i8igmac Posted June 6, 2017

(Pyrit example command below)

First I'll start with my problem with pyrit. Output logging is hacky: after 15 hours of work, there should be something logged to the file like "Password is or was not found". Notice 2>&1 should log both stdout and stderr to a file. If I grep through the log file, the password string does not exist (15 hours of work). If I test this with a small dictionary file, I achieve different results: the password string exists and is grepable (5 minutes of work).

pyrit -r handshakes.cap -i Rocktastic12a -b XX:XX:XX:XX:XX attack_passthrough 2>&1 | tee -a resaults.log

Love the application, it works for the most part, but it seems there has not been much improvement since 2014. So, what about hashcat? This is my first attempt poking around; I knew of its existence but felt that pyrit works just fine, so no need to bother with hashcat.

(Hashcat) I have installed it, then ran the examples provided, and I like the detailed output. Rocktastic cracked an enormous amount of the example hashes. Pretty cool... Now when I try to run hashcat on my handshake.cap file, I notice I have to convert to hashcat format with cap2hccapx. I installed hashcat-utils-1.8 and ran cap2hccapx on my aircrack capture file and see this error.

hashcat-utils-1.8/src $ ./cap2hccapx.bin ../../out.pcap-01.cap output.hccapx
Zero value timestamps detected in file: ../../out.pcap-01.cap.
This prevents correct EAPOL-Key timeout calculation.
Do not use preprocess the capture file with tools such as wpaclean.

If I remember, this file was straight from aircrack. I did not run cleanup tools. I tried another tool that converts cap files to hashcat format, hcxtools. This attempt just looks ugly when I pass the newly generated cap.hccapx.... Could an outdated version of aircrack (1.2 rc4) be the cause of this struggle? The good news is, hashcat is updated consistently and has a large IRC channel.
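A quick check for the "Zero value timestamps" error above, added here and not taken from the thread or from any of the tools it mentions: this Python walks the record headers of a classic libpcap file and reports which records carry an all-zero timestamp, so you can see whether the capture itself is the problem before trying another converter. It assumes a classic pcap file (not pcapng) and, instead of a real capture, uses a constructed three-record sample built with the `pcap_record` helper.

```python
import struct

CLASSIC_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond / nanosecond libpcap magic
GLOBAL_HEADER_LEN, RECORD_HEADER_LEN = 24, 16


def zero_timestamp_records(data: bytes):
    """Return (total_records, [indices of records with ts_sec == ts_frac == 0]).

    That zero/zero condition is what cap2hccapx rejects.  Raises ValueError on
    pcapng/unknown magic or truncation so a damaged file is never reported clean.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than a pcap global header")
    if struct.unpack("<I", data[:4])[0] in CLASSIC_MAGICS:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in CLASSIC_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    total, zeros, off = 0, [], GLOBAL_HEADER_LEN
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        if off + incl_len > len(data):
            raise ValueError(f"truncated packet data in record {total}")
        if ts_sec == 0 and ts_frac == 0:
            zeros.append(total)
        total += 1
        off += incl_len
    return total, zeros


def pcap_record(ts_sec: int, ts_frac: int, payload: bytes) -> bytes:
    """Little-endian record header plus payload, for building sample data."""
    return struct.pack("<IIII", ts_sec, ts_frac, len(payload), len(payload)) + payload


# Constructed sample, not a real capture: three records, the middle one with a
# zero timestamp.  Global header = magic, v2.4, zone 0, sigfigs 0, snaplen
# 65535, linktype 105 (LINKTYPE_IEEE802_11); frame bodies are placeholder zeros.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    + pcap_record(1496700000, 12345, b"\x00" * 40)
    + pcap_record(0, 0, b"\x00" * 40)
    + pcap_record(1496700001, 67890, b"\x00" * 40)
)
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes in; the check only tells you whether zero timestamps are present, not why the capturing tool wrote them.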
digip Posted June 6, 2017 (edited)

I generally use john. When done, if I can't see a password in the terminal because it scrolled off screen, you type "john hashfile.txt --show" where hashfile.txt was what you were trying to crack, and if found, it will show you what hashes were cracked. With the other tools, I've dabbled with hashcat, but I don't have a GPU to use with it (since I use it in a VM) and have always had to use the older CPU-only version, where John just seems so much faster in this respect when I can fork 40 threads on a rockyou.txt file and crack in minutes (if not hours, depending on the hash type).

edit: forgot to mention, you have to convert the pcap file to use with john. Also note, you can pipe crunch directly into aircrack if you want to brute all possible combos, but anything over 8 in length is going to take forever, where good wordlists are better suited. GPU cracking on a high-end rig is probably the way to go these days though, I just don't have that kind of budget.

Edited June 6, 2017 by digip
i8igmac Posted June 6, 2017 (edited)

I'll check out john. Also looking into OpenCL vs CUDA. I currently hacked up a logging function with pyrit. I would hate to see 100 hours of work go by and fail to see a success... This function would also allow me to recover the attack from any location in the word list.

I'm running 2 GPUs and 2 decent CPUs... blew all the dust out of the fans for the long haul. 14000 PSKs, 22000 PSKs. A 3rd GPU is sitting on a bench; I expect 40,000 PSKs from this GPU and pyrit... I want to try extreme overclocking with home-brew cooling... I would like to see how much I can squeeze out of a dirt-cheap GPU but also keep things stable.

Edited June 6, 2017 by i8igmac
digip Posted June 6, 2017

I haven't used pyrit yet, but check the man pages or documentation. Nearly all of these tools log found passwords.
EvilMog Posted June 7, 2017

Disclaimer: I am not a hashcat developer, but I am on Team Hashcat. I am going to apologize for some corrections, but they need to be made.

1) wpaclean is part of the aircrack-ng suite; it should not be used for extracting hashes from WPA traffic for use in hashcat. The format it extracts in has been superseded, and any requests for support using it will be denied. There is an alternative, wlandump from hcxtools https://github.com/ZerBea/hcxtools, which is supported under the most recent versions of hashcat. These tools are very specific and purpose built; other tools in the suite include:

wlandump-ng - Small, fast and simple but powerful WLAN scanner
wlanresponse - Extremely fast deauthentication/authentication/response tool
wlanrcascan - Small, fast and simple passive WLAN channel assignment scanner (status output)
pioff - Turns Raspberry Pi off via GPIO switch
wlancapinfo - Shows info of pcap file
wlancap2hcx - Converts cap to hccapx (recommended for use with wlandump-ng and wlanresponse)
wlanhcx2cap - Converts hccapx to cap
wlanhc2hcx - Converts hccap to hccapx
wlanhcx2essid - Merges hccapx containing the same ESSID
wlanhcx2ssid - Strips BSSID, ESSID, OUI
wlanhcx2john - Converts hccapx to format expected by John the Ripper
wlanhcxinfo - Shows detailed info from contents of hccapx file
wlanhcxmnc - Manually do nonce correction on byte number xx of a nonce
whoismac - Show vendor information
pwhash - Generate hash of a word by using a given charset

2) from your post "I generally use john. When done, if I can't see a password in the terminal because it scrolled off screen, you type "john hashfile.txt --show"" - hashcat has had this support for some time with --show, also --username if you are using a dump with usernames, so there is no need to use john.

3) from your post "I've dabbled with hashcat, but I don't have a GPU to use with it" - hashcat supports CPU as of 3.00 with the correct OpenCL libraries.

4) from your post "had to use the older CPU only version, where John just seems so much faster in this respect" - hashcat's OpenCL CPU code is multiple times faster than John's native CPU code because the algorithms are optimized at the math level.

5) from your post "you can pipe crunch directly into aircrack" - crunch is a legacy processor; you really should be using hashcat-utils maskprocessor instead, it's much faster. That being said, you don't need to use it, as hashcat has it built in with -a 3, plus it's Markov-chain optimized.

In summary: stop using legacy tools like pyrit; they haven't been updated in ages and no new research is being done. The guy who is writing hcxtools is the one who pushes WPA cracking today. There has not been any improvement on WPA-based attacks for a long time for aircrack-ng and pyrit, and both fail to do deauth attacks cleanly (without creating invalid handshakes).

For some good reading:
WPA Cracking with hashcat https://hashcat.net/forum/thread-6150.html
New parameter: --nonce-error-corrections https://hashcat.net/forum/thread-6361.html
hashcat v3.00 release notes https://hashcat.net/forum/thread-5559.html

For anything else please visit the hashcat forums, wiki and IRC channel.
i8igmac Posted June 7, 2017 (edited)

3 hours ago, EvilMog said: (quoting the post above in full)

I did try out hcxtools; the hccapx generated with no errors, but when I attempt to start hashcat (I'll try and post the results) it just looks like an ugly mess... it says no hashes loaded. There was no cleaning done by any scripted tools. It's a fresh cap file from aircrack-ng 1.2 rc4.

Edited June 8, 2017 by i8igmac
digip Posted June 8, 2017

Quote: 2) from your post "I generally use john. When done, if I can't see a password in the terminal because it scrolled off screen, you type "john hashfile.txt --show"" - hashcat has had this support for some time with --show, also --username if you are using a dump with usernames so there is no need to use john

Good to know. As for speed, I'm using these in a Kali VM, and personally, John has been faster for me with wordlists, but that's just my experience. In Kali, the latest would only run on GPU; I had to remove and install the older version of hashcat to use it against the CPU in my VM, but that was a while ago, using 2016.1 or 2, and I haven't tried recently. Using --fork=## john is also plenty fast for my needs. I'm not dumping databases with thousands of hashes that need cracking. It's mostly one-offs from vulnhub CTFs.