03-15-2020, 09:12 PM
(This post was last modified: 03-15-2020, 09:24 PM by MrShannon. Edit Reason: Firefox messed up post formatting & typos)
Can someone help me find the field order in the .22000 hashlist format? I'm having a heck of a time tracking down the format description, and after digging through the .c code in hcxtools I am just not convinced that I understand what I am looking at :/
I am trying to extract the MAC Address of Clients and APs that were captured to build macfilters for hcxdumptool.
Before the .22000 format was introduced, I was using hcxpcaptool to convert .pcapng's to the .hccapx and older .16800 hashlist formats, then processing those with wlanhcxinfo or awk to get the mac addresses. Of course, now that this tool and these formats are deprecated, I want to move to 22000, but here's how I was doing it:
Code:
# these tools/formats are now deprecated!
# Get Client MAC addresses to filter
# Convert the .pcapng to the older .hccapx format (EAPOL)
hcxpcaptool -o TEST.hccapx *.pcapng
# Get the "station" mac addresses (client MACs)
wlanhcxinfo -i TEST.hccapx -s | sort -u > GOTMACSCLI.txt
# Count how many we've got
wc -l GOTMACSCLI.txt
# 30 GOTMACSCLI.txt
# Convert the .pcapng to the old-older 16800 format (PMKID)
hcxpcaptool -z TEST.16800old *.pcapng
# field 2 of a 16800 line is the AP MAC; quote the separator so the shell cannot glob it
awk -F'*' '{print $2}' TEST.16800old | sort -u > GOTMACSAPS.txt
# Count how many we've got
wc -l GOTMACSAPS.txt
# 45 GOTMACSAPS.txt
Since the .22000 format combines both PMKID and EAPOL captures, I was hoping I could sift the MAC addresses out of the file with tools like awk/grep/sed, but since I don't know the format I am really just making guesses. Can someone confirm my suspicions below?
Code:
# Convert the .pcapng to the new .22000 format (PMKID+EAPOL)
hcxpcapngtool --prefix="TEST" *.pcapng
Did a quick compare of the contents of the GOTMACSCLI.txt and GOTMACSAPS.txt lists by grep'ing for a few examples:
- A MAC that was in GOTMACSCLI.txt should be the MAC of a captured Client. These MACs were in the .22000 list on lines that started with "WPA*02" and were the FIFTH field on that line.
- A MAC that was in GOTMACSAPS.txt should be the MAC of a captured Access Point. These MACs were in the .22000 list on lines that started with "WPA*01" and were the FOURTH field on that line.
- Some of the MACs that were in GOTMACSAPS.txt were in multiple lines of the .22000 list that started with both "WPA*01" and "WPA*02", but they were always in the FOURTH field. I assume this means the AP was involved in a client EAPOL capture as well as a PMKID capture.
- lines that start with "WPA*02" are EAPOL hashes, so I want to grab the FIFTH field as the MAC of the Client to filter
- lines that start with "WPA*01" are PMKID hashes, so I want to grab the FOURTH field as the MAC of the Access Point to filter
Code:
# Get Client MAC addresses to filter and Count how many we've got
grep 'WPA\*02' TEST.22000 | awk -F'*' '{print $5}' | sort -u | wc -l
# 30
# Get Access Point MAC addresses to filter and Count how many we've got
grep 'WPA\*01' TEST.22000 | awk -F'*' '{print $4}' | sort -u | wc -l
# 44
This looks pretty good, but there is a discrepancy in the number of Access Point MAC addresses. I've found other differences in the count of hashes when comparing .hccapx with .22000 before, so I am not totally surprised. That said, this new format seems to have fewer results than the older format. Maybe that's ok...
Am I doing this right?
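An added example (not code from the original post, hashcat or hcxtools) that parses a .22000 hash list and collects AP and client MACs from both line types. It assumes hashcat's documented 22000 layout, WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR, with TYPE 01 for PMKID lines and 02 for EAPOL lines; the sample lines are constructed with dummy hex values.

```python
#!/usr/bin/env python3
"""Extract AP and client MACs from a hashcat .22000 hash list.

Added example, not from the original post or hcxtools. Assumed layout:
  WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR
TYPE 01 = PMKID line (trailing fields empty), TYPE 02 = EAPOL line.
"""
import re
from typing import Set, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{12}$")  # 12 hex digits, no separators

# Constructed sample hash list: PMKID/MIC/nonce/EAPOL values are dummy hex.
SAMPLE_22000 = """\
WPA*01*11111111111111111111111111111111*aabbccddee01*001122334401*54455354***
WPA*02*22222222222222222222222222222222*aabbccddee01*001122334402*54455354*deadbeef*0103005f*02
WPA*02*44444444444444444444444444444444*aabbccddee02*001122334402*54455354*cafebabe*0103005f*02
this is not a hash line
"""


def parse_22000_line(line: str) -> Tuple[str, str, str]:
    """Return (type, mac_ap, mac_client) for one line, or raise ValueError."""
    fields = line.rstrip("\n").split("*")
    if len(fields) < 5 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError(f"not a 22000 hash line: {line!r}")
    mac_ap, mac_client = fields[3].lower(), fields[4].lower()
    if not (MAC_RE.match(mac_ap) and MAC_RE.match(mac_client)):
        raise ValueError(f"malformed MAC in: {line!r}")
    return fields[1], mac_ap, mac_client


def extract_macs(text: str) -> Tuple[Set[str], Set[str], int]:
    """Return (ap_macs, client_macs, skipped) over a whole hash list.

    Both line types carry the AP MAC in field 4 and the client MAC in
    field 5, so an AP seen only on an EAPOL line is still collected.
    Lines that do not parse are counted in `skipped` rather than aborting.
    """
    aps: Set[str] = set()
    clients: Set[str] = set()
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            _hash_type, mac_ap, mac_client = parse_22000_line(line)
        except ValueError:
            skipped += 1
            continue
        aps.add(mac_ap)
        clients.add(mac_client)
    return aps, clients, skipped


if __name__ == "__main__":
    ap_macs, client_macs, bad = extract_macs(SAMPLE_22000)
    print(f"{len(ap_macs)} AP MACs, {len(client_macs)} client MACs, {bad} skipped")
```

Because it reads field 4 from WPA*02 lines as well as WPA*01 lines, the AP set can differ from a grep on WPA*01 alone, which is one place an AP count comparison can diverge.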