Empty PMKID file generated by hcxpcaptool
#1
Hi.
I hope I'm not off-topic by asking a question about hcxpcaptool usage.

I'm collecting PMKID packets using bettercap, and according to the logs some data is written to the pcap file. Unfortunately, when I try to convert them to a file usable with hashcat, it won't write anything.

According to the summary there are PMKIDs, but then they're not written to output.

What can be wrong? Thanks

Code:
hcxpcaptool -z bettercap-wifi-handshakes.pmkid bettercap-wifi-handshakes.pcap

reading from bettercap-wifi-handshakes.pcap

summary capture file:
---------------------
file name........................: bettercap-wifi-handshakes.pcap
file type........................: pcap 2.4
file hardware information........: unknown
capture device vendor information: 000000
file os information..............: unknown
file application information.....: unknown
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
minimum time stamp...............: 17.09.2019 17:56:11 (GMT)
maximum time stamp...............: 17.09.2019 17:58:56 (GMT)
packets inside...................: 7
skipped packets (damaged)........: 0
packets with GPS data............: 0
packets with FCS.................: 7
EAPOL packets (total)............: 7
EAPOL packets (WPA2).............: 7
PMKIDs (not zeroed - total)......: 2
PMKIDs (WPA2)....................: 7
PMKIDs from access points........: 2
best PMKIDs (total)..............: 2

summary output file(s):
-----------------------
#2
No, you're not off-topic.
It is a well-known bettercap issue that should be fixed now:
https://github.com/bettercap/bettercap/issues/592

Short explanation:
bettercap didn't store ESSID information, so there is nothing to convert with the requested option -z or -k.
But there are 2 PMKIDs inside the cap file that can be verified via PMK (-m 16801), and they can be converted with options -Z or -K.

If you need a longer explanation (including packet analysis):
https://github.com/ZerBea/hcxtools/issues/110
https://github.com/ZerBea/hcxtools/issues/109

BTW:
Why don't you run hcxdumptool?
It has many advantages. For example this one:
https://github.com/ZerBea/hcxtools/issue...-532537154
Also, it provides access-point-less attack vectors and weak candidate alerts.
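
Why the missing ESSID matters, as an added example that is not part of the original thread and is not hcxtools or bettercap code: in WPA2-PSK the ESSID is the PBKDF2 salt that turns a passphrase into the PMK, while the PMKID itself is derived only from the PMK and the two MAC addresses, so a PMKID without an ESSID can still be checked against a known PMK. The `PmkidRecord` container, the function names and all sample values (ESSID, MAC addresses, passphrase) are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class PmkidRecord:
    """One captured PMKID (hypothetical container, not an hcxtools structure)."""
    pmkid: bytes            # 16-byte PMKID taken from EAPOL message 1
    ap_mac: bytes           # 6-byte access point (authenticator) address
    sta_mac: bytes          # 6-byte client (supplicant) address
    essid: Optional[bytes]  # None when the capture holds no ESSID for this AP

def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)

def pmkid_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def matches_pmk(rec: PmkidRecord, pmk: bytes) -> bool:
    # Checking against a known PMK needs no ESSID at all.
    return hmac.compare_digest(pmkid_from_pmk(pmk, rec.ap_mac, rec.sta_mac), rec.pmkid)

def matches_passphrase(rec: PmkidRecord, passphrase: str) -> Optional[bool]:
    # Without the ESSID the PMK cannot be derived, so the check is undecidable (None).
    if rec.essid is None:
        return None
    return matches_pmk(rec, pmk_from_passphrase(passphrase, rec.essid))

def demo():
    # Constructed sample values: locally administered MACs, made-up ESSID and passphrase.
    essid = b"ExampleNet"
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    pmk = pmk_from_passphrase("constructed-passphrase", essid)
    with_essid = PmkidRecord(pmkid_from_pmk(pmk, ap, sta), ap, sta, essid)
    without_essid = PmkidRecord(with_essid.pmkid, ap, sta, None)
    return (
        matches_passphrase(with_essid, "constructed-passphrase"),     # ESSID known
        matches_passphrase(without_essid, "constructed-passphrase"),  # ESSID missing
        matches_pmk(without_essid, pmk),                              # PMK known
    )

if __name__ == "__main__":
    print(demo())
```
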
#3
Thank you very much for your answer! Unfortunately I'm on macOS, so no hcxdumptool for me (at least for now). I will figure out other ways; -Z seemed to work! Thank you again.
#4
Ok, that is a good reason. And running hcxdumptool through a VM isn't a good idea:
https://github.com/aircrack-ng/rtl8812au...-529123578