openwall / john

John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs
https://www.openwall.com/john/

No cracked password showing up #4243

Closed lw3eov closed 4 years ago

lw3eov commented 4 years ago

System configuration

Version: 1.9.0-jumbo-1
Build: linux-gnu 64-bit x86_64 XOP AC OMP
Section [opencl-devices] not found.

$ john miarchivo --mask=0142082?d?d?d
2020/04/04 18:16:07.646840 system_key.go:126: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 7
Warning: detected hash type "wpapsk", but the string is also recognized as "wpapsk-pmk"
Use the "--format=wpapsk-pmk" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 33 password hashes with 33 different salts (wpapsk, WPA/WPA2/PMF/PMKID PSK [PBKDF2-SHA1 128/128 XOP 4x2])
Cost 1 (key version [0:PMKID 1:WPA 2:WPA2 3:802.11w]) is 2 for all loaded hashes
Will run 8 OpenMP threads
Note: Minimum length forced to 2 by format
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 N/A 0g/s 7692p/s 253846c/s 253846C/s 0142082654..0142082777
Session completed

$ john --show miarchivo
2020/04/04 19:37:17.183686 system_key.go:126: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 7
0 password hashes cracked, 66 left

claudioandre-br commented 4 years ago

Please share the file 24229_1585779530.hccapx. We need it to check if the 2john tool is working properly.

lw3eov commented 4 years ago

https://mega.nz/file/7MsDnKoK#HQVded-LnCDXgHs1qg3GwxrUI3BywuT5InF6gNdNIMQ

claudioandre-br commented 4 years ago

@magnumripper, The user @lw3eov is reporting a false negative.

lw3eov commented 4 years ago

What does a false negative mean? (as mentioned by claudioandre-br)

please try the command you asked me to execute: john miarchivo --mask=0142082?d?d?d

The original .cap file was cracked successfully using Elcomsoft Wireless Security Auditor version 5 for Windows. (In case this comment is useful)

magnumripper commented 4 years ago

@magnumripper, The user @lw3eov is reporting a false negative.

Is he really? Where does anyone say the password should be 0142082734? I seriously doubt that's the correct password. OTOH it could be that the sniffed data is somehow incomplete.

lw3eov commented 4 years ago

I can upload the .cap file so you can try by yourself if you don't trust me

magnumripper commented 4 years ago

What does a false negative mean? (as mentioned by claudioandre-br)

If you know the password should crack as 0142082734, a false negative means some bug makes JtR not crack it. Hashcat ALSO does not crack it though...

magnumripper commented 4 years ago

Oh I do trust you, I just can't find where you stated that 0142082734 is the correct password. Where did you do so?

lw3eov commented 4 years ago

I was editing a previous message in this post when I saw your new post, please use the refresh button in your browser.

magnumripper commented 4 years ago

I see. I will have a look at the data. Is the complete pcap very large?

lw3eov commented 4 years ago

https://mega.nz/file/2cl3DChI#D0KXsuHpDhhRLO20PySTkNg0jfXwJNYbdBuegRVilJI

There you find the .cap file. I've got that from Wifite in Kali Linux

magnumripper commented 4 years ago
$ ../run/wpapcap2john handshake_FibertelWiFi34324GHz_C8-3D-D4-FE-50-60_2020-03-29T06-58-21.cap > 4243.in
File handshake_FibertelWiFi34324GHz_C8-3D-D4-FE-50-60_2020-03-29T06-58-21.cap: raw 802.11
Dumping M3/M2 at 5.129024 BSSID C8:3D:D4:FE:50:60 ESSID 'Fibertel WiFi343 2.4GHz' STA C4:34:6B:0E:66:0A

1 ESSIDS processed and 1 AP/STA pairs processed
1 handshakes written, 0 RSN IE PMKIDs
$ ../run/john 4243.in -mask=0142082?d?d?d
Using default input encoding: UTF-8
Loaded 1 password hash (wpapsk, WPA/WPA2/PMF/PMKID PSK [PBKDF2-SHA1 256/256 AVX2 8x])
Will run 16 OpenMP threads
Note: Minimum length forced to 8 by format
Press 'q' or Ctrl-C to abort, almost any other key for status
0142082734       (Fibertel WiFi343 2.4GHz:c4346b0e660a)
1g 0:00:00:00 N/A 25.00g/s 25000p/s 25000c/s 25000C/s 0142082208..0142082777
No remaining hashes
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

No problem. What did you use to produce the hccapx file? Whatever tool that was might have a bug.

lw3eov commented 4 years ago

I used this online tool: https://hashcat.net/cap2hccapx/

magnumripper commented 4 years ago

That's strange. You might want to report this to the hashcat crew.

magnumripper commented 4 years ago

Wait a minute... the hccapx file you supplied (that we can't crack) is 786 bytes. When I pass the pcap you supplied now to https://hashcat.net/cap2hccapx/ I get a file of 1179 bytes (and that file is crackable).

lw3eov commented 4 years ago

Interestingly, Elcomsoft Wireless Security Auditor version 5 for Windows gives a warning but then finds the password using a mask attack: [screenshot: elcomsoft-warning]

magnumripper commented 4 years ago

Are you sure you used the same pcap to feed Elcomsoft? That warning means we don't have a sniffed M3 (so we can crack what the client tried as a password but we don't know if it's correct) but in the pcap you gave us now, we do have an M3.

lw3eov commented 4 years ago

Yes, that is what the website https://hashcat.net/cap2hccapx/ gives you, you can try by yourself: [screenshot: hashcat]

lw3eov commented 4 years ago

Elcomsoft uses cap files so I used the original cap file: handshake_FibertelWiFi34324GHz_C8-3D-D4-FE-50-60_2020-03-29T06-58-21.cap

magnumripper commented 4 years ago

Sure, try cracking 26393_1586115549.hccapx now. I could (well I got a different file name).

magnumripper commented 4 years ago

In my testing, I can use the pcap and crack it. Or I can feed that pcap to https://hashcat.net/cap2hccapx/ and crack that. The only thing I can not crack is the 24229_1585779530.hccapx you gave us in https://github.com/magnumripper/JohnTheRipper/issues/4243#issuecomment-609101648

So something trashed that file at some point, but there's no problem with JtR

lw3eov commented 4 years ago

I experienced problems when saving to and reading from different folders using JtR. I will now use always the run folder to store the .hccapx files. Elcomsoft does not like .hccapx files so I can't try that. Do you think using dropbox to store the files can be an issue with JtR reading it from that shared folder?

magnumripper commented 4 years ago

I experienced problems when saving to and reading from different folders using JtR. I will now use always the run folder to store the .hccapx files.

This shouldn't really be a problem but then again I never use Windows so I wouldn't know about that. BTW I'm so often editing source files so my normal "home" in the john tree is src/ and because of that I always use ../run/john but my input files are normally in src or in ~/Desktop.

Elcomsoft does not like .hccapx files so I can't try that.

JtR can use hccap/hccapx files, but if you have a pcap, that's what you should prefer (using wpapcap2john).

Do you think using dropbox to store the files can be an issue?

It shouldn't, and anyway you did have problems cracking that file even before posting it to dropbox, right? I guess something went wrong when you tried that cap2hccapx web service the first time. You too can crack it now (using a later convert), right?

lw3eov commented 4 years ago

This is what I've just done:

1) Uploaded and converted the .cap file with the online tool mentioned
2) Downloaded the .hccapx, saving it to /home/m/Downloads/john-1.9.0-jumbo-1/run/
3) m@m-desktop:~/Downloads/john-1.9.0-jumbo-1/run$ python hccapx2john.py 26563_1586116293.hccapx > mi5archivo
4) m@m-desktop:~/Downloads/john-1.9.0-jumbo-1/run$ john mi5archivo --mask=0142082?d?d?d
2020/04/05 16:53:18.215228 system_key.go:126: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 7
Warning: detected hash type "wpapsk", but the string is also recognized as "wpapsk-pmk"
Use the "--format=wpapsk-pmk" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 66 password hashes with 66 different salts (wpapsk, WPA/WPA2/PMF/PMKID PSK [PBKDF2-SHA1 128/128 XOP 4x2])
Remaining 65 password hashes with 65 different salts
Cost 1 (key version [0:PMKID 1:WPA 2:WPA2 3:802.11w]) is 2 for all loaded hashes
Will run 8 OpenMP threads
Note: Minimum length forced to 2 by format
Press 'q' or Ctrl-C to abort, almost any other key for status
0142082734       (Fibertel WiFi343 2.4GHz)
1g 0:00:00:00 N/A 5.263g/s 5263p/s 340884c/s 340884C/s 0142082654..0142082777
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
Session completed
5) m@m-desktop:~/Downloads/john-1.9.0-jumbo-1/run$ john --show mi5archivo
2020/04/05 16:57:28.481448 system_key.go:126: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 7
Fibertel WiFi343 2.4GHz:0142082734:c4346b0e660a:c83dd4fe5060:c83dd4fe5060::WPA2:not verified:26563_1586116293.hccapx
Fibertel WiFi343 2.4GHz:0142082734:c4346b0e660a:c83dd4fe5060:c83dd4fe5060::WPA2:not verified:26563_1586116293.hccapx
Fibertel WiFi343 2.4GHz:0142082734:c4346b0e660a:c83dd4fe5060:c83dd4fe5060::WPA2:not verified:26563_1586116293.hccapx

3 password hashes cracked, 96 left

solardiz commented 4 years ago

On Sun, Apr 05, 2020 at 12:54:08PM -0700, magnum wrote:

JtR can use hccap/hccapx files, but if you have a pcap, that's what you should prefer (using wpapcap2john).

BTW, do we have this preference stated anywhere, preferably in relevant and prominent places (maybe also in help messages from those programs)?

magnumripper commented 4 years ago

3 password hashes cracked, 96 left

The "96 left" seem to be "fuzz versions" of the same hash. They will never crack. In some situations you will need to fuzz input data to be able to crack it but I consider that "experts only" and I never had to use that myself so far (maybe I'm just not an expert?).

do we have this preference stated anywhere

Probably not. I guess I couldn't see why anyone would go through the trouble of converting a perfectly fine pcap to hashcat format before supplying it to john?

magnumripper commented 4 years ago

...but point taken, we could want to clarify that.

lw3eov commented 4 years ago

Do you mean I can feed handshake_FibertelWiFi34324GHz_C8-3D-D4-FE-50-60_2020-03-29T06-58-21.cap to john? How? Do I need to download something extra, or does john-1.9.0-jumbo-1 come with the tool I need for that?

magnumripper commented 4 years ago

It's a two-step process just like with hccaps.

user@large:run$ ./wpapcap2john sniff.pcap >sniff.in
user@large:run$ ./john sniff.in

magnumripper commented 4 years ago

BTW for WPA cracking in particular, using bleeding-jumbo from this repo is recommended over using the latest release of Jumbo. The handling of "same salt exploitation" is way better.

magnumripper commented 4 years ago

Anyway @lw3eov thanks for reporting, not sure of the cause but there was never a problem with our code in this case so I hope you agree this issue is closed?

lw3eov commented 4 years ago

Please help me to get the software working before you close it

lw3eov commented 4 years ago

I am not very familiar with Linux and need further help. I only have wpapcap2john.c and wpapcap2john.h at /home/m/Downloads/john-1.9.0-jumbo-1/src/wpapcap2john.c. However, at m@m-desktop:/snap/john-the-ripper/297/run$ I have a wpapcap2john I can run using ./wpapcap2john, but that folder is read-only. I've done this and this is what I get:

m@m-desktop:/snap/john-the-ripper/297/run$ ./wpapcap2john /home/m/Desktop/Dropbox/hs/handshake_FibertelWiFi34324GHz_C8-3D-D4-FE-50-60_2020-03-29T06-58-21.cap >/home/m/Desktop/sniff.in
File handshake_FibertelWiFi34324GHz_C8-3D-D4-FE-50-60_2020-03-29T06-58-21.cap: raw 802.11
Dumping M3/M2 at 5.129024 BSSID C8:3D:D4:FE:50:60 ESSID 'Fibertel WiFi343 2.4GHz' STA C4:34:6B:0E:66:0A

1 ESSIDS processed and 1 AP/STA pairs processed
1 handshakes written, 0 RSN IE PMKIDs
m@m-desktop:/snap/john-the-ripper/297/run$ ./john sniff.in /home/m/Desktop/sniff.in
./john: error while loading shared libraries: librexgen.so.1.4: cannot open shared object file: No such file or directory

So then I copied the sniff.in file to ~/Downloads/john-1.9.0-jumbo-1/run and I tried this:

m@m-desktop:~/Downloads/john-1.9.0-jumbo-1/run$ john sniff.in --mask=0142082?d?d?d
2020/04/05 17:29:55.947437 system_key.go:126: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 7
Warning: detected hash type "wpapsk", but the string is also recognized as "wpapsk-pmk"
Use the "--format=wpapsk-pmk" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (wpapsk, WPA/WPA2/PMF/PMKID PSK [PBKDF2-SHA1 128/128 XOP 4x2])
No password hashes left to crack (see FAQ)

magnumripper commented 4 years ago

It is closed but we can still write to it. This is merely a support issue (and we're on a bug tracker here, not a support forum) and should rather be discussed on the john-users mailing list. But anyway,

./john: error while loading shared libraries: librexgen.so.1.4: cannot open shared object file: No such file or directory

I'm not sure how you'd ever get that problem. Is this on Kali?

No password hashes left to crack (see FAQ)

Because you already cracked it? Try john -show sniff.in

lw3eov commented 4 years ago

I've been using Ubuntu 18.04.4 LTS bionic all the time. The only time I used kali was to get the handshake

lw3eov commented 4 years ago

Already cracked, you mean using Elcomsoft or using this last command in john? Where does it say it is cracked? I am confused. Can you suggest a user guide on john? I have not found much info on it.

m@m-desktop:~/Downloads/john-1.9.0-jumbo-1/run$ john -show sniff.in
2020/04/05 17:36:06.624515 system_key.go:126: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 7
Fibertel WiFi343 2.4GHz:0142082734:c4346b0e660a:c83dd4fe5060:c83dd4fe5060::WPA2, verified:handshake_FibertelWiFi34324GHz_C8-3D-D4-FE-50-60_2020-03-29T06-58-21.cap

1 password hash cracked, 0 left

lw3eov commented 4 years ago

If it is cracked, where is the password? What is the meaning of the following error message I am getting?: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 7

solardiz commented 4 years ago

@lw3eov Do you see it shows your cracked password right there, on this line? -

Fibertel WiFi343 2.4GHz:0142082734:c4346b0e660a:c83dd4fe5060:c83dd4fe5060::WPA2, verified:handshake_FibertelWiFi34324GHz_C8-3D-D4-FE-50-60_2020-03-29T06-58-21.cap

The plaintext password is the second colon-separated field in --show output.
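As an added example (not code from this thread or from JtR itself), here is a small Python parser that consumes `--show` output for the wpapsk format the way solardiz describes: it takes the plaintext from the second colon-separated field, ignores unrelated lines such as the system_key.go warning quoted above, records whether the status field says `verified` or `not verified` (my reading of magnum's earlier comment is that this reflects whether the capture contained an M3), and collapses the repeated lines seen with the hccapx conversion into one record per network. The sample input is constructed from lines quoted in this issue; the parser assumes the ESSID and the password contain no colon, which holds for the lines on this page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input, assembled from lines quoted in this issue: a stray
# warning line from another program, three cracked-hash lines (one from the pcap
# via wpapcap2john, two identical ones from the hccapx conversion) and the summary.
SAMPLE_SHOW_OUTPUT = """\
2020/04/05 17:36:06.624515 system_key.go:126: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 7
Fibertel WiFi343 2.4GHz:0142082734:c4346b0e660a:c83dd4fe5060:c83dd4fe5060::WPA2, verified:handshake_FibertelWiFi34324GHz_C8-3D-D4-FE-50-60_2020-03-29T06-58-21.cap
Fibertel WiFi343 2.4GHz:0142082734:c4346b0e660a:c83dd4fe5060:c83dd4fe5060::WPA2:not verified:26563_1586116293.hccapx
Fibertel WiFi343 2.4GHz:0142082734:c4346b0e660a:c83dd4fe5060:c83dd4fe5060::WPA2:not verified:26563_1586116293.hccapx

3 password hashes cracked, 96 left
"""

MAC_RE = re.compile(r"^[0-9a-fA-F]{12}$")  # STA/BSSID fields: 12 hex digits, no separators
SUMMARY_RE = re.compile(r"^(\d+) password hash(?:es)? cracked, (\d+) left$")


def parse_show_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one cracked-hash line of `john --show` output for the wpapsk format.

    Field layout as seen in this issue:
        ESSID:password:STA:BSSID:BSSID::<keyver>[, verified | :not verified]:<source file>
    Assumption (holds for the lines on this page): neither the ESSID nor the
    password contains ':'. Returns None for anything that is not a cracked-hash
    line (warnings from other programs, blank lines, the summary line).
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8 or not (MAC_RE.match(fields[2]) and MAC_RE.match(fields[3])):
        return None
    status = fields[6:-1]  # e.g. ['WPA2, verified'] or ['WPA2', 'not verified']
    return {
        "essid": fields[0],
        "password": fields[1],  # the plaintext is the second colon-separated field
        "sta": fields[2].lower(),
        "bssid": fields[3].lower(),
        "key_version": status[0].split(",")[0].strip(),
        "verified": "not verified" not in status,
        "source": fields[-1],
    }


def parse_show_output(text: str) -> Tuple[List[Dict[str, object]], Optional[Tuple[int, int]]]:
    """Split --show output into cracked entries and the (cracked, left) summary."""
    entries: List[Dict[str, object]] = []
    summary: Optional[Tuple[int, int]] = None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
            continue
        entry = parse_show_line(line)
        if entry is not None:
            entries.append(entry)
    return entries, summary


def unique_credentials(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Collapse repeated lines for the same network (the duplicate entries seen in
    this thread) into one record per (essid, bssid, password), keeping a record
    from a verified handshake when one exists."""
    best: Dict[Tuple[object, object, object], Dict[str, object]] = {}
    for e in entries:
        key = (e["essid"], e["bssid"], e["password"])
        if key not in best or (e["verified"] and not best[key]["verified"]):
            best[key] = e
    return list(best.values())


if __name__ == "__main__":
    found, totals = parse_show_output(SAMPLE_SHOW_OUTPUT)
    for cred in unique_credentials(found):
        state = "verified" if cred["verified"] else "not verified"
        print(f"{cred['essid']!r}: password {cred['password']} "
              f"({cred['key_version']}, {state}, from {cred['source']})")
    print("summary:", totals)
```

The MAC-looking third and fourth fields are used as the anchor for recognising a cracked-hash line, which is what keeps the unrelated `system_key.go` warning out of the results without having to know its exact wording.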

magnumripper commented 4 years ago

@solardiz we might want to change this, so no uid/gid/gecos/etc fields are shown.

lw3eov commented 4 years ago

yes, you are right, this software requires a lot of concentration

magnumripper commented 4 years ago

😆 we keep you on your toes 😉

magnumripper commented 4 years ago

Perhaps this would be a whole lot more clear (mock-up)

$ john -show sniff.in
Fibertel WiFi343 2.4GHz:    0142082734

That'd be "login name", "colon", "tab", "password" and nothing more.

lw3eov commented 4 years ago

could you please comment on one of my previous messages where I was asking about the fact that I have John inside Downloads folder but also at snap folder and I cannot just use one of them and delete the other?

magnumripper commented 4 years ago

I'm so old my beard looks like Santa's - I've never used that snap thingy in my entire life. That would be a great john-users thread though (I could learn from it).

lw3eov commented 4 years ago

I don't mind deleting the snap installation and making a new one without using snap. I used snap as it worked while many other instructions I've found did not work for me

solardiz commented 4 years ago
$ john -show sniff.in
Fibertel WiFi343 2.4GHz:  0142082734

That'd be "login name", "colon", "tab", "password" and nothing more.

That'd be incompatible with what we have now, and --show output is meant to be not only human-readable, but also parsed by scripts.

magnumripper commented 4 years ago

I can always add optional color (when output is a TTY). I have more of that on my to-do list (#3511)

claudioandre-br commented 4 years ago

m@m-desktop:/snap/john-the-ripper/297/run$ ./john sniff.in /home/m/Desktop/sniff.in
./john: error while loading shared libraries: librexgen.so.1.4: cannot open shared object file: No such file or directory

You shouldn't run the JtR binary itself, you should run JtR's "public name".

Why cd to a strange folder as /bla/297/run?

Just run john. From anywhere. Open a terminal, in ANY folder and (notice, no ./):

$ john sniff.in 

BTW: if you prefer to use Windows, you can use a Windows package.

claudioandre-br commented 4 years ago

What is the meaning of the following error message I am getting?: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 7

It is a warning from Linux itself. Not related to JtR, WPA, or the cracking process. You can ignore it.

lw3eov commented 4 years ago

I prefer to use and learn using Linux

m@m-desktop:~$ john sniff.in /home/m/Desktop/sni2ff.in
2020/04/05 18:02:32.855634 system_key.go:126: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 7
stat: sniff.in: No such file or directory

The file is at desktop!