blackice55 Posted April 21, 2016
Hi! I would like to know if I need to clean my WPA handshake captured with aircrack-ng before converting it to hccap for cracking it in hashcat? When I use the tool wpaclean in Kali Linux it seems to remove important parts of the 4-way handshake... Can I just use the file with all the junk traffic and the full handshake inside it without having problems? I don't want to spend a day cracking a broken handshake. https://goo.gl/photos/R6C3uqt3p8UtiKsp6 If I got the 4-way handshake like in this picture for the same client, I should be OK even with a .cap file that is not clean?
i8igmac Posted April 22, 2016
I have cleaned cap files before, when they are super large and I only want the relevant information... processing extremely large pcap files eats up resources and causes delayed results if you plan on processing the file multiple times over and over again... You should be fine.
digininja Posted April 22, 2016
Most tools just pull the hashes out and work on those, so once the process starts the rest of the pcap is forgotten.
b0N3z Posted April 22, 2016
I've run large pcap files and they will skyrocket my CPU temps (95C), but smaller ones will keep it more reasonable (75C).
digininja Posted April 22, 2016
Have you read the official guide on the Hashcat site? https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
blackice55 (Author) Posted April 22, 2016
Thx for all the responses! I can confirm that this is working without a problem! hashcat is pulling the important information from the pcap file by itself and cracks the password like digininja said. I prefer not cleaning the file to prevent myself from breaking an otherwise perfect handshake!
digininja Posted April 22, 2016
You could always just extract the handshake yourself in Wireshark. Load the file, filter by eap and then save the packets that are left as pcap, not pcapng.
blackice55 (Author) Posted April 24, 2016
I captured a new handshake yesterday, but it seems I had a lot of broken ones before aircrack-ng finally detected a good one. By looking at the last 4 packets with the eapol filter in Wireshark I was able to see that it was a good handshake because packets 1, 2, 3 and 4 were there. I also checked that the replay value was the same for the first 2 packets and the same for the last 2 packets, and I made sure that the nonce value was the same for the first and third packets. I followed this page to make sure everything was good: http://aircrack-ng.org/doku.php?id=wpa_capture&DokuWiki=074d5917c87bb3032d8c42de85f2e8da After that I selected the 4 good eapol packets and selected one broadcast beacon frame and put them in a new file like in the pictures. https://goo.gl/photos/qUrziqhd9wChXsLA6 https://goo.gl/photos/hcFQa4S9uLqoJ9Sb8 Do you guys see any error in the way I am making sure that the .cap handshake is good before converting it to hccap?
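The checks described in the post above (all four EAPOL-Key messages present, equal replay counters on messages 1 and 2 and on 3 and 4, same nonce in messages 1 and 3), written out as an added example that is not part of the original thread. The function names and sample frames are constructed for illustration, and telling message 2 from message 4 by the presence of key data is an assumption of this sketch.

```python
import struct

ACK, MIC = 0x0080, 0x0100  # Key Ack and Key MIC bits of the Key Information field

def parse_key_frame(eapol: bytes) -> dict:
    """Parse one EAPOL-Key frame, starting at the 802.1X header."""
    if len(eapol) < 99 or eapol[1] != 3:  # packet type 3 = EAPOL-Key
        raise ValueError("not a complete EAPOL-Key frame")
    info, _key_len, replay = struct.unpack_from(">HHQ", eapol, 5)
    (data_len,) = struct.unpack_from(">H", eapol, 97)
    if info & ACK:  # sent by the AP: message 1 has no MIC, message 3 has one
        msg = 3 if info & MIC else 1
    else:  # sent by the client; assumption: only message 2 carries key data
        msg = 2 if data_len else 4
    return {"msg": msg, "replay": replay, "nonce": eapol[17:49]}

def check_handshake(frames) -> list:
    """Return the problems found; an empty list means every check passed."""
    seen = {}
    for f in map(parse_key_frame, frames):
        seen[f["msg"]] = f  # simplification: keep the last copy of each message
    missing = [n for n in (1, 2, 3, 4) if n not in seen]
    if missing:
        return [f"missing message(s) {missing}"]
    problems = []
    if seen[1]["replay"] != seen[2]["replay"]:
        problems.append("replay counter differs between messages 1 and 2")
    if seen[3]["replay"] != seen[4]["replay"]:
        problems.append("replay counter differs between messages 3 and 4")
    if seen[1]["nonce"] != seen[3]["nonce"]:
        problems.append("ANonce differs between messages 1 and 3")
    return problems

def build(info, replay, nonce, key_data=b""):
    """Constructed sample frame (WPA descriptor 254, MIC left as zeros)."""
    body = struct.pack(">BHHQ", 254, info, 32, replay) + nonce + bytes(48)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 1, 3, len(body)) + body

A1, A2, S = bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32  # constructed nonces
GOOD = [build(0x0089, 1, A1), build(0x0109, 1, S, bytes(24)),
        build(0x01C9, 2, A1, bytes(24)), build(0x0109, 2, bytes(32))]
MIXED = GOOD[:2] + [build(0x01C9, 2, A2, bytes(24)), GOOD[3]]  # M3 from another attempt

if __name__ == "__main__":
    for name, cap in (("good", GOOD), ("partial", GOOD[:2]), ("mixed", MIXED)):
        print(name, check_handshake(cap) or "ok")
```

The input is the EAPOL payload of each frame, that is, the bytes after the 802.11 and LLC/SNAP headers; the MIC itself is not verified here.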
digininja Posted April 24, 2016
What is indicating that the handshake is broken? Did you save the capture from Wireshark? If so, did you use pcapng or traditional pcap format?
blackice55 (Author) Posted April 25, 2016
I was not very clear, sorry. I got multiple handshakes first with only 1 or 2 eapol packets, and after that I got the full 4-way handshake. Here is the picture to show the capture. https://goo.gl/photos/2itrAV2xrC4bJZFu9 and here is the new clean .cap file: http://www.filedropper.com/bell919 Do you see any problem in this handshake?
digininja Posted April 25, 2016
aircrack-ng doesn't see any problems:

    $ aircrack-ng bell919.cap
    Opening /home/robin/Desktop/bell919.cap
    Read 5 packets.

       #  BSSID              ESSID                     Encryption

       1  54:64:D9:EA:47:8F  BELL919                   WPA (1 handshake)

    Choosing first network as target.

    Opening bell919.cap

We have to assume you have permission to test this AP, so have the person who knows the PSK put it in a file and test that it will work.