Tip of the day

freeroute

Community Manager
Staff member
Community Manager
Super Moderator
Joined
Dec 30, 2019
Messages
20,374
Reaction score
768
Credits
3,811
John the Ripper
Display the password candidates generated with a rule (KoreLogicRulesAppendNumbers_and_Specials_Simple rule):

List all the KoreLogicRules:

Bash:
for ruleset in `grep KoreLogicRules /usr/local/src/john/run/john.conf | cut -d: -f 2 | cut -d\] -f 1`; do echo ${ruleset}; done
Bash:
cat password.txt
password

Bash:
/usr/local/src/john/run/./john --wordlist=/root/test/password.txt --rule=KoreLogicRulesAppendNumbers_and_Specials_Simple --stdout >jtr-generated-list.txt
Code:
wc -l jtr-generated-list.txt
75722 jtr-generated-list.txt

Password0
Password1
Password2
Password3
Password4
Password5
Password6
Password7
Password8
Password9
Password!
Password$
Password@
Password#
Password%
...


Hashcat
Display the password candidates generated with a rule (blandyuk.rule):

Bash:
hashcat password.txt -r /usr/share/hashcat/rules/blandyuk.rule --stdout >hashcat-generated-list.txt
or
Bash:
cat password.txt | hashcat -r /usr/share/hashcat/rules/blandyuk.rule --stdout >hashcat-generated-list.txt
or
https://forum.hashkiller.io/index.php?threads/tip-of-the-day.26698/
https://forum.hashkiller.io/index.php?threads/tip-of-the-day.26698/post-171617

Bash:
wc -l hashcat-generated-list.txt
356 hashcat-generated-list.txt

Bash:
less hashcat-generated-list.txt
password
drowssap
passwordpassword
passworddrowssap
ppaasssswwoorrdd
pASSWORD
DROWSSAP
PASSWORDPASSWORD
PASSWORDDROWSSAP
PPAASSSSWWOORRDD
drowssap
passwordpassword
passworddrowssap
ppaasssswwoorrdd
passwordadmin
passwordadmin:
adminpassword
admin:password
pa$$word!
!pa$$word
Pa$$word!
!Pa$$word
pa$$word#
#pa$$word
...
 

freeroute

List all the supported hash formats and their attributes - John the Ripper (Jumbo version)
Bash:
./john --list=format-all-details --format=ssh
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Format label SSH
Disabled in configuration file no
Min. password length 0
Max. password length 10 [worst case UTF-8] to 32 [ASCII]

Min. keys per crypt 2
Max. keys per crypt 16
Flags
Case sensitive yes
Truncates at max. length no
Supports 8-bit characters yes
Converts internally to UTF-16/UCS-2 no
Honours --encoding=NAME n/a
Collisions possible (as in likely) yes
Uses a bitslice implementation no
The split() method unifies case yes
Supports very long hashes yes
Internal mask generation no
A $dynamic$ format no
A dynamic sized salt no
Parallelized with OpenMP yes
Poor OpenMP scalability no
Number of test vectors 12
Algorithm name RSA/DSA/EC/OPENSSH (SSH private keys) 32/32
Format name
Benchmark comment
Benchmark length 7 (0x107, raw)
Binary size 0
Salt size 8228
Tunable cost parameters KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES], iteration count
Example ciphertext (truncated here) $sshng$1$16$570F498F6FF732775EE38648130F600D$1200$
 

freeroute

ASP.NET 4 hashes

+------------------------------+--------------------------+
| Password                     | PasswordSalt             |
+------------------------------+--------------------------+
| utkfN0EOgljbv5FoZ6+AcZD5iLk= | bEtiVGhPNlZpcUN4a3ExTg== |
+------------------------------+--------------------------+

Hashcat mode, name, format needed:
141 Episerver 6.x < .NET 4 $episerver$*0*bEtiVGhPNlZpcUN4a3ExTg==*utkfN0EOgljbv5FoZ6+AcZD5iLk

The format we need to use involves four “columns” delimited by a star:

The hash signature – “$episerver$”
The version – it’s all “0” which implies SHA1
The base64 encoded salt - bEtiVGhPNlZpcUN4a3ExTg==
The base64 encoded hash - utkfN0EOgljbv5FoZ6+AcZD5iLk


We need this format. Save the dumps into a file (base64-format), then convert it:

Bash:
awk -F"|" '{print "$episerver$*0*"$2"*"$1}' base64-format | sed -r 's/.$//' > episerver-141
Outfile:
$episerver$*0*bEtiVGhPNlZpcUN4a3ExTg==*utkfN0EOgljbv5FoZ6+AcZD5iLk

Run hashcat with mode 141.
$episerver$*0*bEtiVGhPNlZpcUN4a3ExTg==*utkfN0EOgljbv5FoZ6+AcZD5iLk:hashcat

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Episerver 6.x < .NET 4
Hash.Target......: $episerver$*0*bEtiVGhPNlZpcUN4a3ExTg==*utkfN0EOgljb...ZD5iLk
Time.Started.....: Sat Apr 4 10:06:46 2020 (1 sec)
Time.Estimated...: Sat Apr 4 10:06:47 2020 (0 secs)
Guess.Mask.......: hashcat [7]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1 H/s (0.02ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: hashcat -> hashcat

Started: Sat Apr 4 10:06:29 2020
Stopped: Sat Apr 4 10:06:48 2020
 

freeroute

hcxmactool can be used to convert existing hccapx and PMKID hashes to the new 22000 format

--pmkidin=<file> : input PMKID file
--hccapxin=<file> : input HCCAPX file
--pmkideapolout=<file> : output PMKID/EAPOL hash line (22000 format)


hcxpcapngtool will convert best PMKID and best EAPOL.
That can be M1M2, M2M3, M3M4 (if M4 SNONCE isn't zeroed) or M1M4 (if M4 SNONCE isn't zeroed)
Running option --all, all EAPOL message pairs are converted.

hcxhashtool will show authenticated / not authenticated clients and prepare them for hashcat

Bash:
hcxpcapngtool --all -o test.22000 handshakes/D-Link_GO-RT-N300-10\:BE\:F5\:6C\:61\:A5.cap
reading from D-Link_GO-RT-N300-10:BE:F5:6C:61:A5.cap...

summary capture file
--------------------
file name................................: D-Link_GO-RT-N300-10:BE:F5:6C:61:A5.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 25.08.2017 08:51:46
timestamp maximum (GMT)..................: 25.08.2017 08:51:46
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 5
BEACON (total)...........................: 1
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
ESSID (total unique).....................: 1
EAPOLTIME gap (measured maximum usec)....: 33576
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
EAPOL M1 messages........................: 2
EAPOL M2 messages........................: 1
EAPOL M3 messages........................: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 2
EAPOL pairs written to combi hash file...: 2 (RC checked)
EAPOL M12E2..............................: 1
EAPOL M32E2..............................: 1
PMKID (total)............................: 2
PMKID (best).............................: 2
PMKID written to combi hash file.........: 2

Warning: missing frames!
This dump file contains no important frames like
authentication, association or reassociation.
That makes it hard to recover the PSK.

Warning: missing frames!
This dump file contains no undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
That makes it hard to recover the PSK.


We have 2 EAPOL pairs and 2 PMKIDs:
EAPOL M12E2..............................: 1
EAPOL M32E2..............................: 1
PMKID (total)............................: 2

Bash:
hcxhashtool -i test.22000 --info=stdout
SSID.......: D-Link_GO-RT-N300
MAC_AP.....: 10bef56c61a5 (D-Link International)
MAC_CLIENT.: 00eebd63054e (HTC Corporation)
PMKID......: 2a0bd3b4989f58a171ab9c04bf3e4d0a
HASHLINE...: WPA*01*2a0bd3b4989f58a171ab9c04bf3e4d0a*10bef56c61a5*00eebd63054e*442d4c696e6b5f474f2d52542d4e333030***

SSID.......: D-Link_GO-RT-N300
MAC_AP.....: 10bef56c61a5 (D-Link International)
MAC_CLIENT.: 30751218b7ac (Sony Mobile Communications Inc)
PMKID......: 7fc0e83c67e4e44d5fd6457cf45e227a
HASHLINE...: WPA*01*7fc0e83c67e4e44d5fd6457cf45e227a*10bef56c61a5*30751218b7ac*442d4c696e6b5f474f2d52542d4e333030***

SSID.......: D-Link_GO-RT-N300
MAC_AP.....: 10bef56c61a5 (D-Link International)
MAC_CLIENT.: 00eebd63054e (HTC Corporation)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
RC INFO....: not replycount checked / nc required
MP M1M2 E2.: not authorized
MIC........: 4c49e2dbfb058062143a136b02768a32
HASHLINE...: WPA*02*4c49e2dbfb058062143a136b02768a32*10bef56c61a5*00eebd63054e*442d4c696e6b5f474f2d52542d4e333030*5d331c6cc7068cdea0151907a4474dceed7ba99adfaa7210fc1bb27e885d9766*0103007502010a00000000000000000001f2d89aec0c8873a77653a81f657d9e5378ee0fe28d892d9ef9ee4094582574b5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*a0

SSID.......: D-Link_GO-RT-N300
MAC_AP.....: 10bef56c61a5 (D-Link International)
MAC_CLIENT.: 00eebd63054e (HTC Corporation)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
RC INFO....: not replycount checked / nc required
MP M2M3 E2.: authorized
MIC........: 4c49e2dbfb058062143a136b02768a32
HASHLINE...: WPA*02*4c49e2dbfb058062143a136b02768a32*10bef56c61a5*00eebd63054e*442d4c696e6b5f474f2d52542d4e333030*5d331c6cc7068cdea0151907a4474dceed7ba99adfaa7210fc1bb27e885d9766*0103007502010a00000000000000000001f2d89aec0c8873a77653a81f657d9e5378ee0fe28d892d9ef9ee4094582574b5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*a2

OUI information file...: /root/.hcxtools/oui.txt
OUI entires............: 24944
total lines read.......: 4
valid hash lines.......: 4
PMKID hash lines.......: 2
EAPOL hash lines.......: 2
PMKID written..........: 2
EAPOL written..........: 2


Bash:
hcxhashtool -i test.22000 --authorized -o authorized.22000
OUI information file...: /root/.hcxtools/oui.txt
OUI entires............: 24944
total lines read.......: 4
valid hash lines.......: 4
PMKID hash lines.......: 2
EAPOL hash lines.......: 2
filter by status.......: authorized
EAPOL written..........: 1


verify:
Bash:
hcxhashtool -i authorized.22000 --info=stdout
SSID.......: D-Link_GO-RT-N300
MAC_AP.....: 10bef56c61a5 (D-Link International)
MAC_CLIENT.: 00eebd63054e (HTC Corporation)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
RC INFO....: not replycount checked / nc required
MP M2M3 E2.: authorized
MIC........: 4c49e2dbfb058062143a136b02768a32
HASHLINE...: WPA*02*4c49e2dbfb058062143a136b02768a32*10bef56c61a5*00eebd63054e*442d4c696e6b5f474f2d52542d4e333030*5d331c6cc7068cdea0151907a4474dceed7ba99adfaa7210fc1bb27e885d9766*0103007502010a00000000000000000001f2d89aec0c8873a77653a81f657d9e5378ee0fe28d892d9ef9ee4094582574b5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*a2

OUI information file...: /root/.hcxtools/oui.txt
OUI entires............: 24944
total lines read.......: 1
valid hash lines.......: 1
EAPOL hash lines.......: 1
EAPOL written..........: 1
 

freeroute

Crypt::PBKDF2 - The PBKDF2 password hashing algorithm

"PBKDF2 is a secure password hashing algorithm that uses the techniques of "key strengthening" to make the complexity of a brute-force attack arbitrarily high.
PBKDF2 uses any other cryptographic hash or cipher (by convention, usually HMAC-SHA1, but Crypt::PBKDF2 is fully pluggable), and allows for an arbitrary number of iterations of the hashing function, and a nearly unlimited output hash size (up to 2**32 - 1 times the size of the output of the backend hash).
The hash is salted, as any password hash should be, and the salt may also be of arbitrary size."

Source

In the case of the Crypt::PBKDF2 hashing algorithm, the format looks like:
Code:
{X-PBKDF2}HMACSHA1:AAAD6A:SEvDOw==:1rmVDmR6OgwPEYV5CiwUeYnd+OE=
which is called the ldap-like format. The "ldap" format is intended to be compatible with RFC2307.

In the curly braces we have the identifier of the string format. (X-PBKDF2)
Immediately after that is the identifier of the hashing algorithm. (HMACSHA1)
The next field, separated by a :, is the number of iterations encoded with MIME::Base64. (AAAD6A)
Then the salt and finally the actual hash. (SEvDOw==:1rmVDmR6OgwPEYV5CiwUeYnd+OE=)

Note: The -m 10900 format expects the data given in base64!

Example "ldap" format hashes:
Code:
{X-PBKDF2}HMACSHA2+256:AAAnEA:YFzgFv4SMUziTixiwmW+sQ==:D+dB5k3V22Mm0QUDUDBVpfdMW5E=
{X-PBKDF2}HMACSHA2+256:AAAnEA:4YZ5/Vwc6s0yAwaheERAig==:SNZBfkf1yF8ym0BQ3hCVM2vNbPw=
{X-PBKDF2}HMACSHA2+256:AAAnEA:zsjDY/velgEgwPiX5Dh28w==:tea+rH9WVdu7zFafuVLR6j9kLX4=
{X-PBKDF2}HMACSHA2+256:AAAnEA:D9e4RE2rbqZAjMGyy7hd8w==:itO74QZEgF9gPapytfX/wkf8KvI=
{X-PBKDF2}HMACSHA2+256:AAAnEA:Togwel2qgzyDSi9rhKB45A==:4KHW/hxwjUra6ci4Z4g3c/igOSI=
{X-PBKDF2}HMACSHA2+256:AAAnEA:rCSxE0m/2VyNFUExNSENYA==:C5ampxh36pWsdRmd5LW2hcJL9fU=
1. Number of iterations used:
Bash:
echo AAAnEA== | base64 -d | xxd -p
00002710

00002710 (hex) == 10000 (dec)
python3:
Code:
Python 3.8.2 (default, Apr  1 2020, 17:29:21)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> print(int(base64.b64decode('AAAnEA==').hex(), 16))
10000
perl:
Code:
perl -MMIME::Base64 -e 'print unpack ("L>", decode_base64 ("AAAnEA")) . "\n"'
10000
2. Convert ldap-like format into the proper hashcat format.
Code:
sha256:10000:YFzgFv4SMUziTixiwmW+sQ==:D+dB5k3V22Mm0QUDUDBVpfdMW5E=
sha256:10000:4YZ5/Vwc6s0yAwaheERAig==:SNZBfkf1yF8ym0BQ3hCVM2vNbPw=
sha256:10000:zsjDY/velgEgwPiX5Dh28w==:tea+rH9WVdu7zFafuVLR6j9kLX4=
sha256:10000:D9e4RE2rbqZAjMGyy7hd8w==:itO74QZEgF9gPapytfX/wkf8KvI=
sha256:10000:Togwel2qgzyDSi9rhKB45A==:4KHW/hxwjUra6ci4Z4g3c/igOSI=
sha256:10000:rCSxE0m/2VyNFUExNSENYA==:C5ampxh36pWsdRmd5LW2hcJL9fU=
3. Use hashcat with mode 10900 in order to find the password.

Hash name: PBKDF2-HMAC-SHA256
Correct hashcat format: sha256:10000:MTc3MTA0MTQwMjQxNzY=:PYjCU215Mi57AYPKva9j7mvF4Rc5bCnt
Hashcat mode: 10900

Code:
sha256:10000:rCSxE0m/2VyNFUExNSENYA==:C5ampxh36pWsdRmd5LW2hcJL9fU=:admin123
sha256:10000:Togwel2qgzyDSi9rhKB45A==:4KHW/hxwjUra6ci4Z4g3c/igOSI=:root
sha256:10000:4YZ5/Vwc6s0yAwaheERAig==:SNZBfkf1yF8ym0BQ3hCVM2vNbPw=:hashcat
sha256:10000:YFzgFv4SMUziTixiwmW+sQ==:D+dB5k3V22Mm0QUDUDBVpfdMW5E=:password
sha256:10000:zsjDY/velgEgwPiX5Dh28w==:tea+rH9WVdu7zFafuVLR6j9kLX4=:1234567890
                                             
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: PBKDF2-HMAC-SHA256
Hash.Target......: 10900_hash
Time.Started.....: Mon May  4 08:18:48 2020, (1 sec)
Time.Estimated...: Mon May  4 08:18:49 2020, (0 secs)
Guess.Base.......: File (dictionary)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       31 H/s (0.49ms) @ Accel:128 Loops:32 Thr:1 Vec:4
Recovered........: 5/6 (83.33%) Digests, 5/6 (83.33%) Salts
Progress.........: 36/36 (100.00%)
Rejected.........: 0/36 (0.00%)
Restore.Point....: 6/6 (100.00%)
Restore.Sub.#1...: Salt:5 Amplifier:0-1 Iteration:9984-9999
Candidates.#1....: hashcat ->
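The three steps above as one script, added here and not part of the post, of Crypt::PBKDF2 or of hashcat: it decodes the base64 iteration count, maps the hash_class to hashcat's digest name and mode (10900 for SHA256; 12000 and 12100 are hashcat's PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA512 modes), and recomputes the hash with hashlib so a cracked password can be confirmed offline. The sample hashes and the password are the ones shown in the post.

```python
"""Crypt::PBKDF2 "ldap" hashes -> hashcat format, plus local verification.

Added example, not Crypt::PBKDF2 or hashcat code. The sample hashes and the
cracked password ("password") are the ones shown in the post above.
"""
import base64
import hashlib
import hmac

# Crypt::PBKDF2 hash_class name -> (hashlib digest, hashcat mode)
ALGOS = {
    "HMACSHA1": ("sha1", 12000),        # PBKDF2-HMAC-SHA1
    "HMACSHA2+256": ("sha256", 10900),  # PBKDF2-HMAC-SHA256
    "HMACSHA2+512": ("sha512", 12100),  # PBKDF2-HMAC-SHA512
}
PREFIX = "{X-PBKDF2}"


def b64decode(s):
    """The iteration field is written without '=' padding; restore it first."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_ldap(hashline):
    """{X-PBKDF2}ALGO:ITER:SALT:HASH -> (digest, iterations, salt_b64, hash_b64)."""
    if not hashline.startswith(PREFIX):
        raise ValueError("not a Crypt::PBKDF2 ldap hash: %r" % hashline)
    fields = hashline[len(PREFIX):].split(":")
    if len(fields) != 4:
        raise ValueError("expected 4 colon-separated fields: %r" % hashline)
    algo, iter_b64, salt_b64, hash_b64 = fields
    if algo not in ALGOS:
        raise ValueError("unsupported hash_class %r" % algo)
    # iterations: 32-bit big-endian integer (perl pack "N"), base64 encoded
    iterations = int.from_bytes(b64decode(iter_b64), "big")
    return ALGOS[algo][0], iterations, salt_b64, hash_b64


def to_hashcat(hashline):
    """Return (hashcat mode, 'digest:iterations:SALT_B64:HASH_B64')."""
    digest, iterations, salt_b64, hash_b64 = parse_ldap(hashline)
    mode = next(m for d, m in ALGOS.values() if d == digest)
    return mode, "%s:%d:%s:%s" % (digest, iterations, salt_b64, hash_b64)


def verify(hashline, password):
    """Recompute PBKDF2 with the stored output length and compare in constant time."""
    digest, iterations, salt_b64, hash_b64 = parse_ldap(hashline)
    expected = b64decode(hash_b64)
    derived = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                                  b64decode(salt_b64), iterations, len(expected))
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    h = "{X-PBKDF2}HMACSHA2+256:AAAnEA:YFzgFv4SMUziTixiwmW+sQ==:D+dB5k3V22Mm0QUDUDBVpfdMW5E="
    print(to_hashcat(h))          # (10900, 'sha256:10000:YFzg...:D+dB...')
    print(verify(h, "password"))  # True
```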
 

freeroute

Convert edmodo hashes (removing obfuscation) to the correct format for hashcat (mode: 3200).
Another method using mdxfind can be found here.

Method 1: python3
Bash:
cat edmodo-hashes
$826y4$31226$dZbD2JfjeZ3TbIe44M0zclck2O4T1l8j7Y7jfl6maZ2ecU900ObFJk9iz8iCE5AODPQx4QkiQjJOVmG
$826y4$31226$dObG2MfyeO3TbYew4M0jcgc42M4D1A837Z7Dfg60aO2.cn9n0dbLTywGnOGmVfGO2whcLYnYCPWkRrK
$826y4$31226$dYb22Uf3eY3jbEe34O0DcBcm2M4D1d8h7M7jfA65aM2.cE9B0mbHqwJJXyEQq8tuyKNaynxwrXGD65C
$826y4$31226$dMbj2RfmeM3GbJej4O0TcYc52N4W1U8y7N7mfJ6jaZ2.cN9n0Wb4XGh1Z6pprH2h7Iwm43iVzZjozB6
$826y4$31226$dYbz2NfheO3GbZem4Z0jcccy2M421Y8w7Y7zfZ6iaN2.cY9k0qbmQal.22hZvum3RuYgYbTd/xfHYgG
$826y4$31226$dYb22Uf1eN32bFel4N02cZcm2Z4G1F8k7M7zfU60aO2.cb9E0bbbuUvfztNr3H20AVlebUxYMp4Xj9G
Run the python3 script (attached)
Bash:
./edmodoV3.py edmodo-hashes
$2y$12$ZDJjZTI4MzlkOTljYjlmZeU0ObFJk9iz8iCE5AODPQx4QkiQjJOVmG
$2y$12$OGMyOTYwMjg4MDA3ZDg0O.nndbLTywGnOGmVfGO2whcLYnYCPWkRrK
$2y$12$Y2U3YjE3ODBmMDdhMjA5M.EBmbHqwJJXyEQq8tuyKNaynxwrXGD65C
$2y$12$MjRmMGJjOTY5NWUyNmJjZ.NnWb4XGh1Z6pprH2h7Iwm43iVzZjozB6
$2y$12$YzNhOGZmZjcyM2YwYzZiN.YkqbmQal.22hZvum3RuYgYbTd/xfHYgG
$2y$12$Y2U1N2FlN2ZmZGFkMzU0O.bEbbbuUvfztNr3H20AVlebUxYMp4Xj9G
Method 2: bash
Bash:
cut -c `seq -s ',' 1 2 64`,65- edmodo-hashes
$2y$12$ZDJjZTI4MzlkOTljYjlmZeU0OFJk9iz8iCE5AODPQx4QkiQjJOVmG
$2y$12$OGMyOTYwMjg4MDA3ZDg0O.nndLTywGnOGmVfGO2whcLYnYCPWkRrK
$2y$12$Y2U3YjE3ODBmMDdhMjA5M.EBmHqwJJXyEQq8tuyKNaynxwrXGD65C
$2y$12$MjRmMGJjOTY5NWUyNmJjZ.NnW4XGh1Z6pprH2h7Iwm43iVzZjozB6
$2y$12$YzNhOGZmZjcyM2YwYzZiN.YkqmQal.22hZvum3RuYgYbTd/xfHYgG
$2y$12$Y2U1N2FlN2ZmZGFkMzU0O.bEbbuUvfztNr3H20AVlebUxYMp4Xj9G
Method 3: c# (can be found here)
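Method 2's cut one-liner as a Python function, added here (this is not the attached edmodoV3.py): it keeps the odd positions of the first 64 characters plus everything from position 65 on, and rejects anything that does not come out as a 60-character bcrypt string, which is the check that catches an off-by-one in the slicing. Sample lines are the first two of the dump above.

```python
"""De-obfuscate edmodo bcrypt dumps.

Added example, not the attached edmodoV3.py. Layout taken from Method 2's cut
one-liner: of the first 64 characters only the odd positions (1, 3, ..., 63)
belong to the hash, everything from position 65 onwards is real. Sample lines
are the first two of the dump above.
"""
import re

# $2a$/$2b$/$2y$ + 2-digit cost + 22-char salt + 31-char digest = 60 characters
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

SAMPLE_DUMP = """\
$826y4$31226$dZbD2JfjeZ3TbIe44M0zclck2O4T1l8j7Y7jfl6maZ2ecU900ObFJk9iz8iCE5AODPQx4QkiQjJOVmG
$826y4$31226$dObG2MfyeO3TbYew4M0jcgc42M4D1A837Z7Dfg60aO2.cn9n0dbLTywGnOGmVfGO2whcLYnYCPWkRrK
"""


def deobfuscate(line):
    """Return the bcrypt string hidden in one 92-character edmodo line."""
    line = line.strip()
    if len(line) != 92:
        raise ValueError("expected 92 characters, got %d: %r" % (len(line), line))
    # 0-based indices 0, 2, ..., 62 are positions 1, 3, ..., 63; then 65 onwards
    real = line[0:64:2] + line[64:]
    # Keeping position 64 as well yields a 61-character string that bcrypt
    # (and hashcat -m 3200) will not accept; the regex catches that.
    if not BCRYPT_RE.match(real):
        raise ValueError("result is not a bcrypt hash: %r" % real)
    return real


def deobfuscate_dump(text):
    """Apply deobfuscate() to every non-empty line of a dump."""
    return [deobfuscate(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for h in deobfuscate_dump(SAMPLE_DUMP):
        print(h)
```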
 


freeroute

Create the correct 8tracks format.
Method 1: bash
Can be found here.

Method 2: python3 script (attached)
Bash:
cat sha1_hash.txt
34a0222322fd0333aa384c1a69335dce6a5a2c93:x4qTsaw9sVwuAa9WcmWs
39e60d89a69fb838a9b011f9647177428aa00879:X4sz3F2DyzVQ4EEddp6p
5cdb24c742a0eb99320e7fb396acd58946706c69:x4vT41D5jshktgzXfkmq
bb2108e9ed077b8331d12568683593e5fe5f56c7:x4ZyfgW9ADqVKhAnzppf
aa5793195607e35f5d59d83731f3c078cb2e4b5a:x52QWecp9BUWRodekA8j
10dffd7eb7381f7b63df74e0feffeddcd0dee46c:x54Z7dzSsxjGHDR3PVJf
Bash:
./8tracks.py sha1_hash.txt
34a0222322fd0333aa384c1a69335dce6a5a2c93:--x4qTsaw9sVwuAa9WcmWs--
39e60d89a69fb838a9b011f9647177428aa00879:--X4sz3F2DyzVQ4EEddp6p--
5cdb24c742a0eb99320e7fb396acd58946706c69:--x4vT41D5jshktgzXfkmq--
bb2108e9ed077b8331d12568683593e5fe5f56c7:--x4ZyfgW9ADqVKhAnzppf--
aa5793195607e35f5d59d83731f3c078cb2e4b5a:--x52QWecp9BUWRodekA8j--
10dffd7eb7381f7b63df74e0feffeddcd0dee46c:--x54Z7dzSsxjGHDR3PVJf--
 


freeroute

WordPress passwords, explained and cracked

"This is a WordPress hash: $P$BnPVO4gP9JUMSAM1WlLTHPdH6EDj4e1
For simplicity, we will assume the site uses PHP>5 and the newest phpass portable hash, which is the most common setup.

The first 3 characters $P$ are an ID, telling the system which kind of hash we have.
Character number 3 (counting from 0) is used to determine how many times the md5() has to process the input string.
Chars from 4 to 12 nPVO4gP9 are the salt, which is a random string appended to the password before hashing, to give it more randomness.
For example, if your password is admin, it gets turned to nPVO4gP9admin and then hashed.
The remaining part for the hash JUMSAM1WlLTHPdH6EDj4e1 is the real randomness, generated by the salt+password passed in an undocumented encode64 function, which performs some bitwise operations on the input string and returns a 22 chars output."

More: https://frenxi.com/cracking-wordpress-password-hash/
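The scheme the quote describes, as an added example (not the linked article's code): the count character selects 2^n md5 rounds, the eight salt characters are prefixed to the password, and phpass's own encode64 turns the 16-byte digest into the 22-character tail. The hash quoted above is parsed for its count and salt; since its password is not given on the page, the verification round-trips a constructed hash instead.

```python
"""phpass portable hashes ($P$) as used by WordPress.

Added example, not the linked article's code. The quoted hash is parsed for
its iteration count and salt; its password is not on the page, so the
verification below round-trips a constructed hash (password "admin").
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
QUOTED_HASH = "$P$BnPVO4gP9JUMSAM1WlLTHPdH6EDj4e1"   # from the quote above


def encode64(data):
    """phpass's encode64: packs 3 bytes into 4 itoa64 chars, low bits first."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return "".join(out)


def parse_setting(stored):
    """Return (md5 rounds, salt) from the first 12 characters of a $P$/$H$ hash."""
    if stored[:3] not in ("$P$", "$H$") or len(stored) < 12:
        raise ValueError("not a phpass portable hash: %r" % stored)
    count_log2 = ITOA64.index(stored[3])        # char 3 (counting from 0)
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count character out of range")
    return 1 << count_log2, stored[4:12]        # chars 4..11 are the salt


def crypt_private(password, setting):
    """Recompute the 34-character hash of `password` under `setting`'s count and salt."""
    rounds, salt = parse_setting(setting)
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode() + pw).digest()   # salt prefixed, md5 once ...
    for _ in range(rounds):                              # ... then 2^n more rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)               # 16 bytes -> 22 chars


def check_password(password, stored):
    """True when `password` reproduces the stored phpass hash."""
    return crypt_private(password, stored) == stored


if __name__ == "__main__":
    print(parse_setting(QUOTED_HASH))                  # (8192, 'nPVO4gP9')
    sample = crypt_private("admin", "$P$BnPVO4gP9")    # constructed hash
    print(sample, check_password("admin", sample))
```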
 

freeroute

Info.
- hcxdumptool and hcxtools are 100% compatible and we recommend using the new hash mode -m 22000
- in addition to hcxpcapngtool, multicapconverter is able to convert to 22000, too.
- it is not necessary to clean cap/pcap/pcapng files. Cleaning a cap will remove some important frames which can help to find the PSK.
- if a cap is too big, gzip is the tool of the choice to compress it.
- all state of the art tools (e.g. Wireshark/tshark) are able to handle gzip compressed files (.gz).

- in addition, you can use tshark to remove unwanted frames but leave important frames:
Bash:
tshark -r input.cap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype ==0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcapng -w cleaned.pcapng
All other tools are not compatible with hashcat's new 22000 hash format. That includes wlancap2hcx and hcxpcaptool.

Do not use them any longer.
Previous thread: AP-less attack with hcxtools
 

freeroute

JtR tips - wpa-related

JtR has an amazing feature that hashcat doesn't have: --single

$ hcxpcapngtool --john=test.john test.cap
$ john --single --format=wpapsk-opencl test.john
or

$ john --single:all --format=wpapsk-opencl test.john

It will test ESSID/BSSID against some rules (--single) or all rules (--single:all)
 

freeroute

Generate candidate passwords or check the rule using John the Ripper
Bash:
./john --wordlist=password.txt --stdout --rules=single > JTR-generated-candidates-with-single.txt
Generated list attached.
 


freeroute

How-to convert hccapx/pmkid to 22000 format

$ hcxmactool -h
hcxmactool 6.0.3-1-g9200cbe (C) 2020 ZeroBeat
usage: hcxmactool <options>

options:
-o <oui> : filter access point by OUI
-n <nic> : filter access point by NIC
-m <mac> : filter access point by MAC
-a <vendor> : filter access point by VENDOR name
-O <oui> : filter client by OUI
-N <nic> : filter client by NIC
-M <mac> : filter client by MAC
-A <vendor> : filter client by VENDOR name
-h : show this help
-v : show version

--pmkideapolout=<file> : output PMKID/EAPOL hash line (22000 format)
--pmkidin=<file> : input PMKID file
--pmkidout=<file> : output PMKID file
--hccapxin=<file> : input HCCAPX file
--hccapxout=<file> : output HCCAPX file
--help : show this help
--version : show version

Additional PMKID files can be converted via bash commands (cat, awk)

old:16800
00037dfd647e617cce929004a929bb76*cc40d07076b8*a4da222c0cb0*50737963686f746f6d696d65746963

new:22000
WPA*01*00037dfd647e617cce929004a929bb76*cc40d07076b8*a4da222c0cb0*50737963686f746f6d696d65746963***

example:
$ echo "00037dfd647e617cce929004a929bb76*cc40d07076b8*a4da222c0cb0*50737963686f746f6d696d65746963" | awk '{ print "WPA*01*" $0 "***"}'
WPA*01*00037dfd647e617cce929004a929bb76*cc40d07076b8*a4da222c0cb0*50737963686f746f6d696d65746963***

or
cat old.16800 | awk '{ print "WPA*01*" $0 "***"}' > new.22000
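Added example covering this post and the hcxhashtool post above (not hcxtools code): it parses 22000 lines, decodes the ESSID, names the message pair from the low three bits of the last field, reproduces the `--authorized` selection, and does the 16800 to 22000 conversion of the awk one-liner with field checks. Sample lines are copied from the thread; the second EAPOL line is constructed by changing the message-pair byte of the first.

```python
"""Parse and filter hashcat 22000 lines, and convert old 16800 PMKID lines.

Added example, not hcxtools code. Sample lines are copied from the
hcxhashtool output earlier in the thread; EAPOL_M32E2 is constructed by
changing the message-pair byte of the first EAPOL line (a0 -> a2).
"""
import re

HEX_RE = re.compile(r"^[0-9a-f]*$")
# Low three bits of the MESSAGEPAIR byte (hashcat 22000 / hccapx numbering).
MESSAGE_PAIRS = {0: "M1M2 E2", 1: "M1M4 E4", 2: "M2M3 E2",
                 3: "M2M3 E3", 4: "M3M4 E3", 5: "M3M4 E4"}

PMKID_LINE = ("WPA*01*2a0bd3b4989f58a171ab9c04bf3e4d0a*10bef56c61a5*00eebd63054e"
              "*442d4c696e6b5f474f2d52542d4e333030***")
EAPOL_M12E2 = "WPA*02*4c49e2dbfb058062143a136b02768a32*10bef56c61a5*00eebd63054e*442d4c696e6b5f474f2d52542d4e333030*5d331c6cc7068cdea0151907a4474dceed7ba99adfaa7210fc1bb27e885d9766*0103007502010a00000000000000000001f2d89aec0c8873a77653a81f657d9e5378ee0fe28d892d9ef9ee4094582574b5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*a0"
EAPOL_M32E2 = EAPOL_M12E2[:-2] + "a2"   # constructed, see docstring
OLD_16800 = ("00037dfd647e617cce929004a929bb76*cc40d07076b8*a4da222c0cb0"
             "*50737963686f746f6d696d65746963")


def parse_22000(line):
    """Split one WPA*TYPE*... line into a dict; raise ValueError if malformed."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a 22000 hash line: %r" % line)
    if not all(HEX_RE.match(x) for x in f[2:]):
        raise ValueError("non-hex field in: %r" % line)
    if len(f[2]) != 32 or len(f[3]) != 12 or len(f[4]) != 12:
        raise ValueError("bad PMKID/MIC or MAC length in: %r" % line)
    rec = {"type": "PMKID" if f[1] == "01" else "EAPOL",
           "mac_ap": f[3], "mac_client": f[4],
           "essid": bytes.fromhex(f[5]).decode("utf-8", "replace")}
    if rec["type"] == "PMKID":
        rec["pmkid"] = f[2]
    else:
        mp = int(f[8], 16) & 0x07
        rec["mic"] = f[2]
        rec["message_pair"] = MESSAGE_PAIRS.get(mp, "unknown")
        # In an M1M2 pair the AP has not yet confirmed the client's MIC, so the
        # PSK the client used may be wrong; every other pair went past M2, which
        # hcxhashtool reports as "authorized".
        rec["authorized"] = mp != 0
    return rec


def authorized_only(lines):
    """Same selection as `hcxhashtool --authorized`: EAPOL lines from an authorized pair."""
    keep = []
    for line in lines:
        rec = parse_22000(line)
        if rec["type"] == "EAPOL" and rec["authorized"]:
            keep.append(line)
    return keep


def pmkid_16800_to_22000(line):
    """PMKID*MAC_AP*MAC_CLIENT*ESSID_HEX -> WPA*01*...***, with field checks."""
    f = line.strip().split("*")
    if (len(f) != 4 or len(f[0]) != 32 or len(f[1]) != 12 or len(f[2]) != 12
            or not all(HEX_RE.match(x) for x in f)):
        raise ValueError("not a 16800 PMKID line: %r" % line)
    new = "WPA*01*" + "*".join(f) + "***"
    parse_22000(new)          # round-trip check on what was just built
    return new


if __name__ == "__main__":
    for line in (PMKID_LINE, EAPOL_M12E2, EAPOL_M32E2):
        print(parse_22000(line))
    print(authorized_only([PMKID_LINE, EAPOL_M12E2, EAPOL_M32E2]))
    print(pmkid_16800_to_22000(OLD_16800))
```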
 