Plugins 2500/2501 and 16800/16801 are deprecated
#18
Atom is a little bit busy this week. He told me that he is back next Sunday. Then hashcat will receive the NC fix.

Activating/using the NC feature of hcxpcapngtool and hashcat will have a huge impact, especially on "crappy" cap files. And this cap file is kind of "crappy" due to massive deauthentications and lost packets.
But anyway, with NC activated it is possible to recover the PSK from all(!) message pairs.

For sure, this needs some additional options to be selected on hcxpcapngtool and hashcat.
Additionally, you can choose a higher NC than the default (8) with hashcat --nonce-error-corrections, as I did for the demonstration below.

To demonstrate that, I converted the cap file to hccapx and 22000. Both hash files contain exactly the same hashes!

hash mode 2500 is still working:
Code:
$ hcxpcapngtool --hccapx=test.hccapx --all ht3466227.cap
$ hashcat -m 2500 --deprecated-check-disable --nonce-error-corrections=128 test.hccapx -a 3 ht3466227
hashcat (v6.2.4-67-gdbefc7e60) starting
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 2500 (WPA-EAPOL-PBKDF2)
Hash.Target......: test.hccapx
Time.Started.....: Mon Sep 20 08:51:19 2021 (0 secs)
Time.Estimated...: Mon Sep 20 08:51:19 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ht3466227 [9]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        6 H/s (1.42ms) @ Accel:8 Loops:256 Thr:512 Vec:1
Recovered........: 13/13 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:12-25
Candidate.Engine.: Device Generator
Candidates.#1....: ht3466227 -> ht3466227
Hardware.Mon.#1..: Temp: 55c Fan: 36% Util: 82% Core:1898MHz Mem:5005MHz Bus:16

hash mode 22000 failed due to its NC issue:
Code:
$ hcxpcapngtool -o test.22000 --all ht3466227.cap
$ hashcat -m 22000 --nonce-error-corrections=128 test.22000 -a 3 ht3466227
hashcat (v6.2.4-67-gdbefc7e60) starting
                                                        
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.22000
Time.Started.....: Mon Sep 20 08:53:02 2021 (0 secs)
Time.Estimated...: Mon Sep 20 08:53:02 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ht3466227 [9]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       25 H/s (1.43ms) @ Accel:8 Loops:256 Thr:512 Vec:1
Recovered........: 1/13 (7.69%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:12-25
Candidate.Engine.: Device Generator
Candidates.#1....: ht3466227 -> ht3466227
Hardware.Mon.#1..: Temp: 54c Fan: 35% Util: 62% Core:1860MHz Mem:5005MHz Bus:16

BTW:
If you're interested in that stuff and what it looks like behind the scenes, I recommend using Linux.

hcxdumptool/hcxlabtool share additional EAPOL information with hcxpcapngtool via a pcapng comment block, and hcxpcapngtool shares this information with hashcat via the messagepair field.

In other words, this chain
hcxdumptool/hcxlabtool -> hcxpcapngtool -> hcxtools -> hashcat/JtR
can do magic, if you know what to do (e.g. by using their additional options).
Messages In This Thread
RE: Plugins 2500/2501 and 16800/16801 are deprecated - by ZerBea - 09-20-2021, 09:11 AM
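
The post above says hcxpcapngtool passes EAPOL information to hashcat through the messagepair field. The following is an added example, not code from the post or from hcxtools/hashcat, that decodes that field (the last `*`-separated value of a 22000 line) when auditing your own captures. The bit meanings are an assumption taken from the published 22000 format notes, and the sample lines are constructed.

```python
from collections import Counter

# Low three bits: which handshake messages were paired (assumed layout).
PAIRS = {
    0b000: "M1+M2, EAPOL from M2 (challenge)",
    0b001: "M1+M4, EAPOL from M4 (authorized)",
    0b010: "M2+M3, EAPOL from M2 (authorized)",
    0b011: "M2+M3, EAPOL from M3 (authorized)",
    0b100: "M3+M4, EAPOL from M3 (authorized)",
    0b101: "M3+M4, EAPOL from M4 (authorized)",
}

def decode_messagepair(line):
    """Decode one 'WPA*TYPE*...*MESSAGEPAIR' line into readable flags."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not a 22000 hash line")
    if fields[1] != "02":                    # type 01 = PMKID, no nonce pairing
        return {"type": "PMKID", "nc": "not needed"}
    mp = int(fields[8], 16)
    info = {
        "type": "EAPOL",
        "pair": PAIRS.get(mp & 0x07, "unknown"),
        "ap_less": bool(mp & 0x10),          # bit 4: AP-less capture
        "le_router": bool(mp & 0x20),        # bit 5: little-endian nonce counter
        "be_router": bool(mp & 0x40),        # bit 6: big-endian nonce counter
        "replaycount_unchecked": bool(mp & 0x80),  # bit 7
    }
    if info["ap_less"]:
        info["nc"] = "not needed"
    elif info["replaycount_unchecked"]:
        info["nc"] = "required"
    else:
        info["nc"] = "default"
    return info

def summarize(lines):
    """Count how many hash lines fall into each NC category."""
    return Counter(decode_messagepair(l)["nc"] for l in lines if l.strip())

# Constructed sample lines (placeholder MIC/PMKID, MACs, ESSID "test", nonce, EAPOL).
_BASE = "WPA*{t}*" + "aa" * 16 + "*001122334455*66778899aabb*74657374*"
SAMPLE = [
    _BASE.format(t="02") + "bb" * 32 + "*0103005f02*80",
    _BASE.format(t="02") + "bb" * 32 + "*0103005f02*10",
    _BASE.format(t="02") + "bb" * 32 + "*0103005f02*02",
    _BASE.format(t="01") + "**",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(decode_messagepair(entry))
    print(dict(summarize(SAMPLE)))
```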