hccapx is deprecated and replaced by a new hash format.
Read about the new format here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
and here:
https://hashcat.net/forum/thread-10253.html
and here:
https://hashcat.net/forum/thread-10357.html
Many DEAUTHENTICATION frames are injected directly into the AUTHENTICATION sequence (which is an ugly/stupid/nasty behavior of either your attack vector or the tools that you have used to perform this attack).
Starting with packet 1397 the CLIENT requested a new AUTHENTICATION sequence. Unfortunately it looks like the DEUTHENTICATION tool didn't notice that.
Analysis done by using tshark/Wireshark.
Goal should it be to retrieve a PMKID or a complete AUTHENTICATION sequence (EAPOL 4way handshake) and not to destroy everything by injecting stupid DEAUTHENTICATION frames.
BTW:
You got a PMKID and you should use it.
PMKID written to combi hash file.........: 1
Read more about the PMKID attack here:
https://hashcat.net/forum/thread-7717.ht...KID+attack
and forget everything you've seen in these old video tutorials.
In detail:
Read about the new format here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
and here:
https://hashcat.net/forum/thread-10253.html
and here:
https://hashcat.net/forum/thread-10357.html
Many DEAUTHENTICATION frames are injected directly into the AUTHENTICATION sequence (which is an ugly/stupid/nasty behavior of either your attack vector or the tools that you have used to perform this attack).
Starting with packet 1397 the CLIENT requested a new AUTHENTICATION sequence. Unfortunately it looks like the DEUTHENTICATION tool didn't notice that.
Code:
packet 1397 REASSOCIATIONREQUEST
packet 1398 DEAUTHENTICATION
packet 1399 DEAUTHENTICATION
packet 1402 DEAUTHENTICATION
packet 1403 DEAUTHENTICATION
packet 1404 DEAUTHENTICATION
packet 1408 DEAUTHENTICATION
packet 1409 DEAUTHENTICATION
packet 1410 DEAUTHENTICATION
packet 1412 M1
packet 1416 M2
packet 1418 DEAUTHENTICATION
packet 1419 M3
packet 1421 DEAUTHENTICATION
packet 1422 DEAUTHENTICATION
packet 1423 DEAUTHENTICATION
packet 1425 M4
Goal should it be to retrieve a PMKID or a complete AUTHENTICATION sequence (EAPOL 4way handshake) and not to destroy everything by injecting stupid DEAUTHENTICATION frames.
BTW:
You got a PMKID and you should use it.
PMKID written to combi hash file.........: 1
Read more about the PMKID attack here:
https://hashcat.net/forum/thread-7717.ht...KID+attack
and forget everything you've seen in these old video tutorials.
In detail:
Code:
$ hcxpcapngtool handshake_si_2C-56-DC-4F-EF-A8_2021-11-03T13-36-56.cap -o /tmp/test.22000
hcxpcapngtool 6.2.4-60-gd82349d reading from handshake_si_2C-56-DC-4F-EF-A8_2021-11-03T13-36-56.cap...
failed to read pcap packet header for packet 1576
summary capture file
--------------------
file name.................................: handshake_si_2C-56-DC-4F-EF-A8_2021-11-03T13-36-56.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 03.11.2021 18:36:36
timestamp maximum (GMT)..................: 03.11.2021 18:36:54
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 1576
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON (detected on 2.4GHz channel)......: 3
ACTION (total)...........................: 4
PROBERESPONSE (total)....................: 72
DEAUTHENTICATION (total).................: 472
AUTHENTICATION (total)...................: 3
AUTHENTICATION (OPEN SYSTEM).............: 3
REASSOCIATIONREQUEST (total).............: 1
REASSOCIATIONREQUEST (PSK)...............: 1
WPA encrypted............................: 43
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum usec)....: 4662
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to combi hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1
PMKID (total)............................: 1
PMKID (best).............................: 1
PMKID written to combi hash file.........: 1
packet read error........................: 1
Warning: too many deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER,
renew ANONCE and set PMKID to zero.
This could prevent to calculate a valid EAPOL MESSAGE PAIR
or to get a valid PMKID.
Warning: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.
Warning: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
session summary
---------------
processed cap files...................: 1