Getting previous router password when cracking
#1
I've been trying to crack my home WiFi passwords for my final year project at university. When hashcat has finished cracking the password, the password that is revealed is not the current password for the router I am trying to crack, but instead a previous one. Any help?
Reply
#2
Maybe you used the same capture file or hash?
Reply
#3
(03-16-2022, 02:31 PM)Snoopy Wrote: Maybe you used the same capture file or hash?

I deleted all of the files that had been made in my previous attempts and still got the same result.
Reply
#4
How did you capture the WLAN password?

Did you use the new hcxtools?

Did you change both WiFi passwords? Most WiFi routers have the ability to use different BSSIDs and passes for 2.4 GHz and 5 GHz.
Reply
#5
(03-16-2022, 02:44 PM)Snoopy Wrote: How did you capture the WLAN password?

Did you use the new hcxtools?

Did you change both WiFi passwords? Most WiFi routers have the ability to use different BSSIDs and passes for 2.4 GHz and 5 GHz.

I captured the WLAN password with hcxdumptool. I'm using an older router that only supports 2.4 GHz, so I only have one password to change.
Reply
#6
Did you also delete the hashcat potfile? I'm not quite sure how hashcat stores already cracked WiFi networks; maybe it just stores the BSSID or MAC along with the pass and therefore shows your "old" password.
Reply
#7
(03-16-2022, 03:56 PM)Snoopy Wrote: Did you also delete the hashcat potfile? I'm not quite sure how hashcat stores already cracked WiFi networks; maybe it just stores the BSSID or MAC along with the pass and therefore shows your "old" password.

Yes I have tried deleting the hashcat potfile but I'm still getting the old password.
Reply
#8
The nature of hcxdumptool is to retrieve all(!) passwords stored in the wpa-supplicant conf of a CLIENT. That includes old passwords, the actual password and passwords of other NETWORKs the CLIENT was connected to.
To identify the actual password I recommend using hcxhashtool (--info=stdout) or taking a look at the message pair field at the end of the hash line, as described here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Code:
bitmask of message pair field:
2,1,0:
000 = M1+M2, EAPOL from M2 (challenge)
001 = M1+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
010 = M2+M3, EAPOL from M2 (authorized)
011 = M2+M3, EAPOL from M3 (authorized) - unused
100 = M3+M4, EAPOL from M3 (authorized) - unused
101 = M3+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
3: reserved
4: ap-less attack (set to 1) - nonce-error-corrections not required
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory

challenge = valid handshake that does not necessarily have to be part of the target ACCESS POINT
authorized = valid handshake that allows access to the target ACCESS POINT

BTW:
The goal of hcxdumptool/hcxtools is hunting for weak CLIENTs. If one of your CLIENTs responds to an old password, this CLIENT is weak!
Check wpa-supplicant config of that CLIENT and remove this entry.
Reply
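The message pair bitmask above is the field a defender needs to read to tell an "authorized" handshake (a password that actually grants access to the target ACCESS POINT) from a "challenge" handshake (a CLIENT answering with some stored credential, possibly an old one). The following is an added example, not code from the thread or from the hashcat/hcxtools projects: a small Python parser for hashcat 22000 hash lines that decodes the last field according to the bit layout quoted from the wiki and reports, per ESSID, whether any authorized handshake exists. The hash lines inside it are constructed sample data (placeholder MACs, MIC, nonce and EAPOL bytes), not real captures.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Bits 2..0 of the message pair field, as listed on the hashcat wiki.
PAIR_TYPES = {
    0b000: ("M1+M2", "challenge"),
    0b001: ("M1+M4", "authorized"),   # usable only if NONCE_CLIENT is not zeroed
    0b010: ("M2+M3", "authorized"),
    0b011: ("M2+M3", "authorized"),   # EAPOL from M3, marked unused on the wiki
    0b100: ("M3+M4", "authorized"),   # EAPOL from M3, marked unused on the wiki
    0b101: ("M3+M4", "authorized"),   # usable only if NONCE_CLIENT is not zeroed
}

@dataclass
class HashInfo:
    kind: str                 # "PMKID" (type 01) or "EAPOL" (type 02)
    mac_ap: str
    mac_client: str
    essid: str
    pair: Optional[str]       # e.g. "M1+M2"; None for PMKID lines
    status: str               # "challenge", "authorized" or "pmkid"
    ap_less: bool             # bit 4
    le_router: bool           # bit 5
    be_router: bool           # bit 6
    replaycount_unchecked: bool  # bit 7

def parse_22000_line(line: str) -> HashInfo:
    """Decode one 22000 line: WPA*TYPE*MIC|PMKID*MAC_AP*MAC_CLIENT*ESSID*NONCE*EAPOL*MESSAGEPAIR."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not a hashcat 22000 hash line")
    _, htype, _, mac_ap, mac_client, essid_hex, _, _, mp_hex = fields
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    if htype == "01":
        # PMKID lines carry no EAPOL message pair at all.
        return HashInfo("PMKID", mac_ap, mac_client, essid, None, "pmkid",
                        False, False, False, False)
    if htype != "02":
        raise ValueError("unknown 22000 hash type %r" % htype)
    mp = int(mp_hex, 16)
    pair, status = PAIR_TYPES.get(mp & 0b111, ("unknown", "unknown"))
    return HashInfo("EAPOL", mac_ap, mac_client, essid, pair, status,
                    bool(mp & 0x10), bool(mp & 0x20), bool(mp & 0x40), bool(mp & 0x80))

def authorized_essids(lines: List[str]) -> Set[str]:
    """ESSIDs for which at least one handshake grants access to the real AP."""
    return {h.essid for h in map(parse_22000_line, lines) if h.status == "authorized"}

def challenge_only_essids(lines: List[str]) -> Set[str]:
    """ESSIDs seen only as M1+M2 challenges: a cracked password here may be a
    CLIENT's stored (possibly old) credential rather than the AP's current one."""
    by_essid: Dict[str, Set[str]] = {}
    for h in map(parse_22000_line, lines):
        by_essid.setdefault(h.essid, set()).add(h.status)
    return {e for e, s in by_essid.items() if s == {"challenge"}}

# Constructed sample lines (placeholder values, not real captures).
_MIC, _NONCE, _EAPOL = "deadbeef" * 4, "11" * 32, "0103005f02"
_HOME = "4d79486f6d6557694669"        # hex("MyHomeWiFi")
_OLD = "4f6c644f66666963654e6574"     # hex("OldOfficeNet")
AUTHORIZED_LINE = f"WPA*02*{_MIC}*aabbccddeeff*112233445566*{_HOME}*{_NONCE}*{_EAPOL}*02"
CHALLENGE_LINE = f"WPA*02*{_MIC}*aabbccddeeff*112233445566*{_HOME}*{_NONCE}*{_EAPOL}*00"
APLESS_LINE = f"WPA*02*{_MIC}*000000000000*112233445566*{_OLD}*{_NONCE}*{_EAPOL}*10"
M1M4_UNCHECKED_LINE = f"WPA*02*{_MIC}*aabbccddeeff*112233445566*{_HOME}*{_NONCE}*{_EAPOL}*81"
PMKID_LINE = f"WPA*01*{_MIC}*aabbccddeeff*112233445566*{_HOME}***"
SAMPLE_LINES = [AUTHORIZED_LINE, CHALLENGE_LINE, APLESS_LINE, M1M4_UNCHECKED_LINE, PMKID_LINE]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        h = parse_22000_line(ln)
        print(f"{h.essid:14} {h.kind:5} {h.pair or '-':6} {h.status:10} ap-less={h.ap_less}")
    print("authorized:", authorized_essids(SAMPLE_LINES))
    print("challenge only:", challenge_only_essids(SAMPLE_LINES))
```

Run against a real `.22000` file, an ESSID that shows up only in the "challenge only" set is exactly the situation in this thread: the cracked password came from a CLIENT answering the attacker's M1, so it should be removed from that client's saved networks rather than taken as the router's current password.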
#9
Thank you my friend, your solution worked!
Reply
#10
No problem, you're welcome.

BTW:
To test this weak point you can do these steps:
Take a look at your stored WiFi NETWORKs of your smart phone.
Add them to an essid.list.
Look for a free WiFi channel (for the example we assume channel 9 is free).
Run hcxdumptool with option essidlist and active_beacon:
Code:
$ sudo hcxdumptool -i YOUR_INTERFACE -c 9 --enable_status=31 -o dump.pcapng --essidlist=essid.list --active_beacon --stop_client_m2_attacks=1000
Disable WiFi and enable WiFi on your smart phone.
Wait a while (as long as the CLIENT responds, > 10 min).
You should retrieve valid handshakes (M1M2 challenge) for every stored NETWORK of your smart phone's NETWORK list. In that case, the smart phone is vulnerable to this attack vector.
Reply