The other day I had a wireless network packet capture file saved as a .cap file. The ESSID that was displaying via normal aircrack-ng output of the WPA/WPA2 wireless packet capture lead me to believe there was at least one space included in the beginning of the ESSID and likely after the ESSID since it was not processing properly using oclHashcat-plus. I had never run into this before so wasn’t exactly sure the easiest way to figure out the number of spaces so I posed the question in the Freenode aircrack-ng IRC channel and got a couple responses which are noted below as well as instructions following the clearest solution.
In the past we have written a couple articles on using tshark to strip WPA capture files down to a specific ESSID or SSID but in some cases it can be more useful to strip the capture down by BSSID or MAC address of the WAP. Isolating packets by BSSID or WAP MAC address is useful in a scenario where a wireless deployment has numerous WAP’s and you have captured a specific SSID’s traffic from more than one WAP. Below is information on how to strip down a capture file based on BSSID and information on capture size before stripping the file down.
Pyrit was recently upgraded on a server that I use and when I logged in to run it manually from the CLI I noticed an error. The error, which is explained in more detail below, complains that the libpcap is to old. The server that this pyrit installation is installed on is CentOS 5.4. CentOS 5.X only provides libpcap version 0.9.4-14 as the latest available libpcap version in the yum repositories. At first I searched for a newer libpcap in third party repos though I was unsuccessful so I upgraded libpcap using the source. Below is more information regarding the error and how it was resolved.
I recently had a customer upload a WPA capture to our tools.question-defense.com server which failed immediately. This can happen from time to time and is for a variety of reasons Sometimes if captures does not contain all 4 eapol packets they will fail , and sometimes if a capture has lots of other wifi garbage in the .cap file it can confuse the cracking program. This last time was a new situation. After the fail I analyzed the cap file and determined that the essid was not present in the capture. This is absolutely crucial for the decrypting process. In this short article I will show how I determined the essid was not present and what I did about it.
I have had lots of people email me and ask if there is anyway to make it impossible for a attacker to recover your mac address from a capture file. If you are using one of our tools like the WPA Cracker in our tools section, you may be hesitant to upload a clients capture data because a skilled attacker could use the capture and the online Wiggle database to pinpoint your location assuming your area has been mapped by wardrivers. Although we run a secure site there is no way for you as the client to know this.