Hashcat + wlangenpmkocl how to convert back to plaintext ?
(02-28-2021, 11:23 PM)pr0ph3t Wrote:
(02-28-2021, 11:12 PM)ZerBea Wrote: Regarding your example, there is nothing to extract. It is a proprietary ESSID.
To get a feeling for PSKs in the clear, get this example:
Decompress it, convert it and run hashcat:
$ hcxpcapngtool -o eapol.22000 -E wordlist test.pcap
$ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist
and you'll know what I mean.

Open the pcap with Wireshark and take a look at frame 2, to get a feeling how this frames could look like.
It wiil take a while, but I'm sure you'll get a sense for it.

Please notice:
The example is from a feature request and was converted to pcap format, because there are still some tools in the wildness which are not able to read the new pcapng format.
That does not apply to tools like Wireshark and tshark. They use pcapng as default format:

It is definitely not a good idea to ignore this frames (e.g. by filter options) or to remove them from a capture file.
hcxpcapngtool will print a warning, if the absence of this frame types is detected:

Ah thank you will read up on it now.
Confirmed your pmktool works from start to finish without any problems (5.10.0-k*ali3-amd64). That's a nice assembly line you've got there.
Now for the live exercise though. This time "I don't know the key" so I need to revert to the prior step to get that hash but this time once we get that hash string to put it through your tool. Meanwhile going to read the links you posted.

Oh right, I'm sorry. I shouldn't been specific. I was following this procedure not the one from your thread (well I mean it's pretty much the same it's the readme in yer GIT.. the one that says hardware modification required)

Identify interface and processes that interferes with hcxdumptool:

$ hcxdumptool -I
wlan interfaces:
MAC_INTERFACE  <wlan_interface> (used_driver)

On a warning like this, stop services:
warning: NetworkManager is running with pid 415
warning: wpa_supplicant is running with pid 515
stop this processes:
$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service

Check driver
$ sudo hcxdumptool -i <wlan_interface> --check_driver
starting driver test...
driver tests passed - all required ioctl() system calls are supported by driver
restoring old driver settings

Check that packet injection is working (run it at least 13 * 5 seconds):
$ sudo hcxdumptool -i  <wlan_interface> --do_rcascan
INFO: cha=6, rx=351, rx(dropped)=0, tx=47, err=0, aps=21 (13 in range)

if the values increase and APs are in range, start the attack:
$ hcxdumptool -i <wlan_interface> -o test.pcapng --enable_status=1
otherwise hcxdumptool will inform you that packet injection is not working as expected.

If attack finished and hcxdumptool terminated, restart services
$ sudo systemctl start NetworkManager.service
$ sudo systemctl start wpa_supplicant.service

If hcxdumptool is not able to set monitor mode for example on this driver:
run ip link and iw first - than run hcxdumptool:
$ sudo ip link set <wlan_interface> down
$ sudo iw dev  <wlan_interface> set type monitor
$ sudo ip link set  <wlan_interface> up
$ sudo iw dev  <wlan_interface> info

Most (nearly all) occurring issues are related to the driver (driver doesn't support monitor mode and
full packet injection) and the system configuration (running services that take access to the interface).
The driver of the device must support both: monitor mode and full packet injection!
Otherwise hcxdumptool will fail!

Some of the issues are fixed:

Some of them are partly fixed (or somebody is working on them):

Some of them are not fixed, yet:

Unfortunately many, many drivers do not support monitor mode and full packet injection. Get more information here:

But yes I understand what you've done there. What I was saying is now to apply YOUR method to the handshake I'm trying to crack (my network). Except this time I'm pretending I don't know the key. So I need to produce that hash you get in the first steps, and then I can continue your procedure with my new handshake. I know it's all the same but I want to experiment all the methods, see what's best, understand blahblahlah

So now I need to generate a pmk from wordlist etc and try to crack the handshake with hashcat. IT's just I'm doing it a little differently this time. It's going to be mode 12000 with that hash string but I'm curious to see what the PMK converted dictionnary is going to do

Messages In This Thread
RE: Hashcat + wlangenpmkocl how to convert back to plaintext ? - by pr0ph3t - 03-01-2021, 01:13 AM