Extreme NewBie here
#4
Thanks.
The attached hash.hc22000 file does not belong to the dump file Hash-01.cap!

Attached hash file:
Code:
$ hcxhashtool -i hash.hc22000 --info=stdout
SSID.......: WiFi-2XDJ
MAC_AP.....: c486e9a51414 (HUAWEI TECHNOLOGIES CO.,LTD)
MAC_CLIENT.: 7cb37b743032 (Qingdao Intelligent&Precise Electronics Co.,Ltd.)
PMKID......: 506e98076dc071bd5409a669613af0ba
HASHLINE...: WPA*01*506e98076dc071bd5409a669613af0ba*c486e9a51414*7cb37b743032*576946692d3258444a***

SSID.......: WiFi-2XDJ
MAC_AP.....: c486e9a51414 (HUAWEI TECHNOLOGIES CO.,LTD)
MAC_CLIENT.: 985fd3290ad0 (Microsoft Corporation)
PMKID......: 60fbeee3ab7f89fbcb4944de59204c6f
HASHLINE...: WPA*01*60fbeee3ab7f89fbcb4944de59204c6f*c486e9a51414*985fd3290ad0*576946692d3258444a***

SSID.......: WiFi-2XDJ
MAC_AP.....: c486e9a51414 (HUAWEI TECHNOLOGIES CO.,LTD)
MAC_CLIENT.: 985fd3290ad0 (Microsoft Corporation)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
NC INFO....: NC not detected
EAPOL MSG..: 2
MP M2M3 E2.: authorized
MIC........: 4f1640c74e9630e699ce68f8e4d65372
HASHLINE...: WPA*02*4f1640c74e9630e699ce68f8e4d65372*c486e9a51414*985fd3290ad0*576946692d3258444a*742a957ce0c51ee58129345dddda249712b701547bbf8cb994e966536614e82f*0103007502010a00000000000000000001045fe84dd4c4a498551d939f0dc062c6e18862490f8eba22eb9567cc71697e51000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac022800*a2


Hash file calculated from the dump file:
Code:
$ hcxpcapngtool Hash-01.cap -o test.hc22000
hcxpcapngtool 6.3.4-25-gc910c18 reading from Hash-01.cap...

summary capture file
--------------------
file name.................................: Hash-01.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 26.06.2024 02:23:45
timestamp maximum (GMT)..................: 26.06.2024 02:24:25
duration of the dump tool (seconds)......: 39
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianness (capture system)..............: little endian
packets inside...........................: 3351
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 11
ACTION (total)...........................: 8
ACTION (containing ESSID)................: 1
PROBERESPONSE (total)....................: 24
DEAUTHENTICATION (total).................: 384
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
WPA encrypted............................: 753
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum msec)....: 43
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead. The PCAP Next Generation dump file format is an attempt to overcome the limitations of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: radiotap header is missing!
Radiotap is a de facto standard for 802.11 frame injection and reception. The radiotap header format is a mechanism to supply additional information about frames, from the driver to userspace applications.
https://www.radiotap.org/

Warning: too many deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER, renew ANONCE and set PMKID to zero. This could prevent to calculate a valid EAPOL MESSAGE PAIR, to get a valid PMKID or to decrypt the traffic.

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
Duration of the dump tool was a way too short to capture enough additional information.

session summary
---------------
processed cap files...................: 1


$ hcxhashtool -i test.hc22000 --info=stdout
SSID.......: ripsnorter
MAC_AP.....: 10133161d40b (Technicolor Delivery Technologies Belgium NV)
MAC_CLIENT.: 28c21f943ced (SAMSUNG ELECTRO-MECHANICS(THAILAND))
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
NC INFO....: hashcat default NC activated
EAPOL MSG..: 2
MP M2M3 E2.: authorized
MIC........: 87ae84defb09695745b9caf69f1d6abd
HASHLINE...: WPA*02*87ae84defb09695745b9caf69f1d6abd*10133161d40b*28c21f943ced*726970736e6f72746572*08abf5b83d3f681fbdd36c1eb19f7dedd35c2eeac21be77e08bf1a7ef9f5ff48*0103007502010a000000000000000000016e1ccb7281fbb93d342c7cf14d59178afef2cf48ede984d3d7ddc0a98b4496da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac028c00*82

Running hashcat on this file, the PSK will be recovered:
Code:
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: /tmp/test.hc22000
Time.Started.....: Wed Jun 26 07:36:48 2024 (1 sec)
Time.Estimated...: Wed Jun 26 07:36:49 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/tmp/rockyou.txt.tar.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   165.8 kH/s (11.46ms) @ Accel:256 Loops:64 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 314567/14344383 (2.19%)
Rejected.........: 183495/314567 (58.33%)
Restore.Point....: 0/14344383 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456789 -> brownie01
Hardware.Mon.#1..: Temp: 45c Util: 48% Core:1530MHz Mem:3500MHz Bus:8
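The mismatch shown in this post can be checked from the hash lines themselves, because each mode 22000 line carries the AP MAC, the client MAC and the hex-encoded ESSID as `*`-separated fields. The following is an added example, not part of the original post or of hcxtools; the function names are hypothetical, and the long ANONCE and EAPOL fields are replaced by the constructed placeholder `00`.

```python
from typing import NamedTuple

KINDS = {"01": "PMKID", "02": "EAPOL"}

# Identifying fields copied from the hcxhashtool listings in the post; the long
# ANONCE and EAPOL fields are swapped for the constructed placeholder "00".
ATTACHED = [
    "WPA*01*506e98076dc071bd5409a669613af0ba*c486e9a51414*7cb37b743032*576946692d3258444a***",
    "WPA*01*60fbeee3ab7f89fbcb4944de59204c6f*c486e9a51414*985fd3290ad0*576946692d3258444a***",
    "WPA*02*4f1640c74e9630e699ce68f8e4d65372*c486e9a51414*985fd3290ad0*576946692d3258444a*00*00*a2",
]
FROM_DUMP = [
    "WPA*02*87ae84defb09695745b9caf69f1d6abd*10133161d40b*28c21f943ced*726970736e6f72746572*00*00*82",
]


class HashLine(NamedTuple):
    kind: str        # "PMKID" (type 01) or "EAPOL" (type 02)
    mac_ap: str
    mac_client: str
    essid: str


def parse_hashline(line: str) -> HashLine:
    """Split one WPA*TYPE*DIGEST*AP*CLIENT*ESSID*ANONCE*EAPOL*MP line."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in KINDS:
        raise ValueError(f"not a mode 22000 hash line: {line[:40]!r}")
    kind, mac_ap, mac_client, essid_hex = fields[1], fields[3], fields[4], fields[5]
    for mac in (mac_ap, mac_client):
        if len(bytes.fromhex(mac)) != 6:
            raise ValueError(f"bad MAC field: {mac!r}")
    # The ESSID is hex-encoded and may hold arbitrary bytes, so decode leniently.
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    return HashLine(KINDS[kind], mac_ap, mac_client, essid)


def networks(lines):
    """Set of (AP MAC, ESSID) pairs that the hash lines refer to."""
    return {(h.mac_ap, h.essid) for h in map(parse_hashline, lines)}


def same_network(a, b) -> bool:
    """True if the two hash sets share at least one (AP MAC, ESSID) pair."""
    return bool(networks(a) & networks(b))


if __name__ == "__main__":
    print("attached :", networks(ATTACHED))
    print("from dump:", networks(FROM_DUMP))
    print("same network:", same_network(ATTACHED, FROM_DUMP))
```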


Messages In This Thread
Extreme NewBie here - by Oyama - 06-26-2024, 03:05 AM
RE: Extreme NewBie here - by ZerBea - 06-26-2024, 06:39 AM
RE: Extreme NewBie here - by Oyama - 06-26-2024, 07:07 AM
RE: Extreme NewBie here - by ZerBea - 06-26-2024, 07:38 AM
RE: Extreme NewBie here - by ZerBea - 06-26-2024, 07:50 AM
RE: Extreme NewBie here - by ZerBea - 06-26-2024, 07:58 AM
RE: Extreme NewBie here - by Oyama - 06-26-2024, 08:23 AM
RE: Extreme NewBie here - by ZerBea - 06-26-2024, 08:31 AM
RE: Extreme NewBie here - by Oyama - 06-27-2024, 05:22 AM
RE: Extreme NewBie here - by Oyama - 06-28-2024, 01:04 PM