WPA2 Half-Handshake
#1
I'm interested in cracking router passwords using only the first two parts of the WPA2 4-way handshake. Something similar to WPA2-HalfHandshake-Crack but with hashcat. Is this currently possible with the hashcat WPA/WPA2 hash mode?

Thanks!
#2
Short answer to your question:
Yes, it is possible with the latest hashcat!

Long statement:
But you don't need that tool!
Using only M1 and M2 is not a new idea.
You can use every combination of the handshake to crack the net:
M1/M2
M2/M3
M3/M4
M1/M4 (if M4 snonce is not zero)

cap2hccapx/wlancap2hcx will convert every combination of the message pairs.
They also test the timestamp and the possibility of using hashcat's --nonce-error-corrections.
Nonce error correction is possible because of the non-existent entropy of some access points.
That means the anonce isn't random!


If you use wlandump-ng/wlanresponse to capture the traffic, you only need the M2 of a client
(both tools generate the M1).
#3
And please keep in mind:

hcxtools and hashcat are "area weapons" against wifi!

hashcat (v3.6.0-279-g6946329b) starting...
Session..........: hashcat
Status...........: Running
Hash.Type........: WPA/WPA2
Hash.Target......: database.hccapx
Time.Started.....: Tue Aug 1 19:02:57 2017 (1 min, 26 secs)
Time.Estimated...: Tue Aug 1 21:51:12 2017 (2 hours, 46 mins)
Guess.Base.......: File (worlist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 428.8 kH/s (1.04ms)
Recovered........: 177354/979759 (18.10%) Digests, 27439/163480 (16.78%) Salts
Recovered/Time...: CUR:0,N/A,N/A AVG:0,0,0 (Min,Hour,Day)
Progress.........: 42412061/5201443160 (0.82%)
Rejected.........: 0/42412061 (0.00%)
Restore.Point....: 0/31817 (0.00%)
Candidates.#1....: -> ~!@#$%^&*
HWMon.Dev.#1.....: Temp: 76c Fan: 85% Util: 93% Core:1822MHz Mem:5005MHz Bus:16
#4
Oh fantastic, I didn't realize that it would try and hack from all possible Mx combinations. I also just want to say that I absolutely LOVE your hcxtools! Thanks for that

Which brings me to a follow up question of sorts regarding wlandump-ng. I noticed in reading through the source that you seem to be replying to probes with probe responses. Is this in an attempt to capture at least two of these handshakes by pretending to be an AP? I also am trying to parse out the use of the -b flag which reports to respond to the last 10 probe requests with beacon frames. Is this in an attempt to do the same? I guess in short I'm wondering if wlandump-ng has the capacity to grab handshakes from probing devices alone, even when they aren't anywhere near their legitimate AP.
#5
Well, answering every probe request makes it possible that a client will try to connect to us. In that case, we are the access point (ap) which the client expected to see. This is an attempt to get the M2 of the client (and that works perfectly).
The authentication process is very simple to understand:
the client sends a probe request
the ap responds sending a probe response
the client sends an authentication request
the ap responds to the authentication request
the client sends an association request
the ap acknowledges and sends an authentication response followed by the M1
the client acknowledges and sends the M2
if the M2 is ok, the ap acknowledges and sends the M3 (that means the client is authenticated)
if the M3 is ok the client acknowledges and sends the M4 (that means the ap is authenticated)
now the data transfer can begin

Using the defaults, a client probes every ap which has an entry in his wpa_supplicant.conf.
A stupid client also probes his 5GHz ap on 2.4GHz!
wlandump-ng accepts and sends an M1 (we are just friendly and give the client what he wants).
After receiving this M1 the client sends us his M2, because he can't resist us. So we receive a valid M2, calculated from an entry in his wpa_supplicant.conf.
wlandump-ng will show us this (using the -s xx option):
transmitted m1/received appropriate m2...: 343/719

and the regular messages from a real ap connected to a client:
received regular m1/m2/m3/m4.............: 146/98/143/68


Since we know our mac and our anonce (both are part of the authentication process and the calculation of the keys), we can start to crack the hash without the M1 of the legitimate ap.


Keep in mind:
1) This attack works only on the message_pair M1/M2.
We can not be sure that the network we cracked is the network we expected to crack (for example if different networks use the same essid: dlink, linksys, home, ASUS).
But never mind, we cracked a network, we got a password and we can save the password to our database for analysis or future use.
2) The aim is not to crack a single net using a single password. The aim is to break the system by running massive attacks against all received nets. So we are able to calculate default keyspaces, default passwords, default password calculation algos, most used passwords, and more.... (Alex does a really good job: https://github.com/RealEnder/routerkeygenPC).
So please upload your caps here:
(wlancap2hcx: -p <file> : output merged pcap file (upload this file to http://wpa-sec.stanev.org))


The -b option (beaconing on the last 10 probes) will seduce clients which do not send probes, yet, to probe us and then to connect us.
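To see why the M2 alone is enough once we know our own mac and anonce: every input to the EAPOL MIC except the passphrase is on the air in clear (both MACs in the frame header, the anonce we chose or saw in M1, the snonce inside M2). The following is an added example, not code from the thread or from hcxtools/hashcat, that implements the 802.11i derivation (PBKDF2 to PMK, PRF-512 to PTK, HMAC-SHA1 to MIC) on constructed ESSID, MACs, nonces and a synthetic M2 frame; this per-candidate check is what makes a short or default passphrase exposed to anyone who can elicit an M2.

```python
import hashlib
import hmac

# Constructed demo values (not from the thread): ESSID, MACs and nonces are made up.
ESSID = "example-net"
AA = bytes.fromhex("000102030405")   # authenticator (AP) MAC, visible in the frame header
SPA = bytes.fromhex("0a0b0c0d0e0f")  # supplicant (client) MAC, visible in the frame header
ANONCE = bytes(range(32))            # known: we chose it as the rogue AP, or we saw it in M1
SNONCE = bytes(range(32, 64))        # sent in clear inside M2
MIC_OFFSET = 81                      # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields

def pmk_from_passphrase(passphrase, essid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """IEEE 802.11i PRF-512: four HMAC-SHA1 blocks over label || min/max MACs || min/max nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]  # KCK = PTK[:16] is all that is needed to check an EAPOL MIC

def eapol_mic(kck, eapol):
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_m2(passphrase):
    """Construct a synthetic M2 (EAPOL-Key, all fields zero except SNonce and MIC) for the demo."""
    key_info = b"\x01\x0a"  # MIC set, pairwise, descriptor version 2 (HMAC-SHA1)
    body = b"\x02" + key_info + b"\x00\x00" + b"\x00" * 8 + SNONCE + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00"
    eapol = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ESSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]

def m2_mic_matches(eapol, candidate):
    """True iff the candidate passphrase reproduces the MIC in this M2: no frame from the real AP is needed."""
    kck = ptk_from_pmk(pmk_from_passphrase(candidate, ESSID), AA, SPA, ANONCE, SNONCE)[:16]
    return hmac.compare_digest(eapol_mic(kck, eapol), eapol[MIC_OFFSET:MIC_OFFSET + 16])
```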
#6
The -b option (beaconing on the last 10 probes) will seduce clients which do not send probes, yet, to probe us and then to connect us.


I'm having a bit of trouble parsing out what exactly this means. I am aware that many clients do not send probes, but if they don't send probes how can we beacon for them? Do we assume that they may "bite" at a beacon that matches a probe of a nearby (different) device just by chance? Or am I missing something?

The answer you gave is very helpful. It sounds like wlandump-ng is already doing what I was asking about, which is great news. I also had no idea about Alex's project. That is a wonderful idea, I am interested in contributing. Do you know where the product of much of that research goes? Like are there downloadable wordlist files or blog posts etc about the statistical analysis of passwords uploaded so far etc?
#7
This is my first post; if I'm posting in the wrong place, administrators, please move it to the correct location and accept my apologies.

My native language is not English, sorry for any mistake.

I want to do a crash test using hashcat; after some unsuccessful tests, I've been researching something to fix some doubts.

doubt:

Scenario:

1. The handshake was captured;
2. Made the file conversion;
3. In this environment, the password Ass8162117 was used;
4. The hybrid mask + dict method was chosen;
5. Mask used: ?U?L?L
6. Numerical Dictionary 6/6;

In this context, where is the error?
#8
(08-02-2017, 03:22 AM)braxxox Wrote: The -b option (beaconing on the last 10 probes) will seduce clients which do not send probes, yet, to probe us and then to connect us.


I'm having a bit of trouble parsing out what exactly this means. I am aware that many clients do not send probes, but if they don't send probes how can we beacon for them? Do we assume that they may "bite" at a beacon that matches a probe of a nearby (different) device just by chance? Or am I missing something?

The answer you gave is very helpful. It sounds like wlandump-ng is already doing what I was asking about, which is great news. I also had no idea about Alex's project. That is a wonderful idea, I am interested in contributing. Do you know where the product of much of that research goes? Like are there downloadable wordlist files or blog posts etc about the statistical analysis of passwords uploaded so far etc?

Well, there are 2 possibilities:
1) we hit exactly the network name and send a beacon with this name - this is pure coincidence!
2) we make some more traffic on the channel to bring "silent" clients out of their shell - this is realistic.

The statistics can be found here: http://wpa-sec.stanev.org/?stats
The product goes into new keygens and a wordlist (every time a new password was found, this list receives an update):
http://wpa-sec.stanev.org/dict/cracked.txt.gz

If you use this script (where $HOME/wordlists is the place of your wordlist folder):

(you need to create an empty foundstanev in your $HOME/wordlists folder before the first run!)


#!/bin/bash
# Fetch the latest cracked.txt.gz from wpa-sec and print the words that are new
# compared with the locally kept copy in $HOME/wordlists/foundstanev.

cd /tmp
if [ -f "cracked.txt" ]
then
    rm cracked.txt
fi
wget -N http://wpa-sec.stanev.org/dict/cracked.txt.gz

if [ -f "cracked.txt.gz" ]
then
    # sorted, deduplicated copy of what we already have
    sort -u "$HOME/wordlists/foundstanev" > foundstanev.tmp
    gzip -k -d cracked.txt.gz
    cat cracked.txt >> "$HOME/wordlists/foundstanev"
    sort -u cracked.txt > cracked.tmp
    echo "new words:"
    # lines only in cracked.tmp; both inputs are sorted, so comm gives an exact set difference
    comm -13 foundstanev.tmp cracked.tmp
    wc cracked.txt
fi

you can see the progress every day (newly found words).

Alex is using the newest hashcat with nonce-corr (internal). The script to contribute gpu power wasn't updated yet and still uses the old hccap format. But he's working on that.

His site is absolute free and the main purpose is
a community effort to study and improve security of WPA protected WiFi networks.

If you like to contribute gpu power (and receive a copy of every tested network) download his script:
http://wpa-sec.stanev.org/hc/help_crack.py
and modify it (for use with hashcat 3.6.0 - assuming hcxtools are installed):

198c198
<         tl = ['hashcat-cli64', 'hashcat-cliAVX', 'hashcat-cliXOP', 'hashcat-cli64.bin', 'hashcat-cliAVX.bin', 'hashcat-cliXOP.bin', 'hashcat-cli64.app']
---
>         tl = ['hashcat-cli', 'hashcat-cliAVX', 'hashcat-cliXOP', 'hashcat-cli64.bin', 'hashcat-cliAVX.bin', 'hashcat-cliXOP.bin', 'hashcat-cli64.app']
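Review bot: in the 198c198 hunk the replacement drops the existing 'hashcat-cli64' entry instead of adding 'hashcat-cli' next to it, so an install that still ships a hashcat-cli64 binary stops being detected; append the new name to `tl` and keep the old one.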
204c204
<         tl = ['hashcat64.bin', 'hashcat64', 'oclHashcat64', 'oclHashcat64.bin', 'cudaHashcat64', 'cudaHashcat64.bin']
---
>         tl = ['hashcat64.bin', 'hashcat', 'oclHashcat64', 'oclHashcat64.bin', 'cudaHashcat64', 'cudaHashcat64.bin']



       if tool.find('ashcat') != -1:
            try:
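Review bot: same point for the 204c204 hunk, where 'hashcat64' is replaced by 'hashcat' while 'hashcat64.bin' is kept; list both 'hashcat64' and 'hashcat' in `tl` so older 64-bit builds and the renamed 3.6 binary are both found.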

494a495,499
>                 os.system('mv help_crack.net alt.net')
>                 cracker = 'wlanhc2hcx -o help_crack.net alt.net'
>                 subprocess.check_call(shlex.split(cracker))
>                 os.system('cat help_crack.net >> stanevneu.hccapx')
>                 os.system('rm alt.net')

                cracker = '{0} -m2500 -w 1 --potfile-disable --outfile-format=2 {1} -o{2} {3} {4} {5}'.format(tool, performance, key_file, rule, net_file, dictname)
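Review bot: the five inserted lines in the 494a495,499 hunk run mv, cat and rm through os.system and never check the exit status, so a failed rename or a missing help_crack.net silently leaves a stale alt.net behind for the next round; use shutil.move / os.remove, or subprocess.check_call as is already done for wlanhc2hcx. Reusing the name `cracker` for the converter command and then overwriting it with the hashcat command line on the very next line is also confusing; give the converter its own variable. Note too that `cat help_crack.net >> stanevneu.hccapx` appends every received net, so that file grows without bound.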

You can also test if your own wordlists are good (list size shouldn't be greater than 1 GB):
Simply add them to one of the downloaded test wordlists (except cracked.txt),
for example:
cat your_wordlist >> pinyin.txt
cat your_second_wordlist >> cow.txt
and see if the incoming net is crackable using your added wordlist.
#9
(08-02-2017, 04:48 AM)ThiagoAlvarenga Wrote: This is my first post; if I'm posting in the wrong place, administrators, please move it to the correct location and accept my apologies.

My native language is not English, sorry for any mistake.

I want to do a crash test using hashcat; after some unsuccessful tests, I've been researching something to fix some doubts.

doubt:

Scenario:

1. The handshake was captured;
2. Made the file conversion;
3. In this environment, the password Ass8162117 was used;
4. The hybrid mask + dict method was chosen;
5. Mask used: ?U?L?L
6. Numerical Dictionary 6/6;

In this context, where is the error?

What you want to do is called a hybrid attack (a: dictionary and mask, or b: mask and dictionary).

case a:
the correct simplified syntax is hashcat -m 2500 hashfile.hccapx -a 6 example.dict ?d?d
where example.dict contains the first part of the password (>= 8 characters):
Ass81621

case b:
the correct simplified syntax is hashcat -m 2500 hashfile.hccapx -a 7 ?U?l example.dict
where example.dict contains the last part of the password (>= 8 characters):
s8162117

You can read more here:
https://hashcat.net/wiki/doku.php?id=hybrid_attack

and here:
https://hashcat.net/wiki/doku.php?id=mask_attack
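The two hybrid forms above, as an added example that is not from the thread or from hashcat: a small mask expander that builds the candidates -a 6 (word then mask) and -a 7 (mask then word) would try, and checks whether the stated password Ass8162117 can come out of a given setup. It also shows why the original poster's 3-position mask plus 6-digit words can never reach a 10-character password. It uses hashcat's charset spelling ?u/?l/?d (hashcat has no built-in ?U); the dictionary entries are constructed.

```python
from itertools import product

# hashcat built-in charsets used in this thread (hashcat spells them in lowercase; ?U is not built in)
CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
}

def parse_mask(mask):
    """Turn a mask like '?u?l' into one alphabet per position; plain characters are literals."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            if mask[i + 1] not in CHARSETS:
                raise ValueError("unsupported charset ?" + mask[i + 1])
            positions.append(CHARSETS[mask[i + 1]])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions

def hybrid_candidates(mode, words, mask):
    """Yield what hashcat tries: -a 6 appends the mask to each word, -a 7 prepends it."""
    positions = parse_mask(mask)
    for word in words:
        for combo in product(*positions):
            part = "".join(combo)
            yield word + part if mode == 6 else part + word

def hybrid_keyspace(words, mask):
    """Number of candidates = dictionary size times the product of the mask alphabet sizes."""
    n = 1
    for alphabet in parse_mask(mask):
        n *= len(alphabet)
    return len(words) * n

def can_produce(mode, words, mask, target):
    """Can this setup ever output target? Lengths must add up first, then enumerate the rest."""
    width = len(parse_mask(mask))
    fitting = [w for w in words if len(w) + width == len(target)]
    return any(c == target for c in hybrid_candidates(mode, fitting, mask))
```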