hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
#1
Small set of tools to capture and convert packets from wlan devices, designed for use with the latest hashcat:

wlandump-ng (Small, fast and powerful deauthentication/authentication/response tool)
wlanresponse (Extreme fast deauthentication/authentication/response tool (unattended use on Raspberry Pi's))
wlanrcascan (Small, fast and simple passive WLAN channel assignment scanner (status output))
wlancapinfo (Shows info of pcap file)
wlancap2hcx (Converts cap to hccapx and other formats (recommended for use with wlandump-ng and wlanresponse))
wlanhcx2cap (Converts hccapx to cap)
wlanhc2hcx (Converts hccap to hccapx)
wlanhcx2essid (Merges hccapx containing the same ESSID)
wlanhcx2ssid (Strips BSSID, ESSID, OUI)
wlanhcx2john (Converts hccapx to format expected by John the Ripper)
wlanhcxinfo (Shows detailed info from contents of hccapxfile)
wlanhcxmnc (Manually do nonce correction on byte number xx of a nonce)
wlancap2wpasec (Upload multiple caps to http://wpa-sec.stanev.org)
whoismac (Show vendor information)
pwhash (Generate hash of a word by using a given charset)
pioff (Turns Raspberry Pi off via GPIO switch - hardware mods required)

Some of the features:
wlandump-ng/wlanresponse are able to prevent complete wlan traffic
wlandump-ng/wlanresponse are able to capture handshakes from not connected clients
wlandump-ng/wlanresponse are able to capture handshakes from 5GHz clients on 2.4GHz
wlandump-ng/wlanresponse are able to capture extended EAPOL (WPA Enterprise, WPS)
wlandump-ng/wlanresponse are able to capture passwords from the wlan traffic
wlancap2hcx is able to strip WPA Enterprise to use with hashcat (-m 4800, -m 5500)
Take a look into help of each tool (-h)

The tools are part of the penetration-distros BlackArch and The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali);
or get latest version from here:

https://github.com/ZerBea/hcxtools

ZerBea
#2
Hot! Thanks!
#3
This is fantastic! Now, all we need is an automated way to scan client probe requests, set up a fake AP with the probe request info, let the client attempt authentication, save to .cap, rinse, repeat.
#4
Well, that's already implemented in wlandump-ng
wlandump-ng -i <wlandevice> -o test.cap -c 1 -t 60 -d 100 -D 10 -m 512 -b -r -s 20

and wlanresponse
wlanresponse -i <wlandevice> -o test.cap -b -t 3

and much more...
#5
I have no words for how amazing you are.
#6
added iSCSI CHAP authentication, MD5(CHAP)
and option to save usernames/identities to a file
#7
refactored scan engine
now full 5GHz support
for fixed channel operation use a high value (-t 86400 for a day)
see wlandump-ng -h
device must support this!
#8
example of a typical output: wlancap2hcx *.cap
start reading from example.cap
27278 packets processed (27278 wlan, 0 lan, 0 loopback)
found 24 usefull wpa handshakes
hashcat --nonce-error-corrections is working on that file
found MD5-Challenge (hashcat -m 4800)
found EAP-TLS Authentication
found EAP-Cisco Wireless Authentication (hashcat -m 5500)
found EAP-SIM (GSM Subscriber Modules) Authentication
found PEAP Authentication
found WPS Authentication
found IPv4 packets
found IPv6 packets
found TCP packets
found UDP packets
found PPP CHAP Authentication packets (hashcat -m 5500)
found wpa encrypted data packets
found wep encrypted data packets
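The wlancap2hcx summary above is a quick inventory of what authentication methods were seen in a capture. As an added example (not part of hcxtools), this script parses that summary format into a report and flags the legacy methods a network owner would want to retire; the sample text is constructed from the output quoted in the post, and the weakness notes are the script's own labels.

```python
import re

# Constructed sample, modelled on the wlancap2hcx output quoted above
SAMPLE_OUTPUT = """start reading from example.cap
27278 packets processed (27278 wlan, 0 lan, 0 loopback)
found 24 usefull wpa handshakes
hashcat --nonce-error-corrections is working on that file
found MD5-Challenge (hashcat -m 4800)
found EAP-TLS Authentication
found EAP-Cisco Wireless Authentication (hashcat -m 5500)
found PEAP Authentication
found WPS Authentication
found PPP CHAP Authentication packets (hashcat -m 5500)
found wpa encrypted data packets
found wep encrypted data packets
"""

# Findings that indicate legacy / weak authentication on the network (own labels)
WEAK_FINDINGS = {
    "MD5-Challenge": "EAP-MD5: response is crackable offline, no server authentication",
    "EAP-Cisco Wireless": "LEAP: MS-CHAPv1 based, crackable offline",
    "PPP CHAP": "CHAP: MD5 challenge/response crackable offline",
    "WPS": "WPS: should be disabled on the AP",
    "wep encrypted": "WEP: broken cipher, migrate to WPA2/WPA3",
}

def parse_summary(text):
    """Turn the wlancap2hcx summary lines into a dict of counts and findings."""
    report = {"packets": None, "handshakes": 0, "findings": [], "hashcat_modes": set()}
    for line in text.splitlines():
        m = re.match(r"(\d+) packets processed", line)
        if m:
            report["packets"] = int(m.group(1))
            continue
        m = re.match(r"found (\d+) usefull? wpa handshakes", line)  # tool spells it 'usefull'
        if m:
            report["handshakes"] = int(m.group(1))
            continue
        if line.startswith("found "):
            finding = line[len("found "):]
            mode = re.search(r"hashcat -m (\d+)", finding)
            if mode:
                report["hashcat_modes"].add(int(mode.group(1)))
            report["findings"].append(re.sub(r"\s*\(hashcat -m \d+\)", "", finding))
    return report

def weak_findings(report):
    """Return (finding, reason) pairs for every legacy method present in the report."""
    return [(f, WEAK_FINDINGS[k]) for f in report["findings"]
            for k in WEAK_FINDINGS if f.startswith(k)]

if __name__ == "__main__":
    rep = parse_summary(SAMPLE_OUTPUT)
    print(rep["packets"], "packets,", rep["handshakes"], "handshakes")
    for finding, reason in weak_findings(rep):
        print("WEAK:", finding, "->", reason)
```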
#9
example of a typical status: sudo wlandump-ng -i wlp0s26u1u2 -o test.cap -c 1 -t 3 -d 100 -D 10 -m 512 -b -r -s 20
interface.....................................................: wlp0s26u1u2
internal pcap errors.....................................: 0
interface channel/hop timer..........................: 08/3
private-mac (oui/nic)...................................: 00a0856e6e00
deauthentication/disassociation count............: 100/10
current/maximum ringbuffer entries..............: 321/512
proberequests/proberesponses.....................: 798/1073
associationrequests/reassociationrequests.....: 421/57
transmitted m1/received appropriate m2.......: 391/843
received regular m1/m2/m3/m4...................: 57/43/55/16

mac_ap hs xe essid (countdown until next deauthentication/disassociation)
---------------------------------------------------------------------------------------------
00a0856e6dfe 00 00 default (94/10)
...
...
17 more status lines containing networkinfos
#10
Hello mate, can you give us a tutorial on how to capture the handshake and how to convert it please? I'm new and I don't know how!