
Make use of message_pair and set default for nonce_error_corrections in -m 22000

This commit is contained in:
Jens Steube 2019-12-16 12:47:48 +01:00
parent 2a04354401
commit 784eeb257b
3 changed files with 144 additions and 109 deletions


@ -42,13 +42,13 @@ typedef struct wpa_pbkdf2_tmp
typedef struct wpa typedef struct wpa
{ {
u8 orig_mac_ap[6];
u8 orig_mac_sta[6];
u8 essid_len;
u32 essid_buf[16]; u32 essid_buf[16];
u32 essid_len;
u8 type; // 1 = PMKID, 2 = EAPOL u32 mac_ap[2];
u8 extra; u32 mac_sta[2];
u32 type; // 1 = PMKID, 2 = EAPOL
// PMKID specific // PMKID specific
@ -60,15 +60,14 @@ typedef struct wpa
u32 keymic[4]; u32 keymic[4];
u32 anonce[8]; u32 anonce[8];
u8 keyver; u32 keyver;
u32 eapol[64 + 16]; u32 eapol[64 + 16];
u16 eapol_len; u32 eapol_len;
u32 pke[32]; u32 pke[32];
u8 message_pair; u32 message_pair;
int message_pair_chgd;
int nonce_compare; int nonce_compare;
int nonce_error_corrections; int nonce_error_corrections;
int detected_le; int detected_le;
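Review bot: The new `u32 mac_ap[2]` / `u32 mac_sta[2]` fields replace byte arrays yet are only ever filled and read through a `u8 *` cast (module_22000.c casts them to `const u8 *` and writes six bytes each), so the trailing two bytes of each word pair are never assigned by the decoder; a comment on the fields would prevent the next reader assuming these hold host-endian integers, e.g. `u32 mac_ap[2]; // 6 raw MAC bytes accessed via (u8 *) cast; bytes 6..7 are padding`. Whether that padding is zero depends on how the wpa struct is initialised before decode, which this commit does not show, and module_hash_decode's md5 block appears to include those bytes now. The struct wpa definition continues outside the hunk.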


@ -204,6 +204,9 @@ int module_hash_binary_save (MAYBE_UNUSED const hashes_t *hashes, MAYBE_UNUSED c
tmp_buf[tmp_len] = 0; tmp_buf[tmp_len] = 0;
const u8 *mac_ap = (const u8 *) wpa->mac_ap;
const u8 *mac_sta = (const u8 *) wpa->mac_sta;
if (wpa->type == 1) if (wpa->type == 1)
{ {
const int len = hc_asprintf (buf, "WPA:01:%08x%08x%08x%08x:%02x%02x%02x%02x%02x%02x:%02x%02x%02x%02x%02x%02x:%s:::" EOL, const int len = hc_asprintf (buf, "WPA:01:%08x%08x%08x%08x:%02x%02x%02x%02x%02x%02x:%02x%02x%02x%02x%02x%02x:%s:::" EOL,
@ -211,18 +214,18 @@ int module_hash_binary_save (MAYBE_UNUSED const hashes_t *hashes, MAYBE_UNUSED c
byte_swap_32 (wpa->pmkid[1]), byte_swap_32 (wpa->pmkid[1]),
byte_swap_32 (wpa->pmkid[2]), byte_swap_32 (wpa->pmkid[2]),
byte_swap_32 (wpa->pmkid[3]), byte_swap_32 (wpa->pmkid[3]),
wpa->orig_mac_ap[0], mac_ap[0],
wpa->orig_mac_ap[1], mac_ap[1],
wpa->orig_mac_ap[2], mac_ap[2],
wpa->orig_mac_ap[3], mac_ap[3],
wpa->orig_mac_ap[4], mac_ap[4],
wpa->orig_mac_ap[5], mac_ap[5],
wpa->orig_mac_sta[0], mac_sta[0],
wpa->orig_mac_sta[1], mac_sta[1],
wpa->orig_mac_sta[2], mac_sta[2],
wpa->orig_mac_sta[3], mac_sta[3],
wpa->orig_mac_sta[4], mac_sta[4],
wpa->orig_mac_sta[5], mac_sta[5],
tmp_buf); tmp_buf);
return len; return len;
@ -255,18 +258,18 @@ int module_hash_binary_save (MAYBE_UNUSED const hashes_t *hashes, MAYBE_UNUSED c
wpa->keymic[1], wpa->keymic[1],
wpa->keymic[2], wpa->keymic[2],
wpa->keymic[3], wpa->keymic[3],
wpa->orig_mac_ap[0], mac_ap[0],
wpa->orig_mac_ap[1], mac_ap[1],
wpa->orig_mac_ap[2], mac_ap[2],
wpa->orig_mac_ap[3], mac_ap[3],
wpa->orig_mac_ap[4], mac_ap[4],
wpa->orig_mac_ap[5], mac_ap[5],
wpa->orig_mac_sta[0], mac_sta[0],
wpa->orig_mac_sta[1], mac_sta[1],
wpa->orig_mac_sta[2], mac_sta[2],
wpa->orig_mac_sta[3], mac_sta[3],
wpa->orig_mac_sta[4], mac_sta[4],
wpa->orig_mac_sta[5], mac_sta[5],
tmp_buf, tmp_buf,
byte_swap_32 (wpa->anonce[0]), byte_swap_32 (wpa->anonce[0]),
byte_swap_32 (wpa->anonce[1]), byte_swap_32 (wpa->anonce[1]),
@ -277,7 +280,7 @@ int module_hash_binary_save (MAYBE_UNUSED const hashes_t *hashes, MAYBE_UNUSED c
byte_swap_32 (wpa->anonce[6]), byte_swap_32 (wpa->anonce[6]),
byte_swap_32 (wpa->anonce[7]), byte_swap_32 (wpa->anonce[7]),
tmp2_buf, tmp2_buf,
wpa->extra); wpa->message_pair);
return len; return len;
} }
@ -493,25 +496,28 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
// mac_ap // mac_ap
u8 *mac_ap = (u8 *) wpa->mac_ap;
u8 *mac_sta = (u8 *) wpa->mac_sta;
const u8 *macap_buf = token.buf[3]; const u8 *macap_buf = token.buf[3];
wpa->orig_mac_ap[0] = hex_to_u8 (macap_buf + 0); mac_ap[0] = hex_to_u8 (macap_buf + 0);
wpa->orig_mac_ap[1] = hex_to_u8 (macap_buf + 2); mac_ap[1] = hex_to_u8 (macap_buf + 2);
wpa->orig_mac_ap[2] = hex_to_u8 (macap_buf + 4); mac_ap[2] = hex_to_u8 (macap_buf + 4);
wpa->orig_mac_ap[3] = hex_to_u8 (macap_buf + 6); mac_ap[3] = hex_to_u8 (macap_buf + 6);
wpa->orig_mac_ap[4] = hex_to_u8 (macap_buf + 8); mac_ap[4] = hex_to_u8 (macap_buf + 8);
wpa->orig_mac_ap[5] = hex_to_u8 (macap_buf + 10); mac_ap[5] = hex_to_u8 (macap_buf + 10);
// mac_sta // mac_sta
const u8 *macsta_buf = token.buf[4]; const u8 *macsta_buf = token.buf[4];
wpa->orig_mac_sta[0] = hex_to_u8 (macsta_buf + 0); mac_sta[0] = hex_to_u8 (macsta_buf + 0);
wpa->orig_mac_sta[1] = hex_to_u8 (macsta_buf + 2); mac_sta[1] = hex_to_u8 (macsta_buf + 2);
wpa->orig_mac_sta[2] = hex_to_u8 (macsta_buf + 4); mac_sta[2] = hex_to_u8 (macsta_buf + 4);
wpa->orig_mac_sta[3] = hex_to_u8 (macsta_buf + 6); mac_sta[3] = hex_to_u8 (macsta_buf + 6);
wpa->orig_mac_sta[4] = hex_to_u8 (macsta_buf + 8); mac_sta[4] = hex_to_u8 (macsta_buf + 8);
wpa->orig_mac_sta[5] = hex_to_u8 (macsta_buf + 10); mac_sta[5] = hex_to_u8 (macsta_buf + 10);
// essid // essid
@ -557,18 +563,18 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
wpa->pmkid_data[0] = 0x204b4d50; // "PMK " wpa->pmkid_data[0] = 0x204b4d50; // "PMK "
wpa->pmkid_data[1] = 0x656d614e; // "Name" wpa->pmkid_data[1] = 0x656d614e; // "Name"
wpa->pmkid_data[2] = (wpa->orig_mac_ap[0] << 0) wpa->pmkid_data[2] = (mac_ap[0] << 0)
| (wpa->orig_mac_ap[1] << 8) | (mac_ap[1] << 8)
| (wpa->orig_mac_ap[2] << 16) | (mac_ap[2] << 16)
| (wpa->orig_mac_ap[3] << 24); | (mac_ap[3] << 24);
wpa->pmkid_data[3] = (wpa->orig_mac_ap[4] << 0) wpa->pmkid_data[3] = (mac_ap[4] << 0)
| (wpa->orig_mac_ap[5] << 8) | (mac_ap[5] << 8)
| (wpa->orig_mac_sta[0] << 16) | (mac_sta[0] << 16)
| (wpa->orig_mac_sta[1] << 24); | (mac_sta[1] << 24);
wpa->pmkid_data[4] = (wpa->orig_mac_sta[2] << 0) wpa->pmkid_data[4] = (mac_sta[2] << 0)
| (wpa->orig_mac_sta[3] << 8) | (mac_sta[3] << 8)
| (wpa->orig_mac_sta[4] << 16) | (mac_sta[4] << 16)
| (wpa->orig_mac_sta[5] << 24); | (mac_sta[5] << 24);
// hash // hash
@ -638,15 +644,15 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
{ {
memcpy (pke_ptr, "Pairwise key expansion\x00", 23); memcpy (pke_ptr, "Pairwise key expansion\x00", 23);
if (memcmp (wpa->orig_mac_ap, wpa->orig_mac_sta, 6) < 0) if (memcmp (mac_ap, mac_sta, 6) < 0)
{ {
memcpy (pke_ptr + 23, wpa->orig_mac_ap, 6); memcpy (pke_ptr + 23, mac_ap, 6);
memcpy (pke_ptr + 29, wpa->orig_mac_sta, 6); memcpy (pke_ptr + 29, mac_sta, 6);
} }
else else
{ {
memcpy (pke_ptr + 23, wpa->orig_mac_sta, 6); memcpy (pke_ptr + 23, mac_sta, 6);
memcpy (pke_ptr + 29, wpa->orig_mac_ap, 6); memcpy (pke_ptr + 29, mac_ap, 6);
} }
wpa->nonce_compare = memcmp (wpa->anonce, auth_packet->wpa_key_nonce, 32); wpa->nonce_compare = memcmp (wpa->anonce, auth_packet->wpa_key_nonce, 32);
@ -669,15 +675,15 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
memcpy (pke_ptr + 2, "Pairwise key expansion", 22); memcpy (pke_ptr + 2, "Pairwise key expansion", 22);
if (memcmp (wpa->orig_mac_ap, wpa->orig_mac_sta, 6) < 0) if (memcmp (mac_ap, mac_sta, 6) < 0)
{ {
memcpy (pke_ptr + 24, wpa->orig_mac_ap, 6); memcpy (pke_ptr + 24, mac_ap, 6);
memcpy (pke_ptr + 30, wpa->orig_mac_sta, 6); memcpy (pke_ptr + 30, mac_sta, 6);
} }
else else
{ {
memcpy (pke_ptr + 24, wpa->orig_mac_sta, 6); memcpy (pke_ptr + 24, mac_sta, 6);
memcpy (pke_ptr + 30, wpa->orig_mac_ap, 6); memcpy (pke_ptr + 30, mac_ap, 6);
} }
wpa->nonce_compare = memcmp (wpa->anonce, auth_packet->wpa_key_nonce, 32); wpa->nonce_compare = memcmp (wpa->anonce, auth_packet->wpa_key_nonce, 32);
@ -715,19 +721,45 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
eapol_ptr[wpa->eapol_len] = 0x80; eapol_ptr[wpa->eapol_len] = 0x80;
} }
// extra // message_pair
const u8 *extra_pos = token.buf[8]; const u8 *extra_pos = token.buf[8];
wpa->extra = hex_to_u8 (extra_pos); wpa->message_pair = hex_to_u8 (extra_pos);
// todo stuff if (wpa->message_pair & (1 << 4))
{
// ap-less attack detected, nc not needed
wpa->message_pair = wpa->extra; wpa->nonce_error_corrections = 0;
wpa->message_pair_chgd = 0; }
wpa->nonce_error_corrections = 0; else
wpa->detected_le = 0; {
wpa->detected_be = 0; if (wpa->message_pair & (1 << 7))
{
// replaycount not checked, nc needed
wpa->nonce_error_corrections = NONCE_ERROR_CORRECTIONS;
}
else
{
wpa->nonce_error_corrections = 0;
}
}
wpa->detected_le = 1;
wpa->detected_be = 1;
if (wpa->message_pair & (1 << 5))
{
wpa->detected_le = 1;
wpa->detected_be = 0;
}
else if (wpa->message_pair & (1 << 6))
{
wpa->detected_le = 0;
wpa->detected_be = 1;
}
// mic // mic
@ -788,8 +820,9 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
md5_transform (block + 0, block + 4, block + 8, block + 12, hash); md5_transform (block + 0, block + 4, block + 8, block + 12, hash);
memcpy (block_ptr + 0, wpa->orig_mac_ap, 6); for (int i = 0; i < 2; i++) block[0 + i] = wpa->mac_ap[i];
memcpy (block_ptr + 6, wpa->orig_mac_sta, 6); for (int i = 0; i < 2; i++) block[2 + i] = wpa->mac_ap[i];
for (int i = 0; i < 12; i++) block[4 + i] = 0;
md5_transform (block + 0, block + 4, block + 8, block + 12, hash); md5_transform (block + 0, block + 4, block + 8, block + 12, hash);
@ -822,6 +855,9 @@ int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
int line_len = 0; int line_len = 0;
const u8 *mac_ap = (const u8 *) wpa->mac_ap;
const u8 *mac_sta = (const u8 *) wpa->mac_sta;
if (need_hexify ((const u8 *) wpa->essid_buf, wpa->essid_len, ':', 0) == true) if (need_hexify ((const u8 *) wpa->essid_buf, wpa->essid_len, ':', 0) == true)
{ {
char tmp_buf[128]; char tmp_buf[128];
@ -843,35 +879,35 @@ int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
tmp_buf[tmp_len++] = 0; tmp_buf[tmp_len++] = 0;
line_len = snprintf (line_buf, line_size, "%02x%02x%02x%02x%02x%02x:%02x%02x%02x%02x%02x%02x:%s", line_len = snprintf (line_buf, line_size, "%02x%02x%02x%02x%02x%02x:%02x%02x%02x%02x%02x%02x:%s",
wpa->orig_mac_ap[0], mac_ap[0],
wpa->orig_mac_ap[1], mac_ap[1],
wpa->orig_mac_ap[2], mac_ap[2],
wpa->orig_mac_ap[3], mac_ap[3],
wpa->orig_mac_ap[4], mac_ap[4],
wpa->orig_mac_ap[5], mac_ap[5],
wpa->orig_mac_sta[0], mac_sta[0],
wpa->orig_mac_sta[1], mac_sta[1],
wpa->orig_mac_sta[2], mac_sta[2],
wpa->orig_mac_sta[3], mac_sta[3],
wpa->orig_mac_sta[4], mac_sta[4],
wpa->orig_mac_sta[5], mac_sta[5],
tmp_buf); tmp_buf);
} }
else else
{ {
line_len = snprintf (line_buf, line_size, "%02x%02x%02x%02x%02x%02x:%02x%02x%02x%02x%02x%02x:%s", line_len = snprintf (line_buf, line_size, "%02x%02x%02x%02x%02x%02x:%02x%02x%02x%02x%02x%02x:%s",
wpa->orig_mac_ap[0], mac_ap[0],
wpa->orig_mac_ap[1], mac_ap[1],
wpa->orig_mac_ap[2], mac_ap[2],
wpa->orig_mac_ap[3], mac_ap[3],
wpa->orig_mac_ap[4], mac_ap[4],
wpa->orig_mac_ap[5], mac_ap[5],
wpa->orig_mac_sta[0], mac_sta[0],
wpa->orig_mac_sta[1], mac_sta[1],
wpa->orig_mac_sta[2], mac_sta[2],
wpa->orig_mac_sta[3], mac_sta[3],
wpa->orig_mac_sta[4], mac_sta[4],
wpa->orig_mac_sta[5], mac_sta[5],
(const char *) wpa->essid_buf); (const char *) wpa->essid_buf);
} }
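Review bot: In the module_hash_decode md5 hunk (`@ -788,8 +820,9`), the second loop copies `wpa->mac_ap` again instead of `wpa->mac_sta`, so the station MAC no longer contributes to the digest that the old `memcpy (block_ptr + 6, wpa->orig_mac_sta, 6)` included; as far as this block goes, two handshakes differing only in the STA MAC produce the same digest. The line should read `for (int i = 0; i < 2; i++) block[2 + i] = wpa->mac_sta[i];`. The block layout also changed from 12 contiguous MAC bytes to two 8-byte word pairs, so bytes 6..7 of each `u32[2]` array enter the digest; the decoder's byte-wise fill leaves them untouched, so this relies on the wpa struct being zeroed beforehand, which is not visible here. module_hash_decode starts and ends outside the hunk.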


@ -27,7 +27,7 @@ sub module_generate_hash
my $essid = shift; my $essid = shift;
my $anonce = shift; my $anonce = shift;
my $eapol = shift; my $eapol = shift;
my $extra = shift; my $mp = shift;
my $hash; my $hash;
@ -88,13 +88,13 @@ sub module_generate_hash
$macsta = pack ("H*", $macsta); $macsta = pack ("H*", $macsta);
} }
if (!defined ($extra)) if (!defined ($mp))
{ {
$extra = "\x00"; $mp = "\x00";
} }
else else
{ {
$extra = pack ("H*", $extra); $mp = pack ("H*", $mp);
} }
my $keyver; my $keyver;
@ -172,7 +172,7 @@ sub module_generate_hash
$mic = substr ($mic, 0, 16); $mic = substr ($mic, 0, 16);
$hash = sprintf ("WPA:%02x:%s:%s:%s:%s:%s:%s:%s", $type, unpack ("H*", $mic), unpack ("H*", $macap), unpack ("H*", $macsta), $essid, unpack ("H*", $anonce), unpack ("H*", $eapol), unpack ("H*", $extra)); $hash = sprintf ("WPA:%02x:%s:%s:%s:%s:%s:%s:%s", $type, unpack ("H*", $mic), unpack ("H*", $macap), unpack ("H*", $macsta), $essid, unpack ("H*", $anonce), unpack ("H*", $eapol), unpack ("H*", $mp));
} }
return $hash; return $hash;
@ -186,13 +186,13 @@ sub module_verify_hash
return unless scalar @data == 10; return unless scalar @data == 10;
my ($signature, $type, undef, $macap, $macsta, $essid, $anonce, $eapol, $extra, $word) = @data; my ($signature, $type, undef, $macap, $macsta, $essid, $anonce, $eapol, $mp, $word) = @data;
return unless ($signature eq "WPA"); return unless ($signature eq "WPA");
my $word_packed = pack_if_HEX_notation ($word); my $word_packed = pack_if_HEX_notation ($word);
my $new_hash = module_generate_hash ($word_packed, undef, $type, $macap, $macsta, $essid, $anonce, $eapol, $extra); my $new_hash = module_generate_hash ($word_packed, undef, $type, $macap, $macsta, $essid, $anonce, $eapol, $mp);
return ($new_hash, $word); return ($new_hash, $word);
} }
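Review bot: `$mp` defaults to `"\x00"` when the caller omits it (`$mp = "\x00";`), and since module_22000.c now interprets this byte as flag bits (bits 4 to 7), a reader needs to know the default means no flags set, giving nonce_error_corrections 0 with both detected_le and detected_be set; suggest `# message_pair default: no flag bits set` on that line. Separately, the `else` branch applies `pack ("H*", $mp)` to whatever was passed, and module_verify_hash hands `$mp` through from the parsed line without checking it is two hex digits, so a malformed field packs silently instead of failing; a guard such as `return unless $mp =~ m{\A[0-9a-fA-F]{2}\z};` before the module_generate_hash call would mirror the existing `scalar @data == 10` check. module_generate_hash begins outside the hunk.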