Handshake file contains no valid handshakes when converting to modern version
#1
Hello everyone,

I'm trying to convert a .cap, which should contain a valid handshake, into a hashcat-compatible format for cracking it.
First of all I want to clarify that I'm testing my own iPhone hotspot.

Tshark seems to say that the file is valid and contains a valid handshake while cowpatty seems to say the contrary.

Code:
tshark -r handshake_iphone_XX-XX-XX-XX-XX-XX_2024-12-04T22-44-53.cap -n -Y eapol
12453  26.126857 XX:XX:XX:XX:XX:XX → XX:XX:XX:XX:XX:XX EAPOL 155 Key (Message 1 of 4)
12456  26.159267 XX:XX:XX:XX:XX:XX → XX:XX:XX:XX:XX:XX EAPOL 164 Key (Message 2 of 4)
12458  26.173381 XX:XX:XX:XX:XX:XX → XX:XX:XX:XX:XX:XX EAPOL 221 Key (Message 3 of 4)
17148  39.072576 XX:XX:XX:XX:XX:XX → XX:XX:XX:XX:XX:XX EAPOL 180 Key (Message 2 of 4)
17150  39.084851 XX:XX:XX:XX:XX:XX → XX:XX:XX:XX:XX:XX EAPOL 221 Key (Message 3 of 4)
17152  39.091372 XX:XX:XX:XX:XX:XX → XX:XX:XX:XX:XX:XX EAPOL 133 Key (Message 4 of 4)


tshark: The file "handshake_iphone_XX-XX-XX-XX-XX-XX_2024-12-04T22-44-53.cap" appears to have been cut short in the middle of a packet.

Code:
cowpatty -r handshake_iphone_XXXXX_....cap -s 'iphone di XXXXXX' -c
cowpatty 4.8 - WPA-PSK dictionary attack. <jwright@hasborg.com>

End of pcap capture file, incomplete four-way handshake exchange.  Try using a
different capture.

And in fact cowpatty seems to be right, since the hashcat conversion tool gives me an error when trying to convert:
https://hashcat.net/cap2hashcat/
Code:
Handshake extraction failed!

hcxpcapngtool 6.3.1 reading from 1368442_1733672727.cap...
failed to read packet 17227

summary capture file
--------------------
file name................................: 1368442_1733672727.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.12.2024 22:44:13
timestamp maximum (GMT)..................: 04.12.2024 22:44:53
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianness (capture system)..............: little endian
packets inside...........................: 17227
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 6
ACTION (total)...........................: 16
PROBERESPONSE (total)....................: 52
DEAUTHENTICATION (total).................: 512
AUTHENTICATION (total)...................: 8
AUTHENTICATION (OPEN SYSTEM).............: 2
AUTHENTICATION (SAE).....................: 6
ASSOCIATIONREQUEST (total)...............: 2
ASSOCIATIONREQUEST (SAE SHA256)..........: 2
WPA encrypted............................: 45
EAPOL messages (total)...................: 6
EAPOL RSN messages.......................: 6
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M1 messages (KDV:0 AKM defined)....: 1 (PMK not recoverable)
EAPOL M2 messages (total)................: 2
EAPOL M2 messages (KDV:0 AKM defined)....: 2 (PMK not recoverable)
EAPOL M3 messages (total)................: 2
EAPOL M3 messages (KDV:0 AKM defined)....: 2 (PMK not recoverable)
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (KDV:0 AKM defined)....: 1 (PMK not recoverable)
RSN PMKID (total)........................: 1
RSN PMKID (KDV:0 AKM defined)............: 1 (PMK not recoverable)
packet read error........................: 1

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: radiotap header is missing!
Radiotap is a de facto standard for 802.11 frame injection and
reception. The radiotap header format is a mechanism to supply
additional information about frames, rom the driver to userspace
applications.
https://www.radiotap.org/

Warning: too many deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER,
renew ANONCE and set PMKID to zero.
This could prevent to calculate a valid EAPOL MESSAGE PAIR
or to get a valid PMKID.

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.

Information: no hashes written to hash files


session summary
---------------
processed cap files...................: 1

I tried multiple times to capture the handshake on the same network, but it never worked once.
I performed the capture using Bettercap.
The strange thing is that with other networks the handshake seems to be captured fine and the conversion using https://hashcat.net/cap2hashcat/ works.

At this point I'd like to understand what causes this problem and how I can avoid it.
#2
Looks like the dump file contains a WPA3 (SAE) handshake.
Code:
ASSOCIATIONREQUEST (SAE SHA256)..........: 2

WPA3 is not supported by hashcat and there is no need for the converter to convert these EAPOL messages.

Get an example dump file from here: https://github.com/vanhoefm/wifi-example-captures
e.g.
wget https://github.com/vanhoefm/wifi-example...pa3.pcapng
Open it by running tshark and you'll see a 4-way handshake:
Code:
$ tshark -r wpa3.pcapng -n -Y eapol
   92 21:48:38,122663902 e2:20:ae:cb:03:04 → d2:c6:b4:ab:58:88 EAPOL 177 2412 Key (Message 1 of 4)
   94 21:48:38,126796696 d2:c6:b4:ab:58:88 → e2:20:ae:cb:03:04 EAPOL 183 2412 Key (Message 2 of 4)
   96 21:48:38,127115096 e2:20:ae:cb:03:04 → d2:c6:b4:ab:58:88 EAPOL 243 2412 Key (Message 3 of 4)
   98 21:48:38,127394652 d2:c6:b4:ab:58:88 → e2:20:ae:cb:03:04 EAPOL 155 2412 Key (Message 4 of 4)
but unfortunately this information is incomplete!

Open the dump file in Wireshark, take a look at the EAPOL M1 messages (or the ASSOCIATIONREQUEST) and you'll see that it is WPA3 (Key Descriptor Version: Unknown (0))
Code:
Key Information: 0x0088
    .... .... .... .000 = Key Descriptor Version: Unknown (0)
    .... .... .... 1... = Key Type: Pairwise Key
    .... .... ..00 .... = Key Index: 0
    .... .... .0.. .... = Install: Not set
    .... .... 1... .... = Key ACK: Set
    .... ...0 .... .... = Key MIC: Not set
    .... ..0. .... .... = Secure: Not set
    .... .0.. .... .... = Error: Not set
    .... 0... .... .... = Request: Not set
    ...0 .... .... .... = Encrypted Key Data: Not set
    ..0. .... .... .... = SMK Message: Not set

compared to WPA2:
Code:
Key Information: 0x008a
    .... .... .... .010 = Key Descriptor Version: AES Cipher, HMAC-SHA1 MIC (2)
    .... .... .... 1... = Key Type: Pairwise Key
    .... .... ..00 .... = Key Index: 0
    .... .... .0.. .... = Install: Not set
    .... .... 1... .... = Key ACK: Set
    .... ...0 .... .... = Key MIC: Not set
    .... ..0. .... .... = Secure: Not set
    .... .0.. .... .... = Error: Not set
    .... 0... .... .... = Request: Not set
    ...0 .... .... .... = Encrypted Key Data: Not set
    ..0. .... .... .... = SMK Message: Not set

or WPA1:
Code:
Key Information: 0x0089
    .... .... .... .001 = Key Descriptor Version: RC4 Cipher, HMAC-MD5 MIC (1)
    .... .... .... 1... = Key Type: Pairwise Key
    .... .... ..00 .... = Key Index: 0
    .... .... .0.. .... = Install: Not set
    .... .... 1... .... = Key ACK: Set
    .... ...0 .... .... = Key MIC: Not set
    .... ..0. .... .... = Secure: Not set
    .... .0.. .... .... = Error: Not set
    .... 0... .... .... = Request: Not set
    ...0 .... .... .... = Encrypted Key Data: Not set
    ..0. .... .... .... = SMK Message: Not set

or WPA2 key version 3:
Code:
Key Information: 0x008b
    .... .... .... .011 = Key Descriptor Version: AES Cipher, AES-128-CMAC MIC (3)
    .... .... .... 1... = Key Type: Pairwise Key
    .... .... ..00 .... = Key Index: 0
    .... .... .0.. .... = Install: Not set
    .... .... 1... .... = Key ACK: Set
    .... ...0 .... .... = Key MIC: Not set
    .... ..0. .... .... = Secure: Not set
    .... .0.. .... .... = Error: Not set
    .... 0... .... .... = Request: Not set
    ...0 .... .... .... = Encrypted Key Data: Not set
    ..0. .... .... .... = SMK Message: Not set

"At this point I'd like to understand by what this problem is caused and how can I avoid it."

The problem: The NETWORK is WPA3 secured (hcxpcapngtool told you that).
A solution: To get an EAPOL M2 message (WPA2) try to downgrade the CLIENT to WPA2 (AP-LESS attack by hcxlabtool/hcxdumptool).

BTW:
Usually WPA3 management frames are protected (Management Frame Protection):
Code:
RSN Capabilities: 0x00cc
    .... .... .... ...0 = RSN Pre-Auth capabilities: Transmitter does not support pre-authentication
    .... .... .... ..0. = RSN No Pairwise capabilities: Transmitter can support WEP default key 0 simultaneously with Pairwise key
    .... .... .... 11.. = RSN PTKSA Replay Counter capabilities: 16 replay counters per PTKSA/GTKSA/STAKeySA (0x3)
    .... .... ..00 .... = RSN GTKSA Replay Counter capabilities: 1 replay counter per PTKSA/GTKSA/STAKeySA (0x0)
    .... .... .1.. .... = Management Frame Protection Required: True
    .... .... 1... .... = Management Frame Protection Capable: True
    .... ...0 .... .... = Joint Multi-band RSNA: False
    .... ..0. .... .... = PeerKey Enabled: False
    ..0. .... .... .... = Extended Key ID for Individually Addressed Frames: Not supported
    .0.. .... .... .... = OCVC: False

Another indicator is the RSN-IE of the EAPOL M2 message:
Code:
Tag: RSN Information
    Tag Number: RSN Information (48)
    Tag length: 26
    RSN Version: 1
    Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
    Pairwise Cipher Suite Count: 1
    Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
    Auth Key Management (AKM) Suite Count: 1
    Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) SAE (SHA256)
    RSN Capabilities: 0x00c0
    PMKID Count: 0
    PMKID List
    Group Management Cipher Suite: 00:0f:ac (Ieee 802.11) BIP (128)

or the RSN-IE of the ASSOCIATIONREQUEST:
Code:
Tag: RSN Information
    Tag Number: RSN Information (48)
    Tag length: 26
    RSN Version: 1
    Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
    Pairwise Cipher Suite Count: 1
    Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
    Auth Key Management (AKM) Suite Count: 1
    Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) SAE (SHA256)
    RSN Capabilities: 0x00c0
        .... .... .... ...0 = RSN Pre-Auth capabilities: Transmitter does not support pre-authentication
        .... .... .... ..0. = RSN No Pairwise capabilities: Transmitter can support WEP default key 0 simultaneously with Pairwise key
        .... .... .... 00.. = RSN PTKSA Replay Counter capabilities: 1 replay counter per PTKSA/GTKSA/STAKeySA (0x0)
        .... .... ..00 .... = RSN GTKSA Replay Counter capabilities: 1 replay counter per PTKSA/GTKSA/STAKeySA (0x0)
        .... .... .1.. .... = Management Frame Protection Required: True
        .... .... 1... .... = Management Frame Protection Capable: True
        .... ...0 .... .... = Joint Multi-band RSNA: False
        .... ..0. .... .... = PeerKey Enabled: False
        ..0. .... .... .... = Extended Key ID for Individually Addressed Frames: Not supported
        .0.. .... .... .... = OCVC: False
    PMKID Count: 0
    PMKID List
    Group Management Cipher Suite: 00:0f:ac (Ieee 802.11) BIP (128)

or the RSN-IE of the BEACON/PROBERESPONSE:
Code:
Tag: RSN Information
    Tag Number: RSN Information (48)
    Tag length: 20
    RSN Version: 1
    Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
    Pairwise Cipher Suite Count: 1
    Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
    Auth Key Management (AKM) Suite Count: 1
    Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) SAE (SHA256)
    RSN Capabilities: 0x00cc
        .... .... .... ...0 = RSN Pre-Auth capabilities: Transmitter does not support pre-authentication
        .... .... .... ..0. = RSN No Pairwise capabilities: Transmitter can support WEP default key 0 simultaneously with Pairwise key
        .... .... .... 11.. = RSN PTKSA Replay Counter capabilities: 16 replay counters per PTKSA/GTKSA/STAKeySA (0x3)
        .... .... ..00 .... = RSN GTKSA Replay Counter capabilities: 1 replay counter per PTKSA/GTKSA/STAKeySA (0x0)
        .... .... .1.. .... = Management Frame Protection Required: True
        .... .... 1... .... = Management Frame Protection Capable: True
        .... ...0 .... .... = Joint Multi-band RSNA: False
        .... ..0. .... .... = PeerKey Enabled: False
        ..0. .... .... .... = Extended Key ID for Individually Addressed Frames: Not supported
        .0.. .... .... .... = OCVC: False

as well as the entire AUTHENTICATION (4 frames to exchange the keys)
Code:
Authentication Algorithm: Simultaneous Authentication of Equals (SAE) (3)
followed by


BTW:
Injecting stupid DEAUTHENTICATION frames is completely useless, because they are ignored!


If you try to convert the example dump file mentioned above, you'll end up here:
Code:
$ hcxpcapngtool wpa3.pcapng
hcxpcapngtool 6.3.5-3-g9f659b0 reading from wpa3.pcapng...

summary capture file
--------------------
file name................................: wpa3.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.2.0-kali2-amd64
application..............................: Dumpcap (Wireshark) 3.0.3 (Git v3.0.3 packaged as 3.0.3-1)
interface name...........................: hwsim0
interface vendor.........................: 000000
openSSL version..........................: 1.0
weak candidate...........................: N/A
MAC ACCESS POINT.........................: 000000000000 (incremented on every new client)
MAC CLIENT...............................: 000000000000
REPLAYCOUNT..............................: 0
ANONCE...................................: 0000000000000000000000000000000000000000000000000000000000000000
SNONCE...................................: 0000000000000000000000000000000000000000000000000000000000000000
timestamp minimum (timestamp)............: 17.10.2019 21:48:31 (1571348911)
timestamp maximum (timestamp)............: 17.10.2019 21:48:44 (1571348924)
duration of the dump tool (seconds)......: 13
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 167
packets received on 2.4 GHz..............: 167
ESSID (total unique).....................: 1
BEACON (total)...........................: 132
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
PROBEREQUEST (undirected)................: 11
PROBERESPONSE (total)....................: 1
DEAUTHENTICATION (total).................: 1
AUTHENTICATION (total)...................: 4
AUTHENTICATION (SAE).....................: 4
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (SAE SHA256)..........: 1
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M1 messages (KDV:0 AKM defined)....: 1 (PMK not recoverable)
EAPOL M2 messages (total)................: 1
EAPOL M2 messages (KDV:0 AKM defined)....: 1 (PMK not recoverable)
EAPOL M3 messages (total)................: 1
EAPOL M3 messages (KDV:0 AKM defined)....: 1 (PMK not recoverable)
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (KDV:0 AKM defined)....: 1 (PMK not recoverable)
RSN PMKID (total)........................: 1
RSN PMKID (KDV:0 AKM defined)............: 1 (PMK not recoverable)

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2412: 157     2417: 1     2422: 1     2427: 1    
2432: 1     2437: 1     2442: 1     2447: 1    
2452: 1     2457: 1     2462: 1    

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
https://hashcat.net/forum/thread-6361.html
Duration of the dump tool was a way too short to capture enough additional information.

Information: no hashes written to hash files


session summary
---------------
processed pcapng files................: 1
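To make the Key Information and RSN-IE dissections quoted in this reply mechanically checkable, here is an added Python example (not code from the thread, from hcxpcapngtool or from Wireshark). It parses the body of an RSN IE, decodes the 16-bit EAPOL-Key "Key Information" field into the same named bits Wireshark prints, and then combines AKM and Key Descriptor Version the way the hcxpcapngtool summary does: KDV 0 together with an SAE AKM means the PMK came from the SAE exchange rather than PBKDF2 over a passphrase. The RSN IE bytes are constructed to match the length-26 and length-20 dissections above; the WPA2-PSK comparison IE, the suite-name tables and all function names are my own assumptions.

```python
"""Parse an 802.11 RSN information element (tag 48) and decode the EAPOL-Key
"Key Information" field, then classify the network the way the reply above
does: KDV 0 plus an SAE AKM means WPA3, where the PMK is not PBKDF2-derived.
Sample bytes are constructed to match the Wireshark dissections quoted above."""
import struct

OUI_IEEE = "00:0f:ac"
CIPHER_NAMES = {2: "TKIP", 4: "AES (CCM)", 6: "BIP (128)", 8: "GCMP-128", 9: "GCMP-256"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X (SHA256)", 6: "PSK (SHA256)",
             8: "SAE (SHA256)", 9: "FT-SAE", 18: "OWE"}
PASSPHRASE_AKMS = {2, 6}  # PMK = PBKDF2(passphrase, ESSID): the only offline-crackable case
KDV_NAMES = {0: "Unknown (0)", 1: "RC4 Cipher, HMAC-MD5 MIC (1)",
             2: "AES Cipher, HMAC-SHA1 MIC (2)", 3: "AES Cipher, AES-128-CMAC MIC (3)"}
REPLAY_COUNTERS = {0: 1, 1: 2, 2: 4, 3: 16}  # encoding of the PTKSA replay counter bits


def _suite(buf, off, names):
    """Read one 4-byte suite selector (3-byte OUI followed by a 1-byte type)."""
    oui = ":".join(f"{b:02x}" for b in buf[off:off + 3])
    typ = buf[off + 3]
    name = names.get(typ, f"type {typ}") if oui == OUI_IEEE else f"vendor {oui} type {typ}"
    return {"oui": oui, "type": typ, "name": name}


def parse_rsn_ie(body):
    """Parse an RSN IE body (the bytes after tag number 48 and the length byte).
    Capabilities, PMKID list and group management cipher are optional trailers."""
    rsn = {"version": struct.unpack_from("<H", body, 0)[0]}
    off = 2
    rsn["group_cipher"] = _suite(body, off, CIPHER_NAMES); off += 4
    n = struct.unpack_from("<H", body, off)[0]; off += 2
    rsn["pairwise"] = [_suite(body, off + 4 * i, CIPHER_NAMES) for i in range(n)]; off += 4 * n
    n = struct.unpack_from("<H", body, off)[0]; off += 2
    rsn["akm"] = [_suite(body, off + 4 * i, AKM_NAMES) for i in range(n)]; off += 4 * n
    rsn["capabilities"] = rsn["pmkids"] = rsn["group_mgmt_cipher"] = None
    if off + 2 <= len(body):
        caps = struct.unpack_from("<H", body, off)[0]; off += 2
        rsn["capabilities"] = {"raw": caps,
                               "ptksa_replay_counters": REPLAY_COUNTERS[(caps >> 2) & 3],
                               "mfp_required": bool(caps & 0x40),   # bit 6
                               "mfp_capable": bool(caps & 0x80)}    # bit 7
    if off + 2 <= len(body):
        n = struct.unpack_from("<H", body, off)[0]; off += 2
        rsn["pmkids"] = [body[off + 16 * i:off + 16 * i + 16].hex() for i in range(n)]; off += 16 * n
    if off + 4 <= len(body):
        rsn["group_mgmt_cipher"] = _suite(body, off, CIPHER_NAMES)
    return rsn


def decode_key_info(value):
    """Split the 16-bit EAPOL-Key "Key Information" field into Wireshark's named bits."""
    return {"key_descriptor_version": value & 0x7, "key_type_pairwise": bool(value & 0x0008),
            "key_index": (value >> 4) & 0x3, "install": bool(value & 0x0040),
            "key_ack": bool(value & 0x0080), "key_mic": bool(value & 0x0100),
            "secure": bool(value & 0x0200), "error": bool(value & 0x0400),
            "request": bool(value & 0x0800), "encrypted_key_data": bool(value & 0x1000),
            "smk_message": bool(value & 0x2000)}


def classify(rsn, key_info_value):
    """Combine AKM and Key Descriptor Version: KDV 0 with an SAE AKM is WPA3, and its
    PMK is negotiated by SAE, so an EAPOL pair from it is not passphrase-crackable."""
    kdv = decode_key_info(key_info_value)["key_descriptor_version"]
    akm_types = {s["type"] for s in rsn["akm"] if s["oui"] == OUI_IEEE}
    if kdv == 0:
        label = "WPA3 (SAE)" if akm_types & {8, 9} else "KDV 0, AKM-defined"
    else:
        label = {1: "WPA1", 2: "WPA2", 3: "WPA2 key version 3"}[kdv]
    caps = rsn["capabilities"]
    return {"label": label, "kdv": KDV_NAMES[kdv],
            "pmk_passphrase_derived": bool(akm_types & PASSPHRASE_AKMS),
            "mfp_required": bool(caps and caps["mfp_required"])}


# Constructed RSN IE bodies matching the thread's dissections: EAPOL M2 / association
# request (length 26, caps 0x00c0) and beacon / probe response (length 20, caps 0x00cc).
# Suite type 4 = AES (CCM), 6 = BIP (128), AKM type 8 = SAE (SHA256).
RSN_IE_WPA3_ASSOC = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac08"
                                  "c000" "0000" "000fac06")
RSN_IE_WPA3_BEACON = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "cc00")
# Constructed WPA2-PSK beacon RSN IE for comparison (AKM type 2 = PSK, no MFP bits).
RSN_IE_WPA2_BEACON = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")

if __name__ == "__main__":
    # Key Information 0x0088 and 0x008a are the M1 values quoted in the reply above.
    for name, ie, key_info in (("WPA3 hotspot", RSN_IE_WPA3_BEACON, 0x0088),
                               ("WPA2 network", RSN_IE_WPA2_BEACON, 0x008a)):
        print(name, classify(parse_rsn_ie(ie), key_info))
```

Run against the thread's own values, the WPA3 beacon IE decodes to an SAE AKM with MFP required and 16 PTKSA replay counters, and the M1 Key Information 0x0088 gives KDV 0, which is the combination hcxpcapngtool reports as "KDV:0 AKM defined (PMK not recoverable)".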
#3
Hi,

Thank you very much for your detailed response. I suspected that the iPhone was using WPA3, but I was misled by the fact that Bettercap showed it as "WPA2". Also, I don't have any knowledge of the new tools (hcxpcapngtool and so on), so I was not able to understand the output. The only part that I don't fully understand from your message is when you say:

(12-08-2024, 08:41 PM)ZerBea Wrote: A solution: To get an EAPOL M2 message (WPA2) try to downgrade the CLIENT to WPA2 (AP-LESS attack by hcxlabtool/hcxdumptool).

So with this, you're saying that even if an AP is using WPA3 there is a way to let a client try to use WPA2, capturing the corresponding handshakes as if the AP is using WPA2 normally?

Also I know nothing about the WPA3 protocol, but how is it possible that there are no handshakes using it? I mean, client and AP should exchange information in order to reach authentication somehow.
#4
"Also I know nothing about the WPA3 protocol, but how is it possible that there are no handshakes using it? I mean, client and AP should exchange information in order to reach authentication somehow."

Please take a look at this flowchart:
https://www.researchgate.net/figure/WPA3..._344529445

The purpose of the AUTHENTICATION frames is to exchange a PMK (it is not done via PBKDF2 as in WPA1, WPA2, WPA2kv3).
This PMK is used in the following 4-way handshake to get access to the NETWORK.

Wireshark (wpa3.pcapng) will show you all frames which are mandatory for a successful ASSOCIATION:
Code:
AUTHENTICATION packet 80 (SAE COMMIT)
AUTHENTICATION packet 82 (SAE COMMIT)
AUTHENTICATION packet 84 (SAE CONFIRM)
AUTHENTICATION packet 86 (SAE CONFIRM)
ASSOCIATIONREQUEST packet 88
ASSOCIATIONRESPONSE packet 90
EAPOL M1 packet 92
EAPOL M2 packet 94
EAPOL M3 packet 96
EAPOL M4 packet 98

"So with this, you're saying that even if an AP is using WPA3 there is a way to let a client try to use WPA2, capturing the corresponding handshakes as if the AP is using WPA2 normally?"
Yes and no!

In detail:
"So with this, you're saying that even if an AP is using WPA3 there is a way to let a client try to use WPA2,"
Yes. https://typeset.io/questions/downgrade-a...2yxv64p2g6

"capturing the corresponding handshakes as if the AP is using WPA2 normally?"
No. It is mandatory to attack the CLIENT and not the AP!

Set up an AP that is announcing WPA2 encryption. Use the same ESSID as the target WPA3 AP.
If the CLIENT connects to this ROGUE AP, capture its EAPOL M2.
Together with the EAPOL M1 from your ROGUE AP, you can calculate a valid EAPOL MESSAGEPAIR hashcat can work on. This requires an interactive attack.
Running such a successful(!) attack is not witchcraft.
https://wpa-sec.stanev.org/?search=8ce748cdd663
But it can't be done by passive dump tools!

More (basic) information is here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
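As an added example (not from the thread, from hcxpcapngtool or from Wireshark), the ten-frame list in this reply can be turned into a completeness check over a capture's frame sequence: the code below derives M1..M4 from the EAPOL-Key flags (ACK, MIC, Install, Secure, as IEEE 802.11i RSN sets them; pre-standard WPA1 captures set Secure differently and are not handled) and reports which phase of SAE authentication, association and the 4-way handshake is missing. This is the same kind of check that makes hcxpcapngtool print "incomplete" or "missing frames" warnings. The frame records, their field names and the M2..M4 Key Information values are constructed to mirror packets 80-98 of wpa3.pcapng and are my own assumptions.

```python
"""Check whether a capture's frame sequence contains the full WPA3 session listed in
the reply above: SAE COMMIT/CONFIRM in both directions (authentication algorithm 3),
association request/response, then EAPOL-Key M1..M4. EAPOL message numbers are
derived from the Key Information flags, the same bits Wireshark prints."""

SAE_ALG = 3                       # Authentication Algorithm: SAE (3)
SAE_COMMIT, SAE_CONFIRM = 1, 2    # transaction sequence numbers of the two SAE auth frames
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200

REQUIRED_PHASES = ["sae_commit_sta->ap", "sae_commit_ap->sta",
                   "sae_confirm_sta->ap", "sae_confirm_ap->sta",
                   "assoc_req", "assoc_resp",
                   "eapol_m1", "eapol_m2", "eapol_m3", "eapol_m4"]


def eapol_message_number(key_info):
    """Classify an EAPOL-Key frame as M1..M4 from its Key Information flags (802.11i RSN).
    Returns None for flag combinations that are not one of the four handshake messages."""
    ack, mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    install, secure = bool(key_info & KI_INSTALL), bool(key_info & KI_SECURE)
    if ack and not mic:
        return 1            # AP -> STA: ANONCE, no MIC yet
    if mic and not ack and not secure:
        return 2            # STA -> AP: SNONCE + MIC
    if ack and mic and install:
        return 3            # AP -> STA: install PTK, GTK in encrypted key data
    if mic and not ack and secure:
        return 4            # STA -> AP: confirmation
    return None


def check_wpa3_session(frames):
    """Return the first packet number seen for each phase, the missing phases in the
    order the reply lists them, and a 'complete' flag.
    Each frame is a dict: no, kind ('auth' | 'assoc_req' | 'assoc_resp' | 'eapol'),
    dir ('sta->ap' | 'ap->sta'); 'auth' frames carry alg/seq, 'eapol' frames key_info."""
    found = {}
    for f in frames:
        if f["kind"] == "auth" and f.get("alg") == SAE_ALG:
            stage = {SAE_COMMIT: "sae_commit", SAE_CONFIRM: "sae_confirm"}.get(f.get("seq"))
            if stage:
                found.setdefault(f"{stage}_{f['dir']}", f["no"])
        elif f["kind"] in ("assoc_req", "assoc_resp"):
            found.setdefault(f["kind"], f["no"])
        elif f["kind"] == "eapol":
            m = eapol_message_number(f["key_info"])
            if m:
                found.setdefault(f"eapol_m{m}", f["no"])
    missing = [p for p in REQUIRED_PHASES if p not in found]
    return {"found": found, "missing": missing, "complete": not missing}


# Constructed frame records mirroring packets 80-98 of wpa3.pcapng. 0x0088 is the M1
# Key Information quoted in the thread; the M2..M4 values are typical KDV 0 values.
STA, AP = "sta->ap", "ap->sta"
WPA3_SESSION = [
    {"no": 80, "kind": "auth", "dir": STA, "alg": 3, "seq": 1},   # SAE COMMIT
    {"no": 82, "kind": "auth", "dir": AP, "alg": 3, "seq": 1},    # SAE COMMIT
    {"no": 84, "kind": "auth", "dir": STA, "alg": 3, "seq": 2},   # SAE CONFIRM
    {"no": 86, "kind": "auth", "dir": AP, "alg": 3, "seq": 2},    # SAE CONFIRM
    {"no": 88, "kind": "assoc_req", "dir": STA},
    {"no": 90, "kind": "assoc_resp", "dir": AP},
    {"no": 92, "kind": "eapol", "dir": AP, "key_info": 0x0088},   # M1
    {"no": 94, "kind": "eapol", "dir": STA, "key_info": 0x0108},  # M2
    {"no": 96, "kind": "eapol", "dir": AP, "key_info": 0x13c8},   # M3
    {"no": 98, "kind": "eapol", "dir": STA, "key_info": 0x0308},  # M4
]
# Constructed variant of the same session with the SAE CONFIRM frames filtered out.
WPA3_SESSION_NO_CONFIRM = WPA3_SESSION[:2] + WPA3_SESSION[4:]

if __name__ == "__main__":
    print(check_wpa3_session(WPA3_SESSION))
    print(check_wpa3_session(WPA3_SESSION_NO_CONFIRM)["missing"])
```

The check only reports structure; it says nothing about whether the PMK is recoverable. For an SAE session the answer is always no, because the 4-way handshake keys derive from the SAE-negotiated PMK and not from a passphrase, which is exactly why a complete capture like wpa3.pcapng still produces no hash lines.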
#5
Thank you for your clear and concise support, everything is well explained now!