hashcat Forum

Full Version: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
great! hcxdumptool_bleeding_testing feels more sensitive. thanks
hcxdumptool moved to version 4.1.5
With lots of help from RealEnder, chron0 and rofl0r the tool is complete refactored:

- improved scan engine
- improved authentication engine (incl. Radio Measurement, and NULL frame detection)
- dropped timer
- use threads for LED and channel switch
- use only one file descriptor for raw socket operations
- working on Intel Corporation Centrino Ultimate-N 6300 (rev 3e) WiFi adapter (kernel >= 4.15)
- working on Alfa AWUS036NH, Alfa AWUS036NHA, AWUS036ACH
- more channels allowed (depends on installed wireless regulatory domain)
- simple usage: hcxdumptool -i <interface> -o dumpfile.pcap -t 5
 interface (real interface - no monX) must be in monitor - all services/programms with access to the interface must be stopped!
- new format of blacklist
- and more...

reported to run on Gentoo
https://github.com/ZerBea/hcxdumptool_bl...-369256915

reported to run on OpenWRT/LEDE
https://github.com/ZerBea/hcxdumptool_bl...-369756725

reported to run with AWUS036ACH (driver: https://github.com/kimocoder/rtl8812au)
https://github.com/ZerBea/hcxdumptool_bl...-369300973

reported to run with Intel Corporation Centrino Ultimate-N 6300 (rev 3e)
https://github.com/ZerBea/hcxdumptool_bl...-369259800

$ hcxdumptool -h
hcxdumptool 4.1.5 (C) 2018 ZeroBeat
usage:
hcxdumptool <options>

options:
-i <interface> : interface (monitor mode must be eanabled)
                 ip link set <interface> down
                 iw dev <interface> set type monitor
                 ip link set <interface> up
-o <dump file> : output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-O <dump file> : ip based traffic output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit>     : set scanlist  (1,2,3,... / default = default scanlist)
                 default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12
                 allowed channels:
                 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
                 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 58, 60, 62, 64
                 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144, 147, 149, 151, 153, 155, 157
                 161, 165, 167, 169, 184, 188, 192, 196, 200, 204, 208, 212, 216
-t <seconds>   : stay time on channel before hopping to the next channel
                 default: 5 seconds
-T <maxerrors> : terminate after <x> maximal errors
               : default: 1000000
-D             : do not transmit deauthentications or disassociations
-R             : do not transmit requests
-A             : do not respond to requests from clients
-B <file>      : blacklist (do not deauthenticate clients from this hosts)
                 format = mac_ap:mac_sta:ESSID
                 112233445566:aabbccddeeff:networkname (max. 32 chars)
-P             : enable poweroff
-s             : enable status messages
-I             : show suitable wlan interfaces and quit
-h             : show this help
-v             : show version



Important notice:
Also, we pushed an update of wlancap2wpasec, because wpa-sec activated TLSv1.2!
One of the major problems is to find a good wordlist and to filter out the garbage from that wordlist.

For that purpose you can try hashcat in combination with the new python client from
https://wpa-sec.stanev.org
and a wordlist of your choice (for example from here: https://github.com/berzerk0/Probable-Wordlists)

1. step
do a git clone from latest dwpa: git clone https://github.com/RealEnder/dwpa

2. step
create a directory and copy help_crack.py and "yourwordlist" into this folder

3. step (this will take a while...)
run help_crack.py either with this option:
./help_crack.py -pot potfile.2500 -ad yourwordlist
 
or run help_crack.py with this option:
./help_crack.py -pot potfile.2500 -cd yourwordlist

difference between -cd and -ad is:
-cd test only yourwordlist
-ad test yourwordlist and one common wordlist from wpa-sec

you will retrieve confirmed and real(!) passwords in this files:
cracked.txt (only the passwords, no longer readable by common text editors since this list contains non ASCII/UTF characters, hashcat can handle this as input)
potfile.2500 (complete hashcat pot data: hashcat_md64:mac_ap:mac_sta:ESSID:password)
rkg.txt (additionally retrieved passwords from a default key generator)

In parallel, you can upload your cap file (hcxdumptool, wlandump-ng, airodump-ng, besside-ng, wireshark, tcpdump, kismet) to wpa-sec (via web interface or using wlancap2wpasec). In that case, your captured handshakes are tested, too against this wordlists. You will retrieve the results also in potfile.2500 and the passwords in cracked.txt, immediately.

4. step
Delete yourwordlist and try another one.
You will see, that your confirmed password lists (potfile.2500, cracked.txt) will increase, soon, containing real(!) passwords.

help_crack.py (python2 and 3) should work on LINUX, MacOS and WINDOWS


Added also a new option on hcxdumptool:
-W <dump file> : WEP encrypted packets output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) for your favourite wep cracker
added some improvements to wlancap2wpasec
Now, you can add your personal key to link the results to your ID.

$ wlancap2wpasec -h
wlancap2wpasec 4.1.0 (C) 2018 ZeroBeat
usage: wlancap2wpasec <options> [input.cap] [input.cap] ...
wlancap2wpasec <options> *.cap
wlancap2wpasec <options> *.*

options:
-k <key> : wpa-sec user key
-t <seconds> : set connection timeout (default 30 seconds)
-R : remove cap if upload was successfull
-h : this help
(03-02-2018, 01:44 PM)ZerBea Wrote: [ -> ]hcxdumptool moved to version 4.1.5
With lots of help from RealEnder, chron0 and rofl0r the tool is complete refactored:

- improved scan engine
- improved authentication engine (incl. Radio Measurement, and NULL frame detection)
- dropped timer
- use threads for LED and channel switch
- use only one file descriptor for raw socket operations
- working on Intel Corporation Centrino Ultimate-N 6300 (rev 3e) WiFi adapter (kernel >= 4.15)
- working on Alfa AWUS036NH, Alfa AWUS036NHA, AWUS036ACH
- more channels allowed (depends on installed wireless regulatory domain)
- simple usage: hcxdumptool -i <interface> -o dumpfile.pcap -t 5
 interface (real interface - no monX) must be in monitor - all services/programms with access to the interface must be stopped!
- new format of blacklist
- and more...

reported to run on Gentoo
https://github.com/ZerBea/hcxdumptool_bl...-369256915

reported to run on OpenWRT/LEDE
https://github.com/ZerBea/hcxdumptool_bl...-369756725

reported to run with AWUS036ACH (driver: https://github.com/kimocoder/rtl8812au)
https://github.com/ZerBea/hcxdumptool_bl...-369300973

reported to run with Intel Corporation Centrino Ultimate-N 6300 (rev 3e)
https://github.com/ZerBea/hcxdumptool_bl...-369259800

$ hcxdumptool -h
hcxdumptool 4.1.5 (C) 2018 ZeroBeat
usage:
hcxdumptool <options>

options:
-i <interface> : interface (monitor mode must be eanabled)
                 ip link set <interface> down
                 iw dev <interface> set type monitor
                 ip link set <interface> up
-o <dump file> : output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-O <dump file> : ip based traffic output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit>     : set scanlist  (1,2,3,... / default = default scanlist)
                 default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12
                 allowed channels:
                 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
                 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 58, 60, 62, 64
                 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144, 147, 149, 151, 153, 155, 157
                 161, 165, 167, 169, 184, 188, 192, 196, 200, 204, 208, 212, 216
-t <seconds>   : stay time on channel before hopping to the next channel
                 default: 5 seconds
-T <maxerrors> : terminate after <x> maximal errors
               : default: 1000000
-D             : do not transmit deauthentications or disassociations
-R             : do not transmit requests
-A             : do not respond to requests from clients
-B <file>      : blacklist (do not deauthenticate clients from this hosts)
                 format = mac_ap:mac_sta:ESSID
                 112233445566:aabbccddeeff:networkname (max. 32 chars)
-P             : enable poweroff
-s             : enable status messages
-I             : show suitable wlan interfaces and quit
-h             : show this help
-v             : show version



Important notice:
Also, we pushed an update of wlancap2wpasec, because wpa-sec activated TLSv1.2!

Did the -D option switch change?  I thought post 214 mentioned that -D was to send DEAUTH until M2 received.  I'm confused, does -D mean to send DEAUTH or NOT send DEAUTH?
Pretty sure this is a super basic question, but where do I get a candidate list for determining what to put into my -B blacklist file?  I know the SSID that I don't want to gather any handshakes from, so I'm trying to figure out the format of the file.

The help states mac_ap:mac_sta:ESSID, so does that mean that I need to gather the MAC of each AP and the the MAC of each client on that SSID?  Or, is it enough to just put the SSID on the line of the file?

If I need to get the MAC of AP and the MAC of each client - what's the best way to gather that list?  wlanrcascan?

Again - sorry to ask basic question, but trying to figure this out.
Hi walterlacka.
Several approaches are possible:

you can get it from hashcat potfile
md_64hash : mac_ap : mac_sta : ESSID : PSK (take only mac_ap : mac_sta : ESSID)

you can get it from a hccapx file:
wlanhcxinfo -a -s -e (format is different (!) mac_sta : mac_ap : ESSID)

you can get it live from WLAN traffic
hcxdumptool ... -s
Thank you ZerBea - I will give that a try.

Could you take a peek at post 235 and let me know the status of the -D option of the hcxdumptool?  Maybe I'm reading it incorrectly, but I thought one of your posts said -D was disable DEAUTH and a different post said -D was enable DEAUTH.

Thank you.
Well, changed some options

hcxdumpttool is aggressive by default:
$ hcxdumptool -h
hcxdumptool 4.1.5 (C) 2018 ZeroBeat
-D : do not transmit deauthentications or disassociations
-R : do not transmit requests
-A : do not respond to requests from clients


wlandump-ng is friendly by default:
$ wlandump-ng -h
wlandump-ng 4.1.5 (C) 2018 ZeroBeat
-D : enable deauthentications
-d : enable disassociations
As always, thanks again ZerBea...

I noticed that the latest hcxdumptool supports AWUS036ACH.  Is that the only dual-band adapter supported?  Is there any benefit to using a dual-band adapter?