hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 12-02-2017

Hi DKblue.

You've done the right things. That is the way to make a flawless and clean cap.

The second way is to use the option -p from wlancap2hcx:

-p <file> : output merged pcap file (upload this file to http://wpa-sec.stanev.org)

In that case you get a flawless (uncleaned) cap.

This behavior is normal for capture tools which don't take care of "safe terminating" or a script that kills the capture tool. In your case the cap is cut and you get this message:

pcap read error: invalid packet capture length 1960823124, bigger than maximum of 262144

You will also get this error if you try to read this cap using Wireshark.

I should like to point out that the result of minidwep-gtk is very poor compared to a wlandump-ng (Raspberry Pi) capture:

$ wlancap2hcx 201711290935.pcap
start reading from 201711290935.pcap
11698 packets processed (11698 wlan, 0 lan, 0 loopback)
total 320 usefull wpa handshakes
found 7 WPA1 RC4 Cipher, HMAC-MD5
found 313 WPA2 AES Cipher, HMAC-SHA1
found 164 valid WPA handshakes (by wlandump-ng/wlanresponse)
nonce-error-corrections is working on that file
found FAST Authentication

By the way: I power on my Raspberry Pi. Then I take a walk through the city. After I return, I power off the Raspberry and copy the cap to the GPU rig and do the conversion to hccapx. That's all.
And even with a very small wordlist and a simple notebook, I have a hit rate of 8% on that cap:

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: test.hccapx
Time.Started.....: Sat Dec 2 15:42:36 2017 (1 min, 24 secs)
Time.Estimated...: Sat Dec 2 15:44:00 2017 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 31164 H/s (3.68ms)
Recovered........: 18/225 (8.00%) Digests, 4/70 (5.71%) Salts
Progress.........: 2857610/2857610 (100.00%)
Rejected.........: 0/2857610 (0.00%)
Restore.Point....: 40823/40823 (100.00%)
Candidates.#1....: rsax4337 -> волчонок
HWMon.Dev.#1.....: Temp: 63c Util: 95% Core:1176MHz Mem: 900MHz Bus:4

Started: Sat Dec 2 15:42:28 2017
Stopped: Sat Dec 2 15:44:01 2017

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - DKblue - 12-04-2017

Sorry for replying so late, ZerBea! Really sorry! Enlightened by your case with the Raspberry Pi, I'm fixing several grandpa-class notebooks, removing those mechanical HDDs, trying to install The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) on a U-disk. (As I know nothing about the Raspberry Pi, and neither do my co-workers.)

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - DKblue - 12-04-2017

One more thing: I seem to find hcxtools has a Windows version released? If so, that would be most convenient.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 12-05-2017

Hi DKblue.

Nice snapshot. At least you are able to recover the key. That's great.

But it's not a good idea to use wlangenpmk (as it is much slower than hashcat). This tool was designed for analysis purposes and to speed up hashcat's hashing process of already recovered passwords.

example:

Use wlangenpmk on your potfile to calculate PMKs for already recovered networks.
Convert new captures to hccapx and do the first hashcat run using these calculated PMKs and hashcat's --remove option. Now all (already) recovered passwords are filtered out (very fast). Then use your preferred methods (crunch) on the remaining networks in your hccapx file.

I am not thinking about porting hcxtools to Windows. First of all, hcxtools are designed to be analysis tools and pre-processing tools for use with hashcat and JtR. For that purpose you need a system that you control(!!!) and not somebody in Silicon Valley. If you decide to use hcxtools, your level of experience (LINUX and 802.11x) must be significantly higher than using a simple all-in-one script. Only in that case you'll get good results.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - slyexe - 12-06-2017

Just out of curiosity, has anyone compiled this for OpenWRT? Looks like all the required packages are already available with Chaos Calmer; would be neat to set this up in my Ubiquiti unit and give it a try.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 12-06-2017

Hi slyexe

Yes, but we are still running into problems on big endian machines. The source already contains some muscle fixes, but there is a lot of work to do. There are also many OSX fixes inside the latest git code (thanks to RealEnder, Neheb and Magnum).

Next step is to drop the libpcap dependency. But that needs a complete rewrite of the tools. wlandump-ng (https://github.com/ZerBea/hcxtoolsbleeding) is the first tool that dropped that dependency. Now we use a file descriptor to read incoming packets from a raw socket and write outgoing packets to a raw socket (full duplex). Also, that makes it easier to port the code to other OS (I hope so).

Life would be easier if I could get some big endian caps and a PRISM (I or II) header cap.
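The truncated-capture error quoted in ZerBea's 12-02 reply ("invalid packet capture length 1960823124, bigger than maximum of 262144") is libpcap refusing a record header whose captured length is implausible, which is what a capture tool killed mid-write leaves behind. The Python below is an added example, not part of this thread and not code from hcxtools: it walks a classic pcap file record by record and reports the same classes of defect, so a cap can be sanity-checked before conversion. The 262144 bound and the error wording follow the message quoted in the thread; the frames, the helper build_pcap() and the three sample captures are constructed for the example.

```python
import struct

# libpcap's maximum captured length per record; the figure in the thread's error message.
MAX_SNAPLEN = 262144

# first 4 bytes read as a little-endian uint32 -> (struct byte order, timestamp unit)
MAGICS = {
    0xA1B2C3D4: ("<", "us"),
    0xD4C3B2A1: (">", "us"),
    0xA1B23C4D: ("<", "ns"),
    0x4D3CB2A1: (">", "ns"),
}


def check_pcap(data):
    """Walk a pcap byte string. Returns (records_read, error); error is None for a
    clean file. Stops at the first defect, as libpcap and Wireshark do."""
    if len(data) < 24:
        return 0, "file shorter than the 24-byte global header"
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        return 0, "unknown magic 0x%08x" % magic
    order, _unit = MAGICS[magic]
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _vmaj, _vmin, _tz, _sig, _snaplen, _linktype = struct.unpack(order + "HHiIII", data[4:24])
    off, count = 24, 0
    while off < len(data):
        if len(data) - off < 16:
            return count, "truncated record header at offset %d" % off
        _sec, _frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        if incl_len > MAX_SNAPLEN:
            # garbage where a record header should be: the symptom quoted in the thread
            return count, ("invalid packet capture length %d, bigger than maximum of %d"
                           % (incl_len, MAX_SNAPLEN))
        if len(data) - off - 16 < incl_len:
            return count, "truncated packet data at offset %d (capture was cut short)" % off
        off += 16 + incl_len
        count += 1
    return count, None


def build_pcap(frames, linktype=127):
    """Construct a little-endian pcap (DLT_IEEE802_11_RADIO = 127) from raw frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1512230556 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample frames (not real captures): an 8-byte radiotap header followed by
# a minimal 24-byte 802.11 management-frame header.
FRAMES = [
    bytes.fromhex("0000080000000000") + b"\x80\x00" + b"\x00" * 22,
    bytes.fromhex("0000080000000000") + b"\x40\x00" + b"\x00" * 22,
    bytes.fromhex("0000080000000000") + b"\x50\x00" + b"\x00" * 22,
]

CLEAN_CAP = build_pcap(FRAMES)
# capture tool killed mid-write: the last record loses its final bytes
CUT_CAP = CLEAN_CAP[:-4]
# garbage where a record header should be, using the length value from the thread
GARBAGE_CAP = build_pcap(FRAMES[:2]) + struct.pack("<IIII", 0, 0, 1960823124, 0)

if __name__ == "__main__":
    for name, cap in (("clean", CLEAN_CAP), ("cut", CUT_CAP), ("garbage", GARBAGE_CAP)):
        print(name, check_pcap(cap))
```

A clean file yields the record count and no error; the cut and garbage files stop at the second record and name the defect, which tells you whether the capture was merely terminated unsafely (the records before the cut are still usable) or the writer emitted nonsense.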
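ZerBea's 12-05 reply describes the wlangenpmk workflow: compute each already-recovered network's PMK once, let hashcat check new captures against those PMKs with --remove, and spend the expensive guessing only on what is left. The Python below is an added example, not wlangenpmk's or hashcat's code, that shows why that ordering pays off: deriving a PMK costs 4096 PBKDF2-HMAC-SHA1 rounds per candidate, while going from a known PMK to the handshake keys (the PTK, whose first 16 bytes are the KCK that authenticates the EAPOL frames with HMAC-SHA1 for WPA2 or HMAC-MD5 for WPA1, as in the wlancap2hcx summary above) costs a handful of HMAC calls. The PMK test vector is the one from the IEEE 802.11 standard's Annex; the "ESSID:passphrase" line format, the function names, the MAC addresses and the nonces are assumptions constructed for the example, not hashcat's real potfile layout.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 4096  # fixed by WPA-PSK; this is what makes passphrase guessing slow


def pmk_from_passphrase(essid, passphrase):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes). The expensive step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, essid, PBKDF2_ROUNDS, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label | 0x00 | data | counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk_from_pmk(pmk, aa, spa, anonce, snonce, nbytes=48):
    """Pairwise key expansion (the cheap step): 48 bytes (KCK | KEK | TK) for CCMP,
    64 for TKIP. Addresses and nonces are sorted, so both sides derive the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def pmk_cache_from_lines(lines):
    """Turn constructed 'ESSID:passphrase' lines into {ESSID: PMK}; bad lines are skipped."""
    cache = {}
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        essid, passphrase = line.split(":", 1)
        if not 8 <= len(passphrase) <= 63:  # WPA-PSK passphrase length rule
            continue
        cache[essid] = pmk_from_passphrase(essid.encode(), passphrase.encode())
    return cache


# Constructed sample list (ESSID:passphrase); the first pair is the 802.11 Annex test vector.
SAMPLE_POT = [
    "IEEE:password",
    "broken line without separator",
    "shortpw:abc",  # rejected: under 8 characters
    "HomeNet:correct horse battery staple",
]

if __name__ == "__main__":
    cache = pmk_cache_from_lines(SAMPLE_POT)
    for essid, pmk in cache.items():
        print(essid, pmk.hex())
    # constructed handshake parameters (not from a real capture)
    aa = bytes.fromhex("020000000001")   # AP MAC
    spa = bytes.fromhex("020000000002")  # station MAC
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    ptk = ptk_from_pmk(cache["IEEE"], aa, spa, anonce, snonce)
    print("KCK", ptk[:16].hex(), "KEK", ptk[16:32].hex(), "TK", ptk[32:48].hex())
```

The cache is keyed by ESSID because the ESSID is the PBKDF2 salt: a PMK is only reusable for networks with the same name, which is exactly the case the --remove pass is meant to clear out quickly.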
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - DKblue - 12-07-2017

Hi ZerBea, it's not my command, here is the original link: http://arg-wireless.com.ar/index.php?topic=1927.15

Anyway I'd like to consult you on wlangenpmk later, when free. Now I'm still busy fighting those rubbish notebooks, trying to install the kali-light version on an SD card. It would be so nice to capture with your excellent wlandump-ng. Your suggestion is good, but we are electromechanical labourers; a pretty Raspberry is a little delicate in our tool bag. Thanks.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 12-07-2017

Hi DKblue.

You're welcome. I know that ARG forum well. There are nice posts inside about Fibertel's and Speedy's.

The solution for your problem is a simple bash script that:
  disables NetworkManager and wpa_supplicant
  enables monitor mode for the selected device
  brings the interface up

and a second script that
  disables monitor mode for the selected device
  brings the interface up
  enables NetworkManager and wpa_supplicant

I'm sure some UBUNTU/DEBIAN users can post their scripts here.
for an arch system:

makemonitor
---------------
#!/bin/sh
# no interface given as $1: list wl* devices with their MAC and ask for one
if test -z "$1"
then
	for IFACE in `ls -1 /sys/class/net | grep ^wl`
	do
		printf "$IFACE "
		cat /sys/class/net/$IFACE/address
	done
	printf "\nselect interface: "
	read WLANDEV
else
	WLANDEV=$1
fi
echo "deactivate services"
sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.service
echo "activate monitor mode on $WLANDEV"
sudo ip link set $WLANDEV down
sudo iw dev $WLANDEV set type monitor
sudo ip link set $WLANDEV up
sudo iw dev $WLANDEV info

killmonitor
-----------
#!/bin/sh
# no interface given as $1: list wl* devices with their MAC and ask for one
if test -z "$1"
then
	for IFACE in `ls -1 /sys/class/net | grep ^wl`
	do
		printf "$IFACE "
		cat /sys/class/net/$IFACE/address
	done
	printf "\nselect interface: "
	read WLANDEV
else
	WLANDEV=$1
fi
echo "deactivate monitor mode on $WLANDEV"
sudo ip link set $WLANDEV down
sudo iw dev $WLANDEV set type managed
sudo ip link set $WLANDEV up
sudo iw dev $WLANDEV info
echo "activate services"
sudo systemctl start NetworkManager.service
sudo systemctl start wpa_supplicant.service

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - DKblue - 12-08-2017

Thanks ZerBea! Your scripts seem helpful. Last month I learned from your reply to windmaple here:

windmaple:

There are some major problems in your configuration:

1. do not use aircrack-ng tools or scripts in combination with hcxtools. airmon-ng creates a virtual interface (monx) and leaves wlan0 managed!

2. do not use wlandump-ng/wlanresponse on virtual devices like monx
"I placed the wifi card into monitor mode but somehow wlandump doesn't like wlan0"
wlandump-ng/wlanresponse likes wlan0, but they don't like virtual devices!

3. as freeroute wrote, you must identify all services that take access to your capture device and stop them (at least these 2):
sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.service

4.
as freeroute wrote, you must put the interface into monitor mode (where $WLANDEV is your device name)
sudo ip link set $WLANDEV down
sudo iw dev $WLANDEV set type monitor
sudo ip link set $WLANDEV up
sudo iw dev $WLANDEV info

5. if you get pcap read errors like this:
internal pcap errors.....................................: 12
there are more services that prevent wlandump-ng/wlanresponse from accessing the device - you must identify and stop them.

6. if you have finished capturing, do not forget to put the device back into managed mode
sudo ip link set $WLANDEV down
sudo iw dev $WLANDEV set type managed
sudo ip link set $WLANDEV up
sudo iw dev $WLANDEV info

7. and start the services - otherwise you will have no connectivity!
sudo systemctl start NetworkManager.service
sudo systemctl start wpa_supplicant.service

and now I have learned from you time after time. I'll try your scripts later, thanks again!

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 12-08-2017

Hi DKblue.

The problems aren't as big as you might think. Penetration distros don't start as many unwanted services as multimedia distros. So there are only a few services to stop.

There is no real need to use airmon-ng if you have common hardware (Realtek, Ralink or Atheros chipsets that support native monitor mode). Aircrack-ng is able to run other services on the same interface (like hostapd, airbase-ng or airtun-ng). Therefore it uses virtual devices. wlandump-ng is stand alone and needs full access to the hardcoded interface. That's all...

And please upload your capfiles to http://wpa-sec.stanev.org/
We need the caps for analysis purposes (weak points, keyspace, 802.11 protocol, ...) to improve the tools (hashcat, JtR, hcxtools).

example:

You mentioned the arg-wireless forum in your post. The users are interested in Fibertel routers.
We did an analysis of the database to get information about the keyspace and added this as a new option to the latest wlanhcx2psk:

$ wlanhcx2psk -h
wlanhcx2psk 4.0.0 (C) 2017 ZeroBeat
usage..: wlanhcx2psk <options>
example: wlanhcx2psk -i <hccapx> -W -s | hashcat -m 2500 <hccapx>

options:
-i <file> : input hccapx file
-o <file> : output plainkeys to file
-s        : output plainkeys to stdout (pipe to hashcat)
-w        : include generic weak passwords
-W        : include complete wps keys
-D        : include complete european dates
-d        : include complete american dates
-N        : include NETGEARxx weak candidates
-F        : include Fibertel weak candidates
-h        : this help
-v        : version

Keep in mind, wlanhcx2psk is no key generator based on closed source firmware. Only results of open source intelligence are used.