hashcat / hashcat-utils

Small utilities that are useful in advanced password cracking
MIT License

Networks named 💥🖥💥 Ⓟ➃ⓌⓃ🅟❶ #49

Open Legendaire opened 5 years ago

Legendaire commented 5 years ago

💥🖥💥 Ⓟ➃ⓌⓃ🅟❶ is the name of a network in my area. I was curious to see how the special characters affected these tools. I get this message:

    tricky-02.cap: Oversized packet detected
    Networks detected: 0

when doing cap2hccapx.exe tricky-02.cap tricky-02.hccapx on a cap file without a handshake.

I tried the 1.9 version on a file where I am certain there was a handshake and simply got this:

    Networks detected: 0

I know that airodump captured the handshake. Could this be an issue with the odd characters of the SSID, or am I missing something?

ZerBea commented 5 years ago

Could you please attach the capfile? aircrack-ng handshake detection is known as buggy: https://github.com/aircrack-ng/aircrack-ng/issues/1993

Legendaire commented 5 years ago

I can't actually remember which file it was. Is there a way to figure out which one it was?


ZerBea commented 5 years ago

You have a filename: tricky-02.cap. So you can search it by name.

Legendaire commented 5 years ago

Grrrrr. Google won't let me send the whole thing uncompressed. I zipped up all the files. Here you go.


ZerBea commented 5 years ago

Hmmm, why google? That will not work. To attach a compressed cap file, drag and drop it into the comment box here on git: https://help.github.com/en/articles/file-attachments-on-issues-and-pull-requests

Legendaire commented 5 years ago

tricky-02.zip

I didn't realize our conversation was going into this thread. I was just replying via email. I've dragged and dropped the file here. I hope it helps.

ZerBea commented 5 years ago

Ok, that worked. Thanks.

Looks like the AP uses emojis within ESSID. That is a new trend: https://medium.com/@bcjordan/emojify-your-wi-fi-c01f4ac0b0ab

Unfortunately, some clients don't understand this: https://www.reddit.com/r/Ubiquiti/comments/7hfusd/using_emoji_characters_in_ssid/

hashcat (hashcat-utils), john (latest) and wpa-sec are able to handle emojis inside an ESSID.

Unfortunately, your capfile doesn't contain a PMKID or a handshake. It also doesn't contain an oversized packet. There is nothing to analyze or to hunt for an issue inside. So, cap2hccapx is doing its job as expected:

    $ cap2hccapx.bin tricky-02.cap tricky-02.hccapx
    Networks detected: 0

hcxpcaptool will give us more information about the file:

    $ hcxpcaptool -V tricky-02.cap
    reading from tricky-02.cap
    summary:
    file name....................: tricky-02.cap
    file type....................: pcap 2.4
    file hardware information....: unknown
    file os information..........: unknown
    file application information.: unknown
    network type.................: DLT_IEEE802_11 (105)
    endianness...................: little endian
    read errors..................: flawless
    packets inside...............: 24304
    skipped packets..............: 0
    packets with GPS data........: 0
    packets with FCS.............: 0
    beacons (with ESSID inside)..: 1
    probe responses..............: 24303

Legendaire commented 5 years ago

That is so strange. When I did the capture it said it caught a handshake. If there is no PMKID or handshake then either the capture software (aircrack-ng) is the issue or I am imagining things. I should post on the aircrack-ng site to see if that is the issue.


ZerBea commented 5 years ago

Same result, running wpapcap2john:

    $ wpapcap2john tricky-02.cap
    File tricky-02.cap: raw 802.11
    1 ESSIDS processed and 0 AP/STA pairs processed
    0 handshakes written, 0 RSN IE PMKIDs

BTW: tricky-02.cap doesn't look like an aircrack-ng captured file; too much kismet stuff inside the zip file. Also, it looks like the interface wasn't set properly to monitor mode (only beacons and proberesponses inside).

ZerBea commented 5 years ago

Just compiled aircrack-ng and it is working like expected, too:

    $ ./aircrack-ng tricky-02.cap -w testlist
    Reading packets, please wait...
    Opening tricky-02.cap
    Read 24304 packets.

          BSSID              ESSID                  Encryption

       1  B8:27:EB:36:CE:53  💥🖥💥 Ⓟ➃ⓌⓃ🅟❶  Unknown

    Choosing first network as target.

    Reading packets, please wait...
    Opening tricky-02.cap
    Read 24304 packets.

    1 potential targets

    Packets contained no EAPOL data; unable to process this AP.

    Quitting aircrack-ng...

Is driver installed in the correct way? https://rioasmara.com/2018/09/15/alfa-awus1900-kali-linux-experience/
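The three tool runs above all reduce to one question: which 802.11 frame types are in the capture, and is there any EAPOL among them. The following Python is an added example, not part of the original thread and not code from hashcat-utils, hcxtools or aircrack-ng; it counts beacons, probe responses and unprotected EAPOL data frames in a classic pcap with link type 105. The names `summarize`, `mgmt_frame`, `build_pcap`, `SAMPLE` and `EAPOL_FRAME` are illustrative, and the sample frames are constructed, not taken from tricky-02.cap.

```python
import struct

EAPOL_LLC = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header + EtherType 0x888e (EAPOL)

def summarize(pcap: bytes) -> dict:
    """Count the frame types a handshake converter looks for in a raw 802.11 pcap."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if e is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(e + "I", pcap[20:24])[0] != 105:
        raise ValueError("link type is not DLT_IEEE802_11 (105)")
    out = {"packets": 0, "beacons": 0, "probe_responses": 0, "eapol": 0, "essids": set()}
    pos = 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack(e + "I", pcap[pos + 8:pos + 12])[0]
        if pos + 16 + incl > len(pcap):
            break                                  # truncated last record
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        out["packets"] += 1
        if len(frame) < 24:
            continue
        ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
        if ftype == 0 and subtype in (5, 8):       # probe response / beacon
            out["beacons" if subtype == 8 else "probe_responses"] += 1
            tags = frame[36:]                      # skip 24-byte header + 12 fixed bytes
            if len(tags) >= 2 and tags[0] == 0 and len(tags) >= 2 + tags[1]:
                # The ESSID is raw octets (max 32); emoji are just multi-byte UTF-8.
                out["essids"].add(tags[2:2 + tags[1]].decode("utf-8", "replace"))
        elif ftype == 2 and not frame[1] & 0x40:   # unprotected data frame
            hdr = 24 + (2 if subtype & 8 else 0) + (6 if frame[1] & 3 == 3 else 0)
            if frame[hdr:hdr + 8] == EAPOL_LLC:
                out["eapol"] += 1
    return out

def mgmt_frame(subtype: int, essid: bytes) -> bytes:
    # Constructed frame: 24-byte header, 12 fixed bytes, then the SSID tag (id 0).
    return bytes([subtype << 4, 0]) + bytes(22) + bytes(12) + bytes([0, len(essid)]) + essid

def build_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# ESSID from this thread written as escapes (assumed to carry no variation selectors);
# these code points encode to 32 UTF-8 octets, the 802.11 SSID maximum.
ESSID = "\U0001F4A5\U0001F5A5\U0001F4A5 \u24C5\u2783\u24CC\u24C3\U0001F15F\u2776"
SAMPLE = build_pcap([mgmt_frame(8, ESSID.encode())] + [mgmt_frame(5, ESSID.encode())] * 2)
EAPOL_FRAME = bytes([0x88, 0x02]) + bytes(22) + bytes(2) + EAPOL_LLC + bytes(4)  # constructed

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A result with `eapol` at 0 and only management frames counted matches the situation described above: the ESSID is read correctly, and there is simply no handshake material to convert.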

Legendaire commented 5 years ago

I was able to capture other handshakes so I would assume it is working. At this point it seems like everything is pointing to the software working. There is likely an "unknown unknown" variable which caused the initial blip. The emoji in the SSID may just be Ad hoc ergo roster hoc.

careyjames commented 5 years ago

that is a raspberry pi zero w running P4wnP1 aloa