wireshark cap clean up does not make sense - hashcat Forum (https://hashcat.net/forum), Forum: Support > hashcat, Thread: /thread-7311.html
wireshark cap clean up does not make sense - BusiFix - 02-20-2018

Hi, I have a router that has been decommissioned from a local company. The SSID is SMC-1 and the WPA password is motorhomes. I used hashcat and rockyou.txt to crack it and all is good.

I then wanted to break down the cap file using wireshark to get the 5 packets (1 + 4 messages), but I find something odd that is not documented anywhere else.

Attached is a zip file with 3 files in it:
- The first is the original cap file. (smc1-07.cap)
- The second is the 5 packets I thought I needed for hashcat to crack; it does not! (smc1-07-5packets.cap)
- The third is a cap file with messages 1, 1 and 4, which hashcat will crack - makes no sense. (smc1-07-4packets.cap)

I have included a wordlist and the hccapx files for completeness.

To find my packets I used the wireshark filter: eapol or wlan.fc.type_subtype==0x08

Each file has been put through the converter on the hashcat.net site before submitting to hashcat (running on Windows 7).

Please can someone explain why the 3rd cap file works but the 2nd does not.

Thank you
BusiFix

RE: wireshark cap clean up does not make sense - BusiFix - 02-20-2018

Update: I have now got it down to:
Beacon Frame
Message 1 of 4
Message 2 of 4

When converted to hccapx this will be cracked. Why does this work?

Thanks in advance
BusiFix

RE: wireshark cap clean up does not make sense - BusiFix - 02-20-2018

Sorry, file did not attach. It is here: http://dropcanvas.com/lfd6o

RE: wireshark cap clean up does not make sense - soxrok2212 - 02-20-2018

Messages 1 and 2 have everything you need to "attempt" to crack the handshake... 3 and 4 are used to verify the key. Also be sure that the messages all came from the same exchange; you can't mix and match 1 and 3 from handshake 'a' with 2 and 4 from handshake 'b'.

Perhaps you entered the password wrong in "smc1-07-5packets.cap". The devices used to join are different in each handshake.
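As an added illustration of the point above (example code, not from the thread or from hashcat): a small Python parser that classifies EAPOL-Key frames as message 1 to 4 from their Key Information bits and only pairs frames whose AP/station addresses and replay counters show they belong to the same exchange. The frames, MAC addresses and key values are constructed for the example; only the descriptor layout and flag bits follow IEEE 802.11.

```python
import struct

# Key Information bits of the EAPOL-Key descriptor (IEEE 802.11 RSN).
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200
# Replay-counter distance between message pairs: M1/M2 share one counter, M3/M4 the next.
EXPECTED_DELTA = {(1, 2): 0, (3, 4): 0, (1, 4): 1, (2, 3): 1}

def parse_eapol_key(src, dst, payload):
    """Parse an 802.1X header plus EAPOL-Key descriptor into a dict (Key Data ignored)."""
    _ver, ptype, _length = struct.unpack_from("!BBH", payload, 0)
    if ptype != 3:
        raise ValueError("not an EAPOL-Key frame")
    _desc, key_info, _key_len, replay = struct.unpack_from("!BHHQ", payload, 4)
    return {"src": src, "dst": dst, "key_info": key_info, "replay": replay, "nonce": payload[17:49]}

def message_number(f):
    """Which of the four handshake messages a frame is, decided by its flag bits."""
    ack, mic, inst, sec = (bool(f["key_info"] & m) for m in (KI_ACK, KI_MIC, KI_INSTALL, KI_SECURE))
    if ack and not mic:             return 1  # AP -> STA: ANonce, no MIC yet
    if not ack and mic and not sec: return 2  # STA -> AP: SNonce plus MIC
    if ack and mic and inst:        return 3  # AP -> STA: ANonce again, MIC, Install
    if not ack and mic and sec:     return 4  # STA -> AP: MIC only, nonce usually zero
    raise ValueError("unrecognised Key Information %#06x" % f["key_info"])

def same_exchange_pairs(frames):
    """Message pairs whose addresses and replay counters tie them to one exchange."""
    msgs = [(message_number(f), f) for f in frames]
    pairs = []
    for na, a in msgs:
        for nb, b in msgs:
            delta = EXPECTED_DELTA.get((na, nb))
            if delta is None or (a["src"], a["dst"]) != (b["dst"], b["src"]):
                continue                        # not the same AP/station pair
            if b["replay"] - a["replay"] == delta:
                pairs.append((na, nb))
    return pairs

def build_frame(key_info, replay, nonce_byte, mic_byte):
    """Constructed sample EAPOL-Key bytes (not taken from any real capture)."""
    body = struct.pack("!BHHQ", 2, key_info, 16, replay) + bytes([nonce_byte]) * 32
    body += b"\0" * 32 + bytes([mic_byte]) * 16 + struct.pack("!H", 0)  # IV, RSC, ID, MIC, len
    return struct.pack("!BBH", 2, 3, len(body)) + body

# Constructed frames: a full exchange with station A, and message 2 from station B.
AP, STA_A, STA_B = "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66", "77:88:99:aa:bb:cc"
M1A = parse_eapol_key(AP, STA_A, build_frame(0x008A, 1, 0xA1, 0x00))
M2A = parse_eapol_key(STA_A, AP, build_frame(0x010A, 1, 0xA2, 0xA2))
M3A = parse_eapol_key(AP, STA_A, build_frame(0x13CA, 2, 0xA1, 0xA3))
M4A = parse_eapol_key(STA_A, AP, build_frame(0x030A, 2, 0x00, 0xA4))
M2B = parse_eapol_key(STA_B, AP, build_frame(0x010A, 1, 0xB2, 0xB2))
```

`same_exchange_pairs([M1A, M2B])` returns nothing because the station addresses differ, which is the mix-and-match case soxrok2212 warns about, while `[M1A, M4A]` still yields a valid (1, 4) pair.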
RE: wireshark cap clean up does not make sense - BusiFix - 02-22-2018

Thank you for replying, soxrok2212. I thought I needed at least 1, 2 and 4 for a handshake to be complete. Only needing 1 and 2 explains why this now works.

You say the devices are different in smc1-07-5packets.cap. Do you mean different from smc1-07-3packets.cap or different within smc1-07-5packets.cap? I agree that the connecting stations are different (Samsung (5 packets) against OnePlus (3 packets)), but the access point (DrayTek) is the same and therefore I would expect the same password in both files for the same SSID.

RE: wireshark cap clean up does not make sense - soxrok2212 - 02-23-2018

(02-22-2018, 01:51 PM) BusiFix Wrote: "Thank you for replying, soxrok2212."

My suggestion was that one of your clients did not know the correct key; possibly it was input incorrectly?