
So you've (legally 🤨) deauthed some networks with an ESP32 or Pwnagotchi or whatever else and now have a bunch of pcap files to inspect. What now? Handshake extraction!


Note: This guide is intended for cracking password hashes with hashcat, but it should still work with John the Ripper.

Steps:

1. If you don't already have your pcap files saved somewhere you can work on them, do that first. You can use scp, but I usually spawn a Python HTTP server over SSH with python3 -m http.server and download them from there.

2. To extract the handshake from the pcap into a .hc22000 hash file, there are two main methods:

 - Easy method for one file: Use the converter on the hashcat website
 - Better for multiple files: Use the hcxtools pcap converter (installation and usage at the bottom)

3. Now that you have the extracted handshake, run hashcat with the hc22000 mode to crack it: hashcat -m 22000 -a 0 hs.hc22000 [wordlist]

4. I'd recommend for beginners to use rockyou.txt (download link here), but you can also use more specific tactics like:

 - Phone number based on area code (hashcat -m 22000 hs.hc22000 -a 3 123?d?d?d?d?d?d?d)
 - Using the essids as a wordlist (see below)
 - Creating specific hashcat or JtR rules (outside the scope of this guide sorryyy)


Using hcxtools:
1. Follow the instructions in the GitHub repo to install (though I do believe it can be installed with apt on Debian-based systems)

2. There are multiple tools available, but in this case I used hcxpcapngtool with the command hcxpcapngtool *.pcap -o handshakes.hc22000

3. This converts every pcap in the current directory into one hash file, so you can crack them all at once

4. Tip: you can add -E essid.wordlist to the end of the command to create an essid wordlist for hash cracking
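An added sanity check for the converter output (example code written for this guide, not part of hcxtools or hashcat): it parses the 22000 line layout documented by hashcat, rejects malformed lines, and reports which ESSIDs ended up in the file and whether each entry is a PMKID or a full EAPOL handshake. The sample lines are constructed, not from a real capture.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of hcxpcapngtool output (hashcat 22000 format): MACs, MIC/PMKID,
# nonce and EAPOL bytes are made up. Line 1 is a PMKID entry, line 2 a 4-way handshake.
SAMPLE_HC22000 = """\
WPA*01*0123456789abcdef0123456789abcdef*001122334455*66778899aabb*486f6d654e6574***
WPA*02*fedcba9876543210fedcba9876543210*001122334455*ccddeeff0011*486f6d654e6574*00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff*0103005f02010a00*00
not a hash line
"""

@dataclass
class Entry:
    kind: str        # "PMKID" (type 01) or "EAPOL" (type 02)
    ap_mac: str      # access point MAC, colon-separated
    client_mac: str
    essid: str       # decoded from the hex ESSID field

def _mac(hexstr: str) -> str:
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))

def parse_hc22000_line(line: str) -> Optional[Entry]:
    """Parse one 22000 line (WPA*TYPE*PMKID/MIC*MACAP*MACCLIENT*ESSIDHEX*ANONCE*EAPOL*MP);
    the PMKID form leaves the last three fields empty. Returns None if malformed."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        return None
    kind, digest, ap, sta, essid_hex = fields[1:6]
    if len(digest) != 32 or len(ap) != 12 or len(sta) != 12:
        return None
    try:
        bytes.fromhex(digest + ap + sta)          # all three must be valid hex
        essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
        if kind == "02":
            anonce, eapol, msgpair = fields[6:9]
            if len(anonce) != 64 or not eapol or len(msgpair) != 2:
                return None
            bytes.fromhex(anonce + eapol + msgpair)
    except ValueError:
        return None
    return Entry("PMKID" if kind == "01" else "EAPOL", _mac(ap), _mac(sta), essid)

def summarize(text: str) -> Dict[str, Dict[str, int]]:
    """Count PMKID and EAPOL entries per ESSID, skipping malformed lines."""
    counts: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        entry = parse_hc22000_line(line)
        if entry is not None:
            counts.setdefault(entry.essid, {"PMKID": 0, "EAPOL": 0})[entry.kind] += 1
    return counts
```

Run summarize() on the contents of handshakes.hc22000 to see which networks actually made it through the conversion before you start cracking.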


Happy hacking c: (contact me if this makes no sense)

July 2024