hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
(07-26-2018, 09:54 AM)ZerBea Wrote: please use latest git updates!
hashcat:
https://github.com/hashcat/hashcat/commi...3d8d7f4400
hcxtools:
https://github.com/ZerBea/hcxtools
hcxdumptool:
https://github.com/ZerBea/hcxdumptool

or test hcxdumptool-bleeding (disabled make install because it's really a bleeding version):
https://github.com/ZerBea/hcxdumptool_bleeding_testing
I started the complete refactoring of hcxdumptool, because old version acts as an AP for CLIENTs (ap-less attack).
After the implementation of hasmodes 1680x, new hcxdumptool acts as CLIENT for APs (client-less attack), too.
Unfortunately I noticed that new hcxdumptool now attacks itself (because of full mac randomization).

We need full randomization of all values to prevent counter measures against us. That includes
- mac address
- replaycounter
- nonce
- authenticationkeys
- and perhaps more...

Now, bleeding will start like this:
$ sudo ./hcxdumptool-bleeding -i wlp39s0f3u4u5 -o test.pcapng -t 10 -s 1 -H blacklisthost -C blacklistclient

start capturing (stop with ctrl+c)
INTERFACE:...: wlp39s0f3u4u5
MAC_STA......: f0a2253d7966 (client)
MAC_AP.......: 140708855fcf (start OUI)
REPLAYCOUNTER: 64052
ANONCE.......: 56f695dcb497439bbde941b67cdb98b06ad9b98c45dfc55853bd45b8551dabac

[10:14:16 - 001] f0a2253d7966 -> ffffffffffff [SENDING BROADCAST PROBEREQUEST]
...
and if you receive a PMKID it will look like this:
[10:21:18 - 001] xxxxxxxxxxxx -> xxxxxxxxxxxx [EAPOL M1, REPLAYCOUNT 1, FOUND PMKID]

No M2, M3 or M4 needed for hashcat -m 16800 to recover the PSK. The PMKID is authorized by the AP and 100% valid.


Sorry, thank you
Reply


Messages In This Thread
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by strike1953 - 07-26-2018, 02:29 PM