password found but exhausted !!
#1
Hello friends,
I am new here and very happy to be.
I have a little question.
Why doesn't hashcat stop the cracking work after finding the password?
I searched for answers on the web but did not find anything.
I have a handshake for my old wifi router with an 8-digit password (28449430) and I wanted to guess it with hashcat, so I started to crack the handshake. It was successful, BUT after hashcat found the password it continued the cracking process. And finally, it displayed EXHAUSTED!!!! Very strange!! Any explanation or solution, please?

Reply
#2
It's because of the "Recovered" line, only 2 of 3 are found
Code:
Recovered........: 2/3 (66.67%) Digests

This could mean several things, but most likely that your file oor.hccapx doesn't contain only one network, but multiple.

In theory there could also be the case that you recorded a handshake that only deals with one specific network (and access point AP, if we oversimplify it a little bit) but the recorded handshake was recorded when somebody (or a device) used the wrong password or something like this.... so there are multiple scenarios. I'm pretty sure if you use the recommended way of capturing the network traffic with hcxdumptool / hcxtools a lot of incomplete and wrong handshakes are already identified and only the correct/meaningful ones are within the hccapx output. So you should probably use that way of capturing.

Of course you would need to analyze the .hccapx file (also see https://hashcat.net/wiki/doku.php?id=hccapx and you could use hcxtools also here) to find out which (different ?!) networks are listed in the oor.hccapx file.

So hashcat has found 2 of 3 correct matches and therefore it's correct that it reports that NOT ALL of them are cracked and therefore it's exhausted with 2/3 cracked hashes.
Reply
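An added example, not part of the original posts and not code from hashcat or hcxtools: a minimal parser for the 393-byte hccapx record layout documented on the wiki page linked above, listing which networks and clients a file contains. The sample records, network names and MAC addresses are constructed.

```python
import struct
from collections import defaultdict

# hccapx record layout per the hashcat wiki (little-endian, packed, 393 bytes):
# signature, version, message_pair, essid_len, essid, keyver, keymic,
# mac_ap, nonce_ap, mac_sta, nonce_sta, eapol_len, eapol
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
assert HCCAPX.size == 393

def parse_hccapx(blob):
    """Yield one dict per 393-byte record, rejecting malformed input."""
    if len(blob) % HCCAPX.size:
        raise ValueError("length is not a multiple of 393 bytes")
    for off in range(0, len(blob), HCCAPX.size):
        (sig, ver, pair, elen, essid, keyver, mic,
         ap, anonce, sta, snonce, eapol_len, eapol) = HCCAPX.unpack_from(blob, off)
        if sig != b"HCPX":
            raise ValueError(f"bad signature at offset {off}")
        if elen > 32 or eapol_len > 256:
            raise ValueError(f"bad length field at offset {off}")
        yield {
            "essid": essid[:elen].decode("utf-8", "replace"),
            "ap": ap.hex(":"),
            "sta": sta.hex(":"),
            "message_pair": pair & 0x7F,  # low bits: which EAPOL messages were combined
            "keyver": keyver,
        }

def summarize(blob):
    """Map (ESSID, AP MAC) -> list of client MACs, one entry per record."""
    nets = defaultdict(list)
    for rec in parse_hccapx(blob):
        nets[(rec["essid"], rec["ap"])].append(rec["sta"])
    return dict(nets)

def _record(essid, ap, sta, pair=0):
    # Constructed sample record: nonces, MIC and EAPOL are zero-filled placeholders.
    e = essid.encode()
    return HCCAPX.pack(b"HCPX", 4, pair, len(e), e, 2, bytes(16), bytes.fromhex(ap),
                       bytes(32), bytes.fromhex(sta), bytes(32), 0, bytes(256))

# Constructed file: three records, two networks (names and MACs are made up).
SAMPLE = (_record("HomeRouter", "020000000001", "0200000000aa")
          + _record("HomeRouter", "020000000001", "0200000000bb", pair=2)
          + _record("Neighbour", "020000000002", "0200000000cc"))

if __name__ == "__main__":
    for (essid, ap), clients in summarize(SAMPLE).items():
        print(f"{essid!r} {ap}: {len(clients)} record(s) from {clients}")
```

Each record is one digest in hashcat's "Recovered" count, so a file that summarizes to more than one network, or to several clients on one network, explains a total greater than 1.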
#3
(10-24-2020, 03:45 PM)philsmd Wrote: It's because of the "Recovered" line, only 2 of 3 are found
Code:
Recovered........: 2/3 (66.67%) Digests

This could mean several things, but most likely that your file oor.hccapx doesn't contain only one network, but multiple.

In theory there could also be the case that you recorded a handshake that only deals with one specific network (and access point AP, if we oversimplify it a little bit) but the recorded handshake was recorded when somebody (or a device) used the wrong password or something like this.... so there are multiple scenarios. I'm pretty sure if you use the recommended way of capturing the network traffic with hcxdumptool / hcxtools a lot of incomplete and wrong handshakes are already identified and only the correct/meaningful ones are within the hccapx output. So you should probably use that way of capturing.

Of course you would need to analyze the .hccapx file (also see https://hashcat.net/wiki/doku.php?id=hccapx and you could use hcxtools also here) to find out which (different ?!) networks are listed in the oor.hccapx file.

So hashcat has found 2 of 3 correct matches and therefore it's correct that it reports that NOT ALL of them are cracked and therefore it's exhausted with 2/3 cracked hashes.

Thank you very much PHIL, you explained a lot of things to me.
I will follow your advice and try the methods that you recommended to me.
The way I capture handshakes is The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) linux airodump-ng + aireplay-ng. Is that a bad thing?
Is hcxdumptool better than airodump-ng?
Thank you again.
Reply
#4
Both suites (aircrack-ng and hcxdumptool/hcxtools) have advantages and disadvantages. So this question isn't easy to answer:
airodump-ng, besside-ng, wpaclean, and aireplay-ng are designed to get EAPOL handshakes and PMKIDs to be used by aircrack-ng and to get full benefit of aircrack-ng.

hcxdumptool/hcxtools is designed to be used by hashcat and JtR and to get full benefit of both of them.

I recommend to make up your own mind, by reading both git repositories:
https://github.com/aircrack-ng
https://github.com/ZerBea

Especially the issue section (issues: open and closed) will give you an answer about limitations of both tools.

In addition to that, you can get information about the features of both tools here:
https://forum.aircrack-ng.org/
https://hashcat.net/forum/thread-6661.html

And you can try the example (hash mode 22000) from here:
https://github.com/evilsocket/pwnagotchi...-598597214

The PMKID attack is described here:
https://hashcat.net/forum/thread-7717.html
Reply
#5
Ok ZerBea! Thank you for your answer.
I will read those articles and then decide which tool is good.
Thank you again.
Reply
#6
Please share your experiences with us and tell me how you decided. I'm very interested in that, because it helps a lot to improve hcxdumptool/hcxtools as WiFi pre-processor to be used by hashcat and JtR.
Reply
#7
(10-27-2020, 08:38 AM)ZerBea Wrote: Please share your experiences with us and tell me how you decided. I'm very interested in that, because it helps a lot to improve hcxdumptool/hcxtools as WiFi pre-processor to be used by hashcat and JtR.

Ok my friend!!!!
These 2 months I am busy at work, but after that I will return to wifi & The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) and will post and share every experience and result here.
You are my hero.
Reply
#8
Thanks.
Reply