hashcat Forum Support hashcat v
How to view SSID of cracked PMKID (16800) PCAP?

Threaded Mode
How to view SSID of cracked PMKID (16800) PCAP?
sudo_overflow Offline
Junior Member
**
Posts: 2
Threads: 1
Joined: Jan 2020
#1
01-12-2020, 08:47 AM
Hi all, 

I've got a grouped pcap file of about 11 Wifi PMKID captures. 

I've run this with Hashcat and cracked a couple with the below: 

Code:
./hashcat64 -m 16800 -o .\output\results.txt .\handshakes\all.pmkid .\wordlist\1stAttackWordlist.txt

The results in the output file are like: 

Code:
cf5ae152s57d97ba4336e13162f34ac7*807d1452c6e4*0ace1b4b5967*43616d616e64417269:P@ssw9rd
etc...
etc...

Why doesn't Hashcat save the SSID with it, or how can I tell what cracked hash belongs to which SSID? 

Any help appreciated. 
Cheers
Find
Reply
philsmd Offline
I'm phil
******
Posts: 2,267
Threads: 16
Joined: Feb 2013
#2
01-12-2020, 09:08 AM
the SSID is within the output, CamandAri is the SSID

hint: hexadecimal
Find
Reply
sudo_overflow Offline
Junior Member
**
Posts: 2
Threads: 1
Joined: Jan 2020
#3
01-12-2020, 09:26 AM
(01-12-2020, 09:08 AM)philsmd Wrote: the SSID is within the output, CamandAri is the SSID

hint: hexadecimal

Ahh awesome thanks, yes I can see it if I convert it from hexadecimal to text. Would be nice if Hashcat added the SSID in plain text with the password at the end. 

But cheers, thanks for the help Smile
Find
Reply
ZerBea Offline
Moderator
*****
Posts: 1,042
Threads: 2
Joined: Jun 2017
#4
01-12-2020, 12:07 PM (This post was last modified: 01-12-2020, 06:28 PM by ZerBea.)
Are you running an older version of hashcat?

$ hashcat -V
v5.1.0-1569-g74c1bf81+

potfile: PMK * ESSID : PSK
Code:
5b13d4babb3714ccc62c9f71864bc984efd6a55f237c7a87fc2151e1ca658a9d*ed487162465a774bfba60eb603a39f3a:hashcat!
That is exactly the result of the PBKDF2 calculation. It is no longer necessary to pay the price (PBKDF2 calculation time) again if we have a PMK. That will save us GPU time. Also, the calculated PMKs can be used on hashmode 2501, 16801 and 22001 in case we have hashes using the same SALT (ESSID). That will save us more GPU time.

outfile (-o) - only hexyfied if necessary, otherwise in ASCII: MAC_AP : MAC_STA : ESSID : PSK
Code:
4604ba734d4e:89acf0e761f4:$HEX[ed487162465a774bfba60eb603a39f3a]:hashcat!
That is human readable and contain detailed information about the content of the hash.
Find
Reply
reese_wang Offline
Junior Member
**
Posts: 3
Threads: 0
Joined: Mar 2020
#5
04-01-2020, 01:49 PM (This post was last modified: 04-01-2020, 01:52 PM by reese_wang.)
Print ESSIDs from all.pmkid:
Code:
cat all.pmkid | cut -f 4 -d : | sed 's/\([0-9a-f]\{2\}\)/\\\\\\x\1/gI' | xargs -n 1 echo -e

Print ESSIDs from results.txt:
Code:
cat results.txt | cut -f 4 -d \* | sed 's/\([0-9a-f]\{2\}\)/\\\\\\x\1/gI' | xargs -n 1 echo -e
Find
Reply
Mem5 Offline
Posting Freak
*****
Posts: 803
Threads: 135
Joined: Feb 2011
#6
04-01-2020, 02:31 PM
(01-12-2020, 09:26 AM)sudo_overflow Wrote: Would be nice if Hashcat added the SSID in plain text with the password at the end.
Don't think so. What about non-printable ESSID characters? That's why hashcat uses hex.
Find
Reply
ZerBea Offline
Moderator
*****
Posts: 1,042
Threads: 2
Joined: Jun 2017
#7
04-01-2020, 03:38 PM
And some of this characters will destroy your terminal. This is especially the case if escape sequences are in use! So it is definitely a good idea to hexify them

Examples:
https://wpa-sec.stanev.org/?search=04d13ae06d80
https://wpa-sec.stanev.org/?search=dc1ac5f7025b
https://wpa-sec.stanev.org/?search=a0f3c181dd14
https://wpa-sec.stanev.org/?search=000f0992ba64
Find
Reply