Date: Tue, 29 Jan 2013 9:58:29 -0500
From:  <jfoug@....net>
To: john-users@...ts.openwall.com
Cc: Dhiru Kholia <dhiru.kholia@...il.com>
Subject: Re: can't get jtr to ID this


---- Dhiru Kholia <dhiru.kholia@...il.com> wrote: 
> On Tue, Jan 29, 2013 at 8:23 AM, Solar Designer <solar@...nwall.com> wrote:
> > On Mon, Jan 28, 2013 at 09:41:14PM -0500, jfoug@....net wrote:
> >> I have also been working on a wpapcap2john which properly converts straight from pcap files, into JtR input.
> >
> > Cool!  This is a very welcome contribution too.  Thank you!
> 
> :-(. I wrote a similar patch few days back.
> 
> -- 
> Dhiru

I believe your code also has bugs when building the hash file, building invalid hashes. It appears you cut the code (along with bugs) from aircrack.  I will get some cap file built that displays this problem.

Ok, I have included 2 .cap files. They are from the same session. The DeJong-1.cap is filtered to contain the beacon, and all eapol packets.  The 'correct' 4way, is the msg2/msg3 pair.  The DeJong-1a.cap is the beacon, and just the msg2/msg3 pair, all other eapol have been removed.

aircrack-ng converts the first file (the DeJong-1.cap) into this (which is bogus):

$WPAPSK$DeJong#s75pna/..0P4F8XWX3mppql6.SM7HkkaftIxYY7oEIMrwTujO4Fq1xKFOSQT9ttNubyjIGgqG/o7Mdg3TTqKzcIZxM3EWDhTT23TOU21.3w0.kc............0............................................................................................................................................................................................................................................................................................................................../X.....U...5zb/r58Bre2vUr.FMlKNOk

Your code converts both files into this (which is bogus):

$WPAPSK$DeJong#s75pna/..0P4F8XW2szvS3NKiph6ewhflOefVTWMqjlurBIOc2/Br.vG1iAT9ttNubyjIGgqG/o7Mdg3TTqKzcIZxM3EWDhTT23TOU61.7Q02wc.2..........C5mySKSdzfp2fBYUR0K8P/LrxZju37TK/I6XvLrl/Lqc.....................IEE.........................................C7TjBWw1SlbYeSxAlV2EJnO6dMUeDHIuqOrRzMuQ6N6saN4KK.skPxmPG4U8w57e9F45GeL273Hd......................................................................................................................................0P.....U...AYvNCzLYXPiy8UFGcpqMPA

Aircrack-ng converts the 2nd file into this (proper hash). My code outputs this for either file.

$WPAPSK$DeJong#s75pna/..0P4F8XW2szvS3NKiph6ewhflOefVTWMqjlurBIOc2/Br.vG1iAT9ttNubyjIGgqG/o7Mdg3TTqKzcIZxM3EWDhTT23TOU21.5Q0.Ec............B2szvS3NKiph6ewhflOefVTWMqjlurBIOc2/Br.vG1iA.................................................................41.K.E..1uk2.E..1uk2.E..1uk0D...................................................................................................................................................................................../v.....U...AxwpokwAhviXJsfS5CtaOg

That is the valid hash.  The password is:   password23

I have included the source I have written.  NOTE, it may not have 'all' ways of producing a correct hash.  But so far, all situations I have thrown at it HAVE found valid results.   Here is the tut I used for figuring this stuff out http://aircrack-ng.org/doku.php?id=wpa_capture , along with aircrack-ng, wireshark and hccap2john, for reverse engineering exactly what data went where.   My code is absolutely not right, or portable when it comes to BE. It was written in VC, but compiles and works just fine on 32 or 64 bit backtrack (ubuntu??).     NOTE, the only 'matches' I am using are 12 and 23.  The reason for 2, is that the full Authentication block within the 2 packet (with the mic zero'd out), becomes the proper eapol field.  I imagine that field could be reconstructed in other ways, but that method appears to be solid, and works for the above 2 combinations.

Again, the very detailed explanation within the tut (and the IEEE 802.11 spec) gave me the info I needed, to be able to pull the right packets, and 'make' aircrack-ng work every time. Once I got to that point, getting the software to automatically do what I was doing by hand, was not that hard.

Jim.
View attachment "wpapcap2john.h" of type "text/plain" (7398 bytes)

View attachment "wpapcap2john.cpp" of type "text/plain" (11843 bytes)

Download attachment "DeJong-1.cap" of type "application/octet-stream" (18173 bytes)

Download attachment "DeJong-1a.cap" of type "application/octet-stream" (714 bytes)

Download attachment "d.in" of type "application/octet-stream" (1723 bytes)
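
The step described in the message (taking the message 2 EAPOL frame and zeroing its MIC to form the eapol field), shown as an added example that is not part of the original post or of the attached wpapcap2john source. The function names, the message 2 versus message 4 heuristic and the sample frame are assumptions constructed for illustration; the offsets follow the IEEE 802.11 EAPOL-Key frame layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets from the start of the 802.1X header (IEEE 802.11 EAPOL-Key layout). */
enum { KEY_INFO_OFF = 5, NONCE_OFF = 17, MIC_OFF = 81, MIC_LEN = 16, KEY_DATA_LEN_OFF = 97,
       MIN_KEY_FRAME = 99, KI_INSTALL = 0x0040, KI_ACK = 0x0080, KI_MIC = 0x0100 };

/* Handshake message number 1-4, or 0 if this is not a usable EAPOL-Key frame.
   Fields are read byte by byte (big-endian on the wire), so host byte order is irrelevant. */
int eapol_msg_number(const uint8_t *f, size_t len)
{
    if (len < MIN_KEY_FRAME || f[1] != 3) return 0;      /* 802.1X type 3 = EAPOL-Key */
    unsigned ki = (unsigned)f[KEY_INFO_OFF] << 8 | f[KEY_INFO_OFF + 1];
    unsigned kdl = (unsigned)f[KEY_DATA_LEN_OFF] << 8 | f[KEY_DATA_LEN_OFF + 1];
    if (!(ki & KI_MIC)) return (ki & KI_ACK) ? 1 : 0;
    if (ki & KI_ACK) return (ki & KI_INSTALL) ? 3 : 0;
    return kdl ? 2 : 4;   /* assumption: message 4 carries no key data, message 2 does */
}

/* Copy a message 2 frame to out with its MIC zeroed and save the original MIC.
   Returns the frame length taken from the 802.1X header, or 0 if the frame is rejected. */
size_t eapol_for_mic(const uint8_t *f, size_t len, uint8_t *out, size_t cap, uint8_t mic[MIC_LEN])
{
    if (eapol_msg_number(f, len) != 2) return 0;
    size_t total = 4 + ((size_t)f[2] << 8 | f[3]);       /* length field excludes the 4-byte header */
    if (total < MIN_KEY_FRAME || total > len || total > cap) return 0;  /* truncated capture */
    memcpy(out, f, total);                               /* drops trailing capture padding */
    memcpy(mic, f + MIC_OFF, MIC_LEN);
    memset(out + MIC_OFF, 0, MIC_LEN);
    return total;
}

/* Constructed sample: message 2 with placeholder nonce, MIC and key data, plus 4 padding bytes. */
size_t make_sample_msg2(uint8_t buf[125])
{
    memset(buf, 0, 125);
    buf[0] = 1; buf[1] = 3; buf[3] = 117;                /* 95-byte key body + 22 bytes key data */
    buf[4] = 2; buf[5] = 0x01; buf[6] = 0x0a;            /* RSN descriptor; MIC | pairwise | v2 */
    memset(buf + NONCE_OFF, 0xA5, 32);
    memset(buf + MIC_OFF, 0x5C, MIC_LEN);
    buf[KEY_DATA_LEN_OFF + 1] = 22; memset(buf + MIN_KEY_FRAME, 0x30, 22);
    return 125;
}

int main(void)
{
    uint8_t in[125], out[125], mic[MIC_LEN];
    size_t n = eapol_for_mic(in, make_sample_msg2(in), out, sizeof out, mic);
    printf("msg2 eapol field: %zu bytes, first MIC byte %02x\n", n, mic[0]);
}
```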
