hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
We have an initial start value for MAC_AP and MAC_STA:

Code:
$ sudo hcxdumptool -i wlp39s0f3u3u1u2
initialization...

start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
INTERFACE NAME............: wlp39s0f3u3u1u2
INTERFACE HARDWARE MAC....: 74da38f2038f
DRIVER....................: mt7601u
DRIVER VERSION............: 5.6.11-arch1-1
DRIVER FIRMWARE VERSION...: N/A
ERRORMAX..................: 100 errors
BPF code blocks...........: 0
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ROGUE (ACCESS POINT)......: 580943e645ac (BROADCAST HIDDEN)
ROGUE (ACCESS POINT)......: 5809430045ad (BROADCAST OPEN)
ROGUE (ACCESS POINT)......: 580943e645ae (incremented on every new client)
ROGUE (CLIENT)............: d85dfb191ce1
EAPOLTIMEOUT..............: 20000 usec
REPLAYCOUNT...............: 61908
ANONCE....................: d7777e471a712f6a3078e200ccad66f1be031e233b4b952a0a22091e91f23a35
SNONCE....................: 51c535657193024054db65b16e9d6dbde8bcc9b7146a35c5a2ec2255cc7764f8

After we receive the first packet, hcxdumptool starts to collect received MACs and uses them.
Please note: nearly all MACs from probing CLIENTs are randomized - MAC tracing doesn't make sense here.
If you really need real MACs, please use the hcxpcapngtool --all option.
Now filter out PMKIDs and authenticated handshakes. They are received from "real" ACCESS POINTS and "real" CLIENTs.

WPS and WEP:
I talked with Atom about WPS (and WEP) and we decided not to add them.
WPS is reaver/bully/pixie-dust domain, because these tools can do it much better. Besides, hcxdumptool would have to stay on the same frequency for a very long time to do this attack.

The same applies to WEP.
This is aircrack-ng domain, because these tools do it much better. Besides, hcxdumptool would have to stay on the same frequency for a very long time to do this attack.

I'll put my focus on EAPOL, EAP and other Authentication Key Management (AKM) systems like SAE.
This attack vector needs only a few packets before we switch the channel.
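Added example (not code from ZerBea or the hcxtools project): two checks a practitioner would run on values like those in the post above. The first flags randomized client MACs by the locally administered bit, which is the reason MAC tracing of probing clients is pointless. The second reproduces what hashcat does with a converted PMKID: derive the PMK from a candidate PSK, recompute the PMKID over MAC_AP and MAC_STA, and emit the 22000 line. The ESSID "hcxtest" and the two MACs beginning with da: and 02: are constructed sample values; the remaining MACs and the PSK 12345678 are copied from the hcxdumptool output in the post.

```python
"""Added example (not hcxtools code): two checks on values like those in the post.

1. Spot randomized client MACs. A locally administered MAC has bit 1 of its
   first octet set (first octet ends in 2, 6, a or e); randomized probe-request
   MACs fall into this class and cannot be traced back to a device.
2. Verify a PMKID against a candidate PSK and emit the hashcat 22000 line,
   i.e. the computation hashcat runs on a converted capture:
       PMK   = PBKDF2-HMAC-SHA1(PSK, ESSID, 4096 iterations, 32 bytes)
       PMKID = HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA)[:16]
The ESSID "hcxtest" and the da:/02: MACs are constructed sample values; the
other MACs and the PSK 12345678 are taken from the hcxdumptool output above.
"""
import hashlib
import hmac


def parse_mac(text: str) -> bytes:
    """Accept hcxdumptool's bare 12-hex-digit form as well as colon/dash separated MACs."""
    digits = text.strip().lower().replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def is_randomized(mac: bytes) -> bool:
    """True when the U/L (locally administered) bit is set, i.e. not a vendor-burned address."""
    return bool(mac[0] & 0x02)


def classify_macs(macs):
    """Split MAC strings into (randomized, globally unique), keeping input order."""
    randomized, real = [], []
    for text in macs:
        (randomized if is_randomized(parse_mac(text)) else real).append(text)
    return randomized, real


def pmkid_for(psk: str, essid: str, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID as carried in EAPOL M1 (RSN PMKID KDE) for a WPA2-PSK network."""
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode(), essid.encode(), 4096, dklen=32)
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def verify_pmkid(pmkid_hex: str, psk: str, essid: str, mac_ap: str, mac_sta: str) -> bool:
    """Does the candidate PSK reproduce the captured PMKID? (what a cracker does per candidate)"""
    expected = pmkid_for(psk, essid, parse_mac(mac_ap), parse_mac(mac_sta))
    return hmac.compare_digest(bytes.fromhex(pmkid_hex), expected)


def to_hashcat_22000(pmkid_hex: str, essid: str, mac_ap: str, mac_sta: str) -> str:
    """hashcat -m 22000 PMKID line: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***
    (type 01 carries no ANONCE/EAPOL/MESSAGEPAIR fields, hence the trailing empties)."""
    return "WPA*01*{}*{}*{}*{}***".format(
        pmkid_hex, parse_mac(mac_ap).hex(), parse_mac(mac_sta).hex(), essid.encode().hex())


# Constructed sample input: three MACs from the post plus two randomized-style ones.
SAMPLE_MACS = ["74da38f2038f", "da:a1:19:54:3c:01", "580943e645ac",
               "02:0f:b5:aa:bb:cc", "d85dfb191ce1"]

if __name__ == "__main__":
    rnd, real = classify_macs(SAMPLE_MACS)
    print("randomized:", rnd)
    print("real      :", real)
    pmkid = pmkid_for("12345678", "hcxtest",
                      parse_mac("580943e645ac"), parse_mac("d85dfb191ce1")).hex()
    print(to_hashcat_22000(pmkid, "hcxtest", "580943e645ac", "d85dfb191ce1"))
    print("12345678 matches:", verify_pmkid(pmkid, "12345678", "hcxtest", "580943e645ac", "d85dfb191ce1"))
    print("12345679 matches:", verify_pmkid(pmkid, "12345679", "hcxtest", "580943e645ac", "d85dfb191ce1"))
```

Only the MAC_AP/MAC_STA pair and the ESSID go into the PMKID, which is why a single M1 from a "real" access point is enough for a 22000 line, and why a handshake is only useful when both MACs belong to a real AP and a real client.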
Messages In This Thread
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 05-13-2020, 08:42 AM