Cleaning PCAPs with wpaclean

I recently created a somewhat convenient way to sort and clean the PCAPs I have collected with my pwnagotchi using wpaclean, a tool in the aircrack-ng suite.

I ran into the issue of the AircrackOnly plugin not working correctly on the pwnagotchi. Per Arttumiro, this plugin has had a history of being unstable. Because of this, I have had to use other methods for checking my collected PCAPs to verify they have proper handshakes to be audited. My old method was to boot up a copy of Kali Linux to use the wpaclean tool. This tool is part of the aircrack-ng suite of tools. With it, I am able to clean my PCAPs, so that I can audit them after a good stroll with my pwnagotchi. Originally, I was running this tool one PCAP at a time. This took way too long, as I would sometimes have hundreds of PCAPs to sort through. I recently stumbled across a shell script that was written by SmilingWolf. They wrote a nice little script that would create a few folders to sort and clean your PCAPs using wpaclean.

You can find SmilingWolf’s original script post here:

https://code.google.com/archive/p/script-it/

Here is the original topic this script was posted in:

https://hashcat.net/forum/thread-637.html

To better streamline the process of PCAP cleaning, I installed aircrack-ng to my pwnagotchi. Now I am able to run wpaclean on my device and no longer need my PC to clean the PCAPs.

I downloaded SmilingWolf’s script from the Google Code page, and renamed the script cleaner.sh for simplicity. I then placed this script into a folder called wpacleaner in my home directory. I ran the script to create the necessary folders for sorting and cleaning my PCAPs.

One thing I have noticed recently is that the script does not like that some of the folders already exist when you run the script the second time.

Here is my method of cleaning my PCAPs from start to finish:

  1. Run the cleaner.sh script in my wpacleaner directory.

  2. cd to the newly created /B directory.

  3. Remove all folders except the OriginalCaps folder that were created by the script.

  4. Copy my handshakes from the /root/handshakes directory (cp /root/handshakes/*.pcap /home/pi/wpacleaner/B/OriginalCaps/)

  5. Run the cleaner.sh script again.

This time the script will look in the OriginalCaps folder and sort the pcaps into the correct folders: CleanCaps, HCcaps, BadCaps, etc.

From there I am able to grab the cleaned pcaps and audit them via whatever method I choose: hashcat, onlinehashcrack.com, wpa-sec.stanev.org, etc.

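The five steps above as a single wrapper that can be rerun without tripping over existing folders (an added example, not SmilingWolf's script and not part of the original post). It assumes the `wpaclean <out.cap> <in.cap>` usage and that an output holding only the 24-byte pcap header means nothing was kept; `clean_caps` and the `WPACLEAN` override are hypothetical names, and only the OriginalCaps, CleanCaps and BadCaps folders from the post are reproduced.

```sh
#!/bin/sh
# Added example, not SmilingWolf's script. Assumptions are marked below.
WPACLEAN="${WPACLEAN:-wpaclean}"   # hypothetical override so a stub can stand in

# clean_caps SRC WORK: copy SRC/*.pcap into WORK/OriginalCaps, clean each copy,
# and print "<cleaned> <bad>". Body runs in a subshell so variables stay local.
clean_caps() (
    src=$1 work=$2 cleaned=0 bad=0
    # mkdir -p does not fail when the folders exist, so a second run is safe
    mkdir -p "$work/OriginalCaps" "$work/CleanCaps" "$work/BadCaps" || exit 1

    for cap in "$src"/*.pcap; do
        [ -e "$cap" ] || continue                 # glob matched nothing
        name=$(basename -- "$cap")
        # never overwrite an earlier copy; files in SRC are only read
        [ -e "$work/OriginalCaps/$name" ] || cp -- "$cap" "$work/OriginalCaps/$name"
    done

    for cap in "$work/OriginalCaps"/*.pcap; do
        [ -e "$cap" ] || continue
        name=$(basename -- "$cap")
        out="$work/CleanCaps/$name"
        rm -f -- "$out" "$work/BadCaps/$name"     # drop results of a previous run
        "$WPACLEAN" "$out" "$cap" >/dev/null 2>&1 || true   # wpaclean <out.cap> <in.cap>
        size=0
        [ -f "$out" ] && size=$(( $(wc -c < "$out") ))
        # Assumption: an output of only the 24-byte pcap global header means
        # wpaclean kept no frames from this capture.
        if [ "$size" -gt 24 ]; then
            cleaned=$((cleaned + 1))
        else
            rm -f -- "$out"
            cp -- "$cap" "$work/BadCaps/$name"
            bad=$((bad + 1))
        fi
    done
    echo "$cleaned $bad"
)

# Paths from the post: clean_caps /root/handshakes /home/pi/wpacleaner/B
if [ "$#" -eq 2 ]; then clean_caps "$1" "$2"; fi
```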

Do you know if it detects PMKID handshakes too?