Hashcat + wlangenpmkocl how to convert back to plaintext ?
#10
For sure a mask on a PMK will work, in case you have 90% of the PMK.
Example:
$ wlangenpmk -e hashcat_net -p hashcat1

essid (networkname)....: hashcat_net
password...............: hashcat1
plainmasterkey (SHA1)..: 9cff1131859ffd9255a3bd412db53d3a576c41910cff9bf8165176b3fd6fdbf0

If you run hashcat with this mask
9cff1131859ffd9255a3bd412db53d3a576c41910cff9bf8165176b3fd6fdb?h?h
it will verify the PMK.
Please note my wording: I didn't write it cracked the network or it recovered the PSK.

Now take a look at the result of PBKDF2 if you change a character within the ESSID
$ wlangenpmk -e hashcat-net -p hashcat1

essid (networkname)....: hashcat-net
password...............: hashcat1
plainmasterkey (SHA1)..: da4976c8e0e045d3f3e48e3213953cde92f6ac2e0b75b5dde88d4177e924251a

No chance to run this simple mask to verify the PMK.

Now we change a character of the PSK:
$ wlangenpmk -e hashcat_net -p hashcat2

essid (networkname)....: hashcat_net
password...............: hashcat2
plainmasterkey (SHA1)..: 332f14d711b5be5b5b8dcce42c36a0b452502cab0d7db1b5a4ef7ac9d7ec90b3

Our simple mask will fail, too.

In every case you must do "slow" PBKDF2:
ESSID + PSK -> PMK
ESSID + PMK -> PSK

And if you discover a new PMK, ESSID + PMK -> PSK is mandatory.


hash mode comparison table:
2500 -> 22000
2501 -> 22001
16800 -> 22000
16801 -> 22001

2500 & 16800 -> 22000 reuse of PBKDF2
2501 & 16801 -> 22001

Mostly I don't use masks, rules or big wordlists found in www.
hcxdumptool/hcxtools and hashcat (or JtR) are more than enough for me.

I recommend not converting hccapx to 22000, because you don't know anything about the quality of the hccapx file.
It is much better to recapture and to convert them directly to 22000.

Which tools do you use for capturing and converting?
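The derivation chain the post describes (ESSID + PSK -> PMK through the "slow" PBKDF2, and why a PMK candidate such as the `?h?h` mask case can be checked cheaply while going from PMK back to PSK cannot skip PBKDF2), as an added Python example. This is not code from the original post, from hcxtools or from hashcat. The PBKDF2, PRF-512 and EAPOL MIC computations are the standard WPA2-PSK ones (key descriptor version 2, HMAC-SHA1); the handshake they are checked against is a constructed sample whose MACs, nonces and EAPOL frame are made up for the demo, and `Handshake`, `crack_pmk_last_byte` and `crack_psk` are names chosen here, not tool APIs.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# WPA2-PSK key material (IEEE 802.11):
#   PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32)              <- the "slow" step
#   PTK = PRF-512(PMK, "Pairwise key expansion", MACs || nonces)      <- cheap
#   MIC = HMAC-SHA1(KCK = PTK[0:16], EAPOL frame with MIC zeroed)[0:16] (key descriptor v2)


def pmk_from_psk(essid: str, psk: str) -> bytes:
    """ESSID + PSK -> PMK. Every candidate costs 4096 HMAC-SHA1 rounds; there is no shortcut."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid.encode(), 4096, 32)


def prf512(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PMK -> PTK (first 64 bytes) with the 802.11 PRF-512 built on HMAC-SHA1."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b""
    for i in range(4):  # 4 x 20 bytes = 80 bytes, truncated to 512 bits
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """Key MIC over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


class Handshake:
    """What a capture (one 22000 line) gives you: ESSID, MACs, nonces, EAPOL frame and its MIC."""

    def __init__(self, essid: str, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes, eapol: bytes, mic: bytes):
        self.essid, self.ap_mac, self.sta_mac = essid, ap_mac, sta_mac
        self.anonce, self.snonce, self.eapol, self.mic = anonce, snonce, eapol, mic

    def verify_pmk(self, pmk: bytes) -> bool:
        """Cheap check: PRF + one HMAC. Proves the PMK, says nothing about the PSK."""
        ptk = prf512(pmk, self.ap_mac, self.sta_mac, self.anonce, self.snonce)
        return hmac.compare_digest(eapol_mic(ptk[:16], self.eapol), self.mic)

    def verify_psk(self, psk: str) -> bool:
        """Slow check: PBKDF2 first, then the cheap PMK check."""
        return self.verify_pmk(pmk_from_psk(self.essid, psk))


def crack_pmk_last_byte(hs: Handshake, pmk_prefix31: bytes) -> Optional[bytes]:
    """The '?h?h' mask case from the post: 31 PMK bytes known, the last byte brute-forced.
    256 cheap checks and no PBKDF2 at all; a hit verifies the PMK, not the PSK."""
    for last in range(256):
        cand = pmk_prefix31 + bytes([last])
        if hs.verify_pmk(cand):
            return cand
    return None


def crack_psk(hs: Handshake, candidates: Iterable[str]) -> Optional[str]:
    """ESSID + PMK -> PSK: every candidate pays the full PBKDF2 price."""
    for psk in candidates:
        if hs.verify_psk(psk):
            return psk
    return None


def build_constructed_handshake(essid: str, psk: str) -> Handshake:
    """Constructed sample, not a real capture: a message-2 EAPOL-Key frame (MIC field zeroed,
    as hashcat expects it) and its MIC are synthesised from the true PMK so the verifiers
    above have something to check. MACs and nonces are arbitrary demo values."""
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"anonce-" + essid.encode()).digest()  # 32 deterministic bytes
    snonce = hashlib.sha256(b"snonce-" + essid.encode()).digest()
    key_info = b"\x01\x0a"  # version 2 (HMAC-SHA1 MIC) | pairwise | MIC flag
    eapol = (b"\x01\x03" + b"\x00\x5f"          # EAPOL version 1, type EAPOL-Key, body length 95
             + b"\x02" + key_info + b"\x00\x10"  # descriptor type RSN, key info, key length 16
             + b"\x00" * 8 + snonce              # replay counter, key nonce
             + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key IV, RSC, key ID
             + b"\x00" * 16 + b"\x00\x00")       # MIC (zeroed), key data length 0
    pmk = pmk_from_psk(essid, psk)
    ptk = prf512(pmk, ap_mac, sta_mac, anonce, snonce)
    return Handshake(essid, ap_mac, sta_mac, anonce, snonce, eapol, eapol_mic(ptk[:16], eapol))


if __name__ == "__main__":
    hs = build_constructed_handshake("hashcat_net", "hashcat1")
    pmk = pmk_from_psk("hashcat_net", "hashcat1")
    print("PMK:", pmk.hex())
    print("mask on PMK verifies:", crack_pmk_last_byte(hs, pmk[:31]) == pmk)
    print("PSK from wordlist:", crack_psk(hs, ["hashcat2", "hashcat1"]))
```

`pmk_from_psk` reproduces the three `wlangenpmk` outputs quoted in the post, and the ESSID variant shows why a mask built from one network's PMK is useless against another: a one-character change in the ESSID or the PSK rewrites the whole PMK. The only cheap step is verifying a PMK candidate against the captured MIC; turning a verified PMK back into its PSK still means running `crack_psk`, i.e. PBKDF2 per candidate.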


Messages In This Thread
RE: Hashcat + wlangenpmkocl how to convert back to plaintext ? - by ZerBea - 02-22-2021, 01:13 PM