.cap hash extraction
hoping for help

i had an idea playing with hashcat where it says

Added hashes from file bt.hccap: 1 (1 salts)

is there a way you can make hashcat display the loaded hash/salt or is there any program or website i can use to extract the hash/salt

i tried the following

editcap -v -D 0 BTHub3-MQZX.cap /dev/null wich gave me loads of hashes to many to list

wireshark (had a look around reading a big manual on how to use)

capinfos BTHub3-MQZX.cap which gave me 1 SHA1, RIPEMD160, MD5

md5sum BTHub3-MQZX.cap and bt.hccap gave me MD5 hash ee82e86b4e10b3e9aa761e89fe3fff60 and 6efcd68a648a0255606eef37f9e15f45 respectively

tested all hashes with all different -m 0 - 7600 (hashcat did not work took some time) i know the caps good i tried in aircrack and cowpatty with small passlist
and got KEY FOUND! [ 8d9bb4aee3 ]

i stripped my cap down to just the 4 eapol packets which i then ran the stripped cap through the above programs got different hashes c91ab0c98f27612b40e9a5a7d22107f1

!!!!someone please tell me if i can get the hash/salt from my cap file you should be able to if it can load it then you should be able to see it or if those programs gave the right hash were did i go so wrong!!!!

should stress if you dont want to tell me how (the full command) to do it please point me in the right direction and i will figger it out my self


newbie but keen2learn
use the -J option on aircrack to export as hccap. Requires latest aircrack version. https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
thanks for the quick response undeath

i will try to explain what i want in more detail

i used aircrack -J command and got bt.hccap ran the following command

./hashcat-cli32.bin -1 abed3489 -m 2500 --pw-min=10 -s 574776396 -a3 bt.hccap ?1?1?1?1?1?1?1?1?1?1

and got the password

what i want is were it says

Added hashes from file bt.hccap: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

is there a command i can use like (making this up)
./hashcat-cli32.bin -a3 bt.hccap --show-hash --show-salt

so it will display the following
hash:ee82e86b4e10b3e9aa761e89fe3fff60 (but display the hash it loads in bruteforce)

or is there another program or website i can use to achieve this

hope that is a bit clearer question

thanks again undeath

WPA is more complex than simple hash and salt, that's why there is the hccap file. For the hccap file format look here: https://hashcat.net/wiki/doku.php?id=hccap
thanks agian for the quick response undeath

throught i was so on to something here extracting the has because it takes a lot less time cracking a hash than the full .hccap. shame

could you please explain what hashcat uses and what its doing in brute force to crack the password

is there a faster way of cracking wpa/wpa2 wireless key 8d9bb4aee3 other than bruteforce on a dual core laptop was told evil twin ap

which is faster the above hashcat code or cat /dev/urandom| tr -dc 'abde3489' | fold -w 10| head -n 999999181801204736 | aircrack-ng -b 00:8A:AE:99:4F:E4 -w - BTHub3-MQZX.cap (1150.23 k/s)

sorry to be annoying but on to something else understanding hashes, i used the following:

./hashcat-cli32.bin -1 ABCDEFGHIJKLMNOPQRSTUVWXYZ -m (all below) --pw-min=8 --pw-max=8 -a3 hash ?1?1?1?1?1?1?1?1

10 = md5($pass.$salt)
20 = md5($salt.$pass)
30 = md5(unicode($pass).$salt)
40 = md5($salt.unicode($pass))
50 = HMAC-MD5 (key = $pass)
60 = HMAC-MD5 (key = $salt)
100 = SHA1
110 = sha1($pass.$salt)
120 = sha1($salt.$pass)
130 = sha1(unicode($pass).$salt)
140 = sha1($salt.unicode($pass))
150 = HMAC-SHA1 (key = $pass)
160 = HMAC-SHA1 (key = $salt)

and i get

Skipping line: <44hex hash removed by epixoip> (separator unmatched)

what does (separator unmatched) mean relating to the above hash types

if possible can someone tell me what hash type/types it could be help narrow it down


you are specifying a salted hash mode without supplying the hash and salt in "hashConfusedalt" format. it looks like you are just concatenating the salt with the hash.
(08-22-2014, 08:32 PM)keen2learn Wrote: throught i was so on to something here extracting the has because it takes a lot less time cracking a hash than the full .hccap. shame

you can trust the hashcat developers to attack a certain password storage algorithm in the fastest way possible. There are no possible "hacks" or tricks to make this faster (using hashcat) or to convert hash types. This is a very ignorant view on the whole process of hashcracking because it implies the developers (as well as the people developing PSA or cryptographic hashes) don't know what they are doing.

Assume you were right with your assumption: why would anyone try to crack a WPA handshake if he could just convert it to md5 or sha1 and crack it a thousand times faster? Why would anyone have bothered with coming up with the WPA handshake mechanism if the very same thing can be done a thousand times faster?

You're trying being "clever" here but I can assure you, there are people working on this who are a damn times more clever than you are. (please don't read this as an insult, these people are simply tits. esp atom, the hashcat main developer)
sorry if i offended you or the developers in any way not my intentions i was trying to be clever (a bit to clever for 13) leave it to u guys i think


Don't get me wrong, questioning established standards isn't wrong. However, randomly sprouting unreflected ideas is. If you want to give constructive comments and discussions you should read on about how things work. Don't try to make things better you have no idea about how they work.