hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version +- hashcat Forum (https://hashcat.net/forum) +-- Forum: Misc (https://hashcat.net/forum/forum-15.html) +--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html) +--- Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html) |
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - slyexe - 11-23-2017 (11-20-2017, 10:01 AM)ZerBea Wrote: A good idea is to use the world domain: This solved all my issues, and great knowledge to know. Thank you for your great work and great application! RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 11-23-2017 Hi slyexe. That are good news. Take also a look at the complete regdb. There are some countries which allows high power by default. And keep in mind that most of the issues regarding packet injection / packet capturing are caused by a misconfigured system: - device is blocked by other services (networkmanager, wpa-supplicant) run: sudo systemctl list-unit-files | grep enabled to retrieve an overview of enabled services - device is not set properly to monitor mode - device isn't set up - driver doesn't support monitor mode - driver is broken - wrong wireless regulatory domain - missing user permissions RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 11-23-2017 Some good "driver" news: Neheb told me that there is a fix for the iwlwifi driver issue in upcomming kernel 4.15 Right now, this driver is broken! More infos here: https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/backport-iwlwifi.git/commit/?id=b4e52af439847fde1b24f004560fb7e974480b34 RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 11-28-2017 hcxtools update: https://github.com/ZerBea/hcxtools added detection of CISCO TACACS+ Authentication (on LoopBack, Ethernet and WLAN): $ wlancap2hcx TACACS1Cisco123.pcapng start reading from TACACS1Cisco123.pcapng 14 packets processed (0 wlan, 14 lan, 0 loopback) found IPv4 packets found TCP packets found CISCO TACACS+ Authentication packets RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Jorma - 11-28-2017 Sorry if i missed something, but is there something like a whitelist inside wlandump-ng? RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 11-28-2017 Hi. Yes it is: -F <file> : input file containing entries for Berkeley Packet Filter (BPF) All entries in this filterlist are not attacked. Plese read this how to use the white list: https://hashcat.net/forum/thread-6661-post-37381.html#pid37381 RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 11-28-2017 added full support for hashcat hashmode -m 16100 (TACAS+) now detection and conversion of CISCO TACACS+ Authentication (on LoopBack, Ethernet and WLAN) get the example cap from here: https://blog.synack.co.uk/2017/10/15/pcap-tacacs-pcap-file/ convert the pcapng to hashcat format: $ wlancap2hcx -t tacacs TACACS1+.pcap.pcapng start reading from TACACS1+.pcap.pcapng 14 packets processed (0 wlan, 14 lan, 0 loopback) found IPv4 packets found TCP packets found CISCO TACACS+ Authentication packets (hashcat -m 16100, john tacacs-plus) and run hashcat on tacacs read how-to here: https://hashcat.net/forum/thread-7062-post-37789.html#pid37789 RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - DKblue - 12-02-2017 (09-11-2017, 08:52 AM)ZerBea Wrote: update on hcxtools (https://github.com/ZerBea/hcxtools): hi ZerBea ,what's the difference of "usefull" and "valid" WPA handshakes? Does that means valid WPA handshakes is captured by wlandump-ng/wlanresponse and it's 100% crackable ? RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 12-02-2017 Hi DKblue. usefull all handshakes (authenticated and not authenticated) , all message_pairs (including message_pairs that need nonce-error-corrections) valid (matching M1 and M2) wlandump-ng asked the client to send us his M2 (we now got a M2 that matches exact to this M1) it isn't possible that the clients M2 doesn't match to our M1 it isn't possible that there is a packetloss between our M1 and the clients M2 it isn't possible that there is no password for this message_pair this M12E2 message_pair can be used with hashcat to recover a real, "valid" password the password may not necessarily be the correct password for that network it is also possible that it is only a part of the correct password or a password for another network using the same ESSID or an old password for that network so, you're right when you say a wlandump-ng "valid" handshake is 100% crackable! RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - DKblue - 12-02-2017 (12-02-2017, 10:50 AM)ZerBea Wrote: Hi DKblue. Thxs for ur reply ZerBea and here comes a related question,my co-workers can be trained to capture by minidwep-gtk ,a simple tool built-in cdlinux. all is done just with click by wizards. This awesome wlandump-ng,and those confusing shell commands are really too much for them.(Those systemctl stop and start,ip/iw dev up and down...etc) So brief to say,I have many caps to deal with ,by wlandump-ng or not,and I wanna ensuring effective caps and nonce-error-corrections=0 for max speed. Here is an example: original26c4.cap captured by minidwep-gtk ,I cat *.caps got it. wlancapinfo reported truncated file. wlancap2hcx the original then got 1st26c4.hccapx Ignore so many reading errors reported by wlancap2hcx ,convert the 1st26c4.hccapx back to cap named 2nd26c4.cap OK now wlancapinfo the new 2nd26c4.cap,reported flawless(maybe most people like flawless more) wlancap2hcx it with -W ,finally get 2nd26c4.hccapx Studing all these skills mainly from your posts,if there'r mistakes would u kindly show me plz? Thanks root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Downloads# wlancapinfo -i original26c4.cap input file.......: original26c4.cap magic file number: 0xa1b2c3d4 (cap/pcap) major version....: 2 minor version....: 4 data link type...: 105 (DLT_IEEE802_11) [http://www.tcpdump.org/linktypes.html] packets inside...: 94497 last pcap error..: truncated dump file; tried to read 193104 captured bytes, only got 72696 root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Downloads# wlancap2hcx -o 1st26c4.hccapx original26c4.cap start reading from original26c4.cap pcap read error: invalid packet capture length 6881280, bigger than maximum of 262144 pcap read error: invalid packet capture length 1835008, bigger than maximum of 262144 pcap read error: invalid packet capture length 2623291088, bigger than maximum of 262144 pcap read error: invalid packet capture length 1383399423, bigger than maximum of 262144 pcap read error: invalid packet capture length 12845056, bigger than maximum of 262144 pcap read error: invalid packet capture length 909837, bigger than maximum of 262144 pcap read error: invalid packet capture length 1960823124, bigger than maximum of 262144 pcap read error: invalid packet capture length 4294967295, bigger than maximum of 262144 pcap read error: invalid packet capture length 2683722260, bigger than maximum of 262144 pcap read error: invalid packet capture length 3377725880, bigger than maximum of 262144 pcap read error: invalid packet capture length 2683722260, bigger than maximum of 262144 pcap read error: invalid packet capture length 3377725556, bigger than maximum of 262144 pcap read error: invalid packet capture length 1079645251, bigger than maximum of 262144 pcap read error: invalid packet capture length 3489741312, bigger than maximum of 262144 pcap read error: truncated dump file; tried to read 193104 captured bytes, only got 72696 94493 packets processed (94493 wlan, 0 lan, 0 loopback) root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Downloads# wlanhcx2cap -i 1st26c4.hccapx -O 2nd26c4.cap 5 records read from 1st26c4.hccapx 5 handshakes written to 2nd26c4.cap 0 handshakes not written (?irreversible messagepair) root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Downloads# wlancapinfo -h wlancapinfo 4.0.0 (C) 2017 ZeroBeat usage: wlancapinfo <options> options: -i <file> : input pcap file root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Downloads# wlancapinfo -i 2nd26c4.cap input file.......: 2nd26c4.cap magic file number: 0xa1b2c3d4 (cap/pcap) major version....: 2 minor version....: 4 data link type...: 105 (DLT_IEEE802_11) [http://www.tcpdump.org/linktypes.html] packets inside...: 15 last pcap error..: flawless root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Downloads# wlancap2hcx -W 2nd26c4.hccapx 2nd26c4.cap start reading from 2nd26c4.cap 15 packets processed (15 wlan, 0 lan, 0 loopback) total 3 usefull wpa handshakes found 3 WPA2 AES Cipher, HMAC-SHA1 |