hashcat v6.2.0
#21
What needs to be installed to support HIP? I'm getting this (under Windows 10):

hashcat (v6.2.4) starting

Unsupported AMD HIP runtime version '0.0.3224' detected! Falling back to OpenCL...

OpenCL API (OpenCL 2.1 AMD-APP (3224.5)) - Platform #1 [Advanced Micro Devices, Inc.]
==============================================================
* Device #1: AMD Radeon (TM) R9 200 Series, 1920/2048 MB (1523 MB allocatable), 20MCU

Also, HCCAPX, which was working fine with 6.1.1, isn't working anymore:

Hashfile 'example22000.hccapx' on line 1 (HCPX♦): Separator unmatched
Hashfile 'example22000.hccapx' on line 2 (ATTApDyXXX): Separator unmatched
Hashfile 'example22000.hccapx' on line 3 (): Separator unmatched
No hashes loaded.

Can I attach file?

Thanks!
#22
The old hash modes are deprecated and replaced by hash mode 22000. The new hash format is no longer binary (hccapx), and you no longer need to care whether the hash value is a PMKID or an EAPOL MESSAGE PAIR.

The new hash mode is explained here:
https://hashcat.net/forum/thread-10253.html
That includes examples.

You can use the hashcat online converter to get the hash values hashcat can work on from your pcapng/pcap/cap dump file here:
https://hashcat.net/cap2hashcat/
#23
(09-15-2021, 12:28 PM)ZerBea Wrote: The old hash modes are deprecated and replaced by hash mode 22000. The new hash format is no longer binary (hccapx), and you no longer need to care whether the hash value is a PMKID or an EAPOL MESSAGE PAIR.

The new hash mode is explained here:
https://hashcat.net/forum/thread-10253.html
That includes examples.

You can use the hashcat online converter to get the hash values hashcat can work on from your pcapng/pcap/cap dump file here:
https://hashcat.net/cap2hashcat/

Hey ZerBea, super-thanks! I still need to read the thread you've pointed to and compile the tools (I prefer online ones). I guess old hccapx files can't be converted to 22000 - there is no way to fake the info required by 22000, right?
#24
hcxmactool will do this job:
Code:
$ hcxmactool --hccapxin=deprecated.hccapx --pmkideapolout=new.hc22000

And some other conversions, too:
Code:
$ hcxmactool -h
hcxmactool 6.2.4-7-gb37ef50 (C) 2021 ZeroBeat
usage:
hcxmactool <options>

options:
-o <oui>    : filter access point by OUI
-n <nic>    : filter access point by NIC
-m <mac>    : filter access point by MAC
-a <vendor> : filter access point by VENDOR name
-O <oui>    : filter client by OUI
-N <nic>    : filter client by NIC
-M <mac>    : filter client by MAC
-A <vendor> : filter client by VENDOR name
-h          : show this help
-v          : show version

--pmkideapolout=<file> : output PMKID/EAPOL hash line (22000 format)
--pmkidin=<file>       : input PMKID file
--pmkidout=<file>      : output PMKID file
--hccapxin=<file>      : input HCCAPX file
--hccapxout=<file>     : output HCCAPX file
--help                 : show this help
--version              : show version


But I can't recommend it: the hccapx hash file doesn't contain useful information collected from WiFi traffic. It is much better to re-capture.

Please notice that hcxmactool, hcxpmkidtool, hcxessidtool and hcxhashcattool are deprecated, too.
I'm going to remove these tools when OpenSSL 3.0.0 arrives in the Arch Linux package system:
https://archlinux.org/packages/core/x86_64/openssl/
#25
Thanks ZB, this is much more than I was hoping for. Your HCXTOOLS is a great addition to HASHCAT, thanks a lot for developing it.

"Better recapture" is well noted.
#26
Nice to hear that.
BTW:
hcxdumptool and hcxtools are a great addition to JtR, too.
#27
ZB, your tools are a Swiss army knife for both HC and JTR. I've gladly discarded all the others, which I painstakingly collected from the web or wrote myself.

One question: assuming I collect all HC22000 hashes from multiple captures into a single file, should I clean it up once in a while, leaving only the latest ones with all the required PMKID data? Or are JTR/HC smart enough to sort them out and use the best available?

P.S. Sorry for hijacking the thread, I probably need to move it somewhere.
#28
It is a good idea to collect all hashes into a single file. That is your hash database, which can be sorted unique, and you can run small word lists on it. Findings can be removed directly with hashcat's --remove option.
If you want to run special tasks that depend on your target or on the reuse of PBKDF2 on commonly used ESSIDs (e.g. masks, basic word lists + rules, big word lists), you can use hcxhashtool on your database to get a "special target" hc22000 hash file hashcat can work on.
#29
Mmm, maybe I wasn't clear ... let's say I have collected 10 hashes from the same ESSID over a period of time. I tried a few attacks and didn't succeed. In the next few months I added 10 more hashes from this ESSID, but the old ones may not be valid anymore because the password was changed. I also discovered a new great attack and would like to try it out. What's the best strategy - keep only the last one, keep the last few, or keep all? Of course keeping them all won't hurt, I'll get both passwords, old and new, but wouldn't it be 20x slower compared to keeping only the last one? Oh, actually it may hurt, because HC will stop processing hashes from this ESSID as soon as the first (old!) password is found, right?
#30
If the ESSID wasn't changed, the speed impact isn't that much.
Hashcat will not stop unless all PSKs are tested against all hashes.
To calculate the elapsed time, I used a small word list that doesn't contain matching PSKs.
And I used Linux "time" to measure the elapsed time and not(!) hashcat's internal calculation of elapsed time.
Code:
$ hcxhashtool -i test.22000

OUI information file...........: /home/zerobeat/.hcxtools/oui.txt
OUI entires...................: 30555
total lines read..............: 887
valid hash lines..............: 887
PMKID hash lines..............: 258
EAPOL hash lines..............: 629


$ time hashcat -m 22000 test.22000 uncracked.txt.gz
hashcat (v6.2.4-76-g4b6654b50) starting

Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.22000
Time.Started.....: Sun Sep 26 23:02:42 2021 (5 secs)
Time.Estimated...: Sun Sep 26 23:02:47 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (uncracked.txt.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    76595 H/s (7.56ms) @ Accel:8 Loops:256 Thr:512 Vec:1
Recovered........: 0/887 (0.00%) Digests
Progress.........: 292559/292559 (100.00%)
Rejected.........: 0/292559 (0.00%)
Restore.Point....: 292559/292559 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:886-1773
Candidate.Engine.: Device Generator
Candidates.#1....: fedotov90 -> 87077890366
Hardware.Mon.#1..: Temp: 59c Fan: 44% Util:  0% Core:1885MHz Mem:5005MHz Bus:16

Started: Sun Sep 26 23:02:40 2021
Stopped: Sun Sep 26 23:02:48 2021

real    0m7,271s
user    0m1,904s
sys    0m1,225s


Fewer hashes:
Code:
$ hcxhashtool -i test20.22000

OUI information file...........: /home/zerobeat/.hcxtools/oui.txt
OUI entires...................: 30555
total lines read..............: 20
valid hash lines..............: 20
PMKID hash lines..............: 6
EAPOL hash lines..............: 14

$ time hashcat -m 22000 test20.22000 uncracked.txt.gz
hashcat (v6.2.4-76-g4b6654b50) starting
Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test20.22000
Time.Started.....: Sun Sep 26 23:05:00 2021 (2 secs)
Time.Estimated...: Sun Sep 26 23:05:02 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (uncracked.txt.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   193.3 kH/s (7.69ms) @ Accel:8 Loops:256 Thr:512 Vec:1
Recovered........: 0/20 (0.00%) Digests
Progress.........: 292559/292559 (100.00%)
Rejected.........: 0/292559 (0.00%)
Restore.Point....: 292559/292559 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:19-39
Candidate.Engine.: Device Generator
Candidates.#1....: fedotov90 -> 87077890366
Hardware.Mon.#1..: Temp: 58c Fan: 39% Util:  0% Core:1885MHz Mem:5005MHz Bus:16

Started: Sun Sep 26 23:04:58 2021
Stopped: Sun Sep 26 23:05:04 2021

real    0m5,291s
user    0m1,707s
sys    0m1,156s

If the PSK was changed, you will possibly get the history of PSK changes when running against all hashes, e.g.:

PSK from M1M2ROGUE:
password1234

Maybe we can assume the PSK could be password + digits!

Old PSK from M2M3:
password2018

Newer PSK from M2M3:
password2019

Now we can assume the latest PSK could be
password2021
because you recovered a complete history.

BTW:
To get full advantage of hashcat's reuse of PBKDF2:
If you know the ESSID:
Code:
$ hcxhashtool -i hasharchive.22000 --essid=TARGET_ESSID -o test.22000

Or group all ESSIDs:
Code:
$ hcxhashtool -i hasharchive.22000 --essid-group
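Added illustration of the point made in #30 (why 887 hashes of the same ESSID cost only a little more than 20) and of the hc22000 line layout from #22; this is example code written for this thread, not code from hashcat or hcxtools. The expensive step per candidate is PBKDF2-HMAC-SHA1 with the ESSID as salt, so the PMK is derived once per (ESSID, candidate) and then checked against every hash of that ESSID with one cheap HMAC each. The script parses constructed PMKID (type 01) lines, groups them by ESSID the way hcxhashtool --essid-group does, and counts PBKDF2 derivations against hashes tested; the ESSIDs, MAC addresses and PSKs are made up, and EAPOL (type 02) lines are parsed and grouped but not verified, since that needs the full PTK/MIC computation.

```python
import hashlib
import hmac
from collections import defaultdict

# hc22000 line layout (hashcat mode 22000), nine '*'-separated fields:
# WPA*TYPE*PMKID_or_MIC*MAC_AP*MAC_CLIENT*ESSID_hex*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID line (last three fields empty), TYPE 02 = EAPOL line.


def derive_pmk(psk: str, essid: bytes) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(psk, essid, 4096 rounds, 32 bytes).
    This is the salt-bound, expensive step; the salt is the ESSID."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA)[:16] (802.11 definition)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_22000(line: str) -> dict:
    """Split one hc22000 line into its fields; raises ValueError on anything else."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError(f"not a hc22000 line: {line!r}")
    return {
        "type": fields[1],
        "digest": bytes.fromhex(fields[2]),   # PMKID (type 01) or MIC (type 02)
        "mac_ap": bytes.fromhex(fields[3]),
        "mac_sta": bytes.fromhex(fields[4]),
        "essid": bytes.fromhex(fields[5]),
    }


def make_pmkid_line(essid: bytes, psk: str, mac_ap: bytes, mac_sta: bytes) -> str:
    """Build a constructed type-01 line from a known PSK (sample data only)."""
    d = pmkid(derive_pmk(psk, essid), mac_ap, mac_sta)
    return "*".join(["WPA", "01", d.hex(), mac_ap.hex(), mac_sta.hex(), essid.hex(), "", "", ""])


def group_by_essid(lines):
    """One bucket per ESSID, the grouping idea behind hcxhashtool --essid-group."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_22000(line)
        groups[rec["essid"]].append(rec)
    return groups


def check_candidates(lines, candidates):
    """Derive the PMK once per (ESSID, candidate) and test it against every PMKID
    line of that ESSID. Returns ({(essid, digest_hex): psk}, pbkdf2_calls)."""
    found, pbkdf2_calls = {}, 0
    for essid, recs in group_by_essid(lines).items():
        pmkid_recs = [r for r in recs if r["type"] == "01"]
        for psk in candidates:
            pmk = derive_pmk(psk, essid)
            pbkdf2_calls += 1
            for r in pmkid_recs:   # cheap HMAC per hash, no second PBKDF2
                if hmac.compare_digest(pmkid(pmk, r["mac_ap"], r["mac_sta"]), r["digest"]):
                    found[(essid.decode(), r["digest"].hex())] = psk
    return found, pbkdf2_calls


# Constructed sample: one ESSID captured four times over time (three clients on the
# current PSK, one older capture on a previous PSK) plus a second ESSID.
AP1, AP2 = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
HOME, OFFICE = b"HomeNet", b"Office"
SAMPLE_LINES = [
    make_pmkid_line(HOME, "password2019", AP1, bytes.fromhex("0a0b0c0d0e01")),
    make_pmkid_line(HOME, "password2019", AP1, bytes.fromhex("0a0b0c0d0e02")),
    make_pmkid_line(HOME, "password2019", AP1, bytes.fromhex("0a0b0c0d0e03")),
    make_pmkid_line(HOME, "password2018", AP1, bytes.fromhex("0a0b0c0d0e04")),
    make_pmkid_line(OFFICE, "summer2020", AP2, bytes.fromhex("0a0b0c0d0e05")),
]
CANDIDATES = ["password2018", "password2019", "summer2020"]

if __name__ == "__main__":
    found, calls = check_candidates(SAMPLE_LINES, CANDIDATES)
    print(f"{len(SAMPLE_LINES)} hashes, {len(CANDIDATES)} candidates, "
          f"{calls} PBKDF2 derivations (2 ESSIDs x 3 candidates)")
    for (essid, digest), psk in sorted(found.items()):
        print(f"{essid}: {digest} -> {psk}")
```

With five hashes and three candidates the script performs six PBKDF2 derivations (two ESSIDs times three candidates), not fifteen; the per-hash work is a single HMAC-SHA1. That is the same effect visible in the two timings above, and it is also why keeping the older captures of an ESSID costs little and, as in the PSK history example, can reveal the pattern of past changes.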