My goal today is to create one master 100% crackable hccapx from all of the pcap files from the last week created from hcxdumptool.
I have created a processing script that has two ways of attempting to doing this:
~/cap/Combined/tools/hcxtools/wlancap2hcx -p output/merged.pcap *.pcap
cat *.pcap > output/merged_cat.pcap
#old method using wlancap
~/cap/Combined/tools/hcxtools/wlancap2hcx -Z -D -o output/current_wlan_p.hccapx output/merged.pcap
~/cap/Combined/tools/hcxtools/wlancap2hcx -Z -D -o output/current_wlan_cat.hccapx output/merged_cat.pcap
#newer hcxpcaptool
~/cap/Combined/tools/hcxtools/hcxpcaptool -o output/current_new_p.hccapx output/merged.pcap
~/cap/Combined/tools/hcxtools/hcxpcaptool -o output/current_new_cat.hccapx output/merged_cat.pcap
Results:
---
15K May 2 18:02 current_new_cat.hccapx
3.6M May 2 18:02 current_new_p.hccapx
188K May 2 18:02 current_wlan_cat.hccapx
251K May 2 18:02 current_wlan_p.hccapx
22M May 2 18:02 merged.pcap
60M May 2 18:02 merged_cat.pcap
---
MBP:~/cap/Combined$ ./tools/hcxtools/wlanhcxinfo -i output/current_wlan_p.hccapx
total hashes read from file.......: 653
handshakes from clients...........: 393
little endinan router detected....: 0
big endinan router detected.......: 0
zeroed ESSID......................: 0
802.1x Version 2001...............: 481
802.1x Version 2004...............: 172
WPA1 RC4 Cipher, HMAC-MD5.........: 3
WPA2 AES Cipher, HMAC-SHA1........: 648
WPA2 AES Cipher, AES-128-CMAC.....: 0
group key flag set................: 1
message pair M12E2................: 539 (27 not replaycount checked)
message pair M14E4................: 14 (8 not replaycount checked)
message pair M32E2................: 100 (43 not replaycount checked)
message pair M32E3................: 0 (0 not replaycount checked)
message pair M34E3................: 0 (0 not replaycount checked)
message pair M34E4................: 0 (0 not replaycount checked)
nonce-error-corrections is working on that file
MBP:~/cap/Combined$ ./tools/hcxtools/wlanhcxinfo -i output/current_wlan_cat.hccapx
total hashes read from file.......: 489
handshakes from clients...........: 276
little endinan router detected....: 0
big endinan router detected.......: 0
zeroed ESSID......................: 0
802.1x Version 2001...............: 360
802.1x Version 2004...............: 129
WPA1 RC4 Cipher, HMAC-MD5.........: 0
WPA2 AES Cipher, HMAC-SHA1........: 487
WPA2 AES Cipher, AES-128-CMAC.....: 0
group key flag set................: 1
message pair M12E2................: 402 (26 not replaycount checked)
message pair M14E4................: 14 (8 not replaycount checked)
message pair M32E2................: 73 (36 not replaycount checked)
message pair M32E3................: 0 (0 not replaycount checked)
message pair M34E3................: 0 (0 not replaycount checked)
message pair M34E4................: 0 (0 not replaycount checked)
nonce-error-corrections is working on that file
MBP:~/cap/Combined$ ./tools/hcxtools/wlanhcxinfo -i output/current_new_p.hccapx
total hashes read from file.......: 9530
handshakes from clients...........: 8867
little endinan router detected....: 97
big endinan router detected.......: 0
zeroed ESSID......................: 0
802.1x Version 2001...............: 6486
802.1x Version 2004...............: 3044
WPA1 RC4 Cipher, HMAC-MD5.........: 2
WPA2 AES Cipher, HMAC-SHA1........: 9528
WPA2 AES Cipher, AES-128-CMAC.....: 0
group key flag set................: 0
message pair M12E2................: 9200 (29 not replaycount checked)
message pair M14E4................: 240 (118 not replaycount checked)
message pair M32E2................: 90 (2 not replaycount checked)
message pair M32E3................: 0 (0 not replaycount checked)
message pair M34E3................: 0 (0 not replaycount checked)
message pair M34E4................: 0 (0 not replaycount checked)
nonce-error-corrections is working on that file
MBP:~/cap/Combined$ ./tools/hcxtools/wlanhcxinfo -i output/current_new_cat.hccapx
total hashes read from file.......: 39
handshakes from clients...........: 26
little endinan router detected....: 0
big endinan router detected.......: 0
zeroed ESSID......................: 0
802.1x Version 2001...............: 23
802.1x Version 2004...............: 16
WPA1 RC4 Cipher, HMAC-MD5.........: 0
WPA2 AES Cipher, HMAC-SHA1........: 39
WPA2 AES Cipher, AES-128-CMAC.....: 0
group key flag set................: 0
message pair M12E2................: 35 (1 not replaycount checked)
message pair M14E4................: 0 (0 not replaycount checked)
message pair M32E2................: 4 (0 not replaycount checked)
message pair M32E3................: 0 (0 not replaycount checked)
message pair M34E3................: 0 (0 not replaycount checked)
message pair M34E4................: 0 (0 not replaycount checked)
nonce-error-corrections is working on that file
---
My questions:
1. What is the better merge method? I know I have many duplicate handshakes
2. Something seems very wrong with the hcxpcaptool method I am using, any thoughts on way I have so few handshakes in the current_new_cat.hccapx?
3. I want the hccapx file to be as clean as possible, if I feed a cracked wordlist into Hashcat and --remove, I do not want to see for example, ATT722 in the potfile and still in the Hashcat processed hccapx file.
I have created a processing script that has two ways of attempting to doing this:
~/cap/Combined/tools/hcxtools/wlancap2hcx -p output/merged.pcap *.pcap
cat *.pcap > output/merged_cat.pcap
#old method using wlancap
~/cap/Combined/tools/hcxtools/wlancap2hcx -Z -D -o output/current_wlan_p.hccapx output/merged.pcap
~/cap/Combined/tools/hcxtools/wlancap2hcx -Z -D -o output/current_wlan_cat.hccapx output/merged_cat.pcap
#newer hcxpcaptool
~/cap/Combined/tools/hcxtools/hcxpcaptool -o output/current_new_p.hccapx output/merged.pcap
~/cap/Combined/tools/hcxtools/hcxpcaptool -o output/current_new_cat.hccapx output/merged_cat.pcap
Results:
---
15K May 2 18:02 current_new_cat.hccapx
3.6M May 2 18:02 current_new_p.hccapx
188K May 2 18:02 current_wlan_cat.hccapx
251K May 2 18:02 current_wlan_p.hccapx
22M May 2 18:02 merged.pcap
60M May 2 18:02 merged_cat.pcap
---
MBP:~/cap/Combined$ ./tools/hcxtools/wlanhcxinfo -i output/current_wlan_p.hccapx
total hashes read from file.......: 653
handshakes from clients...........: 393
little endinan router detected....: 0
big endinan router detected.......: 0
zeroed ESSID......................: 0
802.1x Version 2001...............: 481
802.1x Version 2004...............: 172
WPA1 RC4 Cipher, HMAC-MD5.........: 3
WPA2 AES Cipher, HMAC-SHA1........: 648
WPA2 AES Cipher, AES-128-CMAC.....: 0
group key flag set................: 1
message pair M12E2................: 539 (27 not replaycount checked)
message pair M14E4................: 14 (8 not replaycount checked)
message pair M32E2................: 100 (43 not replaycount checked)
message pair M32E3................: 0 (0 not replaycount checked)
message pair M34E3................: 0 (0 not replaycount checked)
message pair M34E4................: 0 (0 not replaycount checked)
nonce-error-corrections is working on that file
MBP:~/cap/Combined$ ./tools/hcxtools/wlanhcxinfo -i output/current_wlan_cat.hccapx
total hashes read from file.......: 489
handshakes from clients...........: 276
little endinan router detected....: 0
big endinan router detected.......: 0
zeroed ESSID......................: 0
802.1x Version 2001...............: 360
802.1x Version 2004...............: 129
WPA1 RC4 Cipher, HMAC-MD5.........: 0
WPA2 AES Cipher, HMAC-SHA1........: 487
WPA2 AES Cipher, AES-128-CMAC.....: 0
group key flag set................: 1
message pair M12E2................: 402 (26 not replaycount checked)
message pair M14E4................: 14 (8 not replaycount checked)
message pair M32E2................: 73 (36 not replaycount checked)
message pair M32E3................: 0 (0 not replaycount checked)
message pair M34E3................: 0 (0 not replaycount checked)
message pair M34E4................: 0 (0 not replaycount checked)
nonce-error-corrections is working on that file
MBP:~/cap/Combined$ ./tools/hcxtools/wlanhcxinfo -i output/current_new_p.hccapx
total hashes read from file.......: 9530
handshakes from clients...........: 8867
little endinan router detected....: 97
big endinan router detected.......: 0
zeroed ESSID......................: 0
802.1x Version 2001...............: 6486
802.1x Version 2004...............: 3044
WPA1 RC4 Cipher, HMAC-MD5.........: 2
WPA2 AES Cipher, HMAC-SHA1........: 9528
WPA2 AES Cipher, AES-128-CMAC.....: 0
group key flag set................: 0
message pair M12E2................: 9200 (29 not replaycount checked)
message pair M14E4................: 240 (118 not replaycount checked)
message pair M32E2................: 90 (2 not replaycount checked)
message pair M32E3................: 0 (0 not replaycount checked)
message pair M34E3................: 0 (0 not replaycount checked)
message pair M34E4................: 0 (0 not replaycount checked)
nonce-error-corrections is working on that file
MBP:~/cap/Combined$ ./tools/hcxtools/wlanhcxinfo -i output/current_new_cat.hccapx
total hashes read from file.......: 39
handshakes from clients...........: 26
little endinan router detected....: 0
big endinan router detected.......: 0
zeroed ESSID......................: 0
802.1x Version 2001...............: 23
802.1x Version 2004...............: 16
WPA1 RC4 Cipher, HMAC-MD5.........: 0
WPA2 AES Cipher, HMAC-SHA1........: 39
WPA2 AES Cipher, AES-128-CMAC.....: 0
group key flag set................: 0
message pair M12E2................: 35 (1 not replaycount checked)
message pair M14E4................: 0 (0 not replaycount checked)
message pair M32E2................: 4 (0 not replaycount checked)
message pair M32E3................: 0 (0 not replaycount checked)
message pair M34E3................: 0 (0 not replaycount checked)
message pair M34E4................: 0 (0 not replaycount checked)
nonce-error-corrections is working on that file
---
My questions:
1. What is the better merge method? I know I have many duplicate handshakes
2. Something seems very wrong with the hcxpcaptool method I am using, any thoughts on way I have so few handshakes in the current_new_cat.hccapx?
3. I want the hccapx file to be as clean as possible, if I feed a cracked wordlist into Hashcat and --remove, I do not want to see for example, ATT722 in the potfile and still in the Hashcat processed hccapx file.