09-11-2017, 11:21 PM
Clean up CAP and Convert to HCCAPX for use with Hashcat: Crack WPA Handshake with Hashcat using Wordlist
Open captured handshake file with Wireshark and apply the following filter.
eapol || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x08 <--- Wireshark Filter
> Filter Out Complete 4 way Handshake using Wireshark
> Using the right-click menu, mark the 4 handshake packets as well as the top broadcast packet
- then export. File > Export > Select Marked Packets and save with .cap file extension
After cleaning up the .CAP handshake and exporting you must convert it for use with Hashcat
> Use https://hashcat.net/cap2hccapx/ to convert from .CAP to .HCCAPX
Ready to start cracking using Hashcat. Open a CMD or Terminal prompt, run as Admin/Root and issue the following command (I used the Windows version of Hashcat, hence the .exe in the below hashcat command)
> hashcat64.exe -m 2500 CapturedHandshake.hccapx wordlists/rockyou.txt
NOTES:
When cleaning up CAP file with Wireshark you want to make sure that you
select the correct packets. There will be 5 selected packets in total
Here is what the finished Wireshark output will look like if done properly
No. Time Source Destination Protocol Length Info
1 0.000000 Actionte_29:79:75 Broadcast 802.11 261 Beacon frame, SN=2579, FN=0, Flags= ........ , BI=100, SSID=NAMEofWIFI
2 141.783428 Actionte_29:79:75 Apple_59:67:41 EAPOL 155 Key (Message 1 of 4)
3 141.810056 Apple_59:67:41 Actionte_29:79:75 EAPOL 155 Key (Message 2 of 4)
4 141.822340 Actionte_29:79:75 Apple_59:67:41 EAPOL 213 Key (Message 3 of 4)
5 141.825929 Apple_59:67:41 Actionte_29:79:75 EAPOL 133 Key (Message 4 of 4)
I believe the Key Message packets 1 thru 4 must be in order starting at 1 and ending in 4.
You cannot select the packets out of order or it will not work.
This is a quick write-up that I hope will help some people who are having trouble. I also hope that I'm not reposting something that has already been covered multiple times. Like I said, I hope this helps out.
-CellToolz
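The "Message 1 of 4" to "Message 4 of 4" labels in the Wireshark listing above come from the 16-bit Key Information field of each EAPOL-Key frame. The following is an added example, not part of the original post, that derives those labels and checks that a set of frames holds messages 1 to 4 in order. It assumes a WPA2 (RSN) handshake; the function names and the sample values are constructed for illustration.

```python
# Added example: label EAPOL-Key frames from the 16-bit Key Information field
# (IEEE 802.11 4-way handshake, WPA2/RSN assumed) and check their order.

KEY_TYPE_PAIRWISE = 1 << 3  # set for the 4-way (pairwise) handshake
INSTALL = 1 << 6
KEY_ACK = 1 << 7            # set only in frames sent by the access point
KEY_MIC = 1 << 8
SECURE = 1 << 9


def handshake_message(key_info):
    """Return 1-4 for a pairwise 4-way handshake message, or None."""
    if not key_info & KEY_TYPE_PAIRWISE:
        return None  # group key handshake, not part of the 4-way exchange
    ack = bool(key_info & KEY_ACK)
    mic = bool(key_info & KEY_MIC)
    if ack and not mic:
        return 1  # AP -> client: ANonce, no MIC yet
    if ack and mic and key_info & INSTALL:
        return 3  # AP -> client: install the pairwise key
    if mic and not ack:
        # Client -> AP. In WPA2 the Secure bit is set only in message 4.
        return 4 if key_info & SECURE else 2
    return None


def is_complete_in_order(key_infos):
    """True when the frames are exactly messages 1, 2, 3, 4 in that order."""
    return [handshake_message(k) for k in key_infos] == [1, 2, 3, 4]


# Constructed sample values (typical WPA2-PSK with CCMP), not taken from the
# capture shown in the post.
SAMPLE = [0x008A, 0x010A, 0x13CA, 0x030A]

if __name__ == "__main__":
    for k in SAMPLE:
        print(f"key_info=0x{k:04x} -> message {handshake_message(k)}")
    print("complete and in order:", is_complete_in_order(SAMPLE))
```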