How to extract a handshake from a capture file with multiple handshakes

More than one handshake can be contained in a single network capture file (pcap format). This happens, for example, during a long Airodump-ng session, which may intercept several handshakes from the same or from different access points. Handshakes from files captured in "noisy" conditions need additional checking and cleaning.

Several handshakes can also end up in one file artificially, simply by merging captures. For example, the Besside-ng tool (which automatically grabs handshakes from all access points within reach by running deauthentication attacks) writes all captured handshake packets to a single .cap file.

In other words, this is not a rare situation, and to attack networks whose handshakes sit in the same file you may need to extract each handshake separately.

    How to split handshakes into different files

    It is important to understand the difference between a file in which several handshakes are simply merged and a capture file recorded in a noisy environment. An example of analyzing a file of the first type (using aircrack-ng):
    aircrack-ng FILE_NAME.cap
    An example of a file of the second type:


    It can be seen that the file contains a lot of garbage, and in the entire file there is only one handshake suitable for cracking, buried among the junk.

    You can use Wireshark to view the file contents. After opening the file, apply the display filter shown in the next section:

    Manually splitting handshakes using Wireshark

    If you are working with a file of merged handshakes, there should be no particular problems with it. Open the file in Wireshark:

    You can use the filter
    wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol
    Here 0x08 is a Beacon frame and 0x05 a Probe Response (both carry the ESSID, which aircrack-ng needs to name the network), and eapol matches the handshake messages themselves. In a merged file the filter may not even be necessary, since such a file already contains only the needed packets.
    To restrict the output to a specific access point, add its BSSID to the filter with wlan.addr==BSSID. For example:
    (wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr==28:28:5D:6C:16:24
    Now mark the required packets with Ctrl+M:
    Then, in the File menu, select Export Specified Packets:
    Enter a file name and set the switch to Marked packets only:
    Check the resulting file (for example, with aircrack-ng):

    All good. You can run another check with coWPAtty using a command of the form (-c only checks for a valid handshake, it does not crack):
    cowpatty -r FILE -s ESSID -c
    For example, in my case:
    cowpatty -r ZyXEL_59.pcap -s ZyXEL_59 -c
    The line "Collected all necessary data to mount crack against WPA2/PSK passphrase." means that everything needed to crack the password has been captured.

    To isolate a handshake from a capture made in a noisy environment, some effort is needed. Start with filtering (replace 84:C9:B2:52:F6:37 with the BSSID of the network you are interested in):
    (wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr==84:C9:B2:52:F6:37
    A handshake is suitable for password cracking if:
    • it necessarily includes the second message (M2) together with either the third (M3), which confirms that the client really connected to the network, or, failing that, the first message (M1) (such a handshake can be cracked, but there is no guarantee that the connection succeeded and that the correct password was entered). Better still if you captured all four messages;
    • the messages must be in the correct order;
    • there must not be too much time between them (normally milliseconds, or less).
    See the following example:
    • The first set of EAPOL frames (highlighted in black) violates the rule that the second message must be accompanied by a third or a first.
    • The second set (red) contains only one message.
    • The third set (yellow) has no third or first message.
    • The fourth set (orange) has no second message.
    • The fifth set (green) is suitable, since it contains both a first and a second message. The time between them looks acceptable.

    Select and save the required frames (I also selected the Beacon frame):
    Checking the resulting file:
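    The three rules above can be checked mechanically rather than by eye. The following Python script is an added example written for this page; it is not code from the article or from Wireshark/aircrack-ng. It decodes the Key Information field of EAPOL-Key frames to tell M1..M4 apart, groups the frames by (AP, client) and applies the rules, and additionally pairs messages by their replay counter (per the standard, M1/M2 share a counter and M3/M4 use the next one), a check the article does not mention. The sample frames, the MAC addresses and the 1-second max_gap threshold are constructed assumptions, not data from the article's capture.

```python
# Added example: classify EAPOL-Key frames as M1..M4 and pick a usable set per (AP, client).
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KEY_PAIRWISE, KEY_INSTALL, KEY_ACK, KEY_MIC, KEY_SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200  # Key Information flag bits
EAPOL_KEY, DESC_RSN, DESC_WPA = 3, 2, 254  # 802.1X packet type "EAPOL-Key"; key descriptor types for WPA2 and WPA1


@dataclass
class KeyMsg:
    ts: float      # capture time, seconds
    ap: str        # BSSID
    sta: str       # client MAC
    n: int         # handshake message number 1..4
    replay: int    # EAPOL replay counter


def classify(key_info: int) -> Optional[int]:
    """Map Key Information flags to M1..M4; None for group-key or malformed frames."""
    if not key_info & KEY_PAIRWISE:
        return None
    ack, mic = bool(key_info & KEY_ACK), bool(key_info & KEY_MIC)
    install, secure = bool(key_info & KEY_INSTALL), bool(key_info & KEY_SECURE)
    if ack and not mic:
        return 1
    if not ack and mic and not secure:
        return 2
    if ack and mic and install and secure:
        return 3
    if not ack and mic and secure:
        return 4


def parse_eapol(ts: float, src: str, dst: str, payload: bytes) -> Optional[KeyMsg]:
    """Parse the 802.1X payload of a data frame (the bytes after the LLC/SNAP header)."""
    if len(payload) < 17 or payload[1] != EAPOL_KEY:
        return None
    desc, key_info, _key_len, replay = struct.unpack("!BHHQ", payload[4:17])
    if desc not in (DESC_RSN, DESC_WPA):
        return None
    n = classify(key_info)
    if n is None:
        return None
    ap, sta = (src, dst) if n in (1, 3) else (dst, src)   # M1/M3 go AP->STA, M2/M4 go STA->AP
    return KeyMsg(ts, ap, sta, n, replay)


def select_handshake(msgs: List[KeyMsg], max_gap: float = 1.0) -> Dict[Tuple[str, str], dict]:
    """Best set per (AP, STA): M2 + M3 (replay of M3 == M2 + 1) is "confirmed", M1 + M2 (equal replay)
    without M3 is "unconfirmed".  max_gap: assumed upper bound, in seconds, between consecutive messages."""
    by_pair: Dict[Tuple[str, str], List[KeyMsg]] = {}
    for m in sorted(msgs, key=lambda k: k.ts):
        by_pair.setdefault((m.ap, m.sta), []).append(m)
    best: Dict[Tuple[str, str], dict] = {}
    for pair, seq in by_pair.items():
        for i, m2 in enumerate(seq):
            if m2.n != 2:
                continue
            m1 = next((m for m in reversed(seq[:i])
                       if m.n == 1 and m.replay == m2.replay and m2.ts - m.ts <= max_gap), None)
            m3 = m4 = None
            for j in range(i + 1, len(seq)):
                if seq[j].n == 3 and seq[j].replay == m2.replay + 1 and seq[j].ts - m2.ts <= max_gap:
                    m3 = seq[j]
                    m4 = next((m for m in seq[j + 1:]
                               if m.n == 4 and m.replay == m3.replay and m.ts - m3.ts <= max_gap), None)
                    break
            if m1 is None and m3 is None:
                continue   # lone M2, or neighbours whose replay counters do not match: discard
            cand = {"quality": "confirmed" if m3 is not None else "unconfirmed",
                    "messages": [m for m in (m1, m2, m3, m4) if m is not None]}
            cur = best.get(pair)
            if cur is None or (cur["quality"], cand["quality"]) == ("unconfirmed", "confirmed"):
                best[pair] = cand
    return best


def _key_frame(key_info: int, replay: int) -> bytes:
    body = struct.pack("!BHHQ", DESC_RSN, key_info, 16, replay) + bytes(82)  # constructed; later fields zeroed
    return struct.pack("!BBH", 2, EAPOL_KEY, len(body)) + body


KI_M1, KI_M2, KI_M3, KI_M4 = 0x008A, 0x010A, 0x13CA, 0x030A   # Key Information values of a WPA2-CCMP handshake
AP, STA_A, STA_B, STA_C = "84:c9:b2:52:f6:37", "3c:71:bf:00:00:01", "3c:71:bf:00:00:02", "3c:71:bf:00:00:03"
SAMPLE_CAPTURE = [                 # (time, src, dst, 802.1X payload) -- constructed, not a real capture
    (10.000, AP, STA_A, _key_frame(KI_M1, 0)),   # STA_A: M1 and M2 with different replay counters
    (10.350, STA_A, AP, _key_frame(KI_M2, 5)),   #        (the M1 that this M2 answers was not captured)
    (20.000, AP, STA_B, _key_frame(KI_M1, 1)),   # STA_B: M1 alone
    (30.000, AP, STA_C, _key_frame(KI_M1, 7)),   # STA_C: complete handshake, milliseconds apart
    (30.004, STA_C, AP, _key_frame(KI_M2, 7)),
    (30.006, AP, STA_C, _key_frame(KI_M3, 8)),
    (30.008, STA_C, AP, _key_frame(KI_M4, 8)),
    (50.000, AP, STA_A, _key_frame(KI_M1, 9)),   # STA_A later: matching M1/M2, no M3
    (50.030, STA_A, AP, _key_frame(KI_M2, 9)),
]


def analyse(capture=SAMPLE_CAPTURE, max_gap: float = 1.0):
    msgs = [k for k in (parse_eapol(*f) for f in capture) if k is not None]
    return select_handshake(msgs, max_gap)


if __name__ == "__main__":
    for (ap, sta), r in analyse().items():
        print(ap, sta, r["quality"], [m.n for m in r["messages"]])
```

    In a real workflow the (time, src, dst, payload) tuples would come from the EAPOL frames tshark or a pcap parser hands you; the STA_A case shows why the replay counter matters: two EAPOL frames from the same client a few hundred milliseconds apart can still belong to different handshakes.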

    Extracting a handshake with tshark

    tshark is Wireshark without the graphical interface. It can also be used to split a large capture file into separate handshakes. The command looks like this:
    tshark -r SOURCE_FILE.cap -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == BSSID" -2 -w OUTPUT_FILE.cap -F pcap
    Insert your own values for:
    • SOURCE_FILE.cap - the file with several handshakes
    • BSSID - MAC address of the access point of interest
    • OUTPUT_FILE.cap - the file where the extracted handshake will be saved
    Here -R is a read filter, which current tshark versions only accept together with two-pass analysis (-2), and -F pcap selects the classic pcap container (see the error below).
    Example of a real command:
    tshark -r wpa.cap -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == 84:C9:B2:0B:79:94" -2 -w wifi55.cap -F pcap
    Fixing the error "Unsupported file format (not a pcap or IVs file). Read 0 packets. No networks found, exiting."
    Some users get this error after extracting with tshark and then opening the resulting file in aircrack-ng:
    aircrack-ng MiAl.cap
    Opening MiAl.cap
    Unsupported file format (not a pcap or IVs file).
    Read 0 packets.
    No networks found, exiting.
    Quitting aircrack-ng...
    The cause is that recent tshark versions write the pcapng format by default, which older aircrack-ng versions cannot read. To prevent the error, pass tshark the -F pcap option, which selects the classic pcap format.
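    To make concrete what the tshark filter above actually keeps, and why -F pcap matters, here is an added Python example (not part of the article and not code from Wireshark, tshark or aircrack-ng) that performs the same split without those tools: it reads a classic pcap, determines the BSSID of every 802.11 frame from its address fields, keeps beacons, probe responses and EAPOL data frames, and writes one pcap per BSSID. Its capture_format() check shows the magic numbers that distinguish pcap from pcapng, which is exactly what the "Unsupported file format" message is about. The sample capture and MAC addresses are constructed; only link types 105 (raw 802.11) and 127 (radiotap, skipped by its length field) are handled, both assumptions of this example.

```python
# Added example: split a classic pcap by BSSID, keeping beacons, probe responses and EAPOL frames.
import struct
from typing import Dict, List, Optional, Tuple

LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP = 105, 127
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header with EtherType 0x888E (EAPOL)
Frame = Tuple[int, int, bytes]                          # (ts_sec, ts_frac, raw 802.11 frame)


def capture_format(data: bytes) -> str:
    """Identify the container by its magic number: aircrack-ng reads classic pcap, not pcapng."""
    magic = data[:4]
    if magic == b"\x0a\x0d\x0d\x0a":
        return "pcapng"
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        return "pcap-le"          # microsecond / nanosecond timestamps, little-endian
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        return "pcap-be"
    return "unknown"


def read_pcap(data: bytes) -> Tuple[int, List[Frame]]:
    fmt = capture_format(data)
    if not fmt.startswith("pcap-"):
        raise ValueError(f"{fmt}: not a classic pcap file; aircrack-ng reports 'Unsupported file format'")
    e = "<" if fmt == "pcap-le" else ">"
    linktype = struct.unpack(e + "I", data[20:24])[0]   # 24-byte global header, link type last
    frames, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl, _orig = struct.unpack(e + "IIII", data[off:off + 16])
        frames.append((ts_sec, ts_frac, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return linktype, frames


def write_pcap(linktype: int, frames: List[Frame]) -> bytes:
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    out += [struct.pack("<IIII", s, u, len(raw), len(raw)) + raw for s, u, raw in frames]
    return b"".join(out)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def classify_frame(raw: bytes, linktype: int) -> Tuple[Optional[str], bool]:
    """Return (BSSID, keep); keep mirrors the Wireshark filter
    wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol."""
    if linktype == LINKTYPE_RADIOTAP and len(raw) >= 4:
        raw = raw[struct.unpack_from("<H", raw, 2)[0]:]        # radiotap it_len at offset 2
    if len(raw) < 24:
        return None, False
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    to_ds, from_ds = fc1 & 1, (fc1 >> 1) & 1
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    if ftype == 0:                                             # management: addr3 is the BSSID
        return _mac(a3), subtype in (8, 5)                     # 8 = Beacon, 5 = Probe Response
    if ftype != 2 or (to_ds and from_ds):
        return None, False                                     # control frames, 4-address WDS: skip
    bssid = _mac(a1 if to_ds else a2 if from_ds else a3)
    hdr = 24 + (2 if subtype & 0x08 else 0)                    # QoS Data carries a 2-byte QoS Control
    if subtype & 0x08 and fc1 & 0x80:
        hdr += 4                                               # Order bit on a QoS frame: HT Control present
    return bssid, raw[hdr:hdr + 8] == LLC_SNAP_EAPOL


def split_by_bssid(data: bytes) -> Dict[str, bytes]:
    """One pcap (classic format) per BSSID, holding only the frames the filter keeps."""
    linktype, frames = read_pcap(data)
    buckets: Dict[str, List[Frame]] = {}
    for f in frames:
        bssid, keep = classify_frame(f[2], linktype)
        if keep and bssid:
            buckets.setdefault(bssid, []).append(f)
    return {b: write_pcap(linktype, fs) for b, fs in buckets.items()}


# --- constructed sample capture (not real traffic) --------------------------------------------
def _mgmt(subtype: int, bssid: bytes, dst: bytes = b"\xff" * 6) -> bytes:
    return bytes([subtype << 4, 0, 0, 0]) + dst + bssid + bssid + b"\x00\x00" + bytes(12)


def _data(src: bytes, dst: bytes, bssid: bytes, to_ds: bool, ethertype: int) -> bytes:
    a1, a2, a3 = (bssid, src, dst) if to_ds else (dst, bssid, src)
    llc = b"\xaa\xaa\x03\x00\x00\x00" + struct.pack("!H", ethertype)
    return bytes([0x08, 0x01 if to_ds else 0x02, 0, 0]) + a1 + a2 + a3 + b"\x00\x00" + llc + bytes(20)


AP1, AP2, STA = bytes.fromhex("84c9b252f637"), bytes.fromhex("28285d6c1624"), bytes.fromhex("3c71bf000001")
SAMPLE_PCAP = write_pcap(LINKTYPE_IEEE802_11, [
    (1, 0, _mgmt(8, AP1)),                          # beacon, AP1
    (1, 100, _mgmt(8, AP2)),                        # beacon, AP2
    (1, 200, _mgmt(5, AP1, STA)),                   # probe response, AP1 -> STA
    (2, 0, _data(AP1, STA, AP1, False, 0x888E)),    # EAPOL M1, AP1 -> STA
    (2, 50, _data(STA, AP1, AP1, True, 0x888E)),    # EAPOL M2, STA -> AP1
    (2, 90, _data(STA, AP1, AP1, True, 0x0800)),    # plain IPv4 data frame: dropped by the filter
    (3, 0, _data(AP2, STA, AP2, False, 0x888E)),    # EAPOL, AP2
])

if __name__ == "__main__":
    for bssid, pcap in split_by_bssid(SAMPLE_PCAP).items():
        print(bssid, len(read_pcap(pcap)[1]), "frames kept")
```

    The output files are written with the classic pcap magic, so aircrack-ng opens them directly. Feed it a pcapng file and read_pcap() refuses up front, which is the same situation tshark produces when -F pcap is omitted.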

    Script to separate handshakes
    To automate splitting a single file into handshakes, I wrote a script. Remember that if you split a file obtained with Besside-ng, or one produced artificially by merging handshakes, the script will work without problems.

    If you split a capture file obtained in a noisy environment (for example, from a long Airodump-ng session), the script behaves as follows:

    • if no working handshake is found for an access point, all data for it is discarded (no output file is created);
    • if at least one working handshake is found for an access point, all EAPOL frames for it are saved to one file.

    That is, you will need to open the output files yourself and check whether they contain extra data.

    Although aircrack-ng seems to find the right handshake correctly, problems have been noticed with cap2hccapx (from hashcat-utils, used to convert captures into the Hashcat hash format) if unnecessary EAPOL frames from unsuitable handshakes are not cleaned out.

    Create a file with the following contents:
    #!/bin/bash
    AIRCRACK_TIMEOUT=2  # How much time aircrack-ng is given to read the file, in seconds.
    # If you have a very large file or a very slow system, increase this value.
    DIR=`date +"%Y-%m-%d-%H%M%S"`
    ISDIRCREATED=0
    if [[ "$1" && -f "$1" ]]; then
        FILE="$1"
    else
        echo 'Specify the .(p)cap file to extract handshakes from.';
        echo 'Startup example:';
        echo -e "\tbash $0 wpa.cap";
        exit 1
    fi
    # aircrack-ng lists networks as:  index  BSSID  ESSID  WPA (N handshake); keep lines with N > 0.
    # An ESSID containing spaces breaks the awk field split below.
    while read -r line; do
        if [ "$(echo "$line" | grep 'WPA' | grep -E -v '(0 handshake)' | grep -E 'WPA \(' | awk -F ' ' '{print $3}')" ]; then
            if [ $ISDIRCREATED -eq 0 ]; then
                mkdir ./$DIR || { echo "Cannot create directory to save handshakes. Exit."; exit 1; }
                ISDIRCREATED=1
            fi
            ESSID="$(echo "$line" | grep 'WPA' | grep -E -v '(0 handshake)' | grep -E 'WPA \(' | awk -F ' ' '{print $3}')"
            BSSID="$(echo "$line" | grep 'WPA' | grep -E -v '(0 handshake)' | grep -E 'WPA \(' | awk -F ' ' '{print $2}')"
            echo -e "\033[0;32mA handshake was found for the $ESSID network ($BSSID). Saved to $DIR/\033[1m$ESSID.pcap\e[0m"
            # The first tshark call prints the selected frames, the second writes them to the per-network file.
            tshark -r "$FILE" -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == $BSSID" -2 2>/dev/null
            tshark -r "$FILE" -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == $BSSID" -2 -w ./$DIR/"$ESSID.pcap" -F pcap 2>/dev/null
        fi
    done < <(timeout $AIRCRACK_TIMEOUT aircrack-ng "$FILE")
    To run it, pass the .(p)cap file from which you want to extract handshakes as the argument.
    If at least one working handshake is found, a folder is created in the current directory, in which the handshakes for all access points are saved as separate files.

    The script prints the name of the file with the saved frames, as well as the saved frames themselves.

    When it is not necessary to split the file into separate handshakes

    You do not need to split the file into separate handshakes beforehand if you are going to use aircrack-ng. To select a target, use the options:
    -e <essid> : select the target by network name (ESSID)
    -b <bssid> : select the target by access point MAC address
    cap2hccapx writes all the hashes (for cracking in Hashcat) to one .hccapx file. It is run like this:
    cap2hccapx.bin SOURCE_FILE.cap HASHES.hccapx
    For example:
    cap2hccapx.bin wpa.cap all.hccapx

    To write the hash for only one AP, specify its ESSID as the third argument:
    cap2hccapx.bin SOURCE_FILE.cap HASHES.hccapx ESSID
    cap2hccapx.bin wpa.cap Zyxel-49.hccapx Zyxel-49
    Wifi Hacking
    May 25, 2019


