Question regarding 22000 hashes
#1
Hello!

So I recently realized that I'm a bit behind on the newer techniques used to crack WPA2 (the PMKID method, for instance). Decided to start reading up on it and experiment on my own network at home.

There is one thing I encountered though, that I wanted to ask about.

In this test I run "hcxdumptool -c 52 -i wlan1 -o wpatest.pcapng --enable-status=15 --active_beacon".

I didn't get any PMKID or EAPOL frames that could be used, so I tried logging into my wifi from another device and entered the wrong password, which then seemed to trigger the correct frames being sent/captured (so I thought, at least).

When later cracking the resulting hash (WPA*02*), the found password was the incorrect one I had entered earlier, which of course gives me a useless result since I cannot use it to log in to my wifi.

Now to my question. Is there a way to know if the hash contains an incorrectly entered password, or do I just have to assume that the person entering it knows what they are doing? Are any of the methods (PMKID, EAPOL) better in this scenario in terms of actually knowing whether one can trust the resulting hash or not? If I do a security assessment in the future I would prefer to focus on one method where I can trust that the resulting hash is worth spending GPU cycles on.

Looking forward to any potential replies! : )
#2
An EAPOL key exchange consists of 4 parts.
https://www.wifi-professionals.com/2019/...-handshake
Or simply explained:
1. The AP transmits an EAPOL M1 (challenge) to the CLIENT: "hey CLIENT, let's see if you are entitled to enter this NETWORK"
2. The CLIENT responds with an EAPOL M2 (challenge): "hey AP, this is my PSK, am I allowed to enter the NETWORK?"
3. The AP transmits an EAPOL M3 message (authorization): "hey CLIENT, you are allowed to join the NETWORK"
4. The CLIENT confirms with an EAPOL M4 (authorization) and joins the NETWORK

If the PSK is wrong, or the CLIENT belongs to a different NETWORK using the same ESSID, the AP doesn't allow it to join the NETWORK. It will not transmit EAPOL M3.

BTW:
This behavior is desired to retrieve an EAPOL M2 from a single CLIENT and is a major part of an AP-LESS attack.
You can control how many M2s hcxdumptool should accept with these options:
Code:
--stop_client_m2_attacks=<digit>   : stop attacks against CLIENTS after 10 M2 frames received
                                     affected: ap-less (EAPOL 2/4 - M2) attack
                                     require hcxpcapngtool --all option


or

--all_m2                           : accept all connection attempts from a CLIENT
                                     affected: CLIENTs
                                     warning: this can prevent a CLIENT from establishing a connection to an assigned ACCESS POINT


The last field of a 22000 hash line contains information about the kind of EAPOL MESSAGEPAIR that was converted by hcxpcapngtool. It is explained in the hcxpcapngtool help:
Code:
$ hcxpcapngtool --help
Bitmask of message pair field:
2,1,0:
000 = M1+M2, EAPOL from M2 (challenge)
001 = M1+M4, EAPOL from M4 usable if not zeroed (authorized)
010 = M2+M3, EAPOL from M2 (authorized)
011 = M2+M3, EAPOL from M3 (authorized) - unused
100 = M3+M4, EAPOL from M3 (authorized) - unused
101 = M3+M4, EAPOL from M4 usable if not zeroed (authorized)
3: reserved
4: ap-less attack (set to 1) - nonce-error-corrections not required
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory

Please notice that hcxdumptool/hcxtools are designed to be analysis tools. With default options they grab and convert everything they get, in order to filter/analyse later on, offline.

How to get exactly the kind of EAPOL MESSAGEPAIR that you want is explained here:
https://hashcat.net/forum/thread-10253-p...l#pid53580

"In this test I run hcxdumptool -c 52 -i wlan1 -o wpatest.pcapng --enable-status=15 --active_beacon"
Please notice:
Not every AP will send a PMKID.
You're trying to run an attack on 5GHz. Therefore you must allow the driver to transmit on this RF band. That is mandatory.
If your regulatory domain is unset, transmission on the 5GHz band is not allowed:
Code:
$ iw reg get
global
country 00: DFS-UNSET
    (2402 - 2472 @ 40), (N/A, 20), (N/A)
    (2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
    (2474 - 2494 @ 20), (N/A, 20), (N/A), NO-OFDM, PASSIVE-SCAN
    (5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
    (5250 - 5330 @ 80), (N/A, 20), (0 ms), DFS, AUTO-BW, PASSIVE-SCAN
    (5490 - 5730 @ 160), (N/A, 20), (0 ms), DFS, PASSIVE-SCAN
    (5735 - 5835 @ 80), (N/A, 20), (N/A), PASSIVE-SCAN
    (57240 - 63720 @ 2160), (N/A, 0), (N/A)

The regulatory domain (hcxdumptool respects it) and how to change it is explained here:
https://wiki.archlinux.org/title/Network...ory_domain

e.g.:
Code:
$ sudo iw reg set US
$ iw reg get
global
country US: DFS-FCC
    (2400 - 2472 @ 40), (N/A, 30), (N/A)
    (5150 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW
    (5250 - 5350 @ 80), (N/A, 23), (0 ms), DFS, AUTO-BW
    (5470 - 5730 @ 160), (N/A, 23), (0 ms), DFS
    (5730 - 5850 @ 80), (N/A, 30), (N/A), AUTO-BW
    (5850 - 5895 @ 40), (N/A, 27), (N/A), NO-OUTDOOR, AUTO-BW, PASSIVE-SCAN
    (57240 - 71000 @ 2160), (N/A, 40), (N/A)
From now on, active scanning is allowed.
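As an added example (not code from the post or from the hcxtools project), here is a small Python parser for the two `iw reg get` outputs quoted above. It answers the practical question before starting hcxdumptool: does the current regulatory domain let the driver initiate transmission on the channel you intend to use (channel 52 in the first post)? The channel-to-frequency mapping and the treatment of PASSIVE-SCAN (older iw wording) and NO-IR (newer iw wording) as "no initiating radiation" are my assumptions; the sample inputs are the two outputs shown in the post, embedded as strings.

```python
# Added example, not from the thread or hcxtools: decide from `iw reg get` text
# whether transmitting on a given channel is permitted by the regulatory domain.
import re

# The two outputs quoted in the post, embedded here as sample input.
REG_UNSET = """\
global
country 00: DFS-UNSET
    (2402 - 2472 @ 40), (N/A, 20), (N/A)
    (2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
    (2474 - 2494 @ 20), (N/A, 20), (N/A), NO-OFDM, PASSIVE-SCAN
    (5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
    (5250 - 5330 @ 80), (N/A, 20), (0 ms), DFS, AUTO-BW, PASSIVE-SCAN
    (5490 - 5730 @ 160), (N/A, 20), (0 ms), DFS, PASSIVE-SCAN
    (5735 - 5835 @ 80), (N/A, 20), (N/A), PASSIVE-SCAN
    (57240 - 63720 @ 2160), (N/A, 0), (N/A)
"""

REG_US = """\
global
country US: DFS-FCC
    (2400 - 2472 @ 40), (N/A, 30), (N/A)
    (5150 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW
    (5250 - 5350 @ 80), (N/A, 23), (0 ms), DFS, AUTO-BW
    (5470 - 5730 @ 160), (N/A, 23), (0 ms), DFS
    (5730 - 5850 @ 80), (N/A, 30), (N/A), AUTO-BW
    (5850 - 5895 @ 40), (N/A, 27), (N/A), NO-OUTDOOR, AUTO-BW, PASSIVE-SCAN
    (57240 - 71000 @ 2160), (N/A, 40), (N/A)
"""

# (start MHz - end MHz @ max bandwidth), (max antenna gain, max EIRP dBm), (CAC time), flags...
RULE = re.compile(r"\((\d+) - (\d+) @ \d+\), \(N/A, (\d+)\), \(([^)]*)\)(.*)")
# Assumption: these flags mean the driver may not initiate radiation on the range
# (older iw prints PASSIVE-SCAN where newer versions print NO-IR).
NO_TX_FLAGS = {"PASSIVE-SCAN", "NO-IR"}


def channel_to_mhz(channel: int) -> int:
    """Centre frequency of an 802.11 channel number (2.4 GHz and 5 GHz bands)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if 32 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"unsupported channel {channel}")


def parse_reg(text: str):
    """Return (country code, [(start, end, max_eirp_dbm, flags)]) from `iw reg get` output."""
    country, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("country "):
            country = line.split()[1].rstrip(":")
        m = RULE.match(line)
        if m:
            lo, hi, eirp, _cac, rest = m.groups()
            flags = {f.strip() for f in rest.split(",") if f.strip()}
            rules.append((int(lo), int(hi), int(eirp), flags))
    return country, rules


def tx_allowed(text: str, channel: int):
    """(allowed, reason) for initiating a 20 MHz transmission on `channel` under this regdomain."""
    freq = channel_to_mhz(channel)
    country, rules = parse_reg(text)
    for lo, hi, eirp, flags in rules:
        if lo <= freq - 10 and freq + 10 <= hi:        # the 20 MHz channel must fit the rule
            blocked = sorted(flags & NO_TX_FLAGS)
            if blocked:
                return False, f"country {country}: {freq} MHz is {'/'.join(blocked)}, no TX"
            dfs = " (DFS: radar detection required before TX)" if "DFS" in flags else ""
            return True, f"country {country}: {freq} MHz allowed, max EIRP {eirp} dBm{dfs}"
    return False, f"country {country}: {freq} MHz not covered by any rule"


if __name__ == "__main__":
    for reg in (REG_UNSET, REG_US):
        print(tx_allowed(reg, 52)[1])
```

With the world domain (country 00) channel 52 sits in a PASSIVE-SCAN range, so the attack in the first post could not transmit; after `iw reg set US` the same range is DFS only, so transmission is permitted once the driver's radar check has run.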
#3
(10-02-2021, 02:09 PM)ZerBea Wrote: An EAPOL key exchange consists of 4 parts.
......................

Thank you for the swift reply, very helpful information!
So I ran a few more tests just to see what the different bitmasks on the hashes would result in.

I got two that I don't understand fully (still on 5GHz though).

One ends with "*10" and one ends with "*c0". I can't find anything in the documentation about a 00001010 bitmask, and I'm not sure what to make of the c0 one.
#4
hcxdumptool and hcxpcapngtool are able to detect the endianness (BE/LE) of a router.
https://en.wikipedia.org/wiki/Endianness
This value is used to tell hashcat whether it should use NC LE (nonce-error-corrections) or NC BE, both (if endianness is not detected), or none. That will speed up hashcat.
NC is explained here:
https://hashcat.net/forum/thread-6361.html
That is a fantastic feature to compensate for packet loss (mostly if passive dumpers, e.g. Wireshark, are in use, or if stupid deauthentication tools destroyed the authentication sequence).
Code:
0x10 = 00010000
.....000 = M1+M2, EAPOL from M2 (challenge)
...1.... = hcxdumptool requested M2 from CLIENT (ap-less attack)
           nonce-error-corrections not required because packet loss is impossible

0xc0 = 11000000
.....000 = M1+M2, EAPOL from M2 (challenge)
.1...... = big endian (BE) router detected  
1....... = hashcat must use at least default NC value +-8 (in this case only NC BE)

00001010 is impossible, because bit 3 is reserved and not in use.
00010010 is impossible, because hcxdumptool is not able to calculate a valid M3. To do this, we must know the PSK!
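An added example, not code from hcxtools or from the posters: a Python decoder for the MESSAGEPAIR field of a hashcat 22000 line, using exactly the bit layout quoted from `hcxpcapngtool --help` in post #2 and the two values decoded in post #4. It also gives the answer the first post asked for: a line whose EAPOL came from an M1+M2 "challenge" pair, and in particular one with bit 4 (ap-less) set, carries the MIC of whatever PSK the CLIENT used, so the AP never confirmed it; an "authorized" pair or a PMKID (which the AP computes from its own PMK) does not have that problem. The sample lines are constructed; the MIC, nonce and EAPOL hex values are dummies and the ESSID "wpatest" is taken from the first post.

```python
# Added example (not hcxtools code): decode the last field of -m 22000 lines and
# classify whether the recovered PSK can be trusted to be the AP's PSK.

# Bits 2..0 of the message pair field, as listed in hcxpcapngtool --help.
PAIRS = {
    0b000: ("M1+M2", "M2", "challenge"),
    0b001: ("M1+M4", "M4", "authorized"),
    0b010: ("M2+M3", "M2", "authorized"),
    0b011: ("M2+M3", "M3", "authorized (unused)"),
    0b100: ("M3+M4", "M3", "authorized (unused)"),
    0b101: ("M3+M4", "M4", "authorized"),
}


def decode_messagepair(mp: int) -> dict:
    """Decode the MESSAGEPAIR byte; raise ValueError for combinations hcxpcapngtool never emits."""
    pair = mp & 0b111
    if pair not in PAIRS:
        raise ValueError(f"message pair bits {pair:03b} are not defined")
    if mp & 0x08:
        raise ValueError("bit 3 is reserved; not produced by hcxpcapngtool")
    messages, source, state = PAIRS[pair]
    apless = bool(mp & 0x10)
    if apless and pair != 0b000:
        raise ValueError("an ap-less attack can only yield M1+M2 (no valid M3 without the PSK)")
    le, be, no_rc = bool(mp & 0x20), bool(mp & 0x40), bool(mp & 0x80)
    if apless:
        nc = "none"            # the rogue AP generated M1 itself, so no packet loss is possible
    elif le != be:
        nc = "LE" if le else "BE"
    else:
        nc = "LE+BE"           # endianness not detected: hashcat must correct both ways
    return {"messages": messages, "eapol_from": source, "state": state, "apless": apless,
            "nc": nc, "replaycount_checked": not no_rc}


def is_valid_messagepair(mp: int) -> bool:
    try:
        decode_messagepair(mp)
        return True
    except ValueError:
        return False


def parse_22000(hashline: str) -> dict:
    """Split WPA*01*/WPA*02* lines and attach a verdict on whether the PSK was AP-confirmed."""
    f = hashline.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a hashcat 22000 line")
    info = {"type": "PMKID" if f[1] == "01" else "EAPOL", "mac_ap": f[3], "mac_sta": f[4],
            "essid": bytes.fromhex(f[5]).decode(errors="replace")}
    if f[1] == "01":
        # The PMKID is computed and sent by the AP from its own PMK, so a cracked PSK is the AP's.
        info.update(pmkid=f[2], verdict="trusted: PMKID comes from the AP")
        return info
    mp = decode_messagepair(int(f[8], 16))
    info.update(mic=f[2], messagepair=mp)
    if mp["state"].startswith("authorized"):
        info["verdict"] = "trusted: AP accepted the PSK (M3/M4 seen)"
    elif mp["apless"]:
        info["verdict"] = "unverified: M2 requested by a rogue AP, PSK is whatever the CLIENT typed or stored"
    else:
        info["verdict"] = "unverified: only M1+M2 seen, AP did not confirm the PSK"
    return info


# Constructed sample lines (dummy MIC/PMKID, nonce and EAPOL hex).
ESSID_HEX = "wpatest".encode().hex()
DUMMY_MIC = "00112233445566778899aabbccddeeff"
DUMMY_ANONCE = "ab" * 32
DUMMY_EAPOL = "0103005f02010a0010" + "00" * 7 + "01" + "cd" * 32 + "00" * 50


def make_line(mp=None) -> str:
    if mp is None:
        return f"WPA*01*{DUMMY_MIC}*001122334455*66778899aabb*{ESSID_HEX}***"
    return f"WPA*02*{DUMMY_MIC}*001122334455*66778899aabb*{ESSID_HEX}*{DUMMY_ANONCE}*{DUMMY_EAPOL}*{mp:02x}"


SAMPLE_LINES = [make_line(), make_line(0x10), make_line(0xc0), make_line(0x02)]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = parse_22000(line)
        print(r["type"], r.get("messagepair", {}).get("messages", ""), "->", r["verdict"])
```

Feed it the lines of a real `.22000` file (one per iteration) and keep only the "trusted" ones for the expensive run; the "unverified" ap-less lines are still worth cracking if the goal is to learn what a CLIENT has stored, which is the analysis use case post #2 describes.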
#5
Thank you once more!

When you say impossible though, do you mean impossible to crack or to get as a resulting hash?
Because the 0x10 one is the one where I entered the wrong password (and had hashcat crack it with said "wrong" password), and both bitmasks resulted in a hash. I'm guessing this is normal behavior because, as you said, they are designed to be analysis tools?

Again, thank you for your swift replies. I will continue reading the material you so generously provided.
#6
Impossible means that these bit combinations are not coded in hcxpcapngtool. If you see such a bit combination, something may have gone wrong.

0x10 came from an hcxdumptool AP-LESS attack, because hcxdumptool requested this M2 from a CLIENT.
This is normal behavior because, depending on the options, hcxdumptool responds to every authentication attempt of a CLIENT and requests as many M2s as possible (from which we can recover the PSK that was typed in, or the PSK that is stored in e.g. the wpa_supplicant.conf of the CLIENT).
To identify these M1M2ROGUE EAPOLMESSAGEPAIRS later on (offline), bit 4 is set (AP-LESS attack).

Please notice:
hcxdumptool and hcxtools are analysis tools, and M2s of CLIENTs are ideal for analysis purposes.
Conversely, this means that the user of these tools should know exactly how to handle their output.
This applies to the attack options of hcxdumptool, the conversion options of hcxpcapngtool and the filter options of hcxhashtool.
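To make the mechanism behind the 4-way handshake in post #2 and the ap-less M2 recovery in post #6 concrete, here is an added Python simulation (my code, not the posters' and not hcxdumptool's). It derives PMK and KCK the way 802.11i specifies, builds a minimal EAPOL-Key M2 with the MIC at the standard offset, and plays both sides: the CLIENT answers M1 with an M2 whose MIC is computed from the PSK it has, the AP only "sends M3" if that MIC verifies under its own PSK, and an offline cracker recovers whichever PSK the CLIENT used. The ESSID, MAC addresses and passphrases are constructed; the frame carries only the fields needed for the MIC, not a full RSN IE.

```python
# Added example, not from the thread or hcxtools: why a WPA*02* hash built from
# M1+M2 cracks to the PSK the CLIENT typed, while the AP refuses it with no M3.
import hashlib
import hmac
import os

ESSID = b"wpatest"                          # constructed (name taken from the first post)
AP_MAC = bytes.fromhex("001122334455")      # constructed
STA_MAC = bytes.fromhex("66778899aabb")     # constructed
MIC_OFFSET = 81                             # MIC field offset inside an EAPOL-Key frame


def pmk(passphrase: str, essid: bytes = ESSID) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def kck(pmk_: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """KCK = first 16 bytes of PTK = PRF-512(PMK, 'Pairwise key expansion', sorted MACs || sorted nonces)."""
    data = min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:16]


def eapol_m2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """Minimal EAPOL-Key M2: 802.1X v1, type 3 (Key), RSN descriptor (2),
    key info 0x010a = pairwise | MIC | HMAC-SHA1 (descriptor version 2), MIC zeroed, no key data."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + replay_counter.to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def with_mic(frame: bytes, mic: bytes) -> bytes:
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def mic_of(passphrase: str, anonce: bytes, snonce: bytes, frame: bytes) -> bytes:
    """MIC = HMAC-SHA1(KCK, EAPOL frame with the MIC field zeroed)[:16]."""
    zeroed = with_mic(frame, bytes(16))
    return hmac.new(kck(pmk(passphrase), anonce, snonce), zeroed, hashlib.sha1).digest()[:16]


def client_m2(passphrase: str, anonce: bytes, snonce: bytes) -> bytes:
    """CLIENT: answers M1 with M2; the MIC reflects whatever PSK it has (typed or stored)."""
    frame = eapol_m2(snonce)
    return with_mic(frame, mic_of(passphrase, anonce, snonce, frame))


def verify_m2(passphrase: str, anonce: bytes, snonce: bytes, frame: bytes) -> bool:
    """Recompute the MIC under a candidate PSK and compare with the MIC carried in the frame."""
    return hmac.compare_digest(mic_of(passphrase, anonce, snonce, frame),
                               frame[MIC_OFFSET:MIC_OFFSET + 16])


def ap_sends_m3(ap_passphrase: str, anonce: bytes, snonce: bytes, frame: bytes) -> bool:
    """AP: only a MIC that verifies under the AP's own PSK earns an M3."""
    return verify_m2(ap_passphrase, anonce, snonce, frame)


def crack(candidates, anonce: bytes, snonce: bytes, frame: bytes):
    """Offline: what hashcat does with a WPA*02* line from M1+M2; returns the PSK the CLIENT used."""
    return next((c for c in candidates if verify_m2(c, anonce, snonce, frame)), None)


def demo(client_psk: str = "wrongpassword", ap_psk: str = "correct-home-psk"):
    anonce = os.urandom(32)     # M1 from the AP; a rogue AP can send this without knowing any PSK
    snonce = os.urandom(32)
    frame = client_m2(client_psk, anonce, snonce)
    wordlist = ["password", client_psk, ap_psk]        # constructed candidate list
    return ap_sends_m3(ap_psk, anonce, snonce, frame), crack(wordlist, anonce, snonce, frame)


if __name__ == "__main__":
    got_m3, found = demo()
    print("AP sent M3:", got_m3)       # False: the mistyped PSK does not verify at the AP
    print("cracked PSK:", found)       # the mistyped one, exactly the situation in the first post
```

Run it and the outcome of the first post reproduces: the M2 is perfectly crackable, because the CLIENT computed a valid MIC from the PSK it had, but nothing in that frame ties the PSK to the AP; only an M3 (or a non-zero M4) proves the AP agreed, which is why the "authorized" message pairs and the PMKID are the ones to spend GPU time on when the target is the AP's PSK.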