-test-01.cap...

summary capture file
--------------------
file name................................: ptcl_l2-test-01.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 22.01.2020 23:09:00
timestamp maximum (GMT)..................: 22.01.2020 23:11:52
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 70694
BEACON (total)...........................: 1
PROBEREQUEST (directed)..................: 17
PROBERESONSE.............................: 574
DEAUTHENTICATION (total).................: 10779
DISASSOCIATION (total)...................: 4
AUTHENTICATION (total)...................: 30
AUTHENTICATION (OPEN SYSTEM).............: 30
ASSOCIATIONREQUEST (total)...............: 7
ASSOCIATIONREQUEST (PSK).................: 7
REASSOCIATIONREQUEST (total).............: 6
REASSOCIATIONREQUEST (PSK)...............: 6
WPA encrypted............................: 17929
EAPOL messages (total)...................: 275
EAPOL RSN messages.......................: 275
ESSID (total unique).....................: 1
EAPOLTIME gap (measured maximum usec)....: 518630
REPLAYCOUNT gap (measured maximum).......: 23
EAPOL M1 messages........................: 264
EAPOL M2 messages........................: 4
EAPOL M3 messages........................: 5
EAPOL M4 messages........................: 2
EAPOL pairs (total)......................: 26
EAPOL pairs (best).......................: 1
EAPOL pairs written to combi hash file...: 1 (RC checked)
EAPOL M12E2..............................: 1
PMKID (total)............................: 270
PMKID (best).............................: 3
PMKID written to combi hash file.........: 3

Using the new hashline (hashmode -m 22000), you will get three PMKIDs and one EAPOL messagepair:
EAPOL pairs written to combi hash file...: 1 (RC checked)
PMKID (best).............................: 3

Code:
WPA*01*6ad4d529d74c755225770588504731d0*c83a3557d2d1*a8515b2b3452*5054434c5f4c3220323930***
WPA*01*ac60b839f81746454d2bb743973b70c1*c83a3557d2d1*b072bf54a97b*5054434c5f4c3220323930***
WPA*01*21210939fda7e65a095426fb43ef8c7a*c83a3557d2d1*e4a7c5915cf1*5054434c5f4c3220323930***
WPA*02*83388eaca56640cb56e87a5527fe11e2*c83a3557d2d1*a8515b2b3452*5054434c5f4c3220323930*949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e70*0103007502010a0000000000000000000df98bbc1103e2852cbd86968b713e0d3063c30dc60df02b5a840e91e63d260172000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac022c24*00

If you take a closer look at the converted hashes, you'll notice that hcxpcapngtool converted different "best" hashes (a PMKID sent from the access point to every CLIENT and an EAPOL messagepair).
Running hashcat against them will recover the PSK quickly (and without any additional options):
Code:
$ hashcat -m 22000 test.22000 -a 3 11223344
hashcat (v5.1.0-1633-g346637ec) starting...

21210939fda7e65a095426fb43ef8c7a:c83a3557d2d1:e4a7c5915cf1:PTCL_L2 290:11223344
6ad4d529d74c755225770588504731d0:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
ac60b839f81746454d2bb743973b70c1:c83a3557d2d1:b072bf54a97b:PTCL_L2 290:11223344
83388eaca56640cb56e87a5527fe11e2:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
                                                
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: test.22000
Time.Started.....: Sat Feb  1 20:32:39 2020 (0 secs)
Time.Estimated...: Sat Feb  1 20:32:39 2020 (0 secs)
Guess.Mask.......: 11223344 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       39 H/s (0.70ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 4/4 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3-7
Candidates.#1....: 11223344 -> 11223344
Hardware.Mon.#1..: Temp: 55c Fan: 35% Util: 55% Core:1873MHz Mem:5005MHz Bus:16

Started: Sat Feb  1 20:32:34 2020
Stopped: Sat Feb  1 20:32:41 2020

Three times from the PMKID and one time from the EAPOL messagepair.

BTW:
You may have noticed that the new hashline is HEX-ASCII. You can use simple bash commands to show it, to sort it and to remove unwanted hashes.
A single PMKID is more than enough to recover the PSK. You can remove the other hashes.

should I use this --nonce-error-corrections=128 in my batch ?
-> That question isn't easy to answer, because it depends on the tools you use to attack the network, to capture the traffic, to convert the hash and to recover the PSK.
But hcxpcapngtool will help you a little bit to choose the nonce-error-corrections value. This is the measured value between the lowest replaycount and the highest replaycount:
REPLAYCOUNT gap (measured maximum).......: 23
You can always use this value for hashcat nonce-error-corrections to be on the safe side.
Running hcxdumptool to attack and capture, hcxpcapngtool to convert and latest hashcat to recover the PSKs will give you good results and less noise on the channel (PMKID attack: https://hashcat.net/forum/thread-7717.html).
If you have a PMKID, use it (hashcat old hashmode -m 16800 or hashcat new hashmode -m 22000). Don't waste your GPU time on EAPOL messagepairs (unless you like to discover the secrets of an unauthorized M2).
If you retrieve the PMKID by hand (Wireshark), keep in mind that it can be calculated using a zeroed PMK!
If you run hcxpcapngtool, you will be informed and this kind of PMKID will not be converted:
PMKID (over zeroed PMK)..................: 1

Additionally, hcxhashtool will give you information about the ACCESS POINT, the CLIENT and the state of the authentication:
Code:
$ hcxhashtool -i test.22000 --info=stdout
SSID.......: PTCL_L2 290
MAC_AP.....: c83a3557d2d1 (Tenda Technology Co., Ltd.)
MAC_CLIENT.: a8515b2b3452 (Samsung Electronics Co.,Ltd)
PMKID......: 6ad4d529d74c755225770588504731d0
HASHLINE...: WPA*01*6ad4d529d74c755225770588504731d0*c83a3557d2d1*a8515b2b3452*5054434c5f4c3220323930***

SSID.......: PTCL_L2 290
MAC_AP.....: c83a3557d2d1 (Tenda Technology Co., Ltd.)
MAC_CLIENT.: b072bf54a97b (Murata Manufacturing Co., Ltd.)
PMKID......: ac60b839f81746454d2bb743973b70c1
HASHLINE...: WPA*01*ac60b839f81746454d2bb743973b70c1*c83a3557d2d1*b072bf54a97b*5054434c5f4c3220323930***

SSID.......: PTCL_L2 290
MAC_AP.....: c83a3557d2d1 (Tenda Technology Co., Ltd.)
MAC_CLIENT.: e4a7c5915cf1 (HUAWEI TECHNOLOGIES CO.,LTD)
PMKID......: 21210939fda7e65a095426fb43ef8c7a
HASHLINE...: WPA*01*21210939fda7e65a095426fb43ef8c7a*c83a3557d2d1*e4a7c5915cf1*5054434c5f4c3220323930***

SSID.......: PTCL_L2 290
MAC_AP.....: c83a3557d2d1 (Tenda Technology Co., Ltd.)
MAC_CLIENT.: a8515b2b3452 (Samsung Electronics Co.,Ltd)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 13
RC INFO....: replycount checked
MP M1M2 E2.: not authorized
MIC........: 83388eaca56640cb56e87a5527fe11e2
HASHLINE...: WPA*02*83388eaca56640cb56e87a5527fe11e2*c83a3557d2d1*a8515b2b3452*5054434c5f4c3220323930*949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e70*0103007502010a0000000000000000000df98bbc1103e2852cbd86968b713e0d3063c30dc60df02b5a840e91e63d260172000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac022c24*00

And even if you decide to convert all(!) hashes, your attempt will be successful:
Code:
$ hcxpcapngtool --all -o test.22000 ptcl_l2-test-01.cap
reading from ptcl_l2-test-01.cap...

summary capture file
--------------------
file name................................: ptcl_l2-test-01.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 22.01.2020 23:09:00
timestamp maximum (GMT)..................: 22.01.2020 23:11:52
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 70694
BEACON (total)...........................: 1
PROBEREQUEST (directed)..................: 17
PROBERESONSE.............................: 574
DEAUTHENTICATION (total).................: 10779
DISASSOCIATION (total)...................: 4
AUTHENTICATION (total)...................: 30
AUTHENTICATION (OPEN SYSTEM).............: 30
ASSOCIATIONREQUEST (total)...............: 7
ASSOCIATIONREQUEST (PSK).................: 7
REASSOCIATIONREQUEST (total).............: 6
REASSOCIATIONREQUEST (PSK)...............: 6
WPA encrypted............................: 17929
EAPOL messages (total)...................: 275
EAPOL RSN messages.......................: 275
ESSID (total unique).....................: 1
EAPOLTIME gap (measured maximum usec)....: 518630
REPLAYCOUNT gap (measured maximum).......: 23
EAPOL M1 messages........................: 264
EAPOL M2 messages........................: 4
EAPOL M3 messages........................: 5
EAPOL M4 messages........................: 2
EAPOL pairs (total)......................: 26
EAPOL pairs (best).......................: 26
EAPOL pairs written to combi hash file...: 26 (RC checked)
EAPOL M12E2..............................: 22
EAPOL M32E2..............................: 4
PMKID (total)............................: 270
PMKID (best).............................: 270
PMKID written to combi hash file.........: 270

$ hashcat -m 22000 test.22000 --nonce-error-corrections=8 -a 3 11223344
hashcat (v5.1.0-1633-g346637ec) starting...

2356d59821bb6d62813c41a375951f77:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
2596f54e999999f40e18dcad30662816:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
21210939fda7e65a095426fb43ef8c7a:c83a3557d2d1:e4a7c5915cf1:PTCL_L2 290:11223344
6ad4d529d74c755225770588504731d0:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
2356d59821bb6d62813c41a375951f77:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
ac60b839f81746454d2bb743973b70c1:c83a3557d2d1:b072bf54a97b:PTCL_L2 290:11223344
83388eaca56640cb56e87a5527fe11e2:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
3389a0f054251b47a226412e078920b5:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
3389a0f054251b47a226412e078920b5:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
83388eaca56640cb56e87a5527fe11e2:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
                                                
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: test.22000
Time.Started.....: Sat Feb  1 20:48:40 2020 (0 secs)
Time.Estimated...: Sat Feb  1 20:48:40 2020 (0 secs)
Guess.Mask.......: 11223344 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       36 H/s (0.71ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 10/10 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:9-19
Candidates.#1....: 11223344 -> 11223344
Hardware.Mon.#1..: Temp: 57c Fan: 38% Util: 55% Core:1860MHz Mem:5005MHz Bus:16

Started: Sat Feb  1 20:48:36 2020
Stopped: Sat Feb  1 20:48:42 2020

With the --all option, hcxpcapngtool will convert all PMKIDs and all EAPOL messagepairs. That includes many duplicates, but hashcat recovered the PSKs successfully from them, too.

In that case you should use at least nonce-error-corrections=8 to recover all PSKs.


Messages In This Thread
RE: need batch stop after pass found hccapx - by ZerBea - 02-01-2020, 09:38 PM
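
The PMKID hashline layout and the zeroed-PMK caveat from the post above, as an added example (not part of the original post, and not code from hcxtools or hashcat). Function names are illustrative; the PMKID formula is the standard IEEE 802.11 one, HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_CLIENT), which the post itself does not spell out.

```python
import hashlib
import hmac

def parse_hashline(line):
    """Split a -m 22000 hashline into named fields; the ESSID is HEX-ASCII."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a WPA*01 / WPA*02 hashline")
    return {
        "type": "PMKID" if f[1] == "01" else "EAPOL",
        "pmkid_or_mic": f[2],
        "mac_ap": f[3],
        "mac_client": f[4],
        "essid": bytes.fromhex(f[5]),
    }

def pmkid(pmk, mac_ap, mac_client):
    """First 16 bytes of HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_CLIENT)."""
    data = b"PMK Name" + bytes.fromhex(mac_ap) + bytes.fromhex(mac_client)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16].hex()

def pmk_from_psk(psk, essid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(PSK, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)

def is_zeroed_pmk(rec):
    """True if a PMKID record was computed over an all-zero PMK.

    Such a PMKID does not depend on the PSK at all, which is why the
    converter reports it separately instead of writing it out.
    """
    if rec["type"] != "PMKID":
        return False
    return rec["pmkid_or_mic"] == pmkid(bytes(32), rec["mac_ap"], rec["mac_client"])

# First PMKID hashline shown in the post.
LINE = ("WPA*01*6ad4d529d74c755225770588504731d0*c83a3557d2d1*"
        "a8515b2b3452*5054434c5f4c3220323930***")

if __name__ == "__main__":
    rec = parse_hashline(LINE)
    print(rec["type"], rec["mac_ap"], rec["mac_client"], rec["essid"].decode())
    print("zeroed PMK:", is_zeroed_pmk(rec))
    # Recompute the PMKID from the PSK and ESSID shown in the post's hashcat output.
    pmk = pmk_from_psk("11223344", rec["essid"])
    print("matches:", pmkid(pmk, rec["mac_ap"], rec["mac_client"]) == rec["pmkid_or_mic"])
```
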