CHAP Challenge Limit

I am using hashcat to brute force decrypt my CHAP sessions.  (-m 4800).  All works fine for Challenge Salt length of 16 bytes, but I get an error when trying to use longer Challenge Salts (My Packet Capture has Value of length 26).  

Can anyone guide me to the error of my ways?

Thanks in anticipation

The challenge salt should be a fixed 16 byte value. You sure the capture is ok?
Hi atom. My reading is that CHAP challenge can vary.

I've rechecked my .pcap dump and the PPP CHAP is length 36. (happy to share). Is there an alternative -m mode I can use?

No, only fixed length is supported
(01-23-2017, 10:41 AM)atom Wrote: No, only fixed length is supported

I realise this is several months old now but a breakthrough was made by members of another forum where a CHAP was to be broken with challenge longer than 16 bytes. This was achieved with a combination of custom charset and --hex-charset

hashcat -m 0 -a 3 -w 3 file.hash --hex-charset -1 ?d?u?l [insert identifier from wireshark]?1?1?1?1?1?1?1?1[insert challenge value from wireshark]

Where file.hash contains the computed hash to crack. Identifier is the 1 byte session number in hex and challenge is the challenge in hex. Both from the capture file.

The result is the source for the hash with, in this case 8 chars, in hex. Convert the password hex values to ASCII gives the pass.

I'd like to take the credit for this but it wasn't me.