hashcat Forum

Full Version: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
manually calculate hashcat's "--nonce-error-corrections" using hcxtools

If you use wlancap2hcx, you'll get a proposal for the --nonce-error-corrections value of hashcat.
It looks like this:
hashcat --nonce-error-corrections is working on that file (that means you can use the default value) or
you should use hashcat --nonce-error-corrections=16 (or greater) on ...
you should use hashcat --nonce-error-corrections=32 (or greater) on ...
you should use hashcat --nonce-error-corrections=64 (or greater) on ...

If, you like, you can calculate this value manually:
use wlanhcxinfo option -a -A to get  the required informations:
$ wlanhcxinfo -i yourhccapxfile.hccapx -a -A
This will show you all anonces (anonce = nonce transmited by the access point).
You will get something like this:
mac_ap          anonce
-----------------------------------------------------------------------------------------------------
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a1
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a1
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a5
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a6
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a8
(for little endian ap's)

xxxxxxxxxxxx:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa3ae7cde0
xxxxxxxxxxxx:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa3de7cde0
xxxxxxxxxxxx:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa40e7cde0
(for big endian ap's)


You can see, the last byte is counting up.
Also you can see that there are gaps between the values (caused by packetloss of the dumper).
Now take the highest value and substract the lowest value (little endian: 0xa8 - 0xa1 = 7, big endian: 0x40 - 0x3a = 6).
The result is the lowest value you should use for hashcat --nonce-error-corrections!

Keep in mind: This will only work on hccpax files converted from uncleaned(!) and unreduced(!) cap files.
It doesn't work on a single handshake!!!!

Background informations:
-------------------------------
An access point uses several different EAPOL-timers like this:
EAP-Identity-Request Timeout (seconds)
EAP-Identity-Request Max Retries
EAP Key-Index for Dynamic WEP
EAP Max-Login Ignore Identity Response
EAP-Request Timeout (seconds)
EAP-Request Max Retries
EAPOL-Key Timeout (milliseconds)
EAPOL-Key Max Retries
EAP-Broadcast Key Interval

Calculating an anonce, releasing an anonce, calculation of the replaycount, releasing a replaycount, accepting an authentication, all this depends on that timers.
Knowing the "secrets" about this timers allows us to use nonce-error-corrections (and other features build-in in hashcat and hcxtools).
Disregarding this (by cleaning caps, reducing caps to only one handshake, capturing only one handshake, using to much deauthentications) possible will let you fail calculating the key!

Why will you possible fail?
wlanhcxinfo will show you this using the options -a -A -R
Well, let's take a look into the replaycount (-R):

$ wlanhcxinfo -i yourhccapxfile.hccapx -a -A -R
mac_ap          anonce                                                                                          replaycount
-------------------------------------------------------------------------------------------------------------------------------
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a1:0000000000000000
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a1:0000000000000000
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a5:0000000000000000
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a6:0000000000000000
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a8:0000000000000000
(on the little endian ap)


xxxxxxxxxxxx:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa3ae7cde0:0000000000000001
xxxxxxxxxxxx:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa3de7cde0:0000000000000000
xxxxxxxxxxxx:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa40e7cde0:0000000000000001
(on the big endian ap)

In both cases the ap's received to much deauthentications and didn't receive their clients packets.
So they resetted their replaycounters.
Without using nonce-error-corrections, in many cases you are not able to calculate the password because the M2 and/or M4 of the client doesn't match!
Sending more (than mutch) deauthentications causes ap's to release their complete anonce. In that case not even nonce-error-corrections will work!


update hcxtools 4.0.0-rc1:
Added new option -I to wlanhcxmnc:
-I          : show mac_ap and anonces

now you can use
$ wlanhcxmnc -i yourfile.hccapx -I
to get the required informations for hashcat's nonce-error-corrections

stdout is used for printing this informations. So it's possible to redirect the output to a file
$ wlanhcxmnc -i yourfile.hccapx -I > apinfos

wlanhcxinfo option -a -A no longer needed for this purpose!
some words about hcxtools (https://github.com/ZerBea/hcxtools) and hcxkeys (https://github.com/ZerBea/hcxkeys):
Main purpose of both toolsets is to conduct an analysis and compile statistics on WiFi, together with hashcat!
That means:
wlanhhcxcat, wlangenpmk, wlangenpmkocl (and pwhash) are to slow for cracking purposes!!
This tools are only usefull to calculate, show and test single hashes.
Do not try to use them as crackers. hashcat can do this much better and faster!
calculate hashcat's "--nonce-error-corrections" using hcxtools

In some special cases hashcat isn't able to do nonce-error-corrections.

If you use wlanhcxinfo option -a -A to get  the required informations and you see this:
mac_ap           anonce
-----------------------------------------------------------------------------------------------------
xxxxxxxxxxxx:4a8d0509f2a10031e819d487f95a33825cbaf6ea6d7dff3ade2c7c3071889316
xxxxxxxxxxxx:4a8d0509f2a10034e819d487f95a33825cbaf6ea6d7dff3ade2c7c3071889316
xxxxxxxxxxxx:4a8d0509f2a10037e819d487f95a33825cbaf6ea6d7dff3ade2c7c3071889316
xxxxxxxxxxxx:4a8d0509f2a1003ae819d487f95a33825cbaf6ea6d7dff3ade2c7c3071889316
xxxxxxxxxxxx:4a8d0509f2a1003ce819d487f95a33825cbaf6ea6d7dff3ade2c7c3071889316
xxxxxxxxxxxx:4a8d0509f2a1003ee819d487f95a33825cbaf6ea6d7dff3ade2c7c3071889316

Byte 7 is incremented.
There are gaps between the values (caused by packetloss of the dumper).

Now it's time for wlanhcxmnc. This tool will do the nonce-err-corrections for hashcat.
Calculate the nonce-err-corrections value as in post 61 described: 0x3e - 0x31 = 0xd
Then run:
wlanhcxmnc -i yourfile.hccapx -a xxxxxxxxxxxx -o correctedfile.hccapx -b 7 -n d

wlanhcxmnc will correct the nonce values for this ap xxxxxxxxxxxx and save them to a file.

Now you can run hashcat with --nonce-error-corrections=0 on that file.
This is possible, because the nonce-error-corrections is allready done by wlanhcxmnc!


update hcxtools 4.0.0-rc1:
Added new option -I to wlanhcxmnc:
-I          : show mac_ap and anonces

now you can use
$ wlanhcxmnc -i yourfile.hccapx -I
to get the required informations for hashcat's nonce-error-corrections

stdout is used for printing this informations. So it's possible to redirect the output to a file
$ wlanhcxmnc -i yourfile.hccapx -I > apinfos

wlanhcxinfo option -a -A no longer needed for this purpose!
update hcxtools (4.0.0-rc1): https://github.com/ZerBea/hcxtools
Added new tool wlanjohn2hcx to convert john wpapsk hashfiles to hccapx.
$ wlanjohn2hcx -h
wlanjohn2hcx 4.0.0-rc1 (C) 2017 ZeroBeat
usage: wlanjohn2hcx <options> [input.john] [input.john] ...
options:
-o <file> : output hccapx file
-e <file> : output ESSID list
wlanhcx2cap update:
set M1 replaycount = (M4 replaycount-1) if M4 EAPOL is used
attention: somtimes wireshark can't handle wlanhcx2cap files if group keys are used
that means handshake in cap file is correct and all tools working on that cap, but wireshark output is wrong (M2 is shown as M4)
I have tested the most used wpa cracking tools hascat (google: about 274,000 results), aircrack-ng (google: about 535,000 results) and John the Ripper jumbo (google: about 311,000 results) how they work on wpa using their own conversion tools and how they work closely together with hcxtools.

Overview of the tests:
1. cap2hccapx -> hashcat
2. wpapcap2john -> john
3. aircrack-ng
4. wlancap2hcx -> hashcat
5. wlancap2hcx -> wlanhcx2john -> john


1. Test: cap2hccapx -> hashcat
(https://github.com/hashcat/hashcat-utils)
$ time cap2hccapx 20170228.cap cap2hccapx.hccapx
Written 12736 WPA Handshakes to: cap2hccapx.hccapx
real 4m37,154s
user 4m36,964s
sys 0m0,170s

a) no nonce-error-correction
$ hashcat -m 2500 --nonce-error-corrections=0 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 cap2hccapx.hccapx wlan
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: cap2hccapx.hccapx
Time.Started.....: Wed Sep 27 10:05:30 2017 (1 min, 40 secs)
Time.Estimated...: Wed Sep 27 10:07:10 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   403.0 kH/s (0.93ms)
Recovered........: 1297/8967 (14.46%) Digests, 227/1059 (21.44%) Salts
Recovered/Time...: CUR:681,N/A,N/A AVG:782,46927,1126251 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 73c Fan: 84% Util: 10% Core:1847MHz Mem:5005MHz Bus:16

b) nonce-error-correction 8 (default)
$ hashcat -m 2500 --nonce-error-corrections=8 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 cap2hccapx.hccapx wlan
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: cap2hccapx.hccapx
Time.Started.....: Wed Sep 27 10:07:45 2017 (2 mins, 47 secs)
Time.Estimated...: Wed Sep 27 10:10:32 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   264.7 kH/s (0.94ms)
Recovered........: 1901/8967 (21.20%) Digests, 242/1059 (22.85%) Salts
Recovered/Time...: CUR:702,N/A,N/A AVG:682,40959,983039 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 71c Fan: 33% Util: 24% Core:1847MHz Mem:5005MHz Bus:16


2. Test: wpapcap2john -> john
(https://github.com/magnumripper/JohnTheRipper)
$ time wpapcap2john 20170228.cap > wpapcap2john.john
Dumping 212780 unverified auths
18500 ESSIDS processed
real 0m49,941s
user 0m44,413s
sys 0m1,621s

as of today nonce-error-corrections isn't implemented in JtR (but in progress for the next update)
$ john -w:wlan --format=wpapsk-opencl --pot=john.pot wpapcap2john.john
Device 0: GeForce GTX 1080 Ti
Local worksize (LWS) 64, global worksize (GWS) 2097152
Loaded 7481 password hashes with 7481 different salts (wpapsk-opencl, WPA/WPA2 PSK [PBKDF2-SHA1 OpenCL])
1767g 0:00:01:18 DONE (2017-09-27 09:44) 22.57g/s 476.3p/s 3563Kc/s 3563KC/s GPU:79°C util:99% fan:60%


3. Test: aircrack-ng
(http://svn.aircrack-ng.org/trunk/)
$ time aircrack-ng -J aircrackng 20170228.cap
Opening 20170228.cap
Reading packets, please wait...
Index number of target network ? 17887
Opening 20170228.cap
Reading packets, please wait...
Building Hashcat (1.00) file...
Successfully written to aircrackng.hccap
Quitting aircrack-ng...
real 3m17,601s
user 1m40,430s
sys 0m0,107s

Remarks:
only hashes from 16927 up to 17887 displayed
only 1 hash written to hashfile
only support hashcat 1.0 hccap format
real handshakes detected:
$ aircrack-ng  20170228.cap | grep "1 hand" > aircrackhandshakes
$ wc -l aircrackhandshakes
1356 aircrackhandshakes found (5 with empty ESSIDs)
I didn't have the time to test 1356 single hashes!

now the same, but using wpaclen on 20170228.cap
$ wpaclean wpaclean.cap 20170228.cap
$ aircrack-ng wpaclean.cap | grep "1 hand" > aircrackhandshakescleaned
$ wc -l aircrackhandshakescleaned
1305 aircrackhandshakescleaned
I didn't have the time to test 1305 single hashes!

$ wlancap2hcx -o wpacleaned.hccapx wpaclean.cap
start reading from wpaclean.cap
4056 packets processed (4056 wlan, 0 lan, 0 loopback)
total 1259 usefull wpa handshakes
found 1 handshake with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)
found 30 WPA1 RC4 Cipher, HMAC-MD5
found 1229 WPA2 AES Cipher, HMAC-SHA1
found 68 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
warning: use of wpaclean detected

a) no nonce-error-correction on that cleaned cap
$ hashcat -m 2500 --nonce-error-corrections=0 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 wpacleaned.hccapx wlan
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wpacleaned.hccapx
Time.Started.....: Wed Sep 27 11:50:11 2017 (1 min, 31 secs)
Time.Estimated...: Wed Sep 27 11:51:42 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   417.6 kH/s (0.95ms)
Recovered........: 356/1257 (28.32%) Digests, 266/1016 (26.18%) Salts
Recovered/Time...: CUR:221,N/A,N/A AVG:234,14046,337111 (Min,Hour,Day)
Progress.........: 37881560/37881560 (100.00%)
Rejected.........: 0/37881560 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 73c Fan: 78% Util: 66% Core:1860MHz Mem:5005MHz Bus:16

a) nonce-error-correction 8 (default) on that cleaned cap
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wpacleaned.hccapx
Time.Started.....: Wed Sep 27 11:52:14 2017 (1 min, 40 secs)
Time.Estimated...: Wed Sep 27 11:53:54 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   378.6 kH/s (0.94ms)
Recovered........: 365/1257 (29.04%) Digests, 273/1016 (26.87%) Salts
Recovered/Time...: CUR:202,N/A,N/A AVG:218,13091,314184 (Min,Hour,Day)
Progress.........: 37881560/37881560 (100.00%)
Rejected.........: 0/37881560 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 73c Fan: 75% Util: 44% Core:1860MHz Mem:5005MHz Bus:16


4. Test: wlancap2hcx -> hashcat
(https://github.com/ZerBea/hcxtools)
$ time wlancap2hcx -o wlancap2hcx.hccapx 20170228.cap
start reading from 20170228.cap
1396632 packets processed (1396632 wlan, 0 lan, 0 loopback)
total 18537 usefull wpa handshakes
found 21 handshakes with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)
found 184 WPA1 RC4 Cipher, HMAC-MD5
found 18353 WPA2 AES Cipher, HMAC-SHA1
found 1431 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
you should use hashcat --nonce-error-corrections=64 (or greater) on wlancap2hcx.hccapx
found WDS or Mesh packets
real 0m0,911s
user 0m0,760s
sys 0m0,149s

a) no nonce-error-correction
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wlancap2hcx.hccapx
Time.Started.....: Wed Sep 27 09:58:34 2017 (1 min, 40 secs)
Time.Estimated...: Wed Sep 27 10:00:14 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   407.1 kH/s (0.93ms)
Recovered........: 2871/11989 (23.95%) Digests, 266/1059 (25.12%) Salts
Recovered/Time...: CUR:2017,N/A,N/A AVG:1713,102790,2466976 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 73c Fan: 71% Util: 49% Core:1860MHz Mem:5005MHz Bus:16

b) nonce-error-correction 8 (default)
$ hashcat -m 2500 --nonce-error-corrections=8 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 wlancap2hcx.hccapx wlan
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wlancap2hcx.hccapx
Time.Started.....: Wed Sep 27 10:01:29 2017 (3 mins, 13 secs)
Time.Estimated...: Wed Sep 27 10:04:42 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   290.9 kH/s (0.94ms)
Recovered........: 2969/11989 (24.76%) Digests, 282/1059 (26.63%) Salts
Recovered/Time...: CUR:870,N/A,N/A AVG:922,55330,1327926 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 72c Fan: 42% Util: 75% Core:1860MHz Mem:5005MHz Bus:16


5. Test: wlancap2hcx -> wlanhcx2john -> john
(https://github.com/ZerBea/hcxtools)
$ time wlancap2hcx -o wlancap2hcx.hccapx 20170228.cap
start reading from 20170228.cap
1396632 packets processed (1396632 wlan, 0 lan, 0 loopback)
total 18537 usefull wpa handshakes
found 21 handshakes with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)
found 184 WPA1 RC4 Cipher, HMAC-MD5
found 18353 WPA2 AES Cipher, HMAC-SHA1
found 1431 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
you should use hashcat --nonce-error-corrections=64 (or greater) on wlancap2hcx.hccapx
found WDS or Mesh packets
real 0m0,911s
user 0m0,760s
sys 0m0,149s

$ wlanhcx2john -o wlanhcx2john.john wlancap2hcx.hccapx
18537 records read from wlancap2hcx.hccapx
18537 records written to wlanhcx2john.john

as of today nonce-error-corrections isn't implemented in JtR (but in progress for the next update)
$ john -w:wlan --format=wpapsk-opencl --pot=john.pot wlanhcx2john.john
Device 0: GeForce GTX 1080 Ti
Local worksize (LWS) 64, global worksize (GWS) 2097152
Loaded 11984 password hashes with 11984 different salts (wpapsk-opencl, WPA/WPA2 PSK [PBKDF2-SHA1 OpenCL])
2871g 0:00:01:23 DONE (2017-09-27 10:12) 34.21g/s 444.3p/s 5325Kc/s 5325KC/s GPU:81°C util:99% fan:62%

Well, no conclusion from me, so make your own conclusion about all tools, results and features (nonce-error-corrections).
And if you decide to follow hcxtools recommendations:
you should use hashcat --nonce-error-corrections=64 (or greater) on wlancap2hcx.hccapx

$ hashcat -m 2500 --nonce-error-corrections=64 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 wlancap2hcx.hccapx wlan
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wlancap2hcx.hccapx
Time.Started.....: Wed Sep 27 17:24:21 2017 (14 mins, 17 secs)
Time.Estimated...: Wed Sep 27 17:38:38 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:    96197 H/s (0.94ms)
Recovered........: 2976/11989 (24.82%) Digests, 285/1059 (26.91%) Salts
Recovered/Time...: CUR:94,N/A,N/A AVG:208,12499,299983 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 75c Fan: 42% Util:  8% Core:1847MHz Mem:5005MHz Bus:16

you will get some more hits!
update hcxtools (better plainmasterkey handling): https://github.com/ZerBea/hcxtools

added new option -O to wlancap2hcx:
-O <file> : output hccapx file without ESSIDs (WPA/WPA2/WPA2 AES-128-CMAC: use hashcat -m 2501 only)

All handshakes without ESSID went into this file, mainly handshakes from the second part of an expanded EAPOL authentication (like RADIUS / ENTERPRISE). This handshakes are crackable using captured plainmasterkeys from wlan-traffic (wlancap2hcx option -f) or pre-computed plainmasterkeys.

example:
$ wlancap2hcx -O noessid.hccapx test.cap
start reading from test.cap
12089037 packets processed (12089037 wlan, 0 lan, 0 loopback)
total 286811 usefull wpa handshakes
found 85 handshakes with zeroed plainmasterkeys (use hashcat -m 2501 with a zeroed plainmasterkey)
found 2467 handshakes without ESSIDs (use hashcat -m 2501)

$ hashcat -m 2501 --logfile-disable --potfile-path=hashcat.2501.pot --outfile-format=2 -o foundhashcat.2501 noessid.hccapx pmklist
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2 PMK
Hash.Target......: noessid.hccapx
Time.Started.....: Mon Oct  2 13:22:05 2017 (0 secs)
Time.Estimated...: Mon Oct  2 13:22:05 2017 (0 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   288.1 kH/s (0.00ms)
Recovered........: 25/252 (9.92%) Digests, 0/1 (0.00%) Salts
Progress.........: 48164/48164 (100.00%)
Rejected.........: 0/48164 (0.00%)
Restore.Point....: 48164/48164 (100.00%)
Candidates.#1....: 00.... -> ff....
HWMon.Dev.#1.....: Temp: 34c Fan: 33% Util: 62% Core:1911MHz Mem:5005MHz Bus:16

Do not wonder about this 2 values:
wlancap2hcx:  found 2467 handshakes without ESSIDs
hashcat:         Recovered........: 25/252 (9.92%) Digests, 0/1 (0.00%) Salts

In this case wlancap2hcx doesn't test dupes, because hashcat makes it better.
If you like to test this new feature do the following steps:

1) Download example cap from wireshark examples (https://wiki.wireshark.org/SampleCaptures)
File: wpa-eap-tls.pcap.gz
https://wiki.wireshark.org/SampleCapture...ls.pcap.gz

2) gunzip the cap
$ gunzip wpa-eap-tls.pcap.gz

3) get the demo plainmasterkeys from (https://wiki.wireshark.org/SampleCaptures)
Wifi / Wireless LAN captures / 802.11
File: wpa-eap-tls.pcap.gz
Description: 802.11 capture with WPA-EAP. PSK's to decode:
a500........
7925........
23a9........
and copy them to your pmklist

4) use wlancap2hcx to convert the cap file:
$ wlancap2hcx -O test.hccapx wpa-eap-tls.pcap
start reading from wpa-eap-tls.pcap
86 packets processed (86 wlan, 0 lan, 0 loopback)
total 2 usefull wpa handshakes
found 2 handshakes without ESSIDs (use hashcat -m 2501)
found 2 WPA2 AES Cipher, HMAC-SHA1
found EAP-TLS Authentication
found WPA encrypted data packets

5) run hashcat:
$ hashcat -m 2501 --logfile-disable --potfile-path=hashcat.2501.pot --outfile-format=2 -o foundhashcat.2501 test.hccapx pmklist
hashcat (4.0.0-rc2) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2 PMK
Hash.Target......:  (AP:10:6f:3f:0e:33:3c STA:24:77:03:d2:5e:a8)
Time.Started.....: Mon Oct  2 16:38:18 2017 (0 secs)
Time.Estimated...: Mon Oct  2 16:38:18 2017 (0 secs)
Guess.Base.......: File (pw)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:        0 H/s (0.00ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 3/3 (100.00%)
Rejected.........: 0/3 (0.00%)
Restore.Point....: 0/3 (0.00%)
Candidates.#1....: a500.... -> 23a9....
HWMon.Dev.#1.....: Temp: 41c Fan: 29% Util:  4% Core:1835MHz Mem:5005MHz Bus:16
advanced wpa cracking: Entering the "royal class"

needed tools:
combinator3 (hashcat-utils)
wlancap2hcx (hcxtools)
wlangenpmk or wlangenpmkocl (hcxkeys)
hashcat (hashcat)

1) download demo caps from here:
https://github.com/magnumripper/JohnTheR...n.pcap.zip
https://github.com/magnumripper/JohnTheR...c.pcap.zip
and unzip them.

2) create 3 txt files:
file1, file2 and file3

and:
write this 4 essids to file1:
default
hello
home
networkname

and:
write this delimiter to file2:
:

and:
write this 4 demo passwords to file3:
password
12345678
mypassword
test1234

3) use combinator3 to create the psklist
combinator3 file1 file2 file3 > psklist

4) use wlangenpmkocl or wlangenpmk to create the pmklist
$ wlangenpmk -I psklist -a pmklist
16 plainmasterkeys generated, 0 password(s) skipped

5) use wlancap2hcx to convert the pcaps
$ wlancap2hcx -O test.hccapx *.pcap
start reading from normal-wpa-traffic.pcap
5 packets processed (0 wlan, 5 lan, 0 loopback)
total 2 usefull wpa handshakes
found 2 handshakes without ESSIDs (use hashcat -m 2501)
found 2 WPA2 AES Cipher, HMAC-SHA1
start reading from WPA-PSK-SHA256-session.pcap
28 packets processed (0 wlan, 28 lan, 0 loopback)
total 12 usefull wpa handshakes
found 12 handshakes without ESSIDs (use hashcat -m 2501)
found 12 WPA2 AES Cipher, AES-128-CMAC

6) use hashcat to crack them
$ hashcat -m 2501 --logfile-disable --potfile-path=hashcat.2501.pot --outfile-format=2 -o foundhashcat.2501 test.hccapx pmklist
hashcat (4.0.0-rc2) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2 PMK
Hash.Target......: test.hccapx
Time.Started.....: Tue Oct 3 15:34:39 2017 (0 secs)
Time.Estimated...: Tue Oct 3 15:34:39 2017 (0 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 0 H/s (0.00ms)
Recovered........: 11/11 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 16/16 (100.00%)
Rejected.........: 0/16 (0.00%)
Restore.Point....: 0/16 (0.00%)
Candidates.#1....: b9d4.... -> 83c0....

Don't wonder about the different values (wlancap2hcx = 2+12 handshakes, hashcat only 11 handshakes).
wlancap2hcx doesn't make a dupe check on hashcat -m 2501 mode.