07-23-2018, 12:21 AM
hcxdumptool default capture format will be pcapng. That means upcomming hcxdumptool 4.2.0 will save the data in pcapng format. wlandump-ng and wlancap2hcx will be removed in version 4.2.0!
I decided to switch to pcapng, because it has many advantages. New attack modes requiere to calculate pre-hashes and nonces during runtime of the dumper. pcapng format is able to handle comments, and we can store this values within the comment field, to provide the following conversiontool with this values. I don't like the idea to use separate files or incredibly long commandlines for this purpose.
You can download first hcxdumptool testversion here:
https://github.com/ZerBea/hcxdumptool_bleeding_testing
This is a bleeding version. So expect compiler warnings and missing functions as well as some (heavy) bugs!
Latest update hcxpcaptool is able to evaluate pcapng options:
$ hcxpcaptool -o test.hccapx sae_simple_psk.pcapng
start reading from sae_simple_psk.pcapng
summary:
file name....................: sae_simple_psk.pcapng
file type....................: pcapng 1.0
file hardware information....: Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz (with SSE4.2)
file os information..........: Linux 4.14.0-kali3-amd64
file application information.: Dumpcap (Wireshark) 2.4.4 (Git v2.4.4 packaged as 2.4.4-1)
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 30
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 2
probe responses..............: 1
association requests.........: 1
association responses........: 1
authentications (SAE)........: 4
deauthentications............: 3
action packets...............: 1
EAPOL packets................: 4
best handshakes..............: 1 (ap-less: 0)
1 handshake(s) written to test.hccapx
Keep in mind: This is only an example of the evaluation of pcapng option fields and n o t SAE cracking!!!
Beside this informations:
file hardware information....: Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz (with SSE4.2)
file os information..........: Linux 4.14.0-kali3-amd64
file application information.: Dumpcap (Wireshark) 2.4.4 (Git v2.4.4 packaged as 2.4.4-1)
hcxdumptool will save the interface name and the first three bytes of the capture device mac (OUI), too, to identify faulty vendor drivers. Also pre-hashed data like client based calculated authenticationkeys and nonces are saved in the comment fields.
Read more about pcapng format specs here:
https://pcapng.github.io/pcapng/
And about the advantages here:
http://www.lovemytool.com/blog/2012/10/f...walls.html
Get example cap from here:
https://github.com/vanhoefm/wifi-example-captures
or here:
https://www.cloudshark.org/captures/3638626f4551
I decided to switch to pcapng, because it has many advantages. New attack modes requiere to calculate pre-hashes and nonces during runtime of the dumper. pcapng format is able to handle comments, and we can store this values within the comment field, to provide the following conversiontool with this values. I don't like the idea to use separate files or incredibly long commandlines for this purpose.
You can download first hcxdumptool testversion here:
https://github.com/ZerBea/hcxdumptool_bleeding_testing
This is a bleeding version. So expect compiler warnings and missing functions as well as some (heavy) bugs!
Latest update hcxpcaptool is able to evaluate pcapng options:
$ hcxpcaptool -o test.hccapx sae_simple_psk.pcapng
start reading from sae_simple_psk.pcapng
summary:
file name....................: sae_simple_psk.pcapng
file type....................: pcapng 1.0
file hardware information....: Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz (with SSE4.2)
file os information..........: Linux 4.14.0-kali3-amd64
file application information.: Dumpcap (Wireshark) 2.4.4 (Git v2.4.4 packaged as 2.4.4-1)
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 30
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 2
probe responses..............: 1
association requests.........: 1
association responses........: 1
authentications (SAE)........: 4
deauthentications............: 3
action packets...............: 1
EAPOL packets................: 4
best handshakes..............: 1 (ap-less: 0)
1 handshake(s) written to test.hccapx
Keep in mind: This is only an example of the evaluation of pcapng option fields and n o t SAE cracking!!!
Beside this informations:
file hardware information....: Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz (with SSE4.2)
file os information..........: Linux 4.14.0-kali3-amd64
file application information.: Dumpcap (Wireshark) 2.4.4 (Git v2.4.4 packaged as 2.4.4-1)
hcxdumptool will save the interface name and the first three bytes of the capture device mac (OUI), too, to identify faulty vendor drivers. Also pre-hashed data like client based calculated authenticationkeys and nonces are saved in the comment fields.
Read more about pcapng format specs here:
https://pcapng.github.io/pcapng/
And about the advantages here:
http://www.lovemytool.com/blog/2012/10/f...walls.html
Get example cap from here:
https://github.com/vanhoefm/wifi-example-captures
or here:
https://www.cloudshark.org/captures/3638626f4551