From dd55c1eb66975df1ab4eba408753ed915accecd2 Mon Sep 17 00:00:00 2001 From: Jens Steube Date: Sun, 19 Feb 2017 14:45:27 +0100 Subject: [PATCH] WPA: Changed format for outfile and potfile from essid:mac1:mac2 to hash:mac_ap:mac_sta:essid Fixes https://github.com/hashcat/hashcat/issues/1113 --- OpenCL/inc_types.cl | 2 ++ docs/changes.txt | 2 +- include/convert.h | 3 +++ include/interface.h | 2 ++ src/convert.c | 30 +++++++++++++++++++++++++++++ src/interface.c | 46 +++++++++++++++++++++++++++++++++++++++++++-- src/potfile.c | 13 +++++++++---- src/wordlist.c | 22 +++------------------- 8 files changed, 94 insertions(+), 26 deletions(-) diff --git a/OpenCL/inc_types.cl b/OpenCL/inc_types.cl index 84898c653..22a04ac23 100644 --- a/OpenCL/inc_types.cl +++ b/OpenCL/inc_types.cl @@ -796,6 +796,8 @@ typedef struct wpa u8 orig_nonce_ap[32]; u8 orig_nonce_sta[32]; int essid_reuse; + u8 essid_len; + u8 essid[32]; } wpa_t; diff --git a/docs/changes.txt b/docs/changes.txt index 7dec920ac..0c5dbf447 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -93,7 +93,7 @@ - Threads: Restored strerror as %m is unsupported by the BSDs - Wordlists: Disable dictstat handling for hash-mode 3000 as it virtually creates words in the wordlist which is not the case for other modes - Wordlists: Fixed memory leak in case access a file in a wordlist folder fails -- WPA: Changed format for outfile and potfile from essid:mac1:mac2 to hash:essid +- WPA: Changed format for outfile and potfile from essid:mac1:mac2 to hash:mac_ap:mac_sta:essid - WPA: Changed format for outfile_check from essid:mac1:mac2 to hash * changes v3.20 -> v3.30: diff --git a/include/convert.h b/include/convert.h index 96343babe..d15b538ab 100644 --- a/include/convert.h +++ b/include/convert.h 
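Review bot: The two new fields make the ESSID a fixed 32-byte buffer with a u8 length and no terminator, and nothing in the struct says so; I would document them as `u8 essid_len; // ESSID byte count, at most 32` and `u8 essid[32]; // raw ESSID bytes, not NUL-terminated`. This device-side wpa_t has to stay byte-for-byte in step with the host-side wpa_t in include/interface.h, which this same patch changes identically, so a one-line comment on both noting that coupling would protect the next person who adds a field to only one of them. The struct's start lies outside the hunk.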
@@ -8,6 +8,9 @@ #include +bool is_hexify (const u8 *buf, const int len); +int exec_unhexify (const u8 *in_buf, const int in_len, u8 *out_buf, const int out_sz); + bool need_hexify (const u8 *buf, const int len, const char separator, bool always_ascii); void exec_hexify (const u8 *buf, const int len, u8 *out); diff --git a/include/interface.h b/include/interface.h index 8e8c9d81b..2700c9236 100644 --- a/include/interface.h +++ b/include/interface.h @@ -184,6 +184,8 @@ typedef struct wpa u8 orig_nonce_ap[32]; u8 orig_nonce_sta[32]; int essid_reuse; + u8 essid_len; + u8 essid[32]; } wpa_t; diff --git a/src/convert.c b/src/convert.c index efac523ef..4a4cbbadb 100644 --- a/src/convert.c +++ b/src/convert.c @@ -87,6 +87,36 @@ static bool matches_separator (const u8 *buf, const int len, const char separato return false; } +bool is_hexify (const u8 *buf, const int len) +{ + if (len < 6) return false; // $HEX[] = 6 + + if (buf[0] != '$') return (false); + if (buf[1] != 'H') return (false); + if (buf[2] != 'E') return (false); + if (buf[3] != 'X') return (false); + if (buf[4] != '[') return (false); + if (buf[len - 1] != ']') return (false); + + return true; +} + +int exec_unhexify (const u8 *in_buf, const int in_len, u8 *out_buf, const int out_sz) +{ + int i, j; + + for (i = 0, j = 5; j < in_len - 1; i += 1, j += 2) + { + const u8 c = hex_to_u8 (&in_buf[j]); + + out_buf[i] = c; + } + + memset (out_buf + i, 0, out_sz - i); + + return (i); +} + bool need_hexify (const u8 *buf, const int len, const char separator, bool always_ascii) { bool rc = false; diff --git a/src/interface.c b/src/interface.c index 74fe62ea1..ab8d11a70 100644 --- a/src/interface.c +++ b/src/interface.c @@ -2740,6 +2740,10 @@ int wpa_parse_hash (u8 *input_buf, u32 input_len, hash_t *hash_buf, MAYBE_UNUSED salt->salt_iter = ROUNDS_WPA2 - 1; + memcpy (wpa->essid, in.essid, in.essid_len); + + wpa->essid_len = in.essid_len; + u8 *pke_ptr = (u8 *) wpa->pke; memcpy (pke_ptr, "Pairwise key expansion", 23); 
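Review bot: The new prototypes carry no contract, and exec_unhexify's is not obvious from its signature: it decodes byte pairs starting at offset 5 and stopping before the last byte, writes one byte per pair into out_buf, zero-fills out_buf from there up to out_sz and returns the decoded length, and out_buf may alias in_buf (both callers added in this patch decode in place). I would put above the declarations a comment stating that is_hexify checks only the `$HEX[...]` framing and not that the payload is hex, and that out_sz must be at least (in_len - 6) / 2 because the body in src/convert.c does not bound its writes by out_sz. Only the declarations are in this hunk; the bodies are in the src/convert.c hunk of this patch.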
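Review bot: exec_unhexify never checks out_sz against what it writes: `out_buf[i] = c` runs for every input pair regardless of out_sz, and `memset (out_buf + i, 0, out_sz - i)` with out_sz < i passes a negative length that converts to a huge size_t. The current callers pass out_sz == in_len so they are safe today, but the helper is now a public API in include/convert.h and nothing stops a future caller from handing it a smaller output buffer. A second gap is in is_hexify, which accepts a payload of odd length; the loop condition `j < in_len - 1` then pairs the final payload byte with the closing `]` and hands that to hex_to_u8 (I cannot see hex_to_u8 here, so whether non-hex characters are rejected at all is unverified — if they are not, the payload is never validated). If odd payloads are meant to be rejected, the rewrite below bounds the writes and rejects them at the framing check.

```c
bool is_hexify (const u8 *buf, const int len)
{
  if (len < 6) return false; // $HEX[] = 6

  /* … unchanged: the five framing-byte checks … */

  // the payload between the brackets must be whole hex-digit pairs
  if (((len - 6) & 1) != 0) return false;

  return true;
}

int exec_unhexify (const u8 *in_buf, const int in_len, u8 *out_buf, const int out_sz)
{
  int i, j;

  for (i = 0, j = 5; j < in_len - 1; i += 1, j += 2)
  {
    if (i >= out_sz) break; // never write past out_buf

    out_buf[i] = hex_to_u8 (&in_buf[j]);
  }

  // in-place use is safe: the write index i always trails the read index j
  if (i < out_sz) memset (out_buf + i, 0, out_sz - i);

  return (i);
}
```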
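Review bot: `memcpy (wpa->essid, in.essid, in.essid_len)` copies a length taken from the parsed hccap record into the 32-byte essid field, and nothing in the hunk bounds it; wpa_parse_hash starts before this hunk, so if the earlier part of the function does not already reject in.essid_len > 32, an input file controls an overwrite past the end of this wpa_t into the next entry of esalts_buf (essid is the last field of the struct per the interface.h hunk). I would add, immediately before the memcpy, `if (in.essid_len > sizeof (wpa->essid)) return (/* the parser's existing length-error code */);` unless that check is demonstrably already there. The assignment `wpa->essid_len = in.essid_len;` also narrows to u8; if in.essid_len is wider than a byte (I cannot see its type here) a value above 255 would be silently truncated after the unbounded copy has already happened, which is another reason to validate the length first.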
@@ -15676,12 +15680,50 @@ int ascii_digest (hashcat_ctx_t *hashcat_ctx, char *out_buf, const size_t out_le } else if (hash_mode == 2500) { - snprintf (out_buf, out_len - 1, "%08x%08x%08x%08x:%s", + wpa_t *wpas = (wpa_t *) esalts_buf; + + wpa_t *wpa = &wpas[salt_pos]; + + char *essid = (char *) wpa->essid; + + char tmp_buf[HCBUFSIZ_TINY]; + int tmp_len = 0; + + if (need_hexify (wpa->essid, wpa->essid_len, hashconfig->separator, 0) == true) + { + tmp_buf[tmp_len++] = '$'; + tmp_buf[tmp_len++] = 'H'; + tmp_buf[tmp_len++] = 'E'; + tmp_buf[tmp_len++] = 'X'; + tmp_buf[tmp_len++] = '['; + + exec_hexify (wpa->essid, wpa->essid_len, (u8 *) tmp_buf + tmp_len); + + tmp_len += wpa->essid_len * 2; + + tmp_buf[tmp_len++] = ']'; + + essid = tmp_buf; + } + + snprintf (out_buf, out_len - 1, "%08x%08x%08x%08x:%02x%02x%02x%02x%02x%02x:%02x%02x%02x%02x%02x%02x:%s", salt.salt_buf[12], salt.salt_buf[13], salt.salt_buf[14], salt.salt_buf[15], - (char *) salt.salt_buf); + wpa->orig_mac_ap[0], + wpa->orig_mac_ap[1], + wpa->orig_mac_ap[2], + wpa->orig_mac_ap[3], + wpa->orig_mac_ap[4], + wpa->orig_mac_ap[5], + wpa->orig_mac_sta[0], + wpa->orig_mac_sta[1], + wpa->orig_mac_sta[2], + wpa->orig_mac_sta[3], + wpa->orig_mac_sta[4], + wpa->orig_mac_sta[5], + essid); } else if (hash_mode == 4400) { diff --git a/src/potfile.c b/src/potfile.c index 2d1ec1db5..935c2fc8f 100644 --- a/src/potfile.c +++ b/src/potfile.c @@ -451,7 +451,7 @@ int potfile_remove_parse (hashcat_ctx_t *hashcat_ctx) } else if (hashconfig->hash_mode == 2500) { - // here we have in line_hash_buf: hash:essid (without the plain) + // here we have in line_hash_buf: hash:macap:macsta:essid:password char *sep_pos = strrchr (line_hash_buf, ':'); 
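Review bot: tmp_buf is not NUL-terminated after the closing bracket: `tmp_buf[tmp_len++] = ']';` is the last write, tmp_buf is an uninitialized stack array, and `essid = tmp_buf` is then printed through `%s`, so snprintf reads whatever stack bytes follow the `]` until it happens to find a zero, and those bytes end up in the outfile/potfile line. Any terminator exec_hexify might place at the end of its output (not visible here) is overwritten by the `]`, so the fix belongs at the call site: add `tmp_buf[tmp_len] = 0;` right after the bracket is appended. Separately, `need_hexify (..., 0)` passes an int literal for the bool always_ascii parameter; `false` says what is meant. ascii_digest starts and ends outside this hunk.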
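Review bot: The reworded comment now says line_hash_buf holds `hash:macap:macsta:essid:password`, but the parsing that follows it (`strrchr (line_hash_buf, ':')` and the 58-byte prefix check in the next hunk) only works if the plain has already been stripped, which is exactly what the old "(without the plain)" wording said. Assuming the caller still removes the plain before this point, I would make the comment match the data: `// line_hash_buf holds hash:mac_ap:mac_sta:essid (plain already stripped)`. The enclosing function continues past this hunk.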
@@ -463,13 +463,18 @@ int potfile_remove_parse (hashcat_ctx_t *hashcat_ctx) const size_t hash_len = strlen (hash_pos); - if (hash_len != 32) continue; + if (hash_len != 32 + 1 + 12 + 1 + 12) continue; char *essid_pos = sep_pos + 1; - const size_t essid_len = strlen (essid_pos); + int essid_len = (int) strlen (essid_pos); - if (essid_len > 36) continue; + if (is_hexify ((const u8 *) essid_pos, (const int) essid_len) == true) + { + essid_len = exec_unhexify ((const u8 *) essid_pos, (int) essid_len, (u8 *) essid_pos, (int) essid_len); + } + + if (essid_len > 32) continue; if (hashconfig->is_salted) { diff --git a/src/wordlist.c b/src/wordlist.c index 08a6a98be..4eff8b0a8 100644 --- a/src/wordlist.c +++ b/src/wordlist.c @@ -34,27 +34,11 @@ u32 convert_from_hex (hashcat_ctx_t *hashcat_ctx, char *line_buf, const u32 line return (i); } - if (line_len >= 6) // $HEX[] = 6 + if (is_hexify (line_buf, line_len) == true) { - if (line_buf[0] != '$') return (line_len); - if (line_buf[1] != 'H') return (line_len); - if (line_buf[2] != 'E') return (line_len); - if (line_buf[3] != 'X') return (line_len); - if (line_buf[4] != '[') return (line_len); - if (line_buf[line_len - 1] != ']') return (line_len); + const int new_len = exec_unhexify ((const u8 *) line_buf, (int) line_len, (u8 *) line_buf, (int) line_len); - size_t i, j; - - for (i = 0, j = 5; j < line_len - 1; i += 1, j += 2) - { - const u8 c = hex_to_u8 ((const u8 *) &line_buf[j]); - - line_buf[i] = c; - } - - memset (line_buf + i, 0, line_len - i); - - return (i); + return (u32) new_len; } return (line_len);
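Review bot: The MAC fields in the potfile line are only ever checked by length: `if (hash_len != 32 + 1 + 12 + 1 + 12) continue;` accepts any 58-byte prefix, and nothing in the hunk decodes or compares mac_ap and mac_sta, so if the matching after `if (hashconfig->is_salted)` (outside the hunk) still keys on the ESSID/salt alone, a potfile entry for one AP will still remove a different AP's handshake that shares the ESSID; the new fields would then be informational only, which is worth stating or fixing. At minimum the bare arithmetic should say what it encodes: `if (hash_len != 32 + 1 + 12 + 1 + 12) continue; // md5hex(32) : mac_ap(12) : mac_sta(12)`. Note also that is_hexify validates only the `$HEX[...]` framing, so a malformed payload decodes in place to arbitrary bytes that pass the `essid_len > 32` check and flow into the comparison below; a potfile is local input, but a comment saying so would stop someone from relying on this path as validation.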
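Review bot: line_buf is passed to exec_unhexify as both in_buf and out_buf, which is correct only because the helper's write index always trails its read index (byte i is written while pair 5 + 2i is read), a property this call site now silently depends on; add `// decode in place: exec_unhexify's write index never passes its read index` above the call so a later change to the helper is checked against it. The length also round-trips `u32 -> int -> u32` through `(int) line_len` and `(u32) new_len`; a line_len above INT_MAX would become negative, the helper's `j < in_len - 1` loop would not execute and the line would be reported as empty — unreachable for realistic wordlist lines, but a one-line comment or an explicit bound would make that explicit. convert_from_hex starts before this hunk.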