06-04-2019, 06:03 PM
hcxpcaptool does hexify in the same way as hashcat. If we have non-ASCII characters inside the traffic, we do a conversion to HEX-ASCII, too. hashcat understands this and will try these values as PSKs.
We are doing this to make sure we don't lose a possible PSK.
For example, lines 1/2 of your Test -E ESSID. That could be an ESSID, a PSK (EMOJI, UTF-8, or something else). We are doing a $HEX[....] and a hexify to HEX-ASCII. hashcat will test 2 different PSKs in this case.
"...but those PSKs are written by users as the access to the WLANs"
Not at all, some of them came from IoT devices.
"what you explain to me is that they could come from other WLANs not captured on the .16800 file"
Yes. And you will get better results if you run the -E and -I lists against EAPOL (hash mode 2500), because you get more information from a client than from an access point.
That always happens when you capture the PSK from a client and the client attempts to connect to hcxdumptool (AP-less attack). In other words, there is no need to hunt for an access point. Just wait for the client to come to you.
BTW:
3 hours isn't enough. You should consider 24/7 to really get all clients in range. Running hcxdumptool over a long(er) time at a place where you expect many clients is a good idea. The more clients, the better the results.
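The two-candidate behaviour described in the post (a `$HEX[....]` line plus the bare hex digits as a literal passphrase), shown as an added example that is not hcxpcaptool's or hashcat's own code. The functions `candidates`, `decode_line` and `is_valid_wpa_passphrase` are names chosen here, and the ESSID bytes are constructed sample input.

```python
import re
from typing import List

# Matches a hashcat-style hex-encoded wordlist line, e.g. $HEX[436166c3a9]
HEX_LINE = re.compile(r'^\$HEX\[([0-9a-fA-F]*)\]$')


def needs_hex(raw: bytes) -> bool:
    """True if the value contains any byte outside printable ASCII (0x20..0x7e)."""
    return any(b < 0x20 or b > 0x7e for b in raw)


def candidates(raw: bytes) -> List[str]:
    """Wordlist lines to emit for one captured value (ESSID or suspected PSK).

    Printable ASCII is written as-is. Anything else yields the two lines the
    post describes: $HEX[...] (decoded back to the raw bytes by hashcat) and
    the hex digits themselves, tried as a literal ASCII passphrase.
    """
    if not needs_hex(raw):
        return [raw.decode('ascii')]
    hexdigits = raw.hex()
    return [f'$HEX[{hexdigits}]', hexdigits]


def decode_line(line: str) -> bytes:
    """Interpret one wordlist line: $HEX[...] becomes raw bytes, else UTF-8 text."""
    m = HEX_LINE.match(line)
    if m:
        return bytes.fromhex(m.group(1))
    return line.encode('utf-8')


def is_valid_wpa_passphrase(pw: bytes) -> bool:
    """IEEE 802.11 passphrase length rule: 8 to 63 bytes."""
    return 8 <= len(pw) <= 63


if __name__ == '__main__':
    # Constructed sample: an ESSID containing a non-ASCII character.
    essid = 'Caf\u00e9'.encode('utf-8')          # b'Caf\xc3\xa9'
    for line in candidates(essid):
        decoded = decode_line(line)
        print(line, '->', decoded, 'valid PSK length:', is_valid_wpa_passphrase(decoded))
```

Note that only the second candidate passes the length check for this sample, which is why emitting both lines avoids dropping a possible PSK.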