Plugins 2500/2501 and 16800/16801 are deprecated
#51
Exactly this is the purpose of the MESSAGEPAIR field at the end of a WPA*02 line.
It will inform hashcat and the user about the kind of hash and how to handle it.

Get all authenticated MESSAGEPAIRs:
Code:
$ cat hash.hc22000 | grep WPA.02 | grep 2$

Get all challenge MESSAGEPAIRs:
Code:
$ cat hash.hc22000 | grep WPA.02 | grep 1$

BTW:
Adding something like "challenge or authorized" to a hash line will produce overhead (especially if you have tons of hash lines). It takes disk space and will make fread() slow.

Or use hcxhashtool on the hc22000 file:
Code:
--authorized                 : filter EAPOL pairs by status authorized (M2M3, M3M4, M1M4)
--challenge                  : filter EAPOL pairs by status CHALLENGE (M1M2, M1M2ROGUE)
--rc                         : filter EAPOL pairs by replaycount status checked
--rc-not                     : filter EAPOL pairs by replaycount status not checked
--apless                     : filter EAPOL pairs by status M1M2ROGUE (M2 requested from CLIENT)

To get information about the VENDOR, use hcxhashtool on the hc22000 file:
Code:
--info=<file>                : output detailed information about content of hash file
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info=stdout                : stdout output detailed information about content of hash file
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info-vendor=<file>         : output detailed information about ACCESS POINT and CLIENT VENDORs
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info-vendor-ap=<file>      : output detailed information about ACCESS POINT VENDORs
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info-vendor-client=<file>  : output detailed information about ACCESS POINT VENDORs
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info-vendor=stdout         : stdout output detailed information about ACCESS POINT and CLIENT VENDORs
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info-vendor-ap=stdout      : stdout output detailed information about ACCESS POINT VENDORs
                               not in combination with --vendor, --vendor-ap or --vendor-client
--info-vendor-client=stdout  : stdout output detailed information about ACCESS POINT VENDORs
                               not in combination with --vendor, --vendor-ap or --vendor-client

To get more information, use hcxpcapngtool -D option on the pcapng/pcap/cap file:
Code:
-D <file> : output device information list
            format MAC MANUFACTURER MODELNAME SERIALNUMBER DEVICENAME UUID
#52
ZerBea, OK, thank you


I see some hash numbers at the end of it are 05 80 82 84 and so on
Some are challenges, some are authorizations
Code:
WPA*02****************05
WPA*02****************80
WPA*02****************82
WPA*02****************84

Code:
cat hash.hc22000 | grep WPA.02 | grep 1$

cat hash.hc22000 | grep WPA.02 | grep 2$

you use it, I think that it is impossible to classify by relying on these alone, because there is no unified field for challenges and authorizations, and it is impossible to guess what number will appear in the last paragraph.

If there is a unified replacement field at the end, it will be more complete
As i mentioned above
#53
The MESSAGEPAIR FIELD is a bitmask field.
Code:
bitmask of message pair field:
2,1,0:
000 = M1+M2, EAPOL from M2 (challenge)
001 = M1+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
010 = M2+M3, EAPOL from M2 (authorized)
011 = M2+M3, EAPOL from M3 (authorized) - unused
100 = M3+M4, EAPOL from M3 (authorized) - unused
101 = M3+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
3: reserved
4: ap-less attack (set to 1) - nonce-error-corrections not required
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory

Once you understand it, it's very easy to use:
There is only one challenge MESSAGEPAIR.
The remaining ones are authorized.

Let's exclude all challenges and get all other MESSAGEPAIR (authorized) combinations:
Code:
$ cat test.hc22000 | grep "^WPA\*02\*" | grep -v 0$ > all_authorized.hc22000
https://linuxconfig.org/bash-scripting-t...-beginners

There is absolutely no need to blow up a hash line with redundant information.

If you really can't read a messagepair field value, bash can make it more visual for you:
Code:
$ cat test.hc22000 | grep "^WPA\*02\*" | grep -v 0$ | sed -e 's/$/ authorized/' > visual_style.hc22000
$ cat test.hc22000 | grep "^WPA\*02\*" | grep 0$ | sed -e 's/$/ challenge/' >> visual_style.hc22000

Before feeding hashcat with this line, remove the extension:
Code:
$ cat visual_style.hc22000 | sed -e 's/ authorized//' -e 's/ challenge//' > hash.hc22000
#54
ZerBea
Thank you

Code:
*0$

I understand: if the last field is 0 it is a challenge, all the rest are authorizations.
Thanks Thanks
#55
Glad to read that.

BTW:
Due to the new format (ASCII instead of binary), there are much more possibilities to filter wanted/unwanted hashes.
E.g., if you would like to speed up hashcat, you can filter out all hashes that require NC:
Code:
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory

NC is explained here:
https://hashcat.net/forum/thread-6361.html
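The bitmask table from post #53 and the "filter out everything that needs NC" advice from post #55 can both be applied in one small script. The following Python is an added example, not code from this thread or from the hcxtools project: it decodes the MESSAGEPAIR byte at the end of each WPA*02 line, splits a hash file into challenge and authorized lines the same way the grep commands above do, and flags the lines whose bits 5, 6 or 7 say nonce error corrections are needed. The field layout WPA*02*MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR is assumed, and the sample lines are constructed placeholders (MIC, ANONCE and EAPOL are filler hex, the ESSID is "example").

```python
# Added example (not from the thread or from hcxtools): decode the
# MESSAGEPAIR byte that ends every WPA*02 line of an hc22000 file.
# Bit layout follows the table posted in this thread:
#   bits 2..0 : which handshake messages were paired / which one the EAPOL is from
#   bit 3     : reserved
#   bit 4     : ap-less attack (M2 requested from the client), NC not required
#   bit 5     : LE router detected, NC required on LE
#   bit 6     : BE router detected, NC required on BE
#   bit 7     : replaycount not checked, NC mandatory

PAIR_NAMES = {
    0b000: "M1+M2, EAPOL from M2 (challenge)",
    0b001: "M1+M4, EAPOL from M4 (authorized)",
    0b010: "M2+M3, EAPOL from M2 (authorized)",
    0b011: "M2+M3, EAPOL from M3 (authorized)",
    0b100: "M3+M4, EAPOL from M3 (authorized)",
    0b101: "M3+M4, EAPOL from M4 (authorized)",
}


def decode_messagepair(hexbyte: str) -> dict:
    """Decode the two-hex-digit MESSAGEPAIR field into its bitmask meaning."""
    value = int(hexbyte, 16)
    if not 0 <= value <= 0xFF:
        raise ValueError(f"MESSAGEPAIR must be one byte, got {hexbyte!r}")
    pair = value & 0b111
    if pair not in PAIR_NAMES:          # 110 and 111 are not defined
        raise ValueError(f"undefined message pair bits {pair:03b}")
    le_router = bool(value & 0x20)
    be_router = bool(value & 0x40)
    rc_not_checked = bool(value & 0x80)
    return {
        "value": value,
        "pair": PAIR_NAMES[pair],
        "challenge": pair == 0b000,      # the only challenge combination
        "apless": bool(value & 0x10),
        "le_router": le_router,
        "be_router": be_router,
        "replaycount_checked": not rc_not_checked,
        # bits 5, 6, 7 are the ones post #55 says to filter out to avoid NC
        "nc_required": le_router or be_router or rc_not_checked,
    }


def parse_hc22000_line(line: str):
    """Return the fields of a WPA*02 line, or None for anything else (PMKID lines, junk)."""
    fields = line.strip().split("*")
    # assumed layout: WPA*02*MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] != "02":
        return None
    return {
        "mac_ap": fields[3],
        "mac_client": fields[4],
        "essid": bytes.fromhex(fields[5]).decode("utf-8", "replace"),
        "messagepair": decode_messagepair(fields[8]),
        "raw": line.strip(),
    }


def split_hashes(lines):
    """Sort WPA*02 lines into challenge / authorized and collect those needing NC."""
    groups = {"challenge": [], "authorized": [], "nc_required": [], "invalid": []}
    for line in lines:
        try:
            rec = parse_hc22000_line(line)
        except ValueError:               # bad hex or undefined pair bits
            groups["invalid"].append(line.strip())
            continue
        if rec is None:
            continue
        mp = rec["messagepair"]
        groups["challenge" if mp["challenge"] else "authorized"].append(rec["raw"])
        if mp["nc_required"]:
            groups["nc_required"].append(rec["raw"])
    return groups


# Constructed sample lines: MIC, ANONCE and EAPOL are filler hex, ESSID is "example".
_PREFIX = ("WPA*02*" + "11" * 16 + "*aabbccddeeff*001122334455*6578616d706c65*"
           + "22" * 32 + "*" + "33" * 8 + "*")
SAMPLE_LINES = [
    _PREFIX + "05",   # M3+M4, authorized, replaycount checked
    _PREFIX + "80",   # M1+M2 challenge, replaycount NOT checked -> NC mandatory
    _PREFIX + "82",   # M2+M3 authorized, replaycount NOT checked -> NC mandatory
    _PREFIX + "84",   # M3+M4 (EAPOL from M3), replaycount NOT checked
    _PREFIX + "10",   # ap-less challenge, no NC needed
    "WPA*01*" + "44" * 16 + "*aabbccddeeff*001122334455*6578616d706c65***",  # PMKID line, skipped
]

if __name__ == "__main__":
    for name, members in split_hashes(SAMPLE_LINES).items():
        print(f"{name}: {len(members)}")
        for raw in members:
            print("  ", raw[-2:], decode_messagepair(raw[-2:])["pair"])
```

The `challenge` test is exactly what `grep 0$` on the last field catches: any value whose low nibble is 0 has pair bits 000, which is the single challenge combination, while values such as 80 or 10 still count as challenges because only the upper bits are set. To speed up hashcat as post #55 suggests, write out everything except the `nc_required` group.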
#56
[quote="ZerBea" pid='53971' dateline='1635778082']
Glad to read that.

BTW:
Due to the new format (ASCII instead of binary), there are much more possibilities to filter wanted/unwanted hashes.
E.g., if you would like to speed up hashcat, you can filter out all hashes that require NC:
Code:
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory

How can I classify the hashes that need NC?
#57
Mostly NC is required on:
- cleaned dump files (there is no need to clean a dump file)
- wrong/missing timestamps (bug of the dump tool)
- passive capturing due to possible packet loss
- running excessive deauthentications (AP increment ANONCE instead of replaycount)

hcxpcapngtool is able to detect this:
Code:
Warning: out of sequence timestamps!
This dump file contains frames with out of sequence timestamps.
That is a bug of the capturing tool.

Warning: excessive number of deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER,
renew ANONCE and set PMKID to zero.
This could prevent to calculate a valid EAPOL MESSAGE PAIR
or to get a valid PMKID.

Warning: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

In addition to that, hcxpcapngtool will give you information about the elapsed time between 2 EAPOL MESSAGES. It will detect if NC is possible and it will give a recommendation for the value:
Code:
EAPOLTIME gap (measured maximum usec)....: 12808
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
#58
(11-02-2021, 09:09 AM)ZerBea Wrote: Mostly NC is required on:
- cleaned dump files (there is no need to clean a dump file)
- wrong/missing timestamps (bug of the dump tool)
- passive capturing due to possible packet loss
- running excessive deauthentications (AP increment ANONCE instead of replaycount)

hcxpcapngtool is able to detect this:
Code:
Warning: out of sequence timestamps!
This dump file contains frames with out of sequence timestamps.
That is a bug of the capturing tool.

Warning: excessive number of deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER,
renew ANONCE and set PMKID to zero.
This could prevent to calculate a valid EAPOL MESSAGE PAIR
or to get a valid PMKID.

Warning: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

In addition to that, hcxpcapngtool will give you information about the elapsed time between 2 EAPOL MESSAGES. It will detect if NC is possible and it will give a recommendation for the value:
Code:
EAPOLTIME gap (measured maximum usec)....: 12808
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8


OK....
#59
I used your tool to extract tens of thousands of hashes