The MESSAGEPAIR field is very limited (8 bi only). It only hold basic information about the AUTHENTICATION state (CHALLENGE/AUTHORIZED), the type of the ROUTER (BE/LE), NC (mandatory/not mandatory) and AP-LESS attack on a CLIENT (M1M2ROGUE). That's all. We can't get more information from the hash line.
But, depending on the quality of the dump file, hcxpcapngtool provide much more information, e.g.:
Regarding hashcat, nonce-error-corrections=170 should be fine to be on the bright side.
Please notice!
Deadly filtered or cleaned dump files do not contain this information any longer.
Make up your own mind.
Example is taken from here:
https://github.com/wireshark/wireshark/b...on.pcap.gz
Not enough M1 frames to calculate an exact value, but NC == 8 should be fine and hashcat will be able to recover the PSK.
Well, this is an example dump file - so it should really be fine.
But if we clean the dump file:
and convert it again:
The results looks different, because most of the (useful) information got lost.
That include timestamps, AUTHENTICATION state and NC.
hashcat is able to recover the PSK from this hash line, too, because the source is a demo dump file of good quality.
But this may fail on poor quality dump files:
https://github.com/ZerBea/hcxtools/issues/265
But, depending on the quality of the dump file, hcxpcapngtool provide much more information, e.g.:
Code:
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 170
...
EAPOL pairs written to 22000 hash file...: 1 (RC checked)Regarding hashcat, nonce-error-corrections=170 should be fine to be on the bright side.
Please notice!
Deadly filtered or cleaned dump files do not contain this information any longer.
Make up your own mind.
Example is taken from here:
https://github.com/wireshark/wireshark/b...on.pcap.gz
Code:
$ hcxpcapngtool wpa-Induction.pcap -o test.22000
hcxpcapngtool 6.3.1-53-g747e304 reading from wpa-Induction.pcap...
summary capture file
--------------------
file name................................: wpa-Induction.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 07:14:45
timestamp maximum (GMT)..................: 04.01.2007 07:15:26
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 1093
frames with correct FCS..................: 1080
packets received on 2.4 GHz..............: 1093
WIRELESS DISTRIBUTION SYSTEM.............: 1
ESSID (total unique).....................: 2
BEACON (total)...........................: 398
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
PROBEREQUEST (undirected)................: 12
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 26
DISASSOCIATION (total)...................: 1
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
RESERVED MANAGEMENT frame................: 4
WPA encrypted............................: 280
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum msec)....: 4
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1
RSN PMKID (total)........................: 1
RSN PMKID (from zeroed PMK)..............: 1 (not converted by default options - use --all if needed)
frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2412: 1093
Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng
Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
session summary
---------------
processed cap files...................: 1
$ cat test.22000
WPA*02*a462a........020000*02Not enough M1 frames to calculate an exact value, but NC == 8 should be fine and hashcat will be able to recover the PSK.
Well, this is an example dump file - so it should really be fine.
But if we clean the dump file:
Code:
$ ./wpaclean cleaned.cap wpa-Induction.pcap
Pwning wpa-Induction.pcap (1/1 100%)
Net 00:0c:41:82:b2:55 Coherer
Doneand convert it again:
Code:
$ ./wpaclean cleaned.cap wpa-Induction.pcap
Pwning wpa-Induction.pcap (1/1 100%)
Net 00:0c:41:82:b2:55 Coherer
Done
[zerobeat@tux1 aircrack-ng]$ hcxpcapngtool cleaned.cap -o cleaned.22000
hcxpcapngtool 6.3.1-53-g747e304 reading from cleaned.cap...
summary capture file
--------------------
file name................................: cleaned.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 07:14:51
timestamp maximum (GMT)..................: 04.01.2007 07:14:51
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianness (capture system)..............: little endian
packets inside...........................: 3
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
EAPOL messages (total)...................: 2
EAPOL RSN messages.......................: 2
EAPOLTIME gap (measured maximum msec)....: 1
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL pairs (total)......................: 1
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M12E2 (challenge)..................: 1
RSN PMKID (total)........................: 1
RSN PMKID (from zeroed PMK)..............: 1 (not converted by default options - use --all if needed)
Warning: out of sequence timestamps!
This dump file contains frames with out of sequence timestamps.
That is a bug of the capturing/cleaning tool.
Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng
Information: radiotap header is missing!
Radiotap is a de facto standard for 802.11 frame injection and
reception. The radiotap header format is a mechanism to supply
additional information about frames, rom the driver to userspace
applications.
https://www.radiotap.org/
Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.
Information: missing frames!
This dump file does not contain important frames like
authentication, association or reassociation.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.
Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
Information: missing EAPOL M3 frames!
This dump file does not contain EAPOL M3 frames (possible packet loss).
It strongly recommended to recapture the traffic or
to use --all option to convert all possible EAPOL MESSAGE PAIRs.
session summary
---------------
processed cap files...................: 1
$ cat cleaned.22000
WPA*02*a462a........020000*00The results looks different, because most of the (useful) information got lost.
That include timestamps, AUTHENTICATION state and NC.
hashcat is able to recover the PSK from this hash line, too, because the source is a demo dump file of good quality.
But this may fail on poor quality dump files:
https://github.com/ZerBea/hcxtools/issues/265