Hashcat + wlangenpmkocl how to convert back to plaintext ?
#21
I fully agree. It is mandatory to acquire new knowledge.
2005 is ok to acquire knowledge about 802.11 because there are no big changes in protocol.

BTW:
I'm running Arch on all my systems (also for daily use). Built from scratch:
XFCE, because I don't need an oversized desktop environment (no desktop environment on RPi's - a terminal is more than enough here)
Only services enabled that I really need.
Only tools installed that I really need (that includes the gcc suite).
No third party drivers (I don't buy hardware that requires a third party driver. If you have some time, DuckDuckGo for this: "K A L I and rtl8812au issue" and you know what I mean).
I'm only interested in radio transmission systems, methods (that includes all types of modulation) and protocols (that includes all protocols used on radio frequencies as well as the whole crypto part).
Reply
#22
(02-23-2021, 01:30 AM)ZerBea Wrote: Running wlangenpmkocl as super user (sudo) is not a good idea and absolutely not necessary.
Option -A is a good idea, because you'll get the PMK and the PSK. In combination with the ESSID you have all parts of the PBKDF2 algo.

Using different kinds of rules and masks (also in hybrid mode) is a very good idea on word lists, but not on a PMK list.

I'm doing this by:
capture traffic -> hcxdumptool
convert hash and data of PROBEREQUESTs -> hcxpcapngtool (-o -E)
get raw word list from hcxpcapngtool -E -> hcxeiutool -s
feeding hashcat with hcxeiutool -s output
sort the list and run hashcat task on hash and wordlist

commands:
Code:
$ sudo hcxdumptool -i interface -o dump.pcapng --enable_status=1
for some hours
$ hcxpcapngtool -E trafficwords -o hash.22000 dump.pcapng
$ hcxeiutool -i trafficwords -s raw.list
$ hashcat --stdout -r "hcxessid.rule" cs.list | sort | uniq > word.list
$ hashcat -m 22000 --nonce-error-corrections=0 hash.22000 word.list

nonce-error-corrections=0 because I trust in hcxdumptool/hcxpcapngtool and expect no packet loss.

NC is explained here:
https://hashcat.net/forum/thread-6361.html
and referenced here, too:
https://github.com/s3inlc/hashtopolis/is...-783516615

BTW:
Here you can find the successor of wifite:
https://github.com/kimocoder/wifite2

In your example above:
$ sudo hcxdumptool -i interface -o dump.pcapng --enable_status=1
for some hours
$ hcxpcapngtool -E trafficwords -o hash.22000 dump.pcapng
$ hcxeiutool -i trafficwords -s raw.list
$ hashcat --stdout -r "hcxessid.rule" cs.list | sort | uniq > word.list
$ hashcat -m 22000 --nonce-error-corrections=0 hash.22000 word.list

Should cs.list be raw.list instead?
Reply
#23
(02-24-2021, 10:57 AM)ZerBea Wrote: I fully agree. It is mandatory to acquire new knowledge.
2005 is ok to acquire knowledge about 802.11 because there are no big changes in protocol.

BTW:
I'm running Arch on all my systems (also for daily use). Built from scratch:
XFCE, because I don't need an oversized desktop environment (no desktop environment on RPi's - a terminal is more than enough here)
Only services enabled that I really need.
Only tools installed that I really need (that includes the gcc suite).
No third party drivers (I don't buy hardware that requires a third party driver. If you have some time, DuckDuckGo for this: "K A L I and rtl8812au issue" and you know what I mean).
I'm only interested in radio transmission systems, methods (that includes all types of modulation) and protocols (that includes all protocols used on radio frequencies as well as the whole crypto part).

(02-24-2021, 06:00 PM)walterlacka Wrote:
(02-23-2021, 01:30 AM)ZerBea Wrote: Running wlangenpmkocl as super user (sudo) is not a good idea and absolutely not necessary.
Option -A is a good idea, because you'll get the PMK and the PSK. In combination with the ESSID you have all parts of the PBKDF2 algo.

Using different kinds of rules and masks (also in hybrid mode) is a very good idea on word lists, but not on a PMK list.

I'm doing this by:
capture traffic -> hcxdumptool
convert hash and data of PROBEREQUESTs -> hcxpcapngtool (-o -E)
get raw word list from hcxpcapngtool -E -> hcxeiutool -s
feeding hashcat with hcxeiutool -s output
sort the list and run hashcat task on hash and wordlist

commands:
Code:
$ sudo hcxdumptool -i interface -o dump.pcapng --enable_status=1
for some hours
$ hcxpcapngtool -E trafficwords -o hash.22000 dump.pcapng
$ hcxeiutool -i trafficwords -s raw.list
$ hashcat --stdout -r "hcxessid.rule" cs.list | sort | uniq > word.list
$ hashcat -m 22000 --nonce-error-corrections=0 hash.22000 word.list

nonce-error-corrections=0 because I trust in hcxdumptool/hcxpcapngtool and expect no packet loss.

NC is explained here:
https://hashcat.net/forum/thread-6361.html
and referenced here, too:
https://github.com/s3inlc/hashtopolis/is...-783516615

BTW:
Here you can find the successor of wifite:
https://github.com/kimocoder/wifite2

In your example above:
$ sudo hcxdumptool -i interface -o dump.pcapng --enable_status=1
for some hours
$ hcxpcapngtool -E trafficwords -o hash.22000 dump.pcapng
$ hcxeiutool -i trafficwords -s raw.list
$ hashcat --stdout -r "hcxessid.rule" cs.list | sort | uniq > word.list
$ hashcat -m 22000 --nonce-error-corrections=0 hash.22000 word.list

Should cs.list be raw.list instead?

Interesting, no, I dedicated my laptop to ka li so I wanted to fancify it a little hehe. I got a HackRF I'm learning how to play with. GNU Radio and GQRX are awesome. I can't seem to hear VHF and UHF frequencies though, but I do see the signals. I think it's a modulation issue perhaps? Anyway, that's a totally separate problem, one massive headache at a time haha

Ok so I've re-read everything and I understand much better now; going to integrate your method into my experiment tonight. I'm wondering about what Walter said though: is line 5 cs.list supposed to be raw.list?

I'm going to re-read your post again in case I'm missing a clue

EDIT: Oh wait. No it is NOT, because I want the RAW at the end to compare so I don't have to re-brute-force? Also, why is it bad to run something as sudo when you're not supposed to? Sometimes I run sudo just in case.

EDIT2: I just realized something. I actually need mode 22001 because I'm using PMKs, no? How does this affect your capture?
Reply
#24
The only tool that needs sudo is hcxdumptool. All other tools don't need it.
I never understood why K A L I used a root-model.

You can use old modes (250x and 1680x) or instead of the 2 modes 22001 (combined mode).
Advantage of 22000:
If you have a PMKID and an EAPOL message pair for the same ESSID, PBKDF2 is only run once!
Reply
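To make the 22000 vs 22001 distinction concrete, here is an added example (written for this thread, not code from hashcat or hcxtools) that walks through the derivation hashcat mode 22000 brute-forces: PMK = PBKDF2-HMAC-SHA1(PSK, ESSID, 4096, 32), then PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA). The recover_psk function is the mode 22000 situation (one PBKDF2 per passphrase candidate); recover_pmk is the mode 22001 situation, where the candidates are already PMKs, so PBKDF2 is skipped and the ESSID is no longer needed. That is also why rules and masks on a PMK list make no sense: a mangled PMK is just a random 32-byte value. The passphrase/ESSID pair "password"/"IEEE" is the IEEE 802.11i test vector; the MAC addresses and the resulting 22000 line are constructed for this example.

```python
# Added example, not from the thread or from hashcat/hcxtools.
# WPA2-Personal key derivation behind hashcat modes 22000 (PSK candidates)
# and 22001 (PMK candidates), checked against a PMKID-type (01) record.
import hashlib
import hmac
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for passphrase -> PMK


def derive_pmk(psk: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes).
    This is the expensive step; mode 22000 runs it once per candidate."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid.encode(),
                               PBKDF2_ITERATIONS, 32)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), i.e. the
    first 16 bytes of the HMAC-SHA1 output."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def build_22000_pmkid_line(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, essid: str) -> str:
    """Hashcat 22000 record for a PMKID (type 01). The ANONCE, EAPOL and
    MESSAGEPAIR fields only apply to EAPOL (type 02) records and stay empty."""
    return "WPA*01*{}*{}*{}*{}***".format(
        pmkid.hex(), mac_ap.hex(), mac_sta.hex(), essid.encode().hex())


def parse_22000_line(line: str) -> dict:
    """Split a 22000 record into its fields (WPA*TYPE*PMKID/MIC*MACAP*MACSTA*ESSID*ANONCE*EAPOL*MP)."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not a hashcat 22000 record")
    return {
        "type": fields[1],                    # 01 = PMKID, 02 = EAPOL MIC
        "pmkid": bytes.fromhex(fields[2]),
        "mac_ap": bytes.fromhex(fields[3]),
        "mac_sta": bytes.fromhex(fields[4]),
        "essid": bytes.fromhex(fields[5]).decode(),
    }


def recover_psk(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Mode 22000 style: passphrase candidates, one PBKDF2 per candidate."""
    rec = parse_22000_line(line)
    if rec["type"] != "01":
        raise ValueError("this example handles PMKID (type 01) records only")
    for psk in candidates:
        if not 8 <= len(psk) <= 63:       # WPA passphrase length rule; drop junk early
            continue
        pmk = derive_pmk(psk, rec["essid"])
        if hmac.compare_digest(compute_pmkid(pmk, rec["mac_ap"], rec["mac_sta"]), rec["pmkid"]):
            return psk
    return None


def recover_pmk(line: str, pmk_candidates: Iterable[bytes]) -> Optional[bytes]:
    """Mode 22001 style: candidates are PMKs, so there is no PBKDF2 and no
    ESSID dependency; each check is a single HMAC-SHA1."""
    rec = parse_22000_line(line)
    if rec["type"] != "01":
        raise ValueError("this example handles PMKID (type 01) records only")
    for pmk in pmk_candidates:
        if len(pmk) != 32:
            continue
        if hmac.compare_digest(compute_pmkid(pmk, rec["mac_ap"], rec["mac_sta"]), rec["pmkid"]):
            return pmk
    return None


# Constructed sample: "password"/"IEEE" is the IEEE 802.11i PSK test vector,
# the two MAC addresses are made up for this example.
SAMPLE_ESSID = "IEEE"
SAMPLE_PSK = "password"
SAMPLE_MAC_AP = bytes.fromhex("001122334455")
SAMPLE_MAC_STA = bytes.fromhex("66778899aabb")
SAMPLE_LINE = build_22000_pmkid_line(
    compute_pmkid(derive_pmk(SAMPLE_PSK, SAMPLE_ESSID), SAMPLE_MAC_AP, SAMPLE_MAC_STA),
    SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_ESSID)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(derive_pmk(SAMPLE_PSK, SAMPLE_ESSID).hex())
    print(recover_psk(SAMPLE_LINE, ["short", "letmein123", "password"]))
```

The same PMK feeds both a PMKID and an EAPOL MIC check for a given ESSID, which is the saving ZerBea mentions: with both record types for one network in a 22000 hash file, PBKDF2 is computed once per candidate and only the cheap HMAC steps differ.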
#25
(02-25-2021, 07:02 AM)ZerBea Wrote: The only tool that needs sudo is hcxdumptool. All other tools don't need it.
I never understood why K A L I used a root-model.

You can use old modes (250x and 1680x) or instead of the 2 modes 22001 (combined mode).
Advantage of 22000:
If you have a PMKID and an EAPOL message pair for the same ESSID, PBKDF2 is only run once!

ohhhhhhhh! I get it now. Thank you ZerBea. I thought that 2501 and 22001 were basically the same as 2500/22000 BUT strictly for PMK usage.
Reply
#26
(02-25-2021, 07:02 AM)ZerBea Wrote: The only tool that needs sudo is hcxdumptool. All other tools don't need it.
I never understood why K A L I used a root-model.

You can use old modes (250x and 1680x) or instead of the 2 modes 22001 (combined mode).
Advantage of 22000:
If you have a PMKID and an EAPOL message pair for the same ESSID, PBKDF2 is only run once!

First off, I just noticed you're the one who wrote the hcxtools. So thank you for your work; can't believe I didn't notice, jeez.

Now The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) comes with hcxtools pre-installed, but it doesn't have the hcxeiutool that you're using. When I git clone your repo and try to sudo make, hcxhashtool.c fails with a fatal error because there's no such file or dir curl/curl.h. I do have the latest version of curl, however. Can I just 'make' the hcxeiutool? The rest are running fine. (I've downloaded your other tools as well; those run well.)

EDIT: Ah awesome, finally got hcxeiutool to work. So for anyone else using K*ALI: even though you have curl, it's not the right version obviously, so help yourself to ZerBea's readme and:
$ sudo apt-get install pkg-config libcurl4-openssl-dev libssl-dev zlib1g-dev
In the hcxtools dir...
$ make
$ sudo make install

Thank you Zerbea!
Reply
#27
(02-24-2021, 06:00 PM)walterlacka Wrote:
(02-23-2021, 01:30 AM)ZerBea Wrote: Running wlangenpmkocl as super user (sudo) is not a good idea and absolutely not necessary.
Option -A is a good idea, because you'll get the PMK and the PSK. In combination with the ESSID you have all parts of the PBKDF2 algo.

Using different kinds of rules and masks (also in hybrid mode) is a very good idea on word lists, but not on a PMK list.

I'm doing this by:
capture traffic -> hcxdumptool
convert hash and data of PROBEREQUESTs -> hcxpcapngtool (-o -E)
get raw word list from hcxpcapngtool -E -> hcxeiutool -s
feeding hashcat with hcxeiutool -s output
sort the list and run hashcat task on hash and wordlist

commands:
Code:
$ sudo hcxdumptool -i interface -o dump.pcapng --enable_status=1
for some hours
$ hcxpcapngtool -E trafficwords -o hash.22000 dump.pcapng
$ hcxeiutool -i trafficwords -s raw.list
$ hashcat --stdout -r "hcxessid.rule" cs.list | sort | uniq > word.list
$ hashcat -m 22000 --nonce-error-corrections=0 hash.22000 word.list

nonce-error-corrections=0 because I trust in hcxdumptool/hcxpcapngtool and expect no packet loss.

NC is explained here:
https://hashcat.net/forum/thread-6361.html
and referenced here, too:
https://github.com/s3inlc/hashtopolis/is...-783516615

BTW:
Here you can find the successor of wifite:
https://github.com/kimocoder/wifite2

In your example above:
$ sudo hcxdumptool -i interface -o dump.pcapng --enable_status=1
for some hours
$ hcxpcapngtool -E trafficwords -o hash.22000 dump.pcapng
$ hcxeiutool -i trafficwords -s raw.list
$ hashcat --stdout -r "hcxessid.rule" cs.list | sort | uniq > word.list
$ hashcat -m 22000 --nonce-error-corrections=0 hash.22000 word.list

Should cs.list be raw.list instead?

There's a few mistakes here; I'm fixing it now. This question is answered by hcxpcapngtool --help. I'm still practicing the command. I'll post the solution shortly.
Reply
#28
Yes. It's an ugly copy and paste error:
$ hashcat --stdout -r "hcxessid.rule" raw.list | sort | uniq > word.list

The hcxessid.rule will append some digits (1..9999, 123, 1234, ...) to the cleaned -E output of hcxpcapngtool.

BTW:
hcxtools are running in the background of several online WPA PSK auditing services, e.g.:
https://wpa-sec.stanev.org/
To see how they are implemented, take a look at the source:
https://github.com/RealEnder/dwpa
Reply
#29
(02-27-2021, 06:00 PM)ZerBea Wrote: Yes. It's an ugly copy and paste error
$ hashcat --stdout -r "hcxessid.rule" raw.list | sort | uniq > word.list

Hiya !

Also, in my case I had to create an empty word.list and give it read/write permissions, so if anybody else is in that predicament...

This is a very elegant method, I really like this. Thank you so much for the teaching session; I can integrate this into my attack pattern now. I still haven't managed to crack the handshake, but I'm doing this much more properly now, so thanks for that. Major progress made here, plus I learnt some stuff about Python thanks to having to make the other packages you host.
Reply
#30
(02-27-2021, 06:00 PM)ZerBea Wrote: Yes. It's an ugly copy and paste error:
$ hashcat --stdout -r "hcxessid.rule" raw.list | sort | uniq > word.list

The hcxessid.rule will append some digits (1..9999, 123, 1234, ...) to the cleaned -E output of hcxpcapngtool.

BTW:
hcxtools are running in the background of several online WPA PSK auditing services, e.g.:
https://wpa-sec.stanev.org/
To see how they are implemented, take a look at the source:
https://github.com/RealEnder/dwpa

Hey how's it going ?

I'm studying your method and I'm having quite some trouble understanding, maybe when you've got some time if you would shed some light:

hcxdumptool -i iface -o dump.pcapng --enable_status=1
So this is self-explanatory; also, what a nice little tool. May I ask how long you've been doing this?

hcxpcapngtool -E trafficwords -o hash.22000 dump.pcapng
This is where I start to raise an eyebrow. Now technically I don't need -E if I want to substitute my own wordlist, correct? We'll discuss that further down the line as it comes up again. Right now I'm curious to see why you generate your wordlist this way. I definitely think it's intelligent, but what is the reasoning? To the untrained eye like mine, it feels like you're really limiting your possibilities there.

hcxeiutool -i trafficwords -s raw.list
So here I can just say -i /usr/share/wordlists/whatever -s raw.list, correct? From what I see the format isn't changed, so it should be legit.

hashcat --stdout -r "hcxessid.rule" raw.list | sort | uniq > word.list
Instead let's say I do
hashcat --stdout -r dive.rule raw.list ....

Now we move over to the cracking rig: (win7 12cpu/32gb ram/gtx680)
hashcat -m 22000 -w 4 --nonce-error-corrections=0 hash.22000 word.list

This is where things get complicated.
First of all what happens if I do
hashcat -m 22000 -r rules\base64.rule -w 4 --nonce-error-corrections=0 hash.22000
Notice that I've changed the ruleset

or what happens if I do something even crazier like this ?
hashcat -a 6 -m 22000 -w 4 --nonce-error-corrections=0 hash.22000 word.list rockyou-1-60.hcmask
So now we have the embedded rule from the earlier hashcat on top of the hybrid mask.

I'm going to try all these possibilities now and share the results, but wondering if you have any comments.
If this works though, it would have to be with a PMK, as I anticipate plaintext will take several revolutions of time. So I will need to integrate that into your method, which shouldn't be a big deal; it looks like your tool supports all this stuff and more.

Anyway, once I'm done testing I'll be looking over those sources. I still don't fully understand how all this works; if you sat me down in front of a paper I would fail.

FYI, attached are the NSA rules I stumbled on and am testing with. They were from a hashcat lecture. They seem pretty good; I like how they mangle the words. Forgive me if they're deprecated or everyone already knows about them. Thought it would be useful for those that don't have 'em.

https://filebin.net/oaqo19oqthhrizh0
Reply