Posts: 5,185
Threads: 230
Joined: Apr 2010
Yeah, I understood that. It's very likely wpaclean will break your cap (as aircrack-ng -J does) so there's no easy way to filter it. That's why I said that cap2hccapx supports filtering. He just needs to call it several times, each time with a different ESSID as 3rd parameter.
Also note that cap2hccapx doesn't want any preprocessed .cap files. Feed it as-is.
Posts: 44
Threads: 7
Joined: May 2010
02-16-2017, 08:28 PM
Also, I have a test AP here whose password is known. cap2hccapx extracts dozens of handshakes from my .cap files off that AP. Yet the known password isn't being cracked. I'm assuming 100% of all of those handshakes are bad. But I'm having trouble understanding how it's grabbing handshakes when the only machine connected to the AP is not re-authenticating (I'm not running any de-auth attacks, just casually sniffing).
Posts: 5,185
Threads: 230
Joined: Apr 2010
That's a feature, I explained it in the initial post. We also want to be able to crack the password the user set, not just the password on the AP (for man-in-the-middle attacks). Please re-read the post.
Posts: 44
Threads: 7
Joined: May 2010
02-16-2017, 10:06 PM
(This post was last modified: 02-16-2017, 10:08 PM by c4p0ne.)
I get the part about the non-authenticated handshakes. I guess I'm missing something important about how the protocol works which I will have to research on my own, because the MACs indicate that these non-auth handshakes are all coming from a machine which has the correct password stored and is already fully authenticated with the AP. There are no rogue clients trying to log into that AP causing non-auths to be captured. It's my own lack of understanding or flat out fuck-up for sure. I'll look into it some more. Thanks.
Posts: 230
Threads: 4
Joined: Aug 2015
Maybe you're not the only one interested in that AP, i.e. MAC address spoofer out there?
Posts: 12
Threads: 3
Joined: Feb 2017
02-26-2017, 01:52 PM
(This post was last modified: 02-26-2017, 02:02 PM by abdou99.)
https://hashcat.net/wiki/doku.php?id=hccapx
"Message pair table"
If Messages of the handshake are M1+M3 then it's uncrackable? (same for M2 + M4)
If yes, why don't you add it to the table, assign a value 0 for uncrackable pair messages
It should look like:
Format: Messages of the handshake ==> message_pair value
M1 + M3 ==> 0
M2 + M4 ==> 0
M1 + M2 ==> 1
M1 + M4 ==> 2
M2 + M3 ==> 3
M2 + M3 ==> 4
M3 + M4 ==> 5
M3 + M4 ==> 6
////
EDIT:
Maybe cuz those messages pair can never happen?
Posts: 1
Threads: 0
Joined: Feb 2017
Hi, guys. Is there any way to separate with native commands lots of handshakes in a single file? E.g. I have 4 hs for the same AP but 3 of these are not full like 1+3 or 2+4, but the last contains the full 1+2+3+4 set. How can I get only the last hash with the new version?
Posts: 230
Threads: 4
Joined: Aug 2015
02-26-2017, 10:56 PM
(This post was last modified: 02-27-2017, 01:34 AM by rico. Edit Reason: bad abbreviation above)
Unless the password changed in that 4 hour window then there's no need to do what you're proposing as there's no performance penalty with multiple handshakes for the same AP. If you still really need it, just edit out hours 1-3 from the .cap file...
EDIT: "i have 4 hs for the same AP". Seems I misread that as 4 hours (hrs), not 4 handshakes. Same answer though, just leave them all in the .hccapx file or edit the .cap file to only contain the hs you want.
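One way to inspect and split an .hccapx file directly, instead of going back to the .cap, as an added example that is not part of this thread or of hashcat's own tools: it parses the 393-byte records laid out on the hccapx wiki page (signature "HCPX", message_pair, ESSID, MACs, nonces, MIC, EAPOL), reports the message_pair of each handshake (the wiki's table, low 3 bits only), and writes out only the records matching an ESSID and/or station MAC, which also answers the "4 handshakes for the same AP" question above. The sample records are constructed here with zeroed nonces, MIC and EAPOL and only serve to exercise the parser.

```python
import struct

# hccapx record layout (393 bytes, little-endian) as documented on the hashcat wiki
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
assert HCCAPX.size == 393

# message_pair low bits, as in the wiki's "Message pair table"
MESSAGE_PAIR = {
    0: "M1+M2 (EAPOL from M2, challenge)", 1: "M1+M4 (EAPOL from M4)",
    2: "M2+M3 (EAPOL from M2)",            3: "M2+M3 (EAPOL from M3)",
    4: "M3+M4 (EAPOL from M3)",            5: "M3+M4 (EAPOL from M4)",
}

def parse_hccapx(data):
    """Split a .hccapx blob into per-handshake dicts; raises on malformed input."""
    if len(data) % HCCAPX.size:
        raise ValueError("length %d is not a multiple of 393" % len(data))
    records = []
    for off in range(0, len(data), HCCAPX.size):
        f = HCCAPX.unpack_from(data, off)
        if f[0] != b"HCPX":
            raise ValueError("bad signature at offset %d" % off)
        records.append({
            "essid": f[4][:f[3]].decode("utf-8", "replace"),
            "message_pair": f[2] & 0x07,
            "mac_ap": f[7].hex(":"), "mac_sta": f[9].hex(":"),
            "raw": data[off:off + HCCAPX.size],
        })
    return records

def describe(records):
    """Human-readable summary line per handshake."""
    return ["%s ap=%s sta=%s pair=%d %s" % (r["essid"], r["mac_ap"], r["mac_sta"],
            r["message_pair"], MESSAGE_PAIR.get(r["message_pair"], "unknown"))
            for r in records]

def filter_hccapx(data, essid=None, mac_sta=None):
    """Return a new .hccapx blob containing only records matching the given filters."""
    keep = [r["raw"] for r in parse_hccapx(data)
            if (essid is None or r["essid"] == essid)
            and (mac_sta is None or r["mac_sta"] == mac_sta)]
    return b"".join(keep)

def make_record(essid, message_pair, mac_ap, mac_sta):
    """Constructed sample record (zeroed nonces/MIC/EAPOL); for demonstration only."""
    e = essid.encode()
    return HCCAPX.pack(b"HCPX", 4, message_pair, len(e), e.ljust(32, b"\0"), 2,
                       b"\0" * 16, mac_ap, b"\0" * 32, mac_sta, b"\0" * 32, 0, b"\0" * 256)

if __name__ == "__main__":
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
    blob = make_record("TestAP", 0, ap, sta) + make_record("Other", 3, ap, sta)
    print("\n".join(describe(parse_hccapx(blob))))
    open("testap_only.hccapx", "wb").write(filter_hccapx(blob, essid="TestAP"))
```

To use it on a real file, read the .hccapx bytes instead of the constructed blob; hashcat will happily take the filtered output, since it is just a subset of the same fixed-size records.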
Posts: 7
Threads: 1
Joined: Dec 2016
(02-16-2017, 08:28 PM)c4p0ne Wrote: Also, I have a test AP here whose password is known. cap2hccapx extracts dozens of handshakes from my .cap files off that AP. Yet the known password isn't being cracked. I'm assuming 100% of all of those handshakes are bad. But I'm having trouble understanding how it's grabbing handshakes when the only machine connected to the AP is not re-authenticating (I'm not running any de-auth attacks, just casually sniffing).
I think there is a problem with this new tool...
Testing my own AP, I captured the handshake (using aircrack) and used a wordlist with 1 word (because I know the password).
Older version of hashcat, aircrack-ng to convert to .hccap -- success!
Hashcat 3.4, using the SAME .cap and converting it to .hccapx with cap2hccapx -- FAIL - hashcat exhausted.
.... confused.
Posts: 12
Threads: 3
Joined: Feb 2017
(03-09-2017, 06:50 PM)TheFool Wrote: (02-16-2017, 08:28 PM)c4p0ne Wrote: Also, I have a test AP here whose password is known. cap2hccapx extracts dozens of handshakes from my .cap files off that AP. Yet the known password isn't being cracked. I'm assuming 100% of all of those handshakes are bad. But I'm having trouble understanding how it's grabbing handshakes when the only machine connected to the AP is not re-authenticating (I'm not running any de-auth attacks, just casually sniffing).
I think there is a problem with this new tool...
Testing my own AP, I captured the handshake (using aircrack) and used a wordlist with 1 word (because I know the password).
Older version of hashcat, aircrack-ng to convert to .hccap -- success!
Hashcat 3.4, using the SAME .cap and converting it to .hccapx with cap2hccapx -- FAIL - hashcat exhausted.
.... confused.
Please upload that .cap file and let me test it.