Hashcat + wlangenpmkocl how to convert back to plaintext?
#11
Idea behind wlangenpmkocl.
target:
different NETWORKs using the same ESSID (e.g.: home)
a NETWORK often changes the PSK, but never the ESSID

In both cases, we must run hashcat 2500/16800/22000 more or less often on the same wordlist to recover the PSK (if it is inside the list). Every time we do this, we have to pay the price for PBKDF2.
To avoid this:
hashcat -m 22000 hash.22000 word.list

we're calculating a PMK list (PMK : PSK) for that ESSID and have to pay the price for PBKDF2, too:
wlangenpmkocl -> hashcat -m 22001 hash.22000 pmk.list
If hashcat finds a PMK, we search for it in the wlangenpmkocl list and get the PSK.


Now we get a different (new) NETWORK running the same ESSID, or an existing NETWORK changes the PSK but not the ESSID.
If we run hashcat, we have to pay the price for PBKDF2 again (and again, and again, ...):
hashcat -m 22000 hash.22000 word.list

If we use the already calculated PMK list, we can do this a thousand times faster, because there is no PBKDF2 bill we have to pay:
hashcat -m 22001 hash.22000 pmk.list
The pmk.list is our Rainbow Table and we know the PSK for every calculated PMK.

BTW:
Internally, hashcat is doing exactly the same. Take a look at hashcat's potfile and you'll see all components of PBKDF2:
PMK * ESSID : PSK

Please remember:
ESSID + PSK -> PMK
ESSID + PMK -> PSK

The same applies to hcxhashtool, if you apply a PMK:
Code:
--pmk=<PMK>                  : plain master key to test
                               no nonce error corrections

Or to hcxpcapngtool, to detect a PMKID/EAPOL message calculated using a zeroed PMK:
Code:
EAPOL (from zeroed PMK)..................: 2
PMKID (from zeroed PMK)..................: 11

Your experience is highly appreciated. If you discover something new, or something that is still missing, please let me know. I'll try to add it to hcxtools.
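The two directions the post describes (ESSID + PSK -> PMK, and ESSID + PMK -> PSK via the precomputed list) in plain Python, as an added example that is not part of the post, hashcat or hcxtools. The PBKDF2 parameters are the ones IEEE 802.11i specifies for WPA2-PSK; the "IEEE"/"password" test vector is taken from the standard's annex, the wordlist and the "home" networks are constructed, and `PBKDF2_CALLS` is a hypothetical counter added only to make the cost of each step visible.

```python
"""Added example: WPA2 PMK derivation and the per-ESSID PMK list ("rainbow
table") idea. Not code from the forum post, hashcat or hcxtools."""
import hashlib
from typing import Dict, Iterable, List, Optional

# Hypothetical counter: how many times the expensive PBKDF2 step has run.
PBKDF2_CALLS = {"n": 0}


def derive_pmk(essid: str, psk: str) -> bytes:
    """ESSID + PSK -> PMK, as IEEE 802.11i defines it for WPA2-PSK:
    PBKDF2-HMAC-SHA1, passphrase as key, ESSID as salt, 4096 iterations,
    32-byte output. This is the step every hashcat -m 22000 run pays for."""
    PBKDF2_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha1", psk.encode("utf-8"),
                               essid.encode("utf-8"), 4096, 32)


def build_pmk_list(essid: str, wordlist: Iterable[str]) -> Dict[str, str]:
    """The wlangenpmkocl idea: hex(PMK) -> PSK for one ESSID.
    PBKDF2 is paid once per candidate PSK, for this ESSID only."""
    return {derive_pmk(essid, psk).hex(): psk for psk in wordlist}


def lookup_psk(pmk_list: Dict[str, str], pmk_hex: str) -> Optional[str]:
    """ESSID + PMK -> PSK: the reverse direction is a dictionary lookup;
    no PBKDF2 is involved at all."""
    return pmk_list.get(pmk_hex.lower())


def recover_with_pmk_list(pmk_list: Dict[str, str],
                          found_pmks: List[str]) -> Dict[str, Optional[str]]:
    """Map PMKs that a -m 22001 run reported as hits back to their PSKs.
    Returns one entry per PMK; spends zero PBKDF2 calls doing so."""
    before = PBKDF2_CALLS["n"]
    recovered = {pmk: lookup_psk(pmk_list, pmk) for pmk in found_pmks}
    assert PBKDF2_CALLS["n"] == before, "lookup must not touch PBKDF2"
    return recovered


def pmk_list_transfers(pmk_list: Dict[str, str],
                       other_essid: str, psk: str) -> bool:
    """Does a PMK derived under a different ESSID appear in this list?
    Because the ESSID is the PBKDF2 salt, it never does, which is why
    the PMK list is tied to one ESSID."""
    return derive_pmk(other_essid, psk).hex() in pmk_list


if __name__ == "__main__":
    # Constructed wordlist and two constructed "home" networks that share
    # the ESSID but use different PSKs.
    wordlist = ["password", "letmein", "12345678", "correcthorse"]
    pmk_list = build_pmk_list("home", wordlist)
    print("PBKDF2 calls to build the list:", PBKDF2_CALLS["n"])

    # Stand-ins for the PMKs a hashcat -m 22001 run would report as found.
    hits = [derive_pmk("home", "letmein").hex(),
            derive_pmk("home", "correcthorse").hex()]
    spent = PBKDF2_CALLS["n"]
    for pmk, psk in recover_with_pmk_list(pmk_list, hits).items():
        print(f"{pmk} -> {psk}")
    print("PBKDF2 calls spent on recovery:", PBKDF2_CALLS["n"] - spent)
    print("list usable for ESSID 'office'?",
          pmk_list_transfers(pmk_list, "office", "letmein"))
```

Building the list costs one PBKDF2 call per candidate; every later network with the same ESSID is answered by lookups only, which is the "no PBKDF2 bill" the post refers to. The last line shows the flip side: the same PSKs under another ESSID produce different PMKs, so the list has to be generated per ESSID.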


RE: Hashcat + wlangenpmkocl how to convert back to plaintext? - by ZerBea - 02-22-2021, 01:59 PM