Comments (6)

ZerBea avatar ZerBea commented on May 24, 2024

If hcxpcaptool -z test.16800 test.pcapng is empty, you have not captured a PMKID.
hcxpcaptool -o test.hccapx test.pcapng converts EAPOL handshakes.
So your test.pcapng contains only EAPOL handshakes.

Keep in mind:
Some routers don't send a PMKID.

Example of combined hcxdumptool (modified Raspberry Pi) / hcxpcaptool output:
$ hcxdumptool --gpio_button=4 --gpio_statusled=17 -i wlp3s0f0u10u4 -o201907081331.pcapng --poweroff --filterlist=blacklistown --filtermode=1 --give_up_ap_attacks=100000 --give_up_deauthentications=100000

$ hcxpcaptool -o test.hccapx -k test.16800 201907081331.pcapng
reading from 201907081331.pcapng
summary:
file name........................: 201907081331.pcapng
file type........................: pcapng 1.0
file hardware information........: armv6l
file os information..............: Linux 4.19.57-1-ARCH
file application information.....: hcxdumptool 5.1.7
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
packets inside...................: 14866
skipped packets (damaged)........: 0
packets with GPS data............: 0
packets with FCS.................: 0
WDS packets......................: 15
beacons (total)..................: 1250
beacons (WPS info inside)........: 196
beacons (device info inside).....: 18
beacons (MESH-ID inside).........: 9
probe requests...................: 504
probe responses..................: 349
association requests.............: 343
association responses............: 249
reassociation requests...........: 219
reassociation responses..........: 162
authentications (OPEN SYSTEM)....: 1463
authentications (BROADCOM).......: 1407
authentications (SONOS)..........: 2
authentications (APPLE)..........: 47
authentications (CISCO)..........: 6
EAPOL packets (total)............: 1722
EAPOL packets (WPA1).............: 2
EAPOL packets (WPA2).............: 1720
PMKIDs (total)...................: 146
PMKIDs (WPA1)....................: 2
PMKIDs (WPA2)....................: 419
PMKIDs from access points........: 142
PMKIDs from stations.............: 4
EAP packets......................: 8602
EAP START packets................: 3
found............................: EAP type ID
best handshakes..................: 89 (ap-less: 60)
best PMKIDs......................: 144

89 handshake(s) written to test.hccapx
144 PMKID(s) written to test.16800

Closed this, because it isn't a hcxpcaptool issue, but you can still ask questions here.

from hcxtools.

careyjames avatar careyjames commented on May 24, 2024

same here and a few threads over at bettercap too..

hcxpcaptool -E essidlist -I identitylist -U usernamelist -z bettercap-wifi-handshakes.16800 bettercap-wifi-handshakes.pcap

reading from bettercap-wifi-handshakes.pcap
summary:

file name....................: bettercap-wifi-handshakes.pcap
file type....................: pcap 2.4
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianness....................: little endian
read errors..................: flawless
packets inside...............: 21
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 21
beacons (with ESSID inside)..: 2
EAPOL packets................: 19
EAPOL PMKIDs.................: 2
best handshakes..............: 2 (ap-less: 0)

0 PMKID(s) written to bettercap-wifi-handshakes.16800

no output file is found.

from hcxtools.

ZerBea avatar ZerBea commented on May 24, 2024

Please attach the pcap file to determine that the 2 PMKIDs match the 2 beacons and that the PMKIDs are not zeroed. From the output of the status I assume that we miss several frames which bettercap didn't capture (no proberequest, no proberesponse, no association request).
Also make sure you're running the latest version. The status above is from an old version.
Latest version is hcxpcaptool 5.2.0.

If you don't like to attach the pcap file here, please send it via mail. You can retrieve the mail address using git api:
https://api.github.com/users/ZerBea/events/public
search for email

from hcxtools.

careyjames avatar careyjames commented on May 24, 2024

[bettercap-wifi-handshakes.zip](url)

from hcxtools.

ZerBea avatar ZerBea commented on May 24, 2024

@careyjames thanks for the cap file. Here is my analysis of the bettercap pcap file:
It contains:
2 Beacons with ESSID (packets 2, 14), 2 x ESSID "Mac Help" BSSID: f09fc2db80e8
11 EAPOL M1 frames (packets 1, 3, 5, 6, 9, 10, 15, 16, 19, 20, 21)
4 EAPOL M2 frames (packets 4, 7, 11, 17)
4 EAPOL M3 frames (packets 8, 12, 13, 18)
From the 11 EAPOL M1 frames, 4 frames contain a PMKID (packets 1, 19, 20, 21), BSSID a8bd27cb1700; unfortunately none of them matches the captured ESSID.

Running -z, you requested hcxpcaptool to convert PMKIDs for use with hashmode 16800:
-z : output PMKID file (hashcat hashmode -m 16800 old format and john)
In that case the cap file must contain ESSID, mac access point, mac client, PMKID - all of them must match each other. Your bettercap pcap file doesn't contain these frames.

hcxpcaptool told you that:
Your bettercap pcap file contains 2 PMKIDs
EAPOL PMKIDs.................: 2
But no matching ESSID for them. So there is nothing to convert for use with hashmode 16800.
hcxpcaptool told you that, too:
0 PMKID(s) written to bettercap-wifi-handshakes.16800

Nevertheless: If you have a valid PMK, you can verify it by running hashmode 16801.
Running that mode, we do not need an ESSID. To convert the PMKID use option -Z:
-Z : output raw PMKID file (hashcat hashmode -m 16801 old format and john)
hcxpcaptool will do this:
$ hcxpcaptool -Z test.168010 bettercap-wifi-handshakes.pcap
reading from bettercap-wifi-handshakes.pcap
summary capture file:
file name........................: bettercap-wifi-handshakes.pcap
file type........................: pcap 2.4
file hardware information........: unknown
file os information..............: unknown
file application information.....: unknown
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
minimum time stamp...............: 18.08.2019 20:32:59 (GMT)
maximum time stamp...............: 18.08.2019 23:15:44 (GMT)
packets inside...................: 21
skipped packets (damaged)........: 0
packets with GPS data............: 0
packets with FCS.................: 21
beacons (total)..................: 2
EAPOL packets (total)............: 19
EAPOL packets (WPA2).............: 19
PMKIDs (total)...................: 2
PMKIDs (WPA2)....................: 4
PMKIDs from access points........: 2
best handshakes (total)..........: 2 (ap-less: 0)
best PMKIDs (total)..............: 2

summary output file(s):
2 raw PMKID(s) written to test.16800

Conclusion:
bettercap failed to capture the required frames to convert the hashes successfully.
Many useful frames are missing in the bettercap pcap file.
It took you 2 hours, 42 minutes and 45 seconds to capture this little and incomplete data:
minimum time stamp...............: 18.08.2019 20:32:59 (GMT)
maximum time stamp...............: 18.08.2019 23:15:44 (GMT)
Running options -E, -I, -U on your bettercap pcap file is useless because this bettercap pcap file doesn't contain useful data (not captured or removed). These options are only useful on a hcxpcaptool pcapng file.

I expect these results on third party tools, so hcxpcaptool --help prints this information:
Do not use hcxpcaptool in combination with third party cap/pcap/pcapng cleaning tools (except: tshark and/or Wireshark)!
I assume bettercap is such a tool, because the pcap file is missing many useful/required frames.
I really suggest you use hcxpcaptool!

from hcxtools.
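An added example, not part of the original comments and not hcxpcaptool's own code: a simplified model of the matching rule described above, showing why a PMKID without a matching ESSID can only be checked against a known PMK. The PMK and PMKID derivations follow IEEE 802.11i; the client MAC, passphrase, test ESSID and PMKID values are constructed, and only the two BSSIDs and the "Mac Help" ESSID come from the thread.

```python
import hashlib
import hmac

ZERO_PMKID = bytes(16)

def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    # WPA2-PSK: the ESSID is the PBKDF2 salt, so a passphrase cannot be
    # checked against a PMKID unless the ESSID was captured as well.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    # PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def classify(beacons: dict, records: list) -> tuple:
    """Split (mac_ap, mac_sta, pmkid) records into (with ESSID, raw only)."""
    with_essid, raw_only = [], []
    for mac_ap, mac_sta, pmkid in records:
        if pmkid == ZERO_PMKID:          # zeroed PMKIDs carry no information
            continue
        essid = beacons.get(mac_ap)      # ESSID must come from the same BSSID
        if essid is None:
            raw_only.append((mac_ap, mac_sta, pmkid))
        else:
            with_essid.append((mac_ap, mac_sta, pmkid, essid))
    return with_essid, raw_only

def pmk_matches(pmk: bytes, record: tuple) -> bool:
    # Verification with a known PMK needs no ESSID at all.
    mac_ap, mac_sta, pmkid = record[:3]
    return hmac.compare_digest(compute_pmkid(pmk, mac_ap, mac_sta), pmkid)

# Constructed sample shaped like the capture analysed in the thread.
BEACON_AP = bytes.fromhex("f09fc2db80e8")   # BSSID of the beacons ("Mac Help")
PMKID_AP = bytes.fromhex("a8bd27cb1700")    # BSSID of the M1 frames with PMKID
CLIENT = bytes.fromhex("020000000001")      # constructed client MAC
KNOWN_PMK = pmk_from_passphrase("constructed-test-passphrase", "constructed-essid")
BEACONS = {BEACON_AP: "Mac Help"}
RECORDS = [
    (PMKID_AP, CLIENT, compute_pmkid(KNOWN_PMK, PMKID_AP, CLIENT)),
    (PMKID_AP, CLIENT, ZERO_PMKID),
]

if __name__ == "__main__":
    with_essid, raw_only = classify(BEACONS, RECORDS)
    print(len(with_essid), "with ESSID;", len(raw_only), "raw only")
    print("known PMK matches:", pmk_matches(KNOWN_PMK, raw_only[0]))
```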

ZerBea avatar ZerBea commented on May 24, 2024

Here is an example, if you run hcxpcaptool on a hcxdumptool pcapng file:
capture time: 8 minutes, 52 seconds!

$ hcxpcaptool -k /tmp/test.16800 -o /tmp/test.hccapx 20190815_081058017.pcapng.gz
decompressing 20190815_081058017.pcapng.gz to /tmp/20190815_081058017.pcapng.gz.tmp
reading from 20190815_081058017.pcapng.gz.tmp
summary capture file:
file name........................: 20190815_081058017.pcapng.gz.tmp
file type........................: pcapng 1.0
file hardware information........: armv6l
file os information..............: Linux 4.19.65-1-ARCH
file application information.....: hcxdumptool 5.1.7
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
minimum time stamp...............: 11.08.2019 15:26:05 (GMT)
maximum time stamp...............: 11.08.2019 15:34:57 (GMT)
packets inside...................: 913
skipped packets (damaged)........: 0
packets with GPS data............: 0
packets with FCS.................: 0
WDS packets......................: 4
beacons (total)..................: 370
beacons (WPS info inside)........: 83
beacons (device info inside).....: 3
beacons (MESH-ID inside).........: 3
probe requests...................: 87
probe responses..................: 58
association requests.............: 31
association responses............: 17
reassociation requests...........: 12
reassociation responses..........: 8
authentications (OPEN SYSTEM)....: 126
authentications (BROADCOM).......: 124
authentications (APPLE)..........: 2
EAPOL packets (total)............: 202
EAPOL packets (WPA2).............: 202
PMKIDs (total)...................: 38
PMKIDs (WPA2)....................: 124
PMKIDs from access points........: 38
EAP packets......................: 2
found............................: EAP type ID
best handshakes (total)..........: 10 (ap-less: 7)
best PMKIDs (total)..............: 38

summary output file(s):
10 handshake(s) written to /tmp/test.hccapx
message pair M12E2...............: 7
message pair M32E2...............: 3
38 PMKID(s) written to /tmp/test.16800

BTW:
The PMKIDs were captured during the first 2 minutes - but I hunted for one of the 7 clients, so it took me that long.

from hcxtools.
