Using Hashcat with vast.ai
#11
(05-06-2021, 12:55 PM)x34cha Wrote: Are you using wget to download the hccap from github? Are you downloading the github page on accident? Try uploading to transfer.sh and then wget the file in ssh.

hccapx was transferring to the instance fine as can be seen in a screenshot posted above. I did wonder if it was somehow getting corrupted en route, but I don't think it was.

https://hashcat.net/forum/attachment.php?aid=824

Thanks for the link to transfer.sh though, that looks very useful.

(05-06-2021, 11:38 PM)Snoopy Wrote: it's late, but

in your screenshots the mode/kernel tells that the minimum and maximum length for the password is 64, so it has to be length 64

if you look at examples for 2501 it tells:  Password: a288fcf0caaacda9a9f58633ff35e8992a01d9c10ba5e02efdf8cb5d730ce7bc

so your given mask is way too short and i think hashcat just skips to try these short mask because it does not meet the required length

Interesting. I hadn't noticed that minimum password length bit. On my first screenshots though when using 2500 I have minimum length of 8. Would that not be correct for my mask?

https://hashcat.net/forum/attachment.php?aid=825
Reply
#12
Actually, I think I see.

I had messed up my command?

Should have been:-

./hashcat -m 2500 handshake.hccapx -a 3 -1 ABCDEFGHJKMNPQRTUVWXY346789 ?1?1?1?1?1?1?1?1

So as you say, where I had missed the 1 off the end on my original command, the mask was too short so HC hasn't bothered as it's less than the minimum WPA2 password length.

I couldn't see my mistake no matter how hard I looked the other day. Feel a bit silly now, but at least it's put my mind to rest what was going on there.
Reply
#13
Or maybe not. Fixed the missing '1' and gave it a quick test run on a cheap machine, and still a no go.

Completely beyond me why it was running fine on my local machine, but won't run on a remote one. Very odd.


Attached Files
.png   StillNoGo.png (Size: 71.63 KB / Downloads: 4)
Reply
#14
tested your command with hashcat.hccapx + hashcat-pmk.hccapx from examples and it runs fine

can you try this both?
https://hashcat.net/wiki/doku.php?id=example_hashes

if the examples work and your file not, the last thing i could think of is encoding problems with upload/download and linebreaks/linefeeds diffs between windows and linux, but this should not be the problem due to the binary-data (binary transfer shouldn't change anything)
Reply
#15
(05-07-2021, 12:20 PM)Snoopy Wrote: tested your command with hashcat.hccapx + hashcat-pmk.hccapx from examples and it runs fine

can you try this both?
https://hashcat.net/wiki/doku.php?id=example_hashes

if the examples work and your file not the last thing i could think of is encoding problems with upload/download and linebreaks/linefeeds diffs between windows and linux, but this should not be the problem due to the binary-data (binary transfer shouldn't change anything)


I have already tested the instance with the example hashes, and it worked fine with both.

On my local machine I was running hashcat in Windows 10, and it was happy working on that hccapx, for whatever reason the Linux version isn't. It's very odd though, as I captured it again with hcxdumptool and converted it to hccapx and that one wouldn't work in the instance either.

I did half wonder if somehow transferring it with github has messed it up.


Attached Files
.jpg   Running in Windows.jpg (Size: 229.94 KB / Downloads: 2)
Reply
#16
try md5sum the file on linux and windows and see the results, like i said, binary data should not be altered when transferred between win<->*nix but who knows...
Reply
#17
"Strange, I just recaptured, converted to hccapx using aircrack, uploaded to github, wget onto my instance, tried again, and still the same error.
Something strange is afoot here."

Do not use aircrack-ng to convert to hashcat formats, because aircrack-ng has several unfixed issues in detection of handshakes:
https://github.com/aircrack-ng/aircrack-ng/issues/2079
https://github.com/aircrack-ng/aircrack-ng/issues/2136
https://github.com/aircrack-ng/aircrack-ng/issues/1993

I suggest to convert to hashmode 22000 format (no longer binary format like deprecated hccapx format).
In addition to that, I suggest to use the PMKID:
https://hashcat.net/forum/thread-7717.html

Most of TALKTALK routers transmit a PMKID:
https://wpa-sec.stanev.org/?search=TALKTALK

example (PMKID in hashmode 22000) from:
https://hashcat.net/wiki/doku.php?id=example_hashes

Code:
$ hashcat -m 22000 WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964*** -a 3 'hashcat!'
hashcat (v6.1.1-320-g9b7c2f8f5) starting...

CUDA API (CUDA 11.3)
====================
* Device #1: NVIDIA GeForce GTX 1080 Ti, 10905/11175 MB, 28MCU

OpenCL API (OpenCL 3.0 CUDA 11.3.101) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce GTX 1080 Ti, skipped

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 491 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.          

4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747f87f9f4:hashcat-essid:hashcat!
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: 4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747...-essid
Time.Started.....: Fri May  7 16:10:54 2021 (0 secs)
Time.Estimated...: Fri May  7 16:10:54 2021 (0 secs)
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       29 H/s (0.39ms) @ Accel:16 Loops:64 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 53c Fan: 38% Util: 46% Core:1733MHz Mem:5005MHz Bus:16

Started: Fri May  7 16:10:53 2021
Stopped: Fri May  7 16:10:55 2021
Reply
#18
(05-07-2021, 03:51 PM)ZerBea Wrote: "Strange, I just recaptured, converted to hccapx using aircrack, uploaded to github, wget onto my instance, tried again, and still the same error.
Something strange is afoot here."

Do not use aircrack-ng to convert to hashcat formats, because aircrack-ng has several unfixed issues in detection of handshakes:
https://github.com/aircrack-ng/aircrack-ng/issues/2079
https://github.com/aircrack-ng/aircrack-ng/issues/2136
https://github.com/aircrack-ng/aircrack-ng/issues/1993

I suggest to convert to hashmode 22000 format (no longer binary format like deprecated hccapx format).
In addition to that, I suggest to use the PMKID:
https://hashcat.net/forum/thread-7717.html

Most of TALKTALK routers transmit a PMKID:
https://wpa-sec.stanev.org/?search=TALKTALK


Have given it a go on the website using that to convert the cap to hccapx and still the same issue, also tried hcxtools to convert the cap and still the same issue.

I will give HCXDumpTool a go in a bit and see if that makes any difference. 

It's very strange that it works fine on my Windows setup (well did till the GPU gave out), but refuses to work on a cloud setup.

I will have another play, I have a few routers hanging around to test things out on.

Strangely this TalkTalk router doesn't ever seem to generate any PMKIDs, why that is I am unsure.
Reply
#19
"Have given it a go on the website using that to convert the cap to hccapx and still the same issue, also tried hcxtools to convert the cap and still the same issue."
Have you converted it to hash format 22000?
Have you run the 22000 example on the cracking machine?
Does the 22000 example work there?
Can you please send me a PM including the dumpfile or a download link to the dumpfile?

BTW1:
The new (non binary) hash format 22000 should make life easier to use hashfiles converted from WiFi traffic on websites/servers which don't accept a binary format. It allows to add the hash in the commandline.
This feature was added after issue report:
https://github.com/hashcat/hashcat/issues/2742
by commit:
https://github.com/hashcat/hashcat/commi...abe98195de
So, it is mandatory to use latest hashcat beta version to get benefit of it.
It works on PMKID (WPA*01*) and EAPOL (WPA*02*).

BTW2:
Although hcxdumptool/hcxtools are the recommended tools to be used in combination with hashcat, there are many other, very good tools you can use:

bettercap (PMKID attack vector and full support of hashmode 22000)
https://github.com/bettercap/bettercap/issues/810
that includes pwnagotchi (same developer)
https://github.com/evilsocket/pwnagotchi

multicapconverter (full support of hashmode 22000)
https://github.com/s77rt/multicapconverter

BTW3:
aircrack-ng is an excellent suite. It contains a nice script to set monitor mode and provides tools to capture traffic, to attack an AP and to recover the PSK - as long as you decide to stay inside the suite. If you decide to leave the suite (e.g. using the converted hash in combination with hashcat), I suggest to use one of the tools mentioned above.
Reply
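Because a hash mode 22000 line is plain text, it can be checked field by field after it has been copied between machines. The following is an added example, not code from the thread or from hashcat: the helper names are hypothetical, the sample line is the wiki example quoted in post #17, and the meaning of the three trailing fields (ANONCE, EAPOL frame, message pair) is taken from hashcat's documented 22000 layout rather than from this thread.

```python
import re

HEX = re.compile(r"[0-9a-fA-F]+")
KINDS = {"01": "PMKID", "02": "EAPOL"}

def _is_hex(value: str, length: int = 0) -> bool:
    """True if value is non-empty hex and, when length is given, exactly that long."""
    return bool(HEX.fullmatch(value)) and (length == 0 or len(value) == length)

def parse_22000(line: str) -> dict:
    """Validate one hash-mode-22000 line; raise ValueError if it is malformed."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("expected 9 '*'-separated fields starting with WPA")
    _, kind, digest, mac_ap, mac_sta, essid, anonce, eapol, _msg_pair = fields
    if kind not in KINDS:
        raise ValueError(f"unknown type {kind!r}")
    if not (_is_hex(digest, 32) and _is_hex(mac_ap, 12) and _is_hex(mac_sta, 12)):
        raise ValueError("PMKID/MIC or MAC field has wrong length or non-hex characters")
    if not _is_hex(essid) or len(essid) % 2 or len(essid) > 64:
        raise ValueError("ESSID must be 1..32 hex-encoded bytes")
    if kind == "01" and (anonce or eapol):
        raise ValueError("PMKID line must not carry ANONCE/EAPOL data")
    if kind == "02" and not (_is_hex(anonce, 64) and _is_hex(eapol) and len(eapol) % 2 == 0):
        raise ValueError("EAPOL line needs a 32-byte ANONCE and a hex EAPOL frame")
    return {"type": KINDS[kind], "mac_ap": mac_ap.lower(), "mac_sta": mac_sta.lower(),
            "essid": bytes.fromhex(essid).decode("utf-8", "replace")}

def is_intact(line: str) -> bool:
    """True when the line still parses after being copied or transferred."""
    try:
        parse_22000(line)
        return True
    except ValueError:
        return False

# Example hash line as quoted in post #17 (from the hashcat example_hashes wiki page).
EXAMPLE_LINE = ("WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4"
                "*686173686361742d6573736964***")
TRUNCATED_LINE = EXAMPLE_LINE[:-20]   # constructed: the same line cut short in transit

if __name__ == "__main__":
    print(parse_22000(EXAMPLE_LINE))
    print("truncated copy intact:", is_intact(TRUNCATED_LINE))
```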
#20
(05-07-2021, 01:59 PM)Snoopy Wrote: try md5sum the file on linux and windows and see the results, like i said, binary data should not be altered when transfered between win<->*nix but who knows...

Ah, I think we have a winner. For whatever reason, wget(ting) from github appears to modify the file somehow.


Attached Files
.png   LinuxMD5Sum.png (Size: 14.15 KB / Downloads: 3)
.png   WindowsMD5Sum.png (Size: 4.71 KB / Downloads: 3)
Reply
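The md5sum comparison that settled the thread can be combined with a structural check of the hccapx file, so that a saved web page or a copy with altered bytes is identified before hashcat is run. This is an added example, not code from the thread: the function names and sample inputs are constructed, and it assumes the hccapx layout documented by hashcat (393-byte records beginning with the signature "HCPX").

```python
import hashlib
import struct

HCCAPX_MAGIC = b"HCPX"      # hccapx signature bytes at offset 0
HCCAPX_RECORD_SIZE = 393    # bytes per hccapx record (format version 4)

def inspect_capture(data: bytes) -> dict:
    """Return the MD5 (to compare with md5sum on the other host) and a verdict."""
    report = {"md5": hashlib.md5(data).hexdigest(), "size": len(data)}
    head = data[:256].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        report["verdict"] = "html-page"            # a web page was saved, not the file
    elif not data.startswith(HCCAPX_MAGIC):
        report["verdict"] = "not-hccapx"
    elif len(data) % HCCAPX_RECORD_SIZE:
        report["verdict"] = "bad-length"           # truncated, or bytes inserted in transit
    else:
        # version (u32), message_pair (u8) and essid_len (u8) follow the signature
        version, _msg_pair, essid_len = struct.unpack_from("<IBB", data, 4)
        if essid_len > 32:
            report["verdict"] = "corrupt-header"
        else:
            report["verdict"] = "ok"
            report["version"] = version
            report["records"] = len(data) // HCCAPX_RECORD_SIZE
            report["essid"] = data[10:10 + essid_len].decode("utf-8", "replace")
    return report

def same_file(local: bytes, remote: bytes) -> bool:
    """True when both copies hash identically, i.e. the transfer changed nothing."""
    return inspect_capture(local)["md5"] == inspect_capture(remote)["md5"]

# Constructed sample inputs (not taken from the thread).
_ESSID = b"constructed-essid"
SAMPLE_OK = struct.pack("<4sIBB32s", HCCAPX_MAGIC, 4, 2, len(_ESSID), _ESSID) + bytes(351)
SAMPLE_HTML = b"\n<!DOCTYPE html>\n<html><head><title>handshake.hccapx</title></head></html>"
SAMPLE_CRLF = SAMPLE_OK[:200] + b"\r" + SAMPLE_OK[200:]   # one byte inserted in transit

if __name__ == "__main__":
    for name, blob in (("ok", SAMPLE_OK), ("html", SAMPLE_HTML), ("crlf", SAMPLE_CRLF)):
        print(name, inspect_capture(blob))
    print("identical:", same_file(SAMPLE_OK, SAMPLE_CRLF))
```

On a real file, pass the bytes read with `open(path, "rb").read()`; the `md5` value matches what `md5sum` prints for the same file.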