Separator unmatched on 16800 pmkid

ha$hed · Apr 7, 2019

I'm working on cracking a pmkid file. I have collected pcap file using bettercap.

Then convert using this:

hcxpcaptool -z bettercap-wifi-handshakes.pcap.pmkid bettercap-wifi-handshakes.pcap

They appear to convert:
summary:
file name....................: bettercap-wifi-handshakes.pcap
file type....................: pcap 2.4
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianness...................: little endian
read errors..................: flawless
packets inside...............: 185
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 6
beacons (with ESSID inside)..: 7
probe responses..............: 6
EAPOL packets................: 172
EAPOL PMKIDs.................: 10
best handshakes..............: 5 (ap-less: 0)

4 PMKID(s) written to bettercap-wifi-handshakes.pcap.pmkid

I then try to run hashcat against it and it returns "separator unmatched" for all of my entries. This is a simple 2 digit test below. What is going on here?

hashcat -m16800 -a3 -w3 bettercap-wifi-handshakes.pcap.pmkid %d%d --force
hashcat (v5.1.0-849-gcf8c815c) starting...

OpenCL Platform #1: The pocl project
Device #1: pthread-Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz, 256/738 MB allocatable, 1MCU
Hashfile 'bettercap-wifi-handshakes.pcap.pmkid' on line 1 (048614...59a934d61726368303332382f322e34): Separator unmatched
Hashfile 'bettercap-wifi-handshakes.pcap.pmkid' on line 2 (947be6...d5bc0e1008b148e785*443542433045): Separator unmatched
Hashfile 'bettercap-wifi-handshakes.pcap.pmkid' on line 3 (4128f6...4b656e6e65792773204e6574776f726b): Separator unmatched
Hashfile 'bettercap-wifi-handshakes.pcap.pmkid' on line 4 (462f44...4b656e6e65792773204e6574776f726b): Separator unmatched

capric0rnu$ · Apr 7, 2019

give us yours PMKIDs

freeroute · Apr 7, 2019

Note.
Hascat and hcxtools changed potfile, outfile and hashlines.
User should read changelog.

02.04.2019
==========
Due to hashcat changes:
"WPA/WPA2 cracking: In the potfile, replace password with PMK in order
to detect already cracked networks across all WPA modes"

WPA/WPA2 cracking: In the potfile, replace password with PMK in order… · hashcat/hashcat@b8d609b

… to detect already cracked networks across all WPA modes

github.com

hcxpcaptool: added new option -k to convert dumpfile to new hashcat PMKID format

new option -k is for hashcat git (> 5.1.0)
potfile changed
outfile changed

Developer pushed an update. Now hcxpacptool will give an info that PMKIDs are stored in old format!!

kevi · Apr 7, 2020

freeroute said:
Note.
Hascat and hcxtools changed potfile, outfile and hashlines.
User should read changelog.

02.04.2019
==========
Due to hashcat changes:
"WPA/WPA2 cracking: In the potfile, replace password with PMK in order
to detect already cracked networks across all WPA modes"

WPA/WPA2 cracking: In the potfile, replace password with PMK in order… · hashcat/hashcat@b8d609b

… to detect already cracked networks across all WPA modes

github.com

hcxpcaptool: added new option -k to convert dumpfile to new hashcat PMKID format

new option -k is for hashcat git (> 5.1.0)
potfile changed
outfile changed

Developer pushed an update. Now hcxpacptool will give an info that PMKIDs are stored in old format!!

What to do if using v5.1.0 stable(without upgrading)
Convrted to pmkid using multicap tried to crack gives above error

freeroute · Apr 7, 2020

Recommendation by the developer of hcxtools/hcxdumptool:
Read the help menu
-k <file> : output PMKID file (hashcat hashmode -m 16800 new format)
-z <file> : output PMKID file (hashcat hashmode -m 16800 old format and john)

pasnger57 · Apr 7, 2020

ha$hed said:
I'm working on cracking a pmkid file. I have collected pcap file using bettercap. <------- per this you you calme you use better cap

Then convert using this:

hcxpcaptool -z bettercap-wifi-handshakes.pcap.pmkid bettercap-wifi-handshakes.pcap <----------- but hear you show your command youand you used hcxpcaptool and just use a name

They appear to convert:
summary:
file name....................: bettercap-wifi-handshakes.pcap
file type....................: pcap 2.4
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianness...................: little endian
read errors..................: flawless
packets inside...............: 185
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 6
beacons (with ESSID inside)..: 7
probe responses..............: 6
EAPOL packets................: 172
EAPOL PMKIDs.................: 10
best handshakes..............: 5 (ap-less: 0)

4 PMKID(s) written to bettercap-wifi-handshakes.pcap.pmkid

I then try to run hashcat against it and it returns "separator unmatched" for all of my entries. This is a simple 2 digit test below. What is going on here?

hashcat -m16800 -a3 -w3 bettercap-wifi-handshakes.pcap.pmkid %d%d --force
hashcat (v5.1.0-849-gcf8c815c) starting...

OpenCL Platform #1: The pocl project
Device #1: pthread-Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz, 256/738 MB allocatable, 1MCU
Hashfile 'bettercap-wifi-handshakes.pcap.pmkid' on line 1 (048614...59a934d61726368303332382f322e34): Separator unmatched
Hashfile 'bettercap-wifi-handshakes.pcap.pmkid' on line 2 (947be6...d5bc0e1008b148e785*443542433045): Separator unmatched
Hashfile 'bettercap-wifi-handshakes.pcap.pmkid' on line 3 (4128f6...4b656e6e65792773204e6574776f726b): Separator unmatched
Hashfile 'bettercap-wifi-handshakes.pcap.pmkid' on line 4 (462f44...4b656e6e65792773204e6574776f726b): Separator unmatched

and that is just the 1st i can tell what what going wrong hear

pasnger57 · Apr 7, 2020

lest just step back to capture a pmkid ... if butter cap can it i be kool but last i know just hcxdumptool did

i guess youc an stip some pmkids out of old .air dump .caps

pasnger57 · Apr 7, 2020

ok and now that i see buttercap just uses ariodump-ng any how ....

kevi · Apr 7, 2020

Using Hashcat v5.1.0
-k -->rule right
-z -->brain-client
Read both ZerBea tools readme never came across -k or -z in it
Found this instead
hcxhashcattool -->Convert old hashcat (<= 5.1.0) separate potfile (2500 and/or 16800) to new potfile format

kevi · Apr 7, 2020

pasnger57 said:
ok and now that i see buttercap just uses ariodump-ng any how ....

???Its bettercap -->Spoon feed all in one like tool for lazy people who don't want to type command

kevi · Apr 7, 2020

freeroute said:
Recommendation by the developer of hcxtools/hcxdumptool:
Read the help menu
-k <file> : output PMKID file (hashcat hashmode -m 16800 new format)
-z <file> : output PMKID file (hashcat hashmode -m 16800 old format and john)

Got it it is in hcxtool readme?
so multicap converter fails in this

freeroute · Apr 8, 2020

Just a note: detection of M2M3 message on aircrack-ng is broken:
https://github.com/aircrack-ng/aircrack-ng/issues/2136#issue-586206301

kevi · Apr 8, 2020

freeroute said:
Just a note: detection of M2M3 message on aircrack-ng is broken:
https://github.com/aircrack-ng/aircrack-ng/issues/2136#issue-586206301

I was about to ask that
Gald you made a note

Separator unmatched on 16800 pmkid

ha$hed

Member

capric0rnu$

Active member

freeroute

Community Manager

WPA/WPA2 cracking: In the potfile, replace password with PMK in order… · hashcat/hashcat@b8d609b

kevi

Active member

WPA/WPA2 cracking: In the potfile, replace password with PMK in order… · hashcat/hashcat@b8d609b

freeroute

Community Manager

pasnger57

Active member

pasnger57

Active member

pasnger57

Active member

kevi

Active member

kevi

Active member

kevi

Active member

freeroute

Community Manager

kevi

Active member