Plugins 2500/2501 and 16800/16801 are deprecated
#6
The last field of the hash line (...*xx) contains a bitmask with detailed information about the MESSAGEPAIR (machine readable and much more information than a simple yes or no):

Code:
bitmask of message pair field:
2,1,0:
000 = M1+M2, EAPOL from M2 (challenge)
001 = M1+M4, EAPOL from M4 if not zeroed (authorized)
010 = M2+M3, EAPOL from M2 (authorized)
011 = M2+M3, EAPOL from M3 (authorized) - unused
100 = M3+M4, EAPOL from M3 (authorized) - unused
101 = M3+M4, EAPOL from M4 if not zeroed (authorized)
3: reserved
4: ap-less attack (set to 1) - no nonce-error-corrections necessary
5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary
6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

In your case
on the first hash:
Code:
...*00 = bitmask 00000000 = M1+M2, EAPOL from M2 (challenge)
on the second hash:
Code:
...*02 = bitmask 00000010 = M2+M3, EAPOL from M2 (authorized)

Now you can run bash tools to get all MESSAGEPAIRs you want:
Code:
001 = M1+M4, EAPOL from M4 if not zeroed (authorized)
$ cat hashfile.hc22000 | grep "WPA.02" | grep "1$"

010 = M2+M3, EAPOL from M2 (authorized)
$ cat hashfile.hc22000 | grep "WPA.02" | grep "2$"

101 = M3+M4, EAPOL from M4 if not zeroed (authorized)
$ cat hashfile.hc22000 | grep "WPA.02" | grep "5$"

or, if you don't want NC to be in use:
Code:
001 = M1+M4, EAPOL from M4 if not zeroed (authorized)
$ cat hashfile.hc22000 | grep "WPA.02" | grep "01$"

010 = M2+M3, EAPOL from M2 (authorized)
$ cat hashfile.hc22000 | grep "WPA.02" | grep "02$"

101 = M3+M4, EAPOL from M4 if not zeroed (authorized)
$ cat hashfile.hc22000 | grep "WPA.02" | grep "05$"

Some more examples:
Code:
Get all PMKIDs, sort by MAC_AP:
$ cat hash.hc22000 | grep WPA.01 | sort -t "*" -k 4

Get all PMKIDs, sort by ESSID:
$ cat hash.hc22000 | grep WPA.01 | sort -t "*" -k 6

Get all authenticated MESSAGEPAIRs, NC not required, sort by MAC_AP:
$ cat hash.hc22000 | grep WPA.02 | grep 02$ | sort -t "*" -k 4

Get all authenticated MESSAGEPAIRs, NC not required, sort by ESSID:
$ cat hash.hc22000 | grep WPA.02 | grep 02$ | sort -t "*" -k 6


BTW:
I took a look at the attached cap file:
The capture file appears to have been cut short in the middle of a packet (packet 16063).
It looks like your capturing tool doesn't handle timestamps correctly.
You injected too many deauthentications. Some of them are injected directly into the authentication sequence between an EAPOL M1 and an EAPOL M2 message (packet 1187 - 1197). This mostly happens if you use stupid deauthentication tools which don't evaluate incoming frames.
Directed PROBEREQUEST frames are not stored or filtered out. From these frames we can possibly get PSKs in the clear.
The radiotap header was removed.
Ancient cap file format is used to store packets.
Code:
$ hcxpcapngtool -o test.22000 123456789_19901013ld.cap
hcxpcapngtool 6.2.4-1-g34a4170 reading from 123456789_19901013ld.cap...
failed to read pcap packet header for packet 16063

summary capture file
--------------------
file name................................: 123456789_19901013ld.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 10.04.2016 06:06:45
timestamp maximum (GMT)..................: 10.04.2016 07:18:21
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 16063
BEACON (total)...........................: 1
ACTION (total)...........................: 38
PROBEREQUEST (directed)..................: 5
PROBERESPONSE (total)....................: 106
DEAUTHENTICATION (total).................: 770
AUTHENTICATION (total)...................: 5
AUTHENTICATION (OPEN SYSTEM).............: 5
ASSOCIATIONREQUEST (total)...............: 2
ASSOCIATIONREQUEST (PSK).................: 2
WPA encrypted............................: 41
EAPOL messages (total)...................: 34
EAPOL RSN messages.......................: 34
ESSID (total unique).....................: 1
EAPOLTIME gap (measured maximum usec)....: 42501
EAPOL ANONCE error corrections (NC)......: not detected
REPLAYCOUNT gap (measured maximum).......: 3
EAPOL M1 messages (total)................: 5
EAPOL M2 messages (total)................: 27
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 28
EAPOL pairs (best).......................: 2
EAPOL pairs written to combi hash file...: 2 (RC checked)
EAPOL M12E2 (challenge)..................: 1
EAPOL M32E2 (authorized).................: 1
packet read error........................: 1

Warning: out of sequence timestamps!
This dump file contains frames with out of sequence timestamps.
That is a bug of the capturing tool.

Warning: too many deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER,
renew ANONCE and set PMKID to zero.
This could prevent to calculate a valid EAPOL MESSAGE PAIR
or to get a valid PMKID.

Warning: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

session summary
---------------
processed cap files...................: 1
Messages In This Thread
RE: Plugins 2500/2501 and 16800/16801 are deprecated - by ZerBea - 09-16-2021, 02:26 PM
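
Added example (not part of the post above and not hcxtools code): a POSIX shell decoder for the MESSAGEPAIR byte, following the bitmask table in the post, that reads the byte as a number instead of matching the line ending with grep. The function names, the short flag labels and the sample lines are constructed for illustration; field positions follow the post (MAC_AP is field 4, MESSAGEPAIR is the last field).

```shell
# decode_mp HEX: print "pair;flags" for one MESSAGEPAIR byte, per the bitmask above.
decode_mp() {
    case $1 in
        [0-9a-fA-F][0-9a-fA-F]) ;;   # exactly two hex digits
        *) return 1 ;;               # reject before arithmetic expansion
    esac
    v=$((0x$1))
    case $((v & 7)) in               # bits 2,1,0: message pair
        0) pair="M1+M2, EAPOL from M2 (challenge)" ;;
        1) pair="M1+M4, EAPOL from M4 (authorized)" ;;
        2) pair="M2+M3, EAPOL from M2 (authorized)" ;;
        3) pair="M2+M3, EAPOL from M3 (authorized)" ;;
        4) pair="M3+M4, EAPOL from M3 (authorized)" ;;
        5) pair="M3+M4, EAPOL from M4 (authorized)" ;;
        *) pair="undefined" ;;       # 110 and 111 are not listed in the post
    esac
    flags=""
    if [ $((v & 16)) -ne 0 ]; then flags="$flags,ap-less"; fi
    if [ $((v & 32)) -ne 0 ]; then flags="$flags,LE-router"; fi
    if [ $((v & 64)) -ne 0 ]; then flags="$flags,BE-router"; fi
    if [ $((v & 128)) -ne 0 ]; then flags="$flags,RC-not-checked"; fi
    printf '%s;%s\n' "$pair" "${flags#,}"
}

# annotate: read hash lines on stdin, print "MAC_AP pair;flags" per WPA*02 line.
annotate() {
    while IFS= read -r line; do
        case $line in WPA\*02\**) ;; *) continue ;; esac
        rest=${line#WPA\*02\**\*}    # drop signature, type and MIC fields
        mac_ap=${rest%%\**}          # field 4
        if d=$(decode_mp "${line##*\*}"); then
            printf '%s %s\n' "$mac_ap" "$d"
        fi
    done
}

# Constructed sample lines; field contents are placeholders, not captured data.
sample() {
    cat <<'EOF'
WPA*01*PMKID*aabbccddeeff*112233445566*6e6574***
WPA*02*MIC*aabbccddeeff*112233445566*6e6574*ANONCE*EAPOL*00
WPA*02*MIC*aabbccddeeff*112233445566*6e6574*ANONCE*EAPOL*02
WPA*02*MIC*aabbccddeeff*112233445566*6e6574*ANONCE*EAPOL*82
WPA*02*MIC*aabbccddeeff*112233445566*6e6574*ANONCE*EAPOL*a2
WPA*02*MIC*aabbccddeeff*112233445566*6e6574*ANONCE*EAPOL*zz
EOF
}
sample | annotate
```

On a real file, run `annotate < hashfile.hc22000`; lines whose last field is not two hex digits are skipped rather than evaluated.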