Plugins 2500/2501 and 16800/16801 are deprecated
#14
Please notice my wording:

Valid message pairs are message pairs of which we can recover a PSK!
challenge = M1M2 - CLIENT may not belong to the target NETWORK
authorized = M2M3, M3M2 or M1M4 - CLIENT belongs to the target NETWORK
This information is stored in the message pair field at the end of the hash line.

In your case:
00 = challenge - CLIENT may not belong to the target NETWORK
02 = M2M3 - CLIENT belongs to the target NETWORK
Both of the converted message pairs are valid and we recovered a PSK.
The first one doesn't belong to your target network.
The second one belongs to your target network.

Invalid message pairs are message pairs that don't contain matching EAPOL messages (regardless of whether the RC is matching, too, or not). This is caused by packet loss or excessive deauthentications. It is impossible to recover a PSK from these message pairs:
challenge = M1M2
authorized = M2M3, M3M4 or M1M4
Even if you know the correct PSK, hashcat will be exhausted on them!

The second cap file contains 24 message pairs. 13 of them are unique.
But only one(!) message pair is valid - all others are invalid due to packet loss or excessive deauthentications.

For sure, you can make a feature request to add this overhead to hashcat, here:
https://github.com/hashcat/hashcat/issues
If Atom decides to add this, hcxtools will follow.

But from my point of view there is absolutely no need to add this overhead to the hash line, because this information (and much more) is stored in the message pair field.

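This is a script that will get all authorized message pairs from a .hc22000 file and store them to another .hc22000 file without adding overhead and without slowing hashcat down due to this overhead:
Code:
#!/bin/bash
# Copy the unique authorized (M2M3) message pairs from one .hc22000 file to another.

if [ "$#" -ne 2 ]; then
    echo "usage: $0 input.hc22000 output.hc22000"
    exit 1
fi
# WPA*02* selects EAPOL hash lines; "2$" selects a message pair field ending in 2.
grep "WPA.02" "$1" | grep "2$" | sort | uniq > "$2"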

Open editor and insert text.
Store the script to "getauthorized".
Make it executable:
$ chmod +x getauthorized

Use it:
./getauthorized myhashfile.hc22000 authorized.hc22000
or copy it to /usr/local/bin

Now, "authorized.hc22000" will contain all M2M3 (authorized) message pairs, only.

As mentioned before, this is the advantage of machine readable hash files.
There is no need to add "authorized" to each hash line, because all hashes inside authorized.hc22000 are authorized.

Please notice:
If you run hcxpcapngtool on "crappy" dump files stored from stupid attacks, it is not recommended to run default options, only. Especially not, if hcxpcapngtool shows you a warning!

Messages In This Thread
RE: Plugins 2500/2501 and 16800/16801 are deprecated - by ZerBea - 09-18-2021, 02:25 PM
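
A field-aware variant of the filter in the post above, as an added example that is not part of the original post or of hcxtools: it splits each hash line on `*`, reports how many EAPOL lines carry each message pair value, and writes the unique M2M3 lines. The function names and the sample lines are constructed; it assumes the last hex digit of the message pair field identifies the pair (0 = M1M2 challenge, 2 = M2M3), which for M2M3 is what the post's `grep "2$"` relies on.

```shell
#!/bin/bash
# Added example, not part of the original post or of hcxtools.
# Assumption: the last hex digit of the message pair field names the pair
# (0 = M1M2 challenge, 2 = M2M3 authorized); any leading digit is ignored.

# mp_report FILE: print "<message pair> <count> <label>" for the WPA*02* lines.
mp_report() {
    awk -F'*' '
        $1 == "WPA" && $2 == "02" { count[tolower($NF)]++ }
        END {
            for (mp in count) {
                last = substr(mp, length(mp))
                label = "other"
                if (last == "0") label = "challenge (M1M2)"
                if (last == "2") label = "authorized (M2M3)"
                printf "%s %d %s\n", mp, count[mp], label
            }
        }' "$1" | sort
}

# mp_authorized IN OUT: copy the unique M2M3 lines, keeping their input order.
mp_authorized() {
    awk -F'*' '$1 == "WPA" && $2 == "02" && $NF ~ /2$/ && !seen[$0]++' \
        "$1" > "$2"
}

# Constructed sample: all field values are placeholders, not real captures.
demo() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/sample.hc22000" <<'EOF'
WPA*01*aa*001122334455*66778899aabb*74657374***
WPA*02*bb*001122334455*66778899aabb*74657374*cc*dd*00
WPA*02*ee*001122334455*66778899aabb*74657374*cc*dd*02
WPA*02*ee*001122334455*66778899aabb*74657374*cc*dd*02
WPA*02*ff*001122334455*66778899aabb*74657374*cc*dd*82
EOF
    mp_report "$dir/sample.hc22000"
    mp_authorized "$dir/sample.hc22000" "$dir/authorized.hc22000"
    echo "authorized lines: $(grep -c '' "$dir/authorized.hc22000")"
    rm -rf "$dir"
}
demo
```

Matching on the `*`-separated fields keeps a PMKID line (`WPA*01*`) out of the result regardless of what its other fields end in.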