Change ESSID in .pcapng
#1
First off, I know that editing .pcapng files is highly not recommended. My issue is that I have a collection of handshakes captured by my WiFi Pineapple (Evil Twin). I can't use them because the beacon frames contain the same ESSID. I've been researching tools that would allow me to edit the SSID fields but have not found a workable solution yet.
Reply
#2
If you modify the ESSID, the content becomes unusable and you can't use it to recover the PlainMasterKey (PMK) on WPA1/WPA2/WPA2kv3, because the algorithm depend on the PreSharedKey (PSK) and the ESSID (used during the ASSOCIATION/REASSOCIATION):
Code:
PMK = PBKDF2(HMAC−SHA1, PSK, ESSID, 4096, 256)
In other words, changing the ESSID will lead to uncrackable hashes and hashcat will fail. That is the major reason why modifying an ESSID is not recommended and not allowed by tools like e.g. hcxtools.


For other purposes (not recovering WPA, WPA2, WPA2kv3) you can remove the entire BEACON frames by tshark:
Code:
$ tshark -r old.pcapng -R '!wlan.fc.type_subtype == 0x08' -2 -F pcapng -w beacon_removed.pcapng

Please notice that ESSIDs are present in PROBEREQUEST frames, PROBERESPONSE frames, ASSOCIATIONREQUEST frames, REASSOCIATIONREQUEST frames and some kind of ACTION frames, too.
State of the art tools will take the ESSID from this frames primary, because they (especially ASSOCIATIONREQUEST and REASSOCIATIONREQUEST frames) contain much more information than a simple BEACON.
Reply
#3
(08-17-2022, 09:11 AM)ZerBea Wrote: If you modify the ESSID, the content becomes unusable and you can't use it to recover the PlainMasterKey (PMK) on WPA1/WPA2/WPA2kv3, because the algorithm depend on the PreSharedKey (PSK) and the ESSID (used during the ASSOCIATION/REASSOCIATION):
Code:
PMK = PBKDF2(HMAC−SHA1, PSK, ESSID, 4096, 256)
In other words, changing the ESSID will lead to uncrackable hashes and hashcat will fail. That is the major reason why modifying an ESSID is not recommended and not allowed by tools like e.g. hcxtools.


For other purposes (not recovering WPA, WPA2, WPA2kv3) you can remove the entire BEACON frames by tshark:
Code:
$ tshark -r old.pcapng -R '!wlan.fc.type_subtype == 0x08' -2 -F pcapng -w beacon_removed.pcapng

Please notice that ESSIDs are present in PROBEREQUEST frames, PROBERESPONSE frames, ASSOCIATIONREQUEST frames, REASSOCIATIONREQUEST frames and some kind of ACTION frames, too.
State of the art tools will take the ESSID from this frames primary, because they (especially ASSOCIATIONREQUEST and REASSOCIATIONREQUEST frames) contain much more information than a simple BEACON.

It's a weird case. I haven't tried cracking the hashes (which I will), but I am positive that the PineAP tool is capturing beacon frames that do not match what stations are responding to and do not match the ESSIDs used to generate the PMKs. I've posted on the Hak5 forums, but so far no one there has responded to me.

Edit: There are no probe or association frames.
Reply
#4
Try to convert them by hcxpcapngtool.
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

BTW:
"There are no probe or association frames."
In that case you will miss something important:
https://github.com/evilsocket/pwnagotchi...-598597214
I recommend not to use tools that depend on BEACONs only.

As far as I know hcxdumptool is working on the pinapples:
https://forums.hak5.org/topic/44213-pmki...ineapples/
Reply