HCCAPX management: Use advanced hints in message_pair stored by hcxtools about endian bitness of replay counter

Fixed missing code section in -m 2500 and -m 2501 to crack corrupted handshakes with a LE endian bitness base
2025-04-02 19:05:29 +02:00 · 2018-06-15 17:00:41 +02:00 · 2018-06-15 17:00:41 +02:00 · 547025ec47
commit 547025ec47
parent 5035b75bd7
8 changed files with 1762 additions and 820 deletions
--- a/OpenCL/inc_types.cl
+++ b/OpenCL/inc_types.cl
@ -1207,6 +1207,8 @@ typedef struct wpa
  u32  hash[4];
  int  nonce_compare;
  int  nonce_error_corrections;
  int  detected_le;
  int  detected_be;
 } wpa_t;
--- a/OpenCL/m02500.cl
+++ b/OpenCL/m02500.cl
--- a/OpenCL/m02501.cl
+++ b/OpenCL/m02501.cl
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -4,6 +4,7 @@
 ## Improvements
 ##
 - HCCAPX management: Use advanced hints in message_pair stored by hcxtools about endian bitness of replay counter
 - OpenCL kernels: Abort session if kernel self-test failed
 - Added JtR-compatible support for hex notation in rules engine
@ -12,6 +13,7 @@
 ##
 - Fixed a missing kernel in -m 5600 in combination with -a 3 and -O if mask is >= 16 characters
 - Fixed missing code section in -m 2500 and -m 2501 to crack corrupted handshakes with a LE endian bitness base
 * changes v4.0.1 -> v4.1.0
--- a/include/interface.h
+++ b/include/interface.h
@ -194,6 +194,8 @@ typedef struct wpa
  u32  hash[4];
  int  nonce_compare;
  int  nonce_error_corrections;
  int  detected_le;
  int  detected_be;
 } wpa_t;
--- a/include/types.h
+++ b/include/types.h
@ -1581,6 +1581,7 @@ typedef struct user_options
  bool         workload_profile_chgd;
  bool         segment_size_chgd;
  bool         hccapx_message_pair_chgd;
  bool         nonce_error_corrections_chgd;
  bool         advice_disable;
  bool         benchmark;
--- a/src/hashes.c
+++ b/src/hashes.c
@ -831,7 +831,54 @@ int hashes_init_stage1 (hashcat_ctx_t *hashcat_ctx)
                  wpa->message_pair      = (u8)  user_options->hccapx_message_pair;
                }
-                wpa->nonce_error_corrections = user_options->nonce_error_corrections;
+                if (wpa->message_pair & (1 << 4))
                {
                  // ap-less attack detected, nc not needed
                  wpa->nonce_error_corrections = 0;
                }
                else
                {
                  if (wpa->message_pair & (1 << 7))
                  {
                    // replaycount not checked, nc needed
                    wpa->nonce_error_corrections = user_options->nonce_error_corrections;
                  }
                  else
                  {
                    // replaycount checked, nc not needed, but we allow user overwrites
                    if (user_options->nonce_error_corrections_chgd == true)
                    {
                      wpa->nonce_error_corrections = user_options->nonce_error_corrections;
                    }
                    else
                    {
                      wpa->nonce_error_corrections = 0;
                    }
                  }
                }
                // now some optimization related to replay counter endianess
                // hcxtools has techniques to detect them
                // since we can not guarantee to get our handshakes from hcxtools we enable both by default
                // this means that we check both even if both are not set!
                // however if one of them is set, we can assume that the endianess has been checked and the other one is not needed
                wpa->detected_le = 1;
                wpa->detected_be = 1;
                if (wpa->message_pair & (1 << 5))
                {
                  wpa->detected_le = 1;
                  wpa->detected_be = 0;
                }
                else if (wpa->message_pair & (1 << 6))
                {
                  wpa->detected_le = 0;
                  wpa->detected_be = 1;
                }
              }
            }
@ -1652,6 +1699,9 @@ int hashes_init_selftest (hashcat_ctx_t *hashcat_ctx)
    wpa_t *wpa = (wpa_t *) st_esalts_buf;
    wpa->detected_le = 1;
    wpa->detected_be = 0;
    wpa->nonce_error_corrections = 3;
  }
  else if (hashconfig->opts_type & OPTS_TYPE_BINARY_HASHFILE)
--- a/src/user_options.c
+++ b/src/user_options.c
@ -396,7 +396,8 @@ int user_options_getopt (hashcat_ctx_t *hashcat_ctx, int argc, char **argv)
      case IDX_LOGFILE_DISABLE:          user_options->logfile_disable           = true;                            break;
      case IDX_HCCAPX_MESSAGE_PAIR:      user_options->hccapx_message_pair       = hc_strtoul (optarg, NULL, 10);
                                         user_options->hccapx_message_pair_chgd  = true;                            break;
-      case IDX_NONCE_ERROR_CORRECTIONS:  user_options->nonce_error_corrections   = hc_strtoul (optarg, NULL, 10);   break;
+      case IDX_NONCE_ERROR_CORRECTIONS:  user_options->nonce_error_corrections   = hc_strtoul (optarg, NULL, 10);
                                         user_options->nonce_error_corrections_chgd = true;                         break;
      case IDX_TRUECRYPT_KEYFILES:       user_options->truecrypt_keyfiles        = optarg;                          break;
      case IDX_VERACRYPT_KEYFILES:       user_options->veracrypt_keyfiles        = optarg;                          break;
      case IDX_VERACRYPT_PIM:            user_options->veracrypt_pim             = hc_strtoul (optarg, NULL, 10);   break;