md5 Candidates.#1
#1
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: 5ede461c1909387e23e19b2434bdb720
Time.Started.....: Fri Dec 24 22:16:09 2021 (0 secs)
Time.Estimated...: Fri Dec 24 22:16:09 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d?d?d?d?d?d?d?d [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1334.1 MH/s (0.16ms) @ Accel:1024 Loops:125 Thr:32 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 100000000/100000000 (100.00%)
Rejected.........: 0/100000000 (0.00%)
Restore.Point....: 100000/100000 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:875-1000 Iteration:0-125
Candidate.Engine.: Device Generator
Candidates.#1....: 46895749 -> 68874949 

WHY is my last candidate not 99999999? I know my password, but hashcat won't seem to find it because it starts with an 8 and hashcat's last candidate before it stops is 68874949. Maybe I'm misunderstanding this, I don't know. Someone please help. Any input or help would be greatly appreciated!
Reply
#2
Hashcat doesn't go from 11111111 - 99999999, it does the full keyspace but in an order from most to least likely, based on Markov Chains created off of a human generated password corpus. If your hash was actually 8 digits, it would have cracked it in that attack, but it appears your hash is not just the MD5 of 8 digits.
Reply
#3
(12-25-2021, 12:07 PM)Chick3nman Wrote: Hashcat doesn't go from 11111111 - 99999999, it does the full keyspace but in an order from most to least likely, based on Markov Chains created off of a human generated password corpus. If your hash was actually 8 digits, it would have cracked it in that attack, but it appears your hash is not just the MD5 of 8 digits.

It is just MD5 and it is just 8 digits; it's a default-set TP-Link router password and hash. I was able to crack it using crunch piped to the aircrack-ng suite, but it took my laptop 12 hrs, so I'm trying to see how long my far better desktop with its GPU would take. How do I set my flags in the CLI to "crunch", if you will, the numbers, or how do I set the GUI (what I've been using) to go from 11111111 - 99999999? If you search the hash you will see it's a regular MD5 hash, no salt. Not sure what I'm setting wrong here to not get it. It should be simple.
Reply
#4
you can use --stdout mode

hashcat --stdout -a 3 ?d?d?d?d?d?d?d?d > dict

this will generate a file exactly 1.000.000.000 bytes (1 GB) in size (10^8), so these are ALL possibilities (10 digits, length 8)
open this dict file and see that hashcat REALLY generates ALL candidates (unsorted, you can use sort in linux, but anyway)

next, where did you get this hash and why do you know that it should be straight md5?

a fast search was not able to find this hash (and plain 8 digits are really all known) but i found your second post
jfyi

md5 of 83484919 is -> 177653215c267b058e2966319ad87ae0
so your hash is not PLAIN MD5
Reply
#5
If I do a Google search for a hash identifier and copy-paste my hash in, it says MD5 90% of the time, and other times it says MD5 or MD4.

But thank you. P.S. I got this hash from Wireshark EAPOL.
Reply
#6
Your question is already answered here:
https://hashcat.net/forum/thread-10557-p...l#pid54451

MICs of 4way handshakes or PMKIDs are not(!) MD5 or MD4.
Don't (never, under no circumstances) trust a google search result!!!

It takes much more than a single PMKID or a MIC copied from a Wireshark field to recover the PSK. Depending on PMKID or 4way handshake, additional information like ESSID, MAC AP, MAC CLIENT, ANONCE, SNONCE and at least a complete M2 (or M3 or not zeroed M4) EAPOL MESSAGE are mandatory.

Here is an example EAPOL PMKID from the example hashes:
https://hashcat.net/wiki/doku.php?id=example_hashes
22000 WPA-PBKDF2-PMKID+EAPOL WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***

The PMKID is definitely not MD5 or MD4
Code:
PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256)
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

run it through an online analyzer, e.g.:
https://www.tunnelsup.com/hash-analyzer/
Hash: 4d4fe7aac3a2cecab195321ceb99a7d0
Salt: Not Found
Hash type: MD5 or MD4
Bit length: 128
Character length: 32
Character type: hexidecimal

and it failed epically!!!
Looks like this hash-analyzer only takes the length of the hash to identify the type.

While hashcat is able to recover the PSK:
Code:
$ hashcat -m 22000 "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***" -a 3 hashcat!
hashcat (v6.2.5-52-g806257f2e) starting

4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747f87f9f4:hashcat-essid:hashcat!
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: 4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747...-essid
Time.Started.....: Thu Jan  6 07:32:28 2022 (0 secs)
Time.Estimated...: Thu Jan  6 07:32:28 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       35 H/s (0.74ms) @ Accel:64 Loops:256 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 32c Util:  7% Core:1770MHz Mem:3500MHz Bus:8

Started: Thu Jan  6 07:32:26 2022
Stopped: Thu Jan  6 07:32:30 2022

The same applies to a MIC of a 4way handshake as described here:
https://hashcat.net/forum/thread-10496-p...l#pid54230

The MIC is definitely not MD5 or MD4
Code:
PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256)
PTK = PRF(PMK + ANONCE + SNONCE + MAC AP + MAC CLIENT)

run it through the same online analyzer:
https://www.tunnelsup.com/hash-analyzer/
Hash: 6ec572e97e2ede5a6099bf964fa880fd
Salt: Not Found
Hash type: MD5 or MD4
Bit length: 128
Character length: 32
Character type: hexidecimal

and as expected, it failed again (epically).
Reply
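The PMKID formula from the post above, checked against the example line and PSK it quotes, shows why a 32-hex-character value copied from a capture is not a plain MD5 and cannot be verified without the ESSID and both MAC addresses. This is an added example, not code from the thread or from hashcat; the function names and the `other-essid` value are constructed for illustration.

```python
import hashlib
import hmac

# Line and PSK exactly as quoted in the post above (hashcat's mode 22000 example hash).
EXAMPLE_LINE = ("WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*"
                "f4747f87f9f4*686173686361742d6573736964***")
EXAMPLE_PSK = "hashcat!"


def parse_pmkid_line(line):
    """Split a WPA*01* (PMKID) line into raw byte fields."""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("expected a WPA*01*PMKID*MAC_AP*MAC_STA*ESSID line")
    names = ("pmkid", "mac_ap", "mac_sta", "essid")
    return {n: bytes.fromhex(v) for n, v in zip(names, fields[2:6])}


def derive_pmkid(psk, essid, mac_ap, mac_sta):
    """PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256); PMKID = HMAC-SHA1-128(...)."""
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)
    mac = hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1)
    return mac.digest()[:16]  # keep the first 128 bits


def psk_matches(line, psk, essid=None):
    """True if psk (and optionally an overriding ESSID) reproduces the PMKID."""
    f = parse_pmkid_line(line)
    used_essid = f["essid"] if essid is None else essid
    derived = derive_pmkid(psk, used_essid, f["mac_ap"], f["mac_sta"])
    return hmac.compare_digest(derived, f["pmkid"])


def plain_md5_matches(line, psk):
    """What a length-based identifier implies: PMKID == MD5(PSK). It is not."""
    return hashlib.md5(psk.encode()).digest() == parse_pmkid_line(line)["pmkid"]


if __name__ == "__main__":
    print("ESSID:", parse_pmkid_line(EXAMPLE_LINE)["essid"].decode())
    print("PBKDF2/HMAC-SHA1 derivation matches:", psk_matches(EXAMPLE_LINE, EXAMPLE_PSK))
    # "other-essid" is a constructed value: same PSK, different network name.
    print("same PSK, other ESSID matches:",
          psk_matches(EXAMPLE_LINE, EXAMPLE_PSK, essid=b"other-essid"))
    print("plain MD5 of PSK matches:", plain_md5_matches(EXAMPLE_LINE, EXAMPLE_PSK))
```

Because the ESSID is the PBKDF2 salt, the same PSK on a differently named network yields a different PMKID, which is why the 32 hex characters on their own carry too little information to check a candidate.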