hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
hashcat Forum (https://hashcat.net/forum), Forum: User Contributions

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - WPA_Catcher - 01-08-2020

Hi ZerBea

You are incredibly productive, I am starting to think you are one of those AI bots who can write forum posts and code awesome programs! I appreciate you supporting "ancient" formats as it must be time consuming but those of us with no option other than to use older versions of hashcat are very, very grateful.

I thought I would write back now to say thank you for your reply as I will be testing the new hcx(all) features after work. It takes me longer to learn and test than it does for you to code!

As you will be deprecating wlanhcx2ssid will the following (very useful) options be available in the finished hcxhashtool?

-a : output file by mac_ap's
-s : output file by mac_sta's
-o : output file by vendor's (oui)
-e : output file by essid's

I would love to be able to output all good quality handshakes, converted to hccap's, contained within a given pcapng into separate files named by MAC.

If the option --authorized in the new hcxhashtool means what I think it does then that is GREAT! I guess it means only output handshakes that are likely to be both crackable and the password is the correct one for the AP.

Just as a side note, I am proud to say hcxtools is the very first program I have ever compiled!

Thanks again for your work.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-08-2020

These are the available options. If there is need for more, please let me know.
Decided to add filter by MAC CLIENT, too, because hcxdumptool is able to request the original MAC of a CLIENT.

Code:
$ hcxhashtool -h

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - WPA_Catcher - 01-08-2020

I really like the -E option... autohex was going to be one of my feature requests!
Reading the help I am not sure how I would do the following for hccap:

- Filter good quality (crackable) handshakes only
- Output individual files for each ESSID or capture
- Include all AP_Less captures and test these for quality
- Outputs would be user-defined as hccap, hccapx or PMKID etc
- All above from a single large pcapng in an automated way

My guess would be something like the following:

hcxhashtool -i myfile.pcapng --type 2 --hccap=(this requires a file but multiple output would need directory)

I am asking rather than testing as I don't have a pcapng with multiple known captures so I can test to see if the outputted hccaps are crackable for me with old hashcat.

Thank you

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-08-2020

No, there will be no "all in one tool". The workflow is:

hcxdumptool -> hcxpcapngtool -> hcxhashtool -> (optional hcxpsktool) -> hashcat

Detection of handshakes and PMKIDs is really complex and I don't want to add additional features to the converter (hcxpcapngtool).

BTW: The Linux philosophy (and mine, too) is:
Write programs that do one thing and do it well.
Write programs to work together.
Write programs to handle text streams, because that is a universal interface.
https://en.wikipedia.org/wiki/Unix_philosophy

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - WPA_Catcher - 01-08-2020

Oh I see I have to chain them. So automating the process of outputting everything is possible?

With the oncoming of your new tools v6 I think I will have to wait for the official release and then try to work it out. I am not a computer expert just a keen hobbyist so this will take me some time.

Your tools are brilliant and I cannot thank you enough for making them available.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-09-2020

"Oh I see I have to chain them."
Yes!

The new hash format (2200x) is plain HEX-ASCII.
That means you will get a readable hashline (not binary hccap or hccapx).
Depending on the WiFi related filters of hcxpcapngtool, everything is converted to this hash format.

WiFi related filters are filters that do not work on already converted hashes:
- filter by EAPOLTIME
- filter by replaycount
- filter by information element (IE)
- filter by ESSID changes / damaged ESSIDs
This information is present in a cap/pcap file (and a pcapng contains much more information than a cap/pcap).
You can use Wireshark (convert by hand) or hcxpcapngtool.

After that process, we have a plain HEX ASCII hashfile, you can use hash related filters on:
- filter by ESSID
- filter by VENDOR
- filter by MAC
- filter by ....
You can use a text editor (by hand) or hcxhashtool.
If you get them by hand, you have to use hcxhashtool again to convert them to hccap.

Now we have the hashfile, which is the first file we have to feed to hashcat.
For the second file (wordlist), you can use your own wordlist to feed hashcat or run hcxpsktool to generate a wordlist based on the hashfile.

We have tested this since the decision to add this new hashmode:
https://github.com/hashcat/hashcat/issues/1816
and JtR will implement it, too:
https://github.com/magnumripper/JohnTheRipper/issues/4183

BTW: I know this is hashcat forum, but for me it is amazing, that both coders (Atom and Magnum) are working together, here!!!!!!!!
...and several other coders, too:
https://github.com/RealEnder/dwpa
https://github.com/kimocoder/wifite2
https://github.com/s77rt/multicapconverter

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - WPA_Catcher - 01-11-2020

Hi ZerBea

I really like the idea of the hashes being exported from hcxpcapngtool as text (.22000).
As you are currently designing the format could I make a request that, assuming I understand autohex to mean write in ASCII unless the output would crash your system if so then use Hex, would it be possible to have autohex on ESSID names written to each text line?

Example: Netgear123:WPA*01*2f5c05d6ad2070743...etc or if the AP name is bad then "Hex...:WPA*01*2f5c05d6ad2070743...etc"

When using hcxpcapngtool if a user outputs the entire contents of their .pcapng file to hccap each network is merged into a single .hccap. This is no use to the user as hccap's have to only contain a single network per hccap.

As it seems possible to make hccapx and hccap files directly from the new text format (.22000) I am not sure why hcxpcapngtool has the --hccap option. Perhaps the conversion should be left solely to hcxhashtool? Hopefully this will be easier for you to maintain as only one tool converts to hccap and hccapx.

If the user directly converts the .22000 text output to hccap using hcxhashtool how will the resulting hccap be crackable? I ask because when converting to hccap using hcxpcapngtool it requires --ignore-ie.

hcxhashtool

Could hcxhashtool please have the features wlanhcx2ssid has but for the text hash and not wifi? The -a option in wlanhcx2ssid allows the user to recursively and automatically output each network to its own file named by the AP mac.

As mentioned before the following options in hcxhashtool (copied from wlanhcx2ssid) would be very useful to have in hcxhashtool.

-a : output file by mac_ap's
-s : output file by mac_sta's
-o : output file by vendor's (oui)
-e : output file by essid's

The option --hccap= or --hccapx= would ideally allow the user to select a folder to send the individual conversions to not a specific file as currently is.

To explain what I am trying to say above.
Say my capture file (.pcapng) contains the following:

- 1 x PMKID of Network1
- 1 x AP and client handshake Network2
- 1 x AP-Less capture hcxdumptool to target client Network3
(In reality there could be 30 or 40 valid networks)

I would like to be able to output these in an automated way.

I use:
- hcxdumptool to capture
- hcxpcapngtool to convert to .22000 (what about the --ignore-ie option if I know I will later be converting the text hash to hccap?)
- hcxhashtool to convert .22000 to hccap(x) or hccap

Obviously it would be time consuming for the user to have to manually alter each filter for every valid handshake which is why I ask for the same options available in wlanhcx2ssid to be in hcxhashtool so I can create a folder containing converted versions of the PMKID, AP and client handshake and AP-Less capture to a specified folder.

The result would be a folder containing the following.

Network1.hccap
Network2.hccap
Network3.hccap

Just a side question. I assume setting --authorized in hcxhashtool will only output more reliable hashes as in more likely to be correct and crackable?

Thank you for reading this far!

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-11-2020

Most of the features you requested are already built in. The rest can be done by bash commands.

Example: Netgear123:WPA*01*2f5c05d6ad2070743...etc or if the AP name is bad then "Hex...:WPA*01*2f5c05d6ad2070743...etc"
--info=stdout will do it
We do not touch the hash line (-o output), because neither hashcat nor JtR like this.

Don't worry about a "big" hccap file.
You can split it into single parts, running split -b:

use hcxpcapngtool to convert to .22000 hashfile
use hcxhashtool to filter and to write result all to a single hccap
use bashtool split to split the "big hccap" into single parts:
$ split -b 392 --additional-suffix=.hccap test.hccap
use bashtool grep -r NETGEAR to find your desired hccap:
$ grep -r NETGEAR
Binary file xzrdg.hccap matches
Binary file xzequ.hccap matches
Binary file xzasl.hccap matches
Binary file xzask.hccap matches
Binary file test.hccap matches <- that is the big one
feed old hashcat with desired single hccap:
hashcat -m 2500 xzequ.hccap wordlist

--ignore-ie should be used on damaged cap files, or cap files which don't provide RSN-IE and/or WPA-IE elements.

"I assume setting --authorized in hcxhashtool will only output more reliable hashes as in more likely to be correct and crackable?"
No, all hashes should be recoverable.
--authorized means that the CLIENT from which we take the M2 is allowed to enter the network.
--unauthorized means that a CLIENT tries to get access to the network, but is not allowed to enter it.
PSKs you recovered from both kinds of hashes are valid, but only one of them belongs to the network.

Please keep in mind:
hcxtools are designed as analysis tools and not to "crack" a single network. If you would like to use them you should know basics of LINUX, basics of ieee802.11 and basics of radio technology. Running K*A*L*I and a high power WiFi adapter is far from enough.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - WPA_Catcher - 01-11-2020

Hi ZerBea

Thank you for explaining how I can sort the output using bash. It just seems a shame the very useful feature of outputting all networks recursively and auto naming each file, as with wlanhcx2ssid, will not be possible with hcxhashtool.

Thanks for explaining --authorized in hcxhashtool, it is what I was hoping it meant.

Quote: Please keep in mind:

You are of course correct, I have much to learn about all the things you mention.

Thanks again for helping and obviously for hcxtools.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-11-2020

The major advantage of the new hashline is that you can use bash tools on it, because it isn't any longer binary. Playing around with these bash tools you can do nearly everything (grep, sort, cut, cat, sed, awk, ...).
There is no longer need for tools, working on binary hash formats. Now it is time for a change. Please let hccap/hccapx rest in peace (R.I.P) after release of hashcat v6.0.0.

But anyway, you're right, we are missing some options in hcxhashtool, compared to wlanhcx2ssid. I'm going to add them, step by step.
These are the first ones:
--mac-group-ap (old -a)
--mac-group-client (old -s)

BTW: replacement for these two old options is already implemented:
-o : output file by vendor's (oui) (hcxhashtool: --oui-group)
-e : output file by essid's (hcxhashtool: --essid-group)
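
The point made in the last post, that a plain-text 22000 hashline can be grouped and indexed with ordinary text tools, shown as an added example (not code from the thread or from hcxtools). The function names group_22000, essid_index and sample_22000 are hypothetical, and the sample lines are constructed with shortened placeholder fields.

```shell
# Added example: group a hashcat 22000 hashfile with standard text tools only.
# Line: WPA*TYPE*PMKID_or_MIC*MAC_AP*MAC_CLIENT*ESSID_hex*ANONCE*EAPOL*MESSAGEPAIR

# group_22000 FILE OUTDIR FIELD   (FIELD: 4 = MAC_AP, 5 = MAC_CLIENT, 6 = ESSID hex)
# Output files are named by the hex field, never by the decoded ESSID: an
# ESSID is untrusted input and may contain '/' or control bytes.
group_22000() {
    mkdir -p "$2" || return 1
    awk -F'*' -v dir="$2" -v f="$3" '
        $1 != "WPA" || NF < 6 { next }          # not a 22000 line
        $f !~ /^[0-9A-Fa-f]+$/ { next }         # key must be plain hex
        { out = dir "/" tolower($f) ".22000"; print >> out; close(out) }
    ' "$1"
}

# essid_index FILE: prints "count TYPE name" per ESSID. The name is ASCII when
# every byte is printable, otherwise $HEX[...] (the autohex idea in the thread).
essid_index() {
    awk -F'*' '
        function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
        function decode(h,   i, n, s) {
            for (i = 1; i < length(h); i += 2) {
                n = hexval(substr(h, i, 1)) * 16 + hexval(substr(h, i + 1, 1))
                if (n < 32 || n > 126) return "$HEX[" h "]"
                s = s sprintf("%c", n)
            }
            return s
        }
        $1 == "WPA" && NF >= 6 && $6 ~ /^([0-9A-Fa-f][0-9A-Fa-f])+$/ {
            seen[$2 " " decode($6)]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$1" | sort -k2
}

# Constructed sample input; the hash fields are shortened placeholders.
sample_22000() {
cat <<'EOF'
WPA*01*aa01*001122334455*66778899aabb*4e657467656172313233***
WPA*02*bb02*001122334455*66778899aacc*4e657467656172313233*cc*dd*02
WPA*02*bb03*0011223344ff*66778899aadd*2e2e2f78*cc*dd*00
WPA*02*bb04*0011223344ee*66778899aaee*00ff*cc*dd*00
EOF
}
```

The third sample ESSID decodes to "../x", which is why the grouping step writes to 2e2e2f78.22000 rather than to a file named after the decoded string.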