Comments (4)

ZerBea commented on June 9, 2024

I agree. It looks like EWSA failed while open source tools are working as expected.

Analysis:
Download example dump file from here:
https://github.com/wireshark/wireshark/blob/master/test/captures/wpa-Induction.pcap.gz

Used tools: hcxhash2cap, gunzip, tshark, tcpdump, wpapcap2john, john, aircrack-ng, ls

Procedure to reproduce:

gunzip the archive so that all tools can work on it:

$ gunzip wpa-Induction.pcap.gz

convert it to hccapx:

$ hcxpcapngtool --hccapx=wpa-Induction.hccapx  wpa-Induction.pcap
hcxpcapngtool 6.3.1-46-g8e19ff4 reading from wpa-Induction.pcap...

summary capture file
--------------------
file name................................: wpa-Induction.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 07:14:45
timestamp maximum (GMT)..................: 04.01.2007 07:15:26
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 1093
frames with correct FCS..................: 1080
packets received on 2.4 GHz..............: 1093
WIRELESS DISTRIBUTION SYSTEM.............: 1
ESSID (total unique).....................: 2
BEACON (total)...........................: 398
BEACON on 2.4 GHz channel (from IE_TAG)..: 1 
PROBEREQUEST (undirected)................: 12
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 26
DISASSOCIATION (total)...................: 1
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
RESERVED MANAGEMENT frame................: 4
WPA encrypted............................: 280
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum msec)....: 4
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to old format hccapx.: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1
RSN PMKID (total)........................: 1
RSN PMKID (from zeroed PMK)..............: 1 (not converted by default options - use --all if needed)

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2412: 1093

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.

session summary
---------------
processed cap files...................: 1

$ ls
wpa-Induction.hccapx  wpa-Induction.pcap

convert it to dump file in cap format:

$ hcxhash2cap --hccapx=wpa-Induction.hccapx -c wpa-Induction.cap
EAPOLs written to capfile(s): 1 (0 skipped)
$ ls
ac  wpa-Induction.cap  wpa-Induction.hccapx  wpa-Induction.pcap

get information about the dump file using tshark:

$ tshark -r 'wpa-Induction.cap' -T fields -e frame.number -e frame.time -e wlan_rsna_eapol.keydes.msgnr -e eapol.keydes.replay_counter -e frame.protocols -e _ws.col.Info
1	Jul 18, 2023 09:39:38.325757000 CEST			wlan	Beacon frame, SN=325, FN=0, Flags=........, BI=100, SSID="Coherer"
2	Jul 18, 2023 09:39:38.325758000 CEST	1	0	wlan:llc:eapol	Key (Message 1 of 4)
3	Jul 18, 2023 09:39:38.325759000 CEST	2	0	wlan:llc:eapol	Key (Message 2 of 4)

get information about the dump file using tcpdump (see EWSA requirements: ...or capture file in 'tcpdump' format with 'handshake' packages):

$ tcpdump -r wpa-Induction.cap
reading from file wpa-Induction.cap, link-type IEEE802_11 (802.11), snapshot length 65535
18:20:33.108662 Beacon (Coherer) [1.0* 2.0* 5.5* 11.0* 6.0* 9.0 12.0* 18.0 Mbit] ESS CH: 3, PRIVACY
18:20:33.108663 EAPOL key (3) v2, len 95
18:20:33.108664 EAPOL key (3) v2, len 117

Both tshark and tcpdump show that the mandatory information (ESSID, handshake) is present in the dump file.

create wordlist:

$ echo "Induction" > wordlist.txt

convert dump file to john hash file to make sure the dump file is valid:

$ wpapcap2john wpa-Induction.cap > wpa-Induction.john
File wpa-Induction.cap: raw 802.11
Dumping M1/M2 at 0.000002 BSSID 00:0C:41:82:B2:55 ESSID 'Coherer' STA 00:0D:93:82:36:3A

1 ESSIDS processed and 1 AP/STA pairs processed
1 handshakes written, 0 RSN IE PMKIDs

run john to recover the psk:

$ john --no-log -w:wordlist.txt --format=wpapsk-opencl --pot=john.wpa.pot wpa-Induction.john
Device 1@tux1: NVIDIA GeForce RTX 4080
Using default input encoding: UTF-8
Loaded 1 password hash (wpapsk-opencl, WPA/WPA2/PMF/PMKID PSK [PBKDF2-SHA1 OpenCL])
Note: Minimum length forced to 8 by format
LWS=256 GWS=4980736 (19456 blocks) 
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Warning: Only 1 candidate buffered, minimum 4980736 needed for performance.
Induction        (Coherer)     
1g 0:00:00:00 DONE (2023-07-18 10:07) 25.00g/s 25.00p/s 25.00c/s 25.00C/s Dev#1:35°C Induction
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

run aircrack-ng to recover the psk:

$ ./aircrack-ng -w wordlist.txt wpa-Induction.cap
                        Aircrack-ng 1.7 rev 1de8fb71

      [00:00:00] 1/1 keys tested (134.16 k/s) 

      Time left: --

                           KEY FOUND! [ Induction ]


      Master Key     : A2 88 FC F0 CA AA CD A9 A9 F5 86 33 FF 35 E8 99 
                       2A 01 D9 C1 0B A5 E0 2E FD F8 CB 5D 73 0C E7 BC 

      Transient Key  : B1 CD 79 27 16 76 29 03 F7 23 42 4C D7 D1 65 11 
                       82 A6 44 13 3B FA 4E 0B 75 D9 6D 23 08 35 84 33 
                       15 79 8D 51 1B EA E0 02 83 13 C8 AB 32 F1 2C 7E 
                       CB 71 C8 93 48 26 69 DA AF 0E 92 23 FE 1C 0A ED 

      EAPOL HMAC     : A4 62 A7 02 9A D5 BA 30 B6 AF 0D F3 91 98 8E 45 

Untested workflow: hcxpcapngtool -> hashcat
because there is absolutely no need to convert a hc22000, hccapx or hccap file to a limited cap format
and there is absolutely no need to convert a pcapng file to a limited cap format.

Conclusion:
All tools used for the test detect a valid handshake and they are able to recover the PSK.
I guess the problem is about EWSA, because it failed.

"Maybe hcxhash2cap needs to add more things to the output file when it makes the conversion."
No! EWSA is a commercial product and the source code is not open.
I don't wrestle with closed source tools.

Closed because hcxhash2cap is doing exactly what is expected and all open source tools can work on the dump file.

from hcxtools.

ZerBea commented on June 9, 2024

Please notice:
A conversion from pcapng to pcap or cap is always lossy.
A conversion from pcapng, pcap or cap to hccap, hccapx or hc22000 is always lossy.
A conversion from hccap, hccapx or hc22000 to cap cannot recover the lost information!

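As an added example (not hcxtools or hashcat code) of what an hccapx record actually carries, and therefore why a cap rebuilt from it can only ever contain the two paired messages from the reproduction above: a parser for the 393-byte hccapx v4 layout documented on the hashcat wiki, run over a record constructed to match this thread's M1/M2 case. The ESSID and MACs are the ones wpapcap2john printed above; nonces, MIC and EAPOL body are dummy bytes.

```python
import struct

# hccapx v4 record: 393 bytes, little endian, packed (hashcat wiki layout)
HCCAPX_STRUCT = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
HCCAPX_SIZE = HCCAPX_STRUCT.size  # 393

# Low three bits of message_pair: which two EAPOL frames were paired and
# which of them supplied the single stored EAPOL body.
MESSAGE_PAIR = {
    0: ("M1", "M2", "M2"),
    1: ("M1", "M4", "M4"),
    2: ("M2", "M3", "M2"),
    3: ("M2", "M3", "M3"),
    4: ("M3", "M4", "M3"),
    5: ("M3", "M4", "M4"),
}

def parse_hccapx(blob):
    """Decode one hccapx record into a dict; raise ValueError if malformed."""
    if len(blob) != HCCAPX_SIZE:
        raise ValueError(f"expected {HCCAPX_SIZE} bytes, got {len(blob)}")
    (sig, ver, mp, essid_len, essid, keyver, keymic, mac_ap,
     nonce_ap, mac_sta, nonce_sta, eapol_len, eapol) = HCCAPX_STRUCT.unpack(blob)
    if sig != b"HCPX" or ver != 4:
        raise ValueError("not an hccapx v4 record")
    if essid_len > 32 or eapol_len > 256:
        raise ValueError("length field out of range")
    first, second, source = MESSAGE_PAIR[mp & 0x07]
    return {
        "essid": essid[:essid_len].decode("utf-8", "replace"),
        "keyver": keyver,
        "mac_ap": mac_ap.hex(":"),
        "mac_sta": mac_sta.hex(":"),
        "pair": (first, second),
        "eapol_from": source,          # only this one EAPOL frame survives
        "flags": mp & 0xF8,            # upper bits of message_pair (unused here)
        "eapol_len": eapol_len,
        "keymic": keymic.hex(),
    }

def lost_on_conversion(rec):
    """Handshake messages a cap rebuilt from this record can never contain."""
    return sorted({"M1", "M2", "M3", "M4"} - set(rec["pair"]))

def build_sample():
    """Constructed record for the thread's M1/M2 case; nonces, MIC, EAPOL body are dummy."""
    return HCCAPX_STRUCT.pack(
        b"HCPX", 4, 0, 7, b"Coherer", 2, bytes(range(16)),
        bytes.fromhex("000c4182b255"), bytes([0xAA]) * 32,
        bytes.fromhex("000d9382363a"), bytes([0xBB]) * 32, 117, b"\x02" + bytes(255))
```

Beacons, probe responses, timestamps and the other two handshake messages are simply not in the record, so no converter can put them back.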

lab37 commented on June 9, 2024

Thanks.
Problem is about EWSA.
Maybe it refused to work because there were only the M1 and M2.


ZerBea commented on June 9, 2024

As I mentioned here:
#299 (comment)
Due to the limited hash format, the conversion is not lossless.
https://hashcat.net/wiki/doku.php?id=hccapx

BTW:
The same applies to cleaned dump files.
