
Comments (18)

ZerBea avatar ZerBea commented on June 9, 2024

For sure it doesn't work on some hash files, because the conversion from a dump file to a hash file is not lossless.
Only the following MESSAGE PAIRs can be converted back:
M1M2E2
M2M3E2
M1M4E4

These MESSAGE PAIRs can't be converted back, because they produce invalid hashes:
M2M3E3
M3M4E3

The reason why there is no direct converter:
We don't know the state of a hccap or a hccapx file (it could be converted from an invalid message pair), and the hc22000 file might be crappy, too.
If we convert hccap/hccapx to cap, good conversion tools (hcxpcapngtool) detect that it came from a crappy source and print a warning.

from hcxtools.

ZerBea avatar ZerBea commented on June 9, 2024

Maybe add a tool to convert from hccap/hccapx to 22000 format directly and not skip anything?
Let me think awhile about this problem.


ZerBea avatar ZerBea commented on June 9, 2024

Added two feature requests to import old formats.

Closed this report, because conversion from dump file to hash file is not lossless.


ZerBea avatar ZerBea commented on June 9, 2024

Added hccapx to hc22000 converter by this commit:
7956a90
and option hccapx= has been changed to hccapx-out=

$ hcxhashtool -h:
--hccapx-in=<file>           : inputput deprecated hccapx file
--hccapx-out=<file>          : output to deprecated hccapx file

hccap converter will follow, soon.


StrongWind1 avatar StrongWind1 commented on June 9, 2024

Thank you @ZerBea ! Yes my whole goal is to just convert these to the 22000 format. The hcxhash2cap was just an intermediate step. I understand these old formats are not lossless "and the hc22000 file might be crappy, too." but that is okay for my use case.

With this new option every (multiple) hccapx structs in a file will be converted? How are you handling the MESSAGEPAIR conversion from the old hccapx format and the new 22000 format?


ZerBea avatar ZerBea commented on June 9, 2024

All hash structs of a hccapx file are converted to hc22000.
The requirements are:
hccapx must be 393 bytes (in case of one hash only) or a multiple of that (in case of more hashes).
hccapx version 3 or 4

The MESSAGEPAIR is directly taken from the hccapx struct (unmodified). It is impossible to calculate a MESSAGEPAIR from a lossy hash file.

A hccap file does not have a MESSAGEPAIR. The MESSAGEPAIR will be that of a crappy dump file.

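To make the requirements in this comment concrete, here is an added example (my code, not hcxtools' or hashcat's) that parses an hccapx file block by block, enforces the 393-byte-multiple and version 3/4 checks, and emits hc22000 lines with the MESSAGEPAIR byte copied unmodified. The block layout follows hashcat's published hccapx specification; the two sample blocks are constructed from the fields of the Coherer hash lines shown in ZerBea's reproduction steps below, with the M2 EAPOL-Key frame assembled from its header, the SNONCE, the zeroed IV/RSC/ID/MIC area and the RSN key data. All function and field names are mine.

```python
import struct
from dataclasses import dataclass

HCCAPX_SIZE = 393                 # one hccapx hash block
HCCAPX_SIGNATURE = 0x58504348     # "HCPX" read as a little-endian u32
HCCAPX_VERSIONS = (3, 4)          # versions hcxhashtool accepts

# One hccapx block (hashcat hccapx specification), packed little-endian:
# signature u32, version u32, message_pair u8, essid_len u8, essid[32], keyver u8,
# keymic[16], mac_ap[6], nonce_ap[32], mac_sta[6], nonce_sta[32], eapol_len u16, eapol[256]
HCCAPX_FMT = "<IIBB32sB16s6s32s6s32sH256s"
assert struct.calcsize(HCCAPX_FMT) == HCCAPX_SIZE


@dataclass
class HccapxRecord:
    message_pair: int
    essid: bytes
    keyver: int
    keymic: bytes
    mac_ap: bytes
    nonce_ap: bytes
    mac_sta: bytes
    nonce_sta: bytes
    eapol: bytes


def parse_hccapx(data: bytes) -> list:
    """Validate an hccapx file and return one record per 393-byte block."""
    if len(data) == 0 or len(data) % HCCAPX_SIZE != 0:
        raise ValueError(f"hccapx size must be a multiple of {HCCAPX_SIZE}, got {len(data)}")
    records = []
    for off in range(0, len(data), HCCAPX_SIZE):
        (sig, ver, mp, essid_len, essid, keyver, keymic, mac_ap, nonce_ap,
         mac_sta, nonce_sta, eapol_len, eapol) = struct.unpack_from(HCCAPX_FMT, data, off)
        if sig != HCCAPX_SIGNATURE:
            raise ValueError(f"bad signature {sig:#010x} at offset {off}")
        if ver not in HCCAPX_VERSIONS:
            raise ValueError(f"unsupported hccapx version {ver} at offset {off}")
        if essid_len > 32 or eapol_len > 256:
            raise ValueError(f"length field out of range at offset {off}")
        records.append(HccapxRecord(mp, essid[:essid_len], keyver, keymic, mac_ap,
                                    nonce_ap, mac_sta, nonce_sta, eapol[:eapol_len]))
    return records


def pack_hccapx(rec: HccapxRecord, version: int = 4) -> bytes:
    """Inverse of parse_hccapx for one record (used here to build the sample file)."""
    return struct.pack(HCCAPX_FMT, HCCAPX_SIGNATURE, version, rec.message_pair,
                       len(rec.essid), rec.essid.ljust(32, b"\0"), rec.keyver, rec.keymic,
                       rec.mac_ap, rec.nonce_ap, rec.mac_sta, rec.nonce_sta,
                       len(rec.eapol), rec.eapol.ljust(256, b"\0"))


def to_hc22000(rec: HccapxRecord) -> str:
    """WPA*02*MIC*MAC_AP*MAC_STA*ESSID(hex)*ANONCE*EAPOL*MESSAGEPAIR.
    The pair byte is copied as-is: it cannot be recomputed from a lossy hash file."""
    return "*".join(["WPA", "02", rec.keymic.hex(), rec.mac_ap.hex(), rec.mac_sta.hex(),
                     rec.essid.hex(), rec.nonce_ap.hex(), rec.eapol.hex(),
                     f"{rec.message_pair:02x}"])


def convert_hccapx(data: bytes) -> list:
    return [to_hc22000(r) for r in parse_hccapx(data)]


# --- constructed sample: the Coherer handshake values from the hash lines in this thread ---
ANONCE = bytes.fromhex("3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933")
SNONCE = bytes.fromhex("cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386")
# EAPOL-Key M2 (121 bytes): header, descriptor/key info/key length/replay counter,
# SNONCE, 48 zero bytes (IV, RSC, ID and the MIC slot, zeroed as hash files store it),
# key data length 0x16 and the RSN IE.
EAPOL_M2 = (bytes.fromhex("0203007502010a00100000000000000000") + SNONCE + bytes(48)
            + bytes.fromhex("001630140100000fac020100000fac040100000fac020000"))


def sample_hccapx() -> bytes:
    """Two blocks, as cap2hccapx wrote them: message pair 0 and message pair 2."""
    common = dict(essid=b"Coherer", keyver=2,
                  keymic=bytes.fromhex("a462a7029ad5ba30b6af0df391988e45"),
                  mac_ap=bytes.fromhex("000c4182b255"), nonce_ap=ANONCE,
                  mac_sta=bytes.fromhex("000d9382363a"), nonce_sta=SNONCE, eapol=EAPOL_M2)
    return b"".join(pack_hccapx(HccapxRecord(message_pair=mp, **common)) for mp in (0, 2))


if __name__ == "__main__":
    for line in convert_hccapx(sample_hccapx()):
        print(line)
```

Running it prints the same two lines as `cat converted.hc22000` in the reproduction below, ending in `*00` and `*02`; feeding it a file whose size is not a multiple of 393 or whose version byte is not 3 or 4 raises before anything is emitted.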

ZerBea avatar ZerBea commented on June 9, 2024

To reproduce the process:
get the example dumpfile from Wireshark sample captures:
wget https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/wpa-Induction.pcap

get hashcat-utils from here and compile them
https://github.com/hashcat/hashcat-utils/releases/

convert dump file to hccapx format:

$ ./cap2hccapx.bin wpa-Induction.pcap deprecated.hccapx 
Networks detected: 1

[*] BSSID=00:0c:41:82:b2:55 ESSID=Coherer (Length: 7)
 --> STA=00:0d:93:82:36:3a, Message Pair=0, Replay Counter=0
 --> STA=00:0d:93:82:36:3a, Message Pair=2, Replay Counter=0

Written 2 WPA Handshakes to: deprecated.hccapx

convert hccapx to hc22000 format:

$ hcxhashtool --hccapx-in=deprecated.hccapx -o converted.hc22000

OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entries...................: 34539
total lines read..............: 2
valid hash lines..............: 2
EAPOL hash lines..............: 2
EAPOL written.................: 2

convert the dump file to a hc22000 file with hcxpcapngtool. We do not use --all to get all handshakes. Instead we run hcxpcapngtool with default options to get only the best one:
$ hcxpcapngtool -o hash.hc22000 wpa-Induction.pcap

compare both hc22000 files:

$ cat converted.hc22000
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*00
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*02

$ cat hash.hc22000
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*02


ZerBea avatar ZerBea commented on June 9, 2024

Added hccap to hc22000 converter by this commit:
e5d04c5
and option hccap= has been changed to hccap-out=

$ hcxhashtool -h:
--hccap-in=<file>            : inputput ancient hccap file
--hccap-out=<file>           : output to ancient hccap file


StrongWind1 avatar StrongWind1 commented on June 9, 2024

Still confused about the MP being set. I am getting different MPs than your commands above.

I am running all this using:
Linux debian12-template 6.1.0-15-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.66-1 (2023-12-09) x86_64 GNU/Linux

and latest git commit for hcxhashtools and hashcat-utils compiled with

Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.2.0 (Debian 12.2.0-14)

Commands:

$ root@debian12-template ~/test# ll
total 192
drwxr-xr-x  4 root root   4096 Dec 17 23:48 ./
drwx------ 14 root root   4096 Dec 17 23:45 ../
drwxr-xr-x  3 root root   4096 Dec 17 23:48 cap2hccap/
drwxr-xr-x  6 root root   4096 Dec 17 23:47 hashcat-utils/
-rw-r--r--  1 root root 179298 Mar 13  2023 wpa-Induction.pcap

$ root@debian12-template ~/test# cap2hccap/cap2hccap.bin wpa-Induction.pcap ancient.hccap
[info    ]      writing handshake for "Coherer".

$ root@debian12-template ~/test# hashcat-utils/src/cap2hccapx.bin wpa-Induction.pcap deprecated.hccapx
Networks detected: 1

[*] BSSID=00:0c:41:82:b2:55 ESSID=Coherer (Length: 7)
 --> STA=00:0d:93:82:36:3a, Message Pair=0, Replay Counter=0
 --> STA=00:0d:93:82:36:3a, Message Pair=2, Replay Counter=0

Written 2 WPA Handshakes to: deprecated.hccapx

$ root@debian12-template ~/test# ~/hcxtools/hcxhashtool --hccap-in=ancient.hccap -o ancient.hc22000

OUI information file..........: N/A
total lines read..............: 1
valid hash lines..............: 1
EAPOL hash lines..............: 1
EAPOL written.................: 1

$ root@debian12-template ~/test# ~/hcxtools/hcxhashtool --hccapx-in=deprecated.hccapx -o deprecated.hc22000

OUI information file..........: N/A
total lines read..............: 2
valid hash lines..............: 2
EAPOL hash lines..............: 2
EAPOL written.................: 2

$ root@debian12-template ~/test# ~/hcxtools/hcxpcapngtool wpa-Induction.pcap -o best.22000
hcxpcapngtool 6.3.2-28-ga589864 reading from wpa-Induction.pcap...

summary capture file
--------------------
file name................................: wpa-Induction.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 01:14:45
timestamp maximum (GMT)..................: 04.01.2007 01:15:26
duration of the dump tool (seconds)......: 40
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 1093
frames with correct FCS..................: 1080
packets received on 2.4 GHz..............: 1093
WIRELESS DISTRIBUTION SYSTEM.............: 1
ESSID (total unique).....................: 2
BEACON (total)...........................: 398
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
PROBEREQUEST (undirected)................: 12
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 26
DISASSOCIATION (total)...................: 1
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
RESERVED MANAGEMENT frame................: 4
WPA encrypted............................: 280
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum msec)....: 4
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M12E2 (challenge)..................: 1
RSN PMKID (total)........................: 1
RSN PMKID (from zeroed PMK)..............: 1 (not converted by default options - use --all if needed)

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2412: 1093

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
Duration of the dump tool was a way too short to capture enough additional information.


session summary
---------------
processed cap files...................: 1

$ root@debian12-template ~/test# ~/hcxtools/hcxpcapngtool wpa-Induction.pcap --all -o all.22000
hcxpcapngtool 6.3.2-28-ga589864 reading from wpa-Induction.pcap...

summary capture file
--------------------
file name................................: wpa-Induction.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 01:14:45
timestamp maximum (GMT)..................: 04.01.2007 01:15:26
duration of the dump tool (seconds)......: 40
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 1093
frames with correct FCS..................: 1080
packets received on 2.4 GHz..............: 1093
WIRELESS DISTRIBUTION SYSTEM.............: 1
ESSID (total unique).....................: 2
BEACON (total)...........................: 398
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
PROBEREQUEST (undirected)................: 12
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 26
DISASSOCIATION (total)...................: 1
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
RESERVED MANAGEMENT frame................: 4
WPA encrypted............................: 280
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum msec)....: 4
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 3
EAPOL pairs (useful).....................: 3
EAPOL pairs written to 22000 hash file...: 3 (RC checked)
EAPOL M12E2 (challenge)..................: 1
EAPOL M32E2 (authorized).................: 1
EAPOL M32E3 (authorized).................: 1
RSN PMKID (total)........................: 1
RSN PMKID (from zeroed PMK)..............: 1 (not converted by default options - use --all if needed)
RSN PMKID (useful).......................: 1
RSN PMKID written to 22000 hash file.....: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2412: 1093

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
Duration of the dump tool was a way too short to capture enough additional information.


session summary
---------------
processed cap files...................: 1

That outputs:

$ root@debian12-template ~/test# cat ancient.hc22000
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*80

$ root@debian12-template ~/test# cat deprecated.hc22000
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*00
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*02

$ root@debian12-template ~/test# cat best.22000
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*80

$ root@debian12-template ~/test# cat all.22000
WPA*01*592da88096c461da246c69001e877f3d*000c4182b255*000d9382363a*436f6865726572***01
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*80
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*82
WPA*02*7d0af6df51e99cde7a187453f0f93537*000c4182b255*000d9382363a*436f6865726572*cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386*020300af0213ca001000000000000000013e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933f57b949771c867989f49d04ed47c6934cf020000000000000000000000000000000000000000000000000000000000000050cfa72cde35b2c1e2319255806ab364179fd9673041b9a5939fa1a2010d2ac794e25168055f794ddc1fdfae3521f4446bfd11da98345f543df6ce199df8fe48f8cdd17adca87bf45711183c496d41aa0c*13

It looks like my MPs are different when using hcxpcapngtool.
HCCAP converted using hcxhashtool is set to 0x80 correctly
HCCAPX converted using hcxhashtool is set to 0x00 and 0x02 correctly

hcxpcapngtool with best handshake is set to 0x80. I expect it to be 0x02 for M2+M3, EAPOL from M2 (authorized), and the replay count is correct.

Also when using --all with hcxpcapngtool (ignoring the WPA*01 and the last hash with MP 13), the other two hashes have an MP of 0x80 and 0x82 when these should be 0x00 and 0x02, right?

I am assuming the way cap2hccapx is doing replay count checking is different than the way hcxpcapngtool does it, and that is why there is a difference? Also, why did hcxpcapngtool produce 0x02 for you and 0x80 for me when running the same command?


StrongWind1 avatar StrongWind1 commented on June 9, 2024

Also a couple of errors in the usage section of hcxhashtool.c:

	"--hccapx-in=<file>           : inputput deprecated hccapx file\n"
	"                                MESSSAGEPAIR is taken from the hccapx source\n"
	"--hccapx-out=<file>          : output to deprecated hccapx file\n"
	"--hccap-in=<file>            : input to ancient hccap file\n"
	"--hccap-out=<file>           : output to ancient hccap file\n"
	"                                MESSSAGEPAIR is calculated from the EAPOL MESSAGE\n"
	"                                due to missing information, the worst case value is calculated\n"
	"--hccap=<file>               : output to ancient hccap file\n"

to:

	"--hccapx-in=<file>           : input deprecated hccapx file\n"
	"                                 MESSSAGEPAIR is taken from the hccapx source\n"
	"--hccapx-out=<file>         : output to deprecated hccapx file\n"
	"--hccap-in=<file>             : input to ancient hccap file\n"
	"                                MESSSAGEPAIR is calculated from the EAPOL MESSAGE\n"
	"                                due to missing information, the worst case value is calculated\n"
	"--hccap-out=<file>           : output to ancient hccap file\n"

Correct "inputput", move the hccap message to the hccap-in portion, and delete --hccap=.


ZerBea avatar ZerBea commented on June 9, 2024

Thanks for testing.
Help has been fixed by latest commit.

"hcxpcapngtool with best handshake is set to 0x80. I expect it to 0x02 for M2+M3, EAPOL from M2 (authorized) and replaycount is correct."
No, best is always a MESSAGE PAIR of 2 EAPOL MESSAGES with the lowest time gap:

time                                 msg  RC  nonce
Jan  4, 2007 07:14:51.509261000 CET   1    0   3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933
Jan  4, 2007 07:14:51.510267000 CET   2    0   cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386
Jan  4, 2007 07:14:51.515265000 CET   3    1   3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933
Jan  4, 2007 07:14:51.515281000 CET   4    1   0000000000000000000000000000000000000000000000000000000000000000

M1M2 510267000 - 509261000 = 1006000
M2M3 515265000 - 510267000 = 4998000

The dump file contains too few M1 or M3 MESSAGES:

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.

We take the worst case and activate default NC

The PMKID is an initial PMKID calculated from a zeroed PMK. That makes it useless:
RSN PMKID (from zeroed PMK)..............: 1 (not converted by default options - use --all if needed)

$ echo "0000000000000000000000000000000000000000000000000000000000000000" > pmk
$ hashcat -m 22001 /tmp/test.22000 pmk
hashcat (v6.2.6-846-g4d412c8e0) starting
...
592da88096c461da246c69001e877f3d:000c4182b255:000d9382363a:Coherer:0000000000000000000000000000000000000000000000000000000000000000
                                                          
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 22001 (WPA-PMK-PMKID+EAPOL)
Hash.Target......: /tmp/test.22000
Time.Started.....: Mon Dec 18 08:04:13 2023 (1 sec)
Time.Estimated...: Mon Dec 18 08:04:14 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (pmk)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1627 H/s (0.00ms) @ Accel:128 Loops:1024 Thr:512 Vec:1
Recovered........: 1/3 (33.33%) Digests (total), 1/3 (33.33%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2-5
Candidate.Engine.: Device Generator
Candidates.#1....: 0000000000000000000000000000000000000000000000000000000000000000 -> 0000000000000000000000000000000000000000000000000000000000000000
Hardware.Mon.#1..: Temp: 25c Fan:  0% Util:  6% Core:2505MHz Mem:10802MHz Bus:16

Started: Mon Dec 18 08:04:13 2023
Stopped: Mon Dec 18 08:04:15 2023

All in detail:

1 WPA*01*592da88096c461da246c69001e877f3d*000c4182b255*000d9382363a*436f6865726572***01
2 WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*80
3 WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*82
4 WPA*02*7d0af6df51e99cde7a187453f0f93537*000c4182b255*000d9382363a*436f6865726572*cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386*020300af0213ca001000000000000000013e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933f57b949771c867989f49d04ed47c6934cf020000000000000000000000000000000000000000000000000000000000000050cfa72cde35b2c1e2319255806ab364179fd9673041b9a5939fa1a2010d2ac794e25168055f794ddc1fdfae3521f4446bfd11da98345f543df6ce199df8fe48f8cdd17adca87bf45711183c496d41aa0c*13

1 only converted by --all (e.g. for analysis purposes), because the PMKID is calculated from a zeroed PMK
2 M1M2E2 NC set to default due to too few M1 or M3
3 M2M3E2 NC set to default due to too few M1 or M3
4 M2M3E3 NC in EAPOL NC deactivated, because the NONCE is taken from the CLIENT

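StrongWind1's question and ZerBea's answer both turn on the upper bits of the MESSAGEPAIR byte, which hcxhashtool --info prints in words but the raw hash line does not. This added example (my code, not hcxtools' or hashcat's) decodes that byte the way hashcat documents it for hccapx/22000 as far as I know it (bits 0-2 the pair, bit 4 AP-less/ROGUE with NC deactivated, bit 5 little-endian router, bit 6 big-endian router, bit 7 NC definitely necessary), and flags a PMKID that equals the one derived from an all-zero PMK, which is what the hashcat -m 22001 run above confirms for the Coherer line. The input is the all.22000 listing from this thread, embedded as test data; the trailing field of the WPA*01 line is left uninterpreted, and the function names are mine.

```python
import hashlib
import hmac

# Low 3 bits of the MESSAGEPAIR byte (hashcat hccapx/22000 documentation)
PAIRS = {0: "M1M2E2", 1: "M1M4E4", 2: "M2M3E2", 3: "M2M3E3", 4: "M3M4E3", 5: "M3M4E4"}


def decode_message_pair(mp: int) -> dict:
    """Split the MESSAGEPAIR byte into the pair and the nonce-error-correction (NC) hint."""
    pair = PAIRS.get(mp & 0x07, "invalid")
    if mp & 0x10:        # bit 4: AP-less / ROGUE attack, NC deactivated (nonce comes from the client)
        nc = "deactivated"
    elif mp & 0x80:      # bit 7: replay counter not trusted, NC definitely necessary (default NC)
        nc = "default (worst case)"
    elif mp & 0x20:      # bit 5: little-endian router detected, NC only on LE needed
        nc = "LE only"
    elif mp & 0x40:      # bit 6: big-endian router detected, NC only on BE needed
        nc = "BE only"
    else:
        nc = "not flagged"
    return {"raw": mp, "pair": pair,
            "eapol_from": None if pair == "invalid" else "M" + pair[-1], "nc": nc}


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """IEEE 802.11: PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA))."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def describe(line: str) -> dict:
    """One dict per 22000 hash line: MACs, ESSID and either the PMKID check or the pair decode."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA":
        raise ValueError("not a 22000 hash line")
    out = {"type": f[1], "mac_ap": f[3], "mac_sta": f[4],
           "essid": bytes.fromhex(f[5]).decode(errors="replace")}
    if f[1] == "01":
        # A PMKID equal to the one derived from an all-zero PMK carries no secret at all;
        # hcxpcapngtool reports it as "from zeroed PMK" and skips it unless --all is given.
        out["zeroed_pmk"] = pmkid(bytes(32), bytes.fromhex(f[3]),
                                  bytes.fromhex(f[4])) == bytes.fromhex(f[2])
    elif f[1] == "02":
        out.update(decode_message_pair(int(f[8], 16)))
    else:
        raise ValueError(f"unknown hash type {f[1]}")
    return out


def summarize(text: str) -> list:
    return [describe(line) for line in text.splitlines() if line.strip()]


# Test data: the four lines hcxpcapngtool --all wrote to all.22000 in this thread.
ALL_22000 = "\n".join([
    "WPA*01*592da88096c461da246c69001e877f3d*000c4182b255*000d9382363a*436f6865726572***01",
    "WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*80",
    "WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*82",
    "WPA*02*7d0af6df51e99cde7a187453f0f93537*000c4182b255*000d9382363a*436f6865726572*cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386*020300af0213ca001000000000000000013e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933f57b949771c867989f49d04ed47c6934cf020000000000000000000000000000000000000000000000000000000000000050cfa72cde35b2c1e2319255806ab364179fd9673041b9a5939fa1a2010d2ac794e25168055f794ddc1fdfae3521f4446bfd11da98345f543df6ce199df8fe48f8cdd17adca87bf45711183c496d41aa0c*13",
])

if __name__ == "__main__":
    for row in summarize(ALL_22000):
        print(row)
```

The decode explains the numbers in the question: 0x80 and 0x82 are the same pairs as 0x00 and 0x02 with the "default NC" bit added because the dump has too few M1/M3 frames to verify the counter, 0x13 is M2M3E3 with NC switched off, and the 0x22 printed for test2.hc22000 further down is M2M3E2 with the little-endian hint.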

LLH-l avatar LLH-l commented on June 9, 2024

@ZerBea hello...
test.zip
Converted message number error.
Among them there should be an M2M3 message pair number.

hcxhash2cap --hccapx=test.hccapx
But after conversion, all are M1M2 message numbers.


LLH-l avatar LLH-l commented on June 9, 2024

Another:
from hc22000 to *.cap
hcxhash2cap --pmkid-eapol=test.hc22000


ZerBea avatar ZerBea commented on June 9, 2024

First file: test.zip
Conversion from cap to hash (hccap/hccapx/hc22000) is not(!) lossless:
#324 (comment)
A hash file only contains one complete EAPOL MESSAGE Pair (M2, M3 or not zeroed M4).
Therefore it is impossible to generate an M2M3 or M3M4 cap file!
hccapx_specs


ZerBea avatar ZerBea commented on June 9, 2024

Second file: test2.zip

$ hcxhashtool --info=stdout -i test2.hc22000
SSID.......: Router_3A9A06
MAC_AP.....: 8439be3a9a07 (Unknown)
MAC_CLIENT.: 6c5c149386c6 (GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD)
PMKID......: 38c06716b06d39d6c650be3cd90ff6c3
HASHLINE...: WPA*01*38c06716b06d39d6c650be3cd90ff6c3*8439be3a9a07*6c5c149386c6*526f757465725f334139413036***

SSID.......: Router_3A9A06
MAC_AP.....: 8439be3a9a07 (Unknown)
MAC_CLIENT.: 6c5c149386c6 (GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 0
NC INFO....: little endian router detected / NC on LE
EAPOL MSG..: 2
MP M2M3 E2.: authorized
MIC........: 28d7d1cfd89f57b40038d0e1697a0f19
HASHLINE...: WPA*02*28d7d1cfd89f57b40038d0e1697a0f19*8439be3a9a07*6c5c149386c6*526f757465725f334139413036*6b782804b091e0ddc7783c7fb337e662d7e39fd5c97f038f696cb90b5a94f3ce*0103007502010a000000000000000000007ec77df727e1aa03cd7dd092d93ec4b8b7eec99550ef049966dd87b34e8177bd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*22

SSID.......: Router_3A9A06
MAC_AP.....: 8439be3a9a07 (Unknown)
MAC_CLIENT.: 6c5c149386c6 (GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD)
VERSION....: 802.1X-2004 (2)
KEY VERSION: WPA2
REPLAYCOUNT: 1
NC INFO....: ROGUE attack / NC deactivated
EAPOL MSG..: 3
MP M2M3 E3.: authorized
MIC........: 1e4e81e250bed56de3becf0ba16eaf70
HASHLINE...: WPA*02*1e4e81e250bed56de3becf0ba16eaf70*8439be3a9a07*6c5c149386c6*526f757465725f334139413036*7ec77df727e1aa03cd7dd092d93ec4b8b7eec99550ef049966dd87b34e8177bd*020300970213ca001000000000000000016b782804b091e0ddc7783c7fb337e662d7e39fd5c97f038f696cb90b5a94f3ced7e39fd5c97f038f696cb90b5a94f3cf67550b00000000000000000000000000000000000000000000000000000000000038f734ceff14da22f3c82321fb389bf824e8d6eab67fd2f582191f4fd2e0e7cddf6b9c79a22256b9d750ea288e41091e936e2a3e283cd5b300*13

It contains three hashes:
1 = PMKID
2 = EAPOL MSG 2 (can be converted back to a cap file)
3 = EAPOL MSG 3 (cannot be converted back to a cap file because the EAPOL M2 MESSAGE is missing in the hash file)


$ ls
test2.hc22000

$ hcxhash2cap --pmkid-eapol=test2.hc22000
PMKIDs/EAPOL messages written to capfile(s): 2 (1 skipped)

$ ls
6c5c149386c6.cap  6c5c149386c6.cap_0  test2.hc22000

We got 2 valid cap files:

6c5c149386c6.cap = PMKID
6c5c149386c6.cap_0 = EAPOL M1M2
and the M2M3 has been skipped for the reasons mentioned above.


LLH-l avatar LLH-l commented on June 9, 2024

Sorry, since the second file is in the fixed hc22000 format and reached the limit, please skip this issue.
But hcxpcapngtool > hccapx file should add the M3 EAPOL.
When using hcxhash2cap for conversion to cap, it can then have a complete M2M3 EAPOL.


ZerBea avatar ZerBea commented on June 9, 2024

To make that absolutely clear:
An hccap/hccapx file contains one or more single hashes with a size of 392 bytes (hccap) or 393 bytes (hccapx).
Each of these single hash blocks contains only one EAPOL message!

This entire conversion hash -> cap is completely different from the conversion cap -> hash, e.g.:
the time stamp is missing
the second MESSAGE PAIR is missing (and it is definitely not a good idea to take it from a different hash block from an unknown source)
EAPOL M3 can't be converted back

I will not add code to generate a MESSAGE PAIR from two different hash blocks of an unknown source.


ZerBea avatar ZerBea commented on June 9, 2024

By latest commit, I added a notice to hcxhash2cap --help:

$ hcxhash2cap -h
hcxhash2cap 6.3.2-41-gb28983f (C) 2024 ZeroBeat
usage:
hcxhash2cap <options>

options:
-c <file> : output cap file
            if no cap file is selected, output will be written to single cap files
            format: mac_sta.cap (mac_sta.cap_x)
-h        : show this help
-v        : show version

--pmkid-eapol=<file> : input PMKID EAPOL (22000) combi hash file
--pmkid=<file>       : input deprecated PMKID (16800) hash file
--hccapx=<file>      : input deprecated hccapx (2500) hash file
--hccap=<file>       : input ancient hccap (2500) file
--john=<file>        : input John the Ripper WPAPSK hash file
--help               : show this help
--version            : show version

Important notice:
Conversion from a dump file to a hash file is not loss less.
Hash files that contain EAPOL M3 MESSAGEs can't be converted back to a cap file.

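To see in bytes why the hash -> cap direction loses information, here is an added example (my code, not hcxhash2cap) that rebuilds a pcap from a single WPA*02 line. It writes a beacon carrying the ESSID, a synthesized M1 that carries the ANONCE and M2's replay counter (the hash stores no M1 frame, so that frame is my reconstruction, not data), and the stored M2 with its MIC put back into the zeroed slot, all with zero timestamps because the hash has none. Lines whose EAPOL comes from M3 are refused, as the notice above states; lines whose EAPOL comes from M4 are treated like M2 here, which is my choice. pcap and 802.11 framing follow the public formats; the sample lines are assembled from the fields of the Coherer hashes earlier in this thread, and the 0x13 line reuses the M2 bytes purely to exercise the refusal path.

```python
import struct

LINKTYPE_IEEE802_11 = 105                      # raw 802.11 frames, no radiotap header
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")
EAPOL_SOURCE = {0: "M2", 1: "M4", 2: "M2", 3: "M3", 4: "M3", 5: "M4"}   # low 3 bits of MESSAGEPAIR
MIC_OFFSET = 81   # 4 (EAPOL hdr) + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8 bytes into the EAPOL-Key frame


def parse_eapol_line(line: str) -> dict:
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] != "02":
        raise ValueError("not a WPA*02 (EAPOL) hash line")
    h = {"mic": bytes.fromhex(f[2]), "mac_ap": bytes.fromhex(f[3]), "mac_sta": bytes.fromhex(f[4]),
         "essid": bytes.fromhex(f[5]), "anonce": bytes.fromhex(f[6]), "eapol": bytes.fromhex(f[7]),
         "message_pair": int(f[8], 16)}
    if len(h["eapol"]) < MIC_OFFSET + 16:
        raise ValueError("EAPOL field too short")
    return h


def beacon(mac_ap: bytes, essid: bytes) -> bytes:
    """Minimal beacon so a reader can map the BSSID to the ESSID (timestamp unknown -> 0)."""
    body = bytes(8) + struct.pack("<HH", 100, 0x0411) + bytes([0, len(essid)]) + essid
    return b"\x80\x00\x00\x00" + b"\xff" * 6 + mac_ap + mac_ap + b"\x00\x00" + body


def data_frame(to_ds: bool, addr1: bytes, addr2: bytes, addr3: bytes, eapol: bytes) -> bytes:
    flags = b"\x01" if to_ds else b"\x02"       # ToDS for STA->AP, FromDS for AP->STA
    return (b"\x08" + flags + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
            + LLC_SNAP_EAPOL + eapol)


def synth_m1(m2_eapol: bytes, anonce: bytes) -> bytes:
    """M1 is not in the hash; rebuild one from the ANONCE and M2's replay counter (my reconstruction)."""
    rc = m2_eapol[9:17]
    body = (b"\x02" + struct.pack(">HH", 0x008A, 16) + rc + anonce
            + bytes(16 + 8 + 8 + 16) + b"\x00\x00")
    return m2_eapol[0:1] + b"\x03" + struct.pack(">H", len(body)) + body


def build_frames(line: str):
    """Frames for one hash line, or None when the stored EAPOL is M3 (its M2 half is not in the hash)."""
    h = parse_eapol_line(line)
    if EAPOL_SOURCE.get(h["message_pair"] & 0x07) not in ("M2", "M4"):
        return None
    eapol = bytearray(h["eapol"])
    eapol[MIC_OFFSET:MIC_OFFSET + 16] = h["mic"]   # put the MIC back into its zeroed slot
    return [beacon(h["mac_ap"], h["essid"]),
            data_frame(False, h["mac_sta"], h["mac_ap"], h["mac_ap"], synth_m1(h["eapol"], h["anonce"])),
            data_frame(True, h["mac_ap"], h["mac_sta"], h["mac_ap"], bytes(eapol))]


def frames_to_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f   # no timestamps in a hash file
    return out


def hc22000_to_cap(line: str):
    frames = build_frames(line)
    return None if frames is None else frames_to_pcap(frames)


# Constructed sample lines, assembled from the fields of the Coherer hashes in this thread:
# an M1M2E2 line with the default-NC flag (0x80) and, for the refusal path, the same bytes
# tagged as M2M3E3 (0x13).
_PREFIX = ("WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*"
           "3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*")
_EAPOL_M2 = ("0203007502010a00100000000000000000"
             "cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386"
             + "00" * 48 + "001630140100000fac020100000fac040100000fac020000")
M2_LINE = _PREFIX + _EAPOL_M2 + "*80"
M3_LINE = _PREFIX + _EAPOL_M2 + "*13"

if __name__ == "__main__":
    cap = hc22000_to_cap(M2_LINE)
    print(len(cap), "bytes of pcap;", "M3 line ->", hc22000_to_cap(M3_LINE))
```

Everything the rebuilt file lacks is visible in the code: the timestamps are zero, the M1 is invented from the ANONCE rather than captured, and there is no second message of the pair, which is exactly the loss ZerBea describes and why a converter should not stitch frames together from different hash blocks.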
