Parsing multiple WPA handshakes from a merged cap file.
#1
Hi all,
I have a cap file (the result of merging multiple cleaned WPA cap files using mergecap), but the original cap files that made up the final BIG cap file are deleted. So I'm trying to extract the cap files and convert them to hccap. I can do that with aircrack-ng and the -J command, but that would convert only 1 cap, based on the index I give, e.g.:
Quote:$ aircrack-ng tt1.cap -J out2
Opening tt1.cap
Read xxxx packets.

# BSSID ESSID Encryption

1 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
2 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
3 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
4 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
5 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
6 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
7 XX:XX:XX:XX:XX:XX xx WPA (1 handshake)
........ (real ... :-) )

Index number of target network ? 1

Opening tt1.cap
Reading packets, please wait...

Building Hashcat (1.00) file...

[*] ESSID (length: x): xx
[*] Key version: 1
[*] BSSID: XX:XX:XX:XX:XX:XX
[*] STA: XX:XX:XX:XX:XX:XX
[*] anonce:
XX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XX
[*] snonce:
XX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XX
[*] Key MIC:
XX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XX
[*] eapol:
XX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XXXX:XX:XX:XX:XX:XX

Successfully written to out2.hccap


Quitting aircrack-ng...

$
And I've tried extracting cap files from the big file, using tshark:
Quote:tshark -r tt1.cap wlan.bssid == XX:XX:XX:XX:XX:XX -w out.cap
and when trying to convert them to hccap using aircrack-ng:
Quote:$ aircrack-ng extract.cap -J out3
Opening extract.cap
Unsupported file format (not a pcap or IVs file).
Read 0 packets.

No networks found, exiting.


Quitting aircrack-ng...
$
Even though when opening the file with Wireshark I see it's -kind of- normal.
There's a solution (a stupid one), which is to make a script that opens aircrack-ng with tt1.cap and enters an index each time, up to the nth, but that means aircrack-ng will need to read the file every time; it would need days to finish.
So what I need is to extract the cap files from tt1.cap (and then I can convert them with aircrack or cap2hccap) or to undo mergecap.
I've also tried to read the file by parsing it based on offset range (I've read http://hashcat.net/wiki/doku.php?id=hccap), but failed because every cap in tt1.cap has some random bytes before the ESSID, so I can't parse it by using the range 0x00-0x187 for every cap.

Thanks and sorry for my bad English.
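One way to undo the merge in a single pass, as an added example that is not part of the original post: it reads the merged capture once, groups frames by BSSID, and writes each group as classic pcap, the format the aircrack-ng error above asks for. The function names are hypothetical, and it assumes a classic pcap input with link type 105 (raw 802.11) or 127 (radiotap) that fits in memory.

```python
import struct
import sys

# Added example (hypothetical helper names). Classic pcap only, not pcapng.
LINK_80211, LINK_RADIOTAP = 105, 127
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # file byte order

def bssid_of(frame, linktype):
    """Return the 6-byte BSSID of one captured frame, or None if it has none."""
    if linktype == LINK_RADIOTAP:
        if len(frame) < 4:
            return None
        frame = frame[struct.unpack_from("<H", frame, 2)[0]:]  # skip radiotap
    if len(frame) < 22 or (frame[0] >> 2) & 3 == 1:  # truncated or control frame
        return None
    to_ds, from_ds = frame[1] & 1, frame[1] & 2
    if to_ds and from_ds:  # WDS frame: four addresses, no single BSSID
        return None
    off = 4 if to_ds else 10 if from_ds else 16  # addr1 / addr2 / addr3
    return bytes(frame[off:off + 6])

def split_by_bssid(src):
    """Read a merged pcap stream once; return {bssid: bytes of a per-BSSID pcap}."""
    ghdr = src.read(24)
    endian = MAGICS.get(ghdr[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", ghdr[20:24])[0]
    if linktype not in (LINK_80211, LINK_RADIOTAP):
        raise ValueError("link type %d is not 802.11" % linktype)
    out = {}
    while True:
        rhdr = src.read(16)  # ts_sec, ts_usec, incl_len, orig_len
        if len(rhdr) < 16:
            break
        data = src.read(struct.unpack(endian + "I", rhdr[8:12])[0])
        bssid = bssid_of(data, linktype)
        if bssid is not None:
            # Every output starts with a copy of the original global header.
            out.setdefault(bssid, bytearray(ghdr)).extend(rhdr + data)
    return out

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:  # e.g. tt1.cap
        for bssid, blob in split_by_bssid(fh).items():
            with open(bssid.hex() + ".cap", "wb") as dst:
                dst.write(blob)
```

Run against the merged file, it writes one `<bssid>.cap` per network into the current directory.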


Messages In This Thread
Parsing multiple WPA handshakes from a merged cap file. - by bsec - 01-08-2015, 04:49 PM