New 22000 mode is USELESS GARBAGE
#1
This shit is not working at all.

I do step-by-step from the instruction, this one https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

Then I put my Wi-Fi password into the word list, and it always says exhausted, password never found.

I'm getting ******* frustrated here, was this 22000 mode some NSA invention to make sure that they are the only ones to hack me? 

I never had any issues with the previous mode with the binary handshakes, so what is the point of this crap? It is not even faster, and it is not reliable at all, 0% success rate so far; the previous one required handshakes, but it was 100% reliable when the password was in a word list.
Reply
#2
Code:
pdo@raptor:~$ wc -l ~/.hashcat/WPA-22000.potfile

3804 /home/pdo/.hashcat/WPA-22000.potfile

Works for me?

(05-28-2022, 07:36 PM)lispustynny Wrote: This shit is not working at all.

I do step-by-step from the instruction, this one https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

Then I put my Wi-Fi password into the word list, and it always says exhausted, password never found.

I'm getting ******* frustrated here, was this 22000 mode some NSA invention to make sure that they are the only ones to hack me? 

I never had any issues with the previous mode with the binary handshakes, so what is the point of this crap? It is not even faster, and it is not reliable at all, 0% success rate so far; the previous one required handshakes, but it was 100% reliable when the password was in a word list.
Reply
#3
WPA*02*066aed0940ca557fcc9d9f08ed8f09e2*cc32e562b757*88b4a6c73425*2f2722272727*d538c895e22e902ccbcda6f43c060531704f1d664dea987e604cbb2bad79db0d*0103007502010a0000000000000000f25d0d52220052ab5c6dbd52419992f0e8014cc04f26b9f794a6ab652e5930517cca000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*10
WPA*02*ed4510793b6da2b5cc58608ae0ac704e*cc32e562b757*b4cd274b31a1*2f2722272727*da5d5ec58b51b4af3decc13c0497ef9b2d31882d8ff10d54a84bee0abe9bf9d8*0103007502010a000000000000000000034a3b019a409247a0c74c23162c75ee3c622c64379704e9ff9dbaa1ace56ba6d3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*02

Password in rockyou.txt, show me how great it is working for ya.
Reply
#4
Maybe there is a bug, maybe your procedure and *.cap file are absolute trash. But with that piss-poor attitude you come off as a spoiled little 5-year-old missing his/her "my little pony" shows.

Act like a professional, read the rules, make a proper help case and get it figured out.
Reply
#5
(05-29-2022, 01:11 PM)The Mechanic Wrote: Maybe there is a bug, maybe your procedure and *.cap file are absolute trash.

Well, I didn't invent that procedure. Maybe it was flawed by design.
All I did was follow the steps from the instructions. I've also tried to change the parameters, tried to lock it to a single channel and filter by BSSID, tried it on different networks, both my main home network and a mobile hotspot, and it fails to crack the hash in every case.

(05-29-2022, 01:11 PM)The Mechanic Wrote: Act like a professional, read the rules, make a proper help case and get it figured out.

Yeah, and how exactly am I supposed to do that when nothing is working.
Reply
#6
Environment 1:

router: TP-Link TL-WR841N - encryption: WPA2 - wifi channel 11 (fixed)
We use the example password "hashcat!" from
https://hashcat.net/wiki/doku.php?id=example_hashes
client: notebook

get target information:
Code:
$ sudo hcxdumptool -i wlp39s0f3u1u1u2 --do_rcascan -c 11
BSSID        FREQ  CH RSSI BEACON RESPONSE ESSID  SCAN-FREQ: 2462 INJECTION-RATIO: 100% [13:11:05]
-----------------------------------------------------------------------------------------------------
6466b38ec3fc 2462  11  -31    24      23 TP-LINK_HASHCAT_TEST

set monitor mode and create attack filter tailored to the target:
Code:
$ sudo hcxdumptool -m wlp39s0f3u1u1u2
$ sudo tcpdump -i wlp39s0f3u1u1u2 wlan addr1 6466b38ec3fc or wlan addr2 6466b38ec3fc or wlan addr3 6466b38ec3fc -ddd > target.bpfc
This is not mandatory, but we do not want to disturb/jam the entire neighborhood.

run attack:
Code:
$ sudo hcxdumptool -i wlp39s0f3u1u1u2 -c 11 -o test.pcapng --enable_status=15 --bpfc=target.bpfc --active_beacon
initialization of hcxdumptool 6.2.6-10-g36ce1fb (depending on the capabilities of the device, this may take some time)...
interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls

start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
PHYSICAL INTERFACE........: phy0
INTERFACE NAME............: wlp39s0f3u1u1u2
INTERFACE PROTOCOL........: IEEE 802.11
INTERFACE TX POWER........: 20 dBm (lowest value reported by the device)
INTERFACE HARDWARE MAC....: 74da38f2038e (not used for the attack)
INTERFACE VIRTUAL MAC.....: 74da38f2038e (not used for the attack)
DRIVER....................: mt7601u
DRIVER VERSION............: 5.18.0-arch1-1
DRIVER FIRMWARE VERSION...: N/A
openSSL version...........: 1.1
ERRORMAX..................: 100 errors
BPF code blocks...........: 33
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ACCESS POINT (ROGUE)......: 000e175c955e (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: 000e175c955f (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 000e175c9560 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: b0ece1ad5e88
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 63271
ANONCE....................: 2c1480188261ae8ecb947768c0838ebf2bc650f41e443656a64a0af314f36e5d
SNONCE....................: 358c7cc83ff0600a54c79e5660a9763a54abde52564c5203eb9db3caf722341a

TIME    FREQ/CH  MAC_DEST    MAC_SOURCE  ESSID [FRAME TYPE]
13:24:05 2462/11  ffffffffffff 6466b38ec3fc TP-LINK_HASHCAT_TEST [BEACON]
13:24:06 2462/11  225edc49b7aa 6466b38ec3fc TP-LINK_HASHCAT_TEST [AUTHENTICATION]
13:24:06 2462/11  225edc49b7aa 6466b38ec3fc TP-LINK_HASHCAT_TEST [ASSOCIATION]
13:24:06 2462/11  225edc49b7aa 6466b38ec3fc TP-LINK_HASHCAT_TEST [EAPOL:M2M3 EAPOLTIME:4227 RC:2 KDV:2]
13:24:06 2462/11  225edc49b7aa 6466b38ec3fc TP-LINK_HASHCAT_TEST [EAPOL:M3M4ZEROED EAPOLTIME:9937 RC:2 KDV:2]
^C
terminating...


convert to hash file hc22000:
Code:
$ hcxpcapngtool -o test.hc22000 test.pcapng
hcxpcapngtool 6.2.7-5-gd66ebbf reading from test.pcapng...

summary capture file
--------------------
file name.................................: test.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.18.0-arch1-1
application..............................: hcxdumptool 6.2.6-10-g36ce1fb
interface name...........................: wlp39s0f3u1u1u2
interface vendor.........................: 74da38
openSSL version..........................: 1.1
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 000e175c9560 (incremented on every new client)
MAC CLIENT...............................: b0ece1ad5e88
REPLAYCOUNT..............................: 63271
ANONCE...................................: 2c1480188261ae8ecb947768c0838ebf2bc650f41e443656a64a0af314f36e5d
SNONCE...................................: 358c7cc83ff0600a54c79e5660a9763a54abde52564c5203eb9db3caf722341a
timestamp minimum (GMT)..................: 30.05.2022 13:24:05
timestamp maximum (GMT)..................: 30.05.2022 13:24:07
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 114
packets received on 2.4 GHz..............: 112
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 11
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
EAPOL messages (total)...................: 109
EAPOL RSN messages.......................: 109
EAPOLTIME gap (measured maximum usec)....: 43208
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
EAPOL M1 messages (total)................: 106
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file....: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2462: 112

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

session summary
---------------
processed pcapng files................: 1

Please notice that I excluded undirected PROBEREQUEST frames when creating the packet filter. We don't need them for this small test.
hcxpcapngtool noticed that and gave a warning.
If you want to include them, you have to modify the filter this way:
Code:
$ sudo tcpdump -i wlp39s0f3u1u1u2 wlan addr1 ffffffffffff or wlan addr1 6466b38ec3fc or wlan addr2 6466b38ec3fc or wlan addr3 6466b38ec3fc -ddd > target.bpfc


run hashcat to recover the PSK:
Code:
$ hashcat -m 22000 test.hc22000 -a 3 hashcat!
hashcat (v6.2.5-439-ged3b52185) starting

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 11.7)
====================
* Device #1: NVIDIA GeForce GTX 1650, 3852/3911 MB, 16MCU

OpenCL API (OpenCL 3.0 CUDA 11.7.57) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce GTX 1650, skipped


Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1084 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.         

024022795224bffca545276c3762686f:6466b38ec3fc:225edc49b7aa:TP-LINK_HASHCAT_TEST:hashcat!

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.hc22000
Time.Started.....: Mon May 30 13:27:52 2022 (0 secs)
Time.Estimated...: Mon May 30 13:27:52 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      29 H/s (0.20ms) @ Accel:32 Loops:64 Thr:256 Vec:1
Recovered.Total..: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 47c Util: 26% Core:1770MHz Mem:3500MHz Bus:8

Started: Mon May 30 13:27:49 2022
Stopped: Mon May 30 13:27:54 2022

The complete process (preparing environment -> recovered PSK) took no more than 5 minutes.

From my point of view, the new hash mode 22000 is fantastic. Running hashcat (mode 22000) in combination with hcxdumptool/hcxlabtool and hcxtools even my GTX 1650 is fast enough to recover a PSK in a short time.


Environment 2:
To verify that hcxpcapngtool -> hashcat is working as expected, you can use this example dump file (in pcap format) from:
https://wiki.wireshark.org/SampleCaptures
Code:
$ wget https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/wpa-Induction.pcap

convert to hash file hc22000:
Code:
$ hcxpcapngtool -o wpa-induction.hc22000 wpa-Induction.pcap
hcxpcapngtool 6.2.7-5-gd66ebbf reading from wpa-Induction.pcap...

summary capture file
--------------------
file name.................................: wpa-Induction.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 07:14:45
timestamp maximum (GMT)..................: 04.01.2007 07:15:26
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 1093
frames with correct FCS..................: 1080
WIRELESS DISTRIBUTION SYSTEM.............: 1
ESSID (total unique).....................: 2
BEACON (total)...........................: 398
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
PROBEREQUEST.............................: 12
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 26
DISASSOCIATION (total)...................: 1
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
RESERVED MANAGEMENT frame................: 4
WPA encrypted............................: 280
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum usec)....: 4998
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file....: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1
PMKID (total)............................: 1
PMKID (from zeroed PMK)..................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
not available due to missing radiotap header

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.

session summary
---------------
processed cap files...................: 1


get a good (and small) wordlist:
Code:
$ wget https://wpa-sec.stanev.org/dict/cracked.txt.gz


run hashcat to recover the example PSK:
Code:
$ hashcat -m 22000 wpa-induction.hc22000 cracked.txt.gz
hashcat (v6.2.5-439-ged3b52185) starting

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 11.7)
====================
* Device #1: NVIDIA GeForce GTX 1650, 3852/3911 MB, 16MCU

OpenCL API (OpenCL 3.0 CUDA 11.7.57) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce GTX 1650, skipped

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 1 digests; 1 unique digests, 1 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1084 MB

Dictionary cache built:
* Filename..: cracked.txt.gz
* Passwords.: 358090
* Bytes.....: 3881090
* Keyspace..: 358090
* Runtime...: 0 secs

a462a7029ad5ba30b6af0df391988e45:000c4182b255:000d9382363a:Coherer:Induction

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: wpa-induction.hc22000
Time.Started.....: Mon May 30 14:26:50 2022 (2 secs)
Time.Estimated...: Mon May 30 14:26:52 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (cracked.txt.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    85823 H/s (11.14ms) @ Accel:64 Loops:256 Thr:32 Vec:1
Recovered.Total..: 1/1 (100.00%) Digests
Progress.........: 131072/358090 (36.60%)
Rejected.........: 0/131072 (0.00%)
Restore.Point....: 98304/358090 (27.45%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: E5EB6C05AE -> DMCJUWPR
Hardware.Mon.#1..: Temp: 41c Util: 39% Core:1545MHz Mem:3500MHz Bus:8

Started: Mon May 30 14:26:48 2022
Stopped: Mon May 30 14:26:52 2022
And again, my GTX 1650 is fast enough to recover the PSK in less than a minute.


BTW:
It would be good style if you described your steps exactly (description of the environment, including your distribution, hashcat version, hcxdumptool version, hcxpcapngtool version, the command lines used and the expected results).


And the password for these two hashes
https://hashcat.net/forum/thread-10805-p...l#pid55450
is not(!) in rockyou.txt, so you should remove them.
Unfortunately you have not provided information about the environment or how you captured/converted them.


If you would like to reproduce the workflow from environment 1:
Download and convert the attached example dump file.
Get the word list as described in environment 2.
Run hashcat to recover the PSK.

Feel free to comment how long it took to recover the PSK so we can see if hash mode 22000 is really "useless garbage".

I'll open:
GTX 1650
$ hashcat -m 22000 test.22000 cracked.txt.gz
Recovered.Total..: 1/1 (100.00%) Digests
Started: Mon May 30 18:02:18 2022
Stopped: Mon May 30 18:02:21 2022


Attached Files
.zip   test.pcapng.zip (Size: 2.15 KB / Downloads: 5)
Reply
#7
Environment 1:
Client: Lenovo T440s
Adapter : ALFA AWUS036AC
Router: Archer C6 v2.0 1.3.6 Build 20200902 rel.65591(4555)
Encryption: AUTO
Channel: AUTO (2.4 on c1 in the scenario)
BSSID: /'"'''
Password: hashcat!



Getting the target BSSID:
Code:
BSSID        FREQ  CH RSSI BEACON RESPONSE ESSID  SCAN-FREQ: 5018 INJECTION-RATIO:  29% [17:08:12]
-----------------------------------------------------------------------------------------------------
cc32e562b757 5009    1  -40    246      27 /'"'''

(Verifying it's correct)
Code:
$ sudo tcpdump -i wlan1 wlan addr1 cc32e562b757 or wlan addr2 cc32e562b757 or wlan addr3 cc32e562b757 -ddd > target.bpfc

$ cat target.bpfc
33
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
2 0 0 0
7 0 0 0
64 0 0 6
21 0 2 3848451927
72 0 0 4
21 20 0 52274
80 0 0 0
84 0 0 12
21 0 6 4
80 0 0 0
84 0 0 240
21 15 0 192
80 0 0 0
84 0 0 240
21 12 0 208
64 0 0 12
21 0 2 3848451927
72 0 0 10
21 7 0 52274
80 0 0 0
84 0 0 12
21 5 0 4
64 0 0 18
21 0 3 3848451927
72 0 0 16
21 0 1 52274
6 0 0 262144
6 0 0 0

Obtaining the hash:
Code:
$ sudo hcxdumptool -i wlan1 -o TEST.pcapng -c1 --enable_status=15 --bpfc=target.bpfc --active_beacon
initialization of hcxdumptool 6.2.6 (depending on the capabilities of the device, this may take some time)...
interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls

start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
PHYSICAL INTERFACE........: phy3
INTERFACE NAME............: wlan1
INTERFACE PROTOCOL........: IEEE 802.11b
INTERFACE TX POWER........: 0 dBm (lowest value reported by the device)
INTERFACE HARDWARE MAC....: 00c0cab018d5 (not used for the attack)
INTERFACE VIRTUAL MAC.....: 00c0cab018d5 (not used for the attack)
DRIVER....................: rtl88XXau
DRIVER VERSION............: 5.16.0-kali7-amd64
DRIVER FIRMWARE VERSION...:
openSSL version...........: 1.1
ERRORMAX..................: 100 errors
BPF code blocks...........: 33
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ACCESS POINT (ROGUE)......: 0022f1c3cf6f (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: 0022f1c3cf70 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 0022f1c3cf71 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: a4a6a932d16b
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 64526
ANONCE....................: 7a855d431690aed0b6ad0000c0b8afa34038d8ab8f3a2d3a4054ecb01bbfd4f3
SNONCE....................: d48eb08d934b717cb4f004efc5916ba9a81dfbee3cbd0be3e740542d694ae294

TIME    FREQ/CH  MAC_DEST    MAC_SOURCE  ESSID [FRAME TYPE]
17:15:05 2412/1  ffffffffffff cc32e562b757 [WILDCARD BEACON]
17:20:45 2412/1  daa119b0c26c cc32e562b757 /'"''' [PROBERESPONSE]
17:20:46 2412/1  b4cd274b31a1 cc32e562b757 /'"''' [AUTHENTICATION]
17:20:46 2412/1  b4cd274b31a1 cc32e562b757 /'"''' [ASSOCIATION]
17:20:46 2412/1  b4cd274b31a1 cc32e562b757 /'"''' [EAPOL:M1M2 EAPOLTIME:12719 RC:1 KDV:2]
17:20:48 2412/1  b4cd274b31a1 cc32e562b757 /'"''' [EAPOL:M1M2 EAPOLTIME:4046 RC:3 KDV:2]

Converting to hc22000:
Code:
$ hcxpcapngtool -o TEST.hc22000 TEST.pcapng
hcxpcapngtool 6.2.7 reading from TEST.pcapng...

summary capture file
--------------------
file name................................: TEST.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.16.0-kali7-amd64
application..............................: hcxdumptool 6.2.6
interface name...........................: wlan1
interface vendor.........................: 00c0ca
openSSL version..........................: 1.1
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 580943b74ffc (incremented on every new client)
MAC CLIENT...............................: fcc233f3f447
REPLAYCOUNT..............................: 62473
ANONCE...................................: 5d2469db45d6d67137a2d31ef25e9a0a0ae9143d47db1d786c0029df3eb68bcf
SNONCE...................................: bcf2e54a020388599e2c8d20a01a4d77ad73c559941f4ed31c409d1c3e584015
timestamp minimum (GMT)..................: 30.05.2022 17:04:41
timestamp maximum (GMT)..................: 30.05.2022 17:04:56
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)...............: little endian
packets inside...........................: 44
frames with correct FCS..................: 44
packets received on 2.4 GHz..............: 44
ESSID (total unique).....................: 4
BEACON (total)...........................: 6
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
BEACON (SSID wildcard/unset).............: 2
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 5
AUTHENTICATION (OPEN SYSTEM).............: 5
EAPOL messages (total)...................: 30
EAPOL RSN messages.......................: 30
EAPOL M1 messages (total)................: 30
PMKID (total)............................: 30
PMKID (best).............................: 2
PMKID ROGUE..............................: 2
PMKID written to 22000 hash file.........: 2

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2412: 43 2427: 1

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.


session summary
---------------
processed pcapng files................: 1

Creating some example wordlist:
Code:
$ tail -n500 /usr/share/wordlists/rockyou.txt >> 500.txt

$ wc -l 500.txt
500 500.txt

$ echo 'hashcat!' >> 500.txt
$ tail -n1 500.txt
hashcat!

Running the cat:
Code:
$ hashcat -m 22000 TEST.hc22000 500.txt
hashcat (v6.2.5) starting

OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-4300U CPU @ 1.90GHz, 2766/5597 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache built:
* Filename..: 500.txt
* Passwords.: 501
* Bytes.....: 5475
* Keyspace..: 501
* Runtime...: 0 secs

Approaching final keyspace - workload adjusted.         

Session..........: hashcat                               
Status...........: Exhausted
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: TEST.hc22000
Time.Started.....: Mon May 30 17:25:55 2022 (0 secs)
Time.Estimated...: Mon May 30 17:25:55 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (500.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    4097 H/s (5.69ms) @ Accel:64 Loops:512 Thr:1 Vec:8
Recovered........: 0/2 (0.00%) Digests, 0/2 (0.00%) Salts
Progress.........: 1002/1002 (100.00%)
Rejected.........: 230/1002 (22.95%)
Restore.Point....: 501/501 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....:  iluveddie1 -> hashcat!
Hardware.Mon.#1..: Temp: 52c Util: 34%

Started: Mon May 30 17:25:53 2022
Stopped: Mon May 30 17:25:57 2022

TEST.hc22000 contains:
Code:
WPA*01*a1d7b930ef5566e3ef598e7760bf4821*8c5bf06e6c46*fcc233f3f447*555043323436303935363533***
WPA*01*306754a8d7f41b0e0c9352119275eb07*8c5bf0a266ab*fcc233f3f447*555043323439333734303133***

* I've performed the test on the laptop without the dedicated GPU, but I doubt that the result would be any different.
** I've performed the test with and without the additional filtering options already, with the same results.
*** The hash provided in the test.pcapng.zip file was successfully cracked in the very same environment.
Reply
#8
"The hash provided in the test.pcapng.zip file was successfully cracked in the very same environment."
That means hcxpcapngtool and hashcat are working as expected.

You successfully attacked your target. That means, hcxdumptool is working as expected.

But you have to check your workflow!
You attacked the target AP
$ whoismac -m cc32e562b757
VENDOR: TP-LINK TECHNOLOGIES CO.,LTD. (UAA), unicast
Make sure the PSK for this target is in your word list.

connected with this CLIENT:
$ whoismac -m b4cd274b31a1
VENDOR: HUAWEI TECHNOLOGIES CO.,LTD (UAA), unicast


But you converted a totally different target
"Converting to hc22000"
and ran hashcat against it
$ whoismac -m 8c5bf06e6c46
VENDOR: ARRIS Group, Inc. (UAA), unicast

connected with this CLIENT:
$ whoismac -m fcc233f3f447
VENDOR: ASUSTek COMPUTER INC. (UAA), unicast

This target uses a default PSK of 12 characters (0-9a-zA-Z). You will not be able to recover this PSK with a CPU only if it is not in the word list.

Please notice that POCL is not the best choice for running OpenCL tasks.

If you are new to hash mode 22000, it is a good idea to clean up your working directory before starting hcxpcapngtool, because it will append everything to existing files, as mentioned at the end of --help:
Output is appended to existing files.
This is wanted behavior, especially on headless web servers, but it can lead to situations like the one above.

hcxdumptool's behavior is a little bit different. Because it uses random values after starting, pcapng files will not be appended to. Instead, a sequential number is appended if the file name is the same:
test.pcapng
test.pcapng-0
test.pcapng-1


hcxhashtool will give you information about the converted hash file. That includes MAC AP, MAC CLIENT and the hash itself.
Again we take the example from environment 1:
Code:
$ hcxhashtool -i test.hc22000 --info=stdout
SSID.......: TP-LINK_HASHCAT_TEST
MAC_AP.....: 6466b38ec3fc (TP-LINK TECHNOLOGIES CO.,LTD.)
MAC_CLIENT.: 225edc49b7aa (Unknown)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
RC INFO....: NC suggested
MP M2M3 E2.: authorized
MIC........: 024022795224bffca545276c3762686f
HASHLINE...: WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*a2

@Atom , how about adding this example hash to:
https://hashcat.net/wiki/doku.php?id=example_hashes
in addition to the PMKID hash.
Reply
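To make concrete what hashcat checks for a WPA*02 line like the HASHLINE shown above, here is an added example (not hashcat or hcxtools code) that recomputes the EAPOL MIC for a candidate PSK: PBKDF2 over the ESSID gives the PMK, PRF-512 over both MACs and both nonces gives the PTK, and the first 16 bytes of the PTK (the KCK) key the MIC over the client's EAPOL frame. That chain is why a line from a different AP, client or ESSID can never be "cracked" with the right PSK. The `build_eapol_line` helper forges a test line with constructed nonces; the RSN IE it embeds is the one from the hash line above, and the PBKDF2 test vector in the self-check (passphrase "password", SSID "IEEE") is the one from the IEEE 802.11 standard. Nonce error correction, Key Descriptor Version 3 (AES-CMAC), WPA3/SAE and PMKID (WPA*01) lines are not handled.

```python
"""Recompute the EAPOL MIC that hashcat mode 22000 checks for a WPA*02 line.

Added example, not hashcat or hcxtools code. Handles Key Descriptor Version 1
(HMAC-MD5) and 2 (HMAC-SHA1-128); version 3 (AES-CMAC), nonce error
correction and PMKID (WPA*01) lines are out of scope.
"""
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL header (4) + descriptor/info/len/RC (13) + nonce (32) + IV/RSC/ID (32)
# RSN IE taken from the hash line quoted in this thread; used only to forge test lines.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac028000")


def pmk_from_psk(psk: str, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)


def ptk_from_pmk(pmk: bytes, mac_ap: bytes, mac_client: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512("Pairwise key expansion") as used by WPA/WPA2-PSK."""
    data = (b"Pairwise key expansion\x00"
            + min(mac_ap, mac_client) + max(mac_ap, mac_client)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its own Key MIC field zeroed."""
    version = int.from_bytes(frame[5:7], "big") & 0x07  # low bits of Key Info
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise NotImplementedError(f"Key Descriptor Version {version} not handled")


def verify_eapol_line(line: str, psk: str) -> bool:
    """True if `psk` reproduces the MIC stored in a WPA*02 hc22000 line."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] != "02":
        raise ValueError("expected a WPA*02 (EAPOL) line")
    mic, mac_ap, mac_client, essid, anonce, frame = (bytes.fromhex(x) for x in f[2:8])
    # For the pairs hcxpcapngtool writes, the stored frame is the client's M2
    # (or a non-zeroed M4), so its Key Nonce field is the SNonce.
    snonce = frame[17:49]
    kck = ptk_from_pmk(pmk_from_psk(psk, essid), mac_ap, mac_client, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, frame), mic)


def build_eapol_line(psk: str, essid: bytes, mac_ap: bytes, mac_client: bytes,
                     anonce: bytes, snonce: bytes, replay_counter: int = 1,
                     message_pair: int = 0x02) -> str:
    """Forge a WPA*02 line for a known PSK (constructed test vector, not a capture)."""
    body = (bytes([0x02])                       # Key Descriptor Type: RSN
            + (0x010A).to_bytes(2, "big")       # Key Info: version 2, pairwise, MIC set
            + (0).to_bytes(2, "big")            # Key Length
            + replay_counter.to_bytes(8, "big")
            + snonce                            # Key Nonce: the client's SNonce in M2
            + bytes(16) + bytes(8) + bytes(8)   # Key IV, Key RSC, Key ID
            + bytes(16)                         # Key MIC, zeroed as in a 22000 line
            + len(RSN_IE).to_bytes(2, "big") + RSN_IE)
    frame = bytes([0x01, 0x03]) + len(body).to_bytes(2, "big") + body
    kck = ptk_from_pmk(pmk_from_psk(psk, essid), mac_ap, mac_client, anonce, snonce)[:16]
    return "*".join(["WPA", "02", eapol_mic(kck, frame).hex(), mac_ap.hex(), mac_client.hex(),
                     essid.hex(), anonce.hex(), frame.hex(), f"{message_pair:02x}"])


if __name__ == "__main__":
    # Constructed demo: the thread's ESSID and MACs, made-up nonces.
    ap, sta = bytes.fromhex("6466b38ec3fc"), bytes.fromhex("225edc49b7aa")
    line = build_eapol_line("hashcat!", b"TP-LINK_HASHCAT_TEST", ap, sta, bytes(range(32)), bytes(range(32, 64)))
    print(line)
    for candidate in ("hashcat!", "hashcat?"):
        print(candidate, verify_eapol_line(line, candidate))
```

Swapping only the AP MAC field in a line (as happens when a stale line for another AP is left in the hash file) makes the right PSK fail the check, which is the behaviour described above for the two UPC lines.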
#9
Maybe this is just too complicated for me. I have filtered the AP mac as a target, so how come I have some useless junk in my hashes?

Also, isn't it enough to have just one good hash? So in my brain, when I got two hashes instead of just one, cracking the hash would be even more of an expected outcome, and I don't understand it.

Now I have repeated the attack inside a new working directory and got two hashes again; for both the AP is cc32e562b757 and just the client APs differ, the password is still 'hashcat!' and still nothing was cracked, both on the CPU and on the desktop 1660S. So what else can I do?

I can even let hcxdumptool run for an entire 24h, then run hashcat on the dozens of collected hashes and still nothing will be cracked; all of this is extremely odd to me.
Reply
#10
First of all: Don't give up.
Attacking a wireless network is not trivial (unlike recovering the password from an md5 hash).
Techniques (wifi device, tools), tactics (attack and protect filters, passwords, rules, masks, getting information about the target) and procedures (environment, workflow) are the key to the goal.

The steps are always the same:
Code:
clear your working directory
attack the target
convert the hash to hc22000 hash file
feed hashcat with the target hc22000 file (double check this) and a good word list, rules or masks (or a combination of them)

The examples I have shown seem simple. But that is not the case, because they reflect experience acquired over 35 years of working (and learning something new every day) in signals and crypto analysis. That is neither witchcraft, nor NSA stuff, nor a design flaw, but a lot of experience.


BTW:
The rockyou word list is not the best choice, because this list is very (very) old and not related to WiFi. Mostly you'll never find a PSK using this ancient list.

You can assume that everything described above is working as expected, because all tools are running in the background of
https://hashcat.net/cap2hashcat/
and
https://wpa-sec.stanev.org/?stats
They (successfully) converted thousands of hashes and recovered thousands of PSKs.


BTW2:
"hashcat!" is not the PSK for the hashes you reported here
https://hashcat.net/forum/thread-10805-p...l#pid55450
Reply
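The "double check this" step in the workflow above, and the mix-up explained in post #8 (hcxpcapngtool appending PMKIDs for two UPC access points to a file that was then run as if it held the TP-LINK target), both come down to one check: does every line in the hc22000 file belong to the BSSID you attacked? hcxhashtool --info answers that interactively; the following added example (not hcxtools or hashcat code) does the same in script form: it parses each WPA*01 (PMKID) / WPA*02 (EAPOL) line, decodes the ESSID, names the EAPOL message pair and AP-less flag, and splits the lines into target and foreign. The sample file is constructed from the four hash lines quoted in this thread; other flag bits of the message-pair byte are left undecoded on purpose.

```python
"""Check which AP(s) a hashcat 22000 hash file actually contains.

Added example, not hcxtools or hashcat code. Parses WPA*01 / WPA*02 lines,
decodes the ESSID and separates lines for the BSSID you attacked from lines
that got into the file some other way (e.g. appended by hcxpcapngtool from
an earlier run in the same working directory).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

HEX = re.compile(r"^[0-9a-fA-F]*$")
MAC = re.compile(r"^[0-9a-fA-F]{12}$")
# Bits 0-2 of the message-pair byte name the EAPOL pair; bit 4 marks an
# AP-less (rogue AP) capture. The remaining flag bits are not decoded here.
PAIR_NAMES = {0: "M1M2", 1: "M1M4", 2: "M2M3", 3: "M2M3", 4: "M3M4", 5: "M3M4"}
FLAG_APLESS = 0x10


@dataclass
class Hc22000Line:
    kind: str                    # "PMKID" (WPA*01) or "EAPOL" (WPA*02)
    digest: str                  # PMKID or EAPOL MIC, 32 hex chars
    mac_ap: str
    mac_client: str
    essid: str
    message_pair: Optional[int]  # None for PMKID lines

    @property
    def pair_name(self) -> str:
        if self.message_pair is None:
            return "PMKID"
        name = PAIR_NAMES.get(self.message_pair & 0x07, "unknown")
        return name + (" (AP-less)" if self.message_pair & FLAG_APLESS else "")


def parse_hc22000_line(line: str) -> Hc22000Line:
    """Parse one WPA*TYPE*DIGEST*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MP line."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA":
        raise ValueError(f"not a 22000 hash line: {line[:40]!r}")
    kind, digest, mac_ap, mac_client, essid_hex, anonce, eapol, mp = f[1:]
    if kind not in ("01", "02"):
        raise ValueError(f"unknown hash type {kind!r}")
    if len(digest) != 32 or not HEX.match(digest):
        raise ValueError("digest must be 32 hex chars")
    if not (MAC.match(mac_ap) and MAC.match(mac_client)):
        raise ValueError("MAC fields must be 12 hex chars")
    if len(essid_hex) % 2 or not HEX.match(essid_hex):
        raise ValueError("ESSID must be hex encoded")
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="backslashreplace")
    common = (digest.lower(), mac_ap.lower(), mac_client.lower(), essid)
    if kind == "01":
        if anonce or eapol or mp:
            raise ValueError("PMKID line must end with three empty fields")
        return Hc22000Line("PMKID", *common, None)
    if len(anonce) != 64 or not HEX.match(anonce):
        raise ValueError("ANONCE must be 64 hex chars")
    if not eapol or not HEX.match(eapol):
        raise ValueError("EAPOL frame must be hex encoded")
    if len(mp) != 2 or not HEX.match(mp):
        raise ValueError("message pair must be one hex byte")
    return Hc22000Line("EAPOL", *common, int(mp, 16))


def split_by_target(lines: Iterable[str], target_bssid: str) -> Tuple[List[Hc22000Line], List[Hc22000Line]]:
    """Return (lines for target_bssid, lines for any other AP); blank lines are skipped."""
    target = target_bssid.replace(":", "").lower()
    hits: List[Hc22000Line] = []
    foreign: List[Hc22000Line] = []
    for raw in lines:
        if raw.strip():
            rec = parse_hc22000_line(raw)
            (hits if rec.mac_ap == target else foreign).append(rec)
    return hits, foreign


# Constructed sample file: the four hash lines quoted in this thread, as they
# could end up together when the working directory is not cleaned between runs.
SAMPLE_HC22000 = """\
WPA*02*066aed0940ca557fcc9d9f08ed8f09e2*cc32e562b757*88b4a6c73425*2f2722272727*d538c895e22e902ccbcda6f43c060531704f1d664dea987e604cbb2bad79db0d*0103007502010a0000000000000000f25d0d52220052ab5c6dbd52419992f0e8014cc04f26b9f794a6ab652e5930517cca000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*10
WPA*02*ed4510793b6da2b5cc58608ae0ac704e*cc32e562b757*b4cd274b31a1*2f2722272727*da5d5ec58b51b4af3decc13c0497ef9b2d31882d8ff10d54a84bee0abe9bf9d8*0103007502010a000000000000000000034a3b019a409247a0c74c23162c75ee3c622c64379704e9ff9dbaa1ace56ba6d3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*02
WPA*01*a1d7b930ef5566e3ef598e7760bf4821*8c5bf06e6c46*fcc233f3f447*555043323436303935363533***
WPA*01*306754a8d7f41b0e0c9352119275eb07*8c5bf0a266ab*fcc233f3f447*555043323439333734303133***
"""

if __name__ == "__main__":
    hits, foreign = split_by_target(SAMPLE_HC22000.splitlines(), "cc:32:e5:62:b7:57")
    for tag, recs in (("TARGET ", hits), ("FOREIGN", foreign)):
        for r in recs:
            print(f"{tag} {r.kind:5} {r.mac_ap} -> {r.mac_client} {r.essid!r:24} {r.pair_name}")
```

Run it against your own file with `split_by_target(open("TEST.hc22000"), "<bssid>")`; if the foreign list is not empty, hashcat is being fed hashes whose PSK is not the one in your word list, and "Exhausted" is the expected result regardless of how long hcxdumptool ran.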