Delayed-AP-Attack-Mine besside & wpa.cap check?


akmartinez

Hello everyone,

I'm having a problem with the wpa.cap file created by besside through the Delayed-AP-Attack-Mine payload.

I see the Owl loot saved the besside.log, wpa.cap, and wep.cap files. The log tells me some WPA handshakes were captured and looks like there are no errors.

I followed the readme.md associated with the payload and did an "aircrack-ng -J filebase wpa.cap" and received a success message in creating a hashcat filebase.hccap file for the SSID I'm testing on.

When I run "hashcat -m 2500 filebase.hccap -w /wordlist" (wordlist is not the full name/path) I get an error that mode 2500 has been deprecated and to use mode 22000.
I used mode 22000 and then receive an error message of an unmatched separator.

I'm still a little new to some of this but I tried to do some research and so far can't see what I might be doing wrong. If anyone can nudge me in the right direction I'd appreciate it.

Also if it's relevant, could it be I need to do an update/upgrade on the distro and apps installed on the Owl? If that's possible?

Here is some of the input/output from using aircrack-ng and hashcat...

----------
$ hashcat -m 22000 filebase.hccap /usr/share/fern-wifi-cracker/extras/wordlists/common.txt

hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-Intel(R) Core(TM) i9-10850K CPU @ 3.60GHz, 63289/126643 MB (16384 MB allocatable), 20MCU

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashfile 'filebase.hccap' on line 1 (test): Separator unmatched
Hashfile 'filebase.hccap' on line 2 (): Separator unmatched
No hashes loaded.

Started: Mon Mar 13 11:01:55 2023
Stopped: Mon Mar 13 11:01:55 2023


----------
aircrack-ng -J filebase wpa.cap
Reading packets, please wait...
Opening wpa.cap
Read 12 packets.

   #  BSSID              ESSID                     Encryption

   1  A6:04:60:xx:xx:xx  hiding from forum                WPA (1 handshake)
   2  A6:04:60:xx:xx:xx  hiding from forum                WPA (1 handshake)
   3  AA:04:60:xx:xx:xx  hiding from forum                WPA (1 handshake)
   4  AA:04:60:xx:xx:xx  hiding from forum               WPA (1 handshake)

Index number of target network ? 1

Reading packets, please wait...
Opening wpa.cap
Read 12 packets.

1 potential targets

Building Hashcat file...

[*] ESSID (length: 10): test
[*] Key version: 2
[*] BSSID: A6:04:60:xx:xx:xx
[*] STA: D0:E7:xx:xx:xx:xx
[*] anonce:
        removed for forum
[*] snonce:
     removed for forum
[*] Key MIC:
    removed for forum
[*] eapol:
    removed for forum
    
   

Successfully written to filebase.hccap

 

----------
 

hashcat -m 22000 filebase.hccap /usr/share/fern-wifi-cracker/extras/wordlists/common.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-Intel(R) Core(TM) i9-10850K CPU @ 3.60GHz, 63289/126643 MB (16384 MB allocatable), 20MCU

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashfile 'filebase.hccap' on line 1 (test): Separator unmatched
Hashfile 'filebase.hccap' on line 2 (): Separator unmatched
No hashes loaded.

Started: Mon Mar 13 11:03:09 2023
Stopped: Mon Mar 13 11:03:09 2023


8 hours ago, akmartinez said:

When I run "hashcat -m 2500 filebase.hccap -w /wordlist" (wordlist is not the full name/path) I get an error that mode 2500 has been deprecated and to use mode 22000.

Mode 2500 is (as you mention) deprecated since Hashcat 6.0.0
https://hashcat.net/forum/thread-10253.html

8 hours ago, akmartinez said:

I used mode 22000 and then receive an error message of an unmatched separator.

You can't just change the "m" flag mode/type to 22000 and expect that Hashcat will accept the input file "as is".

The input needs to be converted to 22000 format using this online tool (or locally/offline using hcxpcapngtool)
https://hashcat.net/cap2hashcat/

However, besside-ng specifically is one of the "source tools" that should be avoided. The payload is 4 years old and things happen over time, especially fast when in the cyber sec domain. Tools evolve.

8 hours ago, akmartinez said:

Also if it's relevant, could it be I need to do an update/upgrade on the distro and apps installed on the Owl?

I wouldn't do that without specific knowledge, and also be prepared that Owl things could break. You could try to build your own ipk:s of the tools needed, but in this specific case you won't be any happier using a more recent version of besside-ng if you plan to use Hashcat, since it's still something to avoid (according to Hashcat).
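
The format mismatch described in the reply above can be checked before the file is handed to Hashcat. The following is an added example, not part of the original thread and not code from Hashcat or aircrack-ng: it tells a legacy binary .hccap record apart from a mode 22000 text file and from a raw capture. The record sizes and field layout are the commonly documented ones, the sample data is constructed, and the function names are hypothetical. A .hccap record begins with the ESSID bytes, which is consistent with Hashcat echoing `test` as "line 1" in the error output.

```python
HCCAP_RECORD = 392    # legacy .hccap: fixed-size binary struct, ESSID in bytes 0..35
HCCAPX_RECORD = 393   # .hccapx: binary struct that starts with the magic b"HCPX"
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

def is_22000_line(line: bytes) -> bool:
    """Mode 22000 is ASCII text: WPA*TYPE*MIC_or_PMKID*AP*STA*ESSID*ANONCE*EAPOL*MP"""
    parts = line.strip().split(b"*")
    if len(parts) != 9 or parts[0] != b"WPA" or parts[1] not in (b"01", b"02"):
        return False
    try:
        # MIC/PMKID is 16 bytes of hex, each MAC address is 6 bytes of hex
        sizes = [len(bytes.fromhex(p.decode("ascii"))) for p in parts[2:5]]
    except ValueError:
        return False
    return sizes == [16, 6, 6]

def hccap_essid(data: bytes) -> str:
    """ESSID stored NUL-padded at the start of a .hccap record."""
    return data[:36].split(b"\x00", 1)[0].decode("latin-1")

def identify(data: bytes) -> str:
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    if data[:4] == PCAPNG_MAGIC:
        return "pcapng"
    if data[:4] == b"HCPX" and len(data) % HCCAPX_RECORD == 0:
        return "hccapx"
    lines = [l for l in data.splitlines() if l.strip()]
    if lines and all(is_22000_line(l) for l in lines):
        return "22000"
    if data and len(data) % HCCAP_RECORD == 0:
        return "hccap"
    return "unknown"

# Constructed samples (not taken from the thread's capture)
SAMPLE_HCCAP = b"test".ljust(36, b"\x00") + bytes(HCCAP_RECORD - 36)
SAMPLE_22000 = (b"WPA*02*" + b"00" * 16 + b"*020000000001*020000000002*"
                + b"74657374*" + b"00" * 32 + b"*0103*02\n")

if __name__ == "__main__":
    for name, blob in (("hccap sample", SAMPLE_HCCAP), ("22000 sample", SAMPLE_22000)):
        print(name, "->", identify(blob))
```

A result of `hccap` or `hccapx` means the file has to be regenerated from the original capture with the converter named in the reply; changing only the `-m` value leaves the binary layout untouched.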
