Handshake extraction failed!
#1
Exclamation 
Hello I have this error message when trying to convert a pcap file from a pmkid sniffer (esp32 marauder).
It has multiple eapol lines that should contain the encoded wifi password in it so I don't know why it doesn't work, thanks for your help !

Handshake extraction failed!
hcxpcapngtool 6.3.1 reading from 930709_1702061198.cap...
summary capture file
--------------------
file name................................: 930709_1702061198.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 01.01.1970 01:10:22
timestamp maximum (GMT)..................: 01.01.1970 01:11:00
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianness (capture system)..............: little endian
packets inside...........................: 796
ESSID (total unique).....................: 3
BEACON (total)...........................: 315
BEACON on 2.4 GHz channel (from IE_TAG)..: 1 3
ACTION (total)...........................: 75
PROBEREQUEST (undirected)................: 29
PROBERESPONSE (total)....................: 87
DEAUTHENTICATION (total).................: 1
AUTHENTICATION (total)...................: 1
AUTHENTICATION (OPEN SYSTEM).............: 1
WPA encrypted............................: 97
IPv4 (total).............................: 1
TCP (total)..............................: 1
EAPOL messages (total)...................: 177
EAPOL RSN messages.......................: 177
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 174
EAPOL M3 messages (total)................: 3
Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html...lesSection
https://github.com/pcapng/pcapng
Information: radiotap header is missing!
Radiotap is a de facto standard for 802.11 frame injection and
reception. The radiotap header format is a mechanism to supply
additional information about frames, rom the driver to userspace
applications.
https://www.radiotap.org/
Information: no hashes written to hash files
session summary
---------------
processed cap files...................: 1
Reply
#2
These is the important information:
Code:
EAPOL M1 messages (total)................: 174
EAPOL M3 messages (total)................: 3

The EAPOL M1 doesn't contain a PMKID and an EAPOL M2 (from the CLIENT) is missing.
As a result there is nthing that can be converted to a hash file hascat can work on.

Convert this example:
https://wiki.wireshark.org/uploads/__moi...ction.pcap
from here:
https://wiki.wireshark.org/SampleCaptures

Compare the status output to your's and you know what I mean.
Reply
#3
(12-08-2023, 09:12 PM)ZerBea Wrote: These is the important information:
Code:
EAPOL M1 messages (total)................: 174
EAPOL M3 messages (total)................: 3

The EAPOL M1 doesn't contain a PMKID and an EAPOL M2 (from the CLIENT) is missing.
As a result there is nthing that can be converted to a hash file hascat can work on.

Convert this example:
https://wiki.wireshark.org/uploads/__moi...ction.pcap
from here:
https://wiki.wireshark.org/SampleCaptures

Compare the status output to your's and you know what I mean.



So it's probably my sniffer that doesn't record all the essential data ?
Reply
#4
Maybe. From what I have read here, the tool does only DEAUTHENTICATION attacks and it doesn't detect a packet loss during reception.
Hcxpcapngtool (no tool) can bring back lost packets.
Reply
#5
(12-08-2023, 10:31 PM)ZerBea Wrote: Maybe. From what I have read here, the tool does only DEAUTHENTICATION attacks and it doesn't detect a packet loss during reception.
Hcxpcapngtool (no tool) can bring back lost packets.

thanks for your help ! solved it was a bad recording
Reply
#6
(12-09-2023, 12:23 AM)dowan35 Wrote:
(12-08-2023, 10:31 PM)ZerBea Wrote: Maybe. From what I have read here, the tool does only DEAUTHENTICATION attacks and it doesn't detect a packet loss during reception.
Hcxpcapngtool (no tool) can bring back lost packets.

thanks for your help ! solved it was a bad recording

Hi mate, i have the same problem with you.
What did you do and worked?
Please help me, i tried 2-3 different networks and i have same problem to all
Reply
#7
If you don't have an EAPOL M1 or an EAPOL M3, the target AP is not in range.
Regardless of the RSSI value get closer to the target AP.

If you don't have an EAPOL M2 or an EAPOL M4, the target CLIENT is not in range.
Regardless of the RSSI value get closer to the target CLIENT.

To avoid this (make sure you get all information hashcat/JtR need to recover the PSK), use an interactive attack tool that is able to detect this and to request missing frames.

Please take a look at the adapter tests:
https://github.com/ZerBea/hcxdumptool/discussions/361
The entire procedure to attack the test target is explained.
Reply