Posts: 47
Threads: 27
Joined: Apr 2019
10-21-2021, 07:40 PM
(This post was last modified: 10-21-2021, 07:47 PM by Pilsener.)
I am a little confused here.
I run:
airodump-ng -c 3 -w capturefilename --bssid 00:00:00:00:00:00 wlan0mon
This sometimes result in an output in the terminal saying "PMKID Captured", but it is still stored as a .cap file.
What do I have to do to use the PMKID in this .cap file in some kind of attack in Hashcat?
Posts: 1,044
Threads: 2
Joined: Jun 2017
10-21-2021, 10:09 PM
(This post was last modified: 10-22-2021, 07:29 AM by ZerBea.)
How to is here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
The hash format (22000 - WPA-PBKDF2-PMKID+EAPOL) is explained here:
https://hashcat.net/forum/thread-10253.html
The PMKID attack is explained here:
https://hashcat.net/forum/thread-7717.html
This command is aircrack-ng specific:
Code: I run:
airodump-ng -c 3 -w capturefilename --bssid 00:00:00:00:00:00 wlan0mon
This sometimes result in an output in the terminal saying "PMKID Captured", but it is still stored as a .cap file.
How to use aircrack-ng suite options to handle PMKIDs, you should ask here:
https://forum.aircrack-ng.org
Posts: 46
Threads: 1
Joined: Apr 2018
10-22-2021, 09:53 AM
(This post was last modified: 10-22-2021, 10:00 AM by CUwindows00.)
Test 22000 OK
Test 22001 NO
22001 mode does not seem to work properly
Know the password, I will write the correct password into dic
The password was not found after executing the command!
Test v 6.2.3
Code: D:\hashcat-6.2.3>hashcat -m 22001 -a 0 WPA.hc22000 dic.txt
hashcat (v6.2.3) starting
CUDA API (CUDA 11.4)
====================
* Device #1: NVIDIA GeForce RTX 2070, 6744/8192 MB, 36MCU
* Device #2: NVIDIA GeForce RTX 2070, 6744/8192 MB, 36MCU
OpenCL API (OpenCL 3.0 CUDA 11.4.125) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #3: NVIDIA GeForce RTX 2070, skipped
* Device #4: NVIDIA GeForce RTX 2070, skipped
Minimum password length supported by kernel: 64
Maximum password length supported by kernel: 64
Hashes: 2 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Salt
* Slow-Hash-SIMD-LOOP
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1264 MB
Dictionary cache hit:
* Filename..: dic.txt
* Passwords.: 99
* Bytes.....: 1086
* Keyspace..: 99
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-PMK-PMKID+EAPOL
Hash.Target......: WPA.hc22000
Time.Started.....: Fri Oct 22 15:50:30 2021 (0 secs)
Time.Estimated...: Fri Oct 22 15:50:30 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (dic.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 0 H/s (0.00ms) @ Accel:64 Loops:256 Thr:1024 Vec:1
Speed.#2.........: 0 H/s (0.00ms) @ Accel:64 Loops:256 Thr:1024 Vec:1
Speed.#*.........: 0 H/s
Recovered........: 0/2 (0.00%) Digests
Progress.........: 99/99 (100.00%)
Rejected.........: 99/99 (100.00%)
Restore.Point....: 0/99 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-256
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-256
Candidate.Engine.: Device Generator
Candidates.#1....: [Copying]
Candidates.#2....: [Copying]
Hardware.Mon.#1..: Temp: 43c Fan: 0% Util: 20% Core:1949MHz Mem:6794MHz Bus:1
Hardware.Mon.#2..: Temp: 38c Fan: 0% Util: 6% Core:1736MHz Mem:6794MHz Bus:1
Started: Fri Oct 22 15:50:27 2021
Stopped: Fri Oct 22 15:50:32 2021
D:\hashcat-6.2.3>pause
Test v6.2.4 returned an error
Code: cuMemAlloc(): out of memory
Posts: 1,044
Threads: 2
Joined: Jun 2017
10-22-2021, 10:30 AM
(This post was last modified: 10-22-2021, 11:15 AM by ZerBea.)
Hash mode 22000 take a PSK as input, while hash mode 22001 take a PMK as input.
Running hash mode 22001, all your PSKs, stored in your dictionary are rejected and hashcat (both versions) told you that:
Code: Rejected.........: 99/99 (100.00%)
Try the 22001 example hash from here:
https://hashcat.net/wiki/doku.php?id=example_hashes
Code: echo "WPA*01*5ce7ebe97a1bbfeb2822ae627b726d5b*27462da350ac*accd10fb464e*686173686361742d6573736964***" > test.hc22000
get the PMK as mentioned in footnote 18:
Code: echo "88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc" > pmk.dict
run hashcat
Code: $ hashcat -m 22001 test.hc22000 pmk.dict
Try it, running latest git head of hashcat:
https://github.com/hashcat/hashcat
If you still get an error, I recommend to open an issue report here:
https://github.com/hashcat/hashcat/issues
Please notice that hash mode 22001 is designed for analysis purpose only, to verify an existing PMK (already calculated by PBKDF2 function):
Code: $ wlangenpmk -p "hashcat!" -e "hashcat-essid"
essid (networkname)....: hashcat-essid
password...............: hashcat!
plainmasterkey (SHA1)..: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
To calculate a PMK by PBKDF2 function it is mandatory to know PSK and ESSID.
From hashcat --help:
Code: 22000 | WPA-PBKDF2-PMKID+EAPOL | Network Protocol
22001 | WPA-PMK-PMKID+EAPOL | Network Protocol
Posts: 46
Threads: 1
Joined: Apr 2018
Your WPA*01***** has also tried, but still returns an error as above
It should be a bug
you look carefully at the execution of the command, it returns a message that the minimum length of the password is 64, which should be a BUG
Code: Minimum password length supported by kernel: 64
Maximum password length supported by kernel: 64
Posts: 1,044
Threads: 2
Joined: Jun 2017
10-22-2021, 01:06 PM
(This post was last modified: 10-22-2021, 01:31 PM by ZerBea.)
The length of a PSK is always 8 -> 63 (hash mode 22000) and hashcat will tell you that:
Code: Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63
The length of a PMK is always 64 (hash mode 22001) and hashcat will tell you that:
Code: Minimum password length supported by kernel: 64
Maximum password length supported by kernel: 64
The PMK is calculated via PBKDF2 function from ESSID and PSK:
PMK = PBKDF2(PSK, ESSID, 4096)
as described here:
https://en.wikipedia.org/wiki/Pbkdf2
Running hash mode 22001 the dictionary should contain only PMKs of length 64 (HEX).
The example is working as expected:
Code: $ echo "WPA*01*5ce7ebe97a1bbfeb2822ae627b726d5b*27462da350ac*accd10fb464e*686173686361742d6573736964***" > test.hc22000
$ echo "88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc" > pmk.dict
$ hashcat -m 22001 test.hc22000 pmk.dict
hashcat (v6.2.4-95-g707bff5c2) starting
CUDA API (CUDA 11.4)
====================
* Device #1: NVIDIA GeForce GTX 1650, 3857/3911 MB, 16MCU
OpenCL API (OpenCL 3.0 CUDA 11.4.136) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce GTX 1650, skipped
Minimum password length supported by kernel: 64
Maximum password length supported by kernel: 64
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1198 MB
Dictionary cache built:
* Filename..: pmk.dict
* Passwords.: 1
* Bytes.....: 65
* Keyspace..: 1
* Runtime...: 0 secs
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
5ce7ebe97a1bbfeb2822ae627b726d5b:27462da350ac:accd10fb464e:hashcat-essid:88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22001 (WPA-PMK-PMKID+EAPOL)
Hash.Target......: test.hc22000
Time.Started.....: Fri Oct 22 13:03:32 2021 (0 secs)
Time.Estimated...: Fri Oct 22 13:03:32 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (pmk.dict)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 5508 H/s (0.00ms) @ Accel:1024 Loops:1024 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc -> 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
Hardware.Mon.#1..: Temp: 47c Util: 32% Core:1965MHz Mem:4001MHz Bus:8
Started: Fri Oct 22 13:03:31 2021
Stopped: Fri Oct 22 13:03:33 2021
Posts: 46
Threads: 1
Joined: Apr 2018
10-22-2021, 01:53 PM
(This post was last modified: 10-22-2021, 02:13 PM by CUwindows00.)
@ZerBea
Thanks.
Posts: 1,044
Threads: 2
Joined: Jun 2017
start task:
Code: $ hashcat -m 22001 test.hc22000 pmk.dict
request checkpoint:
Code: [s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => c
Checkpoint enabled. Will quit at next restore-point update.
resume task:
Code: $ hashcat --session=hashcat --restore
Hash mode 22001 is a very special hash mode that should be used by analysts to verify a large number of given PMKs.
It is not possible to recover an unknown PSK running hash mode 22001.
Posts: 46
Threads: 1
Joined: Apr 2018
10-22-2021, 02:30 PM
(This post was last modified: 10-22-2021, 02:58 PM by CUwindows00.)
@ZerBea Thanks
Posts: 1,044
Threads: 2
Joined: Jun 2017
10-22-2021, 03:11 PM
(This post was last modified: 10-22-2021, 03:36 PM by ZerBea.)
BTW:
22000 recover a PSK from a PMKID or EAPOL MESSAGE PAIR
22001 verify a PMK
If you're interested in working with PMKs, please take a look at hash mode 12000, too.
This mode will recover a PSK from a PMK and an ESSID.
From hashcat --help
Code: 12000 | PBKDF2-HMAC-SHA1 | Generic KDF
Let's use the example from above and prepare a 12000 hash line from ESSID and PMK hascat can work on:
Code: $ hcxpmktool -m 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc -e hashcat-essid
ESSID............: hashcat-essid
PMK..............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PBKDF2-HMAC-SHA1.: sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw=
and recover the PSK:
Code: $ hashcat -m 12000 sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw= -a 3 'hashcat!'
hashcat (v6.2.4-95-g707bff5c2) starting
CUDA API (CUDA 11.4)
====================
* Device #1: NVIDIA GeForce GTX 1650, 3857/3911 MB, 16MCU
OpenCL API (OpenCL 3.0 CUDA 11.4.136) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce GTX 1650, skipped
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 908 MB
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw=:hashcat!
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 12000 (PBKDF2-HMAC-SHA1)
Hash.Target......: sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnn...OVNdw=
Time.Started.....: Fri Oct 22 15:29:06 2021 (0 secs)
Time.Estimated...: Fri Oct 22 15:29:06 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 43 H/s (0.17ms) @ Accel:256 Loops:128 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3968-4095
Candidate.Engine.: Device Generator
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 54c Util: 7% Core:1815MHz Mem:4001MHz Bus:8
Started: Fri Oct 22 15:29:04 2021
Stopped: Fri Oct 22 15:29:06 2021
|