No handshakes when trying to convert to hccapx
#1
Hello. I have a *.cap file from aircrack-ng with a captured handshake. However, when trying to convert it to hccapx using cap2hccapx, I get the following output:
Code:
Networks detected: 1

BSSID=xx:xx:xx:xx:xx:xx ESSID=xxxxxxxxxx (Length: 10)

Written 0 WPA Handshakes to: out.hccapx

Maybe the problem is that the *.cap file contains only "Message 1 of 4" and "Message 2 of 4" (that's what I see in Wireshark after applying the filter "eapol").

However, I tried uploading it to the website gpuhash.me and they claim to have cracked it successfully. Please, what can I do in order to crack it by myself using hashcat?

Thanks a lot.
#2
Upload the cap here:
https://wpa-sec.stanev.org/?nets
#3
E: thanks man, it found the key, but it's the same as the SSID.

I assume that the handshake was just an unsuccessful attempt to connect to that network with a wrong password, because of only the 1/4 and 2/4 handshakes.
#4
(05-18-2018, 05:53 PM)kexec Wrote: Maybe the problem is that the *.cap file contains only "Message 1 of 4" and "Message 2 of 4" (that's what I see in Wireshark after applying filter "eapol").

If you have M1 and M2 within the cap, then it's considered valid to be cracked. Weird how it won't convert for you. In Wireshark, filter, then manually mark the broadcast packet of the AP and M1+M2.

Then go to: File > export specified packets > marked packets only

It should convert.
#5
...or simply use hcxtools for capturing and conversion, as they provide nonce-error-corrections and more...
BTW:
hcxtools are running in the background of wpa-sec and they did the conversion!
#6
Please, can anyone look at this cap? It's straight from aircrack-ng (airodump-ng). If I open it in aircrack, it says 1 handshake, but cap2hccapx says "Written 0 WPA Handshakes to: xxxx".

https://www54.zippyshare.com/v/O84Wo9uQ/file.html
#7
Hi kexec.
That is a typical aircrack capture. You captured 125954 packets (3.949.735 Bytes) for only one unauthorized handshake (tons of useless frames inside).
$ hcxpcaptool -o test.hccapx -E wordlist *.cap
start reading from madagaskar-03.cap

summary:
--------
file name..............: madagaskar-03.cap
file type..............: pcap 2.4
network type...........: DLT_IEEE802_11 (105)
endianess..............: little endian
read errors............: flawless
packets inside.........: 125954
skipped packets........: 0
packets with FCS.......: 0
beacons................: 1
association requests...: 1
authentications........: 2
EAPOL packets..........: 5
best handshakes........: 1 (ap-less: 0)

1 handshake(s) written to test.hccapx

$ wlanhcxinfo -i test.hccapx
total hashes read from file.......: 1
handshakes from clients...........: 0
little endian router detected.....: 0
big endian router detected........: 0
zeroed ESSID......................: 0
802.1x Version 2001...............: 1
802.1x Version 2004...............: 0
WPA1 RC4 Cipher, HMAC-MD5.........: 0
WPA2 AES Cipher, HMAC-SHA1........: 1
WPA2 AES Cipher, AES-128-CMAC.....: 0
group key flag set................: 0
message pair M12E2................: 1 (0 not replaycount checked)
message pair M14E4................: 0 (0 not replaycount checked)
message pair M32E2................: 0 (0 not replaycount checked)
message pair M32E3................: 0 (0 not replaycount checked)
message pair M34E3................: 0 (0 not replaycount checked)
message pair M34E4................: 0 (0 not replaycount checked)

You have only one M1/M2 (not authorized) handshake.

Took me only milliseconds to retrieve the PSK for this handshake (using hcxtools):

$ hashcat -m 2500 test.hccapx wordlist
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2
Hash.Target......: Madagaskar (AP:00:24:38:28:e7:c0 STA:00:87:01:c8:f5:66)
Time.Started.....: Tue May 22 09:54:10 2018 (0 secs)
Time.Estimated...: Tue May 22 09:54:10 2018 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 27 H/s (0.12ms) @ Accel:32 Loops:16 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Candidates.#1....: Madagaskar -> Madagaskar
HWMon.Dev.#1.....: Temp: 37c Fan: 29% Util: 38% Core:1506MHz Mem:5005MHz Bus:16
#8
Thanks, I have already got the password using the wpa-sec.stanev.org website.

I am curious why cap2hccapx (from hashcat-utils) can't convert this cap file to hccapx. I see that you successfully converted it to hccapx using hcxpcaptool, so is it a bug in hashcat's cap2hccapx? And why did you need to pass a wordlist to hcxpcaptool if you only converted it?

If I understand correctly, if I have M1+M2 handshakes only (= unauthorized), then someone unsuccessfully attempted to connect to the wifi (with a wrong password). But I can still crack this used password, am I right?

Btw, which wordlist do you use, please? Is it publicly available or a private one?

Btw2, sorry for the noob questions, but I tried to compile hcxtools on Kali Linux and ended up with an error: https://pastebin.com/he55Kep6
Any ideas, please?

Thanks a lot.
#9
Hi kexec.

Quote: I see that you successfully converted it to hccapx using hcxpcaptool, so it is a bug in hashcat's cap2hccapx?
hcxpcaptool is completely different from other tools, so it will convert your cap.
And if you clean up your cap with Wireshark (remove useless garbage), cap2hccapx will convert it, too:
$ ./cap2hccapx Madagaskar.pcap test.hccapx
Networks detected: 1

[*] BSSID=00:24:38:28:e7:c0 ESSID=Madagaskar (Length: 10)
--> STA=00:87:01:c8:f5:66, Message Pair=0, Replay Counter=1

Written 1 WPA Handshakes to: test.hccapx


Quote: And why you needed to pass a wordlist to hcxpcaptool if you converted it only?
We didn't pass a wordlist to hcxpcaptool. Instead we retrieved a possible list of passwords from hcxpcaptool (see the readme about features).
In combination with hcxdumptool, we are able to retrieve passwords, identities, usernames and more from the WiFi traffic. You can pass these lists to hashcat (raw or modified by rules).

Quote: If I understand correctly, if I have M1+M2 handshakes only (= unauthorized), then someone unsuccessfully attempted to connect to the wifi (with a wrong password). But I can still crack this used password, am I right?
Yes, you understand it correctly. M1 and M2 match each other, so you are able to crack this hash - it is 100% valid but, in this case, unauthorized.

Quote: Sorry for noob questions, but i tried to compile hcxtools on KaliLinux, but ended up with an error:...
There are no stupid questions, only stupid answers!
From the readme:
To install requirements on The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) use the following 'apt-get install libpcap-dev libcurl4-openssl-dev libssl-dev zlib1g-dev'

You should consider installing hcxpcaptool, too, because it's the successor of wlandump-ng (but it requires the latest kernel and latest driver).
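
Added example (not part of the thread and not code from hashcat-utils or hcxtools): a minimal reader for the hccapx file that cap2hccapx and hcxpcaptool write, showing where the "Message Pair=0" value and the authorized/unauthorized distinction discussed above are stored. The field layout follows hashcat's documented hccapx version 4 format; `parse_hccapx` and `sample_record` are names chosen for this example, and the sample record is constructed with zeroed nonces, MIC and EAPOL data.

```python
import struct

# hccapx v4: packed little-endian records, 393 bytes per handshake.
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")

# Low 3 bits of message_pair: which messages were combined, and whether the
# exchange got past M2 (authorized) or is only a challenge (M1+M2).
PAIRS = {
    0: ("M1+M2, EAPOL from M2", False),
    1: ("M1+M4, EAPOL from M4", True),
    2: ("M2+M3, EAPOL from M2", True),
    3: ("M2+M3, EAPOL from M3", True),
    4: ("M3+M4, EAPOL from M3", True),
    5: ("M3+M4, EAPOL from M4", True),
}
KEYVER = {1: "WPA1 RC4, HMAC-MD5", 2: "WPA2 AES, HMAC-SHA1", 3: "WPA2 AES, AES-128-CMAC"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_hccapx(data):
    """Return one dict per record; raise ValueError on a malformed file."""
    if not data or len(data) % HCCAPX.size:
        raise ValueError(f"size {len(data)} is not a multiple of {HCCAPX.size}")
    records = []
    for off in range(0, len(data), HCCAPX.size):
        (sig, ver, pair, essid_len, essid, keyver, _mic, ap, _anonce,
         sta, _snonce, eapol_len, _eapol) = HCCAPX.unpack_from(data, off)
        if sig != b"HCPX" or essid_len > 32 or eapol_len > 256:
            raise ValueError(f"bad record at offset {off}")
        desc, authorized = PAIRS.get(pair & 0x07, ("unknown", None))
        records.append({
            "version": ver,
            "essid": essid[:essid_len].decode("utf-8", "replace"),
            "ap": mac(ap), "sta": mac(sta),
            "keyver": KEYVER.get(keyver, f"unknown ({keyver})"),
            "pair": desc, "authorized": authorized,
            "replaycount_checked": not pair & 0x80,  # bit 7 set = not checked
        })
    return records

def sample_record():
    # Constructed record: ESSID and MACs as shown in the thread, message pair 0,
    # zeroed nonces/MIC/EAPOL (structurally valid, not a real handshake).
    essid = b"Madagaskar"
    return HCCAPX.pack(b"HCPX", 4, 0, len(essid), essid, 2, bytes(16),
                       bytes.fromhex("00243828e7c0"), bytes(32),
                       bytes.fromhex("008701c8f566"), bytes(32), 121, bytes(121))
```

Calling `parse_hccapx(open("test.hccapx", "rb").read())` on a real file lists each stored handshake with its message pair, so an M1+M2-only capture shows up as `authorized: False`.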
#10
Thanks for the answer.

So the problem is that if the cap contains a lot of garbage packets, cap2hccapx can't convert it? How do I determine which packets are not needed so I can delete them from the .cap file?

Quote:hcxpcaptool:
-E <file> : output wordlist (autohex enabled) to use as input wordlist for cracker

wlancap2hcx:
"-E <file> : output wordlist (autohex disabled) to use as hashcat input wordlist (hashcat -m 2500, john WPAPSK-PMK)"

Please, how is this "possible list with passwords" generated? I tried it now on a larger .cap file (with multiple networks) and the output is a list of SSIDs.


By the way, according to this, hcxtools are preinstalled on Kali Linux, but I couldn't run any of the hcxtools (wlandump-ng, hcxpcaptool) in the default state. Is it still valid? Or am I doing something wrong?