hashcat Forum
After converting a dumpfile.pcapng to .22000 no record


After converting a dumpfile.pcapng to .22000 no record - giogua6304 - 07-23-2024

First of all, I want to thank all of the hashcat team for the support of this fantastic set of tools.
In particular I want to thank ZerBea for the unlimited patience in supporting people like me, who maybe have to study more before asking.
But after studying what the 4-way handshake and the RSN IE are, and after reading many of the documents on the forum that talk about this topic, I was not able to understand, which is why I am asking the experts.

After
sudo hcxdumptool -i wlxd03745123ff7 -o dumpfile.pcapng --active_beacon --enable_status=15
which captured about 78k of data,
hcxpcapngtool -o hash.hc22000 -E essidlist dumpfile.pcapng
records the essidlist file, but not a single record is registered in hash.hc22000.
But reading the file in Wireshark I can see many EAPOL packets with RSN IE and PMKID fields.
What do I need to investigate further?

[Attachment: wireshark.png]
Thank you once again
Giovanni

PS: Is it possible to send a little donation to support your strong effort?


RE: After converting a dumpfile.pcapng to .22000 no record - ZerBea - 07-23-2024

Can you please add the dump file (zip compressed)?

The screenshot doesn't show an EAPOL M2 from a CLIENT. Only M1 and M3 from the AP are recorded.
Due to the missing M2 a valid MESSAGE PAIR can't be converted.

I see the PMKID, too, but your screenshot doesn't provide information about the AUTHENTICATION KEY MANAGEMENT (AKM).
hashcat is only able to recover the PSK from a PMKID using AKM PSK (WPA2) or AKM PSK256 (WPA2 key version 3).

RSN Information from BEACON or ASSOCIATIONREQUEST or REASSOCIATIONREQUEST:
Code:
Tag: RSN Information
    Tag Number: RSN Information (48)
    Tag length: 20
    RSN Version: 1
    Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
    Pairwise Cipher Suite Count: 1
    Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
    Auth Key Management (AKM) Suite Count: 1
    Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
    RSN Capabilities: 0x0000

Hashcat is not able to recover e.g. AKM FT-PSK. These PMKIDs will not be converted:
Code:
Tag: RSN Information
    Tag Number: RSN Information (48)
    Tag length: 24
    RSN Version: 1
    Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
    Pairwise Cipher Suite Count: 1
    Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
    Auth Key Management (AKM) Suite Count: 2
    Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK 00:0f:ac (Ieee 802.11) FT using PSK
    RSN Capabilities: 0x0000

To figure out what went wrong, please add the dump file (zip compressed).
Please also comment the complete status output of hcxpcapngtool. It shows what kind of AKMs are in use.

These frames are mandatory to convert a PMKID:
Code:
ASSOCIATIONREQUEST, REASSOCIATIONREQUEST or BEACON (to get the ESSID & the AKM)
EAPOL MESSAGE M1 to get the PMKID (AKM must be supported by hashcat)
or
Code:
ASSOCIATIONREQUEST, REASSOCIATIONREQUEST or BEACON (to get the ESSID & the AKM)
EAPOL MESSAGE M1 & M2 or M2 & M3 or M1 & not zeroed M4 to get a MESSAGE PAIR  (AKM must be supported by hashcat)

If these conditions are not met, hcxpcapngtool doesn't convert the dump file to a hc22000 file.


RE: After converting a dumpfile.pcapng to .22000 no record - giogua6304 - 07-23-2024

Hello and thank you,
Attached the zipped file


RE: After converting a dumpfile.pcapng to .22000 no record - ZerBea - 07-23-2024

Thanks.

The NETWORKS inside the dump file are running WPA3 (SAE (SHA256)):
Code:
Tag: RSN Information
    Tag Number: RSN Information (48)
    Tag length: 24
    RSN Version: 1
    Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
    Pairwise Cipher Suite Count: 1
    Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
    Auth Key Management (AKM) Suite Count: 2
    Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK 00:0f:ac (Ieee 802.11) SAE (SHA256)
    RSN Capabilities: 0x0080

Packets 49 to 52 show a 4 way handshake - but it is a WPA3 handshake!
Please take a look at the RSN-IE of packet 50:
Code:
Tag: RSN Information
    Tag Number: RSN Information (48)
    Tag length: 38
    RSN Version: 1
    Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
    Pairwise Cipher Suite Count: 1
    Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
    Auth Key Management (AKM) Suite Count: 1
    Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) SAE (SHA256)
    RSN Capabilities: 0x00cc
    PMKID Count: 1
    PMKID List

The same applies to packets 55 to 59. The RSN-IE of packet 56 shows WPA3.
hcxpcapngtool does not convert them, because hashcat has no hash mode to recover a WPA3 PSK.

But hcxpcapngtool showed this information:
Code:
$ hcxpcapngtool -o test.22000 *.pcapng
hcxpcapngtool 6.3.4-33-g62901cb reading from dumpfile.pcapng...

summary capture file
--------------------
...
REASSOCIATIONREQUEST (SAE SHA256)........: 2
EAPOL M1 messages (KDV:0 AKM defined)....: 6 (PMK not recoverable)
EAPOL M2 messages (KDV:0 AKM defined)....: 2 (PMK not recoverable)
EAPOL M3 messages (KDV:0 AKM defined)....: 3 (PMK not recoverable)
EAPOL M4 messages (KDV:0 AKM defined)....: 2 (PMK not recoverable)
RSN PMKID (KDV:0 AKM defined)............: 6 (PMK not recoverable)
...
Information: no hashes written to hash files

session summary
---------------
processed pcapng files................: 1
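
Added example, not part of the thread and not code from hcxtools: a minimal Python parser for the RSN element (tag 48) that lists the advertised AKM suites and flags those outside the two the thread names as recoverable (PSK and PSK256). The four sample elements are constructed to match the fields and tag lengths quoted above (20, 24, 24, 38); the PMKID bytes are a zero placeholder, and the parser assumes the element runs at least through RSN Capabilities.

```python
import struct

OUI_IEEE = bytes.fromhex("000fac")
# AKM suite types under OUI 00:0f:ac (IEEE 802.11 suite selectors)
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
# Per the thread: hashcat only recovers AKM PSK and AKM PSK256
SUPPORTED = {"PSK", "PSK-SHA256"}

def parse_rsn_ie(ie: bytes) -> dict:
    """Parse one RSN element (tag, length, body); return AKMs and PMKIDs."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def suites():
        (count,) = struct.unpack("<H", take(2))
        return [take(4) for _ in range(count)]

    (version,) = struct.unpack("<H", take(2))
    take(4)    # group cipher suite (not needed here)
    suites()   # pairwise cipher suites (not needed here)
    akms = [AKM_NAMES.get(s[3], f"type-{s[3]}") if s[:3] == OUI_IEEE else s.hex()
            for s in suites()]
    take(2)    # RSN capabilities
    pmkids = []
    if pos < len(body):  # optional PMKID count + list (16 bytes each)
        (count,) = struct.unpack("<H", take(2))
        pmkids = [take(16).hex() for _ in range(count)]
    return {"version": version, "akms": akms, "pmkids": pmkids,
            "unsupported": [a for a in akms if a not in SUPPORTED]}

# Constructed samples mirroring the four Wireshark dissections in the thread
WPA2_PSK   = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
PSK_FT     = bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac04 0000")
TRANSITION = bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")
SAE_PMKID  = bytes.fromhex("3026 0100 000fac04 0100 000fac04 0100 000fac08 cc00 0100" + "00" * 16)

if __name__ == "__main__":
    for name in ("WPA2_PSK", "PSK_FT", "TRANSITION", "SAE_PMKID"):
        print(name, parse_rsn_ie(globals()[name]))
```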



RE: After converting a dumpfile.pcapng to .22000 no record - giogua6304 - 07-23-2024

Only one last question.
If the Hot Spots are configured in "WPA2/WPA3 Transition Mode" or "Mixed Mode", supporting all the devices in WPA2, what would happen?
Thank you very much, I will pay more attention next time.


RE: After converting a dumpfile.pcapng to .22000 no record - ZerBea - 07-23-2024

You're welcome.

Thank you for your offer. But there is no need to do this.
I'm coding these tools to keep my brain trained - that's donation enough for me.

BTW:
The entire 802.11 stuff is really hard core stuff (don't worry).
I have worked in this profession for a very long time - and I'm still learning.