Parsing multiple wpa handshake from a merged cap file.

hashcat Forum (https://hashcat.net/forum), Forum: General Help (https://hashcat.net/forum/forum-8.html), Thread: /thread-3963.html

Parsing multiple wpa handshake from a merged cap file. - bsec - 01-08-2015

Hi all,

I have a cap file (the result of merging multiple cleaned WPA cap files using mergecap), but the original cap files that made up the final BIG cap file are deleted. So I'm trying to extract the cap files and convert them to hccap. I can do that with aircrack-ng & the -J command, but that would convert only 1 cap, based on the index I give, ex:

Quote:
$ aircrack-ng tt1.cap -J out2

And I've tried extracting cap files from the big file, using tshark:

Quote:
tshark -r tt1.cap wlan.bssid == XX:XX:XX:XX:XX:XX -w out.cap

and when trying to convert them to hccap using aircrack-ng:

Quote:
$ aircrack-ng extract.cap -J out3

Even though when opening the file with Wireshark I see it's -kind of- normal.

There's a solution (a stupid one), which is to make a script that opens aircrack-ng with tt1.cap and enters an index every time until the nth, but that means that aircrack-ng will need to read the file every time; it would need days to finish.

So what I need is to extract the cap files from tt1.cap (and then I can convert them with aircrack or cap2hccap) or to undo mergecap.

I've also tried to read the file by parsing it based on an offset range (I've read http://hashcat.net/wiki/doku.php?id=hccap), but failed because every cap in tt1.cap has some random bytes before the essid, and so I can't parse it by using the range 0x00-0x187 for every cap.

Thanks and sorry for my bad English.

RE: Parsing multiple wpa handshake from a merged cap file. - atom - 01-09-2015

Can aircrack read the extract.cap (the one output by tshark) without using the -J? If not, I'd say tshark destroyed it, at least for using it with aircrack.

RE: Parsing multiple wpa handshake from a merged cap file. - bsec - 01-09-2015

(01-09-2015, 11:52 AM) atom Wrote: Can aircrack read the extract.cap (the one output by tshark) without using the -J?

No it can't:

Quote:
$ tshark -r tt1.cap wlan.bssid == xx:xx:xx:xx:xx:xx -w extract.cap

But when I specify the -b option for aircrack it works:

Quote:
$ aircrack-ng -w ../../hash/wlist/rockyou_sorted.txt extract.cap

RE: Parsing multiple wpa handshake from a merged cap file. - atom - 01-09-2015

In that case don't use the combination of tshark + aircrack for converting. You can use cap2hccap; I think it has a builtin filter.

RE: Parsing multiple wpa handshake from a merged cap file. - bsec - 01-09-2015

(01-09-2015, 04:59 PM) atom Wrote: In that case don't use the combination of tshark + aircrack for convert. You can use cap2hccap I think it has an builtin filter.

That's it

Quote:
$ ./cap2hccap.bin -e 'xx' tt1.cap c2h.out

and c2h.out is valid when testing it with hashcat.

Many thanks atom.
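
Added example, not part of the original thread and not code from hashcat, aircrack-ng or cap2hccap: a single-pass way to undo a mergecap by regrouping the records of a merged capture per BSSID, so the big file is read once instead of once per network. It assumes a classic pcap file (not pcapng) with link type 105 or 127; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

def frame_bssid(frame):
    """BSSID of an 802.11 management/data frame, or None if it has no single BSSID."""
    if len(frame) < 24 or (frame[0] >> 2) & 3 not in (0, 2):
        return None                      # too short, or a control/reserved frame
    ds = frame[1] & 3                    # bit 0 = ToDS, bit 1 = FromDS
    off = {0: 16, 1: 4, 2: 10}.get(ds)   # addr3, addr1, addr2; ds == 3 is WDS
    return frame[off:off + 6].hex(":") if off else None

def split_by_bssid(data):
    """One pass over a classic pcap byte string -> {bssid: pcap byte string}."""
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        e = "<"
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(e + "I", data[20:24])[0]
    if linktype not in (105, 127):       # 105 = raw 802.11, 127 = radiotap + 802.11
        raise ValueError("unsupported link type %d" % linktype)
    out = defaultdict(lambda: bytearray(data[:24]))   # each output keeps the global header
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(e + "I", data[pos + 8:pos + 12])[0]
        record = data[pos:pos + 16 + incl_len]
        if len(record) < 16 + incl_len:
            break                        # truncated last record
        pos += len(record)
        frame = record[16:]
        if linktype == 127 and len(frame) >= 4:
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]   # skip radiotap header
        bssid = frame_bssid(frame)
        if bssid:
            out[bssid] += record
    return {b: bytes(v) for b, v in out.items()}

def sample_capture():
    """Constructed input: two beacons and one FromDS data frame, link type 105."""
    a, b, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), bytes.fromhex("0200000000aa")
    frames = [b"\x80\x00\x00\x00" + b"\xff" * 6 + a + a + b"\x00\x00",        # beacon, AP a
              b"\x08\x02\x00\x00" + sta + a + a + b"\x00\x00" + b"\xaa" * 8,  # data, AP a -> sta
              b"\x80\x00\x00\x00" + b"\xff" * 6 + b + b + b"\x00\x00"]        # beacon, AP b
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    for f in frames:
        pcap += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return pcap
```

Each value returned by split_by_bssid is a complete pcap file that can be written to disk under its BSSID and then passed to a converter.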