Hashcat command bruteforce
#1
Hi

I'll begin by saying I'm new to hashcat.

I've got permission to attack a friend's WiFi which uses WPA2 (he thinks WPA is impenetrable, I say it isn't and then the bet is on...). 

I've read the Hashcat Wiki and tried to google my questions but haven't come up with any good answers. 

To my understanding the Hashcat command will be: hashcat.exe -m 2500 -a 3 FILE.hccapx but the last part gets me confused. I basically have two questions regarding the last part of the command.

1. In the Hashcat wiki it says "In Brute-Force we specify a Charset and a password length range." Which command am I supposed to use if I don't know anything regarding his password?
2. It is possible he has Swedish letters in his password (eg Å, Ä and Ö) - is it possible to make them a part of the bruteforce attack?
#2
The simplest hashcat commands are:
by wordlist:
$ hashcat -m 22000 hashfile.22000 wordlist

by pattern (e.g. 8 digit PSK)
$ hashcat -m 22000 hashfile.22000 -a 3 ?d?d?d?d?d?d?d?d

by pattern, if you know a part (e.g.: name and date) of the PSK
$ hashcat -m 22000 hashfile.22000 -a 3 Agneta?d?d?d?d

by wordlist (e.g. prenames) + rule (e.g. dates)
$ hashcat -m 22000 hashfile.22000 prenamelist -r date.rule

I recommend to do some investigations about the ROUTER (default PSK, default PSK keyspace, possible default PSK pattern), about the CLIENTs which belong to the NETWORK (does a CLIENT transmit the PSK in the clear).
Are you able to confuse a CLIENT, so that you can retrieve the PSK from him?
Does the administrator use the default ESSID or does he use a user defined one?

Is wpa-sec able to recover the PSK, by testing some common wordlists?
https://wpa-sec.stanev.org/?nets

Please also read this comment:
https://hashcat.net/forum/thread-10151-p...l#pid52834

BTW:
hashcat is a tool to recover a password from a hash file.
It is not a tool to attack a NETWORK directly.
The attack vector and the conversion to a hash file (e.g. 22000) is an important part. If one of them or both failed, hashcat will not be able to recover the PSK.

I'm interested how you performed the attack on the air interface.
Which tool have you used to attack the NETWORK?
Which tool have you used to convert the EAPOL MESSAGE PAIR to hccapx?
Which WiFi adapter have you used?
Have you attacked the AP or the CLIENTs or both?
Does the AP transmit a PMKID?

I asked, because I talked with Atom about hash modes 250x and 1680x. We both wonder why so many users still run these deprecated modes.
#3
Excuse me for joining this thread, but I am also a novice and am interested in why you ask:

Code:
I'm interested how you performed the attack on the air interface.
Which tool have you used to attack the NETWORK?
Which tool have you used to convert the EAPOL MESSAGE PAIR to hccapx?
Which WiFi adapter have you used?
Have you attacked the AP or the CLIENTs or both?
Does the AP transmit a PMKID?


I obtained a few handshakes from a pwnagotchi and several others using wifite on a laptop with an external alfa adapter.

I converted the pcap file like so

Code:
$ ./cap2hccapx.bin BS_38-2C-4A-49-CB-E0_2021-05-10T20-37-43.cap BS.hccapx
Networks detected: 1

[*]BSSID=38:2c:4a:49:cb:e0 ESSID=BiggySmells (Length: 11)
--> STA=18:74:2e:8d:e0:c7, Message Pair=0, Replay Counter=948
--> STA=18:74:2e:8d:e0:c7, Message Pair=2, Replay Counter=948

Written 2 WPA Handshakes to: BS.hccapx

I understood this output to mean that the pcap file had captured several handshakes.

Then did this

Code:
hashcat -m 22000 -a 0 -r ../../dict/rules/best64.rule BS.hccapx ../../dict/rockyou.txt  -o cracked -w 3 -O

Although I have 32gig ram and an NVIDIA ampere card hashcat says:

Host memory required for this attack: 1166 MB

and

Speed.#1.........:  1130.0 kH/s (73.22ms) @ Accel:32 Loops:128 Thr:1024 Vec:1

Shouldn't hashcat use more memory and go faster?
#4
I asked the question about the used tools, because the attack of the target and the conversion to a format that hashcat accepts is a main part in the workflow:
If the attack failed you'll never get a useful handshake or a useful PMKID.
If the conversion failed, hashcat will not be able to recover the PSK from the converted hash.
In both cases you'll waste your time.

Not all tools provide these features or you need at least a newer version of the tool than provided by your distribution:
https://github.com/bettercap/bettercap/issues/810
https://github.com/evilsocket/pwnagotchi/issues/835
https://github.com/aircrack-ng/aircrack-ng/issues/2079
https://github.com/aircrack-ng/aircrack-ng/issues/2175

PBKDF2 is a very slow algorithm and the calculation time doesn't depend on the size of your RAM.
These are my results (NVIDIA GeForce GTX 1650):
Speed.#1.........: 167.4 kH/s (96.93ms) @ Accel:16 Loops:256 Thr:1024 Vec:1
Regarding these results, your ampere is really fast.

The only way to speed up this process is to use the latest tools, to do some OSINT (router type known default PSK algo or pattern, admin/user prefer birth dates, names,....). That will reduce the time to recover the PSK.
Additionally, you can get some useful information from the captured traffic, if the tools you use for the attack will provide this feature.

BTW:
Your hashcat command line is totally wrong:
Code:
$ hashcat -m 22000 -a 0 -r ../../dict/rules/best64.rule BS.hccapx ../../dict/rockyou.txt  -o cracked -w 3 -O
because hashcat in hash mode 22000 will not work on binary hccapx files.
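The mode/file mismatch pointed out above is easy to catch before launching a run. The following is an added example, not code from this thread or from the hashcat project: it tells a binary .hccapx file (which starts with the magic bytes "HCPX" and uses fixed 393-byte records) apart from a text file in the 22000 line format (nine '*'-separated fields per line, type 01 for PMKID lines and 02 for EAPOL lines) and reports why "-m 22000" would reject the file. The sample inputs at the bottom are constructed placeholders, not real captures.

```python
# Added example, not code from the thread or from the hashcat project: a
# pre-flight check that tells a binary .hccapx file apart from a text hash
# file in hashcat's "22000" line format, so that "-m 22000" is only pointed
# at a file it can actually parse.
import re

HCCAPX_MAGIC = b"HCPX"       # every hccapx record starts with these 4 bytes
HCCAPX_RECORD_LEN = 393      # fixed record size of the hccapx format, in bytes
_HEX = re.compile(r"^[0-9a-fA-F]*$")

# One 22000 line has nine '*'-separated fields:
#   WPA*TYPE*PMKID_or_MIC*MAC_AP*MAC_STA*ESSID*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID line (last three fields empty), TYPE 02 = EAPOL/MIC line.
def check_22000_line(line: str) -> list:
    """Return the problems found in one hash line; an empty list means it looks valid."""
    fields = line.rstrip("\r\n").split("*")
    if len(fields) != 9:
        return [f"expected 9 '*'-separated fields, found {len(fields)}"]
    tag, typ, keymat, mac_ap, mac_sta, essid, anonce, eapol, mpair = fields
    problems = []
    if tag != "WPA":
        problems.append("line does not start with 'WPA'")
    if typ not in ("01", "02"):
        problems.append(f"unknown type {typ!r} (expected 01 or 02)")
    for name, value, hexlen in (("PMKID/MIC", keymat, 32), ("MAC_AP", mac_ap, 12), ("MAC_STA", mac_sta, 12)):
        if len(value) != hexlen or not _HEX.match(value):
            problems.append(f"{name} must be {hexlen} hex digits")
    if not _HEX.match(essid) or len(essid) % 2 or not 2 <= len(essid) <= 64:
        problems.append("ESSID must be 1..32 bytes, hex encoded")
    if typ == "02":
        if len(anonce) != 64 or not _HEX.match(anonce):
            problems.append("ANONCE must be 64 hex digits")
        if not eapol or len(eapol) % 2 or not _HEX.match(eapol):
            problems.append("EAPOL must be a non-empty even-length hex string")
        if len(mpair) != 2 or not _HEX.match(mpair):
            problems.append("MESSAGEPAIR must be 2 hex digits")
    elif typ == "01" and (anonce or eapol or mpair):
        problems.append("PMKID lines carry empty ANONCE/EAPOL/MESSAGEPAIR fields")
    return problems

def classify_hash_file(data: bytes) -> dict:
    """Classify raw file contents as 'hccapx', '22000' or 'unknown', with a mode-22000 verdict."""
    if data.startswith(HCCAPX_MAGIC):
        return {"kind": "hccapx", "records": len(data) // HCCAPX_RECORD_LEN,
                "mode_22000_ok": False,
                "problems": ["binary hccapx: convert it to the 22000 line format before using -m 22000"]}
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return {"kind": "unknown", "records": 0, "mode_22000_ok": False,
                "problems": ["not ASCII text and not hccapx"]}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    problems = []
    for no, ln in enumerate(lines, 1):
        problems += [f"line {no}: {p}" for p in check_22000_line(ln)]
    return {"kind": "22000" if lines else "unknown", "records": len(lines),
            "mode_22000_ok": bool(lines) and not problems, "problems": problems}

# Constructed sample inputs (placeholder hex values, not real captures).
_ESSID_HEX = b"ExampleNet".hex()
SAMPLE_22000 = (
    "WPA*01*" + "a" * 32 + "*001122334455*66778899aabb*" + _ESSID_HEX + "***\n"
    "WPA*02*" + "b" * 32 + "*001122334455*66778899aabb*" + _ESSID_HEX
    + "*" + "c" * 64 + "*" + "d" * 200 + "*02\n"
).encode("ascii")
SAMPLE_HCCAPX = HCCAPX_MAGIC + b"\x00" * (HCCAPX_RECORD_LEN - 4)

if __name__ == "__main__":
    for name, blob in (("hccapx", SAMPLE_HCCAPX), ("22000", SAMPLE_22000)):
        verdict = classify_hash_file(blob)
        print(name, "->", verdict["kind"], "| mode 22000 ok:", verdict["mode_22000_ok"])
        for p in verdict["problems"]:
            print("   ", p)
```

Running the check against the file named in the quoted command line (BS.hccapx) would report the hccapx magic and a false "mode_22000_ok", which is the mismatch the post describes; the per-line checks are useful for hand-edited or concatenated 22000 files, where a single malformed line is otherwise silently skipped.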
#5
(06-07-2021, 03:06 PM)ZerBea Wrote: The simplest hashcat commands are:
by wordlist:
$ hashcat -m 22000 hashfile.22000 wordlist

by pattern (e.g. 8 digit PSK)
$ hashcat -m 22000 hashfile.22000 -a 3 ?d?d?d?d?d?d?d?d

by pattern, if you know a part (e.g.: name and date) of the PSK
$ hashcat -m 22000 hashfile.22000 -a 3 Agneta?d?d?d?d

by wordlist (e.g. prenames) + rule (e.g. dates)
$ hashcat -m 22000 hashfile.22000 prenamelist -r date.rule

I recommend to do some investigations about the ROUTER (default PSK, default PSK keyspace, possible default PSK pattern), about the CLIENTs which belong to the NETWORK (does a CLIENT transmit the PSK in the clear).
Are you able to confuse a CLIENT, so that you can retrieve the PSK from him?
Does the administrator use the default ESSID or does he use a user defined one?

Is wpa-sec able to recover the PSK, by testing some common wordlists?
https://wpa-sec.stanev.org/?nets

Please also read this comment:
https://hashcat.net/forum/thread-10151-p...l#pid52834

BTW:
hashcat is a tool to recover a password from a hash file.
It is not a tool to attack a NETWORK directly.
The attack vector and the conversion to a hash file (e.g. 22000) is an important part. If one of them or both failed, hashcat will not be able to recover the PSK.

I'm interested how you performed the attack on the air interface.
Which tool have you used to attack the NETWORK?
Which tool have you used to convert the EAPOL MESSAGE PAIR to hccapx?
Which WiFi adapter have you used?
Have you attacked the AP or the CLIENTs or both?
Does the AP transmit a PMKID?

I asked, because I talked with Atom about hash modes 250x and 1680x. We both wonder why so many users still run these deprecated modes.

Hi

Thank you for your reply

I used an alpha NIC adapter with The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) and Wifite (not sure if this answers your question?)
Is it possible to acquire the router/accesspoint information using its MAC or BSSID address?

Is there a command if I want to try variations containing numbers, small letters, capital letters and special characters on all places instead of only ?d?d?d?d?d?d?d?d which only tries numbers when trying to crack the password?
#6
Thanks for your reply. I know about the successor of wifite (wifite2, maintained by kimocoder):
https://github.com/kimocoder/wifite2
which is a nice script.

Some PSKs are based on MAC_AP or ESSID. There are some tools you can use to try this:
https://github.com/routerkeygen/routerkeygenPC
https://github.com/ZerBea/hcxtools/blob/...xpsktool.c

To calculate PSKs based on a pattern, hashcat mask attack is your choice:
https://hashcat.net/wiki/doku.php?id=mask_attack
Reply
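To judge which masks from this thread are realistic, it helps to compute the keyspace a mask describes and divide it by the speeds quoted earlier (1130.0 kH/s for the Ampere card in post #3, 167.4 kH/s for the GTX 1650 in post #4). The following is an added example, not code from the thread or from the hashcat project: a small parser for hashcat mask strings using the built-in charset sizes from the mask_attack wiki page (?l 26, ?u 26, ?d 10, ?s 33, ?a 95, ?b 256, ?h/?H 16, "??" for a literal question mark, ?1 for a custom charset). It also answers the Swedish-letters question from post #1 with a caveat: hashcat charsets are byte-oriented, so a custom charset built from UTF-8 letters like Å, Ä and Ö is a set of distinct bytes, and one mask position produces one byte, not one whole letter. The speed figures and the sample masks are the ones on this page; the custom charset "åäöÅÄÖ" is an assumption used for illustration.

```python
# Added example, not from the thread or the hashcat project: keyspace and
# run-time estimates for hashcat mask strings, plus the byte-wise charset
# caveat that matters for non-ASCII letters in a custom charset.
import string
from typing import Optional

# hashcat's built-in charsets and their sizes (?b is every byte 0x00-0xff).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]
BUILTIN_SIZES = {k: len(v) for k, v in BUILTIN.items()}
BUILTIN_SIZES["b"] = 256

# Speeds quoted in this thread, in hashes per second.
SPEEDS_HS = {"ampere (post #3)": 1130.0e3, "GTX 1650 (post #4)": 167.4e3}

def custom_charset_bytes(chars: str) -> tuple:
    """Size of a custom charset as hashcat sees it (distinct UTF-8 bytes) and
    whether any character needs more than one byte, i.e. spans several mask positions."""
    raw = chars.encode("utf-8")
    return len(set(raw)), any(len(c.encode("utf-8")) > 1 for c in chars)

def mask_positions(mask: str, custom: Optional[dict] = None) -> list:
    """Charset size for every position of a hashcat mask; literal characters count as 1."""
    custom = custom or {}
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)           # literal character, e.g. the "Agneta" prefix
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        sel = mask[i + 1]
        if sel == "?":
            sizes.append(1)           # "??" is an escaped literal question mark
        elif sel in BUILTIN_SIZES:
            sizes.append(BUILTIN_SIZES[sel])
        elif sel in custom:
            sizes.append(custom_charset_bytes(custom[sel])[0])
        else:
            raise ValueError(f"unknown charset ?{sel}")
        i += 2
    return sizes

def keyspace(mask: str, custom: Optional[dict] = None) -> int:
    """Number of candidates the mask generates (product of the per-position sizes)."""
    n = 1
    for s in mask_positions(mask, custom):
        n *= s
    return n

def seconds_to_exhaust(mask: str, speed_hs: float, custom: Optional[dict] = None) -> float:
    """Worst-case time to try every candidate of the mask at the given speed."""
    return keyspace(mask, custom) / speed_hs

def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("y", 365.25 * 86400), ("d", 86400), ("h", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"

if __name__ == "__main__":
    swedish = {"1": "åäöÅÄÖ"}   # assumed custom charset, passed to hashcat as -1
    for mask in ("?d?d?d?d?d?d?d?d", "Agneta?d?d?d?d", "?a?a?a?a?a?a?a?a", "?l?l?l?l?l?l?1?1"):
        ks = keyspace(mask, swedish)
        line = f"{mask:18} keyspace={ks:>20,}"
        for name, hs in SPEEDS_HS.items():
            line += f"  {name}: {human(ks / hs)}"
        print(line)
    n_bytes, multi = custom_charset_bytes(swedish["1"])
    print(f"custom charset {swedish['1']!r}: {n_bytes} distinct bytes, multi-byte={multi}")
```

The numbers make the earlier point about PBKDF2 concrete: eight digits (10^8 candidates) take about a minute and a half on the Ampere card, while eight positions of ?a (95^8) take centuries on either card, and a known prefix such as "Agneta" collapses the keyspace to the digits that follow it. The last line shows why a custom charset of six Swedish letters is not six candidates per position: encoded as UTF-8 they contribute seven distinct bytes, and each letter occupies two mask positions.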