Why So Many Digests?
#1
Hello Hashcat Folks,

I have a WPA/WPA2 hash I'm running dictionary+rule attack on.
I converted the .cap file I had to the .hccapx format needed for hashcat.
The attack is running just fine, but was just curious about this bit:
[Image: C9DexiZ.png]
Why does it show 0/21 digests? I understand that the hash has been salted once (0/1); but shouldn't there only be one possible digest from the hash?

If I understand it correctly, the digest is just the output of the hash?

Thanks.
Reply
#2
You have probably collected several full handshakes for the same network (all data for this set of handshakes is present in the hccapx file) and hashcat loads all of them.
This shouldn't make much speed difference and there might be the tiny possibility that some of the handshakes are invalid (e.g. the user entered the wrong password e.g. if not all messages M1-M2-M3-M4 were captured).

If you really want to you could also clean the hccapx file and just use 1 handshake (the file format is explained here: https://hashcat.net/wiki/doku.php?id=hccapx, you could just split the file into several smaller hccapx files, or just use the first 393 bytes), but it's probably not worth it.
Reply
#3
(11-03-2017, 09:39 PM)philsmd Wrote: You have probably collected several full handshakes for the same network (all data for this set of handshakes is present in the hccapx file) and hashcat loads all of them.
This shouldn't make much speed difference and there might be the tiny possibility that some of the handshakes are invalid (e.g. the user entered the wrong password e.g. if not all messages M1-M2-M3-M4 were captured).

If you really want to you could also clean the hccapx file and just use 1 handshake (the file format is explained here: https://hashcat.net/wiki/doku.php?id=hccapx, you could just split the file into several smaller hccapx files, or just use the first 393 bytes), but it's probably not worth it.

Thank you sir! I just wanted to have a better understanding of how Hashcat reads its file, and make sure the file hadn't been corrupted or it was interpreting incorrectly. Thank you for the link and note on whether it affects speed. Much obliged.
Reply