How to view SSID of cracked PMKID (16800) PCAP?
#1
Hi all, 

I've got a grouped pcap file of about 11 Wifi PMKID captures. 

I've run this with Hashcat and cracked a couple with the below: 

Code:
./hashcat64 -m 16800 -o .\output\results.txt .\handshakes\all.pmkid .\wordlist\1stAttackWordlist.txt

The results in the output file are like: 

Code:
cf5ae152s57d97ba4336e13162f34ac7*807d1452c6e4*0ace1b4b5967*43616d616e64417269:P@ssw9rd
etc...
etc...

Why doesn't Hashcat save the SSID with it, or how can I tell what cracked hash belongs to which SSID? 

Any help appreciated. 
Cheers
Reply
#2
the SSID is within the output, CamandAri is the SSID

hint: hexadecimal
Reply
#3
(01-12-2020, 09:08 AM)philsmd Wrote: the SSID is within the output, CamandAri is the SSID

hint: hexadecimal

Ahh awesome thanks, yes I can see it if I convert it from hexadecimal to text. Would be nice if Hashcat added the SSID in plain text with the password at the end. 

But cheers, thanks for the help Smile
Reply
#4
Are you running an older version of hashcat?

$ hashcat -V
v5.1.0-1569-g74c1bf81+

potfile: PMK * ESSID : PSK
Code:
5b13d4babb3714ccc62c9f71864bc984efd6a55f237c7a87fc2151e1ca658a9d*ed487162465a774bfba60eb603a39f3a:hashcat!
That is exactly the result of the PBKDF2 calculation. It is no longer necessary to pay the price (PBKDF2 calculation time) again if we have a PMK. That will save us GPU time. Also, the calculated PMKs can be used on hashmode 2501, 16801 and 22001 in case we have hashes using the same SALT (ESSID). That will save us more GPU time.

outfile (-o) - only hexyfied if necessary, otherwise in ASCII: MAC_AP : MAC_STA : ESSID : PSK
Code:
4604ba734d4e:89acf0e761f4:$HEX[ed487162465a774bfba60eb603a39f3a]:hashcat!
That is human readable and contain detailed information about the content of the hash.
Reply
#5
Print ESSIDs from all.pmkid:
Code:
cat all.pmkid | cut -f 4 -d : | sed 's/\([0-9a-f]\{2\}\)/\\\\\\x\1/gI' | xargs -n 1 echo -e

Print ESSIDs from results.txt:
Code:
cat results.txt | cut -f 4 -d \* | sed 's/\([0-9a-f]\{2\}\)/\\\\\\x\1/gI' | xargs -n 1 echo -e
Reply
#6
(01-12-2020, 09:26 AM)sudo_overflow Wrote: Would be nice if Hashcat added the SSID in plain text with the password at the end.
Don't think so. What about non-printable ESSID characters? That's why hashcat uses hex.
Reply
#7
And some of this characters will destroy your terminal. This is especially the case if escape sequences are in use! So it is definitely a good idea to hexify them

Examples:
https://wpa-sec.stanev.org/?search=04d13ae06d80
https://wpa-sec.stanev.org/?search=dc1ac5f7025b
https://wpa-sec.stanev.org/?search=a0f3c181dd14
https://wpa-sec.stanev.org/?search=000f0992ba64
Reply