Comments (18)
For sure it doesn't work on some hash files, because the conversion from a dump file to a hash file is not lossless.
Only the following MESSAGE PAIRs can be converted back:
M1M2E2
M2M3E2
M1M4E4
These MESSAGE PAIRs can't be converted back, because they produce invalid hashes:
M2M3E3
M3M4E3
The reason why there is no direct converter:
We don't know the state of a hccap or a hccapx file (it could be converted from an invalid message pair) and the hc22000 file might be crappy, too.
If we convert hccap/hccapx to cap, good conversion tools (hcxpcapngtool) detect that it came from a crappy source and print a warning.
from hcxtools.
Maybe add to tool to convert from hccap/hccapx to 22000 format directly and do not skip anything?
Let me think awhile about this problem.
from hcxtools.
Added two feature requests to import old formats.
Closed this report, because conversion from dump file to hash file is not lossless.
from hcxtools.
Added hccapx to hc22000 converter by this commit:
7956a90
and option hccapx= has been changed to hccapx-out=
$ hcxhashtool -h:
--hccapx-in=<file> : inputput deprecated hccapx file
--hccapx-out=<file> : output to deprecated hccapx file
hccap converter will follow, soon.
from hcxtools.
Thank you @ZerBea ! Yes my whole goal is to just convert these to the 22000 format. The hcxhash2cap was just an intermediate step. I understand these old formats are not lossless "and the hc22000 file might be crappy, too." but that is okay for my use case.
With this new option every (multiple) hccapx structs in a file will be converted? How are you handling the MESSAGEPAIR conversion from the old hccapx format and the new 22000 format?
from hcxtools.
All hash structs of a hccapx file are converted to hc22000.
The requirements are:
hccapx must be 393 bytes (in case of one hash only) or a multiple of that (in case of more hashes).
hccapx version 3 or 4
The MESSAGEPAIR is directly taken from the hccapx struct (unmodified). It is impossible to calculate a MESSAGEPAIR from a lossy hash file.
A hccap file does not have a MESSAGEPAIR. The MESSAGEPAIR will be that of a crappy dump file.
from hcxtools.
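The input requirements listed in the comment above, as an added example (not code from hcxtools): a reader that rejects an hccapx file unless its size is a multiple of 393 bytes and every record is version 3 or 4, and that returns each record's MESSAGEPAIR byte unmodified. The field layout and the `HCPX` signature follow hashcat's published hccapx struct; `parse_hccapx`, `make_record` and the sample records are constructed for illustration.

```python
import struct

# One hccapx record: little-endian, packed, 393 bytes in total.
# signature, version, message_pair, essid_len, essid[32], keyver, keymic[16],
# mac_ap[6], nonce_ap[32], mac_sta[6], nonce_sta[32], eapol_len, eapol[256]
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
FIELDS = ("signature", "version", "message_pair", "essid_len", "essid",
          "keyver", "keymic", "mac_ap", "nonce_ap", "mac_sta", "nonce_sta",
          "eapol_len", "eapol")


def parse_hccapx(blob):
    """Return one dict per record; raise ValueError on a malformed file."""
    if not blob or len(blob) % HCCAPX.size:
        raise ValueError(
            f"size {len(blob)} is not a multiple of {HCCAPX.size} bytes")
    records = []
    for offset in range(0, len(blob), HCCAPX.size):
        rec = dict(zip(FIELDS, HCCAPX.unpack_from(blob, offset)))
        if rec["signature"] != b"HCPX":
            raise ValueError(f"record at offset {offset}: bad signature")
        if rec["version"] not in (3, 4):
            raise ValueError(
                f"record at offset {offset}: version {rec['version']}")
        if rec["essid_len"] > 32 or rec["eapol_len"] > 256:
            raise ValueError(f"record at offset {offset}: length out of range")
        # Trim the fixed-size buffers to their declared lengths.
        rec["essid"] = rec["essid"][:rec["essid_len"]]
        rec["eapol"] = rec["eapol"][:rec["eapol_len"]]
        # message_pair is left exactly as stored: it cannot be recomputed
        # from a lossy hash record.
        records.append(rec)
    return records


def make_record(message_pair, version=4):
    """Constructed sample record: zeroed MIC, nonces and EAPOL body."""
    return HCCAPX.pack(
        b"HCPX", version, message_pair, 7, b"Coherer", 2, bytes(16),
        bytes.fromhex("000c4182b255"), bytes(32),
        bytes.fromhex("000d9382363a"), bytes(32), 121, bytes(256))


# Constructed two-record file mirroring "Message Pair=0" and "Message Pair=2".
SAMPLE = make_record(0) + make_record(2)

if __name__ == "__main__":
    for rec in parse_hccapx(SAMPLE):
        print(rec["essid"].decode(), rec["mac_ap"].hex(),
              f"MESSAGEPAIR={rec['message_pair']:02x}")
```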
To reproduce the process:
get the example dumpfile from Wireshark sample captures:
wget https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/wpa-Induction.pcap
get hashcat-utils from here and compile them
https://github.com/hashcat/hashcat-utils/releases/
convert dump file to hccapx format:
$ ./cap2hccapx.bin wpa-Induction.pcap deprecated.hccapx
Networks detected: 1
[*] BSSID=00:0c:41:82:b2:55 ESSID=Coherer (Length: 7)
--> STA=00:0d:93:82:36:3a, Message Pair=0, Replay Counter=0
--> STA=00:0d:93:82:36:3a, Message Pair=2, Replay Counter=0
Written 2 WPA Handshakes to: deprecated.hccapx
convert hccapx to hc22000 format:
$ hcxhashtool --hccapx-in=deprecated.hccapx -o converted.hc22000
OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entries...................: 34539
total lines read..............: 2
valid hash lines..............: 2
EAPOL hash lines..............: 2
EAPOL written.................: 2
convert the dump file to a hc22000 file by hcxpcapngtool. We do not use --all to get all handshakes. Instead we run hcxpcapngtool by default options to get only the best one:
$ hcxpcapngtool -o hash.hc22000 wpa-Induction.pcap
compare both hc22000 files:
$ cat converted.hc22000
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*00
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*02
$ cat hash.hc22000
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*02
from hcxtools.
Added hccap to hc22000 converter by this commit:
e5d04c5
and option hccap= has been changed to hccap-out=
$ hcxhashtool -h:
--hccap-in=<file> : inputput ancient hccap file
--hccap-out=<file> : output to ancient hccap file
from hcxtools.
Still confused about the MP being set. I am getting different MPs than your commands above.
I am running all this using:
Linux debian12-template 6.1.0-15-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.66-1 (2023-12-09) x86_64 GNU/Linux
and latest git commit for hcxhashtools and hashcat-utils compiled with
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.2.0 (Debian 12.2.0-14)
Commands:
$ root@debian12-template ~/test# ll
total 192
drwxr-xr-x 4 root root 4096 Dec 17 23:48 ./
drwx------ 14 root root 4096 Dec 17 23:45 ../
drwxr-xr-x 3 root root 4096 Dec 17 23:48 cap2hccap/
drwxr-xr-x 6 root root 4096 Dec 17 23:47 hashcat-utils/
-rw-r--r-- 1 root root 179298 Mar 13 2023 wpa-Induction.pcap
$ root@debian12-template ~/test# cap2hccap/cap2hccap.bin wpa-Induction.pcap ancient.hccap
[info ] writing handshake for "Coherer".
$ root@debian12-template ~/test# hashcat-utils/src/cap2hccapx.bin wpa-Induction.pcap deprecated.hccapx
Networks detected: 1
[*] BSSID=00:0c:41:82:b2:55 ESSID=Coherer (Length: 7)
--> STA=00:0d:93:82:36:3a, Message Pair=0, Replay Counter=0
--> STA=00:0d:93:82:36:3a, Message Pair=2, Replay Counter=0
Written 2 WPA Handshakes to: deprecated.hccapx
$ root@debian12-template ~/test# ~/hcxtools/hcxhashtool --hccap-in=ancient.hccap -o ancient.hc22000
OUI information file..........: N/A
total lines read..............: 1
valid hash lines..............: 1
EAPOL hash lines..............: 1
EAPOL written.................: 1
$ root@debian12-template ~/test# ~/hcxtools/hcxhashtool --hccapx-in=deprecated.hccapx -o deprecated.hc22000
OUI information file..........: N/A
total lines read..............: 2
valid hash lines..............: 2
EAPOL hash lines..............: 2
EAPOL written.................: 2
$ root@debian12-template ~/test# ~/hcxtools/hcxpcapngtool wpa-Induction.pcap -o best.22000
hcxpcapngtool 6.3.2-28-ga589864 reading from wpa-Induction.pcap...
summary capture file
--------------------
file name................................: wpa-Induction.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 01:14:45
timestamp maximum (GMT)..................: 04.01.2007 01:15:26
duration of the dump tool (seconds)......: 40
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 1093
frames with correct FCS..................: 1080
packets received on 2.4 GHz..............: 1093
WIRELESS DISTRIBUTION SYSTEM.............: 1
ESSID (total unique).....................: 2
BEACON (total)...........................: 398
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
PROBEREQUEST (undirected)................: 12
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 26
DISASSOCIATION (total)...................: 1
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
RESERVED MANAGEMENT frame................: 4
WPA encrypted............................: 280
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum msec)....: 4
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M12E2 (challenge)..................: 1
RSN PMKID (total)........................: 1
RSN PMKID (from zeroed PMK)..............: 1 (not converted by default options - use --all if needed)
frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2412: 1093
Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng
Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
Duration of the dump tool was a way too short to capture enough additional information.
session summary
---------------
processed cap files...................: 1
$ root@debian12-template ~/test# ~/hcxtools/hcxpcapngtool wpa-Induction.pcap --all -o all.22000
hcxpcapngtool 6.3.2-28-ga589864 reading from wpa-Induction.pcap...
summary capture file
--------------------
file name................................: wpa-Induction.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 01:14:45
timestamp maximum (GMT)..................: 04.01.2007 01:15:26
duration of the dump tool (seconds)......: 40
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 1093
frames with correct FCS..................: 1080
packets received on 2.4 GHz..............: 1093
WIRELESS DISTRIBUTION SYSTEM.............: 1
ESSID (total unique).....................: 2
BEACON (total)...........................: 398
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
PROBEREQUEST (undirected)................: 12
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 26
DISASSOCIATION (total)...................: 1
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
RESERVED MANAGEMENT frame................: 4
WPA encrypted............................: 280
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum msec)....: 4
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 3
EAPOL pairs (useful).....................: 3
EAPOL pairs written to 22000 hash file...: 3 (RC checked)
EAPOL M12E2 (challenge)..................: 1
EAPOL M32E2 (authorized).................: 1
EAPOL M32E3 (authorized).................: 1
RSN PMKID (total)........................: 1
RSN PMKID (from zeroed PMK)..............: 1 (not converted by default options - use --all if needed)
RSN PMKID (useful).......................: 1
RSN PMKID written to 22000 hash file.....: 1
frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2412: 1093
Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng
Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
Duration of the dump tool was a way too short to capture enough additional information.
session summary
---------------
processed cap files...................: 1
That outputs:
$ root@debian12-template ~/test# cat ancient.hc22000
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*80
$ root@debian12-template ~/test# cat deprecated.hc22000
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*00
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*02
$ root@debian12-template ~/test# cat best.22000
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*80
$ root@debian12-template ~/test# cat all.22000
WPA*01*592da88096c461da246c69001e877f3d*000c4182b255*000d9382363a*436f6865726572***01
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*80
WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*82
WPA*02*7d0af6df51e99cde7a187453f0f93537*000c4182b255*000d9382363a*436f6865726572*cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386*020300af0213ca001000000000000000013e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933f57b949771c867989f49d04ed47c6934cf020000000000000000000000000000000000000000000000000000000000000050cfa72cde35b2c1e2319255806ab364179fd9673041b9a5939fa1a2010d2ac794e25168055f794ddc1fdfae3521f4446bfd11da98345f543df6ce199df8fe48f8cdd17adca87bf45711183c496d41aa0c*13
It looks like my MP are different when using hcxpcapngtool.
HCCAP converted using hcxhashtool is set to 0x80 correctly
HCCAPX converted using hcxhashtool is set to 0x00 and 0x02 correctly
hcxpcapngtool with best handshake is set to 0x80. I expect it to be 0x02 for M2+M3, EAPOL from M2 (authorized) and replaycount is correct.
Also when using --all with hcxpcapngtool (ignoring the WPA*01 and the last hash with MP 13) the other two hashes have MP of 0x80 and 0x82 when these should be 0x00 and 0x02, right?
I am assuming the way cap2hccapx is doing replay count checking is different than the way hcxpcapngtool does it and that is why there is a difference? Also, why did hcxpcapngtool produce 0x02 for you and 0x80 for me when running the same command?
from hcxtools.
Also a couple of errors in the usage section of hcxhashtool.c:
"--hccapx-in=<file> : inputput deprecated hccapx file\n"
" MESSSAGEPAIR is taken from the hccapx source\n"
"--hccapx-out=<file> : output to deprecated hccapx file\n"
"--hccap-in=<file> : input to ancient hccap file\n"
"--hccap-out=<file> : output to ancient hccap file\n"
" MESSSAGEPAIR is calculated from the EAPOL MESSAGE\n"
" due to missing information, the worst case value is calculated\n"
"--hccap=<file> : output to ancient hccap file\n"
to:
"--hccapx-in=<file> : input deprecated hccapx file\n"
" MESSSAGEPAIR is taken from the hccapx source\n"
"--hccapx-out=<file> : output to deprecated hccapx file\n"
"--hccap-in=<file> : input to ancient hccap file\n"
" MESSSAGEPAIR is calculated from the EAPOL MESSAGE\n"
" due to missing information, the worst case value is calculated\n"
"--hccap-out=<file> : output to ancient hccap file\n"
correct inputput, move hccap message to the hccap in portion, delete --hccap=
from hcxtools.
Thanks for testing.
Help has been fixed by latest commit.
hcxpcapngtool with best handshake is set to 0x80. I expect it to be 0x02 for M2+M3, EAPOL from M2 (authorized) and replaycount is correct.
No, best is always a MESSAGEPAIR of 2 EAPOL MESSAGES with the lowest time gap:
Jan 4, 2007 07:14:51.509261000 CET 1 0 3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933
Jan 4, 2007 07:14:51.510267000 CET 2 0 cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386
Jan 4, 2007 07:14:51.515265000 CET 3 1 3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933
Jan 4, 2007 07:14:51.515281000 CET 4 1 0000000000000000000000000000000000000000000000000000000000000000
M1M2 510267000 - 509261000 = 1006000
M2M3 515265000 - 510267000 = 4998000
The dump file contains too few M1 or M3 MESSAGES
Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
We take the worst case and activate default NC
The PMKID is an initial PMKID calculated from a zeroed PMK. That makes it useless:
RSN PMKID (from zeroed PMK)..............: 1 (not converted by default options - use --all if needed)
$ echo "0000000000000000000000000000000000000000000000000000000000000000" > pmk
$ hashcat -m 22001 /tmp/test.22000 pmk
hashcat (v6.2.6-846-g4d412c8e0) starting
...
592da88096c461da246c69001e877f3d:000c4182b255:000d9382363a:Coherer:0000000000000000000000000000000000000000000000000000000000000000
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 22001 (WPA-PMK-PMKID+EAPOL)
Hash.Target......: /tmp/test.22000
Time.Started.....: Mon Dec 18 08:04:13 2023 (1 sec)
Time.Estimated...: Mon Dec 18 08:04:14 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (pmk)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1627 H/s (0.00ms) @ Accel:128 Loops:1024 Thr:512 Vec:1
Recovered........: 1/3 (33.33%) Digests (total), 1/3 (33.33%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2-5
Candidate.Engine.: Device Generator
Candidates.#1....: 0000000000000000000000000000000000000000000000000000000000000000 -> 0000000000000000000000000000000000000000000000000000000000000000
Hardware.Mon.#1..: Temp: 25c Fan: 0% Util: 6% Core:2505MHz Mem:10802MHz Bus:16
Started: Mon Dec 18 08:04:13 2023
Stopped: Mon Dec 18 08:04:15 2023
All in detail:
1 WPA*01*592da88096c461da246c69001e877f3d*000c4182b255*000d9382363a*436f6865726572***01
2 WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*80
3 WPA*02*a462a7029ad5ba30b6af0df391988e45*000c4182b255*000d9382363a*436f6865726572*3e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933*0203007502010a00100000000000000000cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*82
4 WPA*02*7d0af6df51e99cde7a187453f0f93537*000c4182b255*000d9382363a*436f6865726572*cdf405ceb9d889ef3dec42609828fae546b7add7baecbb1a394eac5214b1d386*020300af0213ca001000000000000000013e8e967dacd960324cac5b6aa721235bf57b949771c867989f49d04ed47c6933f57b949771c867989f49d04ed47c6934cf020000000000000000000000000000000000000000000000000000000000000050cfa72cde35b2c1e2319255806ab364179fd9673041b9a5939fa1a2010d2ac794e25168055f794ddc1fdfae3521f4446bfd11da98345f543df6ce199df8fe48f8cdd17adca87bf45711183c496d41aa0c*13
1 only converted by --all (e.g. analysis purpose), because PMKID is calculated from zeroed PMK
2 M1M2E2 NC set to default due to too few M1 or M3
3 M2M3E2 NC set to default due to too few M1 or M3
3 M2M3E3 NC in EAPOL NC deactivated, because NONCE is taken from CLIENT
from hcxtools.
@ZerBea hello...
test.zip
Conversion message number error
Among them there should be an M2M3 message pair number
hcxhash2cap --hccapx=test.hccapx
But after conversion, all are M1M2 message numbers
from hcxtools.
Another
from hc22000 >to *.cap
hcxhash2cap --pmkid-eapol=test.hc22000
from hcxtools.
First file: test.zip
Conversion from cap to hash (hccap/hccapx/hc22000) is not(!) lossless:
#324 (comment)
A hash file only contains one complete EAPOL MESSAGE Pair (M2, M3 or not zeroed M4).
Therefore it is impossible to generate a M2M3 or M3M4 cap file!
from hcxtools.
Second file: test2.zip
$ hcxhashtool --info=stdout -i test2.hc22000
SSID.......: Router_3A9A06
MAC_AP.....: 8439be3a9a07 (Unknown)
MAC_CLIENT.: 6c5c149386c6 (GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD)
PMKID......: 38c06716b06d39d6c650be3cd90ff6c3
HASHLINE...: WPA*01*38c06716b06d39d6c650be3cd90ff6c3*8439be3a9a07*6c5c149386c6*526f757465725f334139413036***
SSID.......: Router_3A9A06
MAC_AP.....: 8439be3a9a07 (Unknown)
MAC_CLIENT.: 6c5c149386c6 (GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 0
NC INFO....: little endian router detected / NC on LE
EAPOL MSG..: 2
MP M2M3 E2.: authorized
MIC........: 28d7d1cfd89f57b40038d0e1697a0f19
HASHLINE...: WPA*02*28d7d1cfd89f57b40038d0e1697a0f19*8439be3a9a07*6c5c149386c6*526f757465725f334139413036*6b782804b091e0ddc7783c7fb337e662d7e39fd5c97f038f696cb90b5a94f3ce*0103007502010a000000000000000000007ec77df727e1aa03cd7dd092d93ec4b8b7eec99550ef049966dd87b34e8177bd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*22
SSID.......: Router_3A9A06
MAC_AP.....: 8439be3a9a07 (Unknown)
MAC_CLIENT.: 6c5c149386c6 (GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD)
VERSION....: 802.1X-2004 (2)
KEY VERSION: WPA2
REPLAYCOUNT: 1
NC INFO....: ROGUE attack / NC deactivated
EAPOL MSG..: 3
MP M2M3 E3.: authorized
MIC........: 1e4e81e250bed56de3becf0ba16eaf70
HASHLINE...: WPA*02*1e4e81e250bed56de3becf0ba16eaf70*8439be3a9a07*6c5c149386c6*526f757465725f334139413036*7ec77df727e1aa03cd7dd092d93ec4b8b7eec99550ef049966dd87b34e8177bd*020300970213ca001000000000000000016b782804b091e0ddc7783c7fb337e662d7e39fd5c97f038f696cb90b5a94f3ced7e39fd5c97f038f696cb90b5a94f3cf67550b00000000000000000000000000000000000000000000000000000000000038f734ceff14da22f3c82321fb389bf824e8d6eab67fd2f582191f4fd2e0e7cddf6b9c79a22256b9d750ea288e41091e936e2a3e283cd5b300*13
It contains three hashes:
1 = PMKID
2 = EAPOL MSG 2 (can be converted back to a cap file)
3 = EAPOL MSG 3 (can not be converted back to a cap file because the EAPOL M2 MESSAGE is missing in the hash file)
$ ls
test2.hc22000
$ hcxhash2cap --pmkid-eapol=test2.hc22000
PMKIDs/EAPOL messages written to capfile(s): 2 (1 skipped)
$ ls
6c5c149386c6.cap 6c5c149386c6.cap_0 test2.hc22000
We got 2 valid cap files:
6c5c149386c6.cap = PMKID
6c5c149386c6.cap_0 = EAPOL M1M2
and the M2M3 has been skipped due to reasons mentioned above.
from hcxtools.
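The triage shown in the comment above, as an added example (not part of hcxtools): it decodes the MESSAGEPAIR byte of each hc22000 line, looks up whether this thread lists that pair as convertible back to a cap file, and cross-checks the pair against the key information field of the stored EAPOL frame. The bit meanings follow the hcxpcapngtool help text; `decode_line`, `make_line` and the sample lines (zeroed MIC and nonces, EAPOL cut to its header) are constructed for illustration.

```python
# Low three bits of the MESSAGEPAIR byte.
PAIRS = {0: "M1M2E2", 1: "M1M4E4", 2: "M2M3E2",
         3: "M2M3E3", 4: "M3M4E3", 5: "M3M4E4"}
# Round-trip status as stated in this thread; M3M4E4 is not mentioned there,
# so it is reported as None (unknown).
BACK_TO_CAP = {"M1M2E2": True, "M2M3E2": True, "M1M4E4": True,
               "M2M3E3": False, "M3M4E3": False}
# High bits: nonce-error-correction (NC) hints.
FLAGS = {0x10: "NC deactivated (ap-less/rogue)",
         0x20: "NC on LE",
         0x40: "NC on BE",
         0x80: "replaycount not checked, default NC"}


def eapol_is_m3(eapol_hex):
    """True if the EAPOL-Key frame has both Key ACK and Key MIC set (M3)."""
    raw = bytes.fromhex(eapol_hex)
    if len(raw) < 7:
        raise ValueError("EAPOL too short to hold the key information field")
    # 4-byte 802.1X header, 1-byte descriptor type, then 2-byte key info.
    key_info = int.from_bytes(raw[5:7], "big")
    return bool(key_info & 0x0080) and bool(key_info & 0x0100)


def decode_line(line):
    """Classify one hc22000 line (WPA*01 = PMKID, WPA*02 = EAPOL)."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a hc22000 line")
    if f[1] == "01":
        return {"type": "PMKID", "pair": None, "flags": [],
                "back_to_cap": True, "consistent": True}
    mp = int(f[8], 16)
    pair = PAIRS.get(mp & 0x07)
    if pair is None:
        raise ValueError(f"unknown MESSAGEPAIR value {mp:02x}")
    return {"type": "EAPOL", "pair": pair,
            "flags": [text for bit, text in FLAGS.items() if mp & bit],
            "back_to_cap": BACK_TO_CAP.get(pair),
            # A pair ending in E3 must carry an M3 frame and vice versa;
            # a mismatch points at a damaged or hand-edited source.
            "consistent": eapol_is_m3(f[7]) == pair.endswith("E3")}


def make_line(eapol_head, mp):
    """Constructed sample line: placeholder MIC, MACs, ESSID and nonce."""
    return "*".join(["WPA", "02", "00" * 16, "020000000001", "020000000002",
                     "74657374", "00" * 32, eapol_head, mp])


M2_HEAD = "0203007502010a00"   # key info 0x010a: MIC set, no ACK
M3_HEAD = "020300af0213ca00"   # key info 0x13ca: ACK and MIC set

SAMPLE = [
    "WPA*01*" + "00" * 16 + "*020000000001*020000000002*74657374***01",
    make_line(M2_HEAD, "00"),
    make_line(M2_HEAD, "82"),
    make_line(M2_HEAD, "22"),
    make_line(M3_HEAD, "13"),
    make_line(M3_HEAD, "02"),   # deliberately inconsistent
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(decode_line(line))
```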
Sorry, due second file is hc22000 fixed format, reached limit please skip this issue
But from hcxpcapngtool >hccapx file, should add M3: EAPOL
When use hcxhash2cap Conversion to cap, it can have a complete m2m3 EAPOL
from hcxtools.
To make that absolutely clear:
A hccap/hccapx contains one single or more single hashes of a size of 392 bytes (hccap) or 393 bytes (hccapx).
Each of these single hash blocks contains only one EAPOL message!
This entire conversion hash -> cap is completely different to the conversion cap -> hash, e.g.:
time stamp is missing
the second MESSAGE PAIR is missing (and it is definitely not a good idea to take it from a different hash block from an unknown source)
EAPOL M3 can't be converted back
I will not add code to generate a MESSAGE PAIR from two different hash blocks of an unknown source.
from hcxtools.
By latest commit, I added a notice to hcxhash2cap --help:
$ hcxhash2cap -h
hcxhash2cap 6.3.2-41-gb28983f (C) 2024 ZeroBeat
usage:
hcxhash2cap <options>
options:
-c <file> : output cap file
if no cap file is selected, output will be written to single cap files
format: mac_sta.cap (mac_sta.cap_x)
-h : show this help
-v : show version
--pmkid-eapol=<file> : input PMKID EAPOL (22000) combi hash file
--pmkid=<file> : input deprecated PMKID (16800) hash file
--hccapx=<file> : input deprecated hccapx (2500) hash file
--hccap=<file> : input ancient hccap (2500) file
--john=<file> : input John the Ripper WPAPSK hash file
--help : show this help
--version : show version
Important notice:
Conversion from a dump file to a hash file is not loss less.
Hash files that contain EAPOL M3 MESSAGEs can't be converted back to a cap file.
from hcxtools.