Mask only working partially
#1
Heya all,

I have this hash

Code:
WPA*01*44da7fcbc0465ea5a5938f5d9c695253*9aded09afa5f*b4e1eb20d94c*544553545f4150***

For which the password is asdfPWD1

When I run the following hashcat, it finds it OK:
Code:
hashcat -m 22000 pmkid-only -a 3 "asdfPWD1"

However, if I replace the last three capital letters with a ?u?u?u mask, it fails to find it:

Code:
hashcat -m 22000 pmkid-only -a 3 "asdf?u?u?u1"

...

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: pmkid-only
Time.Started.....: Thu Jan 13 15:27:17 2022 (5 secs)
Time.Estimated...: Thu Jan 13 15:27:22 2022 (0 secs)
Guess.Mask.......: asdf?u?u?u1 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:    3399 H/s (2.01ms) @ Accel:2 Loops:2 Thr:512 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 17576/17576 (100.00%)
Rejected.........: 0/17576 (0.00%)
Restore.Point....: 17576/17576 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#2....: asdfANA1 -> asdfXQJ1

Changing the mask to asdfP?u?u1 works just fine, as well as asd?l?u?uD1. Is there something wrong with my syntax or is it a bug?
Reply
#2
just given your information i cannot see any failure

upperchars are 26 possibilities and you provided 3 positions so 26^3 is 17576

i used
hashcat --sdtout -a 3 asdf?u?u?u1 > test.dict
and searched for your PW and it was inside this generated dict

which version of hashcat do you use?

could you try this command? (without quotationmarks and in the right order) i know hashcat is quite generous but you should follow this input style
hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]

hashcat -m 22000 -a 3 pmkid-only asdf?u?u?u1

and see if this works, before take a look in your potfile and see if there are any recovered hashes, or did you deleted it before your other tests?
Reply
#3
(01-13-2022, 11:37 AM)Snoopy Wrote: hashcat --sdtout -a 3 asdf?u?u?u1 > test.dict

and searched for your PW and it was inside this generated dict

Thanks for the command example. I am sure it generates the right password, just for some reason it fails to register that it actually matches the hash.

(01-13-2022, 11:37 AM)Snoopy Wrote: which version of hashcat do you use?
6.1.1


(01-13-2022, 11:37 AM)Snoopy Wrote: could you try this command? (without quotationmarks and in the right order) i know hashcat is quite generous but you should follow this input style

hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]



hashcat -m 22000 -a 3 pmkid-only asdf?u?u?u1
It didn't, although I had to escape the ? to make it work in zsh. But it definitely produces the expected password when ran with --stdout param. Not sure what's going on here.

I assume you were able to run hashcat on a file with the hash that I posted and it produced the password?
Reply
#4
Working OK for me on 6.2.5 (Linux)

44da7fcbc0465ea5a5938f5d9c695253:9aded09afa5f:b4e1eb20d94c:TEST_AP:asdfPWD1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: pmkid-only
Time.Started.....: Fri Jan 14 00:09:10 2022 (0 secs)
Time.Estimated...: Fri Jan 14 00:09:10 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: asdf?u?u?u1 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  575.4 kH/s (0.56ms) @ Accel:16 Loops:128 Thr:256 Vec:1
Speed.#2.........:  181.9 kH/s (0.67ms) @ Accel:16 Loops:128 Thr:256 Vec:1
Speed.#*.........:  757.3 kH/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 17576/17576 (100.00%)
Rejected.........: 0/17576 (0.00%)
Restore.Point....: 0/17576 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: asdfANA1 -> asdfESR1
Candidates.#2....: asdfSOA1 -> asdfXQJ1
Hardware.Mon.#1..: Temp: 40c Fan: 60% Util:  3% Core:1995MHz Mem:7500MHz Bus:16
Hardware.Mon.#2..: Temp: 36c Fan: 20% Util: 41% Core:1905MHz Mem:6800MHz Bus:16

Started: Fri Jan 14 00:07:54 2022
Stopped: Fri Jan 14 00:09:12 2022


(01-14-2022, 12:38 AM)bobcat Wrote:
(01-13-2022, 11:37 AM)Snoopy Wrote: hashcat --sdtout -a 3 asdf?u?u?u1 > test.dict

and searched for your PW and it was inside this generated dict

Thanks for the command example. I am sure it generates the right password, just for some reason it fails to register that it actually matches the hash.

(01-13-2022, 11:37 AM)Snoopy Wrote: which version of hashcat do you use?
6.1.1


(01-13-2022, 11:37 AM)Snoopy Wrote: could you try this command? (without quotationmarks and in the right order) i know hashcat is quite generous but you should follow this input style

hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]



hashcat -m 22000 -a 3 pmkid-only asdf?u?u?u1
It didn't, although I had to escape the ? to make it work in zsh. But it definitely produces the expected password when ran with --stdout param. Not sure what's going on here.

I assume you were able to run hashcat on a file with the hash that I posted and it produced the password?
Reply
#5
Updated to v6.2.5 and it works!

Thanks everyone!
Reply