hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - RashidMalik - 05-12-2018

Quote: There are many, many clear passwords in the captured files

How does one find/extract these clear passwords (example commands please!)? Do we need to enable a certain option for wlandump to capture these? What causes these to be sent in the first place; isn't wireless communication encrypted and only hashes are exchanged?

thanks

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - RashidMalik - 05-12-2018

What is the advantage of using the (wlandump) -l switch with respect to password cracking? I don't enable it; am I missing something important?

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 05-12-2018

Hi RashidMalik.

wlandump-ng -l and hcxdumptool -O enable capturing of IPv4 and IPv6 traffic (for example from hotspots). For example all non-EAP based authentications like:
- TLS authentications
- CHAP authentications
- TACACS+ authentication (https://hashcat.net/forum/thread-7062.html)

It isn't enabled by default, because these cap files can grow very big (very fast).

Passwords (PSK), usernames and identities are captured by default. You can retrieve them using the hcxdumptool -E -U -I options. Unfortunately we can't decide between ESSIDs and PSKs, so you find both of them in the -E option file. The more clients you receive, the more PSKs, usernames and/or identities you will get. APs don't send PSKs, usernames and/or identities!

wlandump-ng and wlancap2hcx are outdated. I kept them only for backward compatibility (libpcap). hcxdumptool and hcxpcaptool are the successors.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - RashidMalik - 05-14-2018

Hello ZerBea

Really appreciate your posts. They are full of gems and I am going through all your posts gathering those gems.
Thanks for all the time you (and your great team) put into writing these posts (making them understandable to newbies like me) and also into creating/updating the awesome hcx tools.

Q1 What is the difference between these two tools "wlancap2hcx" and "hcxpcaptool"? They seem to have some common functionality? Which one is suitable for which purpose?

Q2 I have switched to hcxdumptool (from wlandump-ng) as you had stated that the latter was now outdated. I have now been using hcxdumptool for about two days and it seems that the wlandump tool used to catch more handshakes. Is it possible that wlandump works better on some platforms (I am on The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) linux (4.15.0-kali3-amd64)), maybe because it communicates with the system drivers?

(Commands used:
wlandump-ng -i wlan1mon -o 13052018-1031am.cap -R -U -s
hcxdumptool -i wlan1mon -o 14052018-1115am.cap -D -t 15 -s -c 1,2,3,4,5,6,7,8,9,10,11,12,13,14
)

Q3 Which linux distribution do you suggest is best for working with hashcat? My laptop has an intel corei5 processor and an intel graphics card. I can't use my processor with hashcat due to CLI issues; the graphics card works (but then only with the --force option) but then the whole system seems to come to a crawl, can't do anything else, especially with browsers?

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 05-14-2018

Hi RashidMalik.

Nice to hear that.

Q1 What is the difference between these two tools "wlancap2hcx" and "hcxpcaptool"? They seem to have some common functionality? Which one is suitable for which purpose?

It's nearly the same as the difference between wlandump-ng and hcxdumptool:
- wlancap2hcx uses libpcap, hcxpcaptool doesn't use it.
- hcxpcaptool supports more formats than wlancap2hcx and the detection of handshakes is much, much better (broken ESSIDs, no ESSIDs, broken handshakes...).
- hcxpcaptool has some additional functions (for example -O to convert all handshakes to hccapx - useful if an unauthorized client tries some passwords)
- hcxpcaptool is the tool for conversion of cap, pcap, pcap-ng, cap.gz to hccapx on wpa-sec
- it will replace wlancap2hcx

Q2 I have switched to hcxdumptool (from wlandump-ng) as you had stated that the latter was now outdated. I have now been using hcxdumptool for about two days and it seems that the wlandump tool used to catch more handshakes.

Definitely no. In your case:
hcxdumptool -i wlan1mon -o 14052018-1115am.cap -D -t 15 -s -c 1,2,3,4,5,6,7,8,9,10,11,12,13,14
you disabled attacks against existing connections (-D: do not transmit deauthentications or disassociations). So you will get only handshakes from AP-less attacks.

Also you can improve your scanlist. Just do a wlanrcascan to see what channels are used in your area (for example 1,6,11). Then create your scanlist:
1,6,11,2,1,6,11,3,1,6,11,4,1,6,11,5,1,6,11,7,1,6,11,8,1,6,11,9,1,6,11,10,1,6,11,12,1,6,11,13,1,6,11,14,1,6,11
so your commandline could look like this:
hcxdumptool -i wlan1mon -o 14052018-1115am.cap -t 15 -c 1,6,11,2,1,6,11,3,1,6,11,4,1,6,11,5,1,6,11,7,1,6,11,8,1,6,11,9,1,6,11,10,1,6,11,12,1,6,11,13,1,6,11,14,1,6,11 -s

If you captured enough/all handshakes from APs in your area you can move to:
hcxdumptool -i wlan1mon -o 14052018-1115am.cap -t 15 -c 2,4,6,8,10,12 -s
to attack only new clients on less used channels.

Is it possible that wlandump works better on some platforms (I am on The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) linux (4.15.0-kali3-amd64)), maybe because it communicates with the system drivers?

Definitely yes - a reason why I didn't remove it yet.

Q3 Which linux distribution do you suggest is best for working with hashcat?

That is hard to answer. The recommended distribution is UBUNTU.
You get help here in the forum and you can read everything about the installation on the wiki pages.

I prefer arch LINUX. It's not easy to install and even less easy to configure. arch LINUX isn't beginner-friendly. But ask yourself: I would like to build a cracking system.
- do I need a multimedia distribution?
- do I need an oversized environment (like KDE, Gnome, UNITY) or is LXQT, XFCE better for me?
- do I need all the services started by default (like pulseaudio, networkmanager, wpa-supplicant, and more....)

For example UBUNTU: https://askubuntu.com/questions/702209/how-do-i-disable-unnecessary-services-without-uninstalling-them-in-ubuntu-15-10

and arch:
systemctl enable acpid.service
systemctl enable avahi-daemon.service
systemctl enable org.cups.cupsd.service
systemctl enable cronie.service
systemctl enable ntpd.service
(no unnecessary services, only what I decided to start)

You can read more here: https://wiki.archlinux.org/index.php/arch_compared_to_other_distributions

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 05-14-2018

Oh, I noticed that I didn't answer your first question:

Quote: How does one find/extract these clear passwords (Example commands please!)? Do we need to enable a certain option for wlandump to capture these? What causes these to be sent in the first place; isn't wireless communication encrypted and only hashes are exchanged? thanks

Finding PSKs is easy. But you have to develop a sight for that. PSKs can be found in probe requests, identity responses and authentication frames (usernames).

A detailed tutorial is here: https://hashcat.net/forum/thread-6661-post-35891.html#pid35891
including a test cap: https://hashcat.net/forum/attachment.php?aid=512

Command to save them:
hcxpcaptool -o test.hccapx -E probes -I identities -U usernames *.cap

What causes these to be sent in the first place?
A damaged wpa-supplicant.conf of the client.
We can annoy a client in such a way that he sends us his PSK and/or complete NVRAM.

Isn't wireless communication encrypted and only hashes are exchanged?
Yes, but these (management) frames are unencrypted.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - RashidMalik - 05-16-2018

(08-18-2017, 01:15 PM) ZerBea Wrote: weak point analyse (2)

Where can I find this pwhash? Google search turned up lots of variants. Which one exactly are you using? It's not installed on The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) by default and I could not locate it in the repository?

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 05-16-2018

Hi RashidMalik.

This tool (and some others) is located on GitHub (https://github.com/ZerBea): https://github.com/ZerBea/hcxkeys

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - taxil - 05-16-2018

Let's say I run hcxdumptool (aggressively) on a one hour timer; after one hour I hard close hcxdumptool. Then I start hcxdumptool for another hour capture. I am left with two cap files, hour1.cap and hour2.cap. I did not move location so a large chunk of handshakes are from the same clients/AP. Quite a bit of overlap. My goal is one hccapx without dupes for that day, should I:

Method 1
1. hcxpcaptool -o allday.hccapx hour1.cap hour2.cap

Method 2
1. cat hour1.cap hour2.cap > full.cap
2. hcxpcaptool -o allday.hccapx full.cap

Method 3
1. wlancap2hcx -p full.cap hour1.cap hour2.cap
2. hcxpcaptool -o allday.hccapx full.cap

I am currently using method 3, but I would like to use method 1. Does hcxpcaptool -o combine and compare all caps for the "best" handshakes?

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 05-17-2018

Hi taxil.

Neither method 1 nor method 2 nor method 3.
First some words about the basic rationale behind hcxtools:
- hcxtools are analysis tools
- what we did not record is gone forever

1) get all handshakes from established connections in your neighbourhood
hcxdumptool -i interface -o record.pcap -t 5 -b blacklisthome

2) if you got all, focus on (new) clients (long term - weeks!)
hcxdumptool -i interface -o record.pcap -t 60 -D -b blacklisthome

3) do the conversion
hcxpcaptool -o new.hccapx -E probelist -I identitylist -U usernamelist -P pmklist *.pcap
(if a wpa encrypted hotspot is in range, additionally use -O newall.hccapx to also retrieve connect attempts)

4) add all this raw data to your databases
cat new.hccapx >> database_best.hccapx
cat new.hccapx newall.hccapx >> database_all.hccapx
cat probelist >> databaseprobelist
cat identitylist >> databaseidentitylist
cat usernamelist >> databaseusernamelist
cat pmklist >> databasepmklist
cat database*list > workinglist
(and sort this list uniq)

Run workinglist against your database_best and use the --potfile option of hashcat.

Create pmklist from the hashcat.2500 potfile:
cat pmklist >> databasepmklist

From now on, you can run pmklist in combination with --remove against your database and/or incoming files to remove already cracked ones in a very fast way.
Now put your focus on common ESSIDs and get them:
wlanhcx2ssid -i database_xxx.hccapx -X default
(you can do this on best and/or raw)
In this case you get the full advantage of reused PBKDF2 on default.hccapx for common ESSIDs.

If you need a single ESSID:
wlanhcx2ssid -i database_best.hccapx -w forced.hccapx

Retrieve info about converted networks:
wlanhcxinfo -i forced.hccapx -a -s -e | sort | uniq

and get exactly the network you like to attack by mac or ESSID or whatever you like:
wlanhcx2ssid -i forced.hccapx -A mac_ap

Do not try to run useless wordlists found on the www (most of them are useless for your purpose).
Analyze your potfile to get information about the keyspace of similar networks (same VENDOR and/or ISP).
Use the -O option of hcxpcaptool (maybe a client made a typo - half a PSK, you are able to crack).
Analyze probelist (maybe the PSK or a similar PSK is inside).
Build your own wordlist based on your database lists and run rules on them.
cat database lists and cracked to one list and run a princeattack.
Annoy the client to retrieve his NVRAM and/or PSK - long term:
hcxdumptool -i interface -o record.pcap -t 60 -D -b blacklisthome
(that is not the same as a "normal" rogue AP or an evil twin - we are on protocol level)

This procedure will work, for example https://wpa-sec.stanev.org/?stats
Last 24h processed handshakes: 15760
Last 24h performance: 176.23K/s
Last 24h submissions: 288
Last 24h founds: 231