How to Check for a Successful Capture Using Wireshark (.CAP File)

Sep 22, 2015 08:08 AM
Sep 22, 2015 03:43 PM

Hello again my fellow Hackerzz!! I was trying hashcat, and when converting my .cap file to .hccap, I noticed that even after converting, hashcat was not working. So I got to know that sometimes, even if the aircrack-ng suite tells you that a 4-way handshake was successful, it is not. So, in this How-To, I'll be telling you how to check whether a captured 4-way handshake in a .cap file was successful or not.

I read the guide about it on the aircrack website and decided to write about it.

Start Wireshark

Go ahead and open Wireshark, then open your .cap file.

Or open your .cap file with Wireshark (one and the same thing, haha :))

Analysis

When you open the .cap file in Wireshark, you will notice that about 15 packets are present.

The packets we want to analyse are packets 8, 9, 10 and 11, as these are the 4-way handshake packets.

The packets before them are of no use to us (I mean no use for this tutorial), but I'll explain what they do.

Packet 1 - AP Beacon, i.e., announces the presence and capabilities of the AP

Packet 2 - Probe Request packet, i.e., client looking for the AP

Packet 3 - Probe Response packet, i.e., AP responding to the client

Packets 4, 5 - Open System authentication packets, i.e., client sending an authentication request

Packets 6, 7 - Association packets, i.e., joins the client to the network

Packets 8, 9, 10, 11 - 4-Way Handshake

Packets 12, 13, 14, 15... - Data packets or reauthentication (I'll explain this)

So, Let's Get Started!!

NOTE - This guide is not very detailed; it is just a quick way to check if you have a successful capture!

Successful Capture

If you have a successful capture, then your packets 8 and 9 will have 'Replay Counter : 1' and packets 10 and 11 will have 'Replay Counter : 2'.

[Screenshots: Packets 8, 9, 10 and 11 in Wireshark]

Now packets 12, 13, 14 and 15 will be data packets containing 'TKIP Parameters' and 'Data'.


Unsuccessful Capture

If your capture was unsuccessful, then packets 8 and 9 will have 'Replay Counter : 1', but after that, packets 10, 11, 12, 13, 14 and 15 will be repeats of packets 8 and 9 with successive replay counters.

[Screenshots: Packets 8, 9, 10, 11, 12, 13, 14 and 15 in Wireshark]

Now packet 16 will be a 'De-authentication Packet'.


Conclusion

What you need to check is the last few packets. If they are data packets, then you have a successful capture!! But if the last one is a De-authentication Packet, then you don't have a successful capture.
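The replay-counter check from the 'Successful Capture' and 'Unsuccessful Capture' sections, as an added Python example (not from the original guide or from aircrack-ng). It assumes each frame is the raw EAPOL payload starting at the 802.1X header; the function names are hypothetical, the sample frames are constructed, and using the Key Ack and Key MIC bits to tell the four messages apart comes from the standard EAPOL-Key layout rather than from this page.

```python
import struct

KEY_ACK, KEY_MIC = 0x0080, 0x0100   # Key Information bits in an EAPOL-Key frame

def parse_eapol_key(frame: bytes):
    """Return (replay_counter, ack, mic) for an EAPOL-Key frame, else None."""
    if len(frame) < 17 or frame[1] != 3:        # EAPOL packet type 3 = Key
        return None
    (key_info,) = struct.unpack_from("!H", frame, 5)   # after 4-byte header + descriptor type
    (replay,) = struct.unpack_from("!Q", frame, 9)     # 8-byte big-endian Replay Counter
    return replay, bool(key_info & KEY_ACK), bool(key_info & KEY_MIC)

def handshake_complete(frames):
    """True if four consecutive key frames form M1, M2 (counter n), M3, M4 (counter n + 1)."""
    keys = [k for k in map(parse_eapol_key, frames) if k]
    for i in range(len(keys) - 3):
        (r1, a1, m1), (r2, a2, m2), (r3, a3, m3), (r4, a4, m4) = keys[i:i + 4]
        first_pair = a1 and not m1 and not a2 and m2 and r2 == r1
        second_pair = a3 and m3 and r3 == r1 + 1 and not a4 and m4 and r4 == r3
        if first_pair and second_pair:
            return True
    return False

def build_key_frame(replay, ack, mic):
    """Constructed sample frame: real layout, zeroed nonce, IV, RSC, key ID and MIC."""
    info = 0x0008 | (KEY_ACK if ack else 0) | (KEY_MIC if mic else 0)  # 0x0008 = pairwise key
    body = struct.pack("!BHHQ", 254, info, 32, replay) + bytes(32 + 16 + 8 + 8 + 16 + 2)
    return struct.pack("!BBH", 1, 3, len(body)) + body

# Constructed captures, one tuple per key frame: (replay counter, Key Ack, Key MIC)
GOOD = [build_key_frame(*f) for f in [(1, True, False), (1, False, True),
                                      (2, True, True), (2, False, True)]]
BAD = [build_key_frame(*f) for f in [(1, True, False), (1, False, True),
                                     (2, True, False), (2, False, True),
                                     (3, True, False), (3, False, True)]]

if __name__ == "__main__":
    print("complete capture:", handshake_complete(GOOD))
    print("retries only:   ", handshake_complete(BAD))
```

The BAD sample mirrors the unsuccessful case above: the first two messages repeat with counters 1, 2, 3 and the third message never appears.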

Credit to aircrack official website guide
