PM are disabled because I received too many cracking requests - all other questions should be answered publicly.
tshark is not the best choice to get a handshake. It is a passive tool and doesn't take care of packet loss, EAPOL TIMER values and REPLAY COUNTER values (like all passive tools).
hcxpcapngtool (default options) didn't convert the handshake, because the criteria to calculate a valid MESSAGE PAIR are not met.
Criteria:
M1 M2 -> REPLAY COUNTER value must match and EAPOL TIME GAP between M1 and M2 must be <= 20000 msec!
If these conditions are not met, it is not possible to get a valid handshake (valid = a MESSAGE PAIR from which hashcat can get a PSK) with the default options of hcxpcapngtool and hashcat (ignore REPLAY COUNTER value if NONCE ERROR CORRECTION is possible).
More information about these conditions:
https://hashcat.net/forum/thread-7514-po...l#pid40512
and NONCE ERROR CORRECTIONs:
https://hashcat.net/forum/thread-6361.html
More about EAPOL TIMERs:
https://community.cisco.com/t5/wireless-...-p/3122477
and REPLAY COUNTERs:
https://etutorials.org/Networking/802.11...n+for+WPA/
BTW:
This will not happen if you use an active tool that interacts with the target (calculates NONCEs, REPLAY COUNT and EAPOL TIME to retrieve a valid hash, detects packet loss).
hcxdumptool and hcxlabtool calculate all these values to get M1M2 challenges from a mobile target (a passive dumper does not):
Code:
ACCESS POINT (ROGUE)......: 3cb87af43ec0 (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: 3cb87af43ec1 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 3cb87af43ec2 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: e00db925c846
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 62144
ANONCE....................: 94b3fa60baf0817cf3c18357a018050c89589ef433cf1b0e5795eceddabae3f9
SNONCE....................: ab3e5f717975b4d98b869d936d2ddd9abf04b85ae5344c0f4fda6d8d06df47ec
How many (different) challenges should be received can be controlled by stop_client_m2_attacks (hcxdumptool):
Code:
--stop_client_m2_attacks=<digit> : stop attacks against CLIENTS after 10 M2 frames received
affected: ap-less (EAPOL 2/4 - M2) attack
or m2attempt (hcxlabtool series):
Code:
--m2attempt=<digit> : reject CLIENT request after n received M2 frames
default: 2 received M2 frames
The higher the value the better! The default setting is low, because this option could prevent a CLIENT from being able to connect to its NETWORK.
On some of my mobile (test) devices a window to ENTER a PSK will appear on the display. That depends on the OS of the mobile device.
In both cases, hcxpcapngtool --all should be used to convert all(!) retrieved/received challenges to a hc22000 file.
It is mandatory that hcxdumptool stores the attack hash values in pcapng file format so that hcxpcapngtool can work on them. You'll see the same hash / replay count values from the hcxdumptool status output in the hcxpcapngtool status output, too.
It is also mandatory that hcxpcapngtool stores the information about the MESSAGE PAIR in hc22000 file format so that hashcat can work on it.
For me (analyst), an (unencrypted) EAPOL M2 is the most important EAPOL MESSAGE!
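As an added illustration of the M1/M2 criteria described in the post above (this is example code, not part of the post and not the code of hcxpcapngtool or hcxdumptool): it builds a few constructed EAPOL-Key frames, classifies them as M1..M4 from the Key Information bits, and then applies the two default checks, a matching REPLAY COUNTER and an EAPOL time gap within the timeout. The timeout is taken in microseconds, as in the EAPOLTIMEOUT line of the status output shown above, and is a parameter; the frame layout helper, the sample timestamps and nonces are assumptions made for the example. NONCE ERROR CORRECTION is not modelled, so a replay counter mismatch is always a rejection here.

```python
"""Pair EAPOL M1/M2 frames under the default criteria: matching REPLAY COUNTER
and an EAPOL time gap within the timeout.

Added example, not hcx tool code. All frames below are constructed inline.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# EAPOL-Key "Key Information" bits used to tell the 4-way handshake messages apart
KI_PAIRWISE = 0x0008
KI_INSTALL = 0x0040
KI_ACK = 0x0080
KI_MIC = 0x0100
KI_SECURE = 0x0200

ZERO_NONCE = bytes(32)


@dataclass
class EapolKey:
    ts_usec: int          # capture timestamp in microseconds (assumed unit)
    replay_counter: int
    nonce: bytes
    message: str          # "M1", "M2", "M3" or "M4"


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes) -> bytes:
    """Constructed EAPOL-Key frame: 802.1X header + RSN key descriptor, no key data.
    MIC, IV, RSC and ID are zero; they play no role in M1/M2 pairing."""
    body = struct.pack(">BHHQ32s16sQQ16sH",
                       2, key_info, 16, replay_counter, nonce,
                       bytes(16), 0, 0, bytes(16), 0)
    # 802.1X header: version 2, packet type 3 (EAPOL-Key), body length
    return struct.pack(">BBH", 2, 3, len(body)) + body


def parse_eapol_key(ts_usec: int, frame: bytes) -> Optional[EapolKey]:
    """Classify an EAPOL-Key frame as M1..M4 from its Key Information bits."""
    _version, ptype, length = struct.unpack(">BBH", frame[:4])
    if ptype != 3 or length < 95:
        return None
    body = frame[4:4 + length]
    _desc, key_info, _key_len, rc = struct.unpack(">BHHQ", body[:13])
    nonce = body[13:45]
    if not key_info & KI_PAIRWISE:
        return None                                  # group key handshake: ignore
    ack, mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    install, secure = bool(key_info & KI_INSTALL), bool(key_info & KI_SECURE)
    if ack and not mic:
        msg = "M1"
    elif ack and mic and install:
        msg = "M3"
    elif mic and not ack and not secure and nonce != ZERO_NONCE:
        msg = "M2"
    elif mic and not ack:
        msg = "M4"
    else:
        return None
    return EapolKey(ts_usec, rc, nonce, msg)


def pair_m1_m2(frames, eapol_timeout_usec: int = 20000):
    """Apply the default criteria: the M2 REPLAY COUNTER must equal that of a
    preceding M1 and the M1 -> M2 time gap must not exceed the EAPOL timeout.
    Returns (accepted (M1, M2) pairs, rejected M2s with a reason)."""
    pairs, rejected = [], []
    m1s = [f for f in frames if f.message == "M1"]
    for m2 in (f for f in frames if f.message == "M2"):
        same_rc = [m1 for m1 in m1s
                   if m1.replay_counter == m2.replay_counter and m1.ts_usec <= m2.ts_usec]
        if not same_rc:
            rejected.append((m2, "no preceding M1 with matching REPLAY COUNTER"))
            continue
        m1 = max(same_rc, key=lambda f: f.ts_usec)   # latest M1 with that counter
        gap = m2.ts_usec - m1.ts_usec
        if gap > eapol_timeout_usec:
            rejected.append((m2, f"EAPOL TIME GAP {gap} usec exceeds timeout"))
            continue
        pairs.append((m1, m2))
    return pairs, rejected


def sample_capture():
    """Constructed passive capture: one clean M1/M2, one M2 whose retransmitted
    M1 the sniffer missed (counter mismatch), and one M2 that arrives far too late."""
    anonce, snonce = bytes([0xA1]) * 32, bytes([0xB2]) * 32
    M1, M2 = KI_PAIRWISE | KI_ACK, KI_PAIRWISE | KI_MIC
    raw = [
        (1_000_000, build_eapol_key(M1, 1, anonce)),   # M1 rc=1
        (1_003_000, build_eapol_key(M2, 1, snonce)),   # M2 rc=1, 3 ms later: valid pair
        (2_000_000, build_eapol_key(M1, 2, anonce)),   # M1 rc=2; AP retransmit with rc=3 was lost
        (2_004_000, build_eapol_key(M2, 3, snonce)),   # M2 rc=3: no captured M1 matches
        (3_000_000, build_eapol_key(M1, 5, anonce)),   # M1 rc=5
        (3_500_000, build_eapol_key(M2, 5, snonce)),   # M2 rc=5, 500 ms later: gap too large
    ]
    return [f for f in (parse_eapol_key(ts, b) for ts, b in raw) if f is not None]


def analyse(eapol_timeout_usec: int = 20000):
    return pair_m1_m2(sample_capture(), eapol_timeout_usec)


if __name__ == "__main__":
    accepted, dropped = analyse()
    for m1, m2 in accepted:
        print(f"valid pair: rc={m1.replay_counter} gap={m2.ts_usec - m1.ts_usec} usec")
    for m2, why in dropped:
        print(f"rejected M2 rc={m2.replay_counter}: {why}")
```

Raising the timeout passed to `analyse()` makes the late M2 acceptable, which is the effect of a relaxed EAPOL timeout option; the counter-mismatch case stays rejected because nothing here reconstructs the missed M1.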