ZerBea / hcxtools

A small set of tools to convert packets from capture files to hash files for use with Hashcat or John the Ripper.
MIT License

Issue with cap2hccapx.bin not producing readable hash #332

Closed smarandache1990 closed 9 months ago

smarandache1990 commented 9 months ago

https://hashcat.net/cap2hashcat/ has no issue producing a readable hash that can be used in hashcat. However, cap2hccapx.bin does not. I have provided cat output of both files. I was using a .cap file at first and thought that might be the issue. I then used editcap to convert .cap to .pcap, which did not solve the problem. I ran both .cap and .pcap through https://hashcat.net/cap2hashcat/ and they produced the same output file. I created an MD5 hash of both to verify that .cap and .pcap files produce the same extracted hash when using the online version of the tool.

```
┌──(brien㉿kali)-[~/Downloads]
└─$ cat 2168007_1708302741.hc22000
WPA*02*92a9fe85d5656281517162c33c0f62b6*cc40d0a4d096*48e244a7c4fb*434f52502d57494649*062267437c90d9185d010b9dabdbbae1b014e4ee435b93e5cdfea39b79eadd4a*0103007502010a000000000000000000015a494f36fadc4671749191c507b538920e7b1a42f01fc9faed572e61c5e035ed000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*02
WPA*02*b7703fd2171bec7933ffc900faa6eb5b*cc40d0a4d096*80822381a9c8*434f52502d57494649*09f8fed1b3f740126b61ff3a9a2da482712ccbfd73d4e555fefe50568faf7075*0103007502010a0010000000000000000321c9245f339ac3d486b85a9f8f3bc0092befdecd2859411acab4941f31c94de4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020c00*00

┌──(brien㉿kali)-[~/Downloads]
└─$ ls
2168007_1708302741.hc22000 Hashcat_wireless1.zip Sn1per corp_question1-01.cap generators 2168043_1708303118.hc22000 Phone VBOX_GE corp_question1-01.pcap mic_to_crack.hc22000

┌──(brien㉿kali)-[~/Downloads]
└─$ cat 2168043_1708303118.hc22000
WPA*02*92a9fe85d5656281517162c33c0f62b6*cc40d0a4d096*48e244a7c4fb*434f52502d57494649*062267437c90d9185d010b9dabdbbae1b014e4ee435b93e5cdfea39b79eadd4a*0103007502010a000000000000000000015a494f36fadc4671749191c507b538920e7b1a42f01fc9faed572e61c5e035ed000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*02
WPA*02*b7703fd2171bec7933ffc900faa6eb5b*cc40d0a4d096*80822381a9c8*434f52502d57494649*09f8fed1b3f740126b61ff3a9a2da482712ccbfd73d4e555fefe50568faf7075*0103007502010a0010000000000000000321c9245f339ac3d486b85a9f8f3bc0092befdecd2859411acab4941f31c94de4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020c00*00

┌──(brien㉿kali)-[~/Downloads]
└─$ cat 2168043_1708303118.hc22000 | md5sum
6e3c01f00421f77a79d7dff41b0dc813 -

┌──(brien㉿kali)-[~/Downloads]
└─$ cat 2168007_1708302741.hc22000 | md5sum
6e3c01f00421f77a79d7dff41b0dc813 -
```

```
┌──(brien㉿kali)-[~/Downloads]
└─$ /usr/lib/hashcat-utils/cap2hccapx.bin corp_question1-01.pcap mic_to_crack.hccapx
Networks detected: 1

[*] BSSID=cc:40:d0:a4:d0:96 ESSID=CORP-WIFI (Length: 9)
 --> STA=80:82:23:81:a9:c8, Message Pair=0, Replay Counter=1
 --> STA=80:82:23:81:a9:c8, Message Pair=0, Replay Counter=2
 --> STA=80:82:23:81:a9:c8, Message Pair=0, Replay Counter=2
 --> STA=80:82:23:81:a9:c8, Message Pair=0, Replay Counter=3
 --> STA=80:82:23:81:a9:c8, Message Pair=0, Replay Counter=3
 --> STA=48:e2:44:a7:c4:fb, Message Pair=0, Replay Counter=1
 --> STA=48:e2:44:a7:c4:fb, Message Pair=2, Replay Counter=1
 --> STA=48:e2:44:a7:c4:fb, Message Pair=0, Replay Counter=1
 --> STA=48:e2:44:a7:c4:fb, Message Pair=2, Replay Counter=1

Written 9 WPA Handshakes to: mic_to_crack.hccapx

┌──(brien㉿kali)-[~/Downloads]
└─$ cat mic_to_crack.hccapx
HCPX CORP-WIFI�Wי
```


ZerBea commented 9 months ago

First of all, I'll close this report, because it is not a hcxtools bug, but more a question that can be discussed here: https://github.com/ZerBea/hcxdumptool/discussions

Second, cap2hccapx is a tool that belongs to hashcat-utils and not to hcxtools: https://hashcat.net/wiki/doku.php?id=hashcat_utils. It converts EAPOL MESSAGE PAIRs to the outdated hashcat 2500 binary format (hccapx).

This old binary hccapx format (hash mode 2500/2501) has been replaced by a new HEX ASCII format (hash mode 22000/22001). https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

smarandache1990 commented 9 months ago

Sorry, I was gonna close this myself as I came across your reply to another user a few years ago here: https://hashcat.net/forum/thread-10544-post-54362.html#pid54362

smarandache1990 commented 9 months ago

@ZerBea would you be able to point me in the right direction about how the MessagePair is produced and what the significance of it is? I know it has something to do with communicating the best way to handle the hash to hashcat. But I'm not sure why https://hashcat.net/cap2hashcat/ produces a different MessagePair than hcxpcapngtool.

┌──(brien㉿kali)-[~/Downloads]
└─$ hcxpcapngtool corp_question1-01.cap -o 21680_hash.hc22000

┌──(brien㉿kali)-[~/Downloads]
└─$ cat 21680_hash.hc22000                 
WPA*02*92a9fe85d5656281517162c33c0f62b6*cc40d0a4d096*48e244a7c4fb*434f52502d57494649*062267437c90d9185d010b9dabdbbae1b014e4ee435b93e5cdfea39b79eadd4a*0103007502010a000000000000000000015a494f36fadc4671749191c507b538920e7b1a42f01fc9faed572e61c5e035ed000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*82
WPA*02*b7703fd2171bec7933ffc900faa6eb5b*cc40d0a4d096*80822381a9c8*434f52502d57494649*09f8fed1b3f740126b61ff3a9a2da482712ccbfd73d4e555fefe50568faf7075*0103007502010a0010000000000000000321c9245f339ac3d486b85a9f8f3bc0092befdecd2859411acab4941f31c94de4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020c00*80

And this is from https://hashcat.net/cap2hashcat/

┌──(brien㉿kali)-[~/Downloads]
└─$ cat 2168043_1708303118.hc22000         
WPA*02*92a9fe85d5656281517162c33c0f62b6*cc40d0a4d096*48e244a7c4fb*434f52502d57494649*062267437c90d9185d010b9dabdbbae1b014e4ee435b93e5cdfea39b79eadd4a*0103007502010a000000000000000000015a494f36fadc4671749191c507b538920e7b1a42f01fc9faed572e61c5e035ed000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*02
WPA*02*b7703fd2171bec7933ffc900faa6eb5b*cc40d0a4d096*80822381a9c8*434f52502d57494649*09f8fed1b3f740126b61ff3a9a2da482712ccbfd73d4e555fefe50568faf7075*0103007502010a0010000000000000000321c9245f339ac3d486b85a9f8f3bc0092befdecd2859411acab4941f31c94de4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020c00*00

Offline MESSAGEPAIR: MESSAGEPAIR=82 MESSAGEPAIR=80

Online MESSAGEPAIR: MESSAGEPAIR=02 MESSAGEPAIR=00

ZerBea commented 9 months ago

https://hashcat.net/cap2hashcat/index.pl is running an older version:

hcxpcapngtool 6.3.1 reading from 2183173_1708361180.cap...

compared to:

https://github.com/ZerBea/hcxtools

hcxpcapngtool 6.3.2-53-g2836d94 reading from wpa-Induction.pcap...

I've made a lot of changes in the meantime, e.g.: https://github.com/ZerBea/hcxtools/commit/80c151fc3edcab8cc49bcfd87888076bfa9d0028

smarandache1990 commented 9 months ago

I see, thanks!!

ZerBea commented 9 months ago

That shouldn't be a problem, because latest hcxtools is always in sync with latest hashcat or JtR.

smarandache1990 commented 9 months ago

Yeah, I'm able to use either one and they both give me the same expected password, so there is no issue there. I was just wondering why it was. I probably wouldn't have noticed it, but just for fun I created an MD5 hash of both, expecting to see the same hash, but they were different and that's when I noticed the MessagePair values.
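
The following Python example is added here and is not part of the thread or of hcxtools/hashcat. It splits an hc22000 line into its fields and decodes the MESSAGEPAIR byte using the bit layout documented on the hashcat wiki page linked above (https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2), showing that `82` and `02` name the same message pair and differ only in bit 7. The ANONCE and EAPOL values in the sample lines are constructed placeholders; the helper names are hypothetical.

```python
from dataclasses import dataclass, replace

# Bits 0-2 of MESSAGEPAIR: which EAPOL messages were paired.
PAIR_TYPES = {
    0: "M1+M2, EAPOL from M2 (challenge)",
    1: "M1+M4, EAPOL from M4 if not zeroed (authorized)",
    2: "M2+M3, EAPOL from M2 (authorized)",
    3: "M2+M3, EAPOL from M3 (authorized)",
    4: "M3+M4, EAPOL from M3 (authorized)",
    5: "M3+M4, EAPOL from M4 if not zeroed (authorized)",
}
# Bits 4-7: hints to hashcat about nonce error correction.
FLAGS = {0x10: "ap-less attack", 0x20: "LE router detected",
         0x40: "BE router detected", 0x80: "replay count not checked"}

@dataclass(frozen=True)
class Hc22000:
    kind: str          # "01" = PMKID line, "02" = EAPOL line
    mic: str           # PMKID or MIC, hex
    mac_ap: str
    mac_client: str
    essid: str         # decoded from hex
    anonce: str
    eapol: str
    message_pair: int

def parse_line(line):
    parts = line.strip().split("*")
    if len(parts) != 9 or parts[0] != "WPA" or parts[1] not in ("01", "02"):
        raise ValueError("not an hc22000 line")
    essid = bytes.fromhex(parts[5]).decode("utf-8", errors="replace")
    pair = int(parts[8], 16) if parts[8] else 0   # may be empty on PMKID lines
    return Hc22000(parts[1], parts[2], parts[3], parts[4], essid,
                   parts[6], parts[7], pair)

def decode_message_pair(value):
    pair = PAIR_TYPES.get(value & 0x07, "unknown")
    return pair, [name for bit, name in FLAGS.items() if value & bit]

def same_handshake(a, b):
    # Equal once the flag bits are masked off: only the hints differ.
    return (replace(a, message_pair=a.message_pair & 7)
            == replace(b, message_pair=b.message_pair & 7))

# Sample lines: MIC, MACs, ESSID and MESSAGEPAIR values are from the thread;
# ANONCE and EAPOL are constructed placeholders.
BODY = ("WPA*02*92a9fe85d5656281517162c33c0f62b6*cc40d0a4d096*48e244a7c4fb*"
        "434f52502d57494649*" + "11" * 32 + "*0103007502010a*")
OFFLINE, ONLINE = BODY + "82", BODY + "02"
```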