hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version
Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 07-23-2018

hcxdumptool default capture format will be pcapng. That means upcoming hcxdumptool 4.2.0 will save the data in pcapng format.
wlandump-ng and wlancap2hcx will be removed in version 4.2.0!

I decided to switch to pcapng, because it has many advantages. New attack modes require calculating pre-hashes and nonces during runtime of the dumper. The pcapng format is able to handle comments, and we can store these values within the comment field, to provide the following conversion tool with these values. I don't like the idea of using separate files or incredibly long command lines for this purpose.

You can download the first hcxdumptool test version here:
https://github.com/ZerBea/hcxdumptool_bleeding_testing
This is a bleeding version. So expect compiler warnings and missing functions as well as some (heavy) bugs!

Latest update: hcxpcaptool is able to evaluate pcapng options:

$ hcxpcaptool -o test.hccapx sae_simple_psk.pcapng
start reading from sae_simple_psk.pcapng
summary:
file name....................: sae_simple_psk.pcapng
file type....................: pcapng 1.0
file hardware information....: Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz (with SSE4.2)
file os information..........: Linux 4.14.0-kali3-amd64
file application information.: Dumpcap (Wireshark) 2.4.4 (Git v2.4.4 packaged as 2.4.4-1)
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 30
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 2
probe responses..............: 1
association requests.........: 1
association responses........: 1
authentications (SAE)........: 4
deauthentications............: 3
action packets...............: 1
EAPOL packets................: 4
best handshakes..............: 1 (ap-less: 0)

1 handshake(s) written to test.hccapx
Keep in mind: This is only an example of the evaluation of pcapng option fields and NOT SAE cracking!!!

Besides this information:
file hardware information....: Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz (with SSE4.2)
file os information..........: Linux 4.14.0-kali3-amd64
file application information.: Dumpcap (Wireshark) 2.4.4 (Git v2.4.4 packaged as 2.4.4-1)
hcxdumptool will save the interface name and the first three bytes of the capture device MAC (OUI), too, to identify faulty vendor drivers. Also pre-hashed data like client-based calculated authentication keys and nonces are saved in the comment fields.

Read more about pcapng format specs here:
https://pcapng.github.io/pcapng/
And about the advantages here:
http://www.lovemytool.com/blog/2012/10/five-reasons-to-move-to-the-pcapng-capture-format-by-jason-walls.html

Get example cap from here:
https://github.com/vanhoefm/wifi-example-captures
or here:
https://www.cloudshark.org/captures/3638626f4551

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - strike1953 - 07-23-2018

(07-23-2018, 12:21 AM)ZerBea Wrote:
    hcxdumptool default capture format will be pcapng. That means upcoming hcxdumptool 4.2.0 will save the data in pcapng format.
    wlandump-ng and wlancap2hcx will be removed in version 4.2.0!

Excellent

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 07-23-2018

Hi strike1953.
Well, I hope so. I didn't see any chance to save values calculated during runtime in a better way. The option field of pcapng seems to be a good way to do that.
Wireshark is an absolutely fantastic analysis tool (my favourite), so it's good to be compatible with that nice tool. Also I noticed that Wireshark opens a pcapng file much faster than an old cap/pcap file (32-bit alignment, permits backward file navigation, ...).
Since hcxtools is running in the background of https://wpa-sec.stanev.org/?, pcapng capture files are accepted by the server, as well as gz compressed files (pcapng, cap, pcap).
Last but not least, we can provide the following hash cracking tool with all values required by the cracking procedure:
dumper/attacker -> conversion tool -> hash cracker -> database
(for example: hcxdumptool -> hcxpcaptool -> hashcat -> wpa-sec database)
We do this already in a very simple way, using the messagepair field in the hccapx record.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 07-23-2018

BTW: Parsing pre-hashes or nonces isn't really witchcraft. We are doing this already:
hcxpcaptool -h
--netntlm-out=<file>
In that case a SHA1 pre-hash, based on an EAP authentication frame, is parsed to hashcat.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 07-25-2018

Small update on hcxdumptool and hcxtools: moved to v 4.2.0 rc1:
Added a complete new WPA attack mode according to new hashcat hashmodes 16800 and 16801.
The attack is performed on the RSN IE (Robust Security Network Information Element) of an EAPOL 1/4 frame in 802.11i networks.
At this moment we do not know on which vendors and on how many routers this will work. Please test it...
Also hcxdumptool isn't ready for a 100% attack - I'm working on it.
$ hcxpcaptool -h
-z <file> : output PMKID file (hashcat hashmode -m 16800)
-Z <file> : output PMKID file (hashcat hashmode -m 16801)

Advantage: only 2 packets required
1 association request/reassociation request (probe response is ok, too)
2 EAPOL 1/4 (M1) with included RSN IE

Remember ap-less attack: only 2 packets required
1 association request/reassociation request (probe request is ok, too)
2 EAPOL 2/4 (M2) as response to hcxdumptool

Just use hcxdumptool to capture, hcxpcaptool to convert and hashcat to crack

hcxtools update: 4.2.0 rc1 added new attack mode on WPA PMKID

$ hcxpcaptool -z hashfile.16800 pmkidassociationrequest.pcapng
start reading from pmkidassociationrequest.pcapng
summary:
file name....................: pmkidassociationrequest.pcapng
file type....................: pcapng 1.0
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 3
skipped packets..............: 0
packets with FCS.............: 0
association requests.........: 1
association responses........: 1
EAPOL packets................: 1
EAPOL PMKIDs.................: 1

1 PMKID(s) written to hashfile.16800

$ hashcat -m 16800 hashfile.16800 wordlist

Example hashes are here:
https://hashcat.net/wiki/doku.php?id=example_hashes

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - freeroute - 07-25-2018

Thanks for the update. Going to test....

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - strike1953 - 07-25-2018

(07-25-2018, 08:44 PM)ZerBea Wrote:
    Small update on hcxdumptool and hcxtools: moved to v 4.2.0 rc1:

Hashcat -m 16800?????? where?
Unknown hash-type '16800' selected

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 07-26-2018

Please use latest git updates!
hashcat:
https://github.com/hashcat/hashcat/commit/88ebca40b8a52c16fd0d9d24f7a2f63d8d7f4400
hcxtools:
https://github.com/ZerBea/hcxtools
hcxdumptool:
https://github.com/ZerBea/hcxdumptool
or test hcxdumptool-bleeding (disabled make install because it's really a bleeding version):
https://github.com/ZerBea/hcxdumptool_bleeding_testing

I started the complete refactoring of hcxdumptool, because the old version acts as an AP for CLIENTs (ap-less attack). After the implementation of hashmodes 1680x, the new hcxdumptool acts as CLIENT for APs (client-less attack), too.
Unfortunately I noticed that the new hcxdumptool now attacks itself (because of full mac randomization). We need full randomization of all values to prevent counter measures against us. That includes
- mac address
- replaycounter
- nonce
- authenticationkeys
- and perhaps more...

Now, bleeding will start like this:

$ sudo ./hcxdumptool-bleeding -i wlp39s0f3u4u5 -o test.pcapng -t 10 -s 1 -H blacklisthost -C blacklistclient
start capturing (stop with ctrl+c)
INTERFACE:...: wlp39s0f3u4u5
MAC_STA......: f0a2253d7966 (client)
MAC_AP.......: 140708855fcf (start OUI)
REPLAYCOUNTER: 64052
ANONCE.......: 56f695dcb497439bbde941b67cdb98b06ad9b98c45dfc55853bd45b8551dabac

[10:14:16 - 001] f0a2253d7966 -> ffffffffffff [SENDING BROADCAST PROBEREQUEST]
...

and if you receive a PMKID it will look like this:

[10:21:18 - 001] xxxxxxxxxxxx -> xxxxxxxxxxxx [EAPOL M1, REPLAYCOUNT 1, FOUND PMKID]

No M2, M3 or M4 needed for hashcat -m 16800 to recover the PSK. The PMKID is authorized by the AP and 100% valid.
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Mot85 - 07-26-2018

Awesome, buddy, keep it up!

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - strike1953 - 07-26-2018

(07-26-2018, 09:54 AM)ZerBea Wrote:
    Please use latest git updates!

Sorry, thank you
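Added illustration (not code from hcxtools or hcxdumptool) of the pcapng option fields ZerBea's 07-23-2018 posts rely on: the file hardware/os/application strings hcxpcaptool prints and the comment field in which hcxdumptool is described as storing the interface name, OUI and pre-hashed values all live as options of the pcapng Section Header Block. The parser below reads those options, checks the byte-order magic and block length, and runs on a constructed SHB; the comment value is made up, the other strings are the ones from the output above.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block type; same bytes in either byte order
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # read with the right endianness this value comes out
OPTION_NAMES = {1: "comment", 2: "hardware", 3: "os", 4: "userappl"}

def _pad4(n):  # option values are padded to a 32-bit boundary
    return (n + 3) & ~3

def build_shb(options, endian="<"):
    """Construct a minimal SHB carrying (code, bytes) options; used only to make sample input."""
    body = b""
    for code, value in options:
        body += struct.pack(endian + "HH", code, len(value)) + value.ljust(_pad4(len(value)), b"\0")
    body += struct.pack(endian + "HH", 0, 0)  # opt_endofopt
    total = 28 + len(body)                    # 24-byte header + options + 4-byte trailing length
    return (struct.pack(endian + "II", SHB_TYPE, total)
            + struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)  # version 1.0, length unknown
            + body + struct.pack(endian + "I", total))

def parse_shb_options(data):
    """Return (struct endianness prefix, {option name: [values]}) for the SHB at the file start."""
    if len(data) < 28 or struct.unpack("<I", data[:4])[0] != SHB_TYPE:
        raise ValueError("not a pcapng file: no Section Header Block")
    endian = next((e for e in ("<", ">") if struct.unpack(e + "I", data[8:12])[0] == BYTE_ORDER_MAGIC), None)
    if endian is None:
        raise ValueError("bad byte-order magic")
    total = struct.unpack(endian + "I", data[4:8])[0]
    if total < 28 or total > len(data) or struct.unpack(endian + "I", data[total - 4:total])[0] != total:
        raise ValueError("block length mismatch (truncated or corrupt SHB)")
    opts, off, end = {}, 24, total - 4
    while off + 4 <= end:
        code, length = struct.unpack(endian + "HH", data[off:off + 4])
        off += 4
        if code == 0:                         # opt_endofopt terminates the option list
            break
        if off + length > end:
            raise ValueError("option runs past end of block")
        value = data[off:off + length].decode("utf-8", "replace")
        opts.setdefault(OPTION_NAMES.get(code, "opt_%d" % code), []).append(value)
        off += _pad4(length)
    return endian, opts

# Constructed sample: hardware/userappl strings as printed by hcxpcaptool above, plus a comment
# of the kind hcxdumptool is described as writing (interface name and OUI; this value is made up).
SAMPLE_SHB = build_shb([
    (2, b"Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz (with SSE4.2)"),
    (4, b"Dumpcap (Wireshark) 2.4.4 (Git v2.4.4 packaged as 2.4.4-1)"),
    (1, b"interface: wlp39s0f3u4u5, OUI: 140708"),
])
```

`parse_shb_options(open("capture.pcapng", "rb").read())` applies the same check to a real file; a big-endian section (as written on some embedded hosts) is detected from the magic, not assumed.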