HCCAPX management: Use advanced hints in message_pair stored by hcxtools about endian bitness of replay counter

Fixed missing code section in -m 2500 and -m 2501 to crack corrupted handshakes with a LE endian bitness base
2024-12-27 05:13:45 +01:00 · 2018-06-15 17:00:41 +02:00 · 2018-06-15 17:00:41 +02:00 · 547025ec47
commit 547025ec47
parent 5035b75bd7
8 changed files with 1762 additions and 820 deletions
--- a/OpenCL/inc_types.cl
+++ b/OpenCL/inc_types.cl
@ -1207,6 +1207,8 @@ typedef struct wpa
  u32  hash[4];
  int  nonce_compare;
  int  nonce_error_corrections;
+  int  detected_le;
+  int  detected_be;

 } wpa_t;

--- a/OpenCL/m02500.cl
+++ b/OpenCL/m02500.cl
--- a/OpenCL/m02501.cl
+++ b/OpenCL/m02501.cl
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -4,6 +4,7 @@
 ## Improvements
 ##

+- HCCAPX management: Use advanced hints in message_pair stored by hcxtools about endian bitness of replay counter
 - OpenCL kernels: Abort session if kernel self-test failed
 - Added JtR-compatible support for hex notation in rules engine

@ -12,6 +13,7 @@
 ##

 - Fixed a missing kernel in -m 5600 in combination with -a 3 and -O if mask is >= 16 characters
+- Fixed missing code section in -m 2500 and -m 2501 to crack corrupted handshakes with a LE endian bitness base

 * changes v4.0.1 -> v4.1.0

--- a/include/interface.h
+++ b/include/interface.h
@ -194,6 +194,8 @@ typedef struct wpa
  u32  hash[4];
  int  nonce_compare;
  int  nonce_error_corrections;
+  int  detected_le;
+  int  detected_be;

 } wpa_t;

--- a/include/types.h
+++ b/include/types.h
@ -1581,6 +1581,7 @@ typedef struct user_options
  bool         workload_profile_chgd;
  bool         segment_size_chgd;
  bool         hccapx_message_pair_chgd;
+  bool         nonce_error_corrections_chgd;

  bool         advice_disable;
  bool         benchmark;
--- a/src/hashes.c
+++ b/src/hashes.c
@ -831,7 +831,54 @@ int hashes_init_stage1 (hashcat_ctx_t *hashcat_ctx)
                  wpa->message_pair      = (u8)  user_options->hccapx_message_pair;
                }

-                wpa->nonce_error_corrections = user_options->nonce_error_corrections;
+                if (wpa->message_pair & (1 << 4))
+                {
+                  // ap-less attack detected, nc not needed
+
+                  wpa->nonce_error_corrections = 0;
+                }
+                else
+                {
+                  if (wpa->message_pair & (1 << 7))
+                  {
+                    // replaycount not checked, nc needed
+
+                    wpa->nonce_error_corrections = user_options->nonce_error_corrections;
+                  }
+                  else
+                  {
+                    // replaycount checked, nc not needed, but we allow user overwrites
+
+                    if (user_options->nonce_error_corrections_chgd == true)
+                    {
+                      wpa->nonce_error_corrections = user_options->nonce_error_corrections;
+                    }
+                    else
+                    {
+                      wpa->nonce_error_corrections = 0;
+                    }
+                  }
+                }
+
+                // now some optimization related to replay counter endianess
+                // hcxtools has techniques to detect them
+                // since we can not guarantee to get our handshakes from hcxtools we enable both by default
+                // this means that we check both even if both are not set!
+                // however if one of them is set, we can assume that the endianess has been checked and the other one is not needed
+
+                wpa->detected_le = 1;
+                wpa->detected_be = 1;
+
+                if (wpa->message_pair & (1 << 5))
+                {
+                  wpa->detected_le = 1;
+                  wpa->detected_be = 0;
+                }
+                else if (wpa->message_pair & (1 << 6))
+                {
+                  wpa->detected_le = 0;
+                  wpa->detected_be = 1;
+                }
              }
            }

@ -1652,6 +1699,9 @@ int hashes_init_selftest (hashcat_ctx_t *hashcat_ctx)

    wpa_t *wpa = (wpa_t *) st_esalts_buf;

+    wpa->detected_le = 1;
+    wpa->detected_be = 0;
+
    wpa->nonce_error_corrections = 3;
  }
  else if (hashconfig->opts_type & OPTS_TYPE_BINARY_HASHFILE)
--- a/src/user_options.c
+++ b/src/user_options.c
@ -396,7 +396,8 @@ int user_options_getopt (hashcat_ctx_t *hashcat_ctx, int argc, char **argv)
      case IDX_LOGFILE_DISABLE:          user_options->logfile_disable           = true;                            break;
      case IDX_HCCAPX_MESSAGE_PAIR:      user_options->hccapx_message_pair       = hc_strtoul (optarg, NULL, 10);
                                         user_options->hccapx_message_pair_chgd  = true;                            break;
-      case IDX_NONCE_ERROR_CORRECTIONS:  user_options->nonce_error_corrections   = hc_strtoul (optarg, NULL, 10);   break;
+      case IDX_NONCE_ERROR_CORRECTIONS:  user_options->nonce_error_corrections   = hc_strtoul (optarg, NULL, 10);
+                                         user_options->nonce_error_corrections_chgd = true;                         break;
      case IDX_TRUECRYPT_KEYFILES:       user_options->truecrypt_keyfiles        = optarg;                          break;
      case IDX_VERACRYPT_KEYFILES:       user_options->veracrypt_keyfiles        = optarg;                          break;
      case IDX_VERACRYPT_PIM:            user_options->veracrypt_pim             = hc_strtoul (optarg, NULL, 10);   break;