Posts: 2
Threads: 1
Joined: Jan 2017
Hi,
I am using hashcat to brute force decrypt my CHAP sessions. (-m 4800). All works fine for Challenge Salt length of 16 bytes, but I get an error when trying to use longer Challenge Salts (My Packet Capture has Value of length 26).
Can anyone guide me to the error of my ways?
Thanks in anticipation
S2Art
Posts: 5,185
Threads: 230
Joined: Apr 2010
The challenge salt should be a fixed 16 byte value. You sure the capture is ok?
Posts: 2
Threads: 1
Joined: Jan 2017
Hi atom. My reading is that CHAP challenge can vary.
I've rechecked my .pcap dump and the PPP CHAP is length 36. (happy to share). Is there an alternative -m mode I can use?
regards
Posts: 5,185
Threads: 230
Joined: Apr 2010
No, only fixed length is supported
Posts: 1
Threads: 0
Joined: May 2017
(01-23-2017, 10:41 AM)atom Wrote: No, only fixed length is supported
I realise this is several months old now but a breakthrough was made by members of another forum where a CHAP was to be broken with challenge longer than 16 bytes. This was achieved with a combination of custom charset and --hex-charset
hashcat -m 0 -a 3 -w 3 file.hash --hex-charset -1 ?d?u?l [insert identifier from wireshark]?1?1?1?1?1?1?1?1[insert challenge value from wireshark]
Where file.hash contains the computed hash to crack. Identifier is the 1 byte session number in hex and challenge is the challenge in hex. Both from the capture file.
The result is the source for the hash with, in this case, 8 chars, in hex. Converting the password hex values to ASCII gives the pass.
I'd like to take the credit for this but it wasn't me.
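Added example, not part of the original thread: the -m 0 mask in the last post works because an RFC 1994 CHAP response is MD5 over identifier, secret and challenge in that order, so the challenge can be any length. This Python sketch computes the response, checks a candidate secret against a captured response from your own session, and decodes a recovered hex plaintext back to the ASCII secret. The function names and all sample values (identifier, secret, 26-byte challenge) are constructed for illustration.

```python
import hashlib
import hmac


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("the CHAP identifier is a single byte")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def matches_capture(identifier: int, candidate: bytes,
                    challenge: bytes, captured_response: bytes) -> bool:
    """True if the candidate secret reproduces the captured response."""
    return hmac.compare_digest(
        chap_response(identifier, candidate, challenge), captured_response)


def secret_from_plain(plain: str, identifier: int, challenge: bytes) -> str:
    """Strip the identifier byte and the challenge from a recovered
    plaintext given in hex, and return the secret as ASCII."""
    # hashcat may wrap non-printable plaintexts as $HEX[...]; accept both forms.
    if plain.startswith("$HEX[") and plain.endswith("]"):
        plain = plain[5:-1]
    raw = bytes.fromhex(plain)
    if raw[:1] != bytes([identifier]) or not raw.endswith(challenge):
        raise ValueError("plaintext is not identifier || secret || challenge")
    return raw[1:len(raw) - len(challenge)].decode("ascii")


# Constructed sample values, not taken from any real capture.
IDENTIFIER = 0x01
CHALLENGE = bytes(range(0x10, 0x10 + 26))   # 26-byte challenge, as in the thread
SECRET = b"Passw0rd"                        # 8 characters, as in the last post
RESPONSE = chap_response(IDENTIFIER, SECRET, CHALLENGE)

if __name__ == "__main__":
    print("response :", RESPONSE.hex())
    print("match    :", matches_capture(IDENTIFIER, SECRET, CHALLENGE, RESPONSE))
    recovered = (bytes([IDENTIFIER]) + SECRET + CHALLENGE).hex()
    print("secret   :", secret_from_plain(recovered, IDENTIFIER, CHALLENGE))
```
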