fastest way to check 1 (one) password [16800] ?
#1
hello

I want to check only 1 password against a PMKID.
I know I can kill a mosquito with a bazooka:


Code:
hashcat -a 3 -m 16800 file.pmkid passwordToTest

but I want to do it on a slow machine without a GPU, on which hashcat takes several seconds to init

is there another tool to do that or any other config?

appreciate
Reply
#2
hcxpmktool or hcxhashtool should do it offline and hcxdumptool will do it during capturing.
example hashes 2500, 16800 and 22000 taken from here:
https://hashcat.net/wiki/doku.php?id=example_hashes

converted 16800 to hash line 22000 (prepend WPA*01*, append ***):
Code:
$ time hcxpmktool -i WPA*01*2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a*** -p 'hashcat!'

ESSID.............: �HqbFZwK�����:
PSK  .............: hashcat!
PMK...............: 5b13d4babb3714ccc62c9f71864bc984efd6a55f237c7a87fc2151e1ca658a9d
PMKID (calculated): 2582a8281bf9d4308d6f5731d0e61c61
PMKID (hash line).: 2582a8281bf9d4308d6f5731d0e61c61 (equal)

real    0m0,006s
user    0m0,006s
sys    0m0,000s

compared to hashcat -m 16800
Code:
$ time hashcat -m 16800 test.16800 -a 3 'hashcat!'
hashcat (v6.1.1-120-g15bf8b730) starting...

CUDA API (CUDA 11.2)
====================
* Device #1: GeForce GTX 1080 Ti, 10899/11175 MB, 28MCU

OpenCL API (OpenCL 1.2 CUDA 11.2.153) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 1080 Ti, skipped

4604ba734d4e:89acf0e761f4:$HEX[ed487162465a774bfba60eb603a39f3a]:hashcat!
                                                
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PMKID-PBKDF2
Hash.Target......: 4604ba734d4e:89acf0e761f4:$HEX[ed487162465a774bfba6...39f3a]
Time.Started.....: Wed Mar  3 21:06:09 2021 (0 secs)
Time.Estimated...: Wed Mar  3 21:06:09 2021 (0 secs)
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       22 H/s (0.43ms) @ Accel:8 Loops:64 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 41c Fan: 32% Util: 74% Core:1657MHz Mem:5005MHz Bus:16

Started: Wed Mar  3 21:06:08 2021
Stopped: Wed Mar  3 21:06:11 2021

real    0m2,930s
user    0m0,667s
sys    0m0,481s

Or use hashmode -22000 (instead of deprecated 16800 hash mode):
Code:
$ time hcxpmktool -i WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***  -p 'hashcat!'

ESSID.............: hashcat-essid
PSK  .............: hashcat!
PMK...............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PMKID (calculated): 4d4fe7aac3a2cecab195321ceb99a7d0
PMKID (hash line).: 4d4fe7aac3a2cecab195321ceb99a7d0 (equal)

real    0m0,006s
user    0m0,006s
sys    0m0,000s


compared to hashcat -m 22000:
Code:
hashcat (v6.1.1-120-g15bf8b730) starting...

CUDA API (CUDA 11.2)
====================
* Device #1: GeForce GTX 1080 Ti, 10899/11175 MB, 28MCU

OpenCL API (OpenCL 1.2 CUDA 11.2.153) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 1080 Ti, skipped


4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747f87f9f4:hashcat-essid:hashcat!
                                                
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: test.22000
Time.Started.....: Wed Mar  3 21:04:07 2021 (0 secs)
Time.Estimated...: Wed Mar  3 21:04:07 2021 (0 secs)
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       28 H/s (0.41ms) @ Accel:8 Loops:64 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 49c Fan: 31% Util: 22% Core:1657MHz Mem:5005MHz Bus:16

Started: Wed Mar  3 21:04:06 2021
Stopped: Wed Mar  3 21:04:08 2021

real    0m2,879s
user    0m0,619s
sys    0m0,508s

It works also on EAPOL message pairs (WPA*02*)
converted hccapx to hash line 22000 (hcxpcapngtool will do that directly from cap/pcap and pcapng files):
Code:
$ time hcxpmktool -i WPA*02*dd380bd54bc9c316dce31562c22c87d1*aef50f22801c*987bdcf9f950*38333831353333343036303033383037363835383831353233*1e33f3eca3a1f2216a52b60c87191e7473ac54ecb023ac5989becf1e3c7e4509*01030077fe010900200000000000000001faf192b205d47b81f43f91f850c81976da019e00722f3958370692ab0562f70b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*00 -p 'hashcat!'

ESSID.............: 8381533406003807685881523
PSK  .............: hashcat!
PMK...............: 27728647ac66c5edea4d448fd2c1da57cf02e6347b1465a0d43142c6bd6e37b6
PMKID (calculated): c64249a2e8ea4e47cfddb5df6eb39fde
MIC (calculated)..: dd380bd54bc9c316dce31562c22c87d1
MIC (hash line)...: dd380bd54bc9c316dce31562c22c87d1 (equal)


real    0m0,008s
user    0m0,008s
sys    0m0,000s

compared to hashcat -m 2500 (deprecated hccapx)
Code:
$ time hashcat -m 2500 hashcat.hccapx -a 3 'hashcat!'
hashcat (v6.1.1-120-g15bf8b730) starting...

CUDA API (CUDA 11.2)
====================
* Device #1: GeForce GTX 1080 Ti, 10883/11175 MB, 28MCU

OpenCL API (OpenCL 1.2 CUDA 11.2.153) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 1080 Ti, skipped

aef50f22801c:987bdcf9f950:8381533406003807685881523:hashcat!
                                                
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: 8381533406003807685881523 (AP:ae:f5:0f:22:80:1c STA:98:7b:dc:f9:f9:50)
Time.Started.....: Wed Mar  3 21:17:13 2021 (0 secs)
Time.Estimated...: Wed Mar  3 21:17:13 2021 (0 secs)
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       31 H/s (0.41ms) @ Accel:8 Loops:64 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 50c Fan: 33% Util: 35% Core:1657MHz Mem:5005MHz Bus:16

Started: Wed Mar  3 21:17:12 2021
Stopped: Wed Mar  3 21:17:15 2021

real    0m2,899s
user    0m0,652s
sys    0m0,478s

or use hcxhashtool with option on a 22000 hash file:
Code:
-i <file>   : input PMKID/EAPOL hash file
--psk=<PSK>                  : pre-shared key to test
                               due to PBKDF2 calculation this is a very slow process
                               no nonce error corrections
--pmk=<PMK>                  : plain master key to test
                               no nonce error corrections

test2.22000 contains all 3 example hashes in a single file:
Code:
WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***
WPA*01*2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a***
WPA*02*dd380bd54bc9c316dce31562c22c87d1*aef50f22801c*987bdcf9f950*38333831353333343036303033383037363835383831353233*1e33f3eca3a1f2216a52b60c87191e7473ac54ecb023ac5989becf1e3c7e4509*01030077fe010900200000000000000001faf192b205d47b81f43f91f850c81976da019e00722f3958370692ab0562f70b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*00

To test a complete hashfile (new hashcat mode -m 22000) against a single PSK or PMK:
Code:
$ time hcxhashtool -i testall3.22000 --psk='hashcat!'
f4747f87f9f4:fc690c158264:hashcat-essid:88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc:hashcat!
89acf0e761f4:4604ba734d4e:$HEX[ed487162465a774bfba60eb603a39f3a]:5b13d4babb3714ccc62c9f71864bc984efd6a55f237c7a87fc2151e1ca658a9d:hashcat!
987bdcf9f950:aef50f22801c:8381533406003807685881523:27728647ac66c5edea4d448fd2c1da57cf02e6347b1465a0d43142c6bd6e37b6:hashcat!

OUI information file...: /home/zerobeat/.hcxtools/oui.txt
OUI entires............: 29508
total lines read.......: 3
valid hash lines.......: 3
PMKID hash lines.......: 2
EAPOL hash lines.......: 1

real    0m0,128s
user    0m0,122s
sys    0m0,007s

compared to hashcat hash mode -m 22000:
Code:
$ time hashcat -m 22000 testall3.22000 -a 3 'hashcat!'
hashcat (v6.1.1-120-g15bf8b730) starting...

CUDA API (CUDA 11.2)
====================
* Device #1: GeForce GTX 1080 Ti, 10879/11175 MB, 28MCU

OpenCL API (OpenCL 1.2 CUDA 11.2.153) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 1080 Ti, skipped

4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747f87f9f4:hashcat-essid:hashcat!
2582a8281bf9d4308d6f5731d0e61c61:4604ba734d4e:89acf0e761f4:$HEX[ed487162465a774bfba60eb603a39f3a]:hashcat!
dd380bd54bc9c316dce31562c22c87d1:aef50f22801c:987bdcf9f950:8381533406003807685881523:hashcat!
                                                
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: testall3.22000
Time.Started.....: Wed Mar  3 21:34:27 2021 (0 secs)
Time.Estimated...: Wed Mar  3 21:34:27 2021 (0 secs)
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       27 H/s (0.41ms) @ Accel:8 Loops:64 Thr:1024 Vec:1
Recovered........: 3/3 (100.00%) Digests, 3/3 (100.00%) Salts
Progress.........: 3/3 (100.00%)
Rejected.........: 0/3 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:2 Amplifier:0-1 Iteration:0-1
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 46c Fan: 36% Util: 76% Core:1657MHz Mem:5005MHz Bus:16

Started: Wed Mar  3 21:34:26 2021
Stopped: Wed Mar  3 21:34:28 2021

real    0m2,277s
user    0m0,627s
sys    0m0,579s

Fast enough?

Or use hcxdumptool with option weakcandidate to verify PSK during capturing:
Code:
--weakcandidate=<password>         : use this pre shared key (8...63 characters) for weak candidate alert
                                     will be saved to pcapng to inform hcxpcaptool
                                     default: 12345678


BTW:
hcxdumptool/hcxtools are designed to run on small systems like a Raspberry Pi.
Reply
#3
@ZerBea: thanks for taking the time to explain it in such detail.
That was even more than I was looking for (didn't know about m 22000, will read more about it!)

cheers!
Reply
#4
You can follow the discussion about 22000 hash mode here:
https://github.com/hashcat/hashcat/issues/1816
main advantages:
pay the price (PBKDF2) only once for PMKID and EAPOL (instead of twice 16800 and 2500)
no longer binary (hashes can be commented on every website without taking care about character encoding, all bash tools and commands are working on a 22000 hash line)

BTW:
If the invoice (PBKDF2) has already been paid, I recommend getting the PMK from the hashcat potfile and using it instead of the PSK. Verifying a PMK is a thousand times (exactly 4096 * 2) faster!
The format in the hashcat potfile is the result of the PBKDF2 calculation:
PMK * ESSID : PSK

explained here:
https://hashcat.net/forum/thread-9893-page-4.html

Please notice:
This will only work if you would like to verify a PMK or to test a single PSK, because we're doing this on CPU.
In every other case, hashcat is much, much faster!
Reply
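Added example, not code from the posters or from hcxtools/hashcat: a standard-library Python sketch of the single-candidate check shown in post #2 (PSK against a WPA*01* line) and the PMK shortcut described in post #4. It handles PMKID lines only, the function names are this example's own, and the two hash lines are the ones quoted in the thread.

```python
import hashlib
import hmac

# Hash lines copied from the thread above (hashcat example hashes, PSK "hashcat!").
LINE_ASCII_ESSID = "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***"
LINE_BINARY_ESSID = "WPA*01*2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a***"


def parse_pmkid_line(line):
    """Split a WPA*01* line into raw bytes: (pmkid, mac_ap, mac_client, essid)."""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA":
        raise ValueError("not a 22000 hash line")
    if fields[1] != "01":
        raise ValueError("only PMKID (WPA*01*) lines are handled in this example")
    pmkid, mac_ap, mac_client, essid = (bytes.fromhex(f) for f in fields[2:6])
    if len(pmkid) != 16 or len(mac_ap) != 6 or len(mac_client) != 6 or len(essid) > 32:
        raise ValueError("unexpected field length")
    return pmkid, mac_ap, mac_client, essid


def psk_to_pmk(psk, essid):
    """Slow step: PBKDF2-HMAC-SHA1, 4096 iterations, raw ESSID bytes as salt."""
    if not 8 <= len(psk) <= 63:
        raise ValueError("PSK must be 8...63 characters")
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)


def pmk_matches(line, pmk):
    """Fast step: a single HMAC-SHA1 over "PMK Name" + AP MAC + client MAC."""
    pmkid, mac_ap, mac_client, _ = parse_pmkid_line(line)
    calculated = hmac.new(pmk, b"PMK Name" + mac_ap + mac_client, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(calculated, pmkid)


def psk_matches(line, psk):
    """Derive the PMK from the candidate PSK, then compare PMKIDs."""
    essid = parse_pmkid_line(line)[3]
    return pmk_matches(line, psk_to_pmk(psk, essid))


if __name__ == "__main__":
    for line in (LINE_ASCII_ESSID, LINE_BINARY_ESSID):
        essid = parse_pmkid_line(line)[3]
        print(essid.hex(), psk_to_pmk("hashcat!", essid).hex(), psk_matches(line, "hashcat!"))
```

The ESSID is used as raw bytes, so the second line (shown as $HEX[...] by hashcat) needs no special handling.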