2x cap files, need help please
#1
Please, I need help with either one of these 2 Wi-Fi files.
I need this so much.
Country Of Origin: Egypt
English
#2
Please keep in mind that this forum is not a hash cracking service.

But if you want to learn, you're welcome.
https://quoteinvestigator.com/2015/08/28/fish/

How to convert the dump files to hashcat format hc22000 is explained here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

How to install and use hashcat is explained here:
https://hashcat.net/wiki/

If you are interested in an analysis: both files are very bad!
DEAUTHENTICATION frames are directly injected into the AUTHENTICATION sequence.
dump file: 3mr (D8-29-18-15-C9-9C).cap
Code:
packet 2532 AUTHENTICATION request
packet 2534 AUTHENTICATION response
packet 2536 DEAUTHENTICATION
packet 2537 ASSOCIATION request
packet 2539 DEAUTHENTICATION
packet 2540 ASSOCIATION response
packet 2542 DEAUTHENTICATION
packet 2546 DEAUTHENTICATION
packet 2547 EAPOL M1 (PMKID is zeroed by AP)
packet 2551 DEAUTHENTICATION
packet 2552 DEAUTHENTICATION
packet 2554 EAPOL M2
packet 2555 DEAUTHENTICATION
packet 2556 EAPOL M3
packet 2557 DEAUTHENTICATION
packet 2559 EAPOL M3 (repeated due to stupid injected DEAUTHENTICATION frames)
packet 2561 DEAUTHENTICATION

There are a lot of out of sequence time stamps inside:
Code:
packet 14
packet 36
packet 38
packet 40
packet 69
...
packet 2617
packet 2619
packet 2663
packet 2722
packet 2740

As a result, hcxpcapngtool prints a lot of warnings after converting this dump file:
Code:
$ hcxpcapngtool '3mr (D8-29-18-15-C9-9C).cap' -o test.hc22000
hcxpcapngtool 6.3.4-45-gfb039b5 reading from 3mr (D8-29-18-15-C9-9C).cap...

summary capture file
--------------------
file name.................................: 3mr (D8-29-18-15-C9-9C).cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (timestamp)............: 05.08.2024 17:53:20 (1722880400)
timestamp maximum (timestamp)............: 05.08.2024 19:04:56 (1722884696)
duration of the dump tool (minutes)......: 71
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianness (capture system)..............: little endian
packets inside...........................: 2744
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
ACTION (total)...........................: 5
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 25
DEAUTHENTICATION (total).................: 679
AUTHENTICATION (total)...................: 4
AUTHENTICATION (OPEN SYSTEM).............: 4
ASSOCIATIONREQUEST (total)...............: 2
ASSOCIATIONREQUEST (PSK).................: 2
WPA encrypted............................: 15
EAPOL messages (total)...................: 5
EAPOL RSN messages.......................: 5
EAPOLTIME gap (measured maximum msec)....: 5
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
EAPOL M1 messages (total)................: 2
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 2
EAPOL pairs (total)......................: 3
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file....: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1
RSN PMKID (useless)......................: 2

Warning: out of sequence timestamps!
This dump file contains frames with out of sequence timestamps.
That is a bug of the capturing/cleaning tool.

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead. The PCAP Next Generation dump file format is an attempt to overcome the limitations of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: radiotap header is missing!
Radiotap is a de facto standard for 802.11 frame injection and reception. The radiotap header format is a mechanism to supply additional information about frames, from the driver to userspace applications.
https://www.radiotap.org/

Warning: too many deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER, renew ANONCE and set PMKID to zero. This could prevent to calculate a valid EAPOL MESSAGE PAIR, to get a valid PMKID or to decrypt the traffic.

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.


session summary
---------------
processed cap files...................: 1
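The two capture defects named in the reply above (out-of-sequence timestamps and a flood of DEAUTHENTICATION frames) can be checked directly in a classic pcap file. This is an added example, not part of the original posts and not hcxpcapngtool's code: `audit_pcap` and `build_sample` are hypothetical names, the sample capture is constructed, and "out of sequence" is assumed to mean a timestamp earlier than the previous frame's. It also accepts radiotap captures (link type 127), which goes beyond the file discussed.

```python
import struct

DLT_IEEE802_11, DLT_RADIOTAP = 105, 127
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic microsecond pcap
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12  # 802.11 management frame subtypes

def audit_pcap(data):
    """Report out-of-sequence timestamps and deauth/disassoc frames in a classic pcap."""
    end = MAGIC.get(data[:4])
    if end is None:
        raise ValueError("not a classic (microsecond) pcap file")
    major, minor, linktype = struct.unpack(end + "HH12xI", data[4:24])
    if linktype not in (DLT_IEEE802_11, DLT_RADIOTAP):
        raise ValueError("link type %d is not raw 802.11" % linktype)
    out_of_seq, deauth, prev, pos, num = [], [], None, 24, 0
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        if len(frame) < incl:
            break  # truncated last record
        pos += 16 + incl
        num += 1  # 1-based, like the packet numbers quoted in the post
        ts = sec * 1_000_000 + usec
        if prev is not None and ts < prev:  # assumed definition of "out of sequence"
            out_of_seq.append(num)
        prev = ts
        if linktype == DLT_RADIOTAP and len(frame) >= 4:
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]  # skip radiotap header
        # Low nibble 0 = protocol version 0 + type 0 (management); high nibble = subtype
        if frame and (frame[0] & 0x0F) == 0 and (frame[0] >> 4) in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            deauth.append(num)
    return {"version": (major, minor), "linktype": linktype, "packets": num,
            "out_of_sequence": out_of_seq, "deauth_disassoc": deauth}

def build_sample():
    """Constructed capture: pcap 2.4, little endian, DLT 105, no radiotap header."""
    frames = [(100, 0, 0xB0), (100, 500, 0xC0), (100, 200, 0xB0),  # 3rd earlier than 2nd
              (101, 0, 0xC0), (101, 10, 0x88), (101, 5, 0xA0)]     # 6th earlier than 5th
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for sec, usec, fc in frames:
        body = bytes([fc, 0]) + bytes(22)  # frame control + zeroed rest of a 24-byte header
        out += struct.pack("<IIII", sec, usec, len(body), len(body)) + body
    return out

if __name__ == "__main__":
    print(audit_pcap(build_sample()))
```

A high ratio of `deauth_disassoc` entries to `packets`, or any entries in `out_of_sequence`, corresponds to the two warnings hcxpcapngtool printed for this dump file.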