hashcat Forum
hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version

+--- Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)



RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-24-2020

There is no option to set the frequency, but there are several options to work on channels and scan lists:

Channel options to set one or more channels:
Code:
-c <digit>     : set channel (1,2,3, ...)
                 default channels: 1...13
                 maximum entries: 127
                 allowed channels (depends on the device):
                 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
                 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 68, 96
                 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128
                 132, 134, 136, 138, 140, 142, 144, 149, 151, 153, 155, 157, 159
                 161, 165, 169, 173

Scan list options to set a scan list:
Code:
-s <digit>     : set predefined scanlist
                 0 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (default)
                 1 = 1,2,3,4,5,6,7,8,9,10,11,12,13
                 2 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
                 3 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
Both of these options will replace the default (and optimized) scan list.

There is also an option (-C) to retrieve the channels supported by the interface (including frequency and tx power):

First we retrieve the names of available interfaces:
Code:
$ hcxdumptool -I
wlan interfaces:
503eaa92e326 wlp39s0f3u1u1u2 (mt76x0u)
00e06148645e wlp39s0f3u1u1u4 (mt7601u)

These are the ones detected by hcxdumptool:
Code:
$ lsusb
Bus 005 Device 008: ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
Bus 005 Device 007: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter

Now we can retrieve the channel list, supported by each interface:
Code:
$ sudo hcxdumptool -i wlp39s0f3u1u1u2 -C
initialization...
available channels:
  1 / 2412MHz (14 dBm)
  2 / 2417MHz (14 dBm)
  3 / 2422MHz (14 dBm)
  4 / 2427MHz (14 dBm)
  5 / 2432MHz (14 dBm)
  6 / 2437MHz (14 dBm)
  7 / 2442MHz (14 dBm)
  8 / 2447MHz (14 dBm)
  9 / 2452MHz (14 dBm)
10 / 2457MHz (14 dBm)
11 / 2462MHz (14 dBm)
12 / 2467MHz (14 dBm)
13 / 2472MHz (14 dBm)
36 / 5180MHz (17 dBm)
40 / 5200MHz (17 dBm)
44 / 5220MHz (17 dBm)
48 / 5240MHz (17 dBm)
52 / 5260MHz (17 dBm)
56 / 5280MHz (17 dBm)
60 / 5300MHz (17 dBm)
64 / 5320MHz (17 dBm)
100 / 5500MHz (17 dBm)
104 / 5520MHz (17 dBm)
108 / 5540MHz (17 dBm)
112 / 5560MHz (17 dBm)
116 / 5580MHz (17 dBm)
120 / 5600MHz (17 dBm)
124 / 5620MHz (17 dBm)
128 / 5640MHz (17 dBm)
132 / 5660MHz (17 dBm)
136 / 5680MHz (17 dBm)
140 / 5700MHz (17 dBm)
149 / 5745MHz (17 dBm)
153 / 5765MHz (17 dBm)
157 / 5785MHz (17 dBm)
161 / 5805MHz (17 dBm)
165 / 5825MHz (17 dBm)

terminating...

$ sudo hcxdumptool -i wlp39s0f3u1u1u4 -C
initialization...
available channels:
  1 / 2412MHz (30 dBm)
  2 / 2417MHz (30 dBm)
  3 / 2422MHz (30 dBm)
  4 / 2427MHz (30 dBm)
  5 / 2432MHz (30 dBm)
  6 / 2437MHz (30 dBm)
  7 / 2442MHz (30 dBm)
  8 / 2447MHz (30 dBm)
  9 / 2452MHz (30 dBm)
10 / 2457MHz (30 dBm)
11 / 2462MHz (30 dBm)
12 / 2467MHz (30 dBm)
13 / 2472MHz (30 dBm)
14 / 2484MHz (30 dBm)

terminating...

Now you can run hcxdumptool using your own channel list e.g.: -c 1,6,11

It is mandatory to set the "Regulatory domain":
"The regdomain setting is often made difficult or impossible to change so that the end users do not conflict with local regulatory agencies."
Please read more here:
https://wiki.archlinux.org/index.php/Network_configuration/Wireless#Respecting_the_regulatory_domain
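A pre-flight check in C to go with the -c and -C options above; it is an added example, not code from hcxdumptool or from the post. It parses the channel listing that `hcxdumptool -C` prints (a constructed sample here, in the line format quoted above), parses a -c style comma list into int channels with the 127-entry limit from the help text, and reports requested channels the interface never offered, so a bad scan list is noticed before a capture run instead of during it. The function names and the sample listing are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define MAX_SCAN_ENTRIES 127   /* limit stated in hcxdumptool's -c help text */
#define MAX_IF_CHANNELS  256

struct ifchannel { int channel; int mhz; int dbm; };

/* Constructed sample of `hcxdumptool -C` output (not a real capture); the
 * line format follows the output quoted in the thread. */
static const char *sample_c_output =
    "initialization...\n"
    "available channels:\n"
    "  1 / 2412MHz (14 dBm)\n"
    "  6 / 2437MHz (14 dBm)\n"
    " 11 / 2462MHz (14 dBm)\n"
    " 36 / 5180MHz (17 dBm)\n"
    " 40 / 5200MHz (17 dBm)\n"
    "\n"
    "terminating...\n";

/* Parse `hcxdumptool -C` output into out[]; lines that are not channel
 * entries (banner, blank, "terminating...") are skipped. Returns the count. */
int parse_c_output(const char *text, struct ifchannel *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        int ch, mhz, dbm;
        if (sscanf(line, " %d / %dMHz (%d dBm)", &ch, &mhz, &dbm) == 3) {
            out[n].channel = ch;
            out[n].mhz = mhz;
            out[n].dbm = dbm;
            n++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* Parse a -c style list ("1,6,11") into int channels (int rather than
 * uint8_t, so values above 255 and negative values survive). Returns the
 * count, or -1 on malformed input or more than MAX_SCAN_ENTRIES entries. */
int parse_scan_list(const char *arg, int *out, int max)
{
    int n = 0;
    const char *p = arg;
    if (*p == '\0') return -1;              /* empty list */
    while (*p) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p) return -1;            /* not a number */
        if (n >= max) return -1;            /* too many entries */
        out[n++] = (int)v;
        if (*end == '\0') break;
        if (*end != ',') return -1;         /* unexpected separator */
        p = end + 1;
        if (*p == '\0') return -1;          /* trailing comma */
    }
    return n;
}

/* Count requested channels the interface did not report, printing each. */
int unsupported_channels(const int *want, int nwant,
                         const struct ifchannel *have, int nhave)
{
    int missing = 0;
    for (int i = 0; i < nwant; i++) {
        bool found = false;
        for (int j = 0; j < nhave; j++)
            if (have[j].channel == want[i]) { found = true; break; }
        if (!found) {
            printf("channel %d is not offered by the interface\n", want[i]);
            missing++;
        }
    }
    return missing;
}

int main(int argc, char **argv)
{
    struct ifchannel have[MAX_IF_CHANNELS];
    int want[MAX_SCAN_ENTRIES];
    int nhave = parse_c_output(sample_c_output, have, MAX_IF_CHANNELS);
    const char *list = argc > 1 ? argv[1] : "1,6,11,14,173";
    int nwant = parse_scan_list(list, want, MAX_SCAN_ENTRIES);
    if (nwant < 0) { fprintf(stderr, "bad scan list: %s\n", list); return 2; }
    return unsupported_channels(want, nwant, have, nhave) ? 1 : 0;
}
```

Run it with the real listing piped in from `hcxdumptool -C` instead of the constructed sample and the requested list as the first argument; a non-zero exit means at least one requested channel is not available on that interface under the current regulatory domain.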


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ciccio17 - 10-24-2020

Hi ZerBea, thanks. I think I cannot post my phy info here, but anyway I cannot go over channel 173 on 5 GHz and I cannot go under channel 1 on 2.4 GHz. Let's make an example on 2.4 GHz first.

iw phy0 info

* 2397 MHz [-2] (26.0 dBm)
* 2402 MHz [-1] (26.0 dBm)
* 2412 MHz [1] (26.0 dBm)
* 2417 MHz [2] (26.0 dBm)
* 2422 MHz [3] (26.0 dBm)
* 2427 MHz [4] (26.0 dBm)
* 2432 MHz [5] (26.0 dBm)
* 2437 MHz [6] (26.0 dBm)
* 2442 MHz [7] (26.0 dBm)
* 2447 MHz [8] (26.0 dBm)
* 2452 MHz [9] (26.0 dBm)
* 2457 MHz [10] (26.0 dBm)
* 2462 MHz [11] (26.0 dBm)
* 2467 MHz [12] (26.0 dBm)
* 2472 MHz [13] (26.0 dBm)
* 2484 MHz [14] (26.0 dBm)


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-24-2020

You have to take care of:
the channels, modes and tx power supported by the interface
and
the channels, modes and tx power allowed by Regulatory domain

Do you use a Software Defined Radio (SDR)? None of the commonly sold interfaces support the channels you posted, because they are out of the oscillator's range.


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ciccio17 - 10-24-2020

I just patched the ath9k driver and other info, and airodump is working.


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-24-2020

You can modify hcxdumptool to work on your patched driver, too:
here (we need int instead of uint8_t):
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L132
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L6432

and here to allow an expanded range:
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L226

and here to retrieve the expanded range:
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L6464

Please notice:
The signal becomes extremely crappy at the edge of the frequency range (you can verify this using a spectrum analyzer, e.g. R&S®FSC3).


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-24-2020

I pushed an update. This patch is no longer needed:
here (we need int instead of uint8_t):
https://github.com/ZerBea/hcxdumptool/bl...ool.c#L132
https://github.com/ZerBea/hcxdumptool/bl...ol.c#L6432

Starting with this commit we use int instead of uint8_t:
https://github.com/ZerBea/hcxdumptool/commit/c3f021bf915908da22c16b5289ec32ee0d43ea44
That allows us to use more than 255 channels and negative channels.

BTW:
You mentioned airodump-ng so please read this issue report:
https://github.com/aircrack-ng/aircrack-ng/issues/2184
especially that one:
https://github.com/aircrack-ng/aircrack-ng/issues/2184#issuecomment-699992260

Please re-compile the aircrack-ng suite without libnl support. Then check whether an out-of-range channel is really set.

hcxdumptool doesn't use NETLINK (libnl) in favor of ioctl() system calls, and it will notify you if the channel can't be set.
And I have several more "good" reasons not to use NETLINK:
https://www.quora.com/What-are-the-differences-between-netlink-sockets-and-ioctl-calls?share=1

You should also note that iw uses libnl (NETLINK) too.


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ciccio17 - 10-24-2020

Hi ZerBea, thanks a lot for that. I'll try as soon as possible; I need to patch three devices to really try these commits: one AP, one STA, and the other one for hcxdumptool. Also, do you need my strange range on 5 GHz?


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-24-2020

It would be great if you could post the output of hcxdumptool -C (after you have modified hcxdumptool), the Regulatory Domain setting (to allow the kernel to use the expanded channels), as well as some information about the interface (VENDOR).

My HackRF One ends at 6 GHz, but unfortunately the bandwidth is limited to 20 MHz. My measurement equipment ends at 3 GHz. Everything above this frequency gets very expensive for a (retired) hobbyist.

BTW:
Your scan list (5 MHz step) looks like a spectral scan list:
https://wireless.wiki.kernel.org/en/users/drivers/ath9k/spectral_scan
Reporting FFT data is a nice feature of AR92xx and AR93xx.


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ciccio17 - 10-24-2020

Hi ZerBea, I compiled the last commits, not working, some info?

But on regular channels it is working.
I receive an invalid channel message.


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-24-2020

The last commits only allow adding more than 255 channels and using your own channel numbers.
If you want to expand the frequency range you have to modify these functions too, depending on your step size (e.g. 5 MHz steps):
https://github.com/ZerBea/hcxdumptool/bl...ool.c#L226
https://github.com/ZerBea/hcxdumptool/bl...ol.c#L6464
I haven't added this, because it will only work on a modified firmware and a modified driver.

Here we test that the interface set the desired channel:
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L5105

We set the channel:
Code:
if(ioctl(fd_socket, SIOCSIWFREQ, &pwrq) < 0) return false;
and read the channel:
Code:
if(ioctl(fd_socket, SIOCGIWFREQ, &pwrq) == 0) aktchannel = pwrq.u.freq.m;

Depending on the driver's answer we use the new channel or increment the error count.
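The set-then-read-back check described above, written out as an added example in C; it is not hcxdumptool's own code and uses its own names (`set_channel_verified`, `iwfreq_to_channel`, the `errors` counter). It goes one step beyond the quoted snippet, which is an assumption of this example: the SIOCGIWFREQ answer is decoded through `iw_freq.e`, because cfg80211's wext compatibility layer answers with a frequency (m in MHz, e = 6) while some drivers answer with a bare channel number (e = 0), and comparing the raw `m` against the requested channel would wrongly count a successful set as an error in the first case. A frequency such as the 2397 MHz [-2] entry from the patched ath9k output maps to no standard channel and is reported as -1.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <linux/wireless.h>

/* Convert the driver's SIOCGIWFREQ answer to a channel number.
 * cfg80211's wext layer answers in frequency (m = MHz, e = 6); older
 * drivers may answer with the channel number itself (e = 0, small m).
 * Returns -1 when the value maps to no standard 2.4/5 GHz channel. */
int iwfreq_to_channel(const struct iw_freq *f)
{
    if (f->e == 0 && f->m < 1000) return (int)f->m;   /* bare channel number */
    double hz = (double)f->m;
    for (int i = 0; i < f->e; i++) hz *= 10.0;
    int mhz = (int)(hz / 1e6 + 0.5);
    if (mhz == 2484) return 14;                         /* channel 14 breaks the 5 MHz grid */
    if (mhz >= 2412 && mhz <= 2472 && (mhz - 2407) % 5 == 0) return (mhz - 2407) / 5;
    if (mhz >= 5000 && mhz <= 5925 && mhz % 5 == 0) return (mhz - 5000) / 5;
    return -1;
}

/* Set `channel` on `ifname` with SIOCSIWFREQ and confirm it with SIOCGIWFREQ.
 * On any failure the caller's error counter is incremented and false is
 * returned, so the caller skips the channel instead of assuming it is set. */
bool set_channel_verified(int fd, const char *ifname, int channel, int *errors)
{
    struct iwreq wrq;
    memset(&wrq, 0, sizeof wrq);
    strncpy(wrq.ifr_ifrn.ifrn_name, ifname, IFNAMSIZ - 1);
    wrq.u.freq.m = channel;                 /* e == 0: m is a channel number */
    wrq.u.freq.e = 0;
    wrq.u.freq.flags = IW_FREQ_FIXED;
    if (ioctl(fd, SIOCSIWFREQ, &wrq) < 0) { (*errors)++; return false; }

    memset(&wrq.u, 0, sizeof wrq.u);        /* keep the name, clear the answer area */
    if (ioctl(fd, SIOCGIWFREQ, &wrq) < 0) { (*errors)++; return false; }
    if (iwfreq_to_channel(&wrq.u.freq) != channel) { (*errors)++; return false; }
    return true;
}

/* Stand-alone use: ./a.out <monitor-interface> <channel>... (needs root). */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <monitor-interface> <channel>...\n", argv[0]);
        return 2;
    }
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    int errors = 0;
    for (int i = 2; i < argc; i++) {
        int ch = atoi(argv[i]);
        bool ok = set_channel_verified(fd, argv[1], ch, &errors);
        printf("channel %d: %s\n", ch, ok ? "set and confirmed" : "rejected by driver");
    }
    close(fd);
    printf("%d error(s)\n", errors);
    return errors ? 1 : 0;
}
```

The interface must already be in monitor mode, and whether a channel is accepted still depends on the regulatory domain the kernel enforces, which is exactly why the read-back matters: a driver can accept SIOCSIWFREQ and still report a different channel afterwards.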