Extract WPA PSK from airodump-ng output file

Question

How can I get the PSK hash in plain text from a airodumnp-ng .cap file ?

Example :

Hash : af8cfcf3c66d6e279d3fcb43e78569e872446e24f5f190350637fa174d9ece63

I understand aircrack-ng -J file.hccap file2.cap generates the .hccap ( format hashcat works with ) but has other hashes , not the PSK hash.

This is my router hccap file :

Opening clean.cap
Read 3 packets.

   #  BSSID              ESSID                     Encryption

   1  5C:D9:98:E5:AD:D8  me                        WPA (1 handshake)

Choosing first network as target.

Opening clean.cap
Reading packets, please wait...

Building Hashcat (1.00) file...

[*] ESSID (length: 2): me
[*] Key version: 2
[*] BSSID: 5C:D9:98:E5:AD:D8
[*] STA: 48:86:E8:1A:B5:B0
[*] anonce:
    80 BB D8 30 3C 77 67 69 05 C0 9E 1D E2 1F B9 78 
    77 E2 91 83 02 BA FB AA E3 53 45 D8 C7 60 EC 12 
[*] snonce:
    6F 82 D4 AE D5 D3 9C D8 5D 43 CB 2E 9D D1 56 1A 
    F7 20 F0 43 89 FB 48 69 37 7E 12 9D 65 B4 3B B7 
[*] Key MIC:
    A9 80 58 2B 77 E0 50 6B CF 7C 14 42 23 55 AD 2A
[*] eapol:
    01 03 00 75 02 01 0A 00 00 00 00 00 00 00 00 00 
    01 6F 82 D4 AE D5 D3 9C D8 5D 43 CB 2E 9D D1 56 
    1A F7 20 F0 43 89 FB 48 69 37 7E 12 9D 65 B4 3B 
    B7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 16 30 14 01 00 00 0F AC 02 01 00 00 0F AC 
    04 01 00 00 0F AC 02 00 00 

Successfully written to myRouterClean.hccap


Quitting aircrack-ng...

Because is my own router I know that my PSK is :

9b3fdc780db2bbf3045eff878f10a55b0e2c0eb1088df8dad0d6dc130f2d51fd

How can I extract my PSK from the above file ( hccap ) or from airodump-ng output .cap file ?

Also john needs to process the capture file to be able to work with it and here is the output of hccap2john , still no good :(

    e:$WPAPSK$me#LBaMtOrMG6Pc4fKkPs9IfhLHbBVREwgibR3K4jQUw2C7yoVdBrsGbKKoCvS.ixUkD
    5RbOEL.bVrW5vZsRy8FUk8uyufXIoLMlq1g2U21.5I0.Ec............/Ps9IfhLHbBVREwgibR3
    K4jQUw2C7yoVdBrsGbKKoCvQ......................................................
    ...........3X.I.E..1uk0.E..1uk2.E..1uk0.......................................
    ..............................................................................
    .................................................................
    /t.....U...8a.K0hrs3/fnrkIEWBJfGc:48-86-e8-1a-b5-b0:5c-d9-98-e5-ad-
    d8:5cd998e5add8::WPA2:myRouterClean.hccap

Answer 1

Assuming you have properly captured the Handshake using airodump-ng. you can crack .cap using aircrack-ng as: aircrack-ng -w Wordlist captured.cap file

Answer 2

I realize this question was posted a while ago and hope you were able to find an answer sooner. However, I wanted to post for others that may still have this question or for future reference.

I think you were looking for something like ZerBea's hcxpcaptool. This will provide details about the pcap file and convert the hash into a format compatible with john the ripper/hashcat.

./hcxpcaptool -z test.16800 test.pcapng

Answer 3

There is no plain hash of PSK on the file because the system use "Salt" that is a technique that adds some random digits on the password prior to calculate hash to be immune from "rainbow tables". This are lists that allow you to look up the original password when you have the hash. (for Salt in wpa2 is used the SSID)

After that PBKDF2 does some other changes (using a key derivation function (KDF) in 2 steps making the brute-force attack the only available way to be performed to find the original PSK used.

So the only way is to brute force with dictionary attack or true brute force with any possible value that starts from the easiest one of 8 digits.

MK (the password) -> PMK (derived) -> PTK (what is sniffed) [no way to go in reverse]