hashcat Forum
cap to hccapx problem [Zero value timestamps detected] - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: cap to hccapx problem [Zero value timestamps detected] (/thread-8959.html)



cap to hccapx problem [Zero value timestamps detected] - Uraniumhazee - 02-11-2020

I have a problem my friends.
I got a cap files from wifislax.
Normal cap files have at least 100-200 kb sizes but this file is 1 kb
So when i convert it to  HCCAPX  it gives error at hashcat converter page

Zero value timestamps detected in file: in/1620_1581406797.cap.

This prevents correct EAPOL-Key timeout calculation.
Do not use preprocess the capture file with tools such as wpaclean.


Before i could convert this type files from below tool without a problem
https://www.onlinehashcrack.com/tools-cap-to-hccapx-converter.php
But now this tool is under maintenance.
How can i solve this problem?
How can i convert these without getting error?

I added my cap files also.

https://s4.dosya.tc/server9/ywk39k/handshakes.rar.html
Thnaks for your replies



RE: cap to hccapx problem [Zero value timestamps detected] - ZerBea - 02-11-2020

That isn't a cap2hccapx issue.
The timestamps are zeroed in your cap file. Additional you're missing some important frames (authentication, association, undirected proberequest frames).
Code:
$ hcxpcapngtool --hccapx=test.hccapx HAKAN-FC-4A-E9-14-EC-9B.cap
reading from HAKAN-FC-4A-E9-14-EC-9B.cap...

summary capture file
--------------------
file name................................: HAKAN-FC-4A-E9-14-EC-9B.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 01.01.1970 01:00:00
timestamp maximum (GMT)..................: 01.01.1970 01:00:00
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 3
BEACON (total)...........................: 1
EAPOL messages (total)...................: 2
EAPOL RSN messages.......................: 2
ESSID (total unique).....................: 1
EAPOLTIME gap (measured maximum usec)....: 4999998
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages........................: 1
EAPOL M2 messages........................: 1
EAPOL pairs (total)......................: 1
EAPOL pairs (best).......................: 1
EAPOL pairs written to hccapx............: 1 (RC checked)
EAPOL M12E2..............................: 1
PMKID (total)............................: 1
PMKID (best).............................: 1
packets with zeroed timestamps...........: 3

Warning: missing frames!
This dump file contains no important frames like
authentication, association or reassociation.
That makes it hard to recover the PSK.

Warning: missing frames!
This dump file contains no undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
That makes it hard to recover the PSK.

Warning: missing frames!
This dump file doesn't contain enough EAPOL M1 frames.
That makes it impossible to calculate nonce-error-correction values.

Warning: missing timestamps!
This dump file contains frames with zeroed timestamps.
That prevent calculation of EAPOL TIMEOUT values.

Do not clean your cap file.
Do not use tools that do that.
Do not use tools that ignore important frames.

In times of GPU hash cracking tools (hashcat), there is absolutely no need to clean a cap file.
cap2hccapx will not convert deadly cleaned cap files, because you possible waste GPU time if you try to recover the PSK from them.
multicapconverter will do the conversion:
https://github.com/s77rt/multicapconverter
as well as hcxpcapngtool (with a bunch of warnings):
https://github.com/ZerBea

BTW:
You cap files contain PMKIDs. You should use them (hashmode 22000 or 16800) instead of EAPOL (hashmode 2500/hccapx)!


RE: cap to hccapx problem [Zero value timestamps detected] - Uraniumhazee - 02-11-2020

I have a few important questions
I hope you will reply.

First of all i always use hashcat with m 2500 with (converted cap to hccapx) files.

I dont know ashmode 22000 or 16800
I watched this video
https://www.youtube.com/watch?v=DarsUXcHTSU&t=385s

in this video with hcxdumptool he catches hashes
But there is an important question!

How can i get hashes from wifislax files that i sent!

I have a web site and people send me cap files from wifislax handshaker app.
Sometimes files is about 1kb so i cant convert these files to HCCAPX
People only use Wifislax. So this cap files i think cleaned files.

My question is how can i get PMKIDs and how can i use hashmode 22000 or 16800 with these files?

I will use
https://github.com/s77rt/multicapconverter this tool

But how can i use hashmode 22000 or 16800 with these files that i shared

Thanks


RE: cap to hccapx problem [Zero value timestamps detected] - ZerBea - 02-11-2020

The PMKID attack is described here:
https://hashcat.net/forum/thread-7717.html

hashmode 22000 is available by git head of hashcat, here:
https://github.com/hashcat/hashcat

How can i get hashes from wifislax files that i sent?
-> You should ask this question wifislax developers. I do not use wifislax.

But how can i use hashmode 22000 or 16800 with these files that i shared?
-> convert to PMKID+EAPOL, PMKID and/or hccapx:
$ hcxpcapngtool -o test.22000 --pmkid=test.16800 --hccapx=test.hccapx HAKAN-FC-4A-E9-14-EC-9B.cap

run hashcat to recover the PSK from PMKID
$ hashcat -m 16800 test.16800 wordlist

or run hashcat to recover the PSK from EAPOL (old school)
$ hashcat -m 2500 test.hccapx wordlist

or run latest hashcat to recover PSK from PMKID and EAPOL
$ hashcat -m 22000 test.22000 wordlist

Sometimes files is about 1kb so i cant convert these files to HCCAPX.
-> It depend on the quality of the cap file (frames inside the file) and not on its size.

People only use Wifislax. So this cap files i think cleaned files.
-> They are really missing something. Please read this:
https://hashcat.net/forum/thread-6661-post-47500.html#pid47500

I suggest to read something about the basics of 802.11, too:
https://hashcat.net/forum/thread-6661-post-47204.html#pid47204

and the advantages of the new hashformat, here:
https://hashcat.net/forum/thread-6661-post-47158.html#pid47158