Hashcat - newbie advice needed
#1
Hello, I am having a problem with cracking my own Wi-Fi network. The password has 11 characters, and I made a custom list of chars that contains all the characters needed, in plain text format with the extension .hcchr, as the documentation says.
I used hcxdumptool to catch the handshake in .pcapng format and converted it to hc22000 for hashcat.
When I run the command

"hashcat.exe -a 3 -m 22000 --session pause -1 chars.hcchr hash.hc22000 ?1?1?1?1?1?1?1?1?1?1?1"
it works fine, but when it finishes I get Exhausted status; the output is below:


Session..........: pause
Status...........: Exhausted
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: hash.hc22000
Time.Started.....: Fri Sep 02 19:00:49 2022 (1 day, 5 hours)
Time.Estimated...: Sun Sep 04 00:31:41 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?1?1?1?1?1?1?1?1?1?1?1 [11]
Guess.Charset....: -1 chars.hcchr, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  380.1 kH/s (2.20ms) @ Accel:4 Loops:256 Thr:512 Vec:1
Recovered........: 0/4 (0.00%) Digests
Progress.........: 100000000000/100000000000 (100.00%)
Rejected.........: 0/100000000000 (0.00%)
Restore.Point....: 10000000000/10000000000 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:9-10 Iteration:3-7
Candidate.Engine.: Device Generator
Candidates.#1....: x4vppxvxvxv -> xxvxvxvxvxv
Hardware.Mon.#1..: Temp: 73c Fan: 95% Util: 95% Core:1919MHz Mem:7293MHz Bus:16



Also, the output of the converted file is below:
summary capture file
--------------------
file name................................: dumpfile.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.15.0-kali3-amd64
application..............................: hcxdumptool 6.2.7-11-g81e9aee
interface name...........................: wlan0
interface vendor.........................: 18cdb6
openSSL version..........................: 1.0
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 000ku404m836 (incremented on every new client)
MAC CLIENT...............................: abtg73bcbb1d
REPLAYCOUNT..............................: 64601
ANONCE...................................: e9436bfe1f19cb40ed99fa6cd9gh92b245871h7j14d260d9b895b9419c7f1
SNONCE...................................: 970de99c8e955n792648u5e135b40dfakt76j78c05e527cdf3330393654b7
timestamp minimum (GMT)..................: 30.08.2022 15:53:15
timestamp maximum (GMT)..................: 30.08.2022 15:57:40
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)...............: little endian
packets inside...........................: 2161
frames with correct FCS..................: 2137
packets received on 2.4 GHz..............: 2127
packets received on 5 GHz................: 10
ESSID (total unique).....................: 34
BEACON (total)...........................: 50
BEACON on 2.4 GHz channel (from IE_TAG)..: 1 4 5 6 8 11 13
BEACON on 5/6 GHz channel (from IE-TAG)..: 36 43
ACTION (total)...........................: 285
PROBEREQUEST.............................: 10
PROBEREQUEST (directed)..................: 4
PROBERESPONSE (total)....................: 26
AUTHENTICATION (total)...................: 34
AUTHENTICATION (OPEN SYSTEM).............: 33
AUTHENTICATION (unknown).................: 1
ASSOCIATIONREQUEST (total)...............: 7
ASSOCIATIONREQUEST (PSK).................: 7
REASSOCIATIONREQUEST (total).............: 1
REASSOCIATIONREQUEST (PSK)...............: 1
EAPOL messages (total)...................: 1720
EAPOL RSN messages.......................: 1623
EAPOL WPA messages.......................: 97
EAPOLTIME gap (measured maximum usec)....: 7283839
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 3
EAPOL M1 messages (total)................: 1682
EAPOL M2 messages (total)................: 15
EAPOL M3 messages (total)................: 14
EAPOL M4 messages (total)................: 9
EAPOL pairs (total)......................: 32
EAPOL pairs (best).......................: 6
EAPOL ROGUE pairs........................: 2
EAPOL pairs written to 22000 hash file...: 6 (RC checked)
EAPOL M12E2 (challenge)..................: 2
EAPOL M32E2 (authorized).................: 4
PMKID (useless)..........................: 738
PMKID (total)............................: 445
PMKID (best).............................: 19
PMKID ROGUE..............................: 15
PMKID written to 22000 hash file.........: 19

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2322: 445 2453: 41 2443: 5 7257:602
2454 665 2487: 141 2475: 8 7332: 9
5232: 1 5247: 3 2476: 485 2482: 152
2481: 6 5151: 6 7251: 1 7253: 2
3174: 8


session summary
---------------
processed pcapng files................: 1

I also removed all data that is not related to my own Wi-Fi from the file.

What am I doing wrong? All the chars needed are in the file "chars.hcchr", so I'm confused why hashcat doesn't simply brute-force the Wi-Fi password. Any help appreciated.
#2
Because your capture file has several other hashes included with it. Whether your wifi was actually captured we cannot say.

In hashcat:
Recovered........: 0/4 (0.00%) Digests

This shows 4 different hashes are being attacked.

In hcxpcapngtool:

PMKID written to 22000 hash file.........: 19

States there are 19 PMKIDs captured and processed into your attack file.

So isolate the MAC address of your device when you capture with hcxdumptool, or just pull it from your capture file with a text editor, and try an easier brute-force since you KNOW the password.
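The isolation step suggested above can be done without a text editor: an hc22000 line is nine '*'-separated fields, and the AP MAC is the fourth, so a few lines of Python can keep only the PMKID/EAPOL entries for one access point and count what remains. This is an added example, not code from the thread or from the hashcat project; the input is the wiki PMKID example hash shown later in this thread plus constructed lines with placeholder MACs and the made-up ESSID "mynet".

```python
"""Filter a hashcat 22000 hash file down to a single access point (added example)."""
from collections import Counter

# One hc22000 line, '*'-separated:
#   WPA*TYPE*PMKID-or-MIC*MACAP*MACCLIENT*ESSID(hex)*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID, TYPE 02 = EAPOL 4-way handshake (MIC); the last three
# fields are empty for PMKID lines.

# Constructed sample file: line 1 is the hashcat wiki example PMKID hash,
# lines 2-3 use placeholder MACs and a short fake MIC/nonce/EAPOL payload.
SAMPLE_HC22000 = """\
WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***
WPA*01*00000000000000000000000000000000*aabbccddeeff*112233445566*6d796e6574***
WPA*02*11111111111111111111111111111111*aabbccddeeff*112233445566*6d796e6574*2222222222222222*0103007502010a00*a2
"""


def parse_hc22000(line):
    """Split one line into named fields; raise on anything that is not 22000 format."""
    parts = line.strip().split("*")
    if len(parts) != 9 or parts[0] != "WPA" or parts[1] not in ("01", "02"):
        raise ValueError(f"not a 22000 line: {line[:40]!r}")
    return {
        "type": "PMKID" if parts[1] == "01" else "EAPOL",
        "hash": parts[2],
        "mac_ap": parts[3].lower(),
        "mac_client": parts[4].lower(),
        "essid": bytes.fromhex(parts[5]).decode("utf-8", "replace"),
        "raw": line.strip(),
    }


def select_ap(text, mac_ap):
    """Return the parsed records whose AP MAC matches (colons/dashes ignored)."""
    want = mac_ap.replace(":", "").replace("-", "").lower()
    records = (parse_hc22000(l) for l in text.splitlines() if l.strip())
    return [r for r in records if r["mac_ap"] == want]


def summarize(text):
    """Count entries per (AP MAC, type), i.e. what hashcat will treat as digests."""
    return Counter((r["mac_ap"], r["type"])
                   for r in (parse_hc22000(l) for l in text.splitlines() if l.strip()))


def write_filtered(text, mac_ap, out_path):
    """Write only the selected AP's lines to a new hash file; returns lines written."""
    kept = select_ap(text, mac_ap)
    with open(out_path, "w") as fh:
        fh.write("".join(r["raw"] + "\n" for r in kept))
    return len(kept)
```

Run `summarize(open("hash.hc22000").read())` first: if it lists more than one AP MAC, the hash file is attacking networks other than your own, and `write_filtered` produces a file containing just yours.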
#3
Thanks for your answer, much appreciated.
That's exactly what I did. I edited the captured file and deleted everything that has nothing to do with my Wi-Fi network, leaving only the entries which contained my MAC address (4 entries were with my MAC address). From your answer, the only thing that comes to my mind is that I did not capture the PMKID of my network or the file is corrupt, although during the capture period I created traffic (disconnecting and connecting clients, surfing the net...). And regardless of everything, I got "Status: Exhausted".
I'll try again to capture the file, let it run longer perhaps, and see how it goes.
#4
To make sure hashcat is working as expected, get both hc22000 example hashes from here
https://hashcat.net/wiki/doku.php?id=example_hashes
and store them into sample.hc22000
Code:
WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***
WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*a2

Then run hashcat
Code:
$ hashcat -m 22000 sample.hc22000 -a 3 hashcat!
hashcat (v6.2.5-586-g9fe51563b) starting

...

Approaching final keyspace - workload adjusted.          

4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747f87f9f4:hashcat-essid:hashcat!
024022795224bffca545276c3762686f:6466b38ec3fc:225edc49b7aa:TP-LINK_HASHCAT_TEST:hashcat!
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: sample.hc22000
Time.Started.....: Wed Sep  7 07:00:12 2022 (0 secs)
Time.Estimated...: Wed Sep  7 07:00:12 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       38 H/s (0.64ms) @ Accel:64 Loops:256 Thr:32 Vec:1
Recovered.Total..: 2/2 (100.00%) Digests, 2/2 (100.00%) Salts
Progress.........: 2/2 (100.00%)
Rejected.........: 0/2 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 45c Util:  7% Core:1920MHz Mem:4001MHz Bus:8

Started: Wed Sep  7 07:00:10 2022
Stopped: Wed Sep  7 07:00:12 2022

The PSK should be recovered on both hashes.

Now do the same with your hash and your PSK:
Code:
$ hashcat -m 22000 hash.hc22000 -a 3 your_PSK
If the PSK is correct, hashcat should recover it.
#5
I did everything as you suggested. Hashcat works as it should; I got the passwords for both files. The only thing left is that the dump file is bad. I captured a new dump file again, so I'm going to start over. Thank you very much for the suggestions, they helped me a lot. When I succeed (the question is when, not if :) ), I will post the success and share it with you. Thank you again and I wish you all the best.
#6
It turns out that I had a typo in "chars.hcchr". I was so convinced that I had put all the characters in the file that I didn't notice that, when changing the password for this test, I made a mistake and entered a number instead of a letter, which I usually do and for some reason this time didn't. If anything, I look at things on the positive side: the mistake allowed me to better understand and learn about Hashcat, and I finally succeeded. Maybe for a new beginner this can be a lesson on how not to waste a lot of time on a small typo :)
Best regards, hashcat-newbie.
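The lesson in the last post, that a single character missing from the .hcchr file silently turns a 29-hour run into an exhausted keyspace, can be checked in seconds before starting hashcat: confirm every character of the known password is in the charset, and compute the keyspace and run time the mask implies. This is an added example, not code from the thread; the charset "xvp4abcdef" and the test password are constructed, and it assumes the .hcchr file holds literal characters (a trailing newline is stripped, and hashcat's ?l/?d-style escapes inside the file are not expanded).

```python
"""Sanity-check a custom hashcat charset against a known password (added example)."""
import math

# Constructed: a 10-character .hcchr file, as the original post's
# Progress of 100000000000 (= 10^11 for an 11-char mask) implies.
CHARS_HCCHR = "xvp4abcdef\n"


def load_hcchr(text):
    """Return the unique characters of a .hcchr file (assumes literal chars only)."""
    return sorted(set(text.rstrip("\r\n")))


def missing_chars(charset, password):
    """Characters of the password that the charset cannot produce (empty = OK)."""
    return sorted(set(password) - set(charset))


def keyspace(charset, length):
    """Candidates for a ?1?1...?1 mask of the given length over one custom charset."""
    return len(charset) ** length


def eta_seconds(charset, length, rate_hps):
    """Worst-case run time in seconds at a given hash rate (e.g. 380.1e3 for 380.1 kH/s)."""
    return keyspace(charset, length) / rate_hps


def check(hcchr_text, password, rate_hps):
    """Combine the checks: returns a dict a caller can read before launching hashcat."""
    charset = load_hcchr(hcchr_text)
    missing = missing_chars(charset, password)
    secs = eta_seconds(charset, len(password), rate_hps)
    return {
        "charset_size": len(charset),
        "missing": missing,
        "covered": not missing,
        "keyspace": keyspace(charset, len(password)),
        "eta_hours": round(secs / 3600, 1),
        "eta_days": math.ceil(secs / 86400),
    }


if __name__ == "__main__":
    # A password with a digit where a letter was intended, as in post #6.
    print(check(CHARS_HCCHR, "x4vppxvxvx9", 380.1e3))
```

A `missing` list that is not empty means the mask can never hit the password, however long it runs, and `eta_hours` tells you in advance whether the full keyspace is worth the time.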