hashcat Forum
WPA handshake messages clarification


WPA handshake messages clarification - simgunz - 04-22-2014

I need a clarification on which messages of the WPA handshake are necessary to obtain a clean hccap file.
Using the "WPA Clean and Convert Script" I've noticed that when all 4 EAPOL messages are present, only the first two (1/1 and 1/2) are saved to the .cap file in the CleanCaps directory, so I've supposed that only those two are the ones required by oclHashcat. Then I've seen that sometimes when the message 2/4 is missing from the original cap file, the script succeeds and in the CleanCap file there are only the messages 1/2 and 4/4.
So I would like to know which of the four messages are actually necessary to obtain a useful hccap file for oclHashcat.


RE: WPA handshake messages clarification - magnum - 04-22-2014

Here's an excellent writeup:
http://www.aircrack-ng.org/doku.php?id=wpa_capture


RE: WPA handshake messages clarification - simgunz - 04-24-2014

I've already read that page, but it's still not clear to me. The example cap file on that page contains the following EAPOL messages: 1/4 - 4/4 - 3/4 - 4/4, so the message 2/4 is missing, but the cap is actually valid. In a cap I've used to test oclHashcat, the only messages are the 1/4 - 2/4 (after using the WPA clean script) and I can actually retrieve the password. So what is the message 2/4?

From what I've understood, the messages 1/4 and the message 4/4 with the same replay counter number are the only two necessary, and they are considered valid if they are followed by a message 3/4 (and 4/4) with a replay counter increased by one. Is it right?