Issues in cracking WPA2 with wordlist+mask
#1
1. collect a WPA2 handshake with an AP.
2. convert it to hccapx
../hashcat-utils-1.8/bin/cap2hccapx.bin Testnetz_E0-28-6D-F9-4C-7D.cap Testnetz_E0-28-6D-F9-4C-7D.cap.hccapx

3. you know that the password is 8+ chars long. 5 loweralpha and the rest are numbers.

4. what I did:

4.1 create a dictionary
crunch 5 5 -f /usr/share/rainbowcrack/charset.txt loweralpha -o /root/wordlists/5_5_loweralpha.lst

4.2 create a mask for the digits
mkdir /root/digirules

mp64 -o /root/digirules/append_3_digits.rule '$?d $?d $?d'

mp64 -o /root/digirules/append_4_digits.rule '$?d $?d $?d $?d'

mp64 -o /root/digirules/append_5_digits.rule '$?d $?d $?d $?d $?d'

cat /root/digirules/append*.rule > /root/digirules/append3-5.rule


execute the following:
#hashcat -a0 -w3 -m2500 /root/hs/Testnetz_E0-28-6D-F9-4C-7D.cap.hccapx -r /root/digirules/append3-5.rule /root/wordlists/5_5_loweralpha.lst

But I get this:

hashcat (pull/1273/head) starting...

nvmlDeviceGetFanSpeed(): Not Supported

nvmlDeviceGetTemperatureThreshold(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: Quadro M2000M, 1010/4042 MB allocatable, 5MCU

OpenCL Platform #2: Mesa, skipped or no OpenCL compatible devices found.

Hashes: 2 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 111000

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger disabled.

* Device #1: build_opts '-I /usr/share/hashcat/OpenCL -D VENDOR_ID=32 -D CUDA_ARCH=500 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=2500 -D _unroll -cl-std=CL1.2'
Dictionary cache built:
* Filename..: /root/wordlists/5_5_loweralpha.lst
* Passwords.: 11881376
* Bytes.....: 71288256
* Keyspace..: 1318832736000
* Runtime...: 0 secs

- Device #1: autotuned kernel-accel to 128
- Device #1: autotuned kernel-loops to 128
Approaching final keyspace - workload adjusted.           [s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: Testnetz (AP:e0:28:6d:f9:4c:7d STA:c0:ee:fb:e2:e7:64)
Time.Started.....: Mon Sep  4 09:46:50 2017 (1 sec)
Time.Estimated...: Mon Sep  4 09:46:51 2017 (0 secs)
Guess.Base.......: File (/root/wordlists/5_5_loweralpha.lst)
Guess.Mod........: Rules (/root/digirules/append3-5.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:        0 H/s (0.00ms)
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 277776128/1318832736000 (0.02%)
Rejected.........: 277776128/277776128 (100.00%)
Restore.Point....: 11881376/11881376 (100.00%)
Candidates.#1....: [Copying]
HWMon.Dev.#1.....: Temp: 53c Util: 26% Core:1137MHz Mem:2505MHz Bus:16

Started: Mon Sep  4 09:46:45 2017
Stopped: Mon Sep  4 09:46:51 2017

however if I execute this:
#hashcat -a0 -w3 -m0 469be687c1b631db23c195b04e24b497 -r /root/digirules/append3-5.rule /root/wordlists/5_5_loweralpha.lst
the process of cracking is much longer and the password will be found. So what is the issue with WPA2 hashes?

I already tried removing append1-2_digits because the password would be shorter than 8 chars, but I think hashcat will jump over too short passwords anyway.

Attached file: Testnetz_E0-28-6D-F9-4C-7D.cap.hccapx.txt (786 bytes)
#2
The minimum password length for WPA/WPA2 is 8 bytes/characters.

Hashcat will immediately reject (see the Rejected.........: line within your status) all passwords which do not adhere to this limitation.

To avoid it (when using rules/amplifiers), you could just run something like this:
Code:
hashcat --stdout -r append3-5.rule 5_5_loweralpha.lst | hashcat -a 0 -m 2500 -w 3 Testnetz_E0-28-6D-F9-4C-7D.cap.hccapx

btw, you should find a better strategy to attack these hashes.
Using a huge dict generated by crunch together with a lot of generated rules might not be the most efficient way to crack these hashes.
You should read the wiki/forum etc. to find better solutions... including the use of the built-in mask attack (-a 3) etc.
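The status output in post #1 shows 111000 rules and every candidate rejected, and the fix in post #2 is to expand the rules with `--stdout` first and pipe the finished candidates into the WPA/WPA2 run. The script below is an added example (not from either post and not hashcat's own code) that models the two places a length check can sit: on the 5-character dictionary word before any rule runs, where everything falls under the 8-character WPA minimum, or on the finished candidate after the digits have been appended, which is what the piped setup hands to hashcat. It also reproduces the `mp64 '$?d $?d ...'` rule generation and the append1-2 case from post #1, and covers both the procedure in post #1 and the workaround in post #2. The sample words, the function names and the counting model are constructed for illustration; they are not a description of hashcat's internals.

```python
import itertools
import string

# WPA/WPA2 passphrase limits (8..63 characters); candidates outside them are useless.
WPA_MIN_LEN = 8
WPA_MAX_LEN = 63

# Constructed stand-in for the 11,881,376-word crunch list from the thread.
SAMPLE_WORDS = ["admin", "hello", "wifis"]


def digit_append_rules(n_digits):
    """Emulate `mp64 '$?d $?d ...'`: one hashcat rule line per n-digit value,
    each made of n '$X' append functions, e.g. '$0 $4 $2'."""
    return [" ".join(f"${d}" for d in combo)
            for combo in itertools.product(string.digits, repeat=n_digits)]


def parse_append_rule(line):
    """Turn a rule line of '$X' tokens into the suffix it appends.
    Only the append function is modelled; anything else fails loudly."""
    suffix = ""
    for token in line.split():
        if len(token) != 2 or token[0] != "$":
            raise ValueError(f"unsupported rule function: {token!r}")
        suffix += token[1]
    return suffix


def expand_candidates(words, rule_lines):
    """Model of `hashcat --stdout -r rules wordlist`: every word with every
    rule applied, yielded as finished candidates."""
    suffixes = [parse_append_rule(r) for r in rule_lines]
    for word in words:
        for suffix in suffixes:
            yield word + suffix


def wpa_length_ok(candidate):
    """True when the candidate is a legal WPA/WPA2 passphrase length."""
    return WPA_MIN_LEN <= len(candidate) <= WPA_MAX_LEN


def simulate(words, rule_lines, check_base_word):
    """Count (accepted, rejected) candidates. With check_base_word=True the
    length test runs on the dictionary word before any rule is applied; with
    False it runs on the finished candidate, as in the piped --stdout setup."""
    accepted = rejected = 0
    suffixes = [parse_append_rule(r) for r in rule_lines]
    for word in words:
        if check_base_word and not wpa_length_ok(word):
            # The word is skipped outright, so all of its rule outputs are lost.
            rejected += len(suffixes)
            continue
        for suffix in suffixes:
            if wpa_length_ok(word + suffix):
                accepted += 1
            else:
                rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    append3_5 = sum((digit_append_rules(n) for n in (3, 4, 5)), [])
    print("rules:", len(append3_5))  # 111000, matching "Rules: 111000" in the status
    print("length check on base word :", simulate(SAMPLE_WORDS, append3_5, True))
    print("length check on candidate :", simulate(SAMPLE_WORDS, append3_5, False))
    # The append1-2 rules the poster removed: 5+1 and 5+2 chars never reach 8.
    append1_2 = sum((digit_append_rules(n) for n in (1, 2)), [])
    print("append1-2, candidate check:", simulate(SAMPLE_WORDS, append1_2, False))
```

With the check on the base word, 5-letter words never pass and the whole run reports 100% rejected, which is the picture in the status block; with the check on the finished candidate, every 8-, 9- and 10-character string is accepted, while the 6- and 7-character outputs of append1-2 are still dropped, so removing those rules only trims wasted work. Feeding hashcat the expanded candidates, as the pipeline in post #2 does, puts the length check on the right side of the rule expansion.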