Cracking WPA with hashcat news
#1
For those of you who are cracking WPA with hashcat, continue reading...

Sometimes it happens that the WPA handshake you've recorded is broken. Unfortunately there's no reliable way to detect and report such a broken handshake on startup. Even worse, hashcat (or any other cracker) is unable to crack such handshakes even if you had the correct password in your wordlist.

The latest beta version of hashcat supports cracking multiple WPA/WPA2 handshakes with the same ESSID for the price of one. That's possible because in the PBKDF2 computation the WPA/WPA2 protocol uses the ESSID as salt and no other data is mixed in. That's not really news, most of the WPA crackers make use of this and build rainbow tables (yes, lol) for the most common ESSIDs. This is really useless.

However, there's another reason to exploit this and this is the reason why I've added support for it. You can record multiple WPA handshakes against the same AP and since the ESSID isn't changed you can now crack them all for the price of a single handshake. The advantage is that the more handshakes you record, the better the chance that at least one of them is a valid handshake.

For example, my GTX1080 processes rockyou.txt wordlist in 30 seconds. If I add 20 more of the same AP the time it takes to process rockyou.txt is still 30 seconds.

To make use of this feature, simply concatenate the single hccaps onto each other like:

Quote:
$ cat handshake1.hccap > handshake_all.hccap
$ cat handshake2.hccap >> handshake_all.hccap
$ cat handshake3.hccap >> handshake_all.hccap
$ cat handshake4.hccap >> handshake_all.hccap
...

Then crack handshake_all.hccap
#2
nice!
Does it work if I have handshakes from 2 or more APs (meaning not the same SSID)?

Let's say
1, essid = AP1
2, essid = AP2
3, essid = AP3
Quote:
AP1 as
cat AP1handshake1.hccap >> AP1handshake_all.hccap
cat AP1handshake2.hccap >> AP1handshake_all.hccap
cat AP1handshake3.hccap >> AP1handshake_all.hccap

AP2 as
cat AP2handshake1.hccap >> AP2handshake_all.hccap
cat AP2handshake2.hccap >> AP2handshake_all.hccap
cat AP2handshake3.hccap >> AP2handshake_all.hccap

AP3 as
cat AP3handshake1.hccap >> AP3handshake_all.hccap
cat AP3handshake2.hccap >> AP3handshake_all.hccap
cat AP3handshake3.hccap >> AP3handshake_all.hccap

Will -m 2500 AP3handshake_all.hccap,AP2handshake_all.hccap,AP1handshake_all.hccap work?
#3
(12-25-2016, 10:25 PM)kiara Wrote: nice!
does it work if i have handshakes from 2 or more AP (meaning not the same ssid*)?
[...]
will -m 2500 AP3handshake_all.hccap,AP2handshake_all.hccap,AP1handshake_all.hccap will work?

I can confirm it's working, I used to do it with version 2 of the software. But the more you have, the more you will slow down your speed.
#4
Quote: I can confirm it's working, I used to do it with version 2 of the software. But the more you have, the more you will slow down your speed.

Yes, simple multihash for WPA has been working for a long time.

Quote: will -m 2500 AP3handshake_all.hccap,AP2handshake_all.hccap,AP1handshake_all.hccap work?

Yes, in your above case it's 9 different handshakes with 3 different ESSIDs, so the speedup (compared to the older version) is 300%.
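The two points made in #1 and #4, that PBKDF2 is salted with nothing but the ESSID and that a concatenated .hccap therefore costs one PBKDF2 per candidate per ESSID no matter how many handshakes it holds, can be checked in a few dozen lines. The following is an added example, not code from the thread or from hashcat: it splits a concatenated .hccap into its 392-byte records, groups them by ESSID, and runs a tiny wordlist with the 802.11i key derivation (PBKDF2-HMAC-SHA1 with 4096 rounds, PRF-512 for the PTK, HMAC-MD5 or HMAC-SHA1 for the key MIC depending on keyver). Assumptions: the record layout is the aircrack-ng/hashcat hccap struct, the stored EAPOL frame has its MIC field already zeroed, and the sample capture (SAMPLE_HCCAP, WORDLIST, the MAC addresses and nonces) is constructed in the code itself with known passphrases, with one record deliberately broken to show that a bad handshake does not stop the others from cracking.

```python
"""Added example (not from the forum thread or from hashcat): crack a
concatenated .hccap the way post #1 describes, PBKDF2 once per ESSID."""
import hashlib
import hmac
import struct
from collections import defaultdict

# hccap record layout used by aircrack-ng/hashcat: essid, AP MAC, station MAC,
# client nonce, AP nonce, EAPOL frame (MIC field zeroed), eapol_size, keyver, MIC.
HCCAP_FMT = "<36s6s6s32s32s256sii16s"
HCCAP_LEN = struct.calcsize(HCCAP_FMT)  # 392 bytes


def parse_hccap(blob):
    """Split a (possibly concatenated) .hccap blob into record dicts.
    A size that is not a multiple of 392 means the cat step went wrong
    (truncated or non-hccap file mixed in); refuse it rather than feed garbage."""
    if not blob or len(blob) % HCCAP_LEN:
        raise ValueError(f"size {len(blob)} is not a multiple of {HCCAP_LEN}")
    records = []
    for off in range(0, len(blob), HCCAP_LEN):
        (essid, ap, sta, snonce, anonce, eapol,
         eapol_size, keyver, mic) = struct.unpack_from(HCCAP_FMT, blob, off)
        if not 0 < eapol_size <= 256 or keyver not in (1, 2):
            raise ValueError(f"record at offset {off} has bad eapol_size/keyver")
        records.append({"essid": essid.rstrip(b"\x00"), "ap": ap, "sta": sta,
                        "anonce": anonce, "snonce": snonce,
                        "eapol": eapol[:eapol_size], "keyver": keyver, "mic": mic})
    return records


def pmk_for(passphrase, essid):
    """WPA/WPA2-PSK PMK: PBKDF2-HMAC-SHA1, 4096 rounds, salt = ESSID only."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, essid, 4096, 32)


def kck_for(pmk, ap, sta, anonce, snonce):
    """First 16 bytes of the PTK (the KCK) from the 802.11i PRF-512."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                 hashlib.sha1).digest()
        for i in range(4))
    return ptk[:16]


def eapol_mic(kck, eapol, keyver):
    """Key MIC over the EAPOL frame: HMAC-MD5 (keyver 1) or HMAC-SHA1 (keyver 2)."""
    if keyver == 1:
        return hmac.new(kck, eapol, hashlib.md5).digest()
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]


def crack(records, wordlist):
    """Return ({essid: passphrase or None}, stats). stats["pbkdf2_calls"]
    grows with candidates x ESSIDs, not with the number of handshakes."""
    by_essid = defaultdict(list)
    for rec in records:
        by_essid[rec["essid"]].append(rec)
    found, stats = {}, {"pbkdf2_calls": 0, "valid_handshakes": 0}
    for essid, recs in by_essid.items():
        found[essid] = None
        for candidate in wordlist:
            stats["pbkdf2_calls"] += 1          # the expensive step, once per ESSID
            pmk = pmk_for(candidate, essid)
            hits = [r for r in recs             # cheap per-handshake MIC check
                    if eapol_mic(kck_for(pmk, r["ap"], r["sta"], r["anonce"], r["snonce"]),
                                 r["eapol"], r["keyver"]) == r["mic"]]
            if hits:  # at least one handshake for this ESSID was valid
                found[essid] = candidate
                stats["valid_handshakes"] += len(hits)
                break
    return found, stats


def build_record(essid, passphrase, ap, sta, anonce, snonce, eapol, keyver=2, broken=False):
    """Constructed sample data: forge one hccap record for a known passphrase.
    broken=True zeroes the MIC, imitating a corrupt capture that matches nothing."""
    mic = bytes(16) if broken else eapol_mic(
        kck_for(pmk_for(passphrase, essid), ap, sta, anonce, snonce), eapol, keyver)
    return struct.pack(HCCAP_FMT, essid, ap, sta, snonce, anonce,
                       eapol.ljust(256, b"\x00"), len(eapol), keyver, mic)


# Constructed capture: three handshakes for AP1 (first one broken) and one for AP2.
AP1_BSSID, AP2_BSSID = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
EAPOL = bytes.fromhex("0103005f02010a00") + bytes(91)  # EAPOL-Key header, MIC zeroed
SAMPLE_HCCAP = b"".join([
    build_record(b"AP1", b"password123", AP1_BSSID, bytes.fromhex("aabbccddee01"),
                 b"A" * 32, b"S" * 32, EAPOL, broken=True),
    build_record(b"AP1", b"password123", AP1_BSSID, bytes.fromhex("aabbccddee02"),
                 b"B" * 32, b"T" * 32, EAPOL),
    build_record(b"AP1", b"password123", AP1_BSSID, bytes.fromhex("aabbccddee03"),
                 b"C" * 32, b"U" * 32, EAPOL, keyver=1),
    build_record(b"AP2", b"hunter22", AP2_BSSID, bytes.fromhex("aabbccddee04"),
                 b"D" * 32, b"V" * 32, EAPOL),
])
WORDLIST = [b"letmein", b"password123", b"hunter22"]

if __name__ == "__main__":
    print(crack(parse_hccap(SAMPLE_HCCAP), WORDLIST))
```

On the constructed capture, AP1 cracks on the second candidate (2 PBKDF2 calls for its three handshakes, two of which validate while the broken one never does) and AP2 on the third, so the run costs 5 PBKDF2 calls for 4 handshakes. The size check in parse_hccap is the one thing worth running before handing a cat-built file to hashcat: a stray non-hccap file in the concatenation shows up immediately as a length that is not a multiple of 392.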
#5
I tried " -m 2500 a0 AP3handshake_all.hccap,AP2handshake_all.hccap rockyou.txt" and it didn't work.
It treated the two files as one and said it does not exist: "AP3handshake_all.hccap,AP2handshake_all.hccap" no such directory. Can you explain more how I can crack multiple handshakes at once?
#6
Your syntax is all sorts of fucked up
#7
(04-29-2017, 06:30 PM)epixoip Wrote: Your syntax is all sorts of fucked up

Why? I'm using the same as mentioned up there.