Parsing multiple WPA handshakes from a merged cap file.
#1
Hi all,
I have a cap file (the result of merging multiple WPA cleaned cap files using mergecap), but the original cap files that made up the final BIG cap file are deleted. So I'm trying to extract the cap files and convert them to hccap. I can do that with aircrack-ng and the -J option, but that converts only one cap, based on the index I give, e.g.:
$ aircrack-ng tt1.cap -J out2
Opening tt1.cap
Read xxxx packets.

# BSSID ESSID Encryption

1 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
2 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
3 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
4 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
5 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
6 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
7 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
........ (real ... :-) )

Index number of target network ? 1

Opening tt1.cap
Reading packets, please wait...

Building Hashcat (1.00) file...

[*] ESSID (length: x): xx
[*] Key version: 1
[*] BSSID: XX:XX:XX:XX:XX:XX
[*] STA: XX:XX:XX:XX:XX:XX
[*] anonce:
XX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XX
[*] snonce:
XX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XX
[*] Key MIC:
XX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XX
[*] eapol:
XX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XX

Successfully written to out2.hccap


Quitting aircrack-ng...

$
And I've tried extracting cap files from the big file using tshark:
tshark -r tt1.cap wlan.bssid == XX:XX:XX:XX:XX:XX -w out.cap
and when trying to convert them to hccap using aircrack-ng:
$ aircrack-ng extract.cap -J out3
Opening extract.cap
Unsupported file format (not a pcap or IVs file).
Read 0 packets.

No networks found, exiting.


Quitting aircrack-ng...
$
Even though, when opening the file with Wireshark, I see it's -kind of- normal.
There's a solution (a stupid one), which is to make a script that opens aircrack-ng with tt1.cap and enters an index each time up to the nth, but that means aircrack-ng would need to read the file every time; it would take days to finish.
So what I need is to extract the cap files from tt1.cap (and then I can convert them with aircrack or cap2hccap) or to undo mergecap.
I've also tried to read the file by parsing it based on offset ranges (I've read http://hashcat.net/wiki/doku.php?id=hccap), but failed because every cap in tt1.cap has some random bytes before the ESSID, so I can't parse it using the range 0x00-0x187 for every cap.

Thanks and sorry for my bad English.
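As an added example (not from the original post, aircrack-ng or cap2hccap), here is the "undo mergecap" step in Python: walk the classic libpcap records, pick the BSSID from the 802.11 header's address fields according to the To-DS/From-DS bits, and collect one per-BSSID capture that reuses the original global header so the usual tools can read it. The sample capture is constructed inline; the pcapng check covers the most likely reason the tshark output was rejected (tshark -w writes pcapng by default, which older aircrack-ng versions do not read), and the hypothetical helper names are mine.

```python
import struct

PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # classic pcap magic -> byte order
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # (microsecond and nanosecond variants)
DLT_IEEE802_11, DLT_IEEE802_11_RADIO = 105, 127

def bssid_of(frame: bytes):
    """Return the BSSID of an 802.11 frame, picked from addr1/2/3 by the To-DS/From-DS bits."""
    flags = frame[1] & 0x03 if len(frame) >= 22 else 0x03   # truncated header: treat as "no BSSID"
    if flags == 0x03:                                       # both DS bits set: 4-address WDS frame
        return None
    off = {0x00: 16, 0x01: 4, 0x02: 10}[flags]              # neither: addr3, To-DS: addr1, From-DS: addr2
    return frame[off:off + 6].hex(":")

def split_pcap_by_bssid(pcap: bytes):
    """Split one merged libpcap capture into {bssid: standalone pcap bytes}, reusing its global header."""
    if pcap[:4] == b"\x0a\x0d\x0d\x0a":
        raise ValueError("pcapng input: older aircrack-ng only reads classic pcap")
    endian = PCAP_MAGICS.get(pcap[:4])
    if endian is None:
        raise ValueError("not a libpcap file")
    link_type = struct.unpack(endian + "I", pcap[20:24])[0]
    if link_type not in (DLT_IEEE802_11, DLT_IEEE802_11_RADIO):
        raise ValueError(f"unsupported link type {link_type}")
    header, out, pos = pcap[:24], {}, 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        record = pcap[pos:pos + 16 + incl_len]          # record header + captured bytes, copied verbatim
        frame, pos = record[16:], pos + 16 + incl_len
        if link_type == DLT_IEEE802_11_RADIO:           # strip radiotap; its length field is always LE
            frame = frame[struct.unpack("<H", frame[2:4])[0]:] if len(frame) >= 4 else b""
        bssid = bssid_of(frame)
        if bssid is not None:
            out[bssid] = out.get(bssid, header) + record
    return out

def _frame(flags: int, a1: str, a2: str, a3: str) -> bytes:
    """Constructed 802.11 data-frame header (no body) for the demo: FC, duration, addr1-3, seq ctl."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (a1, a2, a3))
    return bytes([0x08, flags]) + b"\x00\x00" + addrs + b"\x00\x00"

def build_sample_pcap() -> bytes:
    """Constructed little-endian pcap (link type 105) with two APs' frames interleaved, as after mergecap."""
    ap1, ap2, sta = "02:00:00:00:01:01", "02:00:00:00:02:02", "02:00:00:00:aa:aa"
    # From-DS (BSSID in addr2), To-DS (BSSID in addr1), neither (BSSID in addr3)
    frames = [_frame(0x02, sta, ap1, sta), _frame(0x01, ap2, sta, ap2), _frame(0x00, sta, ap1, ap1)]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for i, f in enumerate(frames):
        pcap += struct.pack("<IIII", 1420000000 + i, 0, len(f), len(f)) + f
    return pcap
```

For a real capture, read the file with open(path, "rb") and write each value of the returned dict to its own .cap file; 4-address WDS frames are skipped because they carry no single BSSID.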
#2
Can aircrack read the extract.cap (the one output by tshark) without using the -J?

If not, I'd say tshark destroyed it, at least for using it with aircrack
#3
(01-09-2015, 11:52 AM)atom Wrote: Can aircrack read the extract.cap (the one output by tshark) without using the -J?

If not, I'd say tshark destroyed it, at least for using it with aircrack

No it can't:
$ tshark -r tt1.cap wlan.bssid == xx:xx:xx:xx:xx:xx -w extract.cap
$ aircrack-ng extract.cap
Opening extract.cap
Unsupported file format (not a pcap or IVs file).
Read 0 packets.

No networks found, exiting.


Quitting aircrack-ng...
$
But when I specify the -b option for aircrack it works:
$ aircrack-ng -w ../../hash/wlist/rockyou_sorted.txt extract.cap
Opening extract.cap
Unsupported file format (not a pcap or IVs file).
Read 0 packets.

No networks found, exiting.


Quitting aircrack-ng...
$ aircrack-ng -w ../../hash/wlist/r_sorted.txt -b xx:xx:xx:xx:xx:xx tt1.cap
Opening tt1.cap
Reading packets, please wait...

Aircrack-ng 1.2 rc1


[00:00:01] 9812 keys tested (942.14 k/s)


Current passphrase: dee4life


Master Key : xx:xx:xx:xx:xx:xxxx:xx:xx:xx:xx:xx

Transient Key : xx:xx:xx:xx:xx:xxxx:xx:xx:xx:xx:xxxx:xx:xx:xx:xx:xxxx:xx:xx:xx:xx:xx

EAPOL HMAC : xx:xx:xx:xx:xx:xxxx:xx:xx:xx:xx:xxxx:xx:xx:xx:xx:xx
^C
Quitting aircrack-ng...
$
#4
In that case don't use the combination of tshark + aircrack to convert. You can use cap2hccap; I think it has a builtin filter.
#5
(01-09-2015, 04:59 PM)atom Wrote: In that case don't use the combination of tshark + aircrack to convert. You can use cap2hccap; I think it has a builtin filter.

That's it :D
$./cap2hccap.bin -e 'xx' tt1.cap c2h.out
[info ] writing handshake for "xx".
$

and c2h.out is valid when tested with hashcat.
Many thanks, atom.