wireshark cap clean up does not make sense
#1
Hi,

I have a router that has been decommissioned from a local company. The SSID is SMC-1 and the WPA password is motorhomes. I used hashcat and rockyou.txt to crack and all is good.

I then wanted to break down the cap file using Wireshark to get the 5 packets (1 + 4 messages), but I find something odd that is not documented anywhere else.

Attached is a zip file with 3 files in it.

The first is the original cap file. (smc1-07.cap)
The second is the 5 packets I thought I needed for hashcat to crack; it does not! (smc1-07-5packets.cap)
The third is a cap file with messages 1, 1 and 4, which hashcat will crack - makes no sense (smc1-07-4packets.cap)

I have included a wordlist and the hccapx files for completeness.


To find my packets I used the wireshark filter of:
eapol or wlan.fc.type_subtype==0x08

Each file has been put through the converter on the hashcat.net site before submitting to hashcat (running on Windows 7).

Please can someone explain why the 3rd cap file works but the 2nd does not.

Thank you
BusiFix
#2
Update: I have now got it down to

Beacon Frame
Message 1 of 4
Message 2 of 4

When converted to hccapx this will be cracked. Why does this work?

Thanks in advance
BusiFix
#3
Sorry, file did not attach. It is here http://dropcanvas.com/lfd6o
#4
Message 1 and 2 have everything you need to "attempt" to crack the handshake... 3 and 4 are used to verify key.

Also be sure that the messages all came from the same exchange, you can't mix and match 1 and 3 from handshake 'a' with 2 and 4 from handshake 'b'. 

Perhaps you entered the password wrong in "smc1-07-5packets.cap". The devices used to join are different in each handshake.
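The point made in #4, as an added example that is not from this thread: a pure-Python classifier of EAPOL-Key frames by their Key Information flags, plus a check that a message 1 / message 2 pair share a replay counter and the same AP/station addresses. That pair is what an offline passphrase check needs (ANonce, SNonce and the MIC on message 2), which is why a capture holding message 1 twice and a message 4 from another client gives nothing to verify. Frame bytes and MAC addresses are constructed sample input.

```python
import struct

# Key Information flag bits of an EAPOL-Key frame (IEEE 802.11 RSN key descriptor).
KEY_TYPE, INSTALL, ACK, MIC, SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9

def build_eapol_key(info, replay, nonce=b"\x00" * 32, mic=b"\x00" * 16):
    """Construct a minimal EAPOL-Key frame (empty key data); sample input only."""
    body = struct.pack("!BHHQ", 2, info, 16, replay) + nonce + b"\x00" * 32 + mic + b"\x00\x00"
    return struct.pack("!BBH", 2, 3, len(body)) + body

def parse_eapol_key(frame):
    """Pull out the descriptor fields that decide message number and pairing."""
    _, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != 3:
        raise ValueError("not an EAPOL-Key frame")
    body = frame[4:4 + body_len]
    _, info, _, replay = struct.unpack("!BHHQ", body[:13])
    return {"info": info, "replay": replay, "nonce": body[13:45], "mic": body[77:93]}

def message_number(info):
    """4-way handshake message number from the Key Information flags (0 = none)."""
    if not info & KEY_TYPE:  # group-key handshake, not part of the 4-way exchange
        return 0
    ack, mic, secure, install = (bool(info & f) for f in (ACK, MIC, SECURE, INSTALL))
    if ack and not mic:                 return 1  # AP -> STA: ANonce, no MIC yet
    if mic and not ack and not secure:  return 2  # STA -> AP: SNonce + MIC made with the PTK
    if ack and mic and install:         return 3  # AP -> STA: GTK delivery, MIC
    if mic and not ack and secure:      return 4  # STA -> AP: confirmation MIC only
    return 0

def find_verifiable_pair(frames):
    """frames: list of (src, dst, eapol_bytes). Return the first M1/M2 pair sharing a replay
    counter and the same AP/STA pair: ANonce + SNonce rebuild the PTK, the M2 MIC checks it."""
    parsed = [(s, d, parse_eapol_key(f)) for s, d, f in frames]
    m1s = [(s, d, p) for s, d, p in parsed if message_number(p["info"]) == 1]
    for s2, d2, p2 in parsed:
        if message_number(p2["info"]) != 2:
            continue
        for s1, d1, p1 in m1s:
            if (s1, d1) == (d2, s2) and p1["replay"] == p2["replay"]:
                return {"ap": s1, "sta": s2, "anonce": p1["nonce"],
                        "snonce": p2["nonce"], "mic": p2["mic"]}
    return None  # nothing that could be checked against a candidate passphrase

# Constructed sample capture: one AP, two clients (addresses are made up).
AP, STA_A, STA_B = "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
M1_A = (AP, STA_A, build_eapol_key(KEY_TYPE | ACK, 1, b"A" * 32))
M2_A = (STA_A, AP, build_eapol_key(KEY_TYPE | MIC, 1, b"S" * 32, b"M" * 16))
M4_B = (STA_B, AP, build_eapol_key(KEY_TYPE | MIC | SECURE, 2, mic=b"Q" * 16))
```

Running `find_verifiable_pair([M1_A, M2_A])` returns the nonces and MIC, while `[M1_A, M1_A, M4_B]` (the thread's "1, 1 and 4" layout with a second client) returns None.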
#5
Thank you for replying, soxrock2212.

I thought I needed at least 1, 2 and 4 for a handshake to be complete. Only needing 1 and 2 makes sense of why this now works.

You say the devices are different in smc1-07-5packets.cap. Do you mean different from smc1-07-3packets.cap or different within smc1-07-5packets.cap? I agree that the connecting stations are different (samsung (5packets) against oneplus (3packets)), but the access point (draytek) is the same and therefore I would expect the same password in both files for the same SSID.
#6
(02-22-2018, 01:51 PM)BusiFix Wrote: Thank you for replying, soxrock2212.

I thought I needed at least 1, 2 and 4 for a handshake to be complete. Only needing 1 and 2 makes sense of why this now works.

You say the devices are different in smc1-07-5packets.cap. Do you mean different from smc1-07-3packets.cap or different within smc1-07-5packets.cap? I agree that the connecting stations are different (samsung (5packets) against oneplus (3packets)), but the access point (draytek) is the same and therefore I would expect the same password in both files for the same SSID.

My suggestion was that one of your clients did not know the correct key, possibly it was input incorrectly?