How to extract all handshakes from a capture file with several handshakes

A single network data capture file (pcap format) can contain more than one handshake. This can happen, for example, with the continued Airodump-ng capturing, as a result it can got several handshakes from one or more access points. Handshakes from files captured in ‘noisy’ conditions need additional verification and cleaning.

Several handshakes in one file can be obtained artificially, simply by combining them into one file. For example, the Besside-ng program (automatically captures handshakes from all access points within reach, for this purpose conducts deauthentication attack) creates a single .cap file for all captured handshake packets.

Therefore, this is not a rare situation, and to perform an attack on the wireless networks, whose handshakes are in the same file, you may need to extract each handshake.

How to separate handshakes on different files

It is important to understand the difference between a file in which several handshakes are simply merged and a capture file in a noisy environment. An example of analyzing a file of the first type (using aircrack-ng):

aircrack-ng FILE_NAME.cap

File example of the second type:

It can be seen that there is a lot of garbage in the second file, and in the whole file there are only two handshakes suitable for hacking. Among the garbage, there are many separate EAPOL frames (components of a handshake) that are unsuitable for password cracking.

To view the contents of a file, you can use Wireshark. After opening the file, apply the filter:

eapol

Manual separation handshake files using Wireshark

If you work with a file from merged handshakes, then there should not be any problems with it. Open the file in Wireshark:

You can use a filter

wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol

But it may not be necessary, because there are already only the necessary packages.

To filter packets for a specific access point, specify the BSSID with the following filter:

wlan.addr==BSSID

For example:

wlan.addr==28:28:5D:6C:16:24

Or so:

wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol && wlan.addr==28:28:5D:6C:16:24

Now use CTRL+m to select the required packages:

And from the File menu, choose Export Specified Packets:

Enter the file name and put the switch on the Marked packets only:

Checking our file:

All perfectly. You can make another check with coWPAtty by running a command like this:

cowpatty -r FILE -s ESSID -c

For example, in my case:

cowpatty -r ZyXEL_59.pcap -s ZyXEL_59 –c

The phrase ‘Collected all necessary data to mount the crack against WPA2/PSK passphrase’ means that all the necessary data is collected to crack the password.

To isolate the handshake from a capture file made in noisy conditions, it is necessary to exert some effort. Start with filtering (replace 84:C9:B2:52:F6:37 with the BSSID of the network you are interested in):

wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol && wlan.addr==84:C9:B2:52:F6:37

The handshake is suitable for hacking the password if:

• necessarily includes the second message (M2), as well as the third one (M3) (ensures that the connection to the network was made) or instead of the third message contains the first message (M1) (the handshake is suitable for hacking the password, but there are no guarantees that connection was established and even that the correct password was entered). It is better if you captured all four messages;
• the elements of the handshake must follow in the right order;
• between them there should not be too much time interval (measured in milliseconds and microseconds).

We are looking at the following example.

The first set of EAPOL frames (highlighted in black) does not correspond to the condition that there should be a third or first message in addition to the second one.

The second set (red): only one message.

The third set (yellow): there is no third or first message.

The fourth set (orange): there is no second message.

The fifth set (green) is suitable, because there is a second and the first message. The time between messages seems acceptable.

Select and save the necessary frames (I also include a Beacon frame):

Our file is being tested:

Extracting a handshake with tshark

tshark is Wireshark, but without a graphical interface. This program can also be used to separate a large capture file into separate handshakes. To do this, the command is run as follows:

tshark -r SOURCE_FILE.cap -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == BSSID" -2 -w RESULT_FILE.cap -F pcap

In it, you need to insert your values for:

• SOURCE_FILE.cap – file with several handshakes
• BSSID – MAC address of the access point of interest
• RESULT_FILE.cap – file where the selected handshake will be saved

An example of a real command:

tshark -r wpa.cap -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == 84:C9:B2:0B:79:94" -2 -w $ESSID.cap -F pcap -w wifi55.cap

Solution of the error Unsupported file format (not a pcap or IVs file). Read 0 packets. No networks found, exiting.

Some users have an error when using tshark, and then opening the resulting file to aircrack-ng:

aircrack-ng MiAl.cap
Opening MiAl.cap
Unsupported file format (not a pcap or IVs file).
Read 0 packets.
 
No networks found, exiting.
 
Quitting aircrack-ng...

To avoid this error, while saving via tshark, you need to specify the -F pcap option, which specifies the correct file format.

A script for extracting handshakes

To automate the separation of one file into handshakes, I wrote a script. Remember that if you split a file obtained using Besside-ng or artificially when you merge handshakes, the script will work fine.

If you separate the capture file from a capture file obtained in noisy conditions (for example, during a long running Airodump-ng), the script will work like this:

• if no workable handshake is found for an access point, then all data for it will be discarded (no output file will be created)
• if at least one work handshake is found for an access point, then all EAPOL frames will be saved in one file.

Therefore, you will need to open the output files and check if there are any unnecessary data in them.

Although aircrack-ng seems to find the right handshake correctly, but with cap2hccapx (included in hashcat-utils set, used for converting to the hash format of Hashcat), problems are noticed if the unnecessary EAPOL frames from unsuitable handshakes if they are not previously cleaned.

Create a file called handshakes_extractor.sh:

gedit handshakes_extractor.sh

And copy there:

#!/bin/bash
 
# Author: MiAl
# Script home page: https://miloserdov.org/?p=1047
 
AIRCRACK_TIMEOUT=2 # given time to the aircrack-ng program to read the file. Time is specified in seconds
# If you have a very large file or a very slow system, increase this value
DIR=`date +"%Y-%m-%d-%H%M%S"`
ISDIRCREATED=0
 
if [[ "$1" && -f "$1" ]]; then
    FILE="$1"
else
    echo 'Specify a (p)cap file from which you want to extract the handshakes.';
    echo 'Usage:';
    echo -e "\tbash handshakes_extractor.sh wpa.cap";
    exit 1
fi
 
while read -r "line" ; do
if [ "$(echo "$line" | grep 'WPA' | grep -E -v '(0 handshake)' | grep -E 'WPA \(' | awk -F '  ' '{print $3}')" ]; then
    if [ $ISDIRCREATED -eq 0 ]; then
        mkdir ./$DIR || (echo "It is not possible to create a directory for saving handshakes. Quitting." && exit 1)
        ISDIRCREATED=1
    fi
    ESSID="$(echo "$line" | grep 'WPA' | grep -E -v '(0 handshake)' | grep -E 'WPA \(' | awk -F '  ' '{print $3}')"
    BSSID="$(echo "$line" | grep 'WPA' | grep -E -v '(0 handshake)' | grep -E 'WPA \(' | awk -F '  ' '{print $2}')"
    echo -e "\033[0;32mFound a handshake for the network $ESSID ($BSSID). Saved to file $DIR/\033[1m$ESSID.pcap\e[0m"
    tshark -r $FILE -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == $BSSID" -2 2>/dev/null
    tshark -r $FILE -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == $BSSID" -2 -w ./$DIR/"$ESSID.pcap" -F pcap 2>/dev/null
fi
done < <(timeout $AIRCRACK_TIMEOUT aircrack-ng $FILE)

To start, specify the (p)cap file from which you want to extract the handshakes.

Launch example:

bash handshakes_extractor.sh wpa.cap

Results:

If at least one working handshake is found, then in the current directory a folder of the form 2018-04-13-155818 is created, in which separate handshakes for all access points are stored as separate files.

The information about the file name with the saved frames is displayed, as well as information about the saved frames themselves.

When you do not need to separate the file into separate handshakes

You do not need to divide a file into separate handshakes if you are going to use the aircrack-ng program. To select a target, you can use the options:

    -e <essid> : target selection: network identifier
    -b <bssid> : target selection: access point's MAC

The cap2hccapx utility will write all the hashes (for hacking into Hashcat) into one .hccapx file.

Run as follows:

cap2hccapx.bin SOURCE_FILE.cap. HASH_FILE.hccapx

For example:

cap2hccapx.bin wpa.cap all.hccapx

To write a hash for only one AP, specify its ESSID:

cap2hccapx.bin SOURCE_FILE.cap HASH.hccapx ESSID

Example:

cap2hccapx.bin wpa.cap Zyxel-49.hccapx Zyxel-49