
How can I get the PSK hash in plain text from an airodump-ng .cap file?

Example:

Hash : af8cfcf3c66d6e279d3fcb43e78569e872446e24f5f190350637fa174d9ece63

I understand aircrack-ng -J file.hccap file2.cap generates the .hccap (the format hashcat works with), but it has other hashes, not the PSK hash.

This is my router's hccap file:

    Opening clean.cap
    Read 3 packets.

       #  BSSID              ESSID                     Encryption

       1  5C:D9:98:E5:AD:D8  me                        WPA (1 handshake)

    Choosing first network as target.

    Opening clean.cap
    Reading packets, please wait...

    Building Hashcat (1.00) file...

    [*] ESSID (length: 2): me
    [*] Key version: 2
    [*] BSSID: 5C:D9:98:E5:AD:D8
    [*] STA: 48:86:E8:1A:B5:B0
    [*] anonce:
        80 BB D8 30 3C 77 67 69 05 C0 9E 1D E2 1F B9 78 
        77 E2 91 83 02 BA FB AA E3 53 45 D8 C7 60 EC 12 
    [*] snonce:
        6F 82 D4 AE D5 D3 9C D8 5D 43 CB 2E 9D D1 56 1A 
        F7 20 F0 43 89 FB 48 69 37 7E 12 9D 65 B4 3B B7 
    [*] Key MIC:
        A9 80 58 2B 77 E0 50 6B CF 7C 14 42 23 55 AD 2A
    [*] eapol:
        01 03 00 75 02 01 0A 00 00 00 00 00 00 00 00 00 
        01 6F 82 D4 AE D5 D3 9C D8 5D 43 CB 2E 9D D1 56 
        1A F7 20 F0 43 89 FB 48 69 37 7E 12 9D 65 B4 3B 
        B7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
        00 00 16 30 14 01 00 00 0F AC 02 01 00 00 0F AC 
        04 01 00 00 0F AC 02 00 00 

    Successfully written to myRouterClean.hccap


    Quitting aircrack-ng...

Because it is my own router, I know that my PSK is:

9b3fdc780db2bbf3045eff878f10a55b0e2c0eb1088df8dad0d6dc130f2d51fd

How can I extract my PSK from the above file (hccap) or from the airodump-ng output .cap file?

Also, john needs to process the capture file to be able to work with it, and here is the output of hccap2john, still no good :(

    e:$WPAPSK$me#LBaMtOrMG6Pc4fKkPs9IfhLHbBVREwgibR3K4jQUw2C7yoVdBrsGbKKoCvS.ixUkD
    5RbOEL.bVrW5vZsRy8FUk8uyufXIoLMlq1g2U21.5I0.Ec............/Ps9IfhLHbBVREwgibR3
    K4jQUw2C7yoVdBrsGbKKoCvQ......................................................
    ...........3X.I.E..1uk0.E..1uk2.E..1uk0.......................................
    ..............................................................................
    .................................................................
    /t.....U...8a.K0hrs3/fnrkIEWBJfGc:48-86-e8-1a-b5-b0:5c-d9-98-e5-ad-
    d8:5cd998e5add8::WPA2:myRouterClean.hccap
Zodiac
  • You can't extract the PSK hash from the hccap you have, as you are looking for a thing which never goes on air – Arjun sharma Oct 31 '16 at 13:09
  • But you actually break the PSK hash from that .hccap file. Isn't the PSK hash the one we are computing and trying to match with the one captured from the handshake? – Zodiac Jul 25 '17 at 17:34

3 Answers

Assuming you have properly captured the handshake using airodump-ng, you can crack the .cap file using aircrack-ng as:

    aircrack-ng -w Wordlist captured.cap

I realize this question was posted a while ago and hope you were able to find an answer sooner. However, I wanted to post for others that may still have this question or for future reference.

I think you were looking for something like ZerBea's hcxpcaptool. This will provide details about the pcap file and convert the hash into a format compatible with John the Ripper/hashcat.

    ./hcxpcaptool -z test.16800 test.pcapng
M03
There is no plain hash of the PSK in the file because the system uses a "salt", a technique that adds some random digits to the password prior to calculating the hash, to be immune from "rainbow tables". These are lists that allow you to look up the original password when you have the hash. (For the salt in WPA2, the SSID is used.)

After that, PBKDF2 makes some other changes (using a key derivation function (KDF) in 2 steps), making a brute-force attack the only available way to find the original PSK used.

So the only way is to brute force with a dictionary attack, or true brute force with every possible value, starting from the easiest one of 8 digits.

MK (the password) -> PMK (derived) -> PTK (what is sniffed) [no way to go in reverse]

emirjonb
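The key hierarchy the last answer describes, carried through as an added example (not the answerer's, the asker's, or aircrack-ng's code) on the handshake values aircrack-ng printed in the question: PBKDF2-HMAC-SHA1 over passphrase and SSID gives the PMK, PRF-512 over the PMK, both MACs and both nonces gives the PTK, and the KCK (first 16 bytes of the PTK) keys the MIC of EAPOL message 2. Every input except the PMK is visible in the capture, and the only operation the capture supports is this forward computation: derive from a candidate, compare against the captured MIC. The byte offsets, PBKDF2 parameters and PRF label are the IEEE 802.11i values; the dict and function names are assumptions of this example, and the 64-hex value the question calls the PSK is used as the candidate PMK in the bottom call.

```python
import hashlib
import hmac

# Added example (not the original poster's or aircrack-ng's code): the WPA2-PSK
# key hierarchy MK (passphrase) -> PMK -> PTK -> MIC, applied to the handshake
# values that aircrack-ng printed in the question.

# Handshake fields exactly as shown in the question's aircrack-ng output.
QUESTION_HANDSHAKE = {
    "essid": "me",
    "key_version": 2,          # key descriptor version 2 = HMAC-SHA1-128 MIC
    "bssid": bytes.fromhex("5CD998E5ADD8"),
    "sta": bytes.fromhex("4886E81AB5B0"),
    "anonce": bytes.fromhex(
        "80BBD8303C77676905C09E1DE21FB978"
        "77E2918302BAFBAAE35345D8C760EC12"),
    "snonce": bytes.fromhex(
        "6F82D4AED5D39CD85D43CB2E9DD1561A"
        "F720F04389FB4869377E129D65B43BB7"),
    "mic": bytes.fromhex("A980582B77E0506BCF7C14422355AD2A"),
    # EAPOL-Key message 2 (121 bytes); the hccap stores it with the MIC field zeroed.
    "eapol": bytes.fromhex(
        "0103007502010A000000000000000000"
        "016F82D4AED5D39CD85D43CB2E9DD156"
        "1AF720F04389FB4869377E129D65B43B"
        "B7000000000000000000000000000000"
        "00000000000000000000000000000000"
        "00000000000000000000000000000000"
        "00001630140100000FAC020100000FAC"
        "040100000FAC020000"),
}
# The 64-hex "PSK" the asker knows for this router: a PMK written out in hex,
# not a value that any field of the capture contains.
QUESTION_PMK_HEX = "9b3fdc780db2bbf3045eff878f10a55b0e2c0eb1088df8dad0d6dc130f2d51fd"


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Step 1: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt the answer mentions: the same passphrase yields a
    different PMK on every network name, so precomputed tables are per-SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def pmk_from_config(psk: str, ssid: str) -> bytes:
    """A wpa_supplicant-style psk= value: 64 hex digits are the PMK itself,
    anything else is a passphrase that still has to go through PBKDF2."""
    if len(psk) == 64 and all(c in "0123456789abcdefABCDEF" for c in psk):
        return bytes.fromhex(psk)
    return pmk_from_passphrase(psk, ssid)


def prf_512(key: bytes, prefix: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, prefix || 0x00 || data || i)
    for i = 0, 1, ... until 64 bytes are available."""
    out = b""
    i = 0
    while len(out) < 64:
        out += hmac.new(key, prefix + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """Step 2: PTK = PRF-512(PMK, "Pairwise key expansion",
    min(MACs) || max(MACs) || min(nonces) || max(nonces)).
    Everything here except the PMK is visible in the sniffed handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes, key_version: int) -> bytes:
    """Step 3: MIC over the EAPOL-Key frame with its 16-byte MIC field
    (offset 81) zeroed, keyed by the KCK (first 16 bytes of the PTK)."""
    zeroed = eapol[:81] + b"\x00" * 16 + eapol[97:]
    if key_version == 1:          # TKIP: HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if key_version == 2:          # CCMP: HMAC-SHA1 truncated to 128 bits
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"unsupported key descriptor version {key_version}")


def verify_handshake(pmk: bytes, hs: dict) -> bool:
    """Forward computation only: a candidate PMK is right if the MIC it produces
    equals the captured one. Nothing in the capture can be run backwards."""
    ptk = derive_ptk(pmk, hs["bssid"], hs["sta"], hs["anonce"], hs["snonce"])
    mic = eapol_mic(ptk[:16], hs["eapol"], hs["key_version"])
    return hmac.compare_digest(mic, hs["mic"])


if __name__ == "__main__":
    pmk = pmk_from_config(QUESTION_PMK_HEX, QUESTION_HANDSHAKE["essid"])
    print("PMK from the question matches the captured MIC:",
          verify_handshake(pmk, QUESTION_HANDSHAKE))
```

To check a capture of your own network, replace the dict with the fields your conversion tool prints. If the hex value the asker gives really is the PMK in use on that router, the recomputed MIC equals the captured one and the script prints True; the point either way is that the capture holds only the MIC, which depends on the PMK but does not contain it, and the answer's one-way arrow MK -> PMK -> PTK is exactly the order these three functions run in.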