02-11-2020, 01:21 AM
(02-10-2020, 04:15 PM)ZerBea Wrote: This information is only available in an original(!) and uncleaned(!) dump file (cap/pcap/pcapng format).
A single BEACON and a single M1 (with PMKID) or a single message pair (M1M2, M2M3, M3M4 not zeroed SNONCE, M1M4 not zeroed SNONCE) is far from enough to retrieve all this information!
Due to my analysis of dump files submitted to wpa-sec, I noticed many dump files which don't contain important frames. Either these frames are not stored by the dump tool or they have been removed/cleaned by the submitter. That will make it hard to recover the PSK.
tshark is a very good tool to retrieve all information on the command line. If you prefer a GUI, you can use Wireshark.
Hash formats 1680x and 250x (hccapx) only contain pure information required to recover the PSK.
BTW:
An example of what you're missing on a cleaned dump file or a dump file which doesn't contain these frames is here:
https://hashcat.net/forum/thread-6661-po...l#pid47500
1680x and 250x will be deprecated as soon as hashcat 6.0.0 is released.
The successor is the new hashline/hashmode 22000, which will give you full advantage of reuse of PBKDF2 over PMKID and EAPOL.
Thank you very much for the in-depth reply. This is really helpful.
I knew about tshark and Wireshark. I was hoping that there was a simpler way.
Thanks again!!!