01-17-2018, 04:26 PM
(01-17-2018, 12:21 PM)ZerBea Wrote: Hi JohnDN90.
That is a nice tool, and I really like that idea. There is also another attempt to do this (https://github.com/hashcat/hashcat-utils/pull/39). I decided to support both with an option to convert raw handshakes (complete unfiltered) from a cap/pcap/pcapng to a hccapx file. Now you can improve your tools...
... and there is no longer need for hcxtools to do this (so I can remove these ones and focus on the attacker/dumper, the conversion tool and EAP authentications).
Please keep in mind that some tools (aircrack suite) only strip M1M2, even if they have M2 or M3. Keep also in mind that the messagepair 0 is used for an ap-less attack. The handshakes are 100% crackable because the attacker asks the client for the hash data as long as he didn't receive the complete EAPOL frame.
Cheers
Hi ZerBea,
Thanks for the link to your tool. Looks like you really put a lot of work into it and have several nice features, I look forward to trying it out.
I still don't have a complete understanding of which messages are needed to successfully crack, but your comment started me searching a little more and it looks like any of the message combinations listed at https://hashcat.net/wiki/doku.php?id=hccapx are crackable (assuming the correct password was used for the client which created the handshake)? If so, that means even the "bad" handshakes according to Pyrit should be crackable; looking at a few of these in Wireshark they contain M1 and M2. If that's the case, I'll probably modify the strip_best_handshakes and separate_best_handshakes commands so they output a "bad" handshake if there isn't anything better available.
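To make the message-pair discussion above concrete, here is an added example (not code from this thread, hcxtools or hashcat) that parses a single hccapx v4 record, decodes its message_pair field into the two EAPOL messages it was built from, and applies an assumed "keep the best handshake per ESSID" ranking of the kind the post talks about; the record builder and the MAC addresses are constructed test data, and the ranking rule (prefer a pair that contains the AP's M3 over M1+M2 only) is this example's assumption, not a hashcat rule.

```python
import struct

HCCAPX_SIGNATURE = 0x58504348  # "HCPX" read as a little-endian u32
HCCAPX_VERSION = 4
# Layout of one 393-byte hccapx record, as documented on the hashcat wiki page linked above.
HCCAPX = struct.Struct("<IIBB32sB16s6s32s6s32sH256s")
# message_pair index -> (first message, second message, message the EAPOL/MIC was taken from)
MESSAGE_PAIRS = {
    0: ("M1", "M2", "M2"), 1: ("M1", "M4", "M4"), 2: ("M2", "M3", "M2"),
    3: ("M2", "M3", "M3"), 4: ("M3", "M4", "M3"), 5: ("M3", "M4", "M4"),
}

def parse_hccapx(blob):
    """Unpack one record and sanity-check the fields hashcat relies on."""
    if len(blob) != HCCAPX.size:
        raise ValueError("record must be exactly %d bytes" % HCCAPX.size)
    (sig, ver, mp, essid_len, essid, keyver, keymic, mac_ap, nonce_ap,
     mac_sta, nonce_sta, eapol_len, eapol) = HCCAPX.unpack(blob)
    if sig != HCCAPX_SIGNATURE or ver != HCCAPX_VERSION:
        raise ValueError("not an hccapx version 4 record")
    if essid_len > 32 or eapol_len > 256:
        raise ValueError("essid_len or eapol_len out of range")
    pair = mp & 0x07  # low bits hold the pair index; higher bits are hashcat flags not decoded here
    if pair not in MESSAGE_PAIRS:
        raise ValueError("unknown message_pair %d" % pair)
    first, second, mic_from = MESSAGE_PAIRS[pair]
    return {
        "essid": essid[:essid_len].decode("utf-8", "replace"),
        "mac_ap": mac_ap.hex(":"), "mac_sta": mac_sta.hex(":"),
        "message_pair": pair, "messages": (first, second), "mic_from": mic_from,
        "keyver": keyver, "eapol_len": eapol_len,
        # M3 is only sent by the AP after it verified the client's M2, so a pair that
        # contains M3 shows the client's PSK was accepted; M1+M2 alone does not.
        "ap_confirmed": "M3" in (first, second),
    }

def best_per_essid(records):
    """Assumed ranking: per ESSID keep an AP-confirmed pair when one exists, else the first record seen."""
    best = {}
    for rec in map(parse_hccapx, records):
        cur = best.get(rec["essid"])
        if cur is None or (rec["ap_confirmed"] and not cur["ap_confirmed"]):
            best[rec["essid"]] = rec
    return best

def make_record(essid, message_pair, mac_ap, mac_sta, keyver=2):
    """Constructed sample record: nonces, MIC and EAPOL body are zero bytes, not captured traffic."""
    eapol = bytes(99)  # dummy EAPOL body; struct pads the 256-byte field with zeros
    return HCCAPX.pack(HCCAPX_SIGNATURE, HCCAPX_VERSION, message_pair, len(essid), essid,
                       keyver, bytes(16), mac_ap, bytes(32), mac_sta, bytes(32), len(eapol), eapol)
```

Feeding real records means slicing a .hccapx file into 393-byte chunks and passing each chunk to parse_hccapx; the MIC itself is not verified here, only the record layout and message pair.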