Convert .cap file question
#1
Hello ya!!!

It's been a couple of years since I posted or used hashcat. Had some family issues plus a new career that kept me busy outside of the house.

I chose to come back, and man, things have changed since the last time I was here.

I finally have a good GPU to run my hash cracking. Enough of the small talk. I've been trying to figure this out and I'm sorry, but I haven't found it or I'm missing something.

I set up a wireless router and had my daughter enter a password. I did the following.

I started:

airodump-ng --bssid <ssid> -c 11 -w homelab wlan1mon

I did a deauth:

aireplay-ng -0 10 -a <ssid> wlan1mon

After a few seconds I was able to capture a handshake. I left it running for 3 mins, then stopped it.

Since there is a new format, .22000, I can't figure out how to convert the .cap file to that format. I tried finding a tutorial, but there's something missing.

I have installed hcxdumptool and hcxpcapngtool as well. I keep reading that you have to convert the pcapng, but I don't have that in the folder where the .cap file is located.

If someone has the steps on how to convert a .cap file to the .22000 format, that would be great. I know there is a site to upload this to, but I want to learn the command. My thought is: what happens if the site goes down or I don't have internet access to upload the file?

Any kind of help would be awesome, or a tutorial I could use would be great.

Thanks,
#2
The steps are explained here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

Linux basic steps are explained here:
https://www.freecodecamp.org/news/linux-...-tutorial/
https://ubuntu.com/tutorials/command-line-for-beginners
https://www.freecodecamp.org/news/the-li...-handbook/
https://www.howtogeek.com/140679/beginne...-terminal/
#3
An example will be used to show how the conversion of a handshake/PMKID works:

The workflow (command line):
Code:
$ wget https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/wpa-Induction.pcap
$ hcxpcapngtool -o induction.hc22000 wpa-Induction.pcap
$ hashcat -m 22000 induction.hc22000 -a 3 Induction

In detail (including expected results):

Get the Wireshark demo dump file from here:
https://wiki.wireshark.org/SampleCaptures
Code:
$ wget https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/wpa-Induction.pcap
wget https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/wpa-Induction.pcap
--2024-04-23 09:21:44--  https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/wpa-Induction.pcap
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving wiki.wireshark.org (wiki.wireshark.org)... 2606:4700:20::681a:bf0, 2606:4700:20::681a:af0, 2606:4700:20::ac43:4b27, ...
Connecting to wiki.wireshark.org (wiki.wireshark.org)|2606:4700:20::681a:bf0|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://gitlab.com/wireshark/wireshark/-/wikis/uploads/__moin_import__/attachments/SampleCaptures/wpa-Induction.pcap [following]
--2024-04-23 09:21:44--  https://gitlab.com/wireshark/wireshark/-/wikis/uploads/__moin_import__/attachments/SampleCaptures/wpa-Induction.pcap
Resolving gitlab.com (gitlab.com)... 2606:4700:90:0:f22e:fbec:5bed:a9b9, 172.65.251.78
Connecting to gitlab.com (gitlab.com)|2606:4700:90:0:f22e:fbec:5bed:a9b9|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 179298 (175K) [application/octet-stream]
Saving to: 'wpa-Induction.pcap'
wpa-Induction.pcap      100%[=============================>] 175.10K  --.-KB/s    in 0.09s  
2024-04-23 09:21:45 (1.85 MB/s) - 'wpa-Induction.pcap' saved [179298/179298]

Convert to a hc22000 hash file:
Code:
$ hcxpcapngtool -o induction.hc22000 wpa-Induction.pcap
hcxpcapngtool 6.3.4-7-gb3b3b0d reading from wpa-Induction.pcap...

summary capture file
--------------------
file name................................: wpa-Induction.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 07:14:45
timestamp maximum (GMT)..................: 04.01.2007 07:15:26
duration of the dump tool (seconds)......: 40
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 1093
frames with correct FCS..................: 1080
packets received on 2.4 GHz..............: 1093
WIRELESS DISTRIBUTION SYSTEM.............: 1
ESSID (total unique).....................: 2
BEACON (total)...........................: 398
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
PROBEREQUEST (undirected)................: 12
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 26
DISASSOCIATION (total)...................: 1
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
RESERVED MANAGEMENT frame................: 4
WPA encrypted............................: 280
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum msec)....: 4
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M12E2 (challenge)..................: 1
RSN PMKID (total)........................: 1
RSN PMKID (from zeroed PMK)..............: 1 (not converted by default options - use --all if needed)

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2412: 1093

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead. The PCAP Next Generation dump file format is an attempt to overcome the limitations of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
Duration of the dump tool was a way too short to capture enough additional information.


session summary
---------------
processed cap files...................: 1

Recover the PSK:
Code:
$ hashcat -m 22000 induction.hc22000 -a 3 Induction
hashcat (v6.2.6-848-gc1a10518f) starting
...
a462a7029ad5ba30b6af0df391988e45:000c4182b255:000d9382363a:Coherer:Induction
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: induction.hc22000
Time.Started.....: Tue Apr 23 09:24:47 2024 (0 secs)
Time.Estimated...: Tue Apr 23 09:24:47 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: Induction [9]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       87 H/s (0.45ms) @ Accel:8 Loops:256 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Induction -> Induction
Hardware.Mon.#1..: Temp: 30c Fan:  0% Util: 41% Core:2595MHz Mem:10802MHz Bus:16

Started: Tue Apr 23 09:24:45 2024
Stopped: Tue Apr 23 09:24:48 2024
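As an added example (not part of this thread, and not code from hcxtools or hashcat), here is a small Python parser that sanity-checks what hcxpcapngtool wrote into the .hc22000 file before you hand it to hashcat: it tells PMKID lines (WPA*01) from EAPOL lines (WPA*02), decodes the hex-encoded ESSID, and reports the message pair, so you can confirm that the file really contains the "EAPOL M12E2 (challenge)" pair the summary above reports rather than, say, only a PMKID. The sample lines are constructed: MIC, MACs and ESSID are taken from the cracked line above, while the ANONCE and EAPOL bytes are made up; the message-pair numbering follows hashcat's description of the 22000 format.

```python
import re

HEX = re.compile(r"^[0-9a-fA-F]*$")
# message-pair numbering of hashcat's 22000 format (low three bits of the last field)
PAIR_NAMES = {0: "M1+M2 (challenge)", 1: "M1+M4", 2: "M2+M3",
              3: "M2+M3", 4: "M3+M4", 5: "M3+M4"}

def _hex(field, length=None):
    # validate a hex field (optionally of fixed length) and lower-case it
    if not HEX.match(field) or len(field) % 2 or (length and len(field) != length):
        raise ValueError(f"bad hex field: {field!r}")
    return field.lower()

def parse_22000_line(line):
    """Describe one WPA*01 (PMKID) or WPA*02 (EAPOL) line; ValueError if malformed."""
    parts = line.strip().split("*")
    if len(parts) != 9 or parts[0] != "WPA" or parts[1] not in ("01", "02"):
        raise ValueError(f"not a 22000 line: {line!r}")
    rec = {"type": "PMKID" if parts[1] == "01" else "EAPOL",
           "hash": _hex(parts[2], 32),            # PMKID (01) or MIC (02)
           "mac_ap": _hex(parts[3], 12), "mac_client": _hex(parts[4], 12),
           "essid": bytes.fromhex(_hex(parts[5])).decode("utf-8", "replace")}
    if rec["type"] == "PMKID":
        if any(parts[6:]):                       # PMKID lines end with ***
            raise ValueError("PMKID line must have empty trailing fields")
    else:
        rec["anonce"] = _hex(parts[6], 64)
        rec["eapol"] = _hex(parts[7])
        mp = int(_hex(parts[8], 2), 16)
        rec["message_pair"] = PAIR_NAMES.get(mp & 0x07, "unknown")
        rec["flags"] = mp & 0xF8                 # remaining bits kept raw
    return rec

def summarize(lines):
    # count PMKID/EAPOL/malformed lines and collect the ESSIDs seen
    counts = {"PMKID": 0, "EAPOL": 0, "malformed": 0, "essids": set()}
    for line in filter(str.strip, lines):
        try:
            rec = parse_22000_line(line)
        except ValueError:
            counts["malformed"] += 1
        else:
            counts[rec["type"]] += 1
            counts["essids"].add(rec["essid"])
    return counts

# Constructed sample: MIC/MACs/ESSID from the thread's cracked line, ANONCE and
# EAPOL bytes made up; then a made-up PMKID line and a garbage line.
SAMPLE = [
    "WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*"
    "436f6865726572*" + "a1" * 32 + "*0103005f0200" + "00" * 6 + "*00",
    "WPA*01*" + "0b" * 16 + "*000c4182b255*000d9382363a*436f6865726572***",
    "not a hash line"]
```

Run `summarize(open("induction.hc22000").readlines())` on your own converter output; a result with zero EAPOL lines means only a PMKID was recovered and the handshake itself did not make it into the file.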