The other day I had a wireless network packet capture file saved as a .cap file. The ESSID that was displayed via normal aircrack-ng output of the WPA/WPA2 wireless packet capture led me to believe there was at least one space included at the beginning of the ESSID, and likely after the ESSID, since it was not processing properly using oclHashcat-plus. I had never run into this before, so I wasn’t exactly sure of the easiest way to figure out the number of spaces. I posed the question in the Freenode aircrack-ng IRC channel and got a couple of responses, which are noted below, along with instructions following the clearest solution.
In the past we have written a couple of articles on using tshark to strip WPA capture files down to a specific ESSID or SSID, but in some cases it can be more useful to strip the capture down by BSSID or the MAC address of the WAP. Isolating packets by BSSID or WAP MAC address is useful in a scenario where a wireless deployment has numerous WAPs and you have captured a specific SSID’s traffic from more than one WAP. Below is information on how to strip down a capture file based on BSSID, along with information on capture size before stripping the file down.
I recently had a customer upload a WPA capture to our tools.question-defense.com server which failed immediately. This can happen from time to time and is for a variety of reasons. Sometimes, if a capture does not contain all 4 EAPOL packets, it will fail, and sometimes, if a capture has lots of other wifi garbage in the .cap file, it can confuse the cracking program. This last time was a new situation. After the failure I analyzed the cap file and determined that the ESSID was not present in the capture. This is absolutely crucial for the decrypting process. In this short article I will show how I determined the ESSID was not present and what I did about it.
I have had lots of people email me and ask if there is any way to make it impossible for an attacker to recover your MAC address from a capture file. If you are using one of our tools like the WPA Cracker in our tools section, you may be hesitant to upload a client’s capture data because a skilled attacker could use the capture and the online WiGLE database to pinpoint your location, assuming your area has been mapped by wardrivers. Although we run a secure site, there is no way for you as the client to know this.
Trying to capture a 4-way TKIP handshake without help can involve sitting and watching traffic for hours and hours, waiting for a client to connect to a network. By using a tool called aircrack-ng we can forcefully deauthenticate a client who is connected to the network and force them to reconnect back up. During the process of re-exchanging the encrypted WPA key, you will capture a handshake. In order to forcefully capture a 4-way handshake, you will need to deauthenticate a client computer that is actively using services, forcing it to exchange the WPA key and in turn capturing the handshake that can be decrypted.