New hccapx format explained
#31
Yeah, I understood that. It's very likely wpaclean will break you cap (as aircrack-ng -J does) so there's no easy way to filter it. That's why I said that cap2hccapx supports filtering. He just need to call it several times, each time with a different ESSID as 3rd parameter.

Also note that cap2hccapx doesn't want any preprocessed .cap files. Feed it as-is.
#32
Information 
Also, I have a test AP here whose password is known. cap2hccapx extracts dosens of handshakes from my .cap files off that AP. Yet the known password isn't being cracked. I'm assuming 100% of all of those handshakes are bad. But I'm having trouble understanding how it's grabbing handshakes when the only machine connected to the AP is not re-authenticating (i'm not running any de-auth attacks, just casually sniffing).
#33
That's a feature, I explained it in the initial post. We also want to be able to crack the password the user set, not just the password on the AP (for man-in-the-middle attacks). Please re-read the post.
#34
Information 
I get the part about the non-authenticated handshakes. I guess I'm missing something important about how the protocol works which I will have to research on my own, because the MACS indicate that these non-auth handshakes are all coming from a machine which has the correct password stored and is already fully authenticated with the AP. There are no rogue clients trying to log into that AP causing non-auths to be captured. It's my own lack of understanding or flat out fuck-up for sure. I'll look into it some more. Thanks.
#35
Maybe you're not the only one interested in that AP, i.e. MAC address spoofer out there?
#36
https://hashcat.net/wiki/doku.php?id=hccapx
"Message pair table"

If Messages of the handshake are M1+M3 then it's uncrackable? (same for M2 + M4)
If yes, why don't you add it to the table, assign a value 0 for uncrackable pair messages
It should be look like:


Format: Messages of the handshake  ==> message_pair value
M1 + M3 ==> 0
M2 + M4 ==> 0

M1 + M2 ==> 1
M1 + M4 ==> 2
M2 + M3 ==> 3
M2 + M3 ==> 4
M3 + M4 ==> 5
M3 + M4 ==> 6

////
EDIT:
Maybe cuz those messages pair can never happen?
#37
Hi, guys. Is there any way to separate with native commands lots of handshakes in a singe file? Eg i have 4 hs for the same AP but 3 of these are not full like 1+3 or 2+4, but the last contains the full 1+2+3+4 set. How can i get only the last hash with new version?
#38
Unless the password changed in that 4 hour window then there's no need to do what you're proposing as there's no performance penalty with multiple handshakes for the same AP. If you still really need it, just edit out hours 1-3 from the .cap file...

EDIT: "i have 4 hs for the same AP". Seems I misread that as 4 hours (hrs), not 4 handshakes. Same answer though, just leave them all in the .hccapx file or edit the .cap file to only contain the hs you want.
#39
(02-16-2017, 08:28 PM)c4p0ne Wrote: Also, I have a test AP here whose password is known. cap2hccapx extracts dosens of handshakes from my .cap files off that AP. Yet the known password isn't being cracked. I'm assuming 100% of all of those handshakes are bad. But I'm having trouble understanding how it's grabbing handshakes when the only machine connected to the AP is not re-authenticating (i'm not running any de-auth attacks, just casually sniffing).

I think there is a problem with this new tool... 

Testing my own AP, I captured the handshake (using aircrack) and used a wordlist with 1 word (because I know the password).

Older version of hashcat, aircrack-ng to convert to .hccap -- success!

Hashcat 3.4, using the SAME .cap and converting it to .hccapx with cap2hccapx -- FAIL - hashcat exhausted.

.... confused.
#40
(03-09-2017, 06:50 PM)TheFool Wrote:
(02-16-2017, 08:28 PM)c4p0ne Wrote: Also, I have a test AP here whose password is known. cap2hccapx extracts dosens of handshakes from my .cap files off that AP. Yet the known password isn't being cracked. I'm assuming 100% of all of those handshakes are bad. But I'm having trouble understanding how it's grabbing handshakes when the only machine connected to the AP is not re-authenticating (i'm not running any de-auth attacks, just casually sniffing).

I think there is a problem with this new tool... 

Testing my own AP, I captured the handshake (using aircrack) and used a wordlist with 1 word (because I know the password).

Older version of hashcat, aircrack-ng to convert to .hccap -- success!

Hashcat 3.4, using the SAME .cap and converting it to .hccapx with cap2hccapx -- FAIL - hashcat exhausted.

.... confused.

Please upload that .cap file let me test it