Author Topic: Extracting PPPoE credentials from Juniper SRX300  (Read 16167 times)

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #45 on: June 13, 2017, 08:39:46 PM »

Attached below is the ASCII text equivalent of your initial capture attempt.

Building on what 4uture has recommended, I will suggest that you power off either the HG8240 or the SRX300.

Begin a Wireshark capture and once it is active, power on whichever device is currently off. Very soon, after power on, you should see at least two, possibly three, lines which show as "PPP CHAP" in the "Protocol" column. They are the lines that you will require.

Back in Reply #21 I showed a (spoof) example from one of my own capture attempts.
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


psychopomp1

  • Reg Member
  • ***
  • Posts: 311
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #46 on: June 13, 2017, 09:43:43 PM »

Ok looks like I've got my username at least which ends @BURST.NET as this is the same as what is shown on my Fluidone portal. But how do I get the password?

Edit: removed my captures from public view






« Last Edit: June 13, 2017, 11:08:27 PM by psychopomp1 »

burakkucat

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #47 on: June 13, 2017, 11:20:06 PM »

For some reason I am unable to download your latest capture file.  :(

I agree with your deduction, "blah-blah@BURST.net" appears to be your login username to the bRAS.

Will you please reload that capture file into Wireshark, filter the display for "chap" and then see how many Challenge-Response line pairs are present. Looking at the image you've displayed, there are three line pairs and only the third pairing has a following "Success" line.

If you look a little deeper into Wireshark, you will find that there is an option to print out the capture. From there, just instruct it to print to a file. The print to a file option also has its own options . . . you should be able to find what is required to print out in a similar format to that of my (spoof) example. All being well, you will have an ASCII text file containing a header and five lines of data. That ASCII text file can then be attached to a forum post.

psychopomp1

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #48 on: June 14, 2017, 12:08:04 AM »

Does this help? This is the only info which contains PPP CHAP


burakkucat

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #49 on: June 14, 2017, 01:32:09 AM »

Yes, that's the good stuff.  :)

You will need the data from lines 65 & 66 and, maybe, some help from 3b.

With that b*cat goes to his sleepy-spot.  :sleep:

bishbashbosh

  • Member
  • **
  • Posts: 62
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #50 on: June 14, 2017, 09:26:08 PM »

Hi Psychopomp,

I believe this is the command you will likely need. As discussed privately, I don't have a proper GPU so rely on CPU power only inside a VM with 8 cores. This limits me to 200MHs so your experience should be significantly quicker. You are very lucky in that the info you shared with me contains a challenge value from the FluidOne PPP server of 16 bytes which fits nicely in the iSCSI/CHAP method.

You might need to use hashcat64.exe if using Windies.

So this is using the native CHAP method and using some test data I knocked up. The first hex value is the MD5 hash. The second value is the challenge from the PPP server and the third value is the identifier.

hashcat -m 4800 -a 3 -w 3 --increment --hex-charset -1 ?d?u?l  474ffb3942b64d75345dc4baeee27c24:99999999999999999999999999999999:02 ?1?1?1?1?1?1?1?1

This should reveal a password of "AbCdEf"

This is all test data so replace the 99s with the challenge value and identifier from line 58 and the MD5 hash from line 59. Challenge ends in 5376 and hash ends in d90c. 


bishbashbosh

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #51 on: June 14, 2017, 09:43:01 PM »

Just an observation. hashcat with method 4800 (CHAP) is 200MHs and native MD5 is 300MHs despite using the same test data. I'd use native but I can't get the increment function to work with straight MD5.

It's probably me.

psychopomp1

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #52 on: June 14, 2017, 10:00:36 PM »

Thanks bish.

Followed your instructions exactly but got the following error:



I suspect it's because I'm running the 32 bit version of hashcat on my desktop pc (it's a Win 7 32 bit system). Will try it on my laptop which has a 64 bit Win 7.

psychopomp1

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #53 on: June 14, 2017, 11:51:36 PM »

Tried on my Win 7 (64 bit) notebook but still having issues.

First of all when I try to run a benchmark

hashcat64.exe -b

I get the error

Hashtype: MD4
clSetKernelArg<>: CL_INVALID_MEM_OBJECT

If I still go ahead with the full command I get the error

Hash <code from line 58 & 59>: Line-length exception
No hashes loaded


I'm totally lost :(

My notebook ThinkPad X220 doesn't have a dedicated GPU, I think built-in GPU is only 128mb.
« Last Edit: June 14, 2017, 11:55:06 PM by psychopomp1 »

bishbashbosh

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #54 on: June 15, 2017, 05:47:59 AM »

Hi, you should make sure you have hashcat working before trying to run a crack. It's likely to be down to OpenCL drivers.

https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_do_i_install_hashcat

psychopomp1

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #55 on: June 15, 2017, 10:45:25 AM »

Ok had to uninstall the Intel HD graphics driver on my pc before I was able to install the OpenCL software. The benchmark ran ok this time.

However still getting the 'no hashes loaded' error when I run the full command, I have PM'd you the exact command I'm typing. I suspect a syntax error somewhere.

Cheers
« Last Edit: June 15, 2017, 10:57:38 AM by psychopomp1 »

4uture

  • Member
  • **
  • Posts: 11
Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #56 on: June 15, 2017, 01:19:15 PM »

Hi, I can see from your screenshot that you are including 0x (which means hex) at the start of the hashes. This is not needed. An MD5 hash is always 32 (hex) characters long.

psychopomp1

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #57 on: June 15, 2017, 02:53:42 PM »

Thanks, will retry without 0x. Just to confirm I also need to add :02 at the end of the challenge line as shown in bish's example?
Cheers

4uture

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #58 on: June 15, 2017, 03:55:21 PM »

The :02 is an identifier that you get from the packet capture. If bishbashbosh told you :02, then it's probably correct.
Logged
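
An added example, not part of the original posts: how the CHAP response discussed in Replies #50 to #58 is computed under RFC 1994, and a length check on the three fields before they are joined as hash:challenge:id, including the 0x prefix noted in Reply #56. The function names are hypothetical; the sample values are constructed and reuse the thread's test data (identifier 02, a challenge of sixteen 0x99 bytes, password AbCdEf).

```python
import hashlib
import re

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def hex_field(value: str, name: str, nbytes: int) -> str:
    """Drop display decoration (0x prefix, colons, spaces) and check the length."""
    cleaned = re.sub(r"[\s:]", "", value)
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        raise ValueError(f"{name}: not a hex string: {value!r}")
    if len(cleaned) != 2 * nbytes:
        raise ValueError(f"{name}: expected {2 * nbytes} hex characters, got {len(cleaned)}")
    return cleaned.lower()

def mode4800_line(response: str, challenge: str, identifier: str) -> str:
    """Join the fields as hash:challenge:id, the layout used in Reply #50."""
    return ":".join([
        hex_field(response, "response", 16),     # an MD5 hash is 32 hex characters
        hex_field(challenge, "challenge", 16),   # 16-byte challenge, as in the thread
        hex_field(identifier, "identifier", 1),  # one-byte CHAP Identifier
    ])

# Constructed sample values (the thread's test data, not a real capture).
SAMPLE_ID = 0x02
SAMPLE_CHALLENGE = bytes.fromhex("99" * 16)
SAMPLE_SECRET = b"AbCdEf"

def sample_line() -> str:
    """Compute the response for the sample and format it from 0x-prefixed input."""
    resp = chap_response(SAMPLE_ID, SAMPLE_SECRET, SAMPLE_CHALLENGE)
    return mode4800_line("0x" + resp.hex(), "0x" + SAMPLE_CHALLENGE.hex(), "0x02")

if __name__ == "__main__":
    print(sample_line())
```
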

psychopomp1

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #59 on: June 15, 2017, 06:57:19 PM »

Cheers 4uture.

I think I'm getting somewhere at last!



Now bish said my password will be in form of AbCdEf, does that mean it's definitely 6 characters long & is shown above in Candidates.#1 field or do I have to wait until the pc finishes processing?

Cheers

