hashcat Forum

Full Version: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
(11-01-2017, 04:57 PM)ZerBea Wrote: [ -> ]It is possible.
create you combilist.
split the list into 2 parts of the same size
run in terminal1
wlangenpmkocl -I part1 -a plainmasterkeylist1 -P 0 -D 0
run in terminal2
wlangenpmkocl -I part2 -a plainmasterkeylist2 -P 0 -D 1

if both threads finished:
cat plainmasterkeylist1 plainmasterkeylist2 > totallist

Thank you very much
So...

Code:
wlanhcx2ssid -e

argument actually spits out the hex ESSID, is it supposed to? If so, would it be possible for you to put an option to ASCII stringify this?
For the BFP, I wanted to filter out all of the client devices and access points in my own network. Do I just need to find the mac addys for each client, and then add them with "wlan host" and then add the AP's with "wlan ta" ?

As an example...
a phone, and a laptop have mac addys 00:00:00:00:00:11 and 00:00:00:00:00:22
Two access points have mac addys 00:00:00:00:33:00 and 00:00:00:00:44:00

Should my BFP just be a text file 'bpf.txt' with one line like this?
!(wlan host 00:00:00:00:00:11 || wlan host 00:00:00:00:00:22 || wlan ta 00:00:00:00:33:00 || wlan ta 00:00:00:00:44:00)

Then use the filter by adding the -F switch?
wlandump-ng -F bfp.txt -(otherargs)

Thanks!
Hi.

1)
wlanhcx2ssid -e
argument actually spits out the hex ESSID, is it supposed to? If so, would it be possible for you to put
an option to ASCII stringify this?


It is possible, but I don't like it, because it will crash your filesystem, if there are unwanted characters in the ESSID
(like slashes). You can use "grep -r "searchedessid" to get the filename for the essid you're looking for.
And here is a negative example:
https://forum.hashkiller.co.uk/topic-vie...413#152413
This guy postet his collection of hccapx files (essid as filename.hccapx)
Download the zip, extract it and crash your filesystem!


2)
use host for the accesspoints and src for the clients
your BPF should look like this:
!(wlan host 00:00:00:00:00:11 || wlan host 00:00:00:00:00:22 || wlan src 00:00:00:00:33:00 || wlan src 00:00:00:00:44:00)


But keep in mind:
newer clients use a random generated mac! So it's possible that they try to connect to our random generated mac_ap using their random generated mac_sta. In that case, BPF doesn't work as expected.
Accesspoint-less attack not longer working against latest ANDROID devices.
The authentication sequence was changed. Now there are some additional frames
inside the authentication procedure.
This prevents that the client tries to connect to a fake accesspoint and you will get a warning on your device!
I think it came with the KRACK fix.
Is it possible to supply the authentication hash used to view your submissions on the site when submitting hashes via wlancap2wpasec?
Thank you again ZerBea, I've got 42 entries in my BPF and its working like a champ.
Hey. Please, tell me under what settings or conditions we can get the PMK in the dump?
HI strasharo
Is it possible to supply the authentication hash used to view your submissions on the site when submitting hashes via wlancap2wpasec?

No, wpa-sec doesn't support this.
But you can do this if your handshake was found:
Downlod this list:
http://wpa-sec.stanev.org/dict/cracked.txt.gz
ungzip the list an run the list against your hashes. The found key is inside this list.
Hi mob_new.
Please, tell me under what settings or conditions we can get the PMK in the dump?

Only in that case if a WPA-ENTERPRISE client is missconfigured.
The pmk is part of the last part of an expanded EAPOL authentication. Using this key, you are able to connect to the accesspoint.
Sometimes zeroed pmks are in use. wlancap2hcx is able to detect this complete missconfigured networks.