Clean up CAP and Convert to HCCAPX for use with Hashcat
#1
Crack WPA Handshake with Hashcat using Wordlist

Open captured handshake file with Wireshark and apply the following filter.

eapol || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x08  <--- Wireshark Filter
    > Filter out the complete 4-way handshake using Wireshark
    > Using the right-click menu, mark the 4 handshake packets as well as the top broadcast packet
       - then export: File > Export > Select Marked Packets and save with a .cap file extension
      
After cleaning up the .CAP handshake and exporting it, you must convert it for use with Hashcat
    > Use https://hashcat.net/cap2hccapx/ to convert from .CAP to .HCCAPX
    
Ready to start cracking using Hashcat. Open a CMD or Terminal prompt, run as Admin/Root and issue the following command (I used the Windows version of Hashcat, hence the .exe in the hashcat command below)
    > hashcat64.exe -m 2500 CapturedHandshake.hccapx wordlists/rockyou.txt
    
    
NOTES:
    When cleaning up the CAP file with Wireshark you want to make sure that you
    select the correct packets. There will be 5 selected packets in total.
    Here is what the finished Wireshark output will look like if done properly:

    No.  Time         Source              Destination         Protocol  Length  Info

    1    0.000000     Actionte_29:79:75   Broadcast           802.11    261     Beacon frame, SN=2579, FN=0, Flags=........, BI=100, SSID=NAMEofWIFI
    2    141.783428   Actionte_29:79:75   Apple_59:67:41      EAPOL     155     Key (Message 1 of 4)
    3    141.810056   Apple_59:67:41      Actionte_29:79:75   EAPOL     155     Key (Message 2 of 4)
    4    141.822340   Actionte_29:79:75   Apple_59:67:41      EAPOL     213     Key (Message 3 of 4)
    5    141.825929   Apple_59:67:41      Actionte_29:79:75   EAPOL     133     Key (Message 4 of 4)

    
    I believe the Key Message packets 1 through 4 must be in order, starting at 1 and ending at 4.
    You cannot select the packets out of order or it will not work.

This is a quick write-up that I hope will help some people who are having trouble. I also hope that I'm not reposting something that has already been covered multiple times. Like I said, I hope this helps out.

-CellToolz
Reply
#2
The main question that comes to my mind here is: why do you need to clean it at all?
Doesn't it also work without cleaning it? The output should be 100% the same.

Maybe the only reason you cleaned it is because there is a file size upload limit on https://hashcat.net/cap2hccapx/, but you didn't mention that this was the reason you used this cleaning process.
I'm very interested in your answer why you had to go through these steps, because from the point of view of cap2hccapx you shouldn't need to do any manipulation of the cap file before converting it.
Reply
#3
(09-12-2017, 08:08 AM)philsmd Wrote: The main question that comes to my mind here is: why do you need to clean it at all?
Doesn't it also work without cleaning it? The output should be 100% the same.

Maybe the only reason you cleaned it is because there is a file size upload limit on https://hashcat.net/cap2hccapx/, but you didn't mention that this was the reason you used this cleaning process.
I'm very interested in your answer why you had to go through these steps, because from the point of view of cap2hccapx you shouldn't need to do any manipulation of the cap file before converting it.

I clean every cap manually; the reason is that sometimes multiple handshakes are converted and hashcat speed drops by over 50%. I would also be sure to check timestamps and make sure they are from the same client <-> AP handshake.
Reply
#4
it's probably a lot easier to use hcxtools
Reply
#5
(09-12-2017, 10:54 PM)undeath Wrote: it's probably a lot easier to use hcxtools

and a hex editor
Reply
#6
I just want to make sure that a non-experienced user doesn't use a silly filter and cleanup like the one mentioned above.
If you know what you are doing, just do it, at your own risk.

For all other users: you shouldn't clean up or remove any important info from your cap file, because otherwise cap2hccapx or hcxtools can't work correctly.
There are several other packets that could help to identify a network (ESSID) etc... if you remove any important packets from the cap, the hccapx will be missing a lot of information ("hashes").

So if you are not an experienced cap/wlan (protocol) expert, do not clean the caps. If you have problems with the max. number of networks analyzed by cap2hccapx, just increase the MAX to a higher value at your own risk. If you have problems with the max file upload size, just download cap2hccapx and convert the caps locally (or alternatively you could also use hcxtools locally).
If you instead know what you are doing, just go ahead and manipulate the cap file... but at your own risk.
Reply
#7
(09-11-2017, 11:21 PM)CellToolz Wrote:     No.  Time         Source              Destination         Protocol  Length  Info

    1    0.000000     Actionte_29:79:75   Broadcast           802.11    261     Beacon frame, SN=2579, FN=0, Flags=........, BI=100, SSID=NAMEofWIFI
    2    141.783428   Actionte_29:79:75   Apple_59:67:41      EAPOL     155     Key (Message 1 of 4)
    3    141.810056   Apple_59:67:41      Actionte_29:79:75   EAPOL     155     Key (Message 2 of 4)
    4    141.822340   Actionte_29:79:75   Apple_59:67:41      EAPOL     213     Key (Message 3 of 4)
    5    141.825929   Apple_59:67:41      Actionte_29:79:75   EAPOL     133     Key (Message 4 of 4)

This looks exactly as it should and I've never had problems... the beacon is included and all 4 parts of the handshake are included in chronological order, and they are all part of the same handshake. Not sure exactly what unit the timestamps are measured in (seconds, milliseconds... probably seconds), but in this example they all come within 141.x, which is typically a good indicator. If some were 138 and others were 143, I would toss them and find another handshake. Optionally, you can keep a probe response in the cap for further dissection if you desire (AP info in WPS frames, etc.). Not cleaning may leave you with extra handshakes, and that will kill speeds greatly. Obviously it may be hard for beginners, but cleaning manually has by far made the process go much smoother. I usually ask people for uncleaned caps in fear that they will butcher them with other tools (wpaclean, etc.), but if people are willing to learn how to do it properly, then I, and many others, won't have a problem. The HCCAPX format catches a good amount of issues, but not all of them.
Reply
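As an added example (not code from the post, from Wireshark or from hashcat), here is a small Python checker that encodes the selection rule from post #1 and the sanity checks in this reply: one beacon from the AP plus EAPOL-Key messages 1 to 4, in order, from a single AP/client pair, with timestamps close together. It classifies raw 802.11 frames without a radiotap header by frame type and EAPOL-Key "Key Information" flags; the frame builders, MAC addresses, SSID and Key Information values are constructed for the demonstration, and the timestamps are copied from the listing above.

```python
import struct
SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header for EtherType 0x888e (EAPOL)

def eapol_msg_number(key_info):   # EAPOL-Key 'Key Information' flags -> 4-way handshake message 1..4, else None
    pair, ack, mic, install, secure = (key_info & m for m in (0x08, 0x80, 0x100, 0x40, 0x200))
    if pair and ack and not mic:
        return 1                  # M1: AP -> STA (ANonce, no MIC yet)
    if pair and ack and mic and install:
        return 3                  # M3: AP -> STA (GTK, install PTK)
    return (4 if secure else 2) if pair and mic and not ack else None   # M2 (Secure=0) / M4 (Secure=1): STA -> AP

def classify(frame):   # raw 802.11 frame (no radiotap) -> ('beacon', ap, ssid) | ('eapol', msg, src, dst) | None
    ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
    dst, src = frame[4:10].hex(":"), frame[10:16].hex(":")
    if ftype == 0 and subtype == 8:                       # management/beacon: 24-byte header, 12 fixed bytes, IEs
        ssid = frame[38:38 + frame[37]] if frame[36:37] == b"\x00" else b""   # SSID element carries tag 0
        return ("beacon", src, ssid.decode(errors="replace"))
    if ftype == 2 and subtype == 0 and frame[24:32] == SNAP_EAPOL and frame[33] == 3:   # data + EAPOL-Key
        return ("eapol", eapol_msg_number(struct.unpack(">H", frame[37:39])[0]), src, dst)
    return None

def find_handshake(capture, max_span=2.0):   # capture = [(seconds, frame_bytes), ...]
    """Indices [beacon, M1, M2, M3, M4] of the first complete, in-order, single-pair handshake within max_span s."""
    parsed = [classify(f) for _, f in capture]
    beacons = {p[1]: i for i, p in reversed(list(enumerate(parsed))) if p and p[0] == "beacon"}  # first beacon per AP
    for i, p in enumerate(parsed):
        if p and p[0] == "eapol" and p[1] == 1 and p[2] in beacons:
            ap, sta, chosen = p[2], p[3], [i]
            for j in range(i + 1, len(capture)):
                if capture[j][0] - capture[i][0] > max_span:
                    break                                 # timestamps too far apart: not the same handshake
                q, expect = parsed[j], ((ap, sta) if len(chosen) == 2 else (sta, ap))   # M3 from AP, M2/M4 from STA
                if q and q[0] == "eapol" and q[1] == len(chosen) + 1 and (q[2], q[3]) == expect:
                    chosen.append(j)
                if len(chosen) == 4:
                    return [beacons[ap]] + chosen
    return None

def _frame(fc0, dst, src, payload):   # constructed 802.11 frame; addr3 is not inspected by classify()
    return bytes([fc0, 0, 0, 0]) + bytes.fromhex(dst.replace(":", "") + src.replace(":", "") * 2) + b"\0\0" + payload
def _key(key_info):                    # EAPOL v2, type 3 (Key), RSN descriptor type 2, Key Information, padding
    return SNAP_EAPOL + b"\x02\x03\x00\x5f\x02" + struct.pack(">H", key_info) + bytes(93)
AP, STA = "00:11:22:29:79:75", "00:aa:bb:59:67:41"   # constructed addresses
SAMPLE = [  # constructed capture mirroring the post's five-packet listing (timestamps copied from it)
    (0.000000, _frame(0x80, "ff:ff:ff:ff:ff:ff", AP, bytes(12) + b"\x00\x0aNAMEofWIFI")),
    (141.783428, _frame(0x08, STA, AP, _key(0x008a))),   # M1: pairwise | ack
    (141.810056, _frame(0x08, AP, STA, _key(0x010a))),   # M2: pairwise | mic
    (141.822340, _frame(0x08, STA, AP, _key(0x13ca))),   # M3: pairwise | install | ack | mic | secure | enc
    (141.825929, _frame(0x08, AP, STA, _key(0x030a))),   # M4: pairwise | mic | secure
]
```

`find_handshake` returns the five indices to keep, or None when the messages are out of order, come from different pairs, drift apart in time or lack a beacon from the AP, which are exactly the cases the replies above say to discard.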