hashcat Forum

Full Version: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
I submitted test.cap.
All cap files I collected from here:
 http://forum.anywlan.com/forum-134-1.html
and I cat'ed them all > test.cap, about 64 MB.
Enjoy.
That's nice.
Maybe we can find more weak passwords.
Some words about wlancap2hcx:

wlancap2hcx needs the ESSID to be received before the handshake follows! Mainly the ESSID is taken from an association request (priority 1).

If you have some caps that are manually cleaned like this one:
http://zalil.su/2602890
M1
M2
M3
M4
beacon

wlancap2hcx will show you this result:
$ wlancap2hcx -o test.hccapx 2602890_DIR-88.cap
start reading from 2602890_DIR-88.cap
5 packets processed (5 wlan, 0 lan, 0 loopback)
found 2 handshakes without ESSIDs (hashcat -m 2501, john WPAPSK-PMK)

Now you have 2 choices:
1) use wlangenpmkocl to generate PMKs for ESSID DIR-88 (not a good idea)
2) run wlancap2hcx on this cap twice (first run using option -p)

first run:
$ wlancap2hcx -p merged.cap 2602890_DIR-88.cap 2602890_DIR-88.cap
start reading from 2602890_DIR-88.cap
5 packets processed (5 wlan, 0 lan, 0 loopback)
found 2 handshakes without ESSIDs (hashcat -m 2501, john WPAPSK-PMK)
start reading from 2602890_DIR-88.cap
5 packets processed (5 wlan, 0 lan, 0 loopback)
found 2 handshakes without ESSIDs (hashcat -m 2501, john WPAPSK-PMK)

second run:
$ wlancap2hcx -o test.hccapx merged.cap
start reading from merged.cap
10 packets processed (10 wlan, 0 lan, 0 loopback)
total 2 usefull wpa handshakes
found 2 handshakes without ESSIDs (hashcat -m 2501, john WPAPSK-PMK)
found 2 WPA2 AES Cipher, HMAC-SHA1

and everything is fine:
$ wlanhcxinfo -i test.hccapx -e
DIR-88
DIR-88

This isn't a bug in wlancap2hcx, because the tool is designed to work together with wlandump-ng.
Both tools work on complete authentications(!) and not on beacons, as a beacon is not part of an authentication sequence.
And keep in mind:
beacons can change!
association requests/association responses in an authentication sequence never change!
Is it possible to ask wlandump to stop responding to probe requests only to specific SSIDs?
Hi ee10.
No, it isn't possible. Searching, comparing and ignoring ESSIDs costs too many CPU cycles. To get into an already initiated authentication process we must be extremely fast (faster than the AP!).

But there is a built-in automatic. If we retrieved an M2 from a client matching our M1, wlandump-ng (bleeding git) stops answering this client (in this case we use the MAC for this session).
But keep in mind:
- many clients use randomly generated MACs
- wlandump-ng uses randomly generated MACs

That means:
if such a client restarts or wlandump-ng restarts, we get new randomly generated MACs.
hcxtools moved to v 4.0.1 (https://github.com/ZerBea/hcxtools):
added wlandump-rs
- uses raw sockets instead of libpcap
- faster and more aggressive than wlandump-ng
- able to capture more handshakes than wlandump-ng
- automatically uses channel 14 and 5GHz channels if the driver supports this
- improvements on scan engine
- improvements on authentication engine
- uses an ap blacklist instead of BPF

$ wlandump-rs -h
wlandump-rs 4.0.1 (C) 2017 ZeroBeat
usage: wlandump-rs <options>

options:
-i <interface> : interface
-o <dump file> : output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit> : set channel (default = channel 1)
-t <seconds> : stay time on channel before hopping to the next channel
: default = 5 seconds
-B <file> : blacklist (do not deauthenticate clients from this hosts - format: xxxxxxxxxxxx)
-I : show suitable wlan interfaces and quit
-T <maxerrors> : terminate after <xx> maximal errors
: default: 1000000
-D : enable to transmit deauthentication- and disassociation-frames
-P : enable poweroff
-s : enable status messages
-h : show this help
-v : show version
It would be nice if we could see the names of the networks that we have captured handshakes for while we are running wlandump-ng/rs.
Hi ee10.
Everything has a price tag and beautiful status costs performance (if function follows form).

wlandump-ng shows you the network names at the first occurrence or if an association/re-association request is received (option -s).

wlandump-rs is an experimental version, optimized for speed on a Raspberry (limited status output). According to latest tests (special thanks to TOXIC and freeroute), we retrieved 20% more (ap-less) handshakes.
Latest device updates (all vendors) make it necessary to handle additional frames during the authentication process. That costs CPU cycles. So wlandump-rs is designed according to the principle "form follows function".
Later on (>= v 4.1.0), I'll rename this version to hcxdump and I'll add a tool to retrieve detailed information from the actual pcap file.

example 1 (4h field operation on top of a hill above a little village):
$ wlancap2hcx 201712160914.cap
start reading from 201712160914.cap
28256 packets processed (28256 wlan, 0 lan, 0 loopback)
total 293 usefull wpa handshakes
found 293 WPA2 AES Cipher, HMAC-SHA1
found 255 valid WPA handshakes (retrieved from clients)
nonce-error-corrections is working on that file
found EAP-SIM (GSM Subscriber Modules) Authentication

using a panel antenna (TP-Link TL-ANT2414A)
and a common WiFi dongle (Tenda W311U+)
connected to a Raspberry Pi A+


example 2 (short walk through a capital city during the rush hour):
$ wlancap2hcx 201712141400.cap
start reading from 201712141400.cap
58728 packets processed (58728 wlan, 0 lan, 0 loopback)
total 801 usefull wpa handshakes
found 801 WPA2 AES Cipher, HMAC-SHA1
found 493 valid WPA handshakes (retrieved from clients)
nonce-error-corrections is working on that file
found EAP-SIM (GSM Subscriber Modules) Authentication
found WPS Authentication

using a nano WiFi dongle (ALLNET ALL0235NANO)
connected to a Raspberry Pi B+


example 3 (15m short trip by car):
$ wlancap2hcx 201712120033.pcap
start reading from 201712120033.pcap
5385 packets processed (5385 wlan, 0 lan, 0 loopback)
found 102 WPA2 AES Cipher, HMAC-SHA1
found 60 valid WPA handshakes (retrieved from clients)
nonce-error-corrections is working on that file

using an omni magnet D-LINK ANT24-0400 antenna on top of the car
and a common WiFi dongle (LOGILINK WL0145 - not the A variant, as that driver isn't working)


Please do not compare hcxtools (wlandump-ng/rs) with other tools. The main purpose is completely different:
- connect a rechargeable battery pack (15000mAh) to a Raspberry Pi
- connect a WiFi dongle (with or without external antenna) to the Raspberry Pi
- put this into your bag (or the bag of your grandma, if she's on a shopping tour) or your car and forget it for the next 10-15 hours
- if you're back home, do the evaluation

There is also no(!) real need to use a high power WiFi dongle as it reduces the time of use dramatically.
It is much better to use less power and a high gain antenna.
6 caps cat > test.cap have been submitted just now
(that forum coin is used up, later I'll collect more if you really need them)
I've been quite busy recently, but I'm still glad to see your masterpiece has a new update.
One more thing: I wrote a short post there
http://forum.anywlan.com/thread-430516-1-1.html
to make some money (forum coins) and give a very brief introduction to hashcat and hcxtools.
Bye, and I wish you all good days.
(06-26-2017, 09:40 PM)ZerBea Wrote:
capture:
sudo wlandump-ng -i wlp0s26u1u2 -o test.cap -c 1 -t 3 -d 100 -D 10 -m 512 -b -r -s 20
Options:
-i -> is the name of your wlan device - do not use virtual devices like mon0, mon1, monx
-o -> capture to this cap
-c -> start on channel 1
-t -> stay 3 seconds on this channel
-d -> deauthenticate clients every 100 received management packets
(do not use values below this, because this will make the AP change the anonce lease time - important for hashcat nonce-corr)
-D -> disassociate clients every 10 received (NULL-, Powersave-, M4-) packets
(do not use values below this, because this will make the AP change the anonce lease time - important for hashcat nonce-corr)
-m -> size of internal ringbuffer (if more received, the oldest will be deleted)
-b -> activate beaconing on last ten probed clients
-r -> reset counter if channel 1 reached
-s -> show 20 additional status lines

wlanresponse is the "angry" brother of wlandump-ng !
sudo wlanresponse -b -t 3 -i wlp0s26u1u2 -o test.cap
-i -> is the name of your wlan device - do not use virtual devices like mon0, mon1, monx
-o -> capture to this cap
-b -> activate beaconing on last ten probed clients
-t -> stay 3 seconds on this channel
less options, no status display, but extreme fast!


convert:
wlancap2hcx -x -e wordlist -o test.hccapx *.cap
Options:
-x -> match exact mac_ap and mac_sta
-e -> extract also found passwords and networknames from wlan traffic (will be appended)
-o -> your hccapx file (new hashes will be appended)
*.cap -> do this from all cap files (or *.pcap from all pcap files or *.pcapng from all pcapng files)

if RADIUS authentications are inside your cap:
-m -> strip these hashes to a file - iSCSI CHAP authentication, MD5(CHAP): use hashcat -m 4800
-n -> strip these hashes to a file - PPP-CHAP and NetNTLMv1 authentication: use hashcat -m 5500
-u -> also extract user names, domain names or identities

Take a look into the help for more options

I will not give tutorials on how to set a device to monitor mode or how to disable systemd services that take access to wlan devices - that's LINUX basic knowledge!
Cheers

Just loaded these tools - perhaps some things have changed since this was posted, as some of the options listed here are no longer available. Is there an updated "tutorial" I should be looking at now, since this was originally posted back in June?
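The convert step quoted above writes a .hccapx file, and the thread's "handshakes without ESSIDs (hashcat -m 2501)" diagnosis comes from what is inside those records. The following is an added example, not code from hcxtools or hashcat: a reader for hashcat's published hccapx v4 record layout (393 bytes per record: signature, version, message_pair, essid_len, essid[32], keyver, keymic[16], mac_ap[6], nonce_ap[32], mac_sta[6], nonce_sta[32], eapol_len, eapol[256]) that lists the ESSID per record the way `wlanhcxinfo -e` does and counts which records must run as -m 2500 (ESSID present) versus -m 2501 (no ESSID, PMK mode). The `make_record` helper builds constructed records with zeroed nonces, MIC and EAPOL for testing; the MACs are made up and the records are not real handshakes.

```python
"""Added example (not part of hcxtools or hashcat): read a .hccapx file and
report which records carry an ESSID (hashcat -m 2500) and which do not
(hashcat -m 2501, PMK mode), the way wlanhcxinfo -e lists network names."""
import struct
from collections import Counter

# hashcat hccapx v4 record layout, 393 bytes, little-endian
HCCAPX_FMT = "<4sIBB32sB16s6s32s6s32sH256s"
HCCAPX_LEN = struct.calcsize(HCCAPX_FMT)   # 393
KEYVER = {1: "WPA (HMAC-MD5)", 2: "WPA2 (HMAC-SHA1)", 3: "WPA2 (AES-128-CMAC)"}


def parse_hccapx(data):
    """Return a list of dicts, one per record; reject bad signatures, bad lengths or trailing bytes."""
    if len(data) % HCCAPX_LEN:
        raise ValueError(f"file size {len(data)} is not a multiple of {HCCAPX_LEN}")
    records = []
    for off in range(0, len(data), HCCAPX_LEN):
        (sig, version, message_pair, essid_len, essid, keyver, keymic, mac_ap,
         nonce_ap, mac_sta, nonce_sta, eapol_len, eapol) = struct.unpack_from(HCCAPX_FMT, data, off)
        if sig != b"HCPX":
            raise ValueError(f"bad signature {sig!r} at offset {off}")
        if essid_len > 32 or eapol_len > 256:
            raise ValueError(f"length field out of range at offset {off}")
        records.append({
            "version": version,
            "message_pair": message_pair,          # raw value as written by the converter
            "essid": essid[:essid_len].decode(errors="replace"),
            "keyver": keyver,
            "mac_ap": mac_ap.hex(), "mac_sta": mac_sta.hex(),
            "nonce_ap": nonce_ap, "nonce_sta": nonce_sta,
            "eapol": eapol[:eapol_len], "keymic": keymic,
        })
    return records


def summarize(records):
    """wlanhcxinfo-style summary: ESSIDs present, records without ESSID, modes and key versions."""
    essids = sorted({r["essid"] for r in records if r["essid"]})
    without = sum(1 for r in records if not r["essid"])
    modes = Counter("-m 2501" if not r["essid"] else "-m 2500" for r in records)
    ciphers = Counter(KEYVER.get(r["keyver"], f"keyver {r['keyver']}") for r in records)
    return {"essids": essids, "without_essid": without, "modes": dict(modes), "ciphers": dict(ciphers)}


def make_record(essid, mac_ap, mac_sta, message_pair=0, keyver=2):
    """Constructed record (zeroed nonces/MIC/EAPOL) for testing, not a real handshake."""
    return struct.pack(HCCAPX_FMT, b"HCPX", 4, message_pair, len(essid), essid,
                       keyver, bytes(16), mac_ap, bytes(32), mac_sta, bytes(32), 99, bytes(99))


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:     # e.g. test.hccapx from wlancap2hcx -o
        recs = parse_hccapx(f.read())
    for r in recs:
        print(f"{r['mac_ap']} {r['mac_sta']} {r['essid'] or '<no ESSID>'}")
    print(summarize(recs))
```

Run it as `python3 hccapx_essids.py test.hccapx` (file name assumed) after the convert step: a non-empty `without_essid` count means the capture lacked an ESSID-carrying frame ahead of those handshakes, and those records need either the PMK route or a re-run of the conversion on a merged cap as described earlier in the thread.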