hashcat Forum Deprecated; Ancient Versions Very old oclHashcat-plus Support v
can't crack wpa even if key is in dictionary

Threaded Mode
can't crack wpa even if key is in dictionary
Ajeje Offline
Junior Member
**
Posts: 3
Threads: 1
Joined: Apr 2013
#1
04-05-2013, 09:10 PM
Hi, i've used hashcat for a while and i'm super-happy with it, it worked several times for me.

However, on this specific network, it can't find the wpa key even if it is in the dictionary. It goes through the dictionary then says "Exhausted"

[Image: THBgvCW.jpg]

The WPA key is "mercedes1" (no quotes).. Here's the .hccap file: https://mega.co.nz/#!dBRlgRaD!ed3mxHF6NU...Pt8Ljkl6F4

Thank you for your help.
Find
Rolf Offline
Товарищ Ролф
******
Posts: 601
Threads: 18
Joined: Apr 2010
#2
04-06-2013, 06:58 AM
I have tried to reproduce using plus and hc, and also with third party software.
None found the password as "mercedes1"
Mayhaps its not "mercedes1" ?
Or the hccap is corrupted.
Find
atom Offline
Administrator
*******
Posts: 5,232
Threads: 233
Joined: Apr 2010
#3
04-06-2013, 08:48 AM
cant crack it either. i agree to what rolf said
Website Find
Ajeje Offline
Junior Member
**
Posts: 3
Threads: 1
Joined: Apr 2013
#4
04-06-2013, 12:54 PM
An online hash cracking service found the password for me, and it is indeed "mercedes1".

Here is a screenshot from the router configuration file [Image: GWcd7Lk.jpg]

I submitted the .cap file to the site (not the .hccap), maybe that's the problem?

Here's the .cap file I submitted to the service:

https://mega.co.nz/#!sBoWzYxK!CH98XwYbB6...I-ElOdTVag
Find
Hash-IT Offline
Moderator
*****
Posts: 723
Threads: 85
Joined: Apr 2011
#5
04-06-2013, 02:06 PM
(04-06-2013, 12:54 PM)Ajeje Wrote: An online hash cracking service found the password for me, and it is indeed "mercedes1".

I submitted the .cap file to the site (not the .hccap), maybe that's the problem?

Try making a new password in your router 0123456789 for example. Re capture it and test that.
Find
The Mechanic Offline
Member
***
Posts: 63
Threads: 10
Joined: Jun 2012
#6
04-06-2013, 03:46 PM
Way to many captures in that file, aircrack didnt find it, pyrit missed it until --all-handshakes was used. Get a clean capture then convert the file

Code:
#1: AccessPoint 02:24:01:4e:f6:22 ('business'):
  #1: Station 00:1f:c0:cb:64:cd
  #2: Station 00:1a:73:08:f3:09, 13 handshake(s):
    #1: HMAC_MD5_RC4, bad, spread 5
    #2: HMAC_MD5_RC4, bad, spread 6
    #3: HMAC_MD5_RC4, bad, spread 6
    #4: HMAC_MD5_RC4, bad, spread 7
    #5: HMAC_MD5_RC4, bad, spread 7
    #6: HMAC_MD5_RC4, bad, spread 7
    #7: HMAC_MD5_RC4, bad, spread 7
    #8: HMAC_MD5_RC4, bad, spread 8
    #9: HMAC_MD5_RC4, bad, spread 8
    #10: HMAC_MD5_RC4, bad, spread 8
    #11: HMAC_MD5_RC4, bad, spread 9
    #12: HMAC_MD5_RC4, bad, spread 9
    #13: HMAC_MD5_RC4, bad, spread 10
  #3: Station 00:3c:f0:83:07:54
  #4: Station 00:16:37:44:0d:f2
  #5: Station 00:96:28:c8:63:89
  #6: Station 00:b8:ae:cd:61:7f
  #7: Station 00:cb:7b:69:35:7b
  #8: Station 00:48:4f:c3:3b:21
  #9: Station 00:0a:cd:04:8b:f5
  #10: Station 00:79:3e:80:f4:4d
  #11: Station 00:c4:63:6a:00:3a
  #12: Station 00:38:89:f3:d2:64
  #13: Station 00:bd:e8:87:e9:90
  #14: Station 00:84:ba:2b:a8:2b
  #15: Station 00:26:38:ab:aa:94
  #16: Station 00:cd:8a:ff:6c:84
  #17: Station 00:66:1c:80:70:2d
  #18: Station 00:27:92:e2:6f:1a
  #19: Station 00:ef:e4:31:f3:70
  #20: Station 00:1d:6f:9a:da:64
  #21: Station f0:1c:13:cc:d6:bd, 52 handshake(s):
    #1: HMAC_MD5_RC4, good, spread 1
    #2: HMAC_MD5_RC4, good, spread 1
    #3: HMAC_MD5_RC4, good, spread 1
    #4: HMAC_MD5_RC4, good, spread 1
    #5: HMAC_MD5_RC4, good, spread 1
    #6: HMAC_MD5_RC4, good, spread 1
    #7: HMAC_MD5_RC4, good, spread 1
    #8: HMAC_MD5_RC4, good, spread 1
    #9: HMAC_MD5_RC4, good, spread 3
    #10: HMAC_MD5_RC4, good, spread 3
    #11: HMAC_MD5_RC4, good, spread 3
    #12: HMAC_MD5_RC4, good, spread 4
    #13: HMAC_MD5_RC4, good, spread 4
    #14: HMAC_MD5_RC4, good, spread 5
    #15: HMAC_MD5_RC4, good, spread 5
    #16: HMAC_MD5_RC4, good, spread 6
    #17: HMAC_MD5_RC4, good, spread 6
    #18: HMAC_MD5_RC4, good, spread 6
    #19: HMAC_MD5_RC4, good, spread 7
    #20: HMAC_MD5_RC4, good, spread 9
    #21: HMAC_MD5_RC4, good, spread 10
    #22: HMAC_MD5_RC4, good, spread 10
    #23: HMAC_MD5_RC4, good, spread 10
    #24: HMAC_MD5_RC4, good, spread 10
    #25: HMAC_MD5_RC4, good, spread 10
    #26: HMAC_MD5_RC4, good, spread 11
    #27: HMAC_MD5_RC4, good, spread 11
    #28: HMAC_MD5_RC4, good, spread 11
    #29: HMAC_MD5_RC4, good, spread 14
    #30: HMAC_MD5_RC4, good, spread 15
    #31: HMAC_MD5_RC4, good, spread 15
    #32: HMAC_MD5_RC4, good, spread 17
    #33: HMAC_MD5_RC4, good, spread 17
    #34: HMAC_MD5_RC4, good, spread 17
    #35: HMAC_MD5_RC4, good, spread 18
    #36: HMAC_MD5_RC4, good, spread 21
    #37: HMAC_MD5_RC4, good, spread 21
    #38: HMAC_MD5_RC4, good, spread 21
    #39: HMAC_MD5_RC4, good, spread 22
    #40: HMAC_MD5_RC4, good, spread 23
    #41: HMAC_MD5_RC4, good, spread 23
    #42: HMAC_MD5_RC4, good, spread 23
    #43: HMAC_MD5_RC4, good, spread 25
    #44: HMAC_MD5_RC4, good, spread 28
    #45: HMAC_MD5_RC4, good, spread 29
    #46: HMAC_MD5_RC4, good, spread 33
    #47: HMAC_MD5_RC4, bad, spread 23
    #48: HMAC_MD5_RC4, bad, spread 29
    #49: HMAC_MD5_RC4, bad, spread 34
    #50: HMAC_MD5_RC4, bad, spread 41
    #51: HMAC_MD5_RC4, bad, spread 45
    #52: HMAC_MD5_RC4, bad, spread 53
  #22: Station 00:18:cd:c4:17:39
  #23: Station 00:90:9d:6f:13:a5
  #24: Station 00:50:c5:3c:d7:ae
  #25: Station 00:b2:51:9f:fa:39
  #26: Station 00:47:f3:26:b7:06
  #27: Station 00:75:61:bd:f5:55
  #28: Station 00:d8:af:81:28:22
  #29: Station 00:26:19:a8:d1:c3
  #30: Station 00:68:0e:47:e8:7e
  #31: Station 00:ad:b6:84:5b:74
  #32: Station 00:57:c1:48:88:b4
Find
atom Offline
Administrator
*******
Posts: 5,232
Threads: 233
Joined: Apr 2010
#7
04-07-2013, 09:49 AM
I cant say it often enough.

Use the "wpaclean" utility before converting!

See how it works afterwards:

Code:
root@sf:~/crackers/aircrack-ng/src# ./wpaclean x.cap /root/sniff_dump-11.cap
Pwning /root/sniff_dump-11.cap (1/1 100%)
Net 02:24:01:4e:f6:22 business
Done
root@sf:~/crackers/aircrack-ng/src# ./aircrack-ng -J x x.cap
Opening x.cap
Read 3 packets.

   #  BSSID              ESSID                     Encryption

   1  02:24:01:4E:F6:22  business                  WPA (1 handshake)

Choosing first network as target.

Opening x.cap
Reading packets, please wait...

Building Hashcat (1.00) file...

[*] ESSID (length: 8): business
[*] Key version: 1
[*] BSSID: 02:24:01:4E:F6:22
[*] STA: F0:1C:13:CC:D6:BD
[*] anonce:
    23 7E AE 2C 9F 6F 54 78 1A 95 D3 4C 18 B2 1D A8
    A6 C5 8F D1 80 F6 A5 EE 64 E7 29 49 65 82 FB A5
[*] snonce:
    64 08 6B F3 EA D0 EE 92 33 26 33 30 AC 84 5F 1B
    54 50 82 9C EE 86 F3 45 47 53 D6 C0 1D BE A5 99
[*] Key MIC:
    27 51 A2 9D 08 83 A0 98 BB 11 AF F5 4D E8 95 5D
[*] eapol:
    01 03 00 77 FE 01 09 00 20 00 00 00 00 00 00 00
    02 64 08 6B F3 EA D0 EE 92 33 26 33 30 AC 84 5F
    1B 54 50 82 9C EE 86 F3 45 47 53 D6 C0 1D BE A5
    99 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 18 DD 16 00 50 F2 01 01 00 00 50 F2 02 01
    00 00 50 F2 02 01 00 00 50 F2 02

Successfully written to x.hccap


Quitting aircrack-ng...
root@sf:~/crackers/aircrack-ng/src# cp x.hccap /root/xy/oclHashcat-plus-0.15
root@sf:~/crackers/aircrack-ng/src# cd /root/xy/oclHashcat-plus-0.15/
root@sf:~/xy/oclHashcat-plus-0.15# echo mercedes1 > testdict
root@sf:~/xy/oclHashcat-plus-0.15# ./oclHashcat-plus64.bin -m 2500 x.hccap testdict        
oclHashcat-plus v0.15 by atom starting...

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
Workload: 16 loops, 8 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Cayman, 1024MB, 830Mhz, 24MCU
Device #2: Cayman, 1024MB, 830Mhz, 24MCU
Device #3: Cayman, 1024MB, 830Mhz, 24MCU
Device #4: Cayman, 1024MB, 830Mhz, 24MCU
Device #1: Kernel ./kernels/4098/m2500.Cayman_1084.4_1084.4.kernel (1810128 bytes)
Device #2: Kernel ./kernels/4098/m2500.Cayman_1084.4_1084.4.kernel (1810128 bytes)
Device #3: Kernel ./kernels/4098/m2500.Cayman_1084.4_1084.4.kernel (1810128 bytes)
Device #4: Kernel ./kernels/4098/m2500.Cayman_1084.4_1084.4.kernel (1810128 bytes)

Cache-hit dictionary stats testdict: 10 bytes, 1 words, 1 keyspace

business:mercedes1                          
                                            
Session.Name...: oclHashcat-plus
Status.........: Cracked
Input.Mode.....: File (testdict)
Hash.Target....: business (02:24:01:4e:f6:22 <-> f0:1c:13:cc:d6:bd)
Hash.Type......: WPA/WPA2
Time.Started...: Sun Apr  7 09:47:08 2013 (1 sec)
Speed.GPU.#1...:        0/s
Speed.GPU.#2...:        0/s
Speed.GPU.#3...:        0/s
Speed.GPU.#4...:        0/s
Speed.GPU.#*...:        0/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 1/1 (100.00%)
Rejected.......: 0/1 (0.00%)
HWMon.GPU.#1...:  0% Util, 43c Temp, 29% Fan
HWMon.GPU.#2...:  0% Util, 41c Temp, N/A Fan
HWMon.GPU.#3...:  0% Util, 40c Temp, 29% Fan
HWMon.GPU.#4...:  0% Util, 38c Temp, N/A Fan

Started: Sun Apr  7 09:47:08 2013
Stopped: Sun Apr  7 09:47:09 2013
Website Find
Ajeje Offline
Junior Member
**
Posts: 3
Threads: 1
Joined: Apr 2013
#8
04-09-2013, 05:27 PM
Thanks a lot guys! Smile
Find