need batch stop after pass found hccapx
#11
(01-28-2020, 03:58 PM)msalman Wrote: the pass is in my first wordlist
11223344

The attached hccapx file is a multi-hash file. It contains 15 hashes (6 of them are dupes). If one of them is not recovered, hashcat will exhaust!
Code:
$ hashcat -m 2500 hamza.hccapx -a 3 11223344
hashcat (v5.1.0-1628-g424a6ee8) starting...

c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
                                               
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: hamza.hccapx
Time.Started.....: Tue Jan 28 15:39:03 2020 (0 secs)
Time.Estimated...: Tue Jan 28 15:39:03 2020 (0 secs)
Guess.Mask.......: 11223344 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      41 H/s (0.71ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 4/9 (44.44%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:8-17
Candidates.#1....: 11223344 -> 11223344
Hardware.Mon.#1..: Temp: 60c Fan: 48% Util: 53% Core:1860MHz Mem:5005MHz Bus:16

Started: Tue Jan 28 15:38:59 2020
Stopped: Tue Jan 28 15:39:05 2020

Only 4 of 9 are recoverable running hashcat with default options.

But all of them are recoverable by activating nonce-error-corrections:
Code:
$ hashcat -m 2500 --nonce-error-corrections=128 hamza.hccapx -a 3 11223344
hashcat (v5.1.0-1628-g424a6ee8) starting...

c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344 
                                               
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: hamza.hccapx
Time.Started.....: Tue Jan 28 15:41:30 2020 (0 secs)
Time.Estimated...: Tue Jan 28 15:41:30 2020 (0 secs)
Guess.Mask.......: 11223344 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      11 H/s (0.71ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 9/9 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:8-17
Candidates.#1....: 11223344 -> 11223344
Hardware.Mon.#1..: Temp: 57c Fan: 43% Util: 63% Core:1860MHz Mem:5005MHz Bus:16

Started: Tue Jan 28 15:41:26 2020
Stopped: Tue Jan 28 15:41:32 2020

Which tool did you use to capture the traffic?
Which tool did you use to convert the handshakes?
Can you please attach the cap file?
#12
I have used Kali and airodump-ng and then I have used the hashcat online converter, but I only captured one BSSID, so why does it have multiple hashes? I don't understand!!
Should I use this --nonce-error-corrections=128 in my batch?
cap link
https://gofile.io/?c=OKhbbD
#13
The hashcat online converter runs cap2hccapx from hashcat-utils.
You should know that cap2hccapx will convert more than one hash into the hccapx file. It takes every good message pair and converts it:

Code:
$ ./cap2hccapx.bin ptcl_l2-test-01.cap test.hccapx
Networks detected: 1
[*] BSSID=c8:3a:35:57:d2:d1 ESSID=PTCL_L2 290 (Length: 11)
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=5
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=5
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=5
--> STA=a8:51:5b:2b:34:52, Message Pair=2, Replay Counter=5
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=9
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=9
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=9
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=9
--> STA=a8:51:5b:2b:34:52, Message Pair=2, Replay Counter=9
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=13
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=13
--> STA=a8:51:5b:2b:34:52, Message Pair=2, Replay Counter=13
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=13
--> STA=a8:51:5b:2b:34:52, Message Pair=0, Replay Counter=0
--> STA=a8:51:5b:2b:34:52, Message Pair=2, Replay Counter=0
Written 15 WPA Handshakes to: test.hccapx

The result is a single hccapx file that contains 15 hashes from your BSSID!

I noticed that you ran airodump-ng in combination with aireplay-ng to deauthenticate the client. In that case you must expect packet loss, because neither aireplay-ng (active part) nor airodump-ng (passive part) requests missing packets. Additionally, your cap file contains many, many useless frames.
Also, you made a lot of noise on the channel to get a few hashes:
DEAUTHENTICATION (total).................: 10779 !!!!!!!!!!!!!

Code:
$ hcxpcapngtool -o test.22000 ptcl_l2-test-01.cap
reading from ptcl_l2-test-01.cap...

summary capture file
--------------------
file name................................: ptcl_l2-test-01.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 22.01.2020 23:09:00
timestamp maximum (GMT)..................: 22.01.2020 23:11:52
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 70694
BEACON (total)...........................: 1
PROBEREQUEST (directed)..................: 17
PROBERESONSE.............................: 574
DEAUTHENTICATION (total).................: 10779
DISASSOCIATION (total)...................: 4
AUTHENTICATION (total)...................: 30
AUTHENTICATION (OPEN SYSTEM).............: 30
ASSOCIATIONREQUEST (total)...............: 7
ASSOCIATIONREQUEST (PSK).................: 7
REASSOCIATIONREQUEST (total).............: 6
REASSOCIATIONREQUEST (PSK)...............: 6
WPA encrypted............................: 17929
EAPOL messages (total)...................: 275
EAPOL RSN messages.......................: 275
ESSID (total unique).....................: 1
EAPOLTIME gap (measured maximum usec)....: 518630
REPLAYCOUNT gap (measured maximum).......: 23
EAPOL M1 messages........................: 264
EAPOL M2 messages........................: 4
EAPOL M3 messages........................: 5
EAPOL M4 messages........................: 2
EAPOL pairs (total)......................: 26
EAPOL pairs (best).......................: 1
EAPOL pairs written to combi hash file...: 1 (RC checked)
EAPOL M12E2..............................: 1
PMKID (total)............................: 270
PMKID (best).............................: 3
PMKID written to combi hash file.........: 3

Using the new hashline (hashmode -m 22000), you will get three PMKIDs and one EAPOL messagepair:
EAPOL pairs written to combi hash file...: 1 (RC checked)
PMKID (best).............................: 3

Code:
WPA*01*6ad4d529d74c755225770588504731d0*c83a3557d2d1*a8515b2b3452*5054434c5f4c3220323930***
WPA*01*ac60b839f81746454d2bb743973b70c1*c83a3557d2d1*b072bf54a97b*5054434c5f4c3220323930***
WPA*01*21210939fda7e65a095426fb43ef8c7a*c83a3557d2d1*e4a7c5915cf1*5054434c5f4c3220323930***
WPA*02*83388eaca56640cb56e87a5527fe11e2*c83a3557d2d1*a8515b2b3452*5054434c5f4c3220323930*949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e70*0103007502010a0000000000000000000df98bbc1103e2852cbd86968b713e0d3063c30dc60df02b5a840e91e63d260172000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac022c24*00

If you take a closer look at the converted hashes, you'll notice that hcxpcapngtool converted different "best" hashes (a PMKID sent from the access point to every CLIENT and an EAPOL messagepair).
Running hashcat against them will recover the PSK quickly (and without any additional options):
Code:
$ hashcat -m 22000 test.22000 -a 3 11223344
hashcat (v5.1.0-1633-g346637ec) starting...

21210939fda7e65a095426fb43ef8c7a:c83a3557d2d1:e4a7c5915cf1:PTCL_L2 290:11223344
6ad4d529d74c755225770588504731d0:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
ac60b839f81746454d2bb743973b70c1:c83a3557d2d1:b072bf54a97b:PTCL_L2 290:11223344
83388eaca56640cb56e87a5527fe11e2:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
                                                
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: test.22000
Time.Started.....: Sat Feb  1 20:32:39 2020 (0 secs)
Time.Estimated...: Sat Feb  1 20:32:39 2020 (0 secs)
Guess.Mask.......: 11223344 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       39 H/s (0.70ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 4/4 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3-7
Candidates.#1....: 11223344 -> 11223344
Hardware.Mon.#1..: Temp: 55c Fan: 35% Util: 55% Core:1873MHz Mem:5005MHz Bus:16

Started: Sat Feb  1 20:32:34 2020
Stopped: Sat Feb  1 20:32:41 2020

Three times from the PMKID and one time from the EAPOL messagepair.

BTW:
You may have noticed that the new hashline is HEX-ASCII. You can use simple bash commands to show it, to sort it and to remove unwanted hashes.
A single PMKID is more than enough to recover the PSK. You can remove the other hashes.

Should I use this --nonce-error-corrections=128 in my batch?
-> That question isn't easy to answer, because it depends on the tools you use to attack the network, to capture the traffic, to convert the hash and to recover the PSK.
But hcxpcapngtool will help you a little bit to choose the nonce-error-corrections value. This is the measured gap between the lowest replaycount and the highest replaycount:
REPLAYCOUNT gap (measured maximum).......: 23
You can always use this value for hashcat's nonce-error-corrections to be on the safe side.
Running hcxdumptool to attack and capture, hcxpcapngtool to convert and latest hashcat to recover the PSKs will give you good results and less noise on the channel (PMKID attack: https://hashcat.net/forum/thread-7717.html).
If you have a PMKID, use it (hashcat old hashmode -m 16800 or hashcat new hashmode -m 22000). Don't waste your GPU time on EAPOL messagepairs (unless you like to discover the secrets of an unauthorized M2).
If you retrieve the PMKID by hand (Wireshark), keep in mind that it can be calculated using a zeroed PMK!
If you run hcxpcapngtool, you will be informed and this kind of PMKID will not be converted:
PMKID (over zeroed PMK)..................: 1

Additionally, hcxhashtool will give you information about the ACCESS POINT, the CLIENT and the state of the authentication:
Code:
$ hcxhashtool -i test.22000 --info=stdout
SSID.......: PTCL_L2 290
MAC_AP.....: c83a3557d2d1 (Tenda Technology Co., Ltd.)
MAC_CLIENT.: a8515b2b3452 (Samsung Electronics Co.,Ltd)
PMKID......: 6ad4d529d74c755225770588504731d0
HASHLINE...: WPA*01*6ad4d529d74c755225770588504731d0*c83a3557d2d1*a8515b2b3452*5054434c5f4c3220323930***

SSID.......: PTCL_L2 290
MAC_AP.....: c83a3557d2d1 (Tenda Technology Co., Ltd.)
MAC_CLIENT.: b072bf54a97b (Murata Manufacturing Co., Ltd.)
PMKID......: ac60b839f81746454d2bb743973b70c1
HASHLINE...: WPA*01*ac60b839f81746454d2bb743973b70c1*c83a3557d2d1*b072bf54a97b*5054434c5f4c3220323930***

SSID.......: PTCL_L2 290
MAC_AP.....: c83a3557d2d1 (Tenda Technology Co., Ltd.)
MAC_CLIENT.: e4a7c5915cf1 (HUAWEI TECHNOLOGIES CO.,LTD)
PMKID......: 21210939fda7e65a095426fb43ef8c7a
HASHLINE...: WPA*01*21210939fda7e65a095426fb43ef8c7a*c83a3557d2d1*e4a7c5915cf1*5054434c5f4c3220323930***

SSID.......: PTCL_L2 290
MAC_AP.....: c83a3557d2d1 (Tenda Technology Co., Ltd.)
MAC_CLIENT.: a8515b2b3452 (Samsung Electronics Co.,Ltd)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 13
RC INFO....: replycount checked
MP M1M2 E2.: not authorized
MIC........: 83388eaca56640cb56e87a5527fe11e2
HASHLINE...: WPA*02*83388eaca56640cb56e87a5527fe11e2*c83a3557d2d1*a8515b2b3452*5054434c5f4c3220323930*949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e70*0103007502010a0000000000000000000df98bbc1103e2852cbd86968b713e0d3063c30dc60df02b5a840e91e63d260172000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac022c24*00

And even if you decide to convert all(!) hashes, your attempt will be successful:
Code:
$ hcxpcapngtool --all -o test.22000 ptcl_l2-test-01.cap
reading from ptcl_l2-test-01.cap...

summary capture file
--------------------
file name................................: ptcl_l2-test-01.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 22.01.2020 23:09:00
timestamp maximum (GMT)..................: 22.01.2020 23:11:52
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 70694
BEACON (total)...........................: 1
PROBEREQUEST (directed)..................: 17
PROBERESONSE.............................: 574
DEAUTHENTICATION (total).................: 10779
DISASSOCIATION (total)...................: 4
AUTHENTICATION (total)...................: 30
AUTHENTICATION (OPEN SYSTEM).............: 30
ASSOCIATIONREQUEST (total)...............: 7
ASSOCIATIONREQUEST (PSK).................: 7
REASSOCIATIONREQUEST (total).............: 6
REASSOCIATIONREQUEST (PSK)...............: 6
WPA encrypted............................: 17929
EAPOL messages (total)...................: 275
EAPOL RSN messages.......................: 275
ESSID (total unique).....................: 1
EAPOLTIME gap (measured maximum usec)....: 518630
REPLAYCOUNT gap (measured maximum).......: 23
EAPOL M1 messages........................: 264
EAPOL M2 messages........................: 4
EAPOL M3 messages........................: 5
EAPOL M4 messages........................: 2
EAPOL pairs (total)......................: 26
EAPOL pairs (best).......................: 26
EAPOL pairs written to combi hash file...: 26 (RC checked)
EAPOL M12E2..............................: 22
EAPOL M32E2..............................: 4
PMKID (total)............................: 270
PMKID (best).............................: 270
PMKID written to combi hash file.........: 270

$ hashcat -m 22000 test.22000 --nonce-error-corrections=8 -a 3 11223344
hashcat (v5.1.0-1633-g346637ec) starting...

2356d59821bb6d62813c41a375951f77:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
2596f54e999999f40e18dcad30662816:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
21210939fda7e65a095426fb43ef8c7a:c83a3557d2d1:e4a7c5915cf1:PTCL_L2 290:11223344
6ad4d529d74c755225770588504731d0:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
2356d59821bb6d62813c41a375951f77:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
ac60b839f81746454d2bb743973b70c1:c83a3557d2d1:b072bf54a97b:PTCL_L2 290:11223344
83388eaca56640cb56e87a5527fe11e2:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
3389a0f054251b47a226412e078920b5:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
3389a0f054251b47a226412e078920b5:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
83388eaca56640cb56e87a5527fe11e2:c83a3557d2d1:a8515b2b3452:PTCL_L2 290:11223344
                                                
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: test.22000
Time.Started.....: Sat Feb  1 20:48:40 2020 (0 secs)
Time.Estimated...: Sat Feb  1 20:48:40 2020 (0 secs)
Guess.Mask.......: 11223344 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       36 H/s (0.71ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 10/10 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:9-19
Candidates.#1....: 11223344 -> 11223344
Hardware.Mon.#1..: Temp: 57c Fan: 38% Util: 55% Core:1860MHz Mem:5005MHz Bus:16

Started: Sat Feb  1 20:48:36 2020
Stopped: Sat Feb  1 20:48:42 2020

With the option --all, hcxpcapngtool will convert all PMKIDs and all EAPOL messagepairs. That includes many duplicates, but hashcat recovered the PSKs successfully from them, too.

In that case you should use at least nonce-error-corrections=8 to recover all PSKs.
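Added example, not code from this thread, from hashcat or from hcxtools: a small Python script that does by hand what the post above describes, so the meaning of each field of a -m 22000 hashline and the reason a single PMKID is enough become visible. It parses the four hashlines shown above (copied from the post), decodes the hex ESSID, keeps one usable PMKID per AP/client pair (dropping any PMKID computed over a zeroed PMK), and checks the candidate PSK 11223344 against each PMKID and against the EAPOL MIC using the standard WPA2-PSK derivation (PBKDF2-HMAC-SHA1 for the PMK, the 802.11 PRF for the KCK, HMAC-SHA1-128 for PMKID and MIC). The nonce_correction function is my own re-implementation of the idea behind --nonce-error-corrections, not hashcat's code; treating the last four ANonce bytes as a counter in both byte orders is an assumption about how that option works.

```python
import hashlib
import hmac
from typing import List, Optional

# The four "best" hashlines hcxpcapngtool wrote for the capture in this thread,
# copied from the post above; the PSK is 11223344.
HASHLINES = """\
WPA*01*6ad4d529d74c755225770588504731d0*c83a3557d2d1*a8515b2b3452*5054434c5f4c3220323930***
WPA*01*ac60b839f81746454d2bb743973b70c1*c83a3557d2d1*b072bf54a97b*5054434c5f4c3220323930***
WPA*01*21210939fda7e65a095426fb43ef8c7a*c83a3557d2d1*e4a7c5915cf1*5054434c5f4c3220323930***
WPA*02*83388eaca56640cb56e87a5527fe11e2*c83a3557d2d1*a8515b2b3452*5054434c5f4c3220323930*949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e70*0103007502010a0000000000000000000df98bbc1103e2852cbd86968b713e0d3063c30dc60df02b5a840e91e63d260172000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac022c24*00
"""

def parse_hashline(line: str) -> dict:
    """Split WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_STA*ESSID*ANONCE*EAPOL*MP; every field is hex."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a 22000 hashline: %r" % line)
    e = {"type": f[1],                    # 01 = PMKID, 02 = EAPOL message pair
         "hash": bytes.fromhex(f[2]),     # PMKID or EAPOL MIC, 16 bytes
         "mac_ap": bytes.fromhex(f[3]), "mac_sta": bytes.fromhex(f[4]),
         "essid": bytes.fromhex(f[5]),    # hex, so spaces in the network name are harmless
         "anonce": bytes.fromhex(f[6]),
         "eapol": bytes.fromhex(f[7]),    # whole EAPOL frame of M2 (or M3), MIC field zeroed
         "mp": int(f[8], 16) if f[8] else 0}
    # 802.1X header = version(1) type(1) length(2): reject a truncated or padded frame
    if e["type"] == "02" and len(e["eapol"]) != 4 + int.from_bytes(e["eapol"][2:4], "big"):
        raise ValueError("EAPOL length field does not match the frame")
    return e

def pmk_from_psk(psk: str, essid: bytes) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)

def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) for the PSK AKM (00-0F-AC:2)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def is_zeroed_pmk_pmkid(e: dict) -> bool:
    """The caveat from the post: a PMKID computed over an all-zero PMK tells nothing about the PSK."""
    return pmkid(bytes(32), e["mac_ap"], e["mac_sta"]) == e["hash"]

def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def eapol_mic(pmk: bytes, e: dict) -> bytes:
    """Derive the KCK (first 16 bytes of the PTK) and recompute the MIC of the EAPOL frame."""
    eapol = e["eapol"]
    snonce = eapol[17:49]   # Key Nonce of the client's M2: 4-byte 802.1X header + 13 bytes in
    aa, spa, an = e["mac_ap"], e["mac_sta"], e["anonce"]
    data = min(aa, spa) + max(aa, spa) + min(an, snonce) + max(an, snonce)
    kck = prf_sha1(pmk, b"Pairwise key expansion", data, 64)[:16]
    keyver = eapol[6] & 0x07  # Key Descriptor Version = low 3 bits of Key Information
    if keyver == 1:           # WPA/TKIP: HMAC-MD5
        return hmac.new(kck, eapol, hashlib.md5).digest()
    if keyver == 2:           # WPA2/CCMP: HMAC-SHA1 truncated to 128 bits
        return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version %d" % keyver)

def check_psk(e: dict, psk: str) -> bool:
    """True if the candidate passphrase reproduces the PMKID (type 01) or the MIC (type 02)."""
    pmk = pmk_from_psk(psk, e["essid"])
    if e["type"] == "01":
        return pmkid(pmk, e["mac_ap"], e["mac_sta"]) == e["hash"]
    return eapol_mic(pmk, e) == e["hash"]

def nonce_correction(pmk: bytes, e: dict, nc: int) -> Optional[int]:
    """My re-implementation of the idea behind --nonce-error-corrections (assumption: the last
    4 ANonce bytes are a counter, tried +/- nc in both byte orders). Some APs hand out sequential
    ANonces, so the nonce seen in M1 may be a few counts off the one the captured M2 was built
    with. Returns the offset at which the MIC verifies, or None."""
    base = e["anonce"]
    for delta in range(-nc, nc + 1):
        for order in ("big", "little"):
            ctr = (int.from_bytes(base[28:], order) + delta) & 0xFFFFFFFF
            if eapol_mic(pmk, dict(e, anonce=base[:28] + ctr.to_bytes(4, order))) == e["hash"]:
                return delta
    return None

def pmkid_only(entries: List[dict]) -> List[dict]:
    """Keep one usable PMKID per (AP, client) and drop the rest: one PMKID is enough to recover
    the PSK, and it costs the same PBKDF2 work per candidate as an EAPOL messagepair."""
    seen, out = set(), []
    for e in entries:
        key = (e["mac_ap"], e["mac_sta"])
        if e["type"] == "01" and key not in seen and not is_zeroed_pmk_pmkid(e):
            seen.add(key)
            out.append(e)
    return out

if __name__ == "__main__":
    entries = [parse_hashline(l) for l in HASHLINES.splitlines()]
    print([check_psk(e, "11223344") for e in entries], len(pmkid_only(entries)), "PMKID(s) kept")
```

The nonce search is only meaningful for type-02 lines; a PMKID never needs it, which is the practical reason behind "If you have a PMKID, use it". The functions work one line at a time, so the same parser can be pointed at a whole 22000 file to dedupe it or to strip the EAPOL lines before handing it to hashcat.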
#14
Is there any script for The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux which can automate the hcxdumptool capture and hcxpcapngtool convert process?
#15
No, you have to code it yourself. It is very simple:
https://github.com/ZerBea/hcxtools/issue...-581013958
#16
One last question: Which options have you used to capture the dumpfile?

I noticed that all(!) undirected proberequest frames are not present (filtered out).
These frames may contain information about PSKs, so it is definitely not a good idea to remove them from your cap file!

Code:
$ hcxpcapngtool ptcl_l2-test-01.cap
reading from ptcl_l2-test-01.cap...

summary capture file
--------------------
file name................................: ptcl_l2-test-01.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 22.01.2020 23:09:00
timestamp maximum (GMT)..................: 22.01.2020 23:11:52
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 70694
BEACON (total)...........................: 1
PROBEREQUEST (directed)..................: 17
PROBERESONSE.............................: 574
DEAUTHENTICATION (total).................: 10779
DISASSOCIATION (total)...................: 4
AUTHENTICATION (total)...................: 30
AUTHENTICATION (OPEN SYSTEM).............: 30
ASSOCIATIONREQUEST (total)...............: 7
ASSOCIATIONREQUEST (PSK).................: 7
REASSOCIATIONREQUEST (total).............: 6
REASSOCIATIONREQUEST (PSK)...............: 6
WPA encrypted............................: 17929
EAPOL messages (total)...................: 275
EAPOL RSN messages.......................: 275
ESSID (total unique).....................: 1
EAPOLTIME gap (measured maximum usec)....: 518630
REPLAYCOUNT gap for NC (measured maximum): 6
EAPOL M1 messages........................: 264
EAPOL M2 messages........................: 4
EAPOL M3 messages........................: 5
EAPOL M4 messages........................: 2
EAPOL pairs (total)......................: 26
EAPOL pairs (best).......................: 1
EAPOL M12E2..............................: 1
PMKID (total)............................: 270
PMKID (best).............................: 3

Warning: missing frames!
This dump file contains no undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
That makes it hard to recover the PSK.

BTW:
Again, thanks for the cap file. It reminded me to add several warnings (hcxpcapngtool), to inform about missing frames, zeroed timestamps, broken timestamps, bit errors (PLCP errors).