hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-19-2017

(10-19-2017, 03:51 PM)winxp5421 Wrote: Zerbea, No I have not received any mail from you. I just got done searching my mailbox. I sent you an email via Hashcat.net's Email function to see if this site function is actually working. If you did not receive an email feel free to contact me directly.

Well, answered directly via mail.

Cheers
Mike


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-20-2017

hcxtools and hcxkeys v 4.0.0 released
-------------------------------------------
https://github.com/ZerBea/hcxtools
https://github.com/ZerBea/hcxkeys

many bug and stability fixes
initial OSX support
detection of big endian systems (only detection - running hcxtools on big endian systems is still a challenge)
many new options
improved status messages
improved and sped up authentication engine
better support for cap2hccapx and wpapcap2john (makes detection of handshakes easier for both of them)
better detection of groupkeys (that has nothing to do with KRACK - these groupkeys are installed instead of pairwise keys; they are very rare)
and more...

Many thanks for the great support: Atom, Magnum, RealEnder and Neheb
I could not achieve any of this without your courageously incessant support! So again, thank you so much for this.

Cheers
Mike


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - MrShannon - 10-20-2017

Regarding winxp's question about ignoring clients that were previously captured, would it make sense to add the mac addys of those to a bpf and use -F to filter them out in later runs? I'm wondering if there's a sanity threshold on how many entries can be processed by the filter before it becomes a problem. Dozens of rules? Hundreds? Thousands?
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-20-2017

The BPF works on wlandump-ng, wlanresponse and wlancap2hcx and is extremely fast. The maximum instruction limit per program is restricted to 4096 BPF instructions. That should be enough for stationary operations (surveillance). Create different filter files for different surveillance operations (for example, my BPF for an operation in an already discovered area contains 25 instructions). It doesn't make sense to use a BPF during fast moving operations (reconnaissance). Use different options and filters tailored to the mission!


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - windmaple - 10-25-2017

Hi newbie here,

I tried to use wlandump-ng but couldn't make it work (compilation worked fine). I placed the wifi card into monitor mode but somehow wlandump doesn't like wlan0

    windmaple@windmaple-HP-Pavilion-dv4-Notebook-PC:~$ service network-manager stop
    windmaple@windmaple-HP-Pavilion-dv4-Notebook-PC:~$ sudo airmon-ng start wlan0
    [sudo] password for windmaple:

    Found 3 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    PID Name
    603 avahi-daemon
    675 avahi-daemon
    787 wpa_supplicant

    Interface   Chipset   Driver
    wlan0       Unknown   rtl8192ce - [phy0]
                          (monitor mode enabled on mon0)

    windmaple@windmaple-HP-Pavilion-dv4-Notebook-PC:~$ cd Desktop/crackwifi/
    windmaple@windmaple-HP-Pavilion-dv4-Notebook-PC:~/Desktop/crackwifi$ sudo ../hcxtools/wlandump-ng -i wlan0 -o capture.cap -c 1 -t 60 -d 100 -D 10 -m 512 -b -r -s 20
    sudo: ../hcxtools/wlandump-ng: command not found
    windmaple@windmaple-HP-Pavilion-dv4-Notebook-PC:~/Desktop/crackwifi$ sudo ./hcxtools/wlandump-ng -i wlan0 -o capture.cap -c 1 -t 60 -d 100 -D 10 -m 512 -b -r -s 20
    error opening device wlan0: wlan0: That device is not up
    windmaple@windmaple-HP-Pavilion-dv4-Notebook-PC:~/Desktop/crackwifi$ iwconfig
    eth0      no wireless extensions.

    mon0      IEEE 802.11bgn  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=20 dBm
              Retry short limit:7   RTS thr=2347 B   Fragment thr:off
              Power Management:on

    wlan0     IEEE 802.11bgn  ESSID:off/any
              Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
              Retry short limit:7   RTS thr=2347 B   Fragment thr:off
              Power Management:off

    docker0   no wireless extensions.

    lo        no wireless extensions.


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - freeroute - 10-25-2017

    systemctl network-manager stop
    ifconfig wlan0 down
    iwconfig wlan0 mode monitor
    ifconfig wlan0 up
    systemctl network-manager start


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-25-2017

windmaple:
There are some major problems in your configuration:

1. do not use aircrack-ng tools or scripts in combination with hcxtools. airmon-ng creates a virtual interface (monx) and leaves wlan0 managed!

2. do not use wlandump-ng/wlanresponse on virtual devices like monx
"I placed the wifi card into monitor mode but somehow wlandump doesn't like wlan0"
wlandump-ng/wlanresponse likes wlan0, but they don't like virtual devices!

3. as freeroute wrote, you must identify all services that take access to your capture device and stop them (at least these 2):

    sudo systemctl stop NetworkManager.service
    sudo systemctl stop wpa_supplicant.service

4. as freeroute wrote, you must put the interface into monitor mode (where $WLANDEV is your device name)

    sudo ip link set $WLANDEV down
    sudo iw dev $WLANDEV set type monitor
    sudo ip link set $WLANDEV up
    sudo iw dev $WLANDEV info

5. if you get pcap read errors like this:

    internal pcap errors.....................................: 12

there are more services that prevent wlandump-ng/wlanresponse from accessing the device - you must identify and stop them.

6. when you have finished capturing do not forget to put the device back into managed mode

    sudo ip link set $WLANDEV down
    sudo iw dev $WLANDEV set type managed
    sudo ip link set $WLANDEV up
    sudo iw dev $WLANDEV info

7. and start the services - otherwise you will have no connectivity!

    sudo systemctl start NetworkManager.service
    sudo systemctl start wpa_supplicant.service

I prefer ip in combination with iw, which is much more powerful than ifconfig (archlinux dropped support for the deprecated ifconfig "net-tools" some time back).
Read about the difference between both tools here:
https://www.tecmint.com/ifconfig-vs-ip-command-comparing-network-configuration/
https://p5r.uk/blog/2010/ifconfig-ip-comparison.html


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - windmaple - 10-25-2017

Thanks for the handholding, ZerBea and freeroute!

So I followed the instructions here and was able to run wlandump-ng on wlan0. I think I'm getting close to making it work but right now it seems it doesn't hop to diff channels (it pretty much is stuck on channel 4, which I specified w/ '-c 4'). My understanding has been that wlandump-ng will automatically hop to another channel after 60s. Isn't that the case?

    interface................................: wlan0
    internal pcap errors/maximal pcap errors.: 0/0
    interface channel/hop timer..............: 04/60
    private-mac (oui/nic)....................: 1000006f7656
    deauthentication/disassociation count....: 100/10
    current/maximum ringbuffer entries.......: 9/512
    proberequests/proberesponses.............: 61/31
    associationrequests/reassociationrequests: 0/0
    transmitted m1/received appropriate m2...: 0/0
    received regular m1/m2/m3/m4.............: 0/0/0/0

    mac_ap       hs xe essid (countdown until next deauthentication/disassociation)
    -------------------------------------------------------------------------------
    000fe29538e1 00 00 @city (41/10)
    000fe29538e4 00 00 !MoDuWiFi (37/10)
    000fe29538e0 00 00 ChinaNet (44/10)
    000fe29538e5 00 00 aWiFi (36/10)
    00226c06a978 00 00 Crea2015_A978 (83/10)
    cc81da38f1a8 00 00 @PHICOMM_A0 (100/10)
    808917f1e454 00 00 5F (99/10)

(10-25-2017, 08:04 AM)ZerBea Wrote: windmaple: There are some major problems in your configuration:


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-25-2017

hi windmaple

"I think I'm getting close to making it work but right now it seems it doesn't hop to diff channels (it pretty much is stuck on channel 4, which I specified w/ '-c 4'). My understanding has been that wlandump-ng will automatically hop to another channel after 60s. Isn't that the case?"

No. Option -c 4 means that you start scanning on channel 4.

Refresh of the upper part of the status display depends on received frames (only important frames we need for calculating candidates).

In your case:

    interface channel/hop timer..............: 04/60

The last frames were received on channel 4. No newer frames were received on other channels.
If you receive newer frames, for example on channel 1, the next refresh will show you this:

    interface channel/hop timer..............: 01/60


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-28-2017

according to many user requests:
merged wlanresponse and wlandump-ng
refactored wlandump-ng and removed wlanresponse

wlandump-ng
----------------
- waterfall status
- improved deauthentication stop when retrieved one complete handshake (M1-M4) from ap <-> client
- improved disassociation stop when received one complete handshake (M1-M4) from ap <-> client
- send one undirected proberequest to broadcast after channel change
- improved expanded EAPOL handling
- improved authentication
- improved beaconing on proberequests
- now wlandump-ng is passive by default (only receive) - transmit must be enabled
- changed / new options:

    -R         : enable to respond to all requests
    -D         : enable deauthentications
    -d         : enable disassociations
    -E <digit> : stop deauthentications and disassociations if xx complete handshakes received
               : default = 1 complete handshake (M1-M4)
    -U         : send one undirected proberequest to broadcast after channel change
    -B         : enable beaconing on last proberequest
    -s         : enable status messages

localtime, channel, mac_ap, mac_sta, information

    11:02:52 11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M1M2 handshake (forced)
    11:01:45 11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M1M2 handshake (forced-retransmission)
    11:03:57 11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M1M2 handshake (not verified)
    11:03:57 11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M2M3 handshake (verified)
    11:03:57 11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M3M4 handshake (established)

and full detection of WPS:

    16:36:13 1 xxxxxxxxxxxx --> xxxxxxxxxxxx identity request: hello
    16:36:13 1 xxxxxxxxxxxx <-- xxxxxxxxxxxx identity response: WFA-SimpleConfig-Registrar-1-0
    16:36:14 1 xxxxxxxxxxxx --> xxxxxxxxxxxx WPS-M1 message
    16:36:14 1 xxxxxxxxxxxx <-- xxxxxxxxxxxx WPS-M2 message
    16:36:16 1 xxxxxxxxxxxx --> xxxxxxxxxxxx WPS-M3 message
    16:36:16 1 xxxxxxxxxxxx <-- xxxxxxxxxxxx WPS-M4 message
    16:36:16 1 xxxxxxxxxxxx --> xxxxxxxxxxxx WPS-M5 message
    16:36:16 1 xxxxxxxxxxxx <-- xxxxxxxxxxxx WPS-M6 message
    16:36:16 1 xxxxxxxxxxxx --> xxxxxxxxxxxx WPS-M7 message
    16:36:16 1 xxxxxxxxxxxx <-- xxxxxxxxxxxx WPS-M8 message

aggressive mode:

    wlandump-ng -i <device> -o output.cap -c 1 -t 4 -D -d -E 2 -R -U -B

wlandump-ng attacks everything - deauthentication/disassociation stops when 2 complete handshakes are retrieved (ap-client)

friendly mode:

    wlandump-ng -i $WLANDEV -o output.cap -c 1 -t 120 -R -B

wlandump-ng just looks for clients

silent mode:

    wlandump-ng -i $WLANDEV -o output.cap -c 1 -t 120

wlandump-ng doesn't transmit
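The `-s` status lines above are easy to replay offline, which is handy when reviewing a capture session of your own network or reasoning about when the `-E` stop condition fires. The following parser is an added example written for this thread, not part of hcxtools; the log lines it feeds itself are constructed with placeholder MACs, and the line layout (localtime, channel, mac_ap, direction, mac_sta, information) is taken from the post above.

```python
import re
from collections import defaultdict

# One wlandump-ng -s status line: time, channel, AP MAC, direction, STA MAC, info
STATUS_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<channel>\d+)\s+"
    r"(?P<ap>[0-9a-f]{12})\s+(?P<dir><->|-->|<--)\s+(?P<sta>[0-9a-f]{12})\s+"
    r"(?P<info>.+)$"
)
# EAPOL stage names exactly as wlandump-ng prints them (M1M2 / M2M3 / M3M4)
HANDSHAKE_RE = re.compile(r"^(?P<pair>M1M2|M2M3|M3M4) handshake \((?P<state>[^)]+)\)$")

# Constructed sample session; MACs are placeholders, not real devices
SAMPLE = """\
11:02:52 11 aabbccddeeff <-> 001122334455 M1M2 handshake (forced)
11:03:57 11 aabbccddeeff <-> 001122334455 M2M3 handshake (verified)
11:03:57 11 aabbccddeeff <-> 001122334455 M3M4 handshake (established)
11:04:10  6 aabbccddee00 <-> 001122334466 M1M2 handshake (not verified)
16:36:14  1 aabbccddee00 --> 001122334466 WPS-M1 message
16:36:14  1 aabbccddee00 <-- 001122334466 WPS-M2 message
garbage line that does not match
"""

def parse_status_line(line):
    """Return the fields of one status line as a dict, or None for noise."""
    m = STATUS_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, stop_after=1):
    """Replay -s output and return (stages per AP/STA pair, established pairs,
    WPS messages per pair, stop flag). stop_after mirrors -E: the tool stops
    deauthenticating once this many complete M1-M4 handshakes were seen."""
    stages = defaultdict(set)   # (ap, sta) -> {(pair, state), ...}
    wps = defaultdict(list)     # (ap, sta) -> ["WPS-M1", "WPS-M2", ...]
    for line in lines:
        rec = parse_status_line(line)
        if rec is None:
            continue
        key = (rec["ap"], rec["sta"])
        hs = HANDSHAKE_RE.match(rec["info"])
        if hs:
            stages[key].add((hs["pair"], hs["state"]))
        elif rec["info"].startswith("WPS-"):
            wps[key].append(rec["info"].split()[0])
    # M3M4 "established" is only printed after M1-M4 were all seen
    established = sorted(k for k, s in stages.items() if ("M3M4", "established") in s)
    return stages, established, wps, len(established) >= stop_after
```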
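ZerBea's 10-25 checklist (physical device rather than an airmon-ng monX interface, type monitor, NetworkManager and wpa_supplicant stopped) can be turned into a pre-flight check so the "That device is not up" and pcap error cases are caught before wlandump-ng is started. This is an added example for this thread, not hcxtools code; it parses the output of `iw dev $WLANDEV info` (the sample below is constructed in iw's layout) and takes the list of active service names as an argument rather than calling systemctl itself.

```python
import re

# Constructed `iw dev wlan0 info` output in the layout iw prints
IW_INFO_MONITOR = """\
Interface wlan0
    ifindex 3
    wdev 0x1
    addr 00:11:22:33:44:55
    type monitor
    wiphy 0
    txpower 20.00 dBm
"""

# Services the thread says must be stopped before capturing
CONFLICTING_SERVICES = ("NetworkManager.service", "wpa_supplicant.service")

def parse_iw_info(text):
    """Turn `iw dev <dev> info` output into a dict; the device name lands under 'interface'."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^Interface (\S+)", line)
        if m:
            fields["interface"] = m.group(1)
            continue
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields

def capture_preflight(iw_info_text, active_services):
    """Return a list of problems; an empty list means the device is ready for wlandump-ng."""
    info = parse_iw_info(iw_info_text)
    name = info.get("interface", "")
    problems = []
    if re.fullmatch(r"mon\d+", name):
        problems.append("%s is an airmon-ng virtual interface; use the physical device" % name)
    if info.get("type") != "monitor":
        problems.append("%s is type %s, not monitor" % (name, info.get("type", "?")))
    for svc in CONFLICTING_SERVICES:
        if svc in active_services:
            problems.append("%s is still running and may claim the device" % svc)
    return problems
```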