Forum Thread: Confused Noob

I Inadvertently Left Kali Running a Scan on Local APs Using the Airodump Function in Aircrack Whilst I Was Away for a Couple of Days. Upon My Return I Find That It Has Seemingly Grabbed Shedloads of WPA Handshakes for Various BSSIDs Whilst I've Been Away. As I'm Used to Using the Tutorials on Here (Whereby You Use the -W Command to Create a File for the Captured 'Shakes) I've No Idea Where to Find the Handshakes. I Know I Need to Make a Start on the Linux Basics Tutorials but Any Assistance in the Interim on Locating and Getting to Grips on the 'Shakes I've Grabbed Would Be Appreciated.

Join the Next Reality AR Community

Get the latest in AR — delivered straight to your inbox.

2 Responses

Ciuffy is correct about the headline - I don't post much and was rushing off to a beer festival. Many thanks for your help.

A few things you can do (assuming you're using Kali):

Open up a terminal and run from the command line:

wpaclean new.cap old.cap

Note that the order in this is the opposite of what you'll usually see -- enter the file name you want to give your clean cap file FIRST, and then the file of the one you have now. e.g.

wpaclean SmallCap.cap HugeCapBecauseILeftAirCrackRunning.cap

This will strip the file down to only the relevant handshakes (you only need two from each set, but they have to be the right two).

pyrit -r Old.cap -o New.cap strip

This will strip it down to just handshakes, but won't pre-select them for you.
After that you can run:
pyrit -r New.cap analyze

This will return a list of all handshakes, and tell you if they're usable ("good spread") or not.

And, finally, you can do it manually by opening the cap file in wireshark and selecting individual packets. See this for an explanation:


I've only ever used these on cap files that captured handshakes from a single ESSID. Not certain how they'll work if you have dozens of different ESSIDs in there.

What I've done is run pyrit strip on the cap file first, run pyrit analyze on it, and then run it through wpaclean. Then I'll open up the final cap file in wireshark and make sure they all look good. But I think you can get away with just wpaclean.

Share Your Thoughts

  • Hot
  • Active