Missing Frames and hcxpcapngtool
#2
The basics:
To recover the PSK of a WPA1, WPA2 or WPA2 key version 3 network you need either a 4-way handshake (which contains an M2 or a non-zeroed M4 and either an M1 or an M3) or a PMKID, and the network name (ESSID).

But there are many more useful frames and pieces of information that can help to recover a PSK.
hcxpcapngtool is an analysis tool that will take this additional information from the dumpfile and pass it to hashcat. That makes it easier to recover the PSK.
Unfortunately the tools that you use to attack the target and to dump the traffic to a cap/pcap file do not take care of this! hcxpcapngtool detects these missing frames as well as the missing radiotap information and gives you a warning.
Please notice: it is only a warning and not an ERROR.

To get rid of this, I suggest using hcxdumptool (attack and dump):
Code:
$ hcxpcapngtool -o test.22000 -E wordlist -I wordlist -U wordlist hcxdumptool.pcapng
hcxpcapngtool 6.2.4-83-g48d77b7 reading from hcxdumptool.pcapng...

summary capture file
--------------------
file name.................................: hcxdumptool.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.10.32-2-ARCH
application..............................: hcxdumptool 6.2.4-14-g69872e0
interface name...........................: wlan0
interface vendor.........................: 00e061
openSSL version..........................: 1.1
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 00bb3a0d66ce (incremented on every new client)
MAC CLIENT...............................: f0a225ad2c04
REPLAYCOUNT..............................: 61865
ANONCE...................................: 6b27634f5e19df3b62aea9255ecc1ccbf0c22028b0d28427389080355947207c
SNONCE...................................: 523b2d541ed34297a92a2a52a3e79d07f2d391fe41100e66d5e1b55e02f49211
timestamp minimum (GMT)..................: 29.04.2021 11:29:42
timestamp maximum (GMT)..................: 29.04.2021 21:55:51
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 15573
packets received on 2.4 GHz..............: 14529
ESSID (total unique).....................: 1270
BEACON (total)...........................: 1968
BEACON (detected on 2.4 GHz channel).....: 1 3 4 5 6 7 8 9 10 11 13
BEACON (SSID unset)......................: 117
BEACON (SSID zeroed).....................: 20
PROBEREQUEST.............................: 245
PROBEREQUEST (directed)..................: 16
PROBERESPONSE (total)....................: 759
AUTHENTICATION (total)...................: 347
AUTHENTICATION (OPEN SYSTEM).............: 347
ASSOCIATIONREQUEST (total)...............: 45
ASSOCIATIONREQUEST (PSK).................: 45
REASSOCIATIONREQUEST (total).............: 24
REASSOCIATIONREQUEST (PSK)...............: 24
EAP (total)..............................: 6
EAP CODE request.........................: 4
EAP-TLS messages.........................: 4
EAPOL messages (total)...................: 11685
EAPOL RSN messages.......................: 11664
EAPOL WPA messages.......................: 21
EAPOLTIME gap (measured maximum usec)....: 60667444
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 12
EAPOL M1 messages (total)................: 4378
EAPOL M2 messages (total)................: 6833
EAPOL M3 messages (total)................: 222
EAPOL M4 messages (total)................: 252
EAPOL pairs (total)......................: 38361
EAPOL pairs (best).......................: 50
EAPOL ROGUE pairs........................: 30
EAPOL pairs written to combi hash file....: 50 (RC checked)
EAPOL M12E2 (challenge)..................: 35
EAPOL M32E2 (authorized).................: 13
EAPOL M34E4 (authorized).................: 2
PMKID (useless)..........................: 32
PMKID (total)............................: 349
PMKID (best).............................: 108
PMKID ROGUE..............................: 95
PMKID written to combi hash file.........: 108
session summary
---------------
processed pcapng files................: 1
You may have noticed that this dumpfile in pcapng format, taken by hcxdumptool, contains a full radiotap header and much more information than your dumpfile.

To make it clear to you what is missing in your dump file, please read this:
https://github.com/evilsocket/pwnagotchi/issues/835
and get the example mentioned there:
https://github.com/evilsocket/pwnagotchi...nctest.zip
now try it:
Code:
$ hcxpcapngtool -o eapol.22000 -E wordlist test.pcap
$ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist
and you'll know what I mean.

Do not wonder about the pcap file format. The example was converted from pcapng to pcap so that old-school tools (e.g. those based on libpcap) are able to handle it. Unfortunately neither the cap nor the pcap file format is able to store the additional comment fields that will help to recover the PSK.
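The M1..M4 classification and the pairing rules behind the "EAPOL M12E2 / M32E2 / M34E4" counters in the summary above, as an added Python example; this is not hcxpcapngtool's code and not part of the original post. The frame fields, the hypothetical EapolKey record and the sample handshake are constructed (MACs taken from the summary, nonces invented).

```python
# Added example, not hcxpcapngtool code: classify EAPOL-Key frames into the
# 4-way handshake messages M1..M4 and form the pairs hashcat can work with.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EAPOL-Key "Key Information" bits (IEEE 802.11)
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200

@dataclass
class EapolKey:            # hypothetical record of one decoded EAPOL-Key frame
    src: str               # sender MAC
    dst: str               # receiver MAC
    key_info: int          # Key Information field
    replay: int            # Replay Counter
    nonce: bytes           # ANONCE (M1/M3) or SNONCE (M2/M4), 32 bytes

def classify(f: EapolKey) -> Optional[str]:
    """Return "M1".."M4" for a pairwise handshake frame, else None."""
    if not f.key_info & PAIRWISE:
        return None                     # group-key handshake: useless for the PSK
    if f.key_info & ACK:                # AP -> client: M1 has no MIC, M3 has one
        return "M3" if f.key_info & MIC else "M1"
    if not f.key_info & MIC:
        return None
    return "M4" if f.key_info & SECURE else "M2"   # client -> AP

def usable_pairs(frames: List[EapolKey]) -> List[Tuple[str, int]]:
    """Pair AP and client messages by Replay Counter (RC).

    M1+M2 (challenge) share one RC; M3 carries the RC of M2 plus one and is
    paired with it (authorized); M3+M4 (authorized) share one RC and the M4
    must carry a non-zeroed SNONCE, otherwise it is worthless for hashcat.
    """
    tagged = [(classify(f), f) for f in frames]
    out = []
    for ka, a in tagged:
        if ka not in ("M1", "M3"):
            continue
        for kb, b in tagged:
            if kb not in ("M2", "M4") or (a.src, a.dst) != (b.dst, b.src):
                continue
            if ka == "M1" and kb == "M2" and a.replay == b.replay:
                out.append(("M12E2", a.replay))
            elif ka == "M3" and kb == "M2" and a.replay == b.replay + 1:
                out.append(("M32E2", a.replay))
            elif ka == "M3" and kb == "M4" and a.replay == b.replay and any(b.nonce):
                out.append(("M34E4", a.replay))
    return out

# Constructed sample: one handshake (RC 1,1,2,2) between the MACs shown in the
# summary above; the M4 is zeroed on purpose and must not produce a pair.
AP, STA = "00bb3a0d66ce", "f0a225ad2c04"
AN, SN = bytes([0xA5]) * 32, bytes([0x5A]) * 32
SAMPLE = [
    EapolKey(AP, STA, PAIRWISE | ACK, 1, AN),                  # M1
    EapolKey(STA, AP, PAIRWISE | MIC, 1, SN),                  # M2
    EapolKey(AP, STA, PAIRWISE | ACK | MIC | INSTALL, 2, AN),  # M3
    EapolKey(STA, AP, PAIRWISE | MIC | SECURE, 2, bytes(32)),  # M4, zeroed SNONCE
]
```

Running usable_pairs(SAMPLE) yields only the M12E2 and M32E2 pairs; replacing the zeroed M4 with one carrying a real SNONCE adds the M34E4 pair.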