Any Other ways of cracking Wpa2
#13
PSK == PreSharedKey == WPA Password

I took a look at the uncleaned dump file. It reflects exactly what I wrote:
894233 stupid DEAUTHENTICATION frames have been injected:
Code:
DEAUTHENTICATION (total).................: 894233
...
Warning: excessive number of deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER, renew ANONCE and set PMKID to zero. This could prevent to calculate a valid EAPOL MESSAGE PAIR, to get a valid PMKID or to decrypt the traffic.
Most of these DEAUTHENTICATION frames are useless, because they are addressed to broadcast FF:FF:FF:FF:FF:FF.

More than half an hour your attack tool flooded the entire channel (transmitting mostly useless DEAUTHENTICATION frames):
Code:
timestamp minimum (timestamp)............: 22.07.2024 09:25:51 (1721640351)
timestamp maximum (timestamp)............: 22.07.2024 10:01:51 (1721642511)
to get a single EAPOL MESSAGEPAIR:
Code:
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL M32E2 (authorized).................: 1

Please take a look at packet 67210 -> you got an EAPOL M1
But instead of waiting to get an EAPOL M2 to complete the handshake, the attack tool injected hundreds of stupid DEAUTHENTICATION frames. The CLIENT has no chance to reply.

The same on packet 80985. Again no chance for the CLIENT to reply.
The same on packet 96062. Again no chance for the CLIENT to reply, because the attack tool still floods the channel with DEAUTHENTICATION frames.......

No undirected PROBEREQUESTs inside the dump file from which you could "possibly" get more information:
Code:
Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.
https://hashcat.net/forum/thread-12096-post-61265.html#pid61265

Your attack device can either transmit or receive (but not both at the same time on the same channel).
While your attack tool transmitted these 894233 stupid DEAUTHENTICATION frames, you received nothing(!) from the target.

BTW:
This "noisy" attack can be easily detected by every intrusion detection system.

Please note:
hashcat does not attack a NETWORK! It is only able to recover the PSK from a hash (brute force by word list, by rule, by mask or by a combination of them).
The real attack has to be done on the air. If this attack failed, hashcat will fail, too (or it will take a long time to brute force the PSK).


BTW 2:
The RADIOTAP header has not been recorded:
Code:
Information: radiotap header is missing!
Radiotap is a de facto standard for 802.11 frame injection and reception. The radiotap header format is a mechanism to supply additional information about frames, from the driver to userspace applications.
https://www.radiotap.org/

You can get some good information about the quality of the packet from it.
Example of what is missing in your dump file:
Code:
Radiotap Header v0, Length 24
    Header revision: 0
    Header pad: 0
    Header length: 24
    Present flags
        Present flags word: 0xa000402e
            .... .... .... .... .... .... .... ...0 = TSFT: Absent
            .... .... .... .... .... .... .... ..1. = Flags: Present
            .... .... .... .... .... .... .... .1.. = Rate: Present
            .... .... .... .... .... .... .... 1... = Channel: Present
            .... .... .... .... .... .... ...0 .... = FHSS: Absent
            .... .... .... .... .... .... ..1. .... = dBm Antenna Signal: Present
            .... .... .... .... .... .... .0.. .... = dBm Antenna Noise: Absent
            .... .... .... .... .... .... 0... .... = Lock Quality: Absent
            .... .... .... .... .... ...0 .... .... = TX Attenuation: Absent
            .... .... .... .... .... ..0. .... .... = dB TX Attenuation: Absent
            .... .... .... .... .... .0.. .... .... = dBm TX Power: Absent
            .... .... .... .... .... 0... .... .... = Antenna: Absent
            .... .... .... .... ...0 .... .... .... = dB Antenna Signal: Absent
            .... .... .... .... ..0. .... .... .... = dB Antenna Noise: Absent
            .... .... .... .... .1.. .... .... .... = RX flags: Present
            .... .... .... .... 0... .... .... .... = TX flags: Absent
            .... .... .... ..0. .... .... .... .... = data retries: Absent
            .... .... .... .0.. .... .... .... .... = Channel+: Absent
            .... .... .... 0... .... .... .... .... = MCS information: Absent
            .... .... ...0 .... .... .... .... .... = A-MPDU Status: Absent
            .... .... ..0. .... .... .... .... .... = VHT information: Absent
            .... .... .0.. .... .... .... .... .... = frame timestamp: Absent
            .... .... 0... .... .... .... .... .... = HE information: Absent
            .... ...0 .... .... .... .... .... .... = HE-MU information: Absent
            .... .0.. .... .... .... .... .... .... = 0 Length PSDU: Absent
            .... 0... .... .... .... .... .... .... = L-SIG: Absent
            .... ..0. .... .... .... .... .... .... = Reserved: 0x0
            ...0 .... .... .... .... .... .... .... = TLVs: Absent
            ..1. .... .... .... .... .... .... .... = Radiotap NS next: True
            .0.. .... .... .... .... .... .... .... = Vendor NS next: False
            1... .... .... .... .... .... .... .... = Ext: Present
        Present flags word: 0x00000820
            .... .... .... .... .... .... .... ...0 = TSFT: Absent
            .... .... .... .... .... .... .... ..0. = Flags: Absent
            .... .... .... .... .... .... .... .0.. = Rate: Absent
            .... .... .... .... .... .... .... 0... = Channel: Absent
            .... .... .... .... .... .... ...0 .... = FHSS: Absent
            .... .... .... .... .... .... ..1. .... = dBm Antenna Signal: Present
            .... .... .... .... .... .... .0.. .... = dBm Antenna Noise: Absent
            .... .... .... .... .... .... 0... .... = Lock Quality: Absent
            .... .... .... .... .... ...0 .... .... = TX Attenuation: Absent
            .... .... .... .... .... ..0. .... .... = dB TX Attenuation: Absent
            .... .... .... .... .... .0.. .... .... = dBm TX Power: Absent
            .... .... .... .... .... 1... .... .... = Antenna: Present
            .... .... .... .... ...0 .... .... .... = dB Antenna Signal: Absent
            .... .... .... .... ..0. .... .... .... = dB Antenna Noise: Absent
            .... .... .... .... .0.. .... .... .... = RX flags: Absent
            .... .... .... .... 0... .... .... .... = TX flags: Absent
            .... .... .... ..0. .... .... .... .... = data retries: Absent
            .... .... .... .0.. .... .... .... .... = Channel+: Absent
            .... .... .... 0... .... .... .... .... = MCS information: Absent
            .... .... ...0 .... .... .... .... .... = A-MPDU Status: Absent
            .... .... ..0. .... .... .... .... .... = VHT information: Absent
            .... .... .0.. .... .... .... .... .... = frame timestamp: Absent
            .... .... 0... .... .... .... .... .... = HE information: Absent
            .... ...0 .... .... .... .... .... .... = HE-MU information: Absent
            .... .0.. .... .... .... .... .... .... = 0 Length PSDU: Absent
            .... 0... .... .... .... .... .... .... = L-SIG: Absent
            .... ..0. .... .... .... .... .... .... = Reserved: 0x0
            ...0 .... .... .... .... .... .... .... = TLVs: Absent
            ..0. .... .... .... .... .... .... .... = Radiotap NS next: False
            .0.. .... .... .... .... .... .... .... = Vendor NS next: False
            0... .... .... .... .... .... .... .... = Ext: Absent
    Flags: 0x00
        .... ...0 = CFP: False
        .... ..0. = Preamble: Long
        .... .0.. = WEP: False
        .... 0... = Fragmentation: False
        ...0 .... = FCS at end: False
        ..0. .... = Data Pad: False
        .0.. .... = Bad FCS: False
        0... .... = Short GI: False
    Data Rate: 1,0 Mb/s
    Channel frequency: 2412 [BG 1]
    Channel flags: 0x00a0, Complementary Code Keying (CCK), 2 GHz spectrum
        .... .... .... ...0 = 700 MHz spectrum: False
        .... .... .... ..0. = 800 MHz spectrum: False
        .... .... .... .0.. = 900 MHz spectrum: False
        .... .... ...0 .... = Turbo: False
        .... .... ..1. .... = Complementary Code Keying (CCK): True
        .... .... .0.. .... = Orthogonal Frequency-Division Multiplexing (OFDM): False
        .... .... 1... .... = 2 GHz spectrum: True
        .... ...0 .... .... = 5 GHz spectrum: False
        .... ..0. .... .... = Passive: False
        .... .0.. .... .... = Dynamic CCK-OFDM: False
        .... 0... .... .... = Gaussian Frequency Shift Keying (GFSK): False
        ...0 .... .... .... = GSM (900MHz): False
        ..0. .... .... .... = Static Turbo: False
        .0.. .... .... .... = Half Rate Channel (10MHz Channel Width): False
        0... .... .... .... = Quarter Rate Channel (5MHz Channel Width): False
    Antenna signal: -70 dBm
    RX flags: 0x0000
        .... .... .... .... .... ..0. = Bad PLCP: False
    Antenna signal: -70 dBm
    Antenna: 0

BTW 3:
The format of your dump file is cap. This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead. The PCAP Next Generation dump file format is an attempt to overcome the limitations of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html...lesSection
https://github.com/pcapng/pcapng

The state-of-the-art dump file format is pcapng. The leading network analyzer tools (Wireshark, tshark) use this format as default.


But in the end your attack was successful (if the only goal was to get an EAPOL 4way handshake): you got it (packets 66396-66400). It can be converted to a hc22000 file hashcat can work on.
Unfortunately (on that entire key space) it will take a human lifetime to get the PSK by brute force methods.
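An added example (not part of ZerBea's post) that parses a radiotap header the way the dissection above lays it out: it walks the chained present-flags words (bit 31 = Ext, bit 29 = Radiotap NS next), applies each field's natural alignment, and reads a 24-byte header constructed from the values quoted above (present words 0xa000402e / 0x00000820, 1 Mb/s, 2412 MHz, -70 dBm).

```python
import struct

# Radiotap namespace fields: bit -> (alignment, struct format, name), per radiotap.org.
FIELDS = {
    0: (8, "<Q", "tsft"),            1: (1, "<B", "flags"),
    2: (1, "<B", "rate"),            3: (2, "<HH", "channel"),
    4: (2, "<BB", "fhss"),           5: (1, "<b", "dbm_antsignal"),
    6: (1, "<b", "dbm_antnoise"),    7: (2, "<H", "lock_quality"),
    8: (2, "<H", "tx_attenuation"),  9: (2, "<H", "db_tx_attenuation"),
    10: (1, "<b", "dbm_tx_power"),   11: (1, "<B", "antenna"),
    12: (1, "<B", "db_antsignal"),   13: (1, "<B", "db_antnoise"),
    14: (2, "<H", "rx_flags"),       15: (2, "<H", "tx_flags"),
}

def parse_radiotap(buf):
    # Returns (header_length, [dict of fields per radiotap namespace]).
    ver, _pad, length = struct.unpack_from("<BBH", buf, 0)
    if ver != 0 or length > len(buf):
        raise ValueError("bad radiotap header")
    present, off = [], 4
    while True:                   # bit 31 (Ext): another present word follows
        (word,) = struct.unpack_from("<I", buf, off)
        present.append(word)
        off += 4
        if not word & (1 << 31):
            break
    namespaces, fields, bit_base = [], {}, 0
    for word in present:
        for bit in range(29):
            if not word & (1 << bit):
                continue
            align, fmt, name = FIELDS[bit_base + bit]  # KeyError: unknown field
            off = (off + align - 1) // align * align    # natural alignment
            vals = struct.unpack_from(fmt, buf, off)
            fields[name] = vals if len(vals) > 1 else vals[0]
            off += struct.calcsize(fmt)
        if word & (1 << 30):
            raise ValueError("vendor namespace not handled in this example")
        if word & (1 << 29):      # Radiotap NS next: bit numbering restarts at 0
            namespaces.append(fields)
            fields, bit_base = {}, 0
        else:
            bit_base += 32        # plain extension word continues the numbering
    if fields or not namespaces:
        namespaces.append(fields)
    return length, namespaces

# Constructed to match the dissection above: present words 0xa000402e / 0x00000820.
SAMPLE = bytes.fromhex("00001800" "2e4000a0" "20080000"
                       "00" "02" "6c09a000" "ba" "00" "0000" "ba" "00")
```

The 802.11 frame itself starts at `buf[length:]`; the rate field is in units of 500 kbps, so 2 means 1.0 Mb/s.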