No valid handshakes when wifi.handshakes.aggregate false #939
Comments
I got an issue report, too, that hcxpcapngtool doesn't convert a bettercap dump file to a hash file accepted by hashcat. If you take a closer look at the status output of hcxpcapngtool you'll notice that only the four EAPOL messages are stored while the ESSID information is missing. An ESSID is mandatory to calculate the plain master key (PMK). The difference between these types of frames: |
@undermuz, to figure out what exactly is missing in the dump file, it would be helpful if you add it here. |
Great, thanks. To successfully convert a 4way handshake to a hash file accepted by hashcat or john we need: e.g.:

Now take a look at the invalid pcap dump file:

02........22:37:08,712138........3c:dc:bc:85:9b:49........58:d9:d5:8e:52:20........1........1

As you can see, we only have EAPOL MESSAGES of type M1, M3 and M4 while M2 is missing! 802.1X Authentication

The conditions are not met and hcxpcapngtool will not convert it.

@evilsocket in that case (if we got an M4, but the other EAPOL messages are missing/incomplete) hcxdumptool will request the entire 4 way handshake again, by sending a DISASSOCIATION frame with reason WLAN_REASON_DISASSOC_AP_BUSY. In hcxlabtool I make it a bit more aggressive and transmit different reason codes, depending on what kind of EAPOL messages are received before: We do that until we receive a complete 4way handshake. BTW: |
In summary, we can say it is not an issue of bettercap/pwnagotchi or hcxpcapngtool. |
This warning is related to go.lang in combination with libpcap and NETLINK: e.g.: packet 3 is out of time sequence, packet 2 and packet 4 have the same time (it is impossible that 2 packets are transmitted at the same time): e.g.: packet 2 is out of time sequence, packets 4, 6, 8 and 10 have the same time. |
tshark -r /root/DISTR/bettercap/wpa.pcap -T fields -e frame.number -e _ws.col.Time -e wlan.ra -e wlan.ta -e wlan_rsna_eapol.keydes.msgnr -e eapol.keydes.replay_counter

┌──(root💀kali)-[~/DISTR/bettercap]

so here I have no ESSID from pcap file generated from bettercap. |
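A small checker for the tshark field output used in this thread, added here as an illustration (not code from bettercap, hcxtools or any commenter): it reports which EAPOL messages M1 to M4 are absent per AP/client pair, and which frames are out of time sequence or share a timestamp. The sample rows and MAC addresses are constructed, and tab-separated columns in the order of the command above are assumed; the ESSID check is not covered.

```python
from collections import defaultdict

# Constructed sample rows (not taken from the issue's capture), tab-separated in
# the column order of the tshark command above:
# frame.number, time, wlan.ra, wlan.ta, EAPOL message number, replay counter
AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = "\n".join([
    f"1\t22:37:08,700000\t{STA}\t{AP}\t1\t1",
    f"2\t22:37:08,712138\t{STA}\t{AP}\t1\t2",
    f"3\t22:37:08,705000\t{STA}\t{AP}\t3\t3",
    f"4\t22:37:08,712138\t{AP}\t{STA}\t4\t3",
])

def to_seconds(stamp):
    """Accept 'HH:MM:SS,ffffff' or plain seconds; return seconds as a float."""
    seconds = 0.0
    for part in stamp.replace(",", ".").split(":"):
        seconds = seconds * 60 + float(part)
    return seconds

def parse(text):
    rows = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) != 6 or not f[4] or not f[5]:
            continue  # skip frames that are not EAPOL-Key messages
        rows.append((int(f[0]), to_seconds(f[1]), f[2], f[3], int(f[4]), int(f[5])))
    return rows

def missing_messages(rows):
    """Map (ap, client) -> sorted list of handshake messages not in the capture."""
    seen = defaultdict(set)
    for _num, _ts, ra, ta, msg, _rc in rows:
        # M1 and M3 are sent by the AP, M2 and M4 by the client.
        pair = (ta, ra) if msg in (1, 3) else (ra, ta)
        seen[pair].add(msg)
    return {pair: sorted({1, 2, 3, 4} - msgs) for pair, msgs in seen.items()}

def timestamp_anomalies(rows):
    """Return (frames earlier than a previous frame, pairs with equal timestamps)."""
    out_of_order, duplicates, first_seen, latest = [], [], {}, None
    for num, ts, *_ in rows:
        if ts in first_seen:
            duplicates.append((first_seen[ts], num))
        first_seen.setdefault(ts, num)
        if latest is not None and ts < latest:
            out_of_order.append(num)
        latest = ts if latest is None else max(latest, ts)
    return out_of_order, duplicates

if __name__ == "__main__":
    rows = parse(SAMPLE)
    print("missing EAPOL messages:", missing_messages(rows))
    print("out of order / same time:", timestamp_anomalies(rows))
```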
I do not recommend adding an ESSID manually, and hcxpcapngtool has no option to add an ESSID. If the ESSID doesn't match exactly, you'll waste your time trying to recover the PSK. It is much better to capture a new fresh 4way handshake or (better) a PMKID. BTW: |
To answer your question completely: EAPOL 4way handshake hash line: hashcat will accept this hash line. The same applies to a PMKID hash line: |
@undermuz, this
is old school and will not work if @evilsocket, please take a look at what happens if an AP receives a CLASS 2 or a CLASS 3 frame outside the expected AUTHENTICATION STATE. This attack vector is extremely fast and very effective. This attack vector is part of hcxlabtool: Another attack vector is to request an EAPOL M2 directly from a CLIENT. |
@ZerBea https://twitter.com/evilsocket/status/1467884054607499275 tl;dr i'm on a long break |
Hi Simone. Cheers |
Description of the bug or feature request
Environment
bettercap v2.32.0 (built for linux arm with go1.15.15)
Linux raspberry-pi 5.10.92-v7+ armv7l GNU/Linux
Raspbian GNU/Linux 11 (bullseye)
cli:
/usr/local/bin/bettercap -no-colors -eval "set events.stream.output /var/log/bettercap.log" -caplet undermuz-basic
cat /usr/local/share/bettercap/caplets/undermuz-basic.cap
Steps to Reproduce
curl -X POST -F "email=SOME_VALID_EMAIL" -F "file=@/path/to/handshake.pcap" https://api.onlinehashcrack.com
No valid EAPOL handshake or PMKID found
Expected behavior: Expected to have a valid handshake
Actual behavior: Not getting valid handshakes
--
BTW, when wifi.handshakes.aggregate true, an aggregated file with handshakes is valid, and can be uploaded to onlinehashcrack