How to extract all handshakes from a capture file with several handshakes
A single network capture file (pcap format) can contain more than one handshake. This happens, for example, during a long-running Airodump-ng capture, which can collect several handshakes from one or more access points. Handshakes from files captured in ‘noisy’ conditions need additional verification and cleaning.
Several handshakes can also end up in one file artificially, simply by merging the files. For example, Besside-ng (which automatically captures handshakes from all access points within reach, running a deauthentication attack for this purpose) writes all captured handshake packets to a single .cap file.
So this situation is not rare, and to attack one of the wireless networks whose handshakes are in the same file, you may need to extract each handshake separately.
How to separate handshakes on different files
It is important to understand the difference between a file in which several handshakes are simply merged and a capture file in a noisy environment. An example of analyzing a file of the first type (using aircrack-ng):
aircrack-ng FILE_NAME.cap
An example of a file of the second type:
It can be seen that there is a lot of garbage in the second file, and in the whole file there are only two handshakes suitable for cracking. Among the garbage there are many separate EAPOL frames (components of a handshake) that are unsuitable for password cracking.
To view the contents of a file, you can use Wireshark. After opening the file, apply the filter:
eapol
Manual separation of handshake files using Wireshark
If you work with a file from merged handshakes, then there should not be any problems with it. Open the file in Wireshark:
You can use the filter:
wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol
But it may not be necessary, because the file already contains only the necessary packets.
To filter packets for a specific access point, specify the BSSID with the following filter:
wlan.addr==BSSID
For example:
wlan.addr==28:28:5D:6C:16:24
Or like this (the parentheses are needed, because && binds tighter than || in Wireshark display filters; without them the BSSID condition applies only to the eapol part):
(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr==28:28:5D:6C:16:24
Now use CTRL+M to mark the required packets:
And from the File menu, choose Export Specified Packets:
Enter the file name and select the Marked packets only option:
Checking our file:
All is fine. You can do another check with coWPAtty by running a command like this:
cowpatty -r FILE -s ESSID -c
For example, in my case:
cowpatty -r ZyXEL_59.pcap -s ZyXEL_59 -c
The phrase ‘Collected all necessary data to mount the crack against WPA2/PSK passphrase’ means that all the necessary data is collected to crack the password.
To isolate the handshake from a capture file made in noisy conditions, some effort is required. Start with filtering (replace 84:C9:B2:52:F6:37 with the BSSID of the network you are interested in):
(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr==84:C9:B2:52:F6:37
The handshake is suitable for cracking the password if:
- it necessarily includes the second message (M2), plus either the third message (M3), which confirms that a connection to the network was made, or the first message (M1) instead of the third (the handshake can still be used for cracking, but there is no guarantee that a connection was established or even that the correct password was entered). It is better if you captured all four messages;
- the elements of the handshake follow in the right order;
- the gaps between them are small (on the order of milliseconds or microseconds, not seconds).
Let us look at the following example.
The first set of EAPOL frames (highlighted in black) does not correspond to the condition that there should be a third or first message in addition to the second one.
The second set (red): only one message.
The third set (yellow): there is no third or first message.
The fourth set (orange): there is no second message.
The fifth set (green) is suitable, because it contains both the first and the second message. The time between the messages looks acceptable.
Select and save the necessary frames (I also include a Beacon frame):
Checking our file:
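As an added example (not the article's script), the suitability rules above applied in Python to EAPOL frames that have already been reduced to (timestamp, BSSID, message number): the sample data and the MAX_GAP threshold are constructed for this example, and the third BSSID is a placeholder.

```python
from collections import defaultdict
# Assumed for this example: maximum gap in seconds between messages of one set
# (the article only says the gaps should be milliseconds, not seconds).
MAX_GAP = 0.5
A, B, C = "84:C9:B2:52:F6:37", "28:28:5D:6C:16:24", "00:11:22:33:44:55"
# Constructed sample: (timestamp in s, BSSID, EAPOL message number). A models
# the sets from the article, B a complete handshake, C (placeholder) a slow pair.
SAMPLE_FRAMES = [
    (0.000, A, 2), (0.010, A, 4),   # set 1: M2 present but neither M1 nor M3
    (1.000, A, 1),                  # set 2: only one message
    (3.000, A, 1), (3.020, A, 3),   # set 4: no M2
    (4.000, A, 1), (4.015, A, 2),   # set 5: usable (M1 + M2), tight timing
    (10.00, B, 1), (10.01, B, 2), (10.02, B, 3), (10.03, B, 4),  # all four
    (20.00, C, 1), (21.00, C, 2),   # one second apart: split into two sets
]
RANK = {"unusable": 0, "unconfirmed": 1, "confirmed": 2, "full": 3}

def split_sets(frames):
    """Group frames per BSSID into sets; a new set starts when the message
    number does not advance or the gap exceeds MAX_GAP (order + timing rules)."""
    by_ap = defaultdict(list)
    for ts, bssid, msg in sorted(frames):
        by_ap[bssid].append((ts, msg))
    sets = []
    for bssid, seq in by_ap.items():
        cur = []
        for ts, msg in seq:
            if cur and (msg <= cur[-1][1] or ts - cur[-1][0] > MAX_GAP):
                sets.append((bssid, cur))
                cur = []
            cur.append((ts, msg))
        sets.append((bssid, cur))
    return sets

def classify(msgs):
    """M2 is mandatory; M3 confirms the connection; M1 instead of M3 is
    usable but unconfirmed; all four messages is best."""
    nums = {m for _, m in msgs}
    if 2 not in nums:
        return "unusable"
    if 3 in nums:
        return "full" if nums == {1, 2, 3, 4} else "confirmed"
    return "unconfirmed" if 1 in nums else "unusable"

def usable_aps(frames):
    """Best grade per BSSID; APs without a usable set are dropped (no output file)."""
    best = defaultdict(lambda: "unusable")
    for bssid, msgs in split_sets(frames):
        best[bssid] = max(best[bssid], classify(msgs), key=RANK.get)
    return {b: g for b, g in best.items() if g != "unusable"}
```

Feeding real captures in only requires filling the list from a tshark field export (frame.time_epoch, wlan.bssid and the EAPOL message number).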
Extracting a handshake with tshark
tshark is Wireshark without the graphical interface. It can also be used to split a large capture file into separate handshakes. To do this, run the command as follows:
tshark -r SOURCE_FILE.cap -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == BSSID" -2 -w RESULT_FILE.cap -F pcap
In it, you need to insert your values for:
- SOURCE_FILE.cap – file with several handshakes
- BSSID – MAC address of the access point of interest
- RESULT_FILE.cap – file where the selected handshake will be saved
An example of a real command:
tshark -r wpa.cap -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == 84:C9:B2:0B:79:94" -2 -w wifi55.cap -F pcap
Solving the error: Unsupported file format (not a pcap or IVs file). Read 0 packets. No networks found, exiting.
Some users get an error when using tshark and then opening the resulting file in aircrack-ng:
aircrack-ng MiAl.cap
Opening MiAl.cap
Unsupported file format (not a pcap or IVs file).
Read 0 packets.
No networks found, exiting.
Quitting aircrack-ng...
To avoid this error, when saving via tshark you need to specify the -F pcap option, which sets the correct file format.
A script for extracting handshakes
To automate splitting one file into handshakes, I wrote a script. If you split a file obtained with Besside-ng, or one created artificially by merging handshakes, the script works without problems.
If you split a capture file obtained in noisy conditions (for example, during a long-running Airodump-ng session), the script behaves as follows:
- if no working handshake is found for an access point, all data for it is discarded (no output file is created)
- if at least one working handshake is found for an access point, all of its EAPOL frames are saved in one file.
Therefore, you will need to open the output files and check whether they contain any unnecessary data.
Although aircrack-ng seems to pick the right handshake correctly, cap2hccapx (part of the hashcat-utils set, used to convert captures to Hashcat's hash format) has been seen to have problems if the unnecessary EAPOL frames from unsuitable handshakes are not cleaned out first.
Create a file called handshakes_extractor.sh:
gedit handshakes_extractor.sh
And copy there:
When launching it, pass the (p)cap file from which you want to extract the handshakes as the argument.
Launch example:
bash handshakes_extractor.sh wpa.cap
Results:
If at least one working handshake is found, then in the current directory a folder of the form 2018-04-13-155818 is created, in which separate handshakes for all access points are stored as separate files.
The script prints the name of the file with the saved frames, as well as information about the saved frames themselves.
When you do not need to separate the file into separate handshakes
You do not need to divide a file into separate handshakes if you are going to use the aircrack-ng program. To select a target, you can use the options:
-e <essid> : target selection: network identifier
-b <bssid> : target selection: access point's MAC
The cap2hccapx utility will write all the hashes (for cracking in Hashcat) into one .hccapx file.
Run as follows:
cap2hccapx.bin SOURCE_FILE.cap HASH_FILE.hccapx
For example:
cap2hccapx.bin wpa.cap all.hccapx
To write a hash for only one AP, specify its ESSID:
cap2hccapx.bin SOURCE_FILE.cap HASH.hccapx ESSID
Example:
cap2hccapx.bin wpa.cap Zyxel-49.hccapx Zyxel-49
The handshakes extractor script breaks when SSIDs contain spaces. I added quotes at the second tshark call and it seemed to fix it:
./$DIR/"$ESSID.pcap"
Thank you!
Great script and thanks a lot for it. I have found a problem where aircrack-ng gets stuck after processing the last handshake, preventing the script from exiting properly. This is mainly because the "timeout" command is not able to force aircrack-ng to exit (normally, if you run aircrack-ng FILE.pcap, aircrack-ng waits for user input and won't be easily killed), hence it needs to be forcibly killed.
A fix for this issue can be like this:
Hello! I was guessing the timeout command does not work in these circumstances, thank you for your confirmation.
I like your fix. Thanks a lot for it!
When I have a chance, I will make some tests by myself and replace the string in the article.
To everyone: in the handshakes_extractor.sh file
replace
with
Hi mate, can you help me in writing a script (bat file) that checks for handshakes for the CommView for WiFi Windows tool?!