Converting cap file to hccapx, SSID name changing!
hashcat Forum (https://hashcat.net/forum), thread /thread-9908.html

Converting cap file to hccapx, SSID name changing! - Uraniumhazee - 02-27-2021

Hi. I have a different problem. I am from Turkey and we have these words in our alphabet (ö, ç, ş, ğ etc.). I have a cap file and when I send this file to a cracking service, SSID is correctly defined = Router SSID (Gül's Home) and it is cracked! But when I convert this file to hccapx or m22000 WPA 01/02 file as well, SSID changes to GxC3xBCl's and in the same service when I send this hccapx, it is not cracked by that service! What must I do for this? For hashcat I need hccapx files but I need the true SSID name on it. I can share the cap file if you want.

Thanks

RE: Converting cap file to hccapx, SSID name changing! - ZerBea - 02-27-2021

Can you please describe your complete workflow and the command lines you use?

Please notice: The output to a terminal depends on the default settings of the terminal. To make this more universal, hcxtools replaces non-ASCII characters by a placeholder (e.g.: "."). The hash file should not be affected. You can use a hex editor (e.g.: GHex) to take a look at the ESSID inside the hccapx file.

For hashcat you don't need hccapx files. hashcat accepts 22000 files, too:

Code:
2500 | WPA-EAPOL-PBKDF2 | Network Protocols

BTW: Exactly this is one of the reasons to move from 2500 (hccapx) to 22000. You do not need a hex editor any longer to take a look at the hashes. Instead you can use every bash command (tool) to show the content of the hash.
We take the example hash from here: https://hashcat.net/wiki/doku.php?id=example_hashes

22000 WPA-PBKDF2-PMKID+EAPOL

Code:
WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***

PMKID type 01: IDENTIFIER * TYPE * PMKID * MAC_AP * MAC_STA * ESSID
EAPOL type 02: IDENTIFIER * TYPE * MIC * MAC_AP * MAC_STA * ESSID * EAPOL MESSAGE PAIR

We take the ESSID from the 22000 hash line and convert from HEX ASCII to ASCII using a perl command:

Code:
$ echo "686173686361742d6573736964" | perl -pe 's/(..)/chr(hex($1))/ge'
hashcat-essid

There is absolutely no reason to use hccapx any longer.

RE: Converting cap file to hccapx, SSID name changing! - Uraniumhazee - 02-27-2021

(02-27-2021, 06:15 PM)ZerBea Wrote: Can you please describe your complete workflow and the command lines you use?

I will explain what the problem is. Below there is a 1.cap file and its original SSID name is "Gül's home". When I send this file to a crack service, the file was cracked. There is no problem. And also the SSID is seen right!

For me, I use hashcat. For this I need an hccapx file or a PMKID hash or WPA 01/02 hash... I can't crack cap files in hashcat, you know. I use The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) and use this command:

hcxpcaptool -z 1.pmkid -o 1.hccapx 1.cap
hcxpcapngtool -o 1.22000 --pmkid=1.16800 --hccapx=1.hccapx 1.cap

From this file I got an hccapx file and a 1.22000 file! I could not get a 16800 PMKID file! I shared 2 files below. When I send these files to a crack service, the file was not cracked. The SSID is seen like this: "GxC3xBCl's"

And also in hashcat, for example, I use these commands:

for hccapx
hashcat64.exe -w 3 -a 3 -m 2500 1.hccapx ?d?d?d?d?d?d?d?d

for 22000
hashcat.exe -w 3 -a 3 -m 22000 WPA*02 ?d?d?d?d?d?d?d?d

Each time in hashcat also the SSID is seen as "GxC3xBCl's". I think I can't crack this because of this error. In the cracking services I experienced this. How can I make it look right ssid name in hccapx or in 22000 hash? This is my problem.
SSID does not look right? I hope I explained what the problem is. Sorry for my bad English. What do you think about this problem?

Thanks

RE: Converting cap file to hccapx, SSID name changing! - ZerBea - 02-27-2021

Please mask or remove the 22000 hash line from your comment, because it is against the forum rules to comment real hashes, here. You can remove your attachments, too.

First of all, may I ask two questions:
What tool did you use to capture the traffic?
Why did you run so many deauthentications?

If you take a look inside your capfile, you'll notice in packet 3 a BEACON (the only one), with this ESSID:
Tag: SSID parameter set: GxC3xBCl's

Code:
3 Feb 21, 2021 08:22:01.616000000 CET GxC3xBCl's

But the ESSIDs in the PROBERESPONSE frames are different to the BEACON frame:
ESSID changes (detected maximum).........: 1 (information: option --max-essids=<digit> and --all recommended)

Code:
37 Feb 21, 2021 08:22:04.598014000 CET Gül's Home

You can use tshark to verify this:

Code:
$ tshark -r 1.cap -T fields -E header=y -e frame.number -e frame.time -e wlan.ssid

Every conversion tool will see this captured ESSID and convert it (by default options).

BTW: The quality of your captured file is terrible! Too many deauthentications.
DEAUTHENTICATION (total).................: 36409
to retrieve a single EAPOL MESSAGE pair:
EAPOL pairs (best).......................: 1

Running these massive deauthentications you'll spam the entire WiFi channel! You're going to make the AP and the CLIENT "crazy" and they'll reset their EAPOL counters (which results in uncrackable EAPOL messages).

Timestamps damaged! They are not in a row.

Code:
Packet.Nr. Date Time

Important frames (from which the PSK can be recovered) are missing. Only one BEACON inside. If this BEACON is wrong, you'll never recover the PSK (explained before)!
hcxpcapngtool result in detail (Wireshark and tshark showing a similar result):

Code:
$ hcxpcapngtool -o test.22000 1.cap

In other words, neither a standard conversion tool nor hashcat can work on this capture file.

BTW - to answer your questions:

"I have a cap file and when I send this file to a cracking service, SSID is correctly defined = Router SSID (Gül's Home) and it is cracked!"
For sure, most of the online services running hcxtools (with advanced options).
https://hashcat.net/forum/thread-9893-post-51787.html#pid51787
https://wpa-sec.stanev.org/?search=G%C3%BCl%27s+Home

"How can I make it look right ssid name in hccapx or in 22000 hash? This is my problem. SSID does not look right?"
This is not your problem and it is not the problem of hashcat! It is the problem of the tool you used for capturing! If the capturing tool is missing some frames, they are gone for ever! None of the following tools in the workflow (conversion tool to a format hashcat accepts, and hashcat itself) can bring it back or is able to recover the PSK from it!

However, hcxpcapngtool will provide some options to work on that cap file, but don't rely on it. If you do the conversion again, running option --max-essids=2 you'll get two 22000 hash lines:

One which is wrong (ESSID)
477843337842436c2773
You can't recover the PSK from it in hash mode 22000 (by PBKDF2). But you can verify the hash running hash mode 22001 with the PMK recovered from the correct ESSID:

One which is possibly the correct ESSID
47c3bc6c277320486f6d65
Hashcat may be able to recover the PSK from it
47c3bc6c277320486f6d65
You can use the recovered PMK to verify the PSK of the hash line with the wrong ESSID by hash mode 22001. Verifying a network by PMK is explained here: https://hashcat.net/forum/thread-9893.html

In detail:

Code:
WPA*02*MIC*MAC_AP*MAC_STA*477843337842436c2773*...

Please be so kind and comment the command lines you used
to capture the traffic
to convert the captured file to a hash format hashcat accepts
to recover the PSK by running hashcat

That makes it much easier to figure out what exactly went wrong in your workflow.
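
Added example, not part of the thread and not hcxtools or hashcat code: a small Python check that decodes the ESSID field of 22000 hash lines as UTF-8 and reports any MAC_AP that appears with more than one ESSID, which is the situation ZerBea describes for 1.cap. The sample lines, the MACs in them and the function names are constructed for the illustration; only the wiki hash and the two ESSID hex strings come from the thread.

```python
from collections import defaultdict

# Constructed sample input. Line 1 is the wiki example hash quoted in the thread.
# Lines 2 and 3 are NOT real hashes: all-zero MIC, made-up MACs, and the fields
# after the ESSID left out; only the two ESSID hex strings come from the thread.
SAMPLE = [
    "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***",
    "WPA*02*" + "0" * 32 + "*020000000001*020000000002*477843337842436c2773*",
    "WPA*02*" + "0" * 32 + "*020000000001*020000000002*47c3bc6c277320486f6d65*",
]


def parse_22000(line):
    """Split one 22000 line into (type, MAC_AP, raw ESSID bytes)."""
    fields = line.strip().split("*")
    # Both record types keep MAC_AP in field 3 and the hex ESSID in field 5.
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError("not a 22000 hash line: %r" % line)
    return fields[1], fields[3].lower(), bytes.fromhex(fields[5])


def show_essid(raw):
    """Decode ESSID bytes as UTF-8; bytes that are not valid UTF-8 become \\xNN."""
    return raw.decode("utf-8", errors="backslashreplace")


def essid_conflicts(lines):
    """Map each MAC_AP that appears with more than one ESSID to those ESSIDs."""
    seen = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        _, mac_ap, raw = parse_22000(line)
        if raw not in seen[mac_ap]:
            seen[mac_ap].append(raw)
    return {ap: [show_essid(r) for r in raws]
            for ap, raws in seen.items() if len(raws) > 1}


if __name__ == "__main__":
    for line in SAMPLE:
        kind, mac_ap, raw = parse_22000(line)
        print(kind, mac_ap, raw.hex(), repr(show_essid(raw)))
    for ap, names in essid_conflicts(SAMPLE).items():
        print("AP", ap, "has conflicting ESSIDs:", names)
```

The first ESSID decodes to the ten plain ASCII characters GxC3xBCl's, so the odd name is what the BEACON frame actually contained, not a display artifact of the conversion tool.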