hashcat-utils

Networks named 💥🖥💥 Ⓟ➃ⓌⓃ🅟❶

Open Legendaire opened this issue 6 years ago • 12 comments

💥🖥💥 Ⓟ➃ⓌⓃ🅟❶ is the name of a network in my area. I was curious to see how the special characters affected these tools. I get this message:

    tricky-02.cap: Oversized packet detected
    Networks detected: 0

when doing

    cap2hccapx.exe tricky-02.cap tricky-02.hccapx

on a cap file without a handshake.

I tried the 1.9 version on a file where I am certain there was a handshake and simply got this:

    Networks detected: 0

I know that airodump captured the handshake. Could this be an issue with the odd characters of the ssid or am I missing something?

May 05 '19 23:05 Legendaire

Could you please attach the capfile? aircrack-ng handshake detection is known to be buggy: https://github.com/aircrack-ng/aircrack-ng/issues/1993

May 24 '19 10:05 ZerBea

I can't actually remember which file it was. Is there a way to figure out which one it was?

May 26 '19 19:05 Legendaire

You have a filename: tricky-02.cap. So you can search it by name.

May 26 '19 20:05 ZerBea

Grrrrr. Google won't let me send the whole thing uncompressed. I zipped up all the files. Here you go.

May 27 '19 04:05 Legendaire

Hmmm, why google? That will not work. To attach a compressed cap file, drag and drop it into the comment box here on git. https://help.github.com/en/articles/file-attachments-on-issues-and-pull-requests

May 27 '19 06:05 ZerBea

tricky-02.zip

I didn't realize our conversation was going into this thread. I was just replying via email. I've dragged and dropped the file here. I hope it helps.

May 27 '19 08:05 Legendaire

Ok, that worked. Thanks.

Looks like the AP uses emojis within the ESSID. That is a new trend: https://medium.com/@bcjordan/emojify-your-wi-fi-c01f4ac0b0ab Unfortunately some clients don't understand this: https://www.reddit.com/r/Ubiquiti/comments/7hfusd/using_emoji_characters_in_ssid/

hashcat (hashcat-utils), john (latest) and wpa-sec are able to handle emojis inside an ESSID.

Unfortunately, your capfile doesn't contain a PMKID or a handshake. It also doesn't contain an oversized packet. There is nothing to analyze or to hunt for an issue inside. So, cap2hccapx is doing its job as expected:

    $ cap2hccapx.bin tricky-02.cap tricky-02.hccapx
    Networks detected: 0

hcxpcaptool will give us more information about the file:

    $ hcxpcaptool -V tricky-02.cap
    reading from tricky-02.cap
    summary:
    file name....................: tricky-02.cap
    file type....................: pcap 2.4
    file hardware information....: unknown
    file os information..........: unknown
    file application information.: unknown
    network type.................: DLT_IEEE802_11 (105)
    endianness...................: little endian
    read errors..................: flawless
    packets inside...............: 24304
    skipped packets..............: 0
    packets with GPS data........: 0
    packets with FCS.............: 0
    beacons (with ESSID inside)..: 1
    probe responses..............: 24303

May 27 '19 09:05 ZerBea
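
An added example, not part of the thread and not code from hashcat-utils or hcxtools: a minimal Python check of the same facts the tools report above, counting beacons, probe responses and EAPOL frames in a DLT_IEEE802_11 pcap and decoding the ESSID bytes as UTF-8. The capture is constructed in `build_sample`; the function names are hypothetical.

```python
import struct

LLC_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header, EtherType 0x888E (EAPOL)

def summarize(pcap: bytes) -> dict:
    """Count beacons, probe responses and EAPOL frames in a raw 802.11 pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack_from(end + "I", pcap, 20)[0] != 105:
        raise ValueError("expected DLT_IEEE802_11 (105), i.e. no radiotap header")
    out = {"beacons": 0, "probe_responses": 0, "eapol": 0, "essids": set()}
    off = 24
    while off + 16 <= len(pcap):
        incl, = struct.unpack_from(end + "I", pcap, off + 8)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 24:
            continue
        ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
        if ftype == 0 and subtype in (5, 8):        # management: probe response / beacon
            out["beacons" if subtype == 8 else "probe_responses"] += 1
            tags, i = frame[36:], 0                 # skip 24-byte header + 12 fixed bytes
            while i + 2 <= len(tags):
                tag, ln = tags[i], tags[i + 1]
                if tag == 0 and ln and i + 2 + ln <= len(tags):
                    # SSID element is raw bytes; emoji names are plain UTF-8
                    out["essids"].add(tags[i + 2:i + 2 + ln].decode("utf-8", "replace"))
                i += 2 + ln
        elif ftype == 2 and not (frame[1] & 0x40):  # unencrypted data frame
            hdr = 24 + (6 if (frame[1] & 3) == 3 else 0) + (2 if subtype & 8 else 0)
            if frame[hdr:hdr + 8] == LLC_EAPOL:
                out["eapol"] += 1
    return out

def build_sample(essid: str, with_eapol: bool) -> bytes:
    """Constructed capture: 1 beacon, 2 probe responses, optionally 1 EAPOL frame."""
    def mgmt(subtype: int) -> bytes:
        ssid = essid.encode("utf-8")
        return bytes([subtype << 4, 0]) + bytes(22 + 12) + bytes([0, len(ssid)]) + ssid
    frames = [mgmt(8), mgmt(5), mgmt(5)]
    if with_eapol:
        frames.append(bytes([0x08, 0x02]) + bytes(22) + LLC_EAPOL + bytes(4))
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    for f in frames:
        pcap += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return pcap

ESSID = "💥🖥💥 Ⓟ➃ⓌⓃ🅟❶"  # the ESSID from this thread
if __name__ == "__main__":
    for flag in (False, True):
        print(summarize(build_sample(ESSID, flag)))
```

A capture that reports `eapol: 0`, like the first constructed sample, holds no handshake frames for a converter to extract, regardless of how the ESSID is encoded.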

That is so strange. When I did the capture it said it caught a handshake. If there is no PMKID or handshake then either the capture software (aircrack-ng) is the issue or I am imagining things. I should post on the aircrack-ng site to see if that is the issue.

May 27 '19 20:05 Legendaire

Same result, running wpapcap2john:

    $ wpapcap2john tricky-02.cap
    File tricky-02.cap: raw 802.11
    1 ESSIDS processed and 0 AP/STA pairs processed
    0 handshakes written, 0 RSN IE PMKIDs

BTW: tricky-02.cap doesn't look like an aircrack-ng captured file; too much kismet stuff inside the zip file. Also, it looks like the interface wasn't set properly to monitor mode (only beacons and probe responses inside).

May 28 '19 07:05 ZerBea

Just compiled aircrack-ng and it is working as expected, too:

    $ ./aircrack-ng tricky-02.cap -w testlist
    Reading packets, please wait...
    Opening tricky-02.cap
    Read 24304 packets.

    BSSID ESSID Encryption
    1 B8:27:EB:36:CE:53 💥🖥💥 Ⓟ➃ⓌⓃ🅟❶ Unknown

    Choosing first network as target.
    Reading packets, please wait...
    Opening tricky-02.cap
    Read 24304 packets.
    1 potential targets
    Packets contained no EAPOL data; unable to process this AP.
    Quitting aircrack-ng...

Is the driver installed in the correct way? https://rioasmara.com/2018/09/15/alfa-awus1900-kali-linux-experience/

May 28 '19 17:05 ZerBea

I was able to capture other handshakes so I would assume it is working. At this point it seems like everything is pointing to the software working. There is likely an "unknown unknown" variable which caused the initial blip. The emoji in the SSID may just be Ad hoc ergo roster hoc.

May 29 '19 19:05 Legendaire

That is a Raspberry Pi Zero W running P4wnP1 aloa.

Aug 18 '19 21:08 careyjames