potfile wpa format/derivation
#1
hashcat versions: 5.1.0 and 6.1.1

I've been looking at hccapx to better understand WPA/WPA2, but there's one thing that befuddles me. I cannot figure out how hashcat creates a 128-bit prefix for found passwords.

hashcat will output something like
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:<ap_mac>:<sta_mac>:<ssid>:<password>
Where the X's are a hex encoding of something. How is this derived?

I've been looking through the source code where -m 2500 (wpa/wpa2) is defined, but I can't see how it's done. https://github.com/hashcat/hashcat/blob/...00-pure.cl

In the rules I'm not supposed to post the actual hash, but I see no problem with that because it's published on hashcat.net as an example for explanation purposes. Once someone gives me the ok I'll post the actual hash. I think it'll be easier to work with a specific example.
#2
an independent checksum that is used to identify/find the correct hash, see https://github.com/hashcat/hashcat/blob/...#L756-L823

you shouldn't bother too much about it, it's just used internally for the potfile hash lookup and to distinguish the different hashes

it's also recommended to switch to the new hash format -m 22000 = WPA-PBKDF2-PMKID+EAPOL as mentioned in the docs and release notes
#3
(09-15-2020, 07:50 AM)philsmd Wrote: an independent checksum that is used to identify/find the correct hash, see https://github.com/hashcat/hashcat/blob/...#L756-L823

you shouldn't bother too much about it, it's just used internally for the potfile hash lookup and to distinguish the different hashes

it's also recommended to switch to the new hash format -m 22000 = WPA-PBKDF2-PMKID+EAPOL as mentioned in the docs and release notes

Can you point me to the documentation and release notes that you're referring to?
#4
To be honest, when I wrote that I believed that we had added a whole paragraph about the new -m 22000 format here: https://hashcat.net/forum/thread-9303.html (but we only mentioned that WPA-PBKDF2-PMKID+EAPOL was added).

I guess the best resource for now is this: https://github.com/hashcat/hashcat/issues/1816 where the format was discussed
#5
You can read more about this format (2200x, outfile format and potfile format) and the tools working on it here:
https://hashcat.net/forum/thread-6661-po...l#pid47931
#6
As an academic exercise, I'm creating an SQLite database to manage cracked/uncracked hashes. I want to use the hash as the primary key, but I didn't know how to produce the hash in the same way as hashcat for -m 2500. Which means I didn't know how to ingest hccapx files uniquely in a way that was compatible with the hashcat potfile.
#7
As mentioned in this thread:
https://hashcat.net/forum/thread-6661-po...l#pid47931
The 22000 format is no longer binary. All bash tools (cat, sort, awk, cut, ...) work on it, on the potfile and on the outfile.
A good example (PHP code including a database) can be found here:
https://github.com/RealEnder/dwpa

Old hashcat uses an md5_64 to make the hash unique. That is deprecated (because it spams the potfile) and has been removed since v6. I recommend using 22000 instead of 2500 and/or 16800.