Cracking a password present in wordlist doesn't work
#21
And now the funny part: the impact of insufficient NC.
This is mostly the case if you use a passive dumper or a dumper that
is not able to detect a packet loss,
is not able to detect the router endianness (big endian / little endian), or
is not able to calculate NC.

Again we take our example hash:
Code:
$ hashcat -m 22000 "WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*a2" -a 3 hashcat!
hashcat (v6.2.6-661-gf924ee801) starting
...
024022795224bffca545276c3762686f:6466b38ec3fc:225edc49b7aa:TP-LINK_HASHCAT_TEST:hashcat!
                                                          
Session..........: hashcat
Status...........: Cracked
As expected, hashcat was able to recover the PSK.

Now we simulate a packet loss.
7 EAPOL M1 got lost and we did not get any information about the type of the router (BE or LE) - MESSAGEPAIR is set to *02 == AUTHENTICATED
Code:
$ hashcat -m 22000 "WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e9725*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*02" -a 3 hashcat!
hashcat (v6.2.6-661-gf924ee801) starting
...
Session..........: hashcat                                
Status...........: Exhausted
This is outside hashcat's default NC of +/-8 and the status is exhausted.

But if we set NC to 17, this happens:
Code:
$ hashcat -m 22000 --nonce-error-corrections=17 "WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e9725*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*02" -a 3 hashcat!
hashcat (v6.2.6-661-gf924ee801) starting
...

024022795224bffca545276c3762686f:6466b38ec3fc:225edc49b7aa:TP-LINK_HASHCAT_TEST:hashcat!
                                                          
Session..........: hashcat
Status...........: Cracked
As expected, hashcat was able to recover the PSK.
#22
I recommend playing around with this example hash to get an overview of the capabilities/advantages of the MESSAGEPAIR.

One last example. We move the MESSAGEPAIR from an authorized one to a challenge:
Code:
$ hashcat -m 22000 "WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*00" -a 3 hashcat!
hashcat (v6.2.6-661-gf924ee801) starting
...
024022795224bffca545276c3762686f:6466b38ec3fc:225edc49b7aa:TP-LINK_HASHCAT_TEST:hashcat!
                                                          
Session..........: hashcat
Status...........: Cracked
As expected, we got the PSK.

BTW: from README.md Requirements (hcxdumptool/hcxtools)
Code:
* knowledge of radio technology
* knowledge of electromagnetic-wave engineering
* detailed knowledge of 802.11 protocol
* detailed knowledge of key derivation functions
* detailed knowledge of Linux (strict)
* detailed knowledge of filter procedures (Berkeley Packet Filter, capture filter, display filter)
If you have acquired this knowledge (feel free to ask), I'm sure you will have a lot of fun with hcxdumptool -> hcxtools -> hashcat/JtR.
#23
This MESSAGEPAIR field is more interesting and useful than I thought it was.
Thanks to bbjjlk for bringing this up.
And, of course, many thanks to ZerBea for explaining things to the community.
I have my questions, though. And I hope ZerBea will help me to get the answers too.

I have some hashes with different MESSAGEPAIRs that indicate "replaycount not checked, nonce-error-corrections mandatory".
To crack 'em successfully, I'd like to know what value to use for the nonce-error-corrections.

Hash 1
Code:
WPA*02*<some hex value here>*<ap mac>*<sta mac>*<essid>*<some hex value here>*0103007502010a00000000000000000000<some hex value here>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac022c24*a2

Hash 2
Code:
WPA*02*<some hex value here>*<ap mac>*<sta mac>*<essid>*<some hex value here>*0103007502010a00000000000000000000<some hex value here>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac023c00*a0

Hash 3
Code:
WPA*02*<some hex value here>*<ap mac>*<sta mac>*<essid>*<some hex value here>*0103007502010a00000000000000000000<some hex value here>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020c00*82

Hash 4
Code:
WPA*02*<some hex value here>*<ap mac>*<sta mac>*<essid>*<some hex value here>*0103007502010a0000000000000000000<some hex value here>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac02000c*80
#24
The MESSAGEPAIR field is very limited (8 bit only). It only holds basic information about the AUTHENTICATION state (CHALLENGE/AUTHORIZED), the type of the ROUTER (BE/LE), NC (mandatory/not mandatory) and AP-LESS attack on a CLIENT (M1M2ROGUE). That's all. We can't get more information from the hash line.


But, depending on the quality of the dump file, hcxpcapngtool provides much more information, e.g.:
Code:
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 170
...
EAPOL pairs written to 22000 hash file...: 1 (RC checked)

Regarding hashcat, nonce-error-corrections=170 should be fine to be on the bright side.

Please notice!
Deadly filtered or cleaned dump files do not contain this information any longer.
Make up your own mind.

Example is taken from here:
https://github.com/wireshark/wireshark/b...on.pcap.gz

Code:
$ hcxpcapngtool wpa-Induction.pcap -o test.22000
hcxpcapngtool 6.3.1-53-g747e304 reading from wpa-Induction.pcap...

summary capture file
--------------------
file name................................: wpa-Induction.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 07:14:45
timestamp maximum (GMT)..................: 04.01.2007 07:15:26
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 1093
frames with correct FCS..................: 1080
packets received on 2.4 GHz..............: 1093
WIRELESS DISTRIBUTION SYSTEM.............: 1
ESSID (total unique).....................: 2
BEACON (total)...........................: 398
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
PROBEREQUEST (undirected)................: 12
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 26
DISASSOCIATION (total)...................: 1
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
RESERVED MANAGEMENT frame................: 4
WPA encrypted............................: 280
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum msec)....: 4
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1
RSN PMKID (total)........................: 1
RSN PMKID (from zeroed PMK)..............: 1 (not converted by default options - use --all if needed)

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2412: 1093    

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.

session summary
---------------
processed cap files...................: 1

$ cat test.22000
WPA*02*a462a........020000*02

Not enough M1 frames to calculate an exact value, but NC == 8 should be fine and hashcat will be able to recover the PSK.
Well, this is an example dump file - so it should really be fine.

But if we clean the dump file:
Code:
$ ./wpaclean cleaned.cap wpa-Induction.pcap
Pwning wpa-Induction.pcap (1/1 100%)
Net 00:0c:41:82:b2:55 Coherer
Done

and convert it again:
Code:
[zerobeat@tux1 aircrack-ng]$ hcxpcapngtool cleaned.cap -o cleaned.22000
hcxpcapngtool 6.3.1-53-g747e304 reading from cleaned.cap...

summary capture file
--------------------
file name................................: cleaned.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 07:14:51
timestamp maximum (GMT)..................: 04.01.2007 07:14:51
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianness (capture system)..............: little endian
packets inside...........................: 3
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
EAPOL messages (total)...................: 2
EAPOL RSN messages.......................: 2
EAPOLTIME gap (measured maximum msec)....: 1
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL pairs (total)......................: 1
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M12E2 (challenge)..................: 1
RSN PMKID (total)........................: 1
RSN PMKID (from zeroed PMK)..............: 1 (not converted by default options - use --all if needed)

Warning: out of sequence timestamps!
This dump file contains frames with out of sequence timestamps.
That is a bug of the capturing/cleaning tool.

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: radiotap header is missing!
Radiotap is a de facto standard for 802.11 frame injection and
reception. The radiotap header format is a mechanism to supply
additional information about frames, rom the driver to userspace
applications.
https://www.radiotap.org/

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

Information: missing frames!
This dump file does not contain important frames like
authentication, association or reassociation.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.

Information: missing EAPOL M3 frames!
This dump file does not contain EAPOL M3 frames (possible packet loss).
It strongly recommended to recapture the traffic or
to use --all option to convert all possible EAPOL MESSAGE PAIRs.

session summary
---------------
processed cap files...................: 1

$ cat cleaned.22000
WPA*02*a462a........020000*00

The results look different, because most of the (useful) information got lost.
That includes timestamps, AUTHENTICATION state and NC.
hashcat is able to recover the PSK from this hash line, too, because the source is a demo dump file of good quality.

But this may fail on poor quality dump files:
https://github.com/ZerBea/hcxtools/issues/265
#25
hcxdumptool, hcxpcapngtool and hashcat options are highly dependent on the expected result (e.g. discover weak points).

I'll say, for me as an analyst and coder, I prefer EAPOL M1M2ROGUE challenges (CLIENT connect attempt to hcxdumptool).
To identify weak points, unencrypted EAPOL M2's, especially in combination with undirected PROBEREQUESTs and EAP identities, are very, very useful. NC is not required (hashcat -m 22000 --nonce-error-corrections=0), which speeds up the analysis.

bitmask: 0xx10000 (BE/LE router doesn't matter)
Code:
000 = M1+M2, EAPOL from M2 (challenge)
4: ap-less attack (set to 1) - nonce-error-corrections not required
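To make the two things discussed above concrete (the MESSAGEPAIR bits from posts #24 and #25, and the NC experiment with the lost M1 frames from post #21), here is an added example in Python. It is my code, not ZerBea's and not part of hashcat or hcxtools. The MESSAGEPAIR bit layout is the one documented for hashcat's hccapx format (bits 0-2 pair type, bit 4 AP-less, bit 5 LE, bit 6 BE, bit 7 replay count not checked). The nonce-gap part models hashcat's NC as stepping the last four ANONCE bytes as a counter in both byte orders when the router type is unknown; that model is my simplification and an assumption, not something this thread states. The two hash lines embedded are the ones from post #21.

```python
"""Decode the MESSAGEPAIR byte of a hashcat -m 22000 hash line and check whether a
nonce-error-correction (NC) window covers an ANONCE gap caused by lost M1 frames.

Added example for this thread; not code from hashcat or hcxtools.
MESSAGEPAIR bit layout: as documented for the hashcat hccapx format.
NC model (last four ANONCE bytes read as a counter, both byte orders tried when the
router type is unknown): this example's own simplification, an assumption.
"""
from dataclasses import dataclass
from typing import Optional

# bits 0-2: which messages form the pair and which EAPOL frame is stored
PAIR_NAMES = {
    0: "M1+M2, EAPOL from M2 (challenge)",
    1: "M1+M4, EAPOL from M4 (authorized)",
    2: "M2+M3, EAPOL from M2 (authorized)",
    3: "M2+M3, EAPOL from M3 (authorized)",
    4: "M3+M4, EAPOL from M3 (authorized)",
    5: "M3+M4, EAPOL from M4 (authorized)",
}
BIT_APLESS = 0x10        # bit 4: AP-less attack (M1M2ROGUE), NC not required
BIT_LE = 0x20            # bit 5: little-endian router detected
BIT_BE = 0x40            # bit 6: big-endian router detected
BIT_RC_UNCHECKED = 0x80  # bit 7: replay count not checked, NC mandatory


@dataclass
class Hash22000:
    kind: str                  # "01" = PMKID line, "02" = EAPOL line
    key_mic: str               # PMKID or MIC, hex
    mac_ap: str
    mac_sta: str
    essid: str
    anonce: str                # hex, empty on PMKID lines
    eapol: str
    messagepair: Optional[int]


def parse_22000(line: str) -> Hash22000:
    """Split a 'WPA*xx*...' line into its nine '*'-separated fields."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a hashcat 22000 hash line")
    return Hash22000(
        kind=f[1], key_mic=f[2], mac_ap=f[3], mac_sta=f[4],
        essid=bytes.fromhex(f[5]).decode("utf-8", "replace"),
        anonce=f[6], eapol=f[7],
        messagepair=int(f[8], 16) if f[8] else None,
    )


def decode_messagepair(mp: int) -> dict:
    """Expand the 8-bit MESSAGEPAIR into the flags discussed in this thread."""
    pair = mp & 0x07
    le, be = bool(mp & BIT_LE), bool(mp & BIT_BE)
    return {
        "pair": pair,
        "description": PAIR_NAMES.get(pair, "unknown"),
        "authorized": pair != 0,  # pair 0 is the M1+M2 challenge
        "ap_less": bool(mp & BIT_APLESS),
        "router": {(False, False): "unknown", (True, False): "LE",
                   (False, True): "BE", (True, True): "LE+BE"}[(le, be)],
        "rc_checked": not (mp & BIT_RC_UNCHECKED),
        "nc_mandatory": bool(mp & BIT_RC_UNCHECKED),
    }


def nonce_gap(captured: str, actual: str) -> Optional[dict]:
    """Distance from the captured ANONCE to the one the MIC was really built with,
    reading the last four bytes as a counter in big- and little-endian order.
    Returns None if the nonces also differ outside those counter bytes."""
    a, b = bytes.fromhex(captured), bytes.fromhex(actual)
    if len(a) != 32 or len(b) != 32 or a[:-4] != b[:-4]:
        return None
    return {
        "be": int.from_bytes(b[-4:], "big") - int.from_bytes(a[-4:], "big"),
        "le": int.from_bytes(b[-4:], "little") - int.from_bytes(a[-4:], "little"),
    }


def nc_covers(gap: Optional[dict], nc: int, router: str = "unknown") -> bool:
    """True if trying +/-nc counter values around the captured nonce reaches the
    actual one (assumed model). Unknown router type: both byte orders are tried."""
    if gap is None:
        return False
    orders = {"BE": ["be"], "LE": ["le"]}.get(router, ["be", "le"])
    return any(abs(gap[o]) <= nc for o in orders)


def analyse(line: str, actual_anonce: Optional[str] = None, nc: int = 8) -> dict:
    """Combine the two checks for one hash line; actual_anonce is the nonce the
    MIC really belongs to (here known because the thread constructed the case)."""
    h = parse_22000(line)
    out = {"essid": h.essid, "kind": h.kind}
    if h.messagepair is not None:
        out["flags"] = decode_messagepair(h.messagepair)
    if actual_anonce and h.anonce:
        router = out["flags"]["router"] if "flags" in out else "unknown"
        out["gap"] = nonce_gap(h.anonce, actual_anonce)
        out["nc_covers"] = nc_covers(out["gap"], nc, router)
    return out


# Hash lines taken from post #21 of this thread: the original capture (*a2) and the
# simulated-M1-loss variant (ANONCE ends in ...9725 instead of ...972e, *02).
HASH_ORIGINAL = "WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*a2"
HASH_LOST_M1 = "WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e9725*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*02"

if __name__ == "__main__":
    real = parse_22000(HASH_ORIGINAL)
    print(decode_messagepair(real.messagepair))
    for nc in (8, 17):
        print(nc, analyse(HASH_LOST_M1, real.anonce, nc=nc)["nc_covers"])
```

Run as-is, the script reports the original line as pair 2 (authorized), LE router, replay count not checked, and shows the lost-M1 variant out of reach at NC 8 but inside NC 17, which matches the two hashcat runs in post #21 (the big-endian reading of the counter bytes is 9 apart). The PMKID-only line shape (WPA*01*...***) is handled too, with no MESSAGEPAIR to decode.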
#26
(07-25-2023, 01:27 PM)ZerBea Wrote: BTW: from README.md Requirements (hcxdumptool/hcxtools)
Code:
* knowledge of radio technology
* knowledge of electromagnetic-wave engineering
* detailed knowledge of 802.11 protocol
* detailed knowledge of key derivation functions
* detailed knowledge of Linux (strict)
* detailed knowledge of filter procedures (Berkeley Packet Filter, capture filter, display filter)
If you have acquired this knowledge (feel free to ask), I'm sure you will have a lot of fun with hcxdumptool -> hcxtools -> hashcat/JtR.

Well, I read that, but I'm new to pen testing and have been working with it for a month now. I admit I lack some of the requirements, but I'm always eager to learn; that is why I'm asking for so many details.

From everything you wrote there, I'll take the time to assimilate everything and play around with a few examples to completely understand it.
I'm still a bit confused about how you can get that much info from such a little hash.

Thank you for your patience and your explanations; now I do have to work to understand all of this ^^