Tip of the day

freeroute

Moderator
Staff member
Moderator
Super Moderator
Joined
Dec 30, 2019
Messages
19,802
Reaction score
79
How to create a dictionary using hashcat with any rule file (or check a custom rule file)

Code:

"hashcat --stdout dictionary.txt -r /usr/share/hashcat/rules/nsa64.rule -o generated_candidates.txt"

------------------------------------------------------------------------------------------------------------------------------------------------------------
"Passwords are like underwear: don't let people see it, change it very often, and you shouldn't share it with strangers"

Chris Pirillo

 

freeroute

How to check the Message Integrity Code (MIC) of a 4-way handshake.

Method 1.:

"wlanhcxinfo -i handshake.hccapx -M"

Note: "wlanhcxinfo" is a part of the hcxtools package.

Method 2.:

Using a Python script (coded by Alex, site owner of wpa-sec.stanev.org)

Script usage: "mic.py handshake.hccapx"

Output:

Message Integrity Code: 68e5aa7dda3ed236929ea94c3ed67d9d
Message Integrity Code: a920c43e3c07a1f14d76e2fbe572b2ab
Message Integrity Code: a920c43e3c07a1f14d76e2fbe572b2ab
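Added example (Python, written for this edit; it is neither Alex's mic.py nor part of hcxtools): it parses hccapx v4 records and lists the MIC of each, which is the same information wlanhcxinfo -M prints, and it also recomputes the MIC for a given passphrase, which is how you confirm that a capture of your own network is complete and usable before spending GPU time on it. The record it runs on is constructed inside the code (ESSID, passphrase, MACs and nonces are all made up), so it runs offline; keyver 3 (AES-CMAC) is deliberately not handled.

```python
import hashlib
import hmac
import struct

# hccapx v4 record layout (393 bytes, little-endian), per hashcat's hccapx specification:
# signature, version, message_pair, essid_len, essid[32], keyver, keymic[16],
# mac_ap[6], nonce_ap[32], mac_sta[6], nonce_sta[32], eapol_len, eapol[256]
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
SIGNATURE = b"HCPX"
MIC_OFFSET = 81  # offset of the 16-byte MIC field inside an EAPOL-Key frame


def parse_hccapx(data: bytes) -> list:
    """Split a .hccapx blob into records (the fields wlanhcxinfo / mic.py report)."""
    if len(data) % HCCAPX.size:
        raise ValueError("size is not a multiple of 393 bytes")
    records = []
    for off in range(0, len(data), HCCAPX.size):
        (sig, _ver, msg_pair, essid_len, essid, keyver, mic, mac_ap, anonce,
         mac_sta, snonce, eapol_len, eapol) = HCCAPX.unpack_from(data, off)
        if sig != SIGNATURE:
            raise ValueError(f"bad signature at offset {off}")
        records.append({"message_pair": msg_pair, "essid": essid[:essid_len],
                        "keyver": keyver, "mic": mic, "mac_ap": mac_ap, "mac_sta": mac_sta,
                        "anonce": anonce, "snonce": snonce, "eapol": eapol[:eapol_len]})
    return records


def list_mics(data: bytes) -> list:
    """Same information as `wlanhcxinfo -M`: one hex MIC per record."""
    return [r["mic"].hex() for r in parse_hccapx(data)]


def derive_ptk(pmk, mac_ap, mac_sta, anonce, snonce) -> bytes:
    """IEEE 802.11 PRF-512: PTK from PMK, both MACs and both nonces. The KCK is PTK[:16]."""
    b = min(mac_ap, mac_sta) + max(mac_ap, mac_sta) + min(anonce, snonce) + max(anonce, snonce)
    a = b"Pairwise key expansion"
    return b"".join(hmac.new(pmk, a + b"\x00" + b + bytes([i]), hashlib.sha1).digest()
                    for i in range(4))[:64]


def compute_mic(kck: bytes, keyver: int, eapol: bytes) -> bytes:
    """MIC over the EAPOL frame with its MIC field zeroed (keyver 1 = HMAC-MD5, 2 = HMAC-SHA1)."""
    if keyver == 1:
        digest = hashlib.md5
    elif keyver == 2:
        digest = hashlib.sha1
    else:
        raise NotImplementedError("keyver 3 uses AES-128-CMAC, not shown here")
    frame = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, frame, digest).digest()[:16]


def verify_record(rec: dict, passphrase: str) -> bool:
    """True if the record's stored MIC is the one this passphrase produces."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), rec["essid"], 4096, 32)
    kck = derive_ptk(pmk, rec["mac_ap"], rec["mac_sta"], rec["anonce"], rec["snonce"])[:16]
    return hmac.compare_digest(compute_mic(kck, rec["keyver"], rec["eapol"]), rec["mic"])


def build_record(essid: bytes, passphrase: str, mac_ap, mac_sta, anonce, snonce) -> bytes:
    """Constructed hccapx record: a minimal 99-byte EAPOL-Key M2 whose MIC matches the passphrase."""
    eapol = (bytes([0x01, 0x03, 0x00, 95, 0x02, 0x01, 0x0a, 0x00, 0x00])  # EAPOL hdr, descriptor, key info, key len
             + (1).to_bytes(8, "big")   # replay counter
             + snonce                   # key nonce
             + bytes(32)                # key IV, RSC, key ID
             + bytes(16)                # MIC placeholder
             + b"\x00\x00")             # key data length
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)
    mic = compute_mic(derive_ptk(pmk, mac_ap, mac_sta, anonce, snonce)[:16], 2, eapol)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]
    return HCCAPX.pack(SIGNATURE, 4, 2, len(essid), essid, 2, mic,
                       mac_ap, anonce, mac_sta, snonce, len(eapol), eapol)


# Constructed sample: locally administered MACs, deterministic nonces, a made-up passphrase.
SAMPLE_PASSPHRASE = "constructed-passphrase"
SAMPLE_HCCAPX = build_record(b"ConstructedNet", SAMPLE_PASSPHRASE,
                             bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                             bytes(range(32)), bytes(range(32, 64)))

if __name__ == "__main__":
    for rec in parse_hccapx(SAMPLE_HCCAPX):
        print("Message Integrity Code:", rec["mic"].hex(), "| ESSID:", rec["essid"].decode(),
              "| valid for passphrase:", verify_record(rec, SAMPLE_PASSPHRASE))
```

To run it on a real file, replace SAMPLE_HCCAPX with `open("handshake.hccapx", "rb").read()`; compute_mic zeroes the MIC field itself, so it does not matter whether the converter stored the EAPOL frame with the MIC intact or nulled.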
 

freeroute

Scenario: We have a big list of raw bcrypt hashes -- "raw_hashes.txt". The found hashes are in the file "found_hashes.txt".
Task: Create the left list -- "left_hashes.txt". Field separator: ":"
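Added example (Python, written for this edit, not the poster's solution): it builds the left list in memory and also reports "orphans", found entries whose hash is not in the raw list, which usually means a typo or a found file from another list. The separator is split only once, because the plaintext itself may contain ":". The sample contents are constructed; the bcrypt strings are taken from a later post in this thread.

```python
# Constructed sample files. The bcrypt strings are quoted from a later post in this thread.
RAW_HASHES = """\
$2y$12$ZDJjZTI4MzlkOTljYjlmZeU0OFJk9iz8iCE5AODPQx4QkiQjJOVmG
$2y$12$OGMyOTYwMjg4MDA3ZDg0O.nndLTywGnOGmVfGO2whcLYnYCPWkRrK
$2y$12$Y2U3YjE3ODBmMDdhMjA5M.EBmHqwJJXyEQq8tuyKNaynxwrXGD65C
"""
# hash:plain -- here the constructed plaintext itself contains the ':' separator.
FOUND_HASHES = "$2y$12$OGMyOTYwMjg4MDA3ZDg0O.nndLTywGnOGmVfGO2whcLYnYCPWkRrK:pa:ss\n"


def parse_found(text: str) -> dict:
    """hash -> plaintext from found_hashes.txt; split once, because the plaintext may contain ':' too."""
    found = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, plain = line.rstrip("\n").partition(":")
        if not sep:
            raise ValueError(f"found_hashes line {n}: no ':' separator")
        found[digest] = plain
    return found


def left_list(raw_text: str, found_text: str):
    """Return (left, orphans): raw hashes still uncracked, and found entries that match no raw hash."""
    found = parse_found(found_text)
    raw = [line.strip() for line in raw_text.splitlines() if line.strip()]
    left = [h for h in raw if h not in found]
    orphans = sorted(set(found) - set(raw))
    return left, orphans


def write_left_list(raw_path: str, found_path: str, out_path: str) -> int:
    """File-based wrapper: writes out_path and returns the number of hashes left."""
    with open(raw_path, encoding="utf-8", errors="surrogateescape") as raw_f, \
         open(found_path, encoding="utf-8", errors="surrogateescape") as found_f:
        left, orphans = left_list(raw_f.read(), found_f.read())
    with open(out_path, "w", encoding="utf-8", errors="surrogateescape") as out_f:
        out_f.write("\n".join(left) + ("\n" if left else ""))
    for h in orphans:
        print("found entry without a raw hash:", h)
    return len(left)


if __name__ == "__main__":
    left, orphans = left_list(RAW_HASHES, FOUND_HASHES)
    print(f"{len(left)} left, {len(orphans)} orphans")
    print("\n".join(left))
```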


 

freeroute

Reading contents of file PMKID.
The columns are the following (PMKID*MAC AP*MAC Station*ESSID -- all hex encoded):
a5eb82aa24792483ce26ea5d6189e442*2c4d5483d610*f0a225a05e8b*4272656e647a73616b


Command:

1.) Preferred solution with "whoismac" - show more info:

"for i in $(cat PMKID); do whoismac -p $i; done"

2.) with "awk" - show only SSID:

"awk -F* '{print $4}' PMKID | while read l; do xxd -r -p <<<$l; echo; done"
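Added example (Python, written for this edit, not part of hcxtools): a parser for the PMKID file format described above that validates each field, formats the MACs with colons, and decodes the ESSID. The awk/xxd one-liner prints the raw ESSID bytes, which garbles the terminal for a non-UTF-8 ESSID; this version falls back to a hex marker instead, and reports malformed lines with their line number rather than dropping them silently. The input is the one real line from the post plus two constructed lines.

```python
# One real line from the post plus two constructed ones: an ESSID that is not valid UTF-8,
# and a malformed record with an odd-length hex field.
PMKID_FILE = """\
a5eb82aa24792483ce26ea5d6189e442*2c4d5483d610*f0a225a05e8b*4272656e647a73616b
00112233445566778899aabbccddeeff*020000000001*020000000002*ff00
00112233445566778899aabbccddeeff*020000000001*020000000002*abc
"""


def fmt_mac(hex12: str) -> str:
    """'2c4d5483d610' -> '2c:4d:54:83:d6:10'."""
    return ":".join(hex12[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_pmkid_line(line: str) -> dict:
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError("expected PMKID*MAC_AP*MAC_STA*ESSID")
    pmkid, mac_ap, mac_sta, essid_hex = fields
    if len(pmkid) != 32 or len(mac_ap) != 12 or len(mac_sta) != 12:
        raise ValueError("PMKID must be 32 hex chars, MACs 12 hex chars")
    essid_raw = bytes.fromhex(essid_hex)        # ValueError on odd length or non-hex
    try:
        essid = essid_raw.decode("utf-8")
    except UnicodeDecodeError:
        essid = f"<hex:{essid_hex.lower()}>"     # keep binary ESSIDs out of the terminal
    return {"pmkid": pmkid.lower(), "mac_ap": fmt_mac(mac_ap),
            "mac_sta": fmt_mac(mac_sta), "essid": essid}


def parse_pmkid_file(text: str):
    """Return (records, errors); errors are (line number, message) so bad lines are not lost."""
    records, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(parse_pmkid_line(line))
        except ValueError as exc:
            errors.append((n, str(exc)))
    return records, errors


if __name__ == "__main__":
    records, errors = parse_pmkid_file(PMKID_FILE)
    for rec in records:
        print(f"{rec['mac_ap']}  {rec['mac_sta']}  {rec['essid']}")
    for n, msg in errors:
        print(f"line {n}: {msg}")
```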
 

pasnger57

Active member
Cracker
Joined
Dec 30, 2019
Messages
2,473
Reaction score
15
I have a set of lists, one with good passphrases such as

turn off keyboard lights
gen gregory feest
clare novaes
soterro coco
love is my religion i could die for it

but I'd like to use a rule to omit the spaces on the line so they would look like this

turnoffkeyboardlights
gengregoryfeest
clarenovaes
soterrococo
loveismyreligionicoulddieforit

I just don't know of a way to go about it
 

freeroute

pasnger57 said:
I have a set of lists, one with good passphrases such as

but I'd like to use a rule to omit the spaces on the line so they would look like this

turnoffkeyboardlights
gengregoryfeest
clarenovaes
soterrococo
loveismyreligionicoulddieforit

I just don't know of a way to go about it
It's easy with "sed" and "RegEx".

Code:
"sed -r 's/\s*//g' words_with_spaces.txt >words_without_spaces.txt"
 

Milzo

Waldeinsamkeit
Staff member
Super Moderator
Joined
Dec 30, 2019
Messages
17,046
Reaction score
2
purge rule, insert a space after @ symbol

@[space] << not a literal string
 

pasnger57

user said:
purge rule, insert a space after @ symbol

@[space] << not a literal string
THANK YOU

always something simple that eludes us
 

freeroute

1.: Convert "test.cap" file to "test_converted.hccapx".

Code:
"hcxpcaptool test.cap -o test_converted.hccapx"

start reading from test.cap

summary:
--------
file name....................: test.cap
file type....................: pcap 2.4
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11 (105)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 3
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 1
EAPOL packets................: 2
best handshakes..............: 1 (ap-less: 0)

1 handshake(s) written to test_converted.hccapx

2.: Convert "test_converted.hccapx" to "test.cap"

Code:
"wlanhcx2cap -i test_converted.hccapx -o test.cap"


1 records read from test_converted.hccapx
1 handshake written to single cap file
0 handshakes not written (irreversible messagepair)
 

pasnger57

I like this thread .... hope you don't think I'm trying to hijack it but it's a good one ..... so with its spirit in mind ....
TIP of the day
Having HUGE word lists is great but costs HDD space; to rectify that, .rule files for hashcat are the BEST solution.
In my exp. I have found the rules omit @, reverse r, duplicate d to be the TOP 3 things people do to a word when choosing a password.

Basic example (I know I do not have a good example for omit; read above for an example). My all-time favorite cracked pw came from the reverse rule with robert_pliskin to nikslilp_trebor


dog
cat
green

god
tac
neerg

dogdog
godgod
greengreen


and now my list of 3 is 9
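Added example (Python, written for this edit; it is not hashcat's rule engine, only a small subset of its rule syntax re-implemented to show what `hashcat --stdout dictionary.txt -r rules` produces): it covers the rules discussed in this thread, the `@ ` purge used to strip spaces (the same result as the sed one-liner above, for spaces), `r` reverse and `d` duplicate, plus a few common single-character functions. The argument of `@`, `$`, `^` and `s` is read raw, which is why `@` followed by an actual space means "purge spaces" and why a rule file must not have its trailing whitespace stripped. The wordlist and rules below are constructed.

```python
# Constructed sample wordlist (stands in for dictionary.txt).
WORDS = ["turn off keyboard lights", "dog", "cat", "green", "robert_pliskin"]
# Rules in hashcat syntax: ':' passthrough, '@ ' purge spaces, 'r' reverse, 'd' duplicate.
RULES = [":", "@ ", "r", "d"]


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (hashcat syntax, subset) to a word."""
    out, i = word, 0
    while i < len(rule):
        fn = rule[i]
        i += 1
        if fn in (" ", ":"):            # separator between functions / do-nothing rule
            continue
        if fn == "l":
            out = out.lower()
        elif fn == "u":
            out = out.upper()
        elif fn == "c":
            out = out[:1].upper() + out[1:].lower()
        elif fn == "t":
            out = out.swapcase()
        elif fn == "r":
            out = out[::-1]
        elif fn == "d":
            out = out + out
        elif fn == "[":
            out = out[1:]
        elif fn == "]":
            out = out[:-1]
        elif fn in "$^@":
            if i >= len(rule):
                raise ValueError(f"function {fn!r} needs one character argument")
            ch = rule[i]                # read raw: this is why '@ ' means "purge spaces"
            i += 1
            if fn == "$":
                out = out + ch
            elif fn == "^":
                out = ch + out
            else:
                out = out.replace(ch, "")
        elif fn == "s":
            if i + 1 >= len(rule):
                raise ValueError("function 's' needs two character arguments")
            out = out.replace(rule[i], rule[i + 1])
            i += 2
        else:
            raise ValueError(f"rule function {fn!r} is outside this subset")
    return out


def load_rules(text: str) -> list:
    """Parse a .rule file body: drop blank lines and '#' comments, keep the rest verbatim.
    Do NOT rstrip the lines: a rule such as '@ ' ends in a significant space."""
    return [line for line in text.split("\n") if line and not line.startswith("#")]


def generate(words, rules):
    """Candidates the way `hashcat --stdout dict -r rules` emits them: every rule applied to every word."""
    for word in words:
        for rule in rules:
            yield apply_rule(word, rule)


if __name__ == "__main__":
    for candidate in generate(WORDS, RULES):
        print(candidate)
```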
 

freeroute

Convert hashes to the right format.
Input: salt,hash
Output: hash:salt


root@HELIUM-XR2:~/test# cat raw_hashes.txt

oAZkAse75vY3DUyTwXhW*K$wqoWNvN,ae6a26879f684db2737173fecf6b9199ac5ed5ec0d1b66ac9474ec5fb794fc55
3ZIdz2V538b@L36c@Ces%MWKvkyXri,27aa7b56ecf8f93f72961bddc4a121ce4f251dc3a3ece660f351a88d777ec43d



Code:
"sed -n "s/\(.*\),\([a-f0-9]*\)/\2:\1/p" raw_hashes.txt "

ae6a26879f684db2737173fecf6b9199ac5ed5ec0d1b66ac9474ec5fb794fc55:oAZkAse75vY3DUyTwXhW*K$wqoWNvN
27aa7b56ecf8f93f72961bddc4a121ce4f251dc3a3ece660f351a88d777ec43d:3ZIdz2V538b@L36c@Ces%MWKvkyXri


Code:
" awk 'BEGIN{FS=","; OFS=":"} { print $2, $1 }' raw_hashes.txt "

ae6a26879f684db2737173fecf6b9199ac5ed5ec0d1b66ac9474ec5fb794fc55:oAZkAse75vY3DUyTwXhW*K$wqoWNvN
27aa7b56ecf8f93f72961bddc4a121ce4f251dc3a3ece660f351a88d777ec43d:3ZIdz2V538b@L36c@Ces%MWKvkyXri
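Added example (Python, written for this edit, not the poster's commands): the same conversion with validation. Note the difference between the two one-liners above: the greedy `\(.*\),` in the sed variant splits on the last comma, so a salt containing a comma survives, while the awk variant with FS="," would print the second comma-separated field and drop the hash for such a line. This version splits on the last comma like sed, checks that what follows is a 64-hex digest, and reports anything else by line number. The first two input lines are from the post, the third is constructed.

```python
import re

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")

# The two lines from the post, plus a constructed one whose salt itself contains a comma.
RAW_HASHES = """\
oAZkAse75vY3DUyTwXhW*K$wqoWNvN,ae6a26879f684db2737173fecf6b9199ac5ed5ec0d1b66ac9474ec5fb794fc55
3ZIdz2V538b@L36c@Ces%MWKvkyXri,27aa7b56ecf8f93f72961bddc4a121ce4f251dc3a3ece660f351a88d777ec43d
sa,lt,0000000000000000000000000000000000000000000000000000000000000000
"""


def salt_hash_to_hash_salt(line: str) -> str:
    """'salt,hash' -> 'hash:salt', splitting on the LAST comma so commas inside the salt survive."""
    salt, sep, digest = line.strip().rpartition(",")
    if not sep or not HEX64.match(digest):
        raise ValueError("line does not end in ',<64 hex chars>'")
    return f"{digest}:{salt}"


def convert_file(text: str):
    """Return (converted lines, errors); errors are (line number, message)."""
    converted, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            converted.append(salt_hash_to_hash_salt(line))
        except ValueError as exc:
            errors.append((n, str(exc)))
    return converted, errors


if __name__ == "__main__":
    converted, errors = convert_file(RAW_HASHES)
    print("\n".join(converted))
    for n, msg in errors:
        print(f"line {n}: {msg}")
```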
 

freeroute

Common hash algorithms in RegEx format:

md4
(^[0-9a-fA-F]{32}$)

md5
(^[0-9a-fA-F]{32}$)

md5($pass,$salt)
(^[0-9a-fA-F]{32}\:.{1,}$)

md5($salt,$pass)
(^[0-9a-fA-F]{32}\:.{1,}$)

more...
 

freeroute

hcxpsktool calculates candidates for hashcat based on commandline input, hccapx file and/or 16800 hash file.

usage..: wlanhcx2psk options

example: wlanhcx2psk -i hccapx -W -s | hashcat -m 2500 hccapx

for PMKID file:

"hcxpsktool -z PMKID.txt --weakpass --wpskeys | hashcat -O -m 16800 PMKID.txt"

for hccapx file:

"hcxpsktool -i handshake.hccapx --weakpass --wpskeys | hashcat -O -m 2500 handshake.hccapx"

Options

 

freeroute

hashID is a tool written in Python 3 useful to identify the different types of hashes used to encrypt data and passwords. It supports the identification of over 220 unique hash types using regular expressions and it is able to identify a single hash.
The tool is the natural replacement to other similar tools like hash-identifier, which is outdated, and the original HashTag — Password Hash Type Identification (Identify Hashes), which is even older.

Command:

"hashid '422363b0e2f7feadca7517199d784a89' -m"

Analyzing '422363b0e2f7feadca7517199d784a89'
[+] MD2
[+] MD5 [Hashcat Mode: 0]
[+] MD4 [Hashcat Mode: 900]
[+] Double MD5 [Hashcat Mode: 2600]
[+] LM [Hashcat Mode: 3000]
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5 [Hashcat Mode: 8600]
[+] Skype [Hashcat Mode: 23]
[+] Snefru-128
[+] NTLM [Hashcat Mode: 1000]
[+] Domain Cached Credentials [Hashcat Mode: 1100]
[+] Domain Cached Credentials 2 [Hashcat Mode: 2100]
[+] DNSSEC(NSEC3) [Hashcat Mode: 8300]
[+] RAdmin v2.x [Hashcat Mode: 9900]
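Added example (Python, written for this edit; it is not hashID and not its pattern database): a small regex-based identifier in the spirit of the "Common hash algorithms in RegEx format" post and of `hashid -m`. The 32-hex and 32-hex:salt patterns are the ones quoted in this thread; the SHA-1, SHA-256, bcrypt and PMKID patterns and their hashcat mode numbers are added here from hashcat's documented formats. The point the hashID output above already makes is visible in the result: a bare 32-hex string matches many algorithms at once, so pattern matching yields candidate modes to try, not a verdict.

```python
import re

# (name, pattern, hashcat modes). The 32-hex and 32-hex:salt patterns are the ones quoted in this
# thread; the remaining formats and the mode numbers follow hashcat's own --help listing.
HASH_PATTERNS = [
    ("MD5 / MD4 / NTLM / LM and other 128-bit digests", r"^[0-9a-fA-F]{32}$", [0, 900, 1000, 3000]),
    ("md5($pass.$salt) / md5($salt.$pass)", r"^[0-9a-fA-F]{32}:.+$", [10, 20]),
    ("SHA-1", r"^[0-9a-fA-F]{40}$", [100]),
    ("SHA-256", r"^[0-9a-fA-F]{64}$", [1400]),
    ("bcrypt", r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$", [3200]),
    ("WPA PMKID (hcxtools 16800 format)",
     r"^[0-9a-fA-F]{32}\*[0-9a-fA-F]{12}\*[0-9a-fA-F]{12}\*[0-9a-fA-F]+$", [16800]),
]
COMPILED = [(name, re.compile(pattern), modes) for name, pattern, modes in HASH_PATTERNS]


def identify(candidate: str) -> list:
    """All (name, modes) whose pattern matches; more than one match means the format is ambiguous."""
    s = candidate.strip()
    return [(name, modes) for name, pat, modes in COMPILED if pat.match(s)]


def modes_for(candidate: str) -> list:
    """Flat, sorted list of hashcat modes worth trying, like the [Hashcat Mode: N] tags hashid prints."""
    return sorted({m for _, modes in identify(candidate) for m in modes})


if __name__ == "__main__":
    for sample in ["422363b0e2f7feadca7517199d784a89",
                   "$2y$12$NmRmMzM4YmNiMDIwYjY3O.t7udSNap87AnPPtjofQ.jqGHnF/0Mgm",
                   "not a hash"]:
        print(f"Analyzing '{sample}'")
        for name, modes in identify(sample) or [("no pattern matched", [])]:
            print(f"[+] {name}  {modes}")
```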
 

freeroute

Create a word file from a book/web page.


Command:

"sed -r -e 's/\W\B|\s/\n/g;s/.*/\L&/' input.txt | sort -u > words.txt"
"perl -lne 'map {$s{lc $_}++ if $_} split /\W+/; END{print for sort keys %s}' input.txt >words.txt"


Graphical tool for custom wordlist generation "Mentalist"
Creating custom word lists by spidering a target's website and collecting unique words: "CeWL - Custom Word List generator"
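Added example (Python, written for this edit, not the poster's one-liners and not CeWL or Mentalist): the same extraction as the perl variant (`split /\W+/`, lower-cased, unique, sorted), plus two things the one-liners do not offer, a minimum word length and a frequency ranking, which is what you want when a large book must be trimmed to its most common words. As with the one-liners, an apostrophe splits a word ("Don't" becomes "don" and "t"), which the minimum length then filters out. The input text is constructed.

```python
import re
from collections import Counter

# Constructed sample text (stands in for input.txt).
SAMPLE_TEXT = """Don't count punctuation; words repeat, words repeat.
Mixed Case and CASE merge into one entry, and hyphenated-words split
the same way the sed and perl one-liners split them."""

WORD_RE = re.compile(r"\w+")  # runs of letters/digits/underscore, like perl's split /\W+/


def word_counts(text: str, min_len: int = 1) -> Counter:
    """Lower-cased word -> occurrences, dropping words shorter than min_len."""
    return Counter(w.lower() for w in WORD_RE.findall(text) if len(w) >= min_len)


def wordlist(text: str, min_len: int = 1) -> list:
    """Sorted unique words, i.e. what `... | sort -u > words.txt` leaves behind."""
    return sorted(word_counts(text, min_len))


def by_frequency(text: str, min_len: int = 1) -> list:
    """Most frequent first; useful for trimming a very large input to its top N words."""
    return [w for w, _ in word_counts(text, min_len).most_common()]


def write_wordlist(in_path: str, out_path: str, min_len: int = 3) -> int:
    """File wrapper: returns the number of words written."""
    with open(in_path, encoding="utf-8", errors="replace") as f:
        words = wordlist(f.read(), min_len)
    with open(out_path, "w", encoding="utf-8") as f:
        f.write("\n".join(words) + ("\n" if words else ""))
    return len(words)


if __name__ == "__main__":
    print("\n".join(wordlist(SAMPLE_TEXT, min_len=3)))
    print("top 5:", by_frequency(SAMPLE_TEXT, min_len=3)[:5])
```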
 

freeroute

Convert base64 back to md5.

Code:
"echo 4G5qc2WQzGES6QkWAUgl5w== | base64 -d - | xxd -ps"

e06e6a736590cc6112e90916014825e7


And if you want to automate the whole thing, use syntax like this:

Code:
"while read line; do echo ${line} | base64 -d - | xxd -ps ; done < b64.txt"


Where b64.txt file contains all of your base64-encoded data:

Code:
"cat b64.txt"

4G5qc2WQzGES6QkWAUgl5w==
P9tKxonBOg3ymr8vOBLnDA==
Lk7X7MxDgnJB8Q2Ara4wgQ==
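Added example (Python, written for this edit, not the poster's shell loop): the same base64-to-hex conversion over a whole file, with two checks the loop above does not make. Decoding is strict, so a line with characters outside the base64 alphabet is reported instead of producing partial garbage, and the decoded length is checked against 16 bytes, so something that is not an MD5-sized digest cannot slip into the hash list unnoticed. The input is the three lines from the post plus one constructed bad line.

```python
import base64
import binascii

# The three lines from the post plus one constructed bad line.
B64_FILE = """\
4G5qc2WQzGES6QkWAUgl5w==
P9tKxonBOg3ymr8vOBLnDA==
Lk7X7MxDgnJB8Q2Ara4wgQ==
this is not base64!
"""


def b64_to_hex(line: str, expect_len: int = 16) -> str:
    """Decode one base64 line and return the hex digest (what `base64 -d | xxd -ps` prints)."""
    raw = base64.b64decode(line.strip(), validate=True)  # binascii.Error on non-alphabet chars
    if len(raw) != expect_len:
        raise ValueError(f"decoded to {len(raw)} bytes, expected {expect_len} for MD5")
    return raw.hex()


def convert_file(text: str, expect_len: int = 16):
    """Return (hex digests, errors); errors are (line number, message) instead of garbage output."""
    digests, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            digests.append(b64_to_hex(line, expect_len))
        except (binascii.Error, ValueError) as exc:
            errors.append((n, str(exc)))
    return digests, errors


if __name__ == "__main__":
    digests, errors = convert_file(B64_FILE)
    print("\n".join(digests))
    for n, msg in errors:
        print(f"line {n}: {msg}")
```

The same function serves other digest sizes by changing expect_len (20 for SHA-1, 32 for SHA-256).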
 

freeroute

Find passwords of Edmodo hashes. MDXFind is able to do it.

Note: for an Edmodo hash (algo: bcrypt(md5($pass))) we have to delete every second char of the first 65 chars and then append the rest in order to get a valid string. Length should be 60 chars.

Original:
$826y4$31226$dZbD2JfjeZ3TbIe44M0zclck2O4T1l8j7Y7jfl6maZ2ecU900ObFJk9iz8iCE5AODPQx4QkiQjJOVmG
$826y4$31226$dObG2MfyeO3TbYew4M0jcgc42M4D1A837Z7Dfg60aO2.cn9n0dbLTywGnOGmVfGO2whcLYnYCPWkRrK
$826y4$31226$dYb22Uf3eY3jbEe34O0DcBcm2M4D1d8h7M7jfA65aM2.cE9B0mbHqwJJXyEQq8tuyKNaynxwrXGD65C
$826y4$31226$dMbj2RfmeM3GbJej4O0TcYc52N4W1U8y7N7mfJ6jaZ2.cN9n0Wb4XGh1Z6pprH2h7Iwm43iVzZjozB6
$826y4$31226$dYbz2NfheO3GbZem4Z0jcccy2M421Y8w7Y7zfZ6iaN2.cY9k0qbmQal.22hZvum3RuYgYbTd/xfHYgG



Correct format:

$2y$12$ZDJjZTI4MzlkOTljYjlmZeU0OFJk9iz8iCE5AODPQx4QkiQjJOVmG
$2y$12$OGMyOTYwMjg4MDA3ZDg0O.nndLTywGnOGmVfGO2whcLYnYCPWkRrK
$2y$12$Y2U3YjE3ODBmMDdhMjA5M.EBmHqwJJXyEQq8tuyKNaynxwrXGD65C
$2y$12$MjRmMGJjOTY5NWUyNmJjZ.NnW4XGh1Z6pprH2h7Iwm43iVzZjozB6
$2y$12$YzNhOGZmZjcyM2YwYzZiN.YkqmQal.22hZvum3RuYgYbTd/xfHYgG


"expr length '$2y$12$NmRmMzM4YmNiMDIwYjY3O.t7udSNap87AnPPtjofQ.jqGHnF/0Mgm'"
60


MDXFind Parameters

Command:

./mdxfind -h ^bcryptmd5$ -f hashlist wordlist >> found.txt
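Added example (Python, written for this edit, not part of MDXFind): the normalisation described in the note above as a function, keeping the characters at even positions of the first 65 and appending the remainder untouched, then validating the result against the bcrypt shape and the 60-character length. The validation matters in practice: a line that is already in `$2y$` form, or a truncated one, would otherwise be mangled into a string that never cracks. The two inputs are the first two "Original" lines from the post and are checked against the "Correct format" lines quoted there.

```python
import re

BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")

# The first two "Original" lines from the post.
EDMODO_SAMPLES = [
    "$826y4$31226$dZbD2JfjeZ3TbIe44M0zclck2O4T1l8j7Y7jfl6maZ2ecU900ObFJk9iz8iCE5AODPQx4QkiQjJOVmG",
    "$826y4$31226$dObG2MfyeO3TbYew4M0jcgc42M4D1A837Z7Dfg60aO2.cn9n0dbLTywGnOGmVfGO2whcLYnYCPWkRrK",
]


def edmodo_to_bcrypt(line: str) -> str:
    """Keep every second character of the first 65, append the remainder unchanged, then validate."""
    s = line.strip()
    fixed = s[:65:2] + s[65:]
    if len(fixed) != 60 or not BCRYPT_RE.match(fixed):
        raise ValueError(f"result is not a 60-char bcrypt string: {fixed!r}")
    return fixed


def normalize_file(text: str):
    """Return (bcrypt hashes, errors). Lines already in $2y$ form end up in errors, not mangled twice."""
    hashes, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            hashes.append(edmodo_to_bcrypt(line))
        except ValueError as exc:
            errors.append((n, str(exc)))
    return hashes, errors


if __name__ == "__main__":
    hashes, errors = normalize_file("\n".join(EDMODO_SAMPLES))
    for h in hashes:
        print(h, len(h))
    for n, msg in errors:
        print(f"line {n}: {msg}")
```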
 

freeroute

Strip a particular handshake (by SSID) from handshakes captured by hcxdumptool, using wlanhcx2ssid.

List captured handshakes (hcxdump.hccapx): "wlanhcxinfo -i hcxdump.hccapx -a -s -e -p"

Output format: (MAC AP:MAC station:message pair:SSID)

704f57966e24:9c207ba9ab5c:10:TP-Link_6A24
c04a004a6758:a06faa10ba48:10:TP-LINK_4A5758
000e226ab7b0:1008c15f9559:10:Terminator987


Strip SSID "Terminator987" from hcxdump.hccapx: "wlanhcx2ssid -i hcxdump.hccapx -X Terminator987"

4 records read from hcxdump.hccapx
2 records written

Output:
Terminator987.hccapx
 

freeroute

Hashcat Benchmarks Comparison

 