Converting cap file to hccapx, SSID name changing!
#1
Hi.
I have a different problem.
I am from Turkey and we have these words in our alphabet (ö, ç, ş, ğ, etc.)

I have a cap file and when I send this file to a cracking service, SSID is correctly defined = Router SSID (Gül's Home)
and it is cracked!

But when I convert this file to hccapx or m22000 WPA 01/02 file as well, SSID changes to GxC3xBCl's and in the same service when I send this hccapx, it is not cracked by that service!
What must I do for this? For hashcat I need hccapx files but I need true SSID name on it.

I can share cap file if you want

Thanks
Reply
#2
Can you please describe your complete workflow and the command lines you use?

Please notice:
The output to a terminal depends on the default settings of the terminal.
To make this more universal, hcxtools replaces non-ASCII characters with a placeholder (e.g.: "."). The hash file should not be affected.
You can use a hex editor (e.g.: GHex) to take a look at the ESSID inside the hccapx file.

For hashcat you don't need hccapx files. hashcat accepts 22000 files, too:
Code:
2500  | WPA-EAPOL-PBKDF2                                 | Network Protocols
2501  | WPA-EAPOL-PMK                                    | Network Protocols
16800 | WPA-PMKID-PBKDF2                                 | Network Protocols
16801 | WPA-PMKID-PMK                                    | Network Protocols
22000 | WPA-PBKDF2-PMKID+EAPOL                           | Network Protocols
22001 | WPA-PMK-PMKID+EAPOL                              | Network Protocols

BTW:
Exactly this is one of the reasons to move from 2500 (hccapx) to 22000.
You do not need a hex editor any longer to take a look at the hashes.
Instead you can use every bash command (tool) to show the content of the hash.

We take the example hash from here:
https://hashcat.net/wiki/doku.php?id=example_hashes
22000 WPA-PBKDF2-PMKID+EAPOL
Code:
WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***
Format is:
PMKID type 01:
IDENTIFIER * TYPE * PMKID * MAC_AP * MAC_STA * ESSID
EAPOL type 02:
IDENTIFIER * TYPE * MIC * MAC_AP * MAC_STA * ESSID * EAPOL MESSAGE PAIR

We take the ESSID from the 22000 hash line and convert from HEX ASCII to ASCII using a perl command:
Code:
$ echo  "686173686361742d6573736964" | perl -pe 's/(..)/chr(hex($1))/ge'
It will show you the ESSID in ASCII:
hashcat-essid

There is absolutely no reason to use hccapx any longer.
Reply
#3
(02-27-2021, 06:15 PM)ZerBea Wrote: Can you please describe your complete workflow and the command lines you use?

I will explain what the problem is.
Below there is a 1.cap file and its original SSID name is "Gül's home".
When I send this file to a crack service, the file was cracked. There is no problem. And also the SSID is seen right!

For me.
I use hashcat. For this I need hccapx file or a pmkids hash or WPA 01/02 hash... I can't crack cap files in hashcat, you know.
I use The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) and use this command.

hcxpcaptool -z 1.pmkid -o 1.hccapx 1.cap
hcxpcapngtool -o 1.22000 --pmkid=1.16800 --hccapx=1.hccapx 1.cap

In this file I got a hccapx file and a 1.22000 file! I could not get a 16800 file pmkids!

I shared 2 files below.
When I send these files to a crack service, the file was not cracked. SSID seen like this "GxC3xBCl's"
And also in hashcat for example I use these commands

for hccapx 
hashcat64.exe -w 3 -a 3 -m 2500 1.hccapx ?d?d?d?d?d?d?d?d
for 22000 
hashcat.exe -w 3 -a 3 -m 22000 WPA*02 ?d?d?d?d?d?d?d?d

Each time in hashcat the SSID is also seen as "GxC3xBCl's".
I think I can't crack this because of this error.
In the cracking services I experienced this.


How can I make it look right ssid name in hccapx or in 22000 hash?
This is my problem. SSID does not look right?

I hope I explained what the problem is.

Sorry for my bad English.
What do you think about this problem?

Thanks
Reply
#4
Please mask or remove the 22000 hash line from your comment, because it is against the forum rules to comment real hashes, here.
You can remove your attachments, too.

First of all, may I ask two questions:
What tool did you use to capture the traffic?
Why did you run so many deauthentications?

If you take a look inside your capfile, you'll notice in packet 3 a BEACON (the only one), with this ESSID:
Tag: SSID parameter set: GxC3xBCl's
Code:
3    Feb 21, 2021 08:22:01.616000000 CET    GxC3xBCl's

But the ESSIDs in the PROBERESPONSE frames are different to the BEACON frame:
ESSID changes (detected maximum).........: 1 (information: option --max-essids=<digit> and --all recommended)
Code:
37    Feb 21, 2021 08:22:04.598014000 CET    Gül's Home
38    Feb 21, 2021 08:22:04.605181000 CET    Gül's Home
39    Feb 21, 2021 08:22:04.769532000 CET    Gül's Home
That lets me assume that your capturing tool picked up the wrong BEACON (and this is an issue of the capturing tool).

You can use tshark to verify this:
Code:
$ tshark -r 1.cap -T fields -E header=y -e frame.number -e frame.time -e wlan.ssid

Every conversion tool will see this captured ESSID and convert it (by default options).

BTW:
The quality of your captured file is terrible!

Too many deauthentications.
DEAUTHENTICATION (total).................: 36409
to retrieve a single EAPOL MESSAGE pair:
EAPOL pairs (best).......................: 1
Running these massive deauthentications you'll spam the entire WiFi channel!
You're going to make the AP and the CLIENT "crazy" and they'll reset their EAPOL counters (which results in uncrackable EAPOL messages).

Timestamps damaged! They are not in a row.
Code:
Packet.Nr.  Date Time
67989    Feb 21, 2021 08:33:52.858111000 CET
67990    Feb 21, 2021 08:33:52.858109000 CET
67991    Feb 21, 2021 08:33:52.858111000 CET
67992    Feb 21, 2021 08:33:52.858109000 CET
67993    Feb 21, 2021 08:33:52.858111000 CET
67994    Feb 21, 2021 08:33:52.858111000 CET
...
68235    Feb 21, 2021 08:33:53.474110000 CET
68236    Feb 21, 2021 08:33:53.474109000 CET
68237    Feb 21, 2021 08:33:53.478717000 CET
68238    Feb 21, 2021 08:33:53.478719000 CET
68239    Feb 21, 2021 08:33:53.478717000 CET

Important frames (from which the PSK can be recovered) are missing.

Only one BEACON inside. If this BEACON is wrong, you'll never recover the PSK (explained before)!

hcxpcapngtool result in detail (Wireshark and tshark showing a similar result):
Code:
$ hcxpcapngtool -o test.22000 1.cap
reading from 1.cap...

summary capture file
--------------------
file name................................: 1.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 21.02.2021 08:22:01
timestamp maximum (GMT)..................: 21.02.2021 09:45:52
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 85311
BEACON (total)...........................: 1
ACTION (total)...........................: 126
PROBEREQUEST (directed)..................: 5
PROBERESPONSE............................: 2123
DEAUTHENTICATION (total).................: 36409
DISASSOCIATION (total)...................: 2
AUTHENTICATION (total)...................: 166
AUTHENTICATION (OPEN SYSTEM).............: 166
ASSOCIATIONREQUEST (total)...............: 26
ASSOCIATIONREQUEST (PSK).................: 26
WPA encrypted............................: 683
EAPOL messages (total)...................: 20
EAPOL RSN messages.......................: 20
ESSID (total unique).....................: 2
ESSID changes (detected maximum).........: 1 (information: option --max-essids=<digit> and --all recommended)
EAPOLTIME gap (measured maximum usec)....: 56630291
EAPOL ANONCE error corrections (NC)......: not detected
REPLAYCOUNT gap (measured maximum).......: 3
EAPOL M1 messages (total)................: 12
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 4
EAPOL M4 messages (total)................: 3
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to combi hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1

Warning: out of sequence timestamps!
This dump file contains frames with out of sequence timestamps.
That is a bug of the capturing tool.

Warning: too many deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER,
renew ANONCE and set PMKID to zero.
This could prevent to calculate a valid EAPOL MESSAGE PAIR
or to get a valid PMKID.

Warning: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.


session summary
---------------
processed cap files...................: 1

In other words, neither a standard conversion tool nor hashcat can work on this capture file.


BTW - to answer your questions:
"I have a cap file and when I send this file to a cracking service, SSID is correctly defined = Router SSID (Gül's Home) and it is cracked!"
For sure, most of the online services are running hcxtools (with advanced options).
https://hashcat.net/forum/thread-9893-po...l#pid51787
https://wpa-sec.stanev.org/?search=G%C3%BCl%27s+Home

"How can I make it look right ssid name in hccapx or in 22000 hash?
This is my problem. SSID does not look right?"
This is not your problem and it is not the problem of hashcat!
It is the problem of the tool you used for capturing!
If the capturing tool is missing some frames, they are gone for ever!
None of the following tools in the workflow (conversion tool to a format hashcat accepts, and hashcat itself) can bring it back or is able to recover the PSK from it!
However, hcxpcapngtool will provide some options to work on that cap file, but don't rely on it. If you do the conversion again, running option --max-essids=2 you'll get two 22000 hash lines:
One which is wrong (ESSID) 477843337842436c2773
You can't recover the PSK from it in hash mode 22000 (by PBKDF2).
But you can verify the hash running hash mode 22001 with the PMK recovered from the correct ESSID:
One which is possibly the correct ESSID 47c3bc6c277320486f6d65
Hashcat may be able to recover the PSK from it 47c3bc6c277320486f6d65
You can use the recovered PMK to verify the PSK of the hash line with the wrong ESSID by hash mode 22001.
Verifying a network by PMK is explained here:
https://hashcat.net/forum/thread-9893.html

In detail:
Code:
WPA*02*MIC*MAC_AP*MAC_STA*477843337842436c2773*...
WPA*02*MIC*MAC_AP*MAC_STA*47c3bc6c277320486f6d65*...
You can verify the ESSID by perl command:
Code:
$ echo "47c3bc6c277320486f6d65" | perl -pe 's/(..)/chr(hex($1))/ge'
Gül's Home

Please be so kind and comment the command lines you used:
to capture the traffic
to convert the captured file to a hash format hashcat accepts
to recover the PSK by running hashcat
That makes it much easier to figure out, what exactly went wrong in your workflow.
Reply
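
Added example, not part of the original thread and not code from hcxtools or hashcat: a Python check that goes a little beyond the perl one-liner in post #2 by decoding the ESSID field of 22000 hash lines and flagging the two symptoms described in post #4, an ESSID stored as literal "xC3xBC" text and one AP appearing with more than one ESSID. The sample lines reuse the hex values shown in the thread with its MIC/MAC placeholders; the function names and the "xHH" heuristic are assumptions made for this example.

```python
import re

# Constructed sample: ESSID hex values as shown in the thread; the MIC and MAC
# fields are the thread's own placeholders, not real data.
SAMPLE_LINES = [
    "WPA*02*MIC*MAC_AP*MAC_STA*477843337842436c2773*...",
    "WPA*02*MIC*MAC_AP*MAC_STA*47c3bc6c277320486f6d65*...",
    "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*"
    "686173686361742d6573736964***",
]
ESCAPE_RE = re.compile(rb"x([0-9A-Fa-f]{2})")  # literal "xC3"-style text

def parse_line(line):
    """Return (mac_ap, essid_bytes) from one 22000 hash line."""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError("not a 22000 hash line: %r" % line)
    return fields[3], bytes.fromhex(fields[5])

def unescape(essid):
    """Turn literal 'xHH' text back into the bytes it stands for."""
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), essid)

def looks_escaped(essid):
    """Heuristic (assumption): an all-ASCII ESSID whose 'xHH' pairs decode to
    valid non-ASCII UTF-8 was probably stored as printable escape text."""
    if not essid.isascii() or not ESCAPE_RE.search(essid):
        return False
    raw = unescape(essid)
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return not raw.isascii()

def essid_conflicts(lines):
    """Map each MAC_AP that appears with more than one ESSID to those ESSIDs."""
    seen = {}
    for line in lines:
        mac_ap, essid = parse_line(line)
        seen.setdefault(mac_ap, set()).add(essid)
    return {ap: sorted(e) for ap, e in seen.items() if len(e) > 1}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        _, essid = parse_line(line)
        note = "  <- escaped text, not the original bytes" if looks_escaped(essid) else ""
        print(essid.hex(), repr(essid.decode("utf-8", "replace")) + note)
    print("conflicting ESSIDs per AP:", essid_conflicts(SAMPLE_LINES))
```

The ESSID bytes are the PBKDF2 salt for the PMK, so a hash line carrying the escaped text does not verify in mode 22000 even against the right PSK. Here the unescaped value is only a prefix of the ESSID seen in the probe responses, so the line cannot simply be repaired from its own contents.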