(08-17-2022, 09:11 AM)ZerBea Wrote: If you modify the ESSID, the content becomes unusable and you can't use it to recover the PlainMasterKey (PMK) on WPA1/WPA2/WPA2kv3, because the algorithm depend on the PreSharedKey (PSK) and the ESSID (used during the ASSOCIATION/REASSOCIATION):
In other words, changing the ESSID will lead to uncrackable hashes and hashcat will fail. That is the major reason why modifying an ESSID is not recommended and not allowed by tools like e.g. hcxtools.Code:PMK = PBKDF2(HMAC−SHA1, PSK, ESSID, 4096, 256)
For other purposes (not recovering WPA, WPA2, WPA2kv3) you can remove the entire BEACON frames by tshark:
Code:$ tshark -r old.pcapng -R '!wlan.fc.type_subtype == 0x08' -2 -F pcapng -w beacon_removed.pcapng
Please notice that ESSIDs are present in PROBEREQUEST frames, PROBERESPONSE frames, ASSOCIATIONREQUEST frames, REASSOCIATIONREQUEST frames and some kind of ACTION frames, too.
State of the art tools will take the ESSID from this frames primary, because they (especially ASSOCIATIONREQUEST and REASSOCIATIONREQUEST frames) contain much more information than a simple BEACON.
It's a weird case. I haven't tried cracking the hashes (which I will), but I am positive that the PineAP tool is capturing beacon frames that do not match what stations are responding to and do not match the ESSIDs used to generate the PMKs. I've posted on the Hak5 forums, but so far no one there has responded to me.
Edit: There are no probe or association frames.