hashcat / hashcat-utils

Small utilities that are useful in advanced password cracking
MIT License

dedup extra handshakes to speedup cracking time. … #39

Closed ChrisLundquist closed 6 years ago

ChrisLundquist commented 6 years ago

This will make less work by removing extra salts.

$ ./a.out test.hashcat foo
Read 966 handshakes
Filtered: 835 handshakes
Wrote: 131 handshakes
$ ./a.out foo foo
Read 131 handshakes
Filtered: 0 handshakes
Wrote: 131 handshakes

ChrisLundquist commented 6 years ago

speed up in practice:

Before

Session..........: hashcat
Status...........: Quit
Hash.Type........: WPA/WPA2
Hash.Target......: .\total.hashcat
Time.Started.....: Sat Jan 13 22:58:13 2018 (26 secs)
Time.Estimated...: Mon Jan 15 01:30:23 2018 (1 day, 2 hours)
Guess.Base.......: File (.\rockyou.txt)
Guess.Mod........: Rules (.\rules\best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   373.7 kH/s (6.51ms)
Speed.Dev.#2.....:   373.8 kH/s (6.63ms)
Speed.Dev.#*.....:   747.5 kH/s
Recovered........: 1/535 (0.19%) Digests, 1/67 (1.49%) Salts
Progress.........: 1530568060/74002677056 (2.07%)
Rejected.........: 1511071100/1530568060 (98.73%)
Restore.Point....: 0/14344384 (0.00%)
Candidates.#1....: 1234567893 -> classica3
Candidates.#2....: 021119933 -> LIMERICK3
HWMon.Dev.#1.....: Temp: 54c Fan: 33% Util:100% Core:1987MHz Mem:5005MHz Bus:16
HWMon.Dev.#2.....: Temp: 55c Fan: 33% Util:100% Core:1974MHz Mem:5005MHz Bus:16

After:

Session..........: hashcat
Status...........: Running
Hash.Type........: WPA/WPA2
Hash.Target......: .\total.hashcat
Time.Started.....: Sun Jan 14 11:21:18 2018 (5 mins, 35 secs)
Time.Estimated...: Mon Jan 15 07:54:38 2018 (20 hours, 27 mins)
Guess.Base.......: File (.\rockyou.txt)
Guess.Mod........: Rules (.\rules\best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   505.7 kH/s (6.34ms)
Speed.Dev.#2.....:   503.1 kH/s (6.36ms)
Speed.Dev.#*.....:  1008.9 kH/s
Recovered........: 2/71 (2.82%) Digests, 2/71 (2.82%) Salts
Progress.........: 1975511244/78420747328 (2.52%)
Rejected.........: 1601284300/1975511244 (81.06%)
Restore.Point....: 0/14344384 (0.00%)
Candidates.#1....: 0211199312 -> downpour12
Candidates.#2....: 1234567897 -> classica7
HWMon.Dev.#1.....: Temp: 75c Fan: 43% Util: 99% Core:1885MHz Mem:5005MHz Bus:16
HWMon.Dev.#2.....: Temp: 77c Fan: 64% Util: 99% Core:1885MHz Mem:5005MHz Bus:16

It appears fewer salts helps keep the GPUs busier and we don't lose hash rate.

ZerBea commented 6 years ago

Possible that you are going in the wrong direction. Stripping by ESSID and message_pair is not a good idea and you will lose many crackable handshakes and grep uncrackables instead.

Choosing a good mix of handshakes and hashcat parameters is a better way:

$ hashcat -m 2500 --benchmark
hashcat (v4.0.1-78-g185104b5) starting in benchmark mode...

Device #1: GeForce GTX 1080 Ti, 2792/11169 MB allocatable, 28MCU

Speed.Dev.#1.....:   540.8 kH/s (52.79ms)

real life example 1:

Speed.Dev.#1.....:   534.5 kH/s (6.59ms)
Recovered........: 0/12885 (0.00%) Digests, 0/8523 (0.00%) Salts

real life example 2:

Speed.Dev.#1.....:   515.8 kH/s (6.78ms)
Recovered........: 1/1092035 (0.00%) Digests, 1/156394 (0.00%) Salts

real life example 3 (royal class):

Speed.Dev.#1.....:   525.7 kH/s (6.56ms)
Recovered........: 137675/1195893 (11.51%) Digests, 30551/186091 (16.42%) Salts

jsteube commented 6 years ago

I agree with @ZerBea because the use of multiple handshakes is done on purpose. It's exactly what aircrack & co. are missing and it's one of the reasons we started this extra format.

Maybe check out adding --nonce-error-corrections 0 to the hashcat command line; it can have a big performance impact on hccapx files with many handshakes. Of course, make sure you have a clean recording before you use it in real life.

ChrisLundquist commented 6 years ago

Hmm, I'd love to learn more here. The above code keeps one of each type of message pair for every network.

In Ruby this would be roughly:

filtered_handshakes = handshakes.sort.uniq { |handshake| handshake.essid + handshake.message_pair }

We can see that hashcat disregards some portion of these since it only cares about 71 digests out of the 131. Off the top of my head, it was trying to crack handshakes with message pairs 3+4 since that shows a complete login.

Is there currently an attack that leverages redundancy between multiple authentications for WPA? (WEP has this for sure)

In practice the above was my phone connecting to my wifi network as I came and went. The only other way I've found to remove extraneous work is to feed the pot into hashcat so it cracks each new capture's salt/nonce.

My goal is to understand what value we'd be losing by removing these duplicates.

As @ZerBea showed, 1080TIs should be around 500kH/s and 374kH/s seems like a notable drop.
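As an added illustration (not the PR's code, nor anything from hashcat-utils), here is the filter described in the PR description and in the Ruby one-liner above, written against a minimal reader for the 393-byte hccapx v4 record. It assumes the standard hccapx field layout (signature, version, message_pair, essid_len, essid, keyver, keymic, mac_ap, nonce_ap, mac_sta, ...) and uses a constructed sample capture; the record with a second client on the same ESSID shows the kind of handshake such a filter silently drops, which is the concern raised above.

```ruby
# Added example, not the PR's code: a minimal hccapx reader and the
# ESSID+message_pair filter the PR description and Ruby one-liner describe.
HCCAPX_SIZE = 393          # every hccapx v4 record is exactly 393 bytes
HCCAPX_SIGNATURE = 'HCPX'  # magic at the start of each record

Handshake = Struct.new(:message_pair, :essid, :mac_ap, :mac_sta)

# Split a blob of concatenated records and decode the fields we need.
def parse_hccapx(data)
  raise ArgumentError, 'not a multiple of 393 bytes' unless (data.bytesize % HCCAPX_SIZE).zero?
  (0...data.bytesize).step(HCCAPX_SIZE).map do |off|
    # first 103 bytes: sig, version, message_pair, essid_len, essid, keyver, mic, mac_ap, nonce_ap, mac_sta
    sig, _ver, pair, essid_len, essid, _keyver, _mic, mac_ap, _nonce_ap, mac_sta =
      data.byteslice(off, HCCAPX_SIZE).unpack('a4 V C C a32 C a16 a6 a32 a6')
    raise ArgumentError, "bad signature at offset #{off}" unless sig == HCCAPX_SIGNATURE
    Handshake.new(pair, essid.byteslice(0, essid_len), mac_ap, mac_sta)
  end
end

# Keep the first handshake per (ESSID, raw message_pair byte), like
# handshakes.uniq { |h| h.essid + h.message_pair } in the comment above.
def dedup_by_essid_and_pair(handshakes)
  handshakes.uniq { |h| [h.essid, h.message_pair] }
end

# Same Read/Filtered/Wrote summary as the a.out run in the PR description.
def filter_report(data)
  all = parse_hccapx(data)
  kept = dedup_by_essid_and_pair(all)
  { read: all.size, filtered: all.size - kept.size, wrote: kept.size }
end

# Constructed record builder (real files come from cap2hccapx); MIC, nonces
# and EAPOL are filler because only the dedup key matters here.
def build_record(essid, message_pair, mac_sta)
  [HCCAPX_SIGNATURE, 4, message_pair, essid.bytesize, essid, 2, "\0" * 16,
   "\xAA".b * 6, "\x11".b * 32, mac_sta, "\x22".b * 32, 0, "\0" * 256]
    .pack('a4 V C C a32 C a16 a6 a32 a6 a32 v a256')
end

# Constructed capture: one phone reconnecting to HomeNet, a second client
# on HomeNet, and one handshake from another network.
SAMPLE = [
  build_record('HomeNet', 0, "\x01".b * 6),
  build_record('HomeNet', 2, "\x01".b * 6),
  build_record('HomeNet', 0, "\x01".b * 6), # same phone, later reconnect: dropped
  build_record('HomeNet', 2, "\x02".b * 6), # different client, same key: also dropped
  build_record('Cafe', 0, "\x03".b * 6)
].join
puts filter_report(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

On the constructed sample this reports 5 read, 2 filtered, 3 written, and the dropped records include the second client's handshake, not only the repeated reconnects.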

jsteube commented 6 years ago

We also want to crack handshakes recorded on a fake AP (to get the password the client is using). Read here for more information: https://hashcat.net/forum/thread-6273.html