Hello again my fellow Hackerzz!! I was trying hashcat and when converting my .cap file to .hccap, i noticed that even after converting, hashcat was not working. So i got to know that sometimes, even if aircrack-ng suite tells you that a 4-way handshake was succesful, it is not. So, in this How-To, i'll be telling you how to check a captured 4-way handshake in a .cap file was succesful or not.
I read the guide about it on the aircrack website and decided to write about it.
Start Wireshark
Go Ahead and open Wireshark And Open your .cap file.
OR open your .cap file with Wireshark (One and The Same thing haha:))
Analysis
When you open the .cap file in Wireshark, you will notice about 15 Packets are present.
The Packets we want to analyse are Packet - 8,9,10,11 as these are the 4-Way Handshake Packets.
The Packets Before them are no use to us (I Mean no use for this tutorial) but i'll explain what they do.
Packet 1 - AP Beacon, ie, announces presence and capabilities of AP
Packet 2 - Probe Request packet, ie, client looking for AP
Packet 3 - Probe Response packet, ie, AP responding to client
Packet 4,5 - Open-authentication System packets, ie, client sending authentication request
Packet 6,7 - Association packets, ie, Joins the client to network
Packets 8,9,10,11 - 4-Way Handshake
Packets 12,13,14,15... - Data Packets or Reauthenticaiton (I'll explain this)
So, Let's Get Started!!
NOTE - This guide is not-so detailed, just a quick way to check if you have a succesful capture!
Succesful Capture
If you have a succesful Capture, Then your Packets 8 and 9 will have 'Replay Counter : 1' And Packets 10 and 11 will have 'Replay Counter : 2'.
Packet 8
Packet 9
Packet 10
Packet 11
Now The Packets 12,13,14,15 Will be Data Packets containing 'TKIP Parameters' and 'Data'.
Unsuccesful Capture
If your Capture was Unsuccesful, Then the Packets 8 and 9 will have 'Replay Counter : 1', but after the The Packets 10,11,12,13,14,15 will be Repeats of Packets 8 and 9 with successive replay counters.
Packet 8
Packet 9
Packet 10
Packet 11
Packet 12
Packet 13
Packet 14
Packet 15
Now Packet 16 will be a 'De-authentication Packet'.
Conclusion
What you need to check is the last few packets. If they are data packets, then you have a succesful capture!! But if the last one is a De-authentication Packet, then you dont have a succesful Capture.
Credit to aircrack official website guide
1 Response
Se7enPeace
thank you for writing this.
Have you compared any of your captures to this?
If so what were your results?
H@CK - D@D
Share Your Thoughts