
Adopt hcxtools' (and hashcat's) new unified WPA input line format

Open magnumripper opened this issue 6 years ago • 4 comments

See https://github.com/hashcat/hashcat/issues/1816#issuecomment-566546059

The new format is:

SIGNATURE*TYPE*PMKID/MIC*MACAP*MACSTA*ESSID*ANONCE*EAPOL*MESSAGEPAIR

Some notes:

  • SIGNATURE = "WPA"
  • TYPE = 01 for PMKID, 02 for EAPOL, others to follow
  • PMKID/MIC = PMKID if TYPE==01, MIC if TYPE==02
  • MACAP = MAC of AP
  • MACSTA = MAC of station
  • ESSID = ESSID
  • ANONCE = ANONCE
  • EAPOL = EAPOL (SNONCE is in here)
  • MESSAGEPAIR = Bitmask:
      0: MP info (https://hashcat.net/wiki/doku.php?id=hccapx)
      1: MP info (https://hashcat.net/wiki/doku.php?id=hccapx)
      2: MP info (https://hashcat.net/wiki/doku.php?id=hccapx)
      3: x (unused)
      4: ap-less attack (set to 1) - no nonce-error-corrections necessary
      5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary
      6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary
      7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

All fields are encoded in hex except SIGNATURE.

This is a great improvement to our old hack of simply Base-64 encoding the (deprecated) hccap struct.

A corresponding pot line in JtR will only contain ESSID and calculated PMK, something like

WPA*00*PMK***ESSID***:password

That is: TYPE is set to 00, next field is PMK and all other fields but ESSID are empty.

magnumripper avatar Dec 19 '19 07:12 magnumripper

Hm no, that won't work. We need to preserve the input in order to match it for --show.

magnumripper avatar Dec 19 '19 07:12 magnumripper

OK maybe not. Let's say we have a pot line of WPA*00*pmk*essid:psk. To match it to input lines at load time, we'd need to try that PMK for post-processing each input line with matching ESSID, and if it passes we know we have a hit without needing to do the heavy PBKDF2 part.

Still, for a 1,000,000 entry input file and a 250,000 entry pot file, that will be some hard work at load time, or for --show. I'll need to try that out. Also, I'm not sure yet our current format interface allows this without fugly hacks.

magnumripper avatar Dec 19 '19 10:12 magnumripper
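A parser for the unified line format from the opening post, together with the check magnumripper sketches above (take the PMK from a pot line and test it against each input line with a matching ESSID, skipping PBKDF2), as an added example; this is not code from John the Ripper, hashcat or hcxtools. EAPOL-Key byte offsets follow IEEE 802.11i, the PMKID construction is HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA), and the MIC check covers key descriptor versions 1 (HMAC-MD5) and 2 (HMAC-SHA1) only. All MAC addresses, nonces, the ESSID and the PMK in `sample_lines` are constructed values, and the sample EAPOL frame is a synthetic message 2.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Offsets inside an EAPOL-Key frame, counted from the 4-byte EAPOL header
# (IEEE 802.11i): key info at 5, key nonce at 17, MIC at 81.
KEY_INFO_OFF, NONCE_OFF, MIC_OFF = 5, 17, 81


@dataclass
class WpaLine:
    type: int            # 01 = PMKID, 02 = EAPOL/MIC, 00 = proposed pot line
    pmkid_or_mic: bytes  # PMKID for TYPE 01, MIC for TYPE 02, PMK for TYPE 00
    mac_ap: bytes
    mac_sta: bytes
    essid: bytes
    anonce: bytes
    eapol: bytes         # whole EAPOL frame; hcxtools zeroes the MIC field
    messagepair: int


def parse_wpa_line(line: str) -> WpaLine:
    """Split WPA*TYPE*PMKID/MIC*MACAP*MACSTA*ESSID*ANONCE*EAPOL*MESSAGEPAIR."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA":
        raise ValueError("not a unified WPA hash line")
    # Every field except SIGNATURE is hex; empty fields decode to b"" / 0.
    return WpaLine(int(f[1], 16), bytes.fromhex(f[2]), bytes.fromhex(f[3]),
                   bytes.fromhex(f[4]), bytes.fromhex(f[5]), bytes.fromhex(f[6]),
                   bytes.fromhex(f[7]), int(f[8], 16) if f[8] else 0)


def parse_pot_line(line: str):
    """Pot line shape proposed above, WPA*00*PMK***ESSID***:password -> (pmk, essid, password)."""
    hash_part, password = line.rstrip("\n").split(":", 1)  # hash part is hex only, no ':'
    entry = parse_wpa_line(hash_part)
    if entry.type != 0:
        raise ValueError("pot line must use TYPE 00")
    return entry.pmkid_or_mic, entry.essid, password


def decode_messagepair(mp: int) -> dict:
    """Decode the MESSAGEPAIR bitmask listed in the opening post."""
    return {"message_pair": mp & 0x07,                 # bits 0-2: MP info
            "ap_less": bool(mp & 0x10),                # bit 4
            "le_router": bool(mp & 0x20),              # bit 5
            "be_router": bool(mp & 0x40),              # bit 6
            "replaycount_unchecked": bool(mp & 0x80)}  # bit 7


def kck_from_pmk(pmk, mac_ap, mac_sta, anonce, snonce) -> bytes:
    """First 16 bytes of PRF-512(PMK, "Pairwise key expansion", ...) = KCK."""
    data = min(mac_ap, mac_sta) + max(mac_ap, mac_sta) + min(anonce, snonce) + max(anonce, snonce)
    # Only PRF block 0 is needed for the KCK, so one HMAC-SHA1 suffices.
    return hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00", hashlib.sha1).digest()[:16]


def eapol_mic(kck: bytes, eapol: bytes, key_version: int) -> bytes:
    """MIC over the EAPOL frame with its MIC field zeroed (zeroed again here to be safe)."""
    frame = eapol[:MIC_OFF] + bytes(16) + eapol[MIC_OFF + 16:]
    if key_version == 1:
        return hmac.new(kck, frame, hashlib.md5).digest()
    if key_version == 2:
        return hmac.new(kck, frame, hashlib.sha1).digest()[:16]
    raise ValueError("key descriptor version 3 (AES-CMAC) is not handled in this example")


def pmk_matches(pmk: bytes, entry: WpaLine) -> bool:
    """The --show idea from the thread: verify a known PMK against one input line, no PBKDF2."""
    if entry.type == 1:
        pmkid = hmac.new(pmk, b"PMK Name" + entry.mac_ap + entry.mac_sta, hashlib.sha1).digest()[:16]
        return hmac.compare_digest(pmkid, entry.pmkid_or_mic)
    if entry.type == 2:
        snonce = entry.eapol[NONCE_OFF:NONCE_OFF + 32]           # SNONCE lives in the EAPOL field
        key_info = int.from_bytes(entry.eapol[KEY_INFO_OFF:KEY_INFO_OFF + 2], "big")
        kck = kck_from_pmk(pmk, entry.mac_ap, entry.mac_sta, entry.anonce, snonce)
        return hmac.compare_digest(eapol_mic(kck, entry.eapol, key_info & 0x07), entry.pmkid_or_mic)
    raise ValueError(f"TYPE {entry.type:02x} is not checkable")


def build_eapol_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """Constructed EAPOL-Key message 2 (RSN, key descriptor version 2), MIC field zeroed."""
    body = (b"\x02" + (0x010a).to_bytes(2, "big")     # descriptor RSN; key info: pairwise|MIC|v2
            + b"\x00\x00" + replay_counter.to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, IV, RSC, ID
            + bytes(16) + b"\x00\x00")                  # MIC placeholder, key data length 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 = Key


def sample_lines(pmk: bytes):
    """Constructed TYPE 01 and TYPE 02 lines whose PMKID/MIC were derived from `pmk`."""
    ap, sta, essid = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"TestNet"
    anonce, snonce = hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest()
    pmkid = hmac.new(pmk, b"PMK Name" + ap + sta, hashlib.sha1).digest()[:16]
    eapol = build_eapol_msg2(snonce)
    mic = eapol_mic(kck_from_pmk(pmk, ap, sta, anonce, snonce), eapol, 2)
    line01 = f"WPA*01*{pmkid.hex()}*{ap.hex()}*{sta.hex()}*{essid.hex()}***"
    line02 = f"WPA*02*{mic.hex()}*{ap.hex()}*{sta.hex()}*{essid.hex()}*{anonce.hex()}*{eapol.hex()}*02"
    return line01, line02


if __name__ == "__main__":
    pmk = bytes(range(32))  # constructed PMK, stands in for the pot-line value
    for line in sample_lines(pmk):
        entry = parse_wpa_line(line)
        print(f"TYPE {entry.type:02x}: match={pmk_matches(pmk, entry)}",
              decode_messagepair(entry.messagepair))
```

The matching routine only ever needs the 16-byte KCK, so a single HMAC-SHA1 per input line replaces the 4096-round PBKDF2; that is the cost saving behind the load-time matching idea, although the thread's concern about a million input lines against a quarter-million pot entries still holds, since every pot PMK has to be tried against every input line sharing its ESSID.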

The new hash line alone is worth it and will be a huge improvement for all.

ZerBea avatar Dec 21 '19 20:12 ZerBea

Now we have another (portable) conversion tool for the new hash line: https://github.com/s77rt/cap2hccapx/issues/1

ZerBea avatar Dec 27 '19 21:12 ZerBea