
Delayed-AP-Attack-Mine besside & wpa.cap check?


akmartinez


Hello everyone,

I'm having a problem with the wpa.cap file created by besside through the Delayed-AP-Attack-Mine payload.

I see the Owl loot saved the besside.log, wpa.cap, and wep.cap files. The log tells me some WPA handshakes were captured and looks like there are no errors.

I followed the readme.md associated with the payload and did an "aircrack-ng -J filebase wpa.cap" and received a success message in creating a hashcat filebase.hccap file for the SSID I'm testing on.

When I run "hashcat -m 2500 filebase.hccap -w /wordlist" (wordlist is not the full name/path) I get an error that mode 2500 has been deprecated and to use mode 22000.
I used mode 22000 and then received an error message of an unmatched separator.

I'm still a little new to some of this but I tried to do some research and so far can't see what I might be doing wrong. If anyone can nudge me in the right direction I'd appreciate it.

Also, if it's relevant, could it be I need to do an update/upgrade on the distro and apps installed on the Owl, if that's possible?

Here is some of the input/output from using aircrack-ng and hashcat...

----------
$ hashcat -m 22000 filebase.hccap /usr/share/fern-wifi-cracker/extras/wordlists/common.txt

hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-Intel(R) Core(TM) i9-10850K CPU @ 3.60GHz, 63289/126643 MB (16384 MB allocatable), 20MCU

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashfile 'filebase.hccap' on line 1 (test): Separator unmatched
Hashfile 'filebase.hccap' on line 2 (): Separator unmatched
No hashes loaded.

Started: Mon Mar 13 11:01:55 2023
Stopped: Mon Mar 13 11:01:55 2023


----------
aircrack-ng -J filebase wpa.cap
Reading packets, please wait...
Opening wpa.cap
Read 12 packets.

   #  BSSID              ESSID                     Encryption

   1  A6:04:60:xx:xx:xx  hiding from forum                WPA (1 handshake)
   2  A6:04:60:xx:xx:xx  hiding from forum                WPA (1 handshake)
   3  AA:04:60:xx:xx:xx  hiding from forum                WPA (1 handshake)
   4  AA:04:60:xx:xx:xx  hiding from forum               WPA (1 handshake)

Index number of target network ? 1

Reading packets, please wait...
Opening wpa.cap
Read 12 packets.

1 potential targets

Building Hashcat file...

[*] ESSID (length: 10): test
[*] Key version: 2
[*] BSSID: A6:04:60:xx:xx:xx
[*] STA: D0:E7:xx:xx:xx:xx
[*] anonce:
        removed for forum
[*] snonce:
     removed for forum
[*] Key MIC:
    removed for forum
[*] eapol:
    removed for forum
    
   

Successfully written to filebase.hccap

 

----------
 

hashcat -m 22000 filebase.hccap /usr/share/fern-wifi-cracker/extras/wordlists/common.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-Intel(R) Core(TM) i9-10850K CPU @ 3.60GHz, 63289/126643 MB (16384 MB allocatable), 20MCU

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashfile 'filebase.hccap' on line 1 (test): Separator unmatched
Hashfile 'filebase.hccap' on line 2 (): Separator unmatched
No hashes loaded.

Started: Mon Mar 13 11:03:09 2023
Stopped: Mon Mar 13 11:03:09 2023


8 hours ago, akmartinez said:

When I run "hashcat -m 2500 filebase.hccap -w /wordlist" (wordlist is not the full name/path) I get an error that mode 2500 has been deprecated and to use mode 22000.

Mode 2500 is (as you mention) deprecated since Hashcat 6.0.0
https://hashcat.net/forum/thread-10253.html

8 hours ago, akmartinez said:

I used mode 22000 and then received an error message of an unmatched separator.

You can't just change the "m" flag mode/type to 22000 and expect that Hashcat will accept the input file "as is".

The input needs to be converted to 22000 format using this online tool (or locally/offline using hcxpcapngtool)
https://hashcat.net/cap2hashcat/

However, besside-ng specifically is one of the "source tools" that should be avoided. The payload is 4 years old and things happen over time, especially fast when in the cyber sec domain. Tools evolve.

8 hours ago, akmartinez said:

Also if it's relevant, could it be I need to do an update/upgrade on the distro and apps installed on the Owl?

I wouldn't do that without specific knowledge, and also be prepared that Owl things could break. You could try to build your own ipks of the tools needed, but in this specific case you won't be any happier using a more recent version of besside-ng if you plan to use Hashcat, since it's still something to avoid (according to Hashcat).
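
Added example, not part of either post: a small Python check that tells which container a file actually is, which is why a legacy .hccap written by "aircrack-ng -J" produces "Separator unmatched" under -m 22000. The function names and sample data are constructed for illustration; the 392-byte hccap record layout and the nine-field WPA*01/02 line layout are assumptions stated in the comments.

```python
import struct

# Assumed legacy hccap record layout (392 bytes): essid[36] mac1[6] mac2[6]
# nonce1[32] nonce2[32] eapol[256] eapol_size(int) keyver(int) keymic[16]
HCCAP = struct.Struct("<36s6s6s32s32s256sII16s")

def is_22000_line(line: str) -> bool:
    """A -m 22000 line is WPA*01|02*... with nine '*'-separated fields."""
    f = line.strip().split("*")
    return len(f) == 9 and f[0] == "WPA" and f[1] in ("01", "02")

def identify(data: bytes) -> str:
    """Label the container held in data by magic bytes or structure."""
    if data[:4] == b"\x0a\x0d\x0d\x0a":
        return "pcapng"
    if data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1"):
        return "pcap"
    if data[:4] == b"HCPX":
        return "hccapx"
    try:
        lines = [l for l in data.decode("ascii").splitlines() if l.strip()]
        if lines and all(is_22000_line(l) for l in lines):
            return "22000"
    except UnicodeDecodeError:
        pass
    if data and len(data) % HCCAP.size == 0:
        eapol_size, keyver = HCCAP.unpack(data[:HCCAP.size])[6:8]
        if eapol_size <= 256 and keyver in (1, 2, 3):
            return "hccap"
    return "unknown"

def advice(kind: str) -> str:
    if kind == "22000":
        return "ok: load with hashcat -m 22000"
    if kind in ("pcap", "pcapng"):
        return "convert the capture with hcxpcapngtool or cap2hashcat first"
    if kind in ("hccap", "hccapx"):
        return "legacy mode-2500 container: re-convert the original capture"
    return "unrecognised input"

# Constructed sample data, not taken from the thread.
SAMPLE_HCCAP = HCCAP.pack(b"test", bytes(6), bytes(6), bytes(32), bytes(32),
                          bytes(256), 121, 2, bytes(16))
SAMPLE_22000 = ("WPA*02*" + "0" * 32 + "*" + "0" * 12 + "*" + "0" * 12
                + "*74657374*" + "0" * 64 + "*" + "0" * 242 + "*00\n").encode()

if __name__ == "__main__":
    for name, blob in (("filebase.hccap", SAMPLE_HCCAP),
                       ("hash.hc22000", SAMPLE_22000)):
        print(name, "->", identify(blob), "->", advice(identify(blob)))
```

The binary hccap record begins with the raw ESSID bytes, so a text parser sees "test" followed by binary data and finds none of the expected "*" separators.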
