How to convert an entire 4way handshake to a hash file hashcat or JtR can work on

[ZerBea]

Convert an entire 4way handshake (and if available a PMKID too) to a hash file.

Example dump file
fb7272_wpa2_ABCDEFGH.pcap.zip

Examine the dump file:

$ tshark -r fb7272_wpa2_ABCDEFGH.pcap -Y eapol -T fields -e frame.number -e frame.time_relative -e wlan.ra -e wlan.ta -e wlan_rsna_eapol.keydes.msgnr -e eapol.keydes.replay_counter -e wlan_rsna_eapol.keydes.nonce
3	0.006826000	b0:c0:90:46:7c:ab	34:81:c4:e7:99:1b	1	1	aacdb63cdc22a2615420abf4fc1a001bf0f3705a452607dc18e64b4d7abcb50d
4	0.016785000	34:81:c4:e7:99:1b	b0:c0:90:46:7c:ab	2	1	756b0c976942934fb44f69b5af714007c63a36252ffabc2da954bfb732b31886
5	0.019811000	b0:c0:90:46:7c:ab	34:81:c4:e7:99:1b	3	2	aacdb63cdc22a2615420abf4fc1a001bf0f3705a452607dc18e64b4d7abcb50d
6	0.021914000	34:81:c4:e7:99:1b	b0:c0:90:46:7c:ab	4	2	0000000000000000000000000000000000000000000000000000000000000000

Use hcxpcapngtool --all to convert to a hash file:

$ hcxpcapngtool --all -o entire_hash.22000 fb7272_wpa2_ABCDEFGH.pcap
hcxpcapngtool 6.3.5-60-g459569b reading from fb7272_wpa2_ABCDEFGH.pcap...

summary capture file
--------------------
file name................................: fb7272_wpa2_ABCDEFGH.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (timestamp)............: 11.07.2018 10:22:06 (1531304526)
timestamp maximum (timestamp)............: 11.07.2018 10:22:06 (1531304526)
duration of the dump tool (seconds)......: 0
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 6
packets received on 2.4 GHz..............: 6
ESSID (total unique).....................: 1
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum msec)....: 9
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 3
EAPOL pairs (useful).....................: 3
EAPOL pairs written to 22000 hash file...: 3 (RC checked)
EAPOL M12E2 (challenge)..................: 1
EAPOL M32E2 (authorized).................: 1
EAPOL M32E3 (authorized).................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2432: 6	

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead. The PCAP Next Generation dump file format is an attempt to overcome the limitations of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
https://hashcat.net/forum/thread-6361.html
Duration of the dump tool was a way too short to capture enough additional information.


session summary
---------------
processed cap files...................: 1

All available MESSAGE PAIRs are stored to the hash file:

EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 3
EAPOL pairs (useful).....................: 3
EAPOL pairs written to 22000 hash file...: 3 (RC checked)
EAPOL M12E2 (challenge)..................: 1
EAPOL M32E2 (authorized).................: 1
EAPOL M32E3 (authorized).................: 1

$ cat entire_hash.22000
WPA*02*cd233ba67d241df2b64c28b0602aa72b*3481c4e7991b*b0c090467cab*574c414e2d32*aacdb63cdc22a2615420abf4fc1a001bf0f3705a452607dc18e64b4d7abcb50d*0103007502010a00000000000000000001756b0c976942934fb44f69b5af714007c63a36252ffabc2da954bfb732b31886000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*82
WPA*02*98b80077fb25f7fb4f42f6e7c5d57522*3481c4e7991b*b0c090467cab*574c414e2d32*756b0c976942934fb44f69b5af714007c63a36252ffabc2da954bfb732b31886*020300970213ca00100000000000000002aacdb63cdc22a2615420abf4fc1a001bf0f3705a452607dc18e64b4d7abcb50d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000381b5a765bd516dfac80a9f6cb0dfa7166326e0aa51e114c776f828446ed1a8e1a408e778b7adf9dd1fc1d8f8313dd0e7a5c114f9e802a47d5*13
WPA*02*cd233ba67d241df2b64c28b0602aa72b*3481c4e7991b*b0c090467cab*574c414e2d32*aacdb63cdc22a2615420abf4fc1a001bf0f3705a452607dc18e64b4d7abcb50d*0103007502010a00000000000000000001756b0c976942934fb44f69b5af714007c63a36252ffabc2da954bfb732b31886000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*80

hashcat tries to recover the PSK from these hashes:

98b80077fb25f7fb4f42f6e7c5d57522 (MIC M2M3 E3 authorized)
cd233ba67d241df2b64c28b0602aa72b (MIC M2M3 E2 authorized)
cd233ba67d241df2b64c28b0602aa72b (MIC M1M2 E2 challenge)

$ hcxhashtool -i entire_hash.22000 --info=stdout
SSID.......: WLAN-2
MAC_AP.....: 3481c4e7991b (AVM GmbH)
MAC_CLIENT.: b0c090467cab (Chicony Electronics Co., Ltd.)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
NC INFO....: hashcat default NC activated
EAPOL MSG..: 2
MP M2M3 E2.: authorized
MIC........: cd233ba67d241df2b64c28b0602aa72b
HASHLINE...: WPA*02*cd233ba67d241df2b64c28b0602aa72b*3481c4e7991b*b0c090467cab*574c414e2d32*aacdb63cdc22a2615420abf4fc1a001bf0f3705a452607dc18e64b4d7abcb50d*0103007502010a00000000000000000001756b0c976942934fb44f69b5af714007c63a36252ffabc2da954bfb732b31886000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*82

SSID.......: WLAN-2
MAC_AP.....: 3481c4e7991b (AVM GmbH)
MAC_CLIENT.: b0c090467cab (Chicony Electronics Co., Ltd.)
VERSION....: 802.1X-2004 (2)
KEY VERSION: WPA2
REPLAYCOUNT: 2
NC INFO....: NC deactivated
EAPOL MSG..: 3
MP M2M3 E3.: authorized
MIC........: 98b80077fb25f7fb4f42f6e7c5d57522
HASHLINE...: WPA*02*98b80077fb25f7fb4f42f6e7c5d57522*3481c4e7991b*b0c090467cab*574c414e2d32*756b0c976942934fb44f69b5af714007c63a36252ffabc2da954bfb732b31886*020300970213ca00100000000000000002aacdb63cdc22a2615420abf4fc1a001bf0f3705a452607dc18e64b4d7abcb50d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000381b5a765bd516dfac80a9f6cb0dfa7166326e0aa51e114c776f828446ed1a8e1a408e778b7adf9dd1fc1d8f8313dd0e7a5c114f9e802a47d5*13

SSID.......: WLAN-2
MAC_AP.....: 3481c4e7991b (AVM GmbH)
MAC_CLIENT.: b0c090467cab (Chicony Electronics Co., Ltd.)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 1
NC INFO....: hashcat default NC activated
EAPOL MSG..: 2
MP M1M2 E2.: challenge
MIC........: cd233ba67d241df2b64c28b0602aa72b
HASHLINE...: WPA*02*cd233ba67d241df2b64c28b0602aa72b*3481c4e7991b*b0c090467cab*574c414e2d32*aacdb63cdc22a2615420abf4fc1a001bf0f3705a452607dc18e64b4d7abcb50d*0103007502010a00000000000000000001756b0c976942934fb44f69b5af714007c63a36252ffabc2da954bfb732b31886000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*80

Important note:
On a full 4way handshake, the MESSAGE PAIRs M1M2 E2 and M2M3 E2 are always the same!

run hashcat now:

$ hashcat -m 22000 --remove entire_hash.22000 -a 3 ABCDEFGH
hashcat (v6.2.6-851-g6716447df) starting
...
98b80077fb25f7fb4f42f6e7c5d57522:3481c4e7991b:b0c090467cab:WLAN-2:ABCDEFGH
cd233ba67d241df2b64c28b0602aa72b:3481c4e7991b:b0c090467cab:WLAN-2:ABCDEFGH
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: entire_hash.22000
Time.Started.....: Mon Mar 31 10:45:57 2025 (0 secs)
Time.Estimated...: Mon Mar 31 10:45:57 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ABCDEFGH [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       12 H/s (0.09ms) @ Accel:512 Loops:32 Thr:32 Vec:1
Recovered........: 2/2 (100.00%) Digests (total), 2/2 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1-3
Candidate.Engine.: Device Generator
Candidates.#1....: ABCDEFGH -> ABCDEFGH
Hardware.Mon.#1..: Temp: 37c Util: 89% Core:1890MHz Mem: 810MHz Bus:8

Started: Mon Mar 31 10:45:54 2025
Stopped: Mon Mar 31 10:45:59 2025

Both different MICs should be verified:

M2M3 E3:           98b80077fb25f7fb4f42f6e7c5d57522:3481c4e7991b:b0c090467cab:WLAN-2:ABCDEFGH
M1M2 E2 & M2M3 E2: cd233ba67d241df2b64c28b0602aa72b:3481c4e7991b:b0c090467cab:WLAN-2:ABCDEFGH

and the hashes should be deleted from the hash file!

The same applies to JtR:

$ hcxpcapngtool --all fb7272_wpa2_ABCDEFGH.pcap --john=entire_hash.john
$ john --no-log -w wordlist --format=wpapsk-opencl entire_hash.john
Device 1@tux1: NVIDIA GeForce RTX 4080
Using default input encoding: UTF-8
Loaded 2 password hashes with no different salts (wpapsk-opencl, WPA/WPA2/PMF/PMKID PSK [PBKDF2-SHA1 HMAC-SHA256/AES-CMAC OpenCL])
Note: Passwords longer than 21 [worst case UTF-8] to 63 [ASCII] rejected
Note: Minimum length forced to 8 by format
LWS=256 GWS=77824 (304 blocks) 
Proceeding with wordlist:/usr/share/john/password.lst
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
ABCDEFGH         (WLAN-2)     
ABCDEFGH         (WLAN-2)     
2g 0:00:00:00 DONE (2025-03-31 11:15) 8.696g/s 338365p/s 338365c/s 676730C/s Dev#1:67°C password..lilwayne6
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

[ZerBea]

Behind the scenes.

From a complete 4way handshake hcxpcapngtool can convert up to 7 MESSAGE PAIRS (usually 3 ; 7 if the SNONCE of the M4 is not zeroed). Running with default options, if the EAPOL-Key is not exceeded and the replaycount matches (M1 = RCx, M2 = RCx, M3 = RCx+1, M4 = RCx +1), converts only one of these MESSAGE PAIRS.

MESSAGE PAIR M1M2 E2 (challenge) from packet 3 and 4
WPA*02*cd233ba67d241df2b64c28b0602aa72b*3481c4e7991b*b0c090467cab*574c414e2d32*aacdb63cdc22a2615420abf4fc1a001bf0f3705a452607dc18e64b4d7abcb50d*0103007502010a00000000000000000001756b0c976942934fb44f69b5af714007c63a36252ffabc2da954bfb732b31886000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*80
This is a challenge and it can lead to a recovered PSK that does not match to the target NETWORK.
Mostly it happens if 2 different NETWORKS running the same ESSID and a CLIENT from NETWORK 2 tires to get access to NETWORK one.
This is an important MESSAGE PAIR, because (thanks to reuse of PBKDF2, we get 2 valid PSKs for the price of one. Once both PSKs have been recovered, the results went directly into hcxpsktool.
The recovered PSK either belongs to NETWORK 1 or NETWORK 2!

MESSAGE PAIR M2M3 E2 (challenge / authorized) from packet 4 and 5
WPA*02*cd233ba67d241df2b64c28b0602aa72b*3481c4e7991b*b0c090467cab*574c414e2d32*aacdb63cdc22a2615420abf4fc1a001bf0f3705a452607dc18e64b4d7abcb50d*0103007502010a00000000000000000001756b0c976942934fb44f69b5af714007c63a36252ffabc2da954bfb732b31886000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*82
Basically this MESSAGE PAIR is 100% identical to a challenge M1M2 E2. The only difference is from which EAPOL MESSAGE the ANONCE has been taken.
ANONCE taken from M1 = challenge
ANONCE taken from M3 = authorized
The recovered PSK is the NETWORK key!

MESSAGE PAIR M2M3 E3 (authorized) from packet 4 and 5
WPA*02*98b80077fb25f7fb4f42f6e7c5d57522*3481c4e7991b*b0c090467cab*574c414e2d32*756b0c976942934fb44f69b5af714007c63a36252ffabc2da954bfb732b31886*020300970213ca00100000000000000002aacdb63cdc22a2615420abf4fc1a001bf0f3705a452607dc18e64b4d7abcb50d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000381b5a765bd516dfac80a9f6cb0dfa7166326e0aa51e114c776f828446ed1a8e1a408e778b7adf9dd1fc1d8f8313dd0e7a5c114f9e802a47d5*13
The recovered PSK is the NETWORK key!

If the SNONCE is not zeroed:
MESSAGE PAIR M1M4 E4 (authorized)
MESSAGE PAIR M3M4 E3 (authorized)
MESSAGE PAIR M3M4 E4 (authorized)
The recovered PSK is the NETWORK key!

[ZerBea]

On poor quality dump files, NONCE ERROR CORRECTIONS is activated by default. The same applies to hashcat (default NC = 8).
If you don't want this (due to speed impact) either set hashcat nonce-error-corrections=0 or run hcxpcapngtool --all and filter (hcxhashtool) by:

 011 = M2+M3, EAPOL from M3 (authorized) - usable by option --all
or
 100 = M3+M4, EAPOL from M3 (authorized) - usable by option --all

[StrongWind1]

1. Do you have a pcap that can show the MESSAGE PAIRs for a capture where SNONCE in M4 is not zeroed?

2. This should output 7 hashes/lines, correct? You only list 6 MESSAGE PAIRs above, as well as in the readme. Is it 6 or 7 pairs?

3. Maybe we can update the readme with some more of the info from here. Are some of the MESSAGE PAIRs still not converted/used?

4. Is there a reason why the M4 SNONCE would be zeroed or not zeroed (router model, config or some standard)?

5. Does hcxhashtool when using the --authorized just filter out MESSAGE PAIR M1M2 E2 since that is the only challenge / not-authorized pair and therefore keeping all other MESSAGE PAIRs?

[ZerBea]

Do you have a pcap that can show the MESSAGE PAIRs for a capture where SNONCE in M4 is not zeroed?

$ tshark -r m1234.pcapng -Y "eapol" -T fields -e frame.number -e wlan_rsna_eapol.keydes.msgnr -e eapol.keydes.replay_counter -e wlan_rsna_eapol.keydes.nonce
3	1	1	2f5f3a406e60e56ea66bdafdd1c6467113ca55822c889699450322561a670482
4	2	1	61c3eab4abb2f15b4f2b519ef9e51c9387e4f1268777ce24163c8ec63141fe15
5	3	2	2f5f3a406e60e56ea66bdafdd1c6467113ca55822c889699450322561a670482
6	4	2	61c3eab4abb2f15b4f2b519ef9e51c9387e4f1268777ce24163c8ec63141fe15

This should output 7 hashes/lines, correct? You only list 6 MESSAGE PAIRs above_, as well as in the readme. Is it 6 or 7 pairs?_
No, only 6 combinations are possible:

 000 = M1+M2, EAPOL from M2 (challenge - ANONCE from M1)
 001 = M1+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed 
 010 = M2+M3, EAPOL from M2 (authorized - ANONCE from M3)
 011 = M2+M3, EAPOL from M3 (authorized) - usable by option --all
 100 = M3+M4, EAPOL from M3 (authorized) - usable by option --all
 101 = M3+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed

To convert them, it is mandatory to use option "--all":

$ hcxpcapngtool m1234.pcapng -o test --all
hcxpcapngtool 6.3.5-68-gc9dc0cc reading from m1234.pcapng...

summary capture file
--------------------
file name................................: m1234.pcapng
version (pcapng).........................: 1.0
...
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 6
EAPOL pairs (useful).....................: 6
EAPOL pairs written to 22000 hash file...: 6 (RC checked)
EAPOL M12E2 (challenge - ANONCE from M1).: 1
EAPOL M32E2 (authorized - ANONCE from M3): 1
EAPOL M14E4 (authorized).................: 1
EAPOL M32E3 (authorized).................: 1
EAPOL M34E3 (authorized).................: 1
EAPOL M34E4 (authorized).................: 1

Maybe we can update the readme with some more of the info from here. Are some of the MESSAGE PAIRs still not converted/used?
Oversized EAPOL MESSAGES (M32E3, M34E3, M34E4) are ignored, because neither hashcat nor JtR can handle them.
hcxpcapngtool show an information if these EAPOL MESSAGES have been detected.

Is there a reason why the M4 SNONCE would be zeroed or not zeroed (router model, config or some standard)?
A not zeroed M4 NONCE is a very, very rare case.
I have no idea why this happens.

Does hcxhashtool when using the --authorized just filter out MESSAGE PAIR M1M2 E2 since that is the only challenge / not-authorized pair and therefore keeping all other MESSAGE PAIRs?
To get full benefit of hcxhashtool's filtering it is mandatory to convert the dump file running hcxpcapngtool "--all" option.

$ hcxpcapngtool --all m1234.pcapng -o all.22000
hcxpcapngtool 6.3.5-68-gc9dc0cc reading from m1234.pcapng...

summary capture file
--------------------
file name................................: m1234.pcapng
version (pcapng).........................: 1.0
...
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 6
EAPOL pairs (useful).....................: 6
EAPOL pairs written to 22000 hash file...: 6 (RC checked)
EAPOL M12E2 (challenge - ANONCE from M1).: 1
EAPOL M32E2 (authorized - ANONCE from M3): 1
EAPOL M14E4 (authorized).................: 1
EAPOL M32E3 (authorized).................: 1
EAPOL M34E3 (authorized).................: 1
EAPOL M34E4 (authorized).................: 1


$ hcxhashtool --authorized -i all.22000 -o filtered.22000
OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entries...................: 36946
total lines read..............: 6
valid hash lines..............: 6
EAPOL hash lines..............: 6
filter by status..............: authorized (M1M4, M2M3 or M3M4)
EAPOL written.................: 5