02-07-2017, 11:49 AM
(02-07-2017, 01:01 AM)rico Wrote: Great stuff, handshake capturing always a tricky business. I just gave cap2hccapx a quick spin but didn't have much luck either I'm afraid. cap2hccapx seems to identify incomplete handshakes as good?
Kind of yes, and it's good you notice it because this is another new feature I forgot to mention in the above introduction text. From your example it's clear that you are facing exactly the problem mentioned above. That is the replay counter collisions (all Replay Counter variables in your dump are 0 while AP and STA are the same). That means with aircrack-ng there's a 50% chance you will not be able to crack it (with the correct password candidate and when exported as .hccap) because of the wrongly mixing of the nonce's. If it works this time it's possible it will not work with the next .cap you're producing.
The problem remains also with hccapx because the damage is done already. However, cap2hccapx knows about hashcats ability to crack N number of handshakes of the same ESSID for the price of one. That's why it's exporting all possible matches (valid combinations of MAC-AP<->MAC-STA and valid replay counter). The time it takes to crack them with hashcat is the same as it would be only one handshake. If you want to verify just capture the runtime of hashcat cracking just one or all four, it's the same. However, the chances to crack at least one of them is 100% (if you have the correct password candidate) and that's the important difference.
One more thing to mentioning:
Quote:t2. Wireshark reports Message 4 of 4 (airodump-ng picks up no handshake)
Note that packet 4 is not needed for cracking with hashcat. This one is dropped.
Quote:Hashfile 'tst260ff.hccapx': Invalid hccapx eapol size
Hashfile 'tst260ff.hccapx': Invalid hccapx signature
Hashfile 'tst260ff.hccapx': Invalid hccapx signature
This one is odd and shouldn't occur. To reproduce locally I need the .cap. Please send it to me.