How to extract all handshakes from a capture file with several handshakes
A single network capture file (pcap format) can contain more than one handshake. This happens, for example, with a long-running Airodump-ng capture, which can collect several handshakes from one or more access points. Handshakes from files captured in ‘noisy’ conditions need additional verification and cleaning.
Several handshakes can also end up in one file artificially, simply by merging them. For example, the Besside-ng program (which automatically captures handshakes from all access points within reach, conducting a deauthentication attack for this purpose) writes the packets of every captured handshake into a single .cap file.
So this is not a rare situation, and to attack the wireless networks whose handshakes share one file, you may need to extract each handshake separately.
How to separate handshakes into different files
It is important to understand the difference between a file in which several handshakes were simply merged and a capture file recorded in a noisy environment. An example of analyzing a file of the first type (using aircrack-ng):
aircrack-ng FILE_NAME.cap
An example file of the second type:
It can be seen that the second file contains a lot of garbage, and in the whole file there are only two handshakes suitable for cracking. Among the garbage there are many isolated EAPOL frames (components of a handshake) that are unusable for password cracking.
To view the contents of a file, you can use Wireshark. After opening the file, apply the filter:
eapol
Manually separating handshake files using Wireshark
If you work with a file of merged handshakes, there should not be any problems with it. Open the file in Wireshark:
You can use the filter
wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol
But it may not be necessary, because the file already contains only the required packets.
To filter packets for a specific access point, specify the BSSID with the following filter:
wlan.addr==BSSID
For example:
wlan.addr==28:28:5D:6C:16:24
Or combined (note that in Wireshark display filters && binds tighter than ||, so the three frame-type conditions must be grouped in parentheses, otherwise the BSSID condition applies only to the eapol term):
(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr==28:28:5D:6C:16:24
Now use CTRL+M to mark the required packets:
And from the File menu, choose Export Specified Packets:
Enter the file name and set the switch to Marked packets only:
Checking our file:
All perfect. You can make another check with coWPAtty by running a command like this:
cowpatty -r FILE -s ESSID -c
For example, in my case:
cowpatty -r ZyXEL_59.pcap -s ZyXEL_59 -c
The phrase ‘Collected all necessary data to mount the crack against WPA2/PSK passphrase’ means that all the data needed to crack the password has been collected.
Isolating a handshake from a capture file made in noisy conditions takes some effort. Start with filtering (replace 84:C9:B2:52:F6:37 with the BSSID of the network you are interested in; the parentheses matter because && binds tighter than ||):
(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr==84:C9:B2:52:F6:37
The handshake is suitable for password cracking if:
- it necessarily includes the second message (M2) together with either the third message (M3), which confirms that the connection to the network was actually made, or, instead of the third, the first message (M1); in the latter case the handshake is suitable for cracking, but there is no guarantee that the connection was established or even that the correct password was entered. It is better if you captured all four messages;
- the elements of the handshake must follow in the right order;
- the time between them is not too long (it is measured in milliseconds and microseconds).
Let us look at the following example.
The first set of EAPOL frames (highlighted in black) does not meet the condition that there should be a third or first message in addition to the second one.
The second set (red): only one message.
The third set (yellow): there is no third or first message.
The fourth set (orange): there is no second message.
The fifth set (green) is suitable, because it contains both the second and the first message. The time between the messages looks acceptable.
Select and save the necessary frames (I also include a Beacon frame):
Testing our file:
Extracting a handshake with tshark
tshark is Wireshark without a graphical interface. It can also be used to split a large capture file into separate handshakes. To do this, run the command as follows:
tshark -r SOURCE_FILE.cap -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == BSSID" -2 -w RESULT_FILE.cap -F pcap
In it, you need to insert your values for:
- SOURCE_FILE.cap – file with several handshakes
- BSSID – MAC address of the access point of interest
- RESULT_FILE.cap – file where the selected handshake will be saved
An example of a real command:
tshark -r wpa.cap -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == 84:C9:B2:0B:79:94" -2 -w wifi55.cap -F pcap
Solving the error Unsupported file format (not a pcap or IVs file). Read 0 packets. No networks found, exiting.
Some users get an error when using tshark and then opening the resulting file in aircrack-ng:
aircrack-ng MiAl.cap
Opening MiAl.cap
Unsupported file format (not a pcap or IVs file).
Read 0 packets.
No networks found, exiting.
Quitting aircrack-ng...
To avoid this error, specify the -F pcap option when saving with tshark: by default tshark writes pcapng, which older aircrack-ng versions do not read, and -F pcap forces the classic pcap format.
A script for extracting handshakes
To automate splitting one file into separate handshakes, I wrote a script. Remember that if you split a file obtained with Besside-ng, or one you merged from separate handshakes yourself, the script will work fine.
If you split a capture file obtained in noisy conditions (for example, during a long Airodump-ng run), the script will behave like this:
- if no working handshake is found for an access point, all data for it is discarded (no output file is created)
- if at least one working handshake is found for an access point, all of its EAPOL frames are saved in one file.
Therefore you will need to open the output files and check whether they contain any unnecessary data.
Although aircrack-ng seems to pick the right handshake correctly, cap2hccapx (part of the hashcat-utils set, used to convert captures to Hashcat's hash format) runs into problems if the unnecessary EAPOL frames from unsuitable handshakes are not cleaned out first.
Create a file called handshakes_extractor.sh:
gedit handshakes_extractor.sh
And paste the following:
To run it, specify the (p)cap file from which you want to extract the handshakes.
Launch example:
bash handshakes_extractor.sh wpa.cap
Results:
If at least one working handshake is found, a folder named like 2018-04-13-155818 is created in the current directory, in which the handshakes of all access points are stored as separate files.
The name of the file with the saved frames is printed, together with information about the saved frames themselves.
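The suitability rules from the list above (M2 present plus M3 or M1, messages in order, short gaps between them), the per-BSSID tshark filter, and the script's discard-or-save behaviour can all be checked in plain Python. The block below is an added example written for this page; it is not the article's script nor the code of any tool named here. It reads classic pcap files with link type 105 (raw 802.11, what airodump-ng writes) or 127 (radiotap), classifies EAPOL-Key frames by their Key Information bits (ACK without MIC is M1, MIC without ACK is M2 or, with the Secure bit, M4, ACK with MIC is M3), judges every message group per BSSID and station, and writes one BSSID's beacon, probe-response and EAPOL frames into a new pcap. The MAC addresses, the 2-second gap bound and the sample capture are constructed assumptions, and pcapng input is deliberately not handled.

```python
# Added example (not part of the original article or its script): a small pcap reader that
# classifies EAPOL-Key frames into 4-way handshake messages, groups them per BSSID/station,
# applies the article's suitability rules, and writes out one BSSID's frames like the tshark filter.
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP = 105, 127   # raw 802.11 (airodump-ng) / radiotap-prefixed
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"
PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)

def mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def read_pcap(data):
    """Yield (timestamp in seconds, raw 802.11 frame) for each record of a classic pcap file."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, off = struct.unpack(endian + "I", data[20:24])[0], 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if linktype == LINKTYPE_RADIOTAP:        # strip radiotap; its length field is always little-endian
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        elif linktype != LINKTYPE_IEEE802_11:
            raise ValueError(f"unsupported link type {linktype}")
        yield sec + usec / 1e6, frame

def write_pcap(records):
    """Serialize (timestamp, frame) pairs as a classic little-endian pcap with link type 105."""
    return PCAP_HEADER + b"".join(
        struct.pack("<IIII", int(ts), round((ts - int(ts)) * 1e6), len(f), len(f)) + f for ts, f in records)

def parse_frame(frame):
    """Describe one 802.11 frame: kind, BSSID, station and, for EAPOL-Key frames, the message number 1-4."""
    if len(frame) < 24:
        return {"kind": "other"}
    ftype, subtype, a1, a2, a3 = (frame[0] >> 2) & 3, frame[0] >> 4, frame[4:10], frame[10:16], frame[16:22]
    if ftype == 0:                                   # management frame: BSSID is address 3
        return {"kind": "mgmt", "subtype": subtype, "bssid": mac(a3)}
    to_ds, from_ds = frame[1] & 1, (frame[1] >> 1) & 1
    if ftype != 2 or to_ds == from_ds:               # keep only data frames going to or from the AP
        return {"kind": "other"}
    bssid, sta = (a2, a1) if from_ds else (a1, a2)
    body = frame[24 + (2 if subtype & 0x08 else 0):]   # QoS data frames carry 2 extra header bytes
    if len(body) < 15 or not body.startswith(LLC_SNAP_EAPOL) or body[9] != 3:   # EAPOL type 3 = Key
        return {"kind": "data", "bssid": mac(bssid), "sta": mac(sta)}
    key_info = struct.unpack(">H", body[13:15])[0]
    pairwise, ack, mic, secure = key_info & 0x08, key_info & 0x80, key_info & 0x100, key_info & 0x200
    msg = None if not pairwise else (3 if mic else 1) if ack else (4 if secure else 2)
    return {"kind": "eapol", "bssid": mac(bssid), "sta": mac(sta), "msg": msg}

def find_handshakes(data, max_gap=2.0):
    """Judge each (BSSID, station) message group by the article's rules: M2 present plus M3 or M1,
    numbers increasing, no gap over max_gap seconds (an assumed bound; real exchanges take milliseconds)."""
    streams = defaultdict(list)
    for ts, frame in read_pcap(data):
        info = parse_frame(frame)
        if info.get("msg"):
            streams[(info["bssid"], info["sta"])].append((ts, info["msg"]))
    results = []
    for (bssid, sta), msgs in streams.items():
        groups, cur = [], []
        for ts, m in sorted(msgs):
            if cur and m <= cur[-1][1]:              # number did not advance: a new attempt began
                groups, cur = groups + [cur], []
            cur.append((ts, m))
        for g in groups + [cur]:
            nums = [m for _, m in g]
            gaps_ok = all(b[0] - a[0] <= max_gap for a, b in zip(g, g[1:]))
            results.append({"bssid": bssid, "sta": sta, "messages": nums,
                            "usable": 2 in nums and (1 in nums or 3 in nums) and gaps_ok})
    return results

def extract_bssid(data, bssid):
    """Return a pcap holding only the beacons, probe responses and EAPOL frames of one BSSID."""
    kept = []
    for ts, frame in read_pcap(data):
        info = parse_frame(frame)
        if info.get("bssid") == bssid.upper() and (
                info["kind"] == "eapol" or (info["kind"] == "mgmt" and info["subtype"] in (0x05, 0x08))):
            kept.append((ts, frame))
    return write_pcap(kept)

# Constructed sample capture: locally administered MACs, zeroed nonces and MICs (assumptions).
def _eapol(bssid, sta, msg):
    fc = b"\x08" + (b"\x02" if msg in (1, 3) else b"\x01")          # data frame, FromDS (AP) or ToDS (STA)
    addrs = (sta + bssid + bssid) if msg in (1, 3) else (bssid + sta + bssid)
    key_info = {1: 0x008A, 2: 0x010A, 3: 0x13CA, 4: 0x030A}[msg]   # ACK/MIC/Install/Secure bits per message
    key = b"\x02" + struct.pack(">H", key_info) + b"\x00" * 92        # RSN descriptor, remaining fields zero
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + LLC_SNAP_EAPOL + b"\x01\x03" + struct.pack(">H", len(key)) + key

def _beacon(bssid, ssid):
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()
    return b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00" + body

AP_A, AP_B, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), bytes.fromhex("020000000010")
SAMPLE_PCAP = write_pcap([
    (1000.000, _beacon(AP_A, "lab-ap-a")),
    (1000.010, _eapol(AP_A, STA, 1)), (1000.012, _eapol(AP_A, STA, 2)),   # complete M1..M4 within 6 ms
    (1000.014, _eapol(AP_A, STA, 3)), (1000.016, _eapol(AP_A, STA, 4)),
    (1010.000, _eapol(AP_B, STA, 1)), (1015.000, _eapol(AP_B, STA, 2)),   # M1, then M2 five seconds later
    (1020.000, _eapol(AP_B, STA, 2)),                                      # a lone M2
])
```

On a real file, find_handshakes(open("wpa.cap", "rb").read()) lists every message group with usable=True or False; the False groups are exactly the isolated or stale EAPOL frames that the article says confuse cap2hccapx, so they are what to clean out before converting. extract_bssid keeps the same subset the tshark command selects (beacons, probe responses, EAPOL) and always writes classic pcap, so the resulting file opens in aircrack-ng without the "Unsupported file format" error.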
When you do not need to split the file into separate handshakes
You do not need to split a file into separate handshakes if you are going to use the aircrack-ng program. To select a target, you can use the options:
-e <essid> : target selection: network identifier
-b <bssid> : target selection: access point's MAC
The cap2hccapx utility writes all the hashes (for cracking in Hashcat) into one .hccapx file.
Run it as follows:
cap2hccapx.bin SOURCE_FILE.cap HASH_FILE.hccapx
For example:
cap2hccapx.bin wpa.cap all.hccapx
To write a hash for only one AP, specify its ESSID:
cap2hccapx.bin SOURCE_FILE.cap HASH.hccapx ESSID
Example:
cap2hccapx.bin wpa.cap Zyxel-49.hccapx Zyxel-49
The handshakes extractor script breaks when SSIDs contain spaces. I added quotes at the second tshark call and it seemed to fix it:
./$DIR/"$ESSID.pcap"
Thank you!
Great script and thanks a lot for it. I have found a problem where aircrack-ng gets stuck after processing the last handshake, hence preventing the script from exiting properly. This is mainly because the "timeout" command is not able to force aircrack-ng to exit (normally, if you run aircrack-ng FILE.pcap, aircrack-ng will wait for user input and won't be easily killed), hence it needs to be forcibly killed.
A fix for this issue can be like this:
Hello! I was guessing the timeout command does not work in these circumstances, thank you for your confirmation.
I like your fix. Thanks a lot for it!
When I have a chance, I will make some tests by myself and replace the string in the article.
To everyone: in the handshakes_extractor.sh file
replace
with
Hi mate, can you help me write a script (bat file) that checks for handshakes for the common view for the wifi windows tool?!
And is there any option of attacking by brute force all the captured handshakes with, for example, Besside-NG?
Thank you very much, you rock
wtf, this site is better than the official airmon-ng website & wiki.
I always hated that site anyways.
Shitty help for beginners.
Not too lazy to write a probber program, but too lazy to fucking write a user guide that any idiot can understand. Epic Fail.
Thanks to the author for taking this shit serious! To educate the future generations.
Thanks
Thanks, that was clear and worked well on my network, but in my case the deauthentication didn't work, I just did it manually for testing purposes.
Why so complicated ? It's a lot easier!
I guess you have not read the article. Sometimes we get a capture file with a lot of good and broken handshakes.
The script does not work in 2021.
Putting the script into Pycharm and installing a bash script checker, it also gives nearly 100 errors. A behavior I have never seen before. Something is clearly wrong. It is like Kali linux can't recognise the file type or something, but all my other bash scripts work fine on my raspberry pi 4 with the newest kali linux on.
You get the “command not found” error on blank lines; doesn't that bother you?
You did something completely wrong.
The script works great:
Damn you are fast.
You are world-class man.
I just found the problem.
I got this "grepper" extension in google chrome.
It pops up scripts on websites in a bigger picture and you can save them for future use when you google the same problem another day.
I used this pop-up window to copy-paste the script.
That is where the problem came from. It added some unicode for blank spaces that I could see in Pycharm, and it made me wonder why I could not see them in the editor on kali linux…
So I tried copy-pasting the script from the tiny text box on the website instead (where you can't ctrl-a sadly)
And now it works on my raspberry pi/kali linux and there is no unicode for blank spaces in pycharm on my main pc.
Thanks a lot for your lovely website and uber-fast support!
Now others can find the solution in the comments.
There was also an eapol hash in the file mixed with pmkid that I could not authentically extract from Wireshark; in principle it cannot be considered adequate based on the methods read above. But if I didn’t mix the filter with more things, and just used the MAC smoothly, I could select and save it along with the secondary communication data. Thus, the theoretically flawed eapol hash proved to be successful. 🙂
Hello, just FYI. A stolen copy of your article and script over there? https:// kalitut [.] com /how-to-extract-handshake-from-capture/
Hello, thanks for the information. Yes, you are right, they stole the text of the article; also in the stolen article, pay attention to the screenshots corrected in a photo editor – the command line prompt has been changed.