arno/hashcat
1
0
Fork 0
mirror of https://github.com/hashcat/hashcat.git synced 2025-04-05 01:06:00 +00:00
Code Issues Releases Wiki Activity

Add -m 2501 module

Browse Source
This commit is contained in:
jsteube 2019-01-20 10:41:16 +01:00
parent 35265d43f3
commit 355ae342f7
5 changed files with 854 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/interface_migrate.h
View File

@ -938,7 +938,6 @@ typedef enum kern_type
KERN_TYPE_STDOUT = 2000,
KERN_TYPE_DCC2 = 2100,
KERN_TYPE_MD5ASA = 2410,
KERN_TYPE_WPA_EAPOL_PMK = 2501,
KERN_TYPE_MD55 = 2600,
KERN_TYPE_MD55_PWSLT1 = 2610,
KERN_TYPE_MD55_PWSLT2 = 2710,
@ -1108,7 +1107,6 @@ typedef enum kern_type
typedef enum rounds_count
{
ROUNDS_DCC2 = 10240,
ROUNDS_WPA_PMK = 1,
ROUNDS_BCRYPT = (1 << 5),
ROUNDS_PSAFE3 = 2048,
ROUNDS_ANDROIDPIN = 1024,

38
src/interface_migrate.c
View File

@ -60,7 +60,6 @@
" 10900 | PBKDF2-HMAC-SHA256 | Generic KDF",
" 12100 | PBKDF2-HMAC-SHA512 | Generic KDF",
" 23 | Skype | Network Protocols",
" 2501 | WPA-EAPOL-PMK | Network Protocols",
" 16800 | WPA-PMKID-PBKDF2 | Network Protocols",
" 16801 | WPA-PMKID-PMK | Network Protocols",
" 4800 | iSCSI CHAP authentication, MD5(CHAP) | Network Protocols",
@ -256,7 +255,6 @@ static const char *ST_PASS_HASHCAT_EXCL3 = "hashcat!!!";
static const char *ST_PASS_HASHCAT_ONE = "hashcat1";
static const char *ST_PASS_HASHCAT_ONET3 = "hashcat1hashcat1hashcat1";
static const char *ST_PASS_HEX_02501 = "7f620a599c445155935a35634638fa67b4aafecb92e0bd8625388757a63c2dda";
static const char *ST_PASS_BIN_09710 = "\x91\xb2\xe0\x62\xb9";
static const char *ST_PASS_BIN_09810 = "\xb8\xf6\x36\x19\xca";
static const char *ST_PASS_BIN_10410 = "\x6a\x8a\xed\xcc\xb7";
@ -319,7 +317,6 @@ static const char *ST_HASH_01750 = "138c00f17a1a0363f274817c91118f019aff09f937bf
static const char *ST_HASH_01760 = "7d02921299935179d509e6dd4f3d0f2944e3451ea9de3af16baead6a7297e5653577d2473a0fff743d9fe78a89bd49296114319989dc7e7870fc7f62bc96accb:114";
static const char *ST_HASH_01800 = "$6$72820166$U4DVzpcYxgw7MVVDGGvB2/H5lRistD5.Ah4upwENR5UtffLR4X4SxSzfREv8z6wVl0jRFX40/KnYVvK4829kD1";
static const char *ST_HASH_02100 = "$DCC2$10240#6848#e2829c8af2232fa53797e2f0e35e4626";
static const char *ST_HASH_02501 = "4843505804000000000235380000000000000000000000000000000000000000000000000000000000000151aecc428f182acefbd1a9e62d369a079265784da83ba4cf88375c44c830e6e5aa5d6faf352aa496a9ee129fb8292f7435df5420b823a1cd402aed449cced04f552c5b5acfebf06ae96a09c96d9a01c443a17aa62258c4f651a68aa67b0001030077fe010900200000000000000001a4cf88375c44c830e6e5aa5d6faf352aa496a9ee129fb8292f7435df5420b8230000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f20200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";
static const char *ST_HASH_02410 = "YjDBNr.A0AN7DA8s:4684";
static const char *ST_HASH_02600 = "a936af92b0ae20b1ff6c3347a72e5fbe";
static const char *ST_HASH_02611 = "28f9975808ae2bdc5847b1cda26033ea:308";
@ -533,7 +530,6 @@ static const char *HT_01760 = "HMAC-SHA512 (key = $salt)";
static const char *HT_01800 = "sha512crypt $6$, SHA512 (Unix)";
static const char *HT_02100 = "Domain Cached Credentials 2 (DCC2), MS Cache 2";
static const char *HT_02410 = "Cisco-ASA MD5";
static const char *HT_02501 = "WPA-EAPOL-PMK";
static const char *HT_02600 = "md5(md5($pass))";
static const char *HT_03000 = "LM";
static const char *HT_03100 = "Oracle H: Type (Oracle 7+)";
@ -17369,8 +17365,6 @@ void hashconfig_benchmark_defaults (hashcat_ctx_t *hashcat_ctx, salt_t *salt, vo
break;
case 2410: salt->salt_len = 4;
break;
case 2501: memcpy (salt->salt_buf, "hashcat.net", 11);
break;
case 3100: salt->salt_len = 1;
break;
case 5800: salt->salt_len = 16;
@ -17464,8 +17458,6 @@ void hashconfig_benchmark_defaults (hashcat_ctx_t *hashcat_ctx, salt_t *salt, vo
switch (hashconfig->hash_mode)
{
case 2501: ((wpa_eapol_t *) esalt)->eapol_len = 128;
break;
case 5300: ((ikepsk_t *) esalt)->nr_len = 1;
((ikepsk_t *) esalt)->msg_len[5] = 1;
break;
@ -17545,8 +17537,6 @@ void hashconfig_benchmark_defaults (hashcat_ctx_t *hashcat_ctx, salt_t *salt, vo
break;
case 2100: salt->salt_iter = ROUNDS_DCC2;
break;
case 2501: salt->salt_iter = ROUNDS_WPA_PMK;
break;
case 3200: salt->salt_iter = ROUNDS_BCRYPT;
break;
case 5200: salt->salt_iter = ROUNDS_PSAFE3;
@ -22306,28 +22296,6 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx)
hashconfig->st_pass = ST_PASS_HASHCAT_PLAIN;
break;
case 2501: hashconfig->hash_type = HASH_TYPE_WPA_EAPOL;
hashconfig->salt_type = SALT_TYPE_EMBEDDED;
hashconfig->attack_exec = ATTACK_EXEC_OUTSIDE_KERNEL;
hashconfig->opts_type = OPTS_TYPE_PT_GENERATE_LE
| OPTS_TYPE_AUX1
| OPTS_TYPE_AUX2
| OPTS_TYPE_AUX3
| OPTS_TYPE_DEEP_COMP_KERNEL
| OPTS_TYPE_BINARY_HASHFILE;
hashconfig->kern_type = KERN_TYPE_WPA_EAPOL_PMK;
hashconfig->dgst_size = DGST_SIZE_4_4;
hashconfig->parse_func = wpa_eapol_parse_hash;
hashconfig->opti_type = OPTI_TYPE_ZERO_BYTE
| OPTI_TYPE_SLOW_HASH_SIMD_LOOP;
hashconfig->dgst_pos0 = 0;
hashconfig->dgst_pos1 = 1;
hashconfig->dgst_pos2 = 2;
hashconfig->dgst_pos3 = 3;
hashconfig->st_hash = ST_HASH_02501;
hashconfig->st_pass = ST_PASS_HEX_02501;
break;
case 2600: hashconfig->hash_type = HASH_TYPE_MD5;
hashconfig->salt_type = SALT_TYPE_VIRTUAL;
hashconfig->attack_exec = ATTACK_EXEC_INSIDE_KERNEL;
@ -25882,7 +25850,6 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx)
switch (hashconfig->hash_mode)
{
case 2501: hashconfig->esalt_size = sizeof (wpa_eapol_t); break;
case 5300: hashconfig->esalt_size = sizeof (ikepsk_t); break;
case 5400: hashconfig->esalt_size = sizeof (ikepsk_t); break;
case 5500: hashconfig->esalt_size = sizeof (netntlm_t); break;
@ -25992,7 +25959,6 @@ int hashconfig_init (hashcat_ctx_t *hashcat_ctx)
{
case 1800: hashconfig->tmp_size = sizeof (sha512crypt_tmp_t); break;
case 2100: hashconfig->tmp_size = sizeof (dcc2_tmp_t); break;
case 2501: hashconfig->tmp_size = sizeof (wpa_pmk_tmp_t); break;
case 3200: hashconfig->tmp_size = sizeof (bcrypt_tmp_t); break;
case 5200: hashconfig->tmp_size = sizeof (pwsafe3_tmp_t); break;
case 5800: hashconfig->tmp_size = sizeof (androidpin_tmp_t); break;
@ -26103,7 +26069,6 @@ u32 default_pw_min (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED co
switch (hashconfig->hash_mode)
{
case 2501: pw_min = 64; break; // WPA-EAPOL-PMK: fixed
case 9710: pw_min = 5; break; // RC4-40 fixed
case 9810: pw_min = 5; break; // RC4-40 fixed
case 10410: pw_min = 5; break; // RC4-40 fixed
@ -26172,7 +26137,6 @@ u32 default_pw_max (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED co
{
case 112: pw_max = 30; break; // https://www.toadworld.com/platforms/oracle/b/weblog/archive/2013/11/12/oracle-12c-passwords
case 2100: pw_max = PW_MAX; break;
case 2501: pw_max = 64; break; // WPA-EAPOL-PMK: fixed length
case 3000: pw_max = 7; break; // LM max
case 3100: pw_max = 30; break; // http://www.red-database-security.de/whitepaper/oracle_passwords.html
case 3200: pw_max = 72; break; // Underlaying Blowfish max
@ -26337,8 +26301,6 @@ const char *default_benchmark_mask (MAYBE_UNUSED const hashconfig_t *hashconfig,
{
switch (hashconfig->hash_mode)
{
case 2501: mask = "?a?a?a?a?a?a?a?axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
break;
case 9710: mask = "?b?b?b?b?b";
break;
case 9810: mask = "?b?b?b?b?b";

3
src/modules/module_02500.c
View File

@ -24,7 +24,8 @@ static const u32 HASH_TYPE = HASH_TYPE_GENERIC;
static const u64 KERN_TYPE = 2500;
static const u32 OPTI_TYPE = OPTI_TYPE_ZERO_BYTE
| OPTI_TYPE_SLOW_HASH_SIMD_LOOP;
static const u64 OPTS_TYPE = OPTS_TYPE_PT_GENERATE_LE
static const u64 OPTS_TYPE = OPTS_TYPE_STATE_BUFFER_LE
| OPTS_TYPE_PT_GENERATE_LE
| OPTS_TYPE_AUX1
| OPTS_TYPE_AUX2
| OPTS_TYPE_AUX3

851
src/modules/module_02501.c Normal file
View File

@ -0,0 +1,851 @@
/**
* Author......: See docs/credits.txt
* License.....: MIT
*/
#include "common.h"
#include "types.h"
#include "modules.h"
#include "bitops.h"
#include "convert.h"
#include "shared.h"
#include "memory.h"
#include "cpu_md5.h"
static const u32 ATTACK_EXEC = ATTACK_EXEC_OUTSIDE_KERNEL;
static const u32 DGST_POS0 = 0;
static const u32 DGST_POS1 = 1;
static const u32 DGST_POS2 = 2;
static const u32 DGST_POS3 = 3;
static const u32 DGST_SIZE = DGST_SIZE_4_4;
static const u32 HASH_CATEGORY = HASH_CATEGORY_NETWORK_PROTOCOL;
static const char *HASH_NAME = "WPA-EAPOL-PMK";
static const u32 HASH_TYPE = HASH_TYPE_GENERIC;
static const u64 KERN_TYPE = 2501;
static const u32 OPTI_TYPE = OPTI_TYPE_ZERO_BYTE
| OPTI_TYPE_SLOW_HASH_SIMD_LOOP;
static const u64 OPTS_TYPE = OPTS_TYPE_STATE_BUFFER_LE
| OPTS_TYPE_PT_GENERATE_LE
| OPTS_TYPE_AUX1
| OPTS_TYPE_AUX2
| OPTS_TYPE_AUX3
| OPTS_TYPE_DEEP_COMP_KERNEL
| OPTS_TYPE_BINARY_HASHFILE;
static const u32 SALT_TYPE = SALT_TYPE_EMBEDDED;
static const char *ST_PASS = "7f620a599c445155935a35634638fa67b4aafecb92e0bd8625388757a63c2dda";
static const char *ST_HASH = "4843505804000000000235380000000000000000000000000000000000000000000000000000000000000151aecc428f182acefbd1a9e62d369a079265784da83ba4cf88375c44c830e6e5aa5d6faf352aa496a9ee129fb8292f7435df5420b823a1cd402aed449cced04f552c5b5acfebf06ae96a09c96d9a01c443a17aa62258c4f651a68aa67b0001030077fe010900200000000000000001a4cf88375c44c830e6e5aa5d6faf352aa496a9ee129fb8292f7435df5420b8230000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f20200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";
u32 module_attack_exec (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ATTACK_EXEC; }
u32 module_dgst_pos0 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS0; }
u32 module_dgst_pos1 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS1; }
u32 module_dgst_pos2 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS2; }
u32 module_dgst_pos3 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS3; }
u32 module_dgst_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_SIZE; }
u32 module_hash_category (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_CATEGORY; }
const char *module_hash_name (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_NAME; }
u32 module_hash_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_TYPE; }
u64 module_kern_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return KERN_TYPE; }
u32 module_opti_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTI_TYPE; }
u64 module_opts_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTS_TYPE; }
u32 module_salt_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return SALT_TYPE; }
const char *module_st_hash (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_HASH; }
const char *module_st_pass (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_PASS; }
static const u32 ROUNDS_WPA_PMK = 1;
typedef struct wpa_eapol
{
u32 pke[32];
u32 eapol[64 + 16];
u16 eapol_len;
u8 message_pair;
int message_pair_chgd;
u8 keyver;
u8 orig_mac_ap[6];
u8 orig_mac_sta[6];
u8 orig_nonce_ap[32];
u8 orig_nonce_sta[32];
u8 essid_len;
u8 essid[32];
u32 keymic[4];
u32 hash[4];
int nonce_compare;
int nonce_error_corrections;
int detected_le;
int detected_be;
} wpa_eapol_t;
typedef struct wpa_pbkdf2_tmp
{
u32 ipad[5];
u32 opad[5];
u32 dgst[10];
u32 out[10];
} wpa_pbkdf2_tmp_t;
#define HCCAPX_VERSION 4
#define HCCAPX_SIGNATURE 0x58504348 // HCPX
// this is required to force mingw to accept the packed attribute
#pragma pack(push,1)
struct hccapx
{
u32 signature;
u32 version;
u8 message_pair;
u8 essid_len;
u8 essid[32];
u8 keyver;
u8 keymic[16];
u8 mac_ap[6];
u8 nonce_ap[32];
u8 mac_sta[6];
u8 nonce_sta[32];
u16 eapol_len;
u8 eapol[256];
} __attribute__((packed));
typedef struct hccapx hccapx_t;
#pragma pack(pop)
static void to_hccapx_t (const hashes_t *hashes, hccapx_t *hccapx, const u32 salt_pos, const u32 digest_pos)
{
const salt_t *salts_buf = hashes->salts_buf;
const void *esalts_buf = hashes->esalts_buf;
memset (hccapx, 0, sizeof (hccapx_t));
hccapx->signature = HCCAPX_SIGNATURE;
hccapx->version = HCCAPX_VERSION;
const salt_t *salt = &salts_buf[salt_pos];
const u32 digest_cur = salt->digests_offset + digest_pos;
hccapx->essid_len = salt->salt_len;
memcpy (hccapx->essid, salt->salt_buf, hccapx->essid_len);
wpa_eapol_t *wpa_eapols = (wpa_eapol_t *) esalts_buf;
wpa_eapol_t *wpa_eapol = &wpa_eapols[digest_cur];
hccapx->message_pair = wpa_eapol->message_pair;
hccapx->keyver = wpa_eapol->keyver;
hccapx->eapol_len = wpa_eapol->eapol_len;
if (wpa_eapol->keyver != 1)
{
u32 eapol_tmp[64] = { 0 };
for (u32 i = 0; i < 64; i++)
{
eapol_tmp[i] = byte_swap_32 (wpa_eapol->eapol[i]);
}
memcpy (hccapx->eapol, eapol_tmp, wpa_eapol->eapol_len);
}
else
{
memcpy (hccapx->eapol, wpa_eapol->eapol, wpa_eapol->eapol_len);
}
memcpy (hccapx->mac_ap, wpa_eapol->orig_mac_ap, 6);
memcpy (hccapx->mac_sta, wpa_eapol->orig_mac_sta, 6);
memcpy (hccapx->nonce_ap, wpa_eapol->orig_nonce_ap, 32);
memcpy (hccapx->nonce_sta, wpa_eapol->orig_nonce_sta, 32);
if (wpa_eapol->keyver != 1)
{
u32 digest_tmp[4];
digest_tmp[0] = byte_swap_32 (wpa_eapol->keymic[0]);
digest_tmp[1] = byte_swap_32 (wpa_eapol->keymic[1]);
digest_tmp[2] = byte_swap_32 (wpa_eapol->keymic[2]);
digest_tmp[3] = byte_swap_32 (wpa_eapol->keymic[3]);
memcpy (hccapx->keymic, digest_tmp, 16);
}
else
{
memcpy (hccapx->keymic, wpa_eapol->keymic, 16);
}
}
static int check_old_hccap (const char *hashfile)
{
FILE *fp = fopen (hashfile, "rb");
if (fp == NULL) return -1;
u32 signature;
const size_t nread = hc_fread (&signature, sizeof (u32), 1, fp);
fclose (fp);
if (nread != 1) return -1;
if (signature == HCCAPX_SIGNATURE) return 0;
return 1;
}
const char *module_benchmark_mask (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
{
const char *mask = "?a?a?a?a?a?a?a?axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
return mask;
}
u64 module_tmp_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
{
const u64 tmp_size = (const u64) sizeof (wpa_pbkdf2_tmp_t);
return tmp_size;
}
u64 module_esalt_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
{
const u64 esalt_size = (const u64) sizeof (wpa_eapol_t);
return esalt_size;
}
u32 module_pw_min (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
{
const u32 pw_min = 64;
return pw_min;
}
u32 module_pw_max (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
{
const u32 pw_max = 64;
return pw_max;
}
int module_hash_decode_outfile (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED void *digest_buf, MAYBE_UNUSED salt_t *salt, MAYBE_UNUSED void *esalt_buf, MAYBE_UNUSED hashinfo_t *hash_info, const char *line_buf, MAYBE_UNUSED const int line_len)
{
u32 *digest = (u32 *) digest_buf;
// here we have in line_hash_buf: hash:macap:macsta:essid:password
char *sep_pos = strrchr (line_buf, ':');
if (sep_pos == NULL) return (PARSER_HASH_ENCODING);
if ((line_buf + 32 + 1 + 12 + 1 + 12) != sep_pos) return (PARSER_HASH_LENGTH);
char *essid_pos = sep_pos + 1;
const int essid_len = strlen (essid_pos);
u8 tmp_buf[128] = { 0 };
int tmp_len = essid_len;
memcpy (tmp_buf, essid_pos, essid_len);
if (is_hexify (tmp_buf, tmp_len) == true)
{
tmp_len = exec_unhexify (tmp_buf, tmp_len, tmp_buf, sizeof (tmp_buf));
}
if (tmp_len > 32) return (PARSER_HASH_VALUE);
memcpy (salt->salt_buf, tmp_buf, tmp_len);
salt->salt_len = tmp_len;
salt->salt_iter = ROUNDS_WPA_PMK - 1;
digest[0] = hex_to_u32 ((const u8 *) &line_buf[ 0]);
digest[1] = hex_to_u32 ((const u8 *) &line_buf[ 8]);
digest[2] = hex_to_u32 ((const u8 *) &line_buf[16]);
digest[3] = hex_to_u32 ((const u8 *) &line_buf[24]);
digest[0] = byte_swap_32 (digest[0]);
digest[1] = byte_swap_32 (digest[1]);
digest[2] = byte_swap_32 (digest[2]);
digest[3] = byte_swap_32 (digest[3]);
return PARSER_OK;
}
int module_hash_encode_status (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const void *digest_buf, MAYBE_UNUSED const salt_t *salt, MAYBE_UNUSED const void *esalt_buf, MAYBE_UNUSED const hashinfo_t *hash_info, char *line_buf, MAYBE_UNUSED const int line_size)
{
wpa_eapol_t *wpa_eapol = (wpa_eapol_t *) esalt_buf;
const int line_len = snprintf (line_buf, line_size, "%s (AP:%02x:%02x:%02x:%02x:%02x:%02x STA:%02x:%02x:%02x:%02x:%02x:%02x)",
(char *) salt->salt_buf,
wpa_eapol->orig_mac_ap[0],
wpa_eapol->orig_mac_ap[1],
wpa_eapol->orig_mac_ap[2],
wpa_eapol->orig_mac_ap[3],
wpa_eapol->orig_mac_ap[4],
wpa_eapol->orig_mac_ap[5],
wpa_eapol->orig_mac_sta[0],
wpa_eapol->orig_mac_sta[1],
wpa_eapol->orig_mac_sta[2],
wpa_eapol->orig_mac_sta[3],
wpa_eapol->orig_mac_sta[4],
wpa_eapol->orig_mac_sta[5]);
return line_len;
}
int module_hash_init_selftest (MAYBE_UNUSED const hashconfig_t *hashconfig, hash_t *hash)
{
char *tmpdata = (char *) hcmalloc (sizeof (hccapx_t));
const size_t st_hash_len = strlen (hashconfig->st_hash);
for (size_t i = 0, j = 0; j < st_hash_len; i += 1, j += 2)
{
const u8 c = hex_to_u8 ((const u8 *) hashconfig->st_hash + j);
tmpdata[i] = c;
}
int parser_status = module_hash_decode (hashconfig, hash->digest, hash->salt, hash->esalt, hash->hash_info, tmpdata, sizeof (hccapx_t));
wpa_eapol_t *wpa_eapol = (wpa_eapol_t *) hash->esalt;
wpa_eapol->detected_le = 1;
wpa_eapol->detected_be = 0;
wpa_eapol->nonce_error_corrections = 3;
hcfree (tmpdata);
return parser_status;
}
int module_hash_binary_save (MAYBE_UNUSED const hashes_t *hashes, MAYBE_UNUSED const u32 salt_pos, MAYBE_UNUSED const u32 digest_pos, char **buf)
{
hccapx_t *hccapx = hcmalloc (sizeof (hccapx_t));
to_hccapx_t (hashes, hccapx, salt_pos, digest_pos);
*buf = (char *) hccapx;
return sizeof (hccapx_t);
}
int module_hash_binary_parse (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra, hashes_t *hashes)
{
// hashes->hashlist_mode = HL_MODE_FILE; ???
hash_t *hashes_buf = hashes->hashes_buf;
int hashes_cnt = 0;
FILE *fp = fopen (hashes->hashfile, "rb");
if (fp == NULL) return -1;
char *in = (char *) hcmalloc (sizeof (hccapx_t));
while (!feof (fp))
{
const size_t nread = hc_fread (in, sizeof (hccapx_t), 1, fp);
if (nread == 0) break;
memset (hashes_buf[hashes_cnt].salt, 0, sizeof (salt_t));
memset (hashes_buf[hashes_cnt].esalt, 0, sizeof (wpa_eapol_t));
wpa_eapol_t *wpa_eapol = (wpa_eapol_t *) hashes_buf[hashes_cnt].esalt;
if (user_options->hccapx_message_pair_chgd == true)
{
wpa_eapol->message_pair_chgd = (int) user_options->hccapx_message_pair_chgd;
wpa_eapol->message_pair = (u8) user_options->hccapx_message_pair;
}
if (wpa_eapol->message_pair & (1 << 4))
{
// ap-less attack detected, nc not needed
wpa_eapol->nonce_error_corrections = 0;
}
else
{
if (wpa_eapol->message_pair & (1 << 7))
{
// replaycount not checked, nc needed
wpa_eapol->nonce_error_corrections = user_options->nonce_error_corrections;
}
else
{
// replaycount checked, nc not needed, but we allow user overwrites
if (user_options->nonce_error_corrections_chgd == true)
{
wpa_eapol->nonce_error_corrections = user_options->nonce_error_corrections;
}
else
{
wpa_eapol->nonce_error_corrections = 0;
}
}
}
// now some optimization related to replay counter endianess
// hcxtools has techniques to detect them
// since we can not guarantee to get our handshakes from hcxtools we enable both by default
// this means that we check both even if both are not set!
// however if one of them is set, we can assume that the endianess has been checked and the other one is not needed
wpa_eapol->detected_le = 1;
wpa_eapol->detected_be = 1;
if (wpa_eapol->message_pair & (1 << 5))
{
wpa_eapol->detected_le = 1;
wpa_eapol->detected_be = 0;
}
else if (wpa_eapol->message_pair & (1 << 6))
{
wpa_eapol->detected_le = 0;
wpa_eapol->detected_be = 1;
}
hash_t *hash = &hashes_buf[hashes_cnt];
const int parser_status = module_hash_decode (hashconfig, hash->digest, hash->salt, hash->esalt, hash->hash_info, in, sizeof (hccapx_t));
if (parser_status != PARSER_OK) continue;
hashes_cnt++;
}
hcfree (in);
fclose (fp);
return hashes_cnt;
}
int module_hash_binary_count (MAYBE_UNUSED const hashes_t *hashes)
{
struct stat st;
if (stat (hashes->hashfile, &st) == -1) return -1;
return st.st_size / sizeof (hccapx_t);
}
u32 module_deep_comp_kernel (MAYBE_UNUSED const hashes_t *hashes, MAYBE_UNUSED const u32 salt_pos, MAYBE_UNUSED const u32 digest_pos)
{
const u32 digests_offset = hashes->salts_buf[salt_pos].digests_offset;
wpa_eapol_t *wpa_eapols = (wpa_eapol_t *) hashes->esalts_buf;
wpa_eapol_t *wpa_eapol = &wpa_eapols[digests_offset + digest_pos];
if (wpa_eapol->keyver == 1)
{
return KERN_RUN_AUX1;
}
else if (wpa_eapol->keyver == 2)
{
return KERN_RUN_AUX2;
}
else if (wpa_eapol->keyver == 3)
{
return KERN_RUN_AUX3;
}
return 0;
}
int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED void *digest_buf, MAYBE_UNUSED salt_t *salt, MAYBE_UNUSED void *esalt_buf, MAYBE_UNUSED hashinfo_t *hash_info, const char *line_buf, MAYBE_UNUSED const int line_len)
{
u32 *digest = (u32 *) digest_buf;
wpa_eapol_t *wpa_eapol = (wpa_eapol_t *) esalt_buf;
// the *wpa was partially initialized beforehand, we can not simply memset it to zero
hccapx_t in;
memcpy (&in, line_buf, sizeof (hccapx_t));
if (in.signature != HCCAPX_SIGNATURE) return (PARSER_HCCAPX_SIGNATURE);
if (in.version != HCCAPX_VERSION) return (PARSER_HCCAPX_VERSION);
if (in.eapol_len < 1 || in.eapol_len > 255) return (PARSER_HCCAPX_EAPOL_LEN);
memcpy (wpa_eapol->keymic, in.keymic, 16);
/*
http://www.one-net.eu/jsw/j_sec/m_ptype.html
The phrase "Pairwise key expansion"
Access Point Address (referred to as Authenticator Address AA)
Supplicant Address (referred to as Supplicant Address SA)
Access Point Nonce (referred to as Authenticator Anonce)
Wireless Device Nonce (referred to as Supplicant Nonce Snonce)
*/
u32 salt_len = in.essid_len;
if (salt_len > 32) return (PARSER_SALT_LENGTH);
memcpy (salt->salt_buf, in.essid, in.essid_len);
salt->salt_len = salt_len;
salt->salt_iter = ROUNDS_WPA_PMK - 1;
memcpy (wpa_eapol->essid, in.essid, in.essid_len);
wpa_eapol->essid_len = in.essid_len;
wpa_eapol->keyver = in.keyver;
if ((wpa_eapol->keyver != 1) && (wpa_eapol->keyver != 2) && (wpa_eapol->keyver != 3)) return (PARSER_SALT_VALUE);
u8 *pke_ptr = (u8 *) wpa_eapol->pke;
memset (pke_ptr, 0, 128);
if ((wpa_eapol->keyver == 1) || (wpa_eapol->keyver == 2))
{
memcpy (pke_ptr, "Pairwise key expansion", 23);
if (memcmp (in.mac_ap, in.mac_sta, 6) < 0)
{
memcpy (pke_ptr + 23, in.mac_ap, 6);
memcpy (pke_ptr + 29, in.mac_sta, 6);
}
else
{
memcpy (pke_ptr + 23, in.mac_sta, 6);
memcpy (pke_ptr + 29, in.mac_ap, 6);
}
wpa_eapol->nonce_compare = memcmp (in.nonce_ap, in.nonce_sta, 32);
if (wpa_eapol->nonce_compare < 0)
{
memcpy (pke_ptr + 35, in.nonce_ap, 32);
memcpy (pke_ptr + 67, in.nonce_sta, 32);
}
else
{
memcpy (pke_ptr + 35, in.nonce_sta, 32);
memcpy (pke_ptr + 67, in.nonce_ap, 32);
}
}
else if (wpa_eapol->keyver == 3)
{
pke_ptr[0] = 1;
pke_ptr[1] = 0;
memcpy (pke_ptr + 2, "Pairwise key expansion", 22);
if (memcmp (in.mac_ap, in.mac_sta, 6) < 0)
{
memcpy (pke_ptr + 24, in.mac_ap, 6);
memcpy (pke_ptr + 30, in.mac_sta, 6);
}
else
{
memcpy (pke_ptr + 24, in.mac_sta, 6);
memcpy (pke_ptr + 30, in.mac_ap, 6);
}
wpa_eapol->nonce_compare = memcmp (in.nonce_ap, in.nonce_sta, 32);
if (wpa_eapol->nonce_compare < 0)
{
memcpy (pke_ptr + 36, in.nonce_ap, 32);
memcpy (pke_ptr + 68, in.nonce_sta, 32);
}
else
{
memcpy (pke_ptr + 36, in.nonce_sta, 32);
memcpy (pke_ptr + 68, in.nonce_ap, 32);
}
pke_ptr[100] = 0x80;
pke_ptr[101] = 1;
}
for (int i = 0; i < 32; i++)
{
wpa_eapol->pke[i] = byte_swap_32 (wpa_eapol->pke[i]);
}
memcpy (wpa_eapol->orig_mac_ap, in.mac_ap, 6);
memcpy (wpa_eapol->orig_mac_sta, in.mac_sta, 6);
memcpy (wpa_eapol->orig_nonce_ap, in.nonce_ap, 32);
memcpy (wpa_eapol->orig_nonce_sta, in.nonce_sta, 32);
u8 message_pair_orig = in.message_pair;
in.message_pair &= 0x7f; // ignore the highest bit (it is used to indicate if the replay counters did match)
if (wpa_eapol->message_pair_chgd == true)
{
if (wpa_eapol->message_pair != in.message_pair) return (PARSER_HCCAPX_MESSAGE_PAIR);
}
wpa_eapol->message_pair = message_pair_orig;
wpa_eapol->eapol_len = in.eapol_len;
u8 *eapol_ptr = (u8 *) wpa_eapol->eapol;
memcpy (eapol_ptr, in.eapol, wpa_eapol->eapol_len);
memset (eapol_ptr + wpa_eapol->eapol_len, 0, (256 + 64) - wpa_eapol->eapol_len);
eapol_ptr[wpa_eapol->eapol_len] = 0x80;
if (wpa_eapol->keyver == 1)
{
// nothing to do
}
else if (wpa_eapol->keyver == 2)
{
wpa_eapol->keymic[0] = byte_swap_32 (wpa_eapol->keymic[0]);
wpa_eapol->keymic[1] = byte_swap_32 (wpa_eapol->keymic[1]);
wpa_eapol->keymic[2] = byte_swap_32 (wpa_eapol->keymic[2]);
wpa_eapol->keymic[3] = byte_swap_32 (wpa_eapol->keymic[3]);
for (int i = 0; i < 64; i++)
{
wpa_eapol->eapol[i] = byte_swap_32 (wpa_eapol->eapol[i]);
}
}
else if (wpa_eapol->keyver == 3)
{
// nothing to do
}
// Create a hash of the nonce as ESSID is not unique enough
// Not a regular MD5 but good enough
// We can also ignore cases where we should bzero the work buffer
u32 hash[4];
hash[0] = 0;
hash[1] = 1;
hash[2] = 2;
hash[3] = 3;
u32 block[16];
memset (block, 0, sizeof (block));
u8 *block_ptr = (u8 *) block;
for (int i = 0; i < 16; i++) block[i] = salt->salt_buf[i];
md5_64 (block, hash);
for (int i = 0; i < 16; i++) block[i] = wpa_eapol->pke[i + 0];
md5_64 (block, hash);
for (int i = 0; i < 16; i++) block[i] = wpa_eapol->pke[i + 16];
md5_64 (block, hash);
for (int i = 0; i < 16; i++) block[i] = wpa_eapol->eapol[i + 0];
md5_64 (block, hash);
for (int i = 0; i < 16; i++) block[i] = wpa_eapol->eapol[i + 16];
md5_64 (block, hash);
for (int i = 0; i < 16; i++) block[i] = wpa_eapol->eapol[i + 32];
md5_64 (block, hash);
for (int i = 0; i < 16; i++) block[i] = wpa_eapol->eapol[i + 48];
md5_64 (block, hash);
for (int i = 0; i < 6; i++) block_ptr[i + 0] = wpa_eapol->orig_mac_ap[i];
for (int i = 0; i < 6; i++) block_ptr[i + 6] = wpa_eapol->orig_mac_sta[i];
md5_64 (block, hash);
for (int i = 0; i < 32; i++) block_ptr[i + 0] = wpa_eapol->orig_nonce_ap[i];
for (int i = 0; i < 32; i++) block_ptr[i + 32] = wpa_eapol->orig_nonce_sta[i];
md5_64 (block, hash);
block[0] = wpa_eapol->keymic[0];
block[1] = wpa_eapol->keymic[1];
block[2] = wpa_eapol->keymic[2];
block[3] = wpa_eapol->keymic[3];
md5_64 (block, hash);
wpa_eapol->hash[0] = hash[0];
wpa_eapol->hash[1] = hash[1];
wpa_eapol->hash[2] = hash[2];
wpa_eapol->hash[3] = hash[3];
// make all this stuff unique
digest[0] = wpa_eapol->hash[0];
digest[1] = wpa_eapol->hash[1];
digest[2] = wpa_eapol->hash[2];
digest[3] = wpa_eapol->hash[3];
return (PARSER_OK);
}
int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const void *digest_buf, MAYBE_UNUSED const salt_t *salt, MAYBE_UNUSED const void *esalt_buf, MAYBE_UNUSED const hashinfo_t *hash_info, char *line_buf, MAYBE_UNUSED const int line_size)
{
const wpa_eapol_t *wpa_eapol = (const wpa_eapol_t *) esalt_buf;
int line_len = 0;
if (need_hexify (wpa_eapol->essid, wpa_eapol->essid_len, hashconfig->separator, 0) == true)
{
char tmp_buf[128];
int tmp_len = 0;
tmp_buf[tmp_len++] = '$';
tmp_buf[tmp_len++] = 'H';
tmp_buf[tmp_len++] = 'E';
tmp_buf[tmp_len++] = 'X';
tmp_buf[tmp_len++] = '[';
exec_hexify (wpa_eapol->essid, wpa_eapol->essid_len, (u8 *) tmp_buf + tmp_len);
tmp_len += wpa_eapol->essid_len * 2;
tmp_buf[tmp_len++] = ']';
tmp_buf[tmp_len++] = 0;
line_len = snprintf (line_buf, line_size, "%08x%08x%08x%08x:%02x%02x%02x%02x%02x%02x:%02x%02x%02x%02x%02x%02x:%s",
wpa_eapol->hash[0],
wpa_eapol->hash[1],
wpa_eapol->hash[2],
wpa_eapol->hash[3],
wpa_eapol->orig_mac_ap[0],
wpa_eapol->orig_mac_ap[1],
wpa_eapol->orig_mac_ap[2],
wpa_eapol->orig_mac_ap[3],
wpa_eapol->orig_mac_ap[4],
wpa_eapol->orig_mac_ap[5],
wpa_eapol->orig_mac_sta[0],
wpa_eapol->orig_mac_sta[1],
wpa_eapol->orig_mac_sta[2],
wpa_eapol->orig_mac_sta[3],
wpa_eapol->orig_mac_sta[4],
wpa_eapol->orig_mac_sta[5],
tmp_buf);
}
else
{
line_len = snprintf (line_buf, line_size, "%08x%08x%08x%08x:%02x%02x%02x%02x%02x%02x:%02x%02x%02x%02x%02x%02x:%s",
wpa_eapol->hash[0],
wpa_eapol->hash[1],
wpa_eapol->hash[2],
wpa_eapol->hash[3],
wpa_eapol->orig_mac_ap[0],
wpa_eapol->orig_mac_ap[1],
wpa_eapol->orig_mac_ap[2],
wpa_eapol->orig_mac_ap[3],
wpa_eapol->orig_mac_ap[4],
wpa_eapol->orig_mac_ap[5],
wpa_eapol->orig_mac_sta[0],
wpa_eapol->orig_mac_sta[1],
wpa_eapol->orig_mac_sta[2],
wpa_eapol->orig_mac_sta[3],
wpa_eapol->orig_mac_sta[4],
wpa_eapol->orig_mac_sta[5],
wpa_eapol->essid);
}
return line_len;
}
void module_init (module_ctx_t *module_ctx)
{
module_ctx->module_context_size = MODULE_CONTEXT_SIZE_CURRENT;
module_ctx->module_interface_version = MODULE_INTERFACE_VERSION_CURRENT;
module_ctx->module_attack_exec = module_attack_exec;
module_ctx->module_benchmark_esalt = MODULE_DEFAULT;
module_ctx->module_benchmark_hook_salt = MODULE_DEFAULT;
module_ctx->module_benchmark_mask = module_benchmark_mask;
module_ctx->module_benchmark_salt = MODULE_DEFAULT;
module_ctx->module_build_plain_postprocess = MODULE_DEFAULT;
module_ctx->module_deep_comp_kernel = module_deep_comp_kernel;
module_ctx->module_dgst_pos0 = module_dgst_pos0;
module_ctx->module_dgst_pos1 = module_dgst_pos1;
module_ctx->module_dgst_pos2 = module_dgst_pos2;
module_ctx->module_dgst_pos3 = module_dgst_pos3;
module_ctx->module_dgst_size = module_dgst_size;
module_ctx->module_dictstat_disable = MODULE_DEFAULT;
module_ctx->module_esalt_size = module_esalt_size;
module_ctx->module_extra_buffer_size = MODULE_DEFAULT;
module_ctx->module_forced_outfile_format = MODULE_DEFAULT;
module_ctx->module_hash_binary_count = module_hash_binary_count;
module_ctx->module_hash_binary_parse = module_hash_binary_parse;
module_ctx->module_hash_binary_save = module_hash_binary_save;
module_ctx->module_hash_binary_verify = MODULE_DEFAULT;
module_ctx->module_hash_decode_outfile = module_hash_decode_outfile;
module_ctx->module_hash_decode_zero_hash = MODULE_DEFAULT;
module_ctx->module_hash_decode = module_hash_decode;
module_ctx->module_hash_encode_status = module_hash_encode_status;
module_ctx->module_hash_encode = module_hash_encode;
module_ctx->module_hash_init_selftest = module_hash_init_selftest;
module_ctx->module_hash_mode = MODULE_DEFAULT;
module_ctx->module_hash_category = module_hash_category;
module_ctx->module_hash_name = module_hash_name;
module_ctx->module_hash_type = module_hash_type;
module_ctx->module_hlfmt_disable = MODULE_DEFAULT;
module_ctx->module_hook12 = MODULE_DEFAULT;
module_ctx->module_hook23 = MODULE_DEFAULT;
module_ctx->module_hook_salt_size = MODULE_DEFAULT;
module_ctx->module_hook_size = MODULE_DEFAULT;
module_ctx->module_jit_build_options = MODULE_DEFAULT;
module_ctx->module_kernel_accel_max = MODULE_DEFAULT;
module_ctx->module_kernel_accel_min = MODULE_DEFAULT;
module_ctx->module_kernel_loops_max = MODULE_DEFAULT;
module_ctx->module_kernel_loops_min = MODULE_DEFAULT;
module_ctx->module_kernel_threads_max = MODULE_DEFAULT;
module_ctx->module_kernel_threads_min = MODULE_DEFAULT;
module_ctx->module_kern_type = module_kern_type;
module_ctx->module_opti_type = module_opti_type;
module_ctx->module_opts_type = module_opts_type;
module_ctx->module_outfile_check_disable = MODULE_DEFAULT;
module_ctx->module_outfile_check_nocomp = MODULE_DEFAULT;
module_ctx->module_potfile_disable = MODULE_DEFAULT;
module_ctx->module_potfile_keep_all_hashes = MODULE_DEFAULT;
module_ctx->module_pwdump_column = MODULE_DEFAULT;
module_ctx->module_pw_max = module_pw_max;
module_ctx->module_pw_min = module_pw_min;
module_ctx->module_salt_max = MODULE_DEFAULT;
module_ctx->module_salt_min = MODULE_DEFAULT;
module_ctx->module_salt_type = module_salt_type;
module_ctx->module_separator = MODULE_DEFAULT;
module_ctx->module_st_hash = module_st_hash;
module_ctx->module_st_pass = module_st_pass;
module_ctx->module_tmp_size = module_tmp_size;
module_ctx->module_unstable_warning = MODULE_DEFAULT;
module_ctx->module_warmup_disable = MODULE_DEFAULT;
}

2
tools/test_modules/m02500.pm
View File

@ -15,7 +15,7 @@ use Digest::SHA qw (sha1 sha256);
use Digest::HMAC qw (hmac);
use MIME::Base64 qw (encode_base64);
sub module_constraints { [[8, 255], [0, 32], [8, 255], [0, 32], [-1, -1]] }
sub module_constraints { [[8, 63], [0, 32], [8, 63], [0, 32], [-1, -1]] }
sub module_generate_hash
{