WPA/WPA2 PMK mode (2501)
03-03-2018, 11:43 PM
I will definitely try wlangenpmkocl, because genpmk in The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) is simply make whole thing useless as it take too much time to generate pmk file.
hcxkey won't compile, missing CL/cl.h. Fixed it using a symbolic link, but then it still won't compile:
gcc -std=gnu99 -O3 -Wall -Wextra -o wlangenpmk wlangenpmk.c -lcrypto
gcc -std=gnu99 -O3 -Wall -Wextra -o wlangenpmkocl wlangenpmkocl.c -lcrypto -lOpenCL
/usr/bin/ld: cannot find -lOpenCL
collect2: error: ld returned 1 exit status
Makefile:19: recipe for target 'build' failed
make: *** [build] Error 1
Just in case anyone has the same problems as me on Ubuntu, when it won't compile because of missing cl.h and lOpenCL, both problems can be fixed using symbolic links:
1. sudo ln -s /home/kangaroot/hashcat/deps/OpenCL-Headers/CL /usr/include (to find the cl.h location use find / -iname cl.h 2>/dev/null)
2. sudo ln -s /usr/lib/x86_64-linux-gnu/libOpenCL.so.1 /usr/lib/libOpenCL.so
03-04-2018, 10:00 AM
(03-03-2018, 07:07 PM)ZerBea Wrote: Maybe you're doing something wrong:
I have two GPUs. Does this mean it uses only a single unit? Also, can you give an example of what the hashcat command with -m 2501 will look like, please?
03-04-2018, 07:30 PM
wlangenpmkocl uses only one GPU per task. If you have 2 GPUs, you can calculate 2 different(!) PMK lists at the same time (or two parts of the same list - you need to split your word list into 2 parts).
The hashcat command line is simple:
hashcat -m 2501 --nonce-error-corrections=128 --remove --logfile-disable --potfile-path=hashcat.2501.pot --outfile-format=2 -o foundhashcat.2501 test.hccapx pmklist
or, if you have an ESSID and a PMK:
$ wlanpmk2hcx -e ESSID -p PMK
hashcat: hash-mode -m 12000 to get the password
copy the result to a hashfile
$ hashcat -m 12000 hashfile_from_wlanpmk2hcx wordlist
to retrieve the PSK
purpose:
- confirm RADIUS PMKs (Royal Class of password recovering)
- weak point analysis (Royal Class of password recovering)
- for the purposes of comparative analysis (Royal Class of password recovering)
- verify already retrieved keys (cleanup database)
- find PSKs on damaged caps (cleanup database)
03-04-2018, 10:49 PM
Here are some statistics, if you don't mind. I wanted to time both modes (2500 and 2501) and see which one will be faster in the end. The results seem identical.
First, I ran normal 2500, which I would normally run to crack WPA/WPA2 hashes using a dictionary.
$ time hashcat -m 2500 -a 0 -w 3 hash_1.hccapx dictionary_1
real 10m54.866s
user 5m39.843s
sys 2m49.298s
Secondly, I ran the pmk generator for the same SSID and the same dictionary.
$ time wlangenpmkocl -e hash_1-ssid -i dictionary_1 -A pmk_hash_1-ssid
real 22m48.067s
user 16m59.001s
sys 5m44.242s
And finally, I ran 2501 mode to see the difference between 2501 and 2500.
$ time hashcat -m 2501 hash_1.hccapx pmk_hash_1-ssid
real 2m5.982s
user 1m26.332s
sys 0m12.658s
As a result, considering that the pmk generator works on a single GPU unit at a time, the time to generate the pmk could be divided by two = 22m 48s / 2 = 11m 24s, which means 11m 24s + 2m 5s (2501 mode) = 13m 29s, which is slightly longer than in 2500 mode - 10m54s. I cannot see why I would use 2501 instead of 2500.
Well, that's easy to explain:
Both modes, 2501 and 12000, are designed for analysts who work on large hashfiles.
You captured a network with the same ESSID.
Time for calculation of the PMK list: 0.00 (you have the list already)
Time for hashcat: real 10m54.866s
You captured another network with the same ESSID.
Time for calculation of the PMK list: 0.00 (you have the list already)
Time for hashcat: real 10m54.866s
And Again: If you think, 2501 is slow, you're doing something really, really wrong:
Session..........: hashcat
Status...........: Running
Hash.Type........: WPA/WPA2 PMK
Hash.Target......: archiv_raw.hccapx
Time.Started.....: Mon Mar 5 09:57:19 2018 (3 mins, 51 secs)
Time.Estimated...: Mon Mar 5 10:02:58 2018 (1 min, 48 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 44031.1 kH/s (0.01ms) @ Accel:64 Loops:1024 Thr:1024 Vec:1
Recovered........: 567/1166056 (0.05%) Digests, 16/168157 (0.01%) Salts
Recovered/Time...: CUR:55,N/A,N/A AVG:141,8468,203253 (Min,Hour,Day)
Progress.........: 6178751196/10950215683 (56.43%)
Rejected.........: 0/6178751196 (0.00%)
Restore.Point....: 0/65119 (0.00%)

Multi hash database / overhead 10%
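To make the cost argument in the reply above concrete, here is an added example (my own code, not from this thread or from the hcxtools project) that models what wlangenpmkocl precomputes. The PMK is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt, so a PMK list is valid only for that one ESSID: a second capture with the same ESSID costs no new derivations, a capture with a different ESSID costs the full list again. The same property is why a unique, non-default ESSID is an effective defence against precomputed PMK tables. The ESSIDs "HomeNet"/"OtherNet", the passphrases and the tiny wordlist are constructed sample values, and the lookup step represents a capture by its PMK rather than verifying a handshake MIC as hashcat does.

```python
"""Added example (not from the thread or the hcxtools project): models the PMK
precomputation that wlangenpmkocl performs and shows why a PMK list is reusable
only for captures with the same ESSID. ESSID names, passphrases and the
wordlist below are constructed sample values."""
import hashlib
from typing import Dict, Iterable, List, Optional, Sequence

PBKDF2_ROUNDS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32           # PMK length in bytes


def derive_pmk(essid: str, passphrase: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes).
    The ESSID is the salt: change it and every PMK has to be recomputed."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def ieee_test_vector_ok() -> bool:
    """Sanity check against the IEEE 802.11i Annex H test vector
    (passphrase "password", SSID "IEEE")."""
    expected = bytes.fromhex(
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    return derive_pmk("IEEE", "password") == expected


def split_wordlist(words: Sequence[str], parts: int) -> List[List[str]]:
    """Round-robin split of a wordlist so each GPU task (one GPU per
    wlangenpmkocl run, as the thread notes) gets an equal share."""
    return [list(words[i::parts]) for i in range(parts)]


class PmkStore:
    """In-memory stand-in for the per-ESSID PMK files wlangenpmkocl writes.
    Counts PBKDF2 runs so the cost model from the thread can be measured."""

    def __init__(self) -> None:
        self.lists: Dict[str, Dict[str, bytes]] = {}   # essid -> {word: pmk}
        self.derivations = 0

    def build(self, essid: str, wordlist: Iterable[str]) -> Dict[str, bytes]:
        """Extend the PMK list for `essid`; words already computed cost nothing."""
        table = self.lists.setdefault(essid, {})
        for word in wordlist:
            if word not in table:
                table[word] = derive_pmk(essid, word)
                self.derivations += 1
        return table

    def lookup(self, essid: str, capture_pmk: bytes) -> Optional[str]:
        """The spirit of -m 2501: try each precomputed PMK against a capture.
        Real hashcat verifies via the PTK/MIC of the handshake; here a capture is
        represented directly by its PMK to keep the example self-contained."""
        for word, pmk in self.lists.get(essid, {}).items():
            if pmk == capture_pmk:
                return word
        return None


# Constructed sample wordlist (deliberately tiny: each PBKDF2 call is 4096 rounds).
WORDLIST = ["letmein", "password", "correct horse battery staple"]


def reuse_cost_demo() -> Dict[str, int]:
    """Cumulative PBKDF2 count after each capture. Same ESSID: no new work.
    New ESSID: the whole list is recomputed. This is also why a unique,
    non-default ESSID defeats precomputed PMK tables."""
    store = PmkStore()
    counts: Dict[str, int] = {}
    store.build("HomeNet", WORDLIST)       # first capture of ESSID "HomeNet"
    counts["first HomeNet capture"] = store.derivations
    store.build("HomeNet", WORDLIST)       # second network, same ESSID: reuse
    counts["second HomeNet capture"] = store.derivations
    store.build("OtherNet", WORDLIST)      # different ESSID: new salt, full cost
    counts["OtherNet capture"] = store.derivations
    return counts


def demo_lookup() -> Optional[str]:
    """A constructed capture whose passphrase is "password" on ESSID "HomeNet"."""
    store = PmkStore()
    store.build("HomeNet", WORDLIST)
    return store.lookup("HomeNet", derive_pmk("HomeNet", "password"))


if __name__ == "__main__":
    print("IEEE test vector:", ieee_test_vector_ok())
    print("PBKDF2 runs per step:", reuse_cost_demo())
    print("matched word:", demo_lookup())
    print("split for 2 GPUs:", split_wordlist(WORDLIST, 2))
```

Running it prints 3, 3, 6 derivations after the three captures: the second "HomeNet" capture reuses the list for free, while "OtherNet" pays the full PBKDF2 cost again, which is exactly the trade-off the timing numbers earlier in the thread expose when every capture has a different SSID.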
03-05-2018, 11:16 AM
ZerBea, no, I wasn't saying 2501 is slow, but for the purpose I use hashcat for, I will have to recreate the PMK file for every SSID, which is never the same, and for the custom dictionaries I build.
I'm sure I will find the use of 2501, and I'm so pleased you helped me, really appreciate this and your time.
No problem, you're welcome.
If you are an analyst (coding-, crypto-, weak point analysis), or a penetration tester, or if you use a huge database (wpa-sec), 2501/12000 is your mode. If not, there is no advantage for you in using this mode.