Newbie - my try didn´t work for WPA
#1
hy there - i´m newbie.


tried to hashcat a handshake with following comand line:


tried to bruteforce a 10 digit pw (alphanumeric) with the following comand:

hashcat.exe -m 22000 -a 3 ?u?d tiscali.hccapx ?1?1?1?1?1?1?1?1?1?1

(WPA is chaged from 2500 to 22000 - thay told me) but getting following error: Hash ´?u?d´: Separator unmatched >>> No hashes loaded was seaching the internet for a solution and also trying multile changes of comand line - dind´t find any progress

if i type it like:

hashcat.exe -m 22000 -a 3 -1?u?d tiscali.hccapx ?1?1?1?1?1?1?1?1?1?1 or
hashcat.exe -m 22000 -a 3 -1 ?u?d tiscali.hccapx ?1?1?1?1?1?1?1?1?1?1


it says: hashfile ... on line Separator unmatched


.png   unknown.png (Size: 175.1 KB / Downloads: 2)
Reply
#2
Format of hash file has changed from binary (2500) to ASCII (hc2200). Additional hash modes 16800 and 2500 are combined now.
A binary hccapx hash file is not accepted using hash mode 22000 which result in the warning "separator unmatched".

Please read this:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
and this:
https://hashcat.net/forum/thread-7717.html
and, if you are interested in more, this:
https://hashcat.net/forum/thread-10529-p...l#pid54304

An online converter (pcapng, pcap, cap to hc22000) is here:
https://hashcat.net/cap2hashcat
The converter will give you additional information about the dump file.
Reply
#3
Thanks a lot for your directly reply.

That means I have to convert my handshake capture new, havent I?
But I didn’t find a command line to convert a .cap file to a .hc22000 file.
I tried with my Little knowledge like this in my The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):
Hcxpcapngtool -o hash.hc22000 -E tiscali.txt handshake.cap

Getting some errors:
Failed to read PCAP packet heater full packet 1132

In the summary of catcher file down they say: packet reader error 1

And down they say warning missing frames
This damn fire contains no undirected proberrequest frames
Another directed proberequest may contain information about the PSK
Makes it hard to recover the PSK.

So I need instruction to do it’s right to convert the .CAP file to a .HC2200 file
Reply
#4
I tried in The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) do use hash cat like I did it before and they’re my first line is working.
My version of Hashcat here in is 6.1.1 and is able to work with the .hccapx file.
But here, the graphic card is too slow at not recognized so Henschke is working with the processor i7 And therefor for to slow to do a brute force of 10 digits. The Linux System is running here on a virtual machine
Reply
#5
There is no need to run hashcat on a VM. Your Windows version is doing this fine.

"So I need instruction to do it’s right to convert the .CAP file to a .HC2200 file".
This will do it:
Code:
$ hcxpcapngtool -o hash.hc22000 handshake.cap
You don't need the -E option on your cap file. It is useless because your very limited cap file doesn't contain this kind of frames.

If you got something like this:
Code:
EAPOL pairs written to combi hash file...: 17 (RC checked)
PMKID written to combi hash file.........: 9
hashcat can work on the converted hash file.


About the warnings after conversion:
The quality of the dump file depend on the tools you have used to attack the target and to capture the traffic.
hcxpcapngtool perform an analysis of the dump file to be converted and tell you what is missing inside the file.
If you received an ERROR or a WARNING from hcxpcapngtool, your tool to attack the target and to dump the traffic to a file or your entire attack procedure may have failed!
It is not a good idea to ignore or to filter out received packets within the reception branch. Missing frames cannot be restored. They are gone for ever. It looks like your tool (some useful frames are not stored to the dump file) or your attack procedure (wrong filter options) do not take care about this.
Unfortunately you haven't mentioned what tools you use for this purpose (attack and dump).
Please notice that a successful recovery of the PSK always starts with a successful attack of the target.

This ERROR:
Code:
failed to read pcap packet header for packet 1132
means that your dump tool terminated (hard) without closing the dump file in a correct way.
Not a good style, but if it is the last packet, you can ignore it.

The missing frame warning means that your dump tool doesn't store some useful frames (which can help to recover the PSK) to the dump file. That can be a failure of the dump tool or caused by too restricted filter options.

To get rid of all this Warnings, I recommend to think about your entire attack procedure.
A good idea is to use hcxdumptool that combine several attack modes:
Code:
$ hcxdumptool -i YOUR_INTERFACE -o dumpfile.pcapng --active_beacon --enable_status=95
as described here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

Than convert to hc22000 file by hcxpcapngtool.
Filter your target by hcxhashtool.
Run hashcat on it.


BTW:
hcxdumptool and hcxtools are designed to work prefect in combination with hashcat.
This thread (read it backwards to get the latest information) will give you an overview how they are working:
https://hashcat.net/forum/thread-6661-page-72.html
Reply