Clean a Capture File for Hashcat using wpaclean

Introduction

When performing Wi-Fi security assessments, you often capture network traffic into a file, typically with a .cap or .pcap extension. These raw capture files contain all the wireless packets seen by your network card, including beacon frames, probe requests, and data packets. However, for password cracking, you only need the specific packets that make up the WPA/WPA2 4-way handshake.

Keeping all the extra, unnecessary packets makes the capture file large and can slow down processing by tools like Hashcat. wpaclean is a utility from the aircrack-ng suite designed to solve this problem. It "cleans" a capture file by removing all packets that are not part of a handshake, resulting in a much smaller and more efficient file.

In this lab, you will learn how to use wpaclean to clean a sample capture file and then convert the cleaned file into the correct format for Hashcat.

Understand the Purpose of Cleaning Capture Files

In this step, you will learn why it's important to clean capture files before processing them.

As mentioned in the introduction, a raw capture file contains a lot of network traffic that is irrelevant for cracking a WPA/WPA2 password. The only information required is the 4-way handshake exchanged between a client and an access point.

The benefits of cleaning a capture file are:

  • Reduced File Size: Removing thousands of unnecessary packets can drastically reduce the file size, especially for long-duration captures. This saves disk space and makes the file easier to manage and transfer.
  • Faster Processing: The capture file has to be parsed to find the handshake before Hashcat can use it. By providing a cleaned file, you eliminate the overhead of parsing irrelevant data, leading to faster start-up times.
  • Improved Reliability: A cleaned file isolates the essential handshake data, reducing the potential for parsing errors or issues with malformed packets that are not part of the handshake.

The wpaclean tool automates this process by filtering the capture file and writing only the handshake-related packets to a new file. The aircrack-ng suite, which includes wpaclean, is already installed in this lab environment.

Locate a Raw Handshake .cap File

In this step, you will locate the sample capture file that we will work with throughout this lab.

For this lab, a sample capture file named wpa.cap has been automatically downloaded into your ~/project directory during the setup process. In a real-world scenario, you would generate this file yourself using a tool like airodump-ng.

Let's verify that the file exists. Use the ls -l command to list the contents of the current directory.

ls -l

You should see the wpa.cap file in the output, along with its permissions, owner, size, and modification date.

total 4
-rw-r--r-- 1 labex labex 634 Mar 20 10:30 wpa.cap

This small file contains a sample WPA handshake and is perfect for our demonstration.

Run wpaclean with an Output and Input File

In this step, you will use the wpaclean command to clean the raw capture file.

The syntax for wpaclean is straightforward. You provide the name for the new, cleaned output file, followed by the name of the original input file.

The basic syntax is: wpaclean <output_file.cap> <input_file.cap>

Now, let's run this command on our wpa.cap file. We will name the cleaned output file wpa_cleaned.cap.

Execute the following command in your terminal:

wpaclean wpa_cleaned.cap wpa.cap

The tool will process the input file and show you a summary of its work.

Reading wpa.cap ...
Writing wpa_cleaned.cap ...

Done.
Total packets read:      6
Total packets written:   4 (handshake)

As you can see from the output, wpaclean read 6 packets from the original wpa.cap file but only wrote the 4 essential handshake packets to the new wpa_cleaned.cap file.
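
To check which handshake messages a cleaned file actually kept, the following added example (not part of the original lab or of aircrack-ng) reads a classic pcap of raw 802.11 frames and labels each EAPOL-Key frame as M1 to M4 from its key-information bits. The sample capture is constructed inline, the helper names are hypothetical, and the M2/M4 split by the Secure bit is a WPA2 heuristic.

```python
import struct

LLC_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header for EtherType 0x888e

def classify_key_info(info):
    """Label a 4-way handshake message from the EAPOL-Key information bits."""
    ack, mic, secure = info & 0x0080, info & 0x0100, info & 0x0200
    if ack:
        return "M3" if mic else "M1"      # AP -> client messages carry Key Ack
    return "M4" if secure else "M2"       # heuristic: WPA2 sets Secure in M4

def eapol_messages(pcap):
    """Return the handshake labels found in a classic pcap of raw 802.11 frames."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 105:
        raise ValueError("expected link type DLT_IEEE802_11 (105)")
    found, pos = [], 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 24 or (frame[0] >> 2) & 3 != 2:
            continue                      # keep only data frames (type 2)
        hdr = 24 + (2 if frame[0] & 0x80 else 0)   # QoS data adds 2 bytes
        hdr += 6 if frame[1] & 3 == 3 else 0       # 4-address (WDS) frames
        body = frame[hdr:]
        if body[:8] == LLC_EAPOL and len(body) >= 15 and body[9] == 3:
            found.append(classify_key_info(struct.unpack(">H", body[13:15])[0]))
    return found

def _frame(fc, body=b""):
    # Constructed frame: frame control byte, flags, then zeroed duration/MACs/seq.
    return bytes([fc, 0]) + bytes(22) + body

def _key(info):
    # Constructed EAPOL-Key start: version, type 3 (Key), length, descriptor, info.
    return LLC_EAPOL + bytes([1, 3, 0, 95, 2]) + struct.pack(">H", info)

def sample_pcap():
    """Constructed capture: beacon, M1, M2 (QoS data), probe request."""
    frames = [_frame(0x80), _frame(0x08, _key(0x008A)),
              _frame(0x88, bytes(2) + _key(0x010A)), _frame(0x40)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Calling eapol_messages() on the bytes of a real capture (read with open(path, "rb").read()) gives the same kind of list, which can be compared against the M1 to M4 counts that a converter reports.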

Compare the Original and Cleaned File Sizes

In this step, you will compare the file sizes of the original and the cleaned capture files to see the effect of wpaclean. This will demonstrate the primary benefit of cleaning the file.

We can use the ls command with the -lh flags to get a "long" listing in "human-readable" format, which makes the file sizes easy to interpret.

Run the following command to display the sizes of both wpa.cap and wpa_cleaned.cap:

ls -lh wpa.cap wpa_cleaned.cap

You will see an output similar to the following:

-rw-r--r-- 1 labex labex 424 Mar 20 10:35 wpa_cleaned.cap
-rw-r--r-- 1 labex labex 634 Mar 20 10:30 wpa.cap

Notice the size difference. The original file was 634 bytes, while the cleaned file is only 424 bytes. While the reduction seems small for this tiny example file, the percentage of reduction is significant. For real-world captures that can be many megabytes or even gigabytes, this cleaning process results in substantial space savings and performance gains.

Convert the Cleaned .cap File to Hashcat 22000 Format

In this step, you will convert the cleaned .cap file into a format that Hashcat can use for cracking.

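Hashcat cannot directly use .cap files. It requires the handshake data to be extracted and formatted in a specific way. For WPA/WPA2, this is Hashcat mode 22000. We will use a tool from the hcxtools suite, hcxpcapngtool, to perform this conversion. Outside this lab, be aware that Hashcat's own WPA guidance recommends converting the original, uncleaned capture, because cleaning can remove frames the converter relies on; if converting a cleaned file yields no usable handshake, run the conversion on the raw capture instead.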

The command syntax is: hcxpcapngtool -o <output_hash_file> <input_cleaned.cap>

Let's convert our wpa_cleaned.cap file into a Hashcat-compatible file named wpa.hc22000.

hcxpcapngtool -o wpa.hc22000 wpa_cleaned.cap

The tool will output a summary of the conversion:

reading from wpa_cleaned.cap
summary:
file name....................: wpa_cleaned.cap
file type....................: pcap
file hardware information....: 802.11
file network type............: DLT_IEEE802_11 (105)
packets inside...............: 4
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 0
probe requests...............: 0
probe responses..............: 0
association requests.........: 0
association responses........: 0
reassociation requests.......: 0
reassociation responses......: 0
authentications (OPEN SYSTEM): 2
authentications (BROADCOM)...: 0
EAPOL packets................: 2
EAPOL PMKIDs.................: 0
EAPOL M1s....................: 1
EAPOL M2s....................: 1
EAPOL M3s....................: 0
EAPOL M4s....................: 0
best handshakes..............: 1 (ap-less: 0)

1 handshake(s) written to wpa.hc22000

A new file, wpa.hc22000, has been created. Let's view its content with the cat command.

cat wpa.hc22000

The output will be a single, long line of text. This is the hash that Hashcat can understand.

WPA*02*...long string of characters...

This file is now ready to be used with Hashcat for a password cracking attempt.
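
Before the hash file goes any further, it is worth confirming which network and client it describes. The following added example (not part of the original lab or of hcxtools) splits a mode 22000 line into its fields as laid out in Hashcat's published format, decodes the ESSID and message pair, and checks the BSSID against an authorized list. SAMPLE is a constructed line, and in_scope and authorized_bssids are hypothetical names.

```python
MESSAGE_PAIRS = {  # low three bits of the MESSAGEPAIR field
    0: "M1+M2, EAPOL from M2 (challenge)",
    1: "M1+M4, EAPOL from M4 (authorized)",
    2: "M2+M3, EAPOL from M2 (authorized)",
    3: "M2+M3, EAPOL from M3 (authorized)",
    4: "M3+M4, EAPOL from M3 (authorized)",
    5: "M3+M4, EAPOL from M4 (authorized)",
}

# Constructed sample line; every value below is made up for illustration.
SAMPLE = "*".join(["WPA", "02", "0" * 32, "001122334455", "AABBCCDDEEFF",
                   "LabNet".encode().hex(), "1" * 64, "0103005f02010a", "00"])

def _mac(hexstr):
    """Format a 12-character hex field as a colon-separated MAC address."""
    if len(hexstr) != 12:
        raise ValueError("MAC field must be 12 hex characters")
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2)).lower()

def parse_hc22000(line):
    """Split one WPA*01 (PMKID) or WPA*02 (EAPOL) line into readable fields."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError("not a WPA*01 / WPA*02 line")
    _, kind, _mic, ap, sta, essid, _anonce, _eapol, pair = fields
    rec = {
        "type": "PMKID" if kind == "01" else "EAPOL",
        "bssid": _mac(ap),
        "client": _mac(sta),
        "essid": bytes.fromhex(essid).decode("utf-8", "replace"),
    }
    if kind == "02":
        mp = int(pair, 16)
        rec["message_pair"] = MESSAGE_PAIRS.get(mp & 7, "unknown")
        rec["replaycount_checked"] = not (mp & 0x80)
    return rec

def in_scope(line, authorized_bssids):
    """True only if the line's access point is on the authorized list."""
    return parse_hc22000(line)["bssid"] in {b.lower() for b in authorized_bssids}
```

A "challenge" message pair, as in the M1 and M2 only summary above, means the capture does not show that the client's passphrase was accepted by the access point.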

Summary

Congratulations on completing the lab! You have successfully prepared a raw Wi-Fi capture file for use with Hashcat.

In this lab, you learned how to:

  • Understand the importance of cleaning capture files to improve efficiency and reduce file size.
  • Use the wpaclean tool to strip unnecessary packets from a raw .cap file.
  • Verify the effectiveness of the cleaning process by comparing the original and cleaned file sizes.
  • Use hcxpcapngtool to convert the cleaned capture file into the hc22000 format required by Hashcat.

You now have a fundamental skill for the Wi-Fi security assessment workflow. The next logical step would be to take the generated .hc22000 file and use it with Hashcat and a wordlist to attempt to recover the original password.