Hi JuniorJPDJ.
Nice to see hcxtools on ANDROID. Implementing this additional blacklisting/state for wlandump-ng isn't so easy.
Best way is to use the -F option (add the client or the AP to the BPF). All entries are skipped by a kernel filter.
Behind this filter, we do
- deauthentication of all clients,
- disassociation of an associated client
- make M4 invalid
- and more....
Implementing a soft coded filter will make us extremely slow here and we are no longer able to go into an authentication sequence.
I test another solution in hcxdumptool (soft coded AP filter on raw packets). Maybe we can add a filter for the client here too.
If hcxdumptool and hcxpcaptool work as expected, they will replace wlandump-ng and wlancap2hcx. I get rid of libpcap.
Both tools are much more effective than the older ones.
Also did many improvements on the 3rd generation tools:
the conversion tool:
$ hcxpcaptool -h
hcxpcaptool 4.1.0 (C) 2018 ZeroBeat
usage:
hcxpcaptool <options>
hcxpcaptool <options> [input.pcap] [input.pcap] ...
hcxpcaptool <options> *.cap
hcxpcaptool <options> *.*
options:
-o <file> : output hccapx file (hashcat -m 2500/2501)
-O <file> : output raw hccapx file (hashcat -m 2500/2501)
-x <file> : output hccap file (hashcat -m 2500)
-X <file> : output raw hccap file (hashcat -m 2500)
-j <file> : output john WPAPSK-PMK file (john wpapsk-opencl)
-J <file> : output raw john WPAPSK-PMK file (john wpapsk-opencl)
-E <file> : output wordlist (autohex enabled) to use as input wordlist for cracker
-I <file> : output unsorted identity list
-U <file> : output unsorted username list
-P <file> : output possible WPA/WPA2 plainmasterkey list
-T <file> : output management traffic information list
: european date timestamp mac_sta mac_ap essid
-H <file> : output dump raw packets in hex
-V : verbose (but slow) status output
-h : show this help
-v : show version
--time-error-corrections=<digit> : maximum allowed time gap (default: 600s)
--nonce-error-corrections=<digit> : maximum allowed nonce gap (default: 8)
: should be the same value as in hashcat
--netntlm-out=<file> : output netNTLMv1 file (hashcat -m 5500 / john netntlm)
--md5-out=<file> : output MD5 challenge file (hashcat -m 4800)
--md5-john-out=<file> : output MD5 challenge file (john chap)
The raw option is very interesting:
If a user types half of his PSK into his phone, this data will be stored and the client tries to connect to "his" AP using only a part of a PSK. hcxdumptool will answer the connect attempt and store the M2 (from an incomplete PSK). If you are able to retrieve this part of the PSK you can run a mask or rule to get the full PSK from an authenticated M2M3M4. This attack requires that you convert all(!) M1M2 combinations!
If a user typed his PSK instead of his ESSID and his ESSID instead of his PSK you can use the raw option too (in combination with the -E -U -I option of hcxpcaptool) to retrieve the PSK.
With the -T option you are able to track clients (by timestamp) - we use tv_sec so that you are able to correlate with a GPS track.
The upcoming analysis tool:
$ hcxhashcattool -h
hcxhashcattool 4.1.0 (C) 2018 ZeroBeat
usage:
hcxhashcattool <options>
options:
-p <file> : input hashcat -m 2500 potfile
-P <file> : output PMK file (PMK : ESSID : PSK)
-h : show this help
-v : show version
hcxhashcattool calculates a PMK file from a 2500 potfile. Now you are able to check networks that occur more often much faster using hashmode 2501. I will add all wlanhcx2xxxx functions to this tool. (all john functions will move to hcxjohntool). Also you can share this PMK list, so that your share partners do not have to recalculate the PMKs.
We only use CPU (multithread) because there are too few PMKs to calculate.
And the attack/dump tool:
$ hcxdumptool -h
hcxdumptool 4.1.0 (C) 2018 ZeroBeat
usage:
hcxdumptool <options>
options:
-i <interface> : interface
-o <dump file> : output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit> : set channel (default = channel 1)
-C <digit> : comma separated scanlist (1,3,5,7...)
-t <seconds> : stay time on channel before hopping to the next channel
: default = 5 seconds
-B <file> : blacklist (do not deauthenticate clients from this hosts - format: xxxxxxxxxxxx)
-I : show suitable wlan interfaces and quit
-T <maxerrors> : terminate after <xx> maximal errors
: default: 1000000
-D : enable to transmit deauthentication- and disassociation-frames
-l : enable capture of IPv4/IPv6 packets
-P : enable poweroff
-s : enable status messages
-h : show this help
-v : show version
Blacklist option is included here.
Using these three tools, you can build up an environment for WPA EAPOL and EAP.
Only a few files/lists needed:
- PSK list (for example wpa-sec cracked.txt)
- 2500 potfile
- 2501 potfile
- PMK list (from hcxhashcattool)
and some simple bash scripts to do the correlation between these files.
This environment is very powerful and will bring you many PSKs:
https://forum.hashkiller.co.uk/topic-vie...323#159323
Amazing, how many PSKs retrieved.....
You can use the attachment to test your environment....
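What the hcxhashcattool PMK step and the "simple bash scripts to do the correlation" above amount to, as an added example in Python (not code from hcxtools). It assumes the hashcat 4.x -m 2500 potfile layout mac_ap:mac_sta:essid:psk, ESSIDs without ':' and without $HEX[] encoding, and a pmk:essid:psk output line matching the help text; the sample potfile lines are constructed.

```python
import hashlib

# Constructed sample potfile lines (assumed hashcat 4.x -m 2500 layout: mac_ap:mac_sta:essid:psk).
# Lines 1-2 are two APs sharing one ESSID and PSK; line 3 has a ':' inside the PSK.
SAMPLE_POTFILE = [
    "000102030405:0a0b0c0d0e0f:IEEE:password",
    "101112131415:1a1b1c1d1e1f:IEEE:password",
    "202122232425:2a2b2c2d2e2f:Cafe:pa:ss",
]


def wpa_pmk(essid: str, psk: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(psk, essid, 4096 iterations, 32 bytes), as IEEE 802.11i defines it."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid.encode(), 4096, 32)


def parse_potfile_line(line: str) -> tuple:
    """Return (essid, psk); the PSK may contain ':', the ESSID may not (assumption)."""
    _mac_ap, _mac_sta, essid, psk = line.rstrip("\n").split(":", 3)
    return essid, psk


def build_pmk_list(potfile_lines) -> list:
    """Emit 'pmk:essid:psk' lines, one per distinct (essid, psk) pair.

    Two APs with the same ESSID and PSK share a PMK, so PBKDF2 runs once per pair.
    """
    seen = {}
    for line in potfile_lines:
        if not line.strip():
            continue
        essid, psk = parse_potfile_line(line)
        if (essid, psk) not in seen:
            seen[(essid, psk)] = wpa_pmk(essid, psk).hex()
    return [f"{pmk}:{essid}:{psk}" for (essid, psk), pmk in seen.items()]


def pmks_for_essids(pmk_lines, essids) -> dict:
    """Correlate a PMK list with ESSIDs seen in new captures (hashmode 2501 input).

    A PMK is bound to its ESSID, so only entries with a matching ESSID are worth trying.
    """
    wanted = set(essids)
    hits = {}
    for line in pmk_lines:
        pmk, essid, _psk = line.rstrip("\n").split(":", 2)
        if essid in wanted:
            hits.setdefault(essid, []).append(pmk)
    return hits
```

The IEEE/password pair is the published 802.11i test vector, so the first emitted PMK can be checked against the standard.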