hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi JuniorJPDJ.
Nice to see hcxtools on ANDROID. Implementing this additional blacklisting/state for wlandump-ng isn't so easy.
Best way is to use the -F option (add the client or the AP to the BPF). All entries are skipped by a kernel filter.
Behind this filter, we do
- deauthentication of all clients,
- disassociation of an associated client
- make M4 invalid
- and more....
Implementing a soft coded filter will us make extreme slow here and we are no longer able to went into an authentication sequence.

I test another solution in hcxdumptool (soft coded AP filter on raw packets). Maybe we can add a filter for the client here too.

If hcxdumptool and hcxpcaptool work as expected, they will replace wlandump-ng and wlancap2hcx. I get rid of libpcap.
Both tools are much more effective than the older ones.

Did also many improvements on the 3. generation tools:

the conversion tool:
$ hcxpcaptool -h
hcxpcaptool 4.1.0 (C) 2018 ZeroBeat
usage:
hcxpcaptool <options>
hcxpcaptool <options> [input.pcap] [input.pcap] ...
hcxpcaptool <options> *.cap
hcxpcaptool <options> *.*

options:
-o <file> : output hccapx file (hashcat -m 2500/2501)
-O <file> : output raw hccapx file (hashcat -m 2500/2501)
-x <file> : output hccap file (hashcat -m 2500)
-X <file> : output raw hccap file (hashcat -m 2500)
-j <file> : output john WPAPSK-PMK file (john wpapsk-opencl)
-J <file> : output raw john WPAPSK-PMK file (john wpapsk-opencl)
-E <file> : output wordlist (autohex enabled) to use as input wordlist for cracker
-I <file> : output unsorted identity list
-U <file> : output unsorted username list
-P <file> : output possible WPA/WPA2 plainmasterkey list
-T <file> : output management traffic information list
         : european date   timestamp   mac_sta   mac_ap   essid
-H <file> : output dump raw packets in hex
-V        : verbose (but slow) status output
-h        : show this help
-v        : show version

--time-error-corrections=<digit>  : maximum allowed time gap (default: 600s)
--nonce-error-corrections=<digit> : maximum allowed nonce gap (default: 8)
                                 : should be the same value as in hashcat
--netntlm-out=<file>              : output netNTLMv1 file (hashcat -m 5500 / john netntlm)
--md5-out=<file>                  : output MD5 challenge file (hashcat -m 4800)
--md5-john-out=<file>             : output MD5 challenge file (john chap)


The raw option es very interesting:
If a user types a half of his PSK into his phone, this data will be stored and the client tries to connect "his" AP using only a part of a PSK.  hcxdumptool will answer the conncet attempt and store the M2 (from an uncomplete PSK). If you are able to retrieve this part of the PSK you can run a mask or rule to get the full PSK from an authenticated  M2M3M4. This attack requires that you convert all(!) M1M2 combinations!

If a user typed his PSK instead of his ESSID and his ESSID instead of his PSK you can use the raw option too (in combination with the -E -U -I option of hcxpcaptool) to retrieve the PSK.

With the -T option you are able to track clients (by timestamp) - we use tv_sec so that you are able to correlate with a GPS track.


The upcomming analysis tool:
$ hcxhashcattool -h
hcxhashcattool 4.1.0 (C) 2018 ZeroBeat
usage:
hcxhashcattool <options>

options:
-p <file> : input hashcat -m 2500 potfile
-P <file> : output PMK file (PMK : ESSID : PSK)
-h        : show this help
-v        : show version

hcxhashcattool calculates a PMK file from a 2500 potfile. Now you are able to check networks that occur more often much faster using hashmode 2501. I will add all wlanhcx2xxxx functions to this tool. (all john functions will move to hcxjohntool). Also you can share this PMK list, so that your share partners ‎do not have to recalculate the PMKs.
We only use CPU (multithread) because there are too few PMKs to calculate.


And the attack/dump tool:
$ hcxdumptool -h
hcxdumptool 4.1.0 (C) 2018 ZeroBeat
usage:
hcxdumptool <options>

options:
-i <interface> : interface
-o <dump file> : output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit>     : set channel (default = channel 1)
-C <digit>     : comma separated scanlist (1,3,5,7...)
-t <seconds>   : stay time on channel before hopping to the next channel
              : default = 5 seconds
-B <file>      : blacklist (do not deauthenticate clients from this hosts - format: xxxxxxxxxxxx)
-I             : show suitable wlan interfaces and quit
-T <maxerrors> : terminate after <xx> maximal errors
              : default: 1000000
-D             : enable to transmit deauthentication- and disassociation-frames
-l             : enable capture of IPv4/IPv6 packets
-P             : enable poweroff
-s             : enable status messages
-h             : show this help
-v             : show version

Blacklist option is included here.

Using this three tools, you can build up an environment for WPA EAPOL and EAP).
Only a few files/lists needed:
- PSK list (for example wpa-sec cracked.txt)
- 2500 potfile
- 2501 potfile
- PMK list (from hcxhashcattool)
and some simple bash scripts to do the correlation between this files.
This environment is very powefull an will bring you many PSKs:
https://forum.hashkiller.co.uk/topic-vie...323#159323
Amazing, how many PSKs retrieved.....
You can use the attachement to test your environment....
Reply


Messages In This Thread
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 02-05-2018, 11:26 PM
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM