hashcat Forum

Full Version: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
It is not mandatory for hashcat and hcxtools/hcxdumptool.
Explained here:
https://wpa-sec.stanev.org/
Hi ZerBea

Thank you very much for all the work you have done on hcxdumptool and hcxtools they are fantastic tools!

I am only a keen hobbyist so please forgive my lack of computer skills but I am working my way through understanding just what is going on with your tools and the terms you use when writing on this forum.

Sadly my old hardware is no longer supported by hashcat so I am restricted to using hccap and not hccapx with all the wonderful new features it has.  I am learning as much as I can about hccapx ready for when I have saved up enough!

Until I have built my... "Mega WPA Cracking Machine" and seek WIFI domination ...MMUUHHAAHA I have to use hccap.  I have tried converting the output of hcxdumptool to hccap and it does produce a hccap file but it is not crackable.

I have converted my own network and was (NOT) able to break the known password.  I did manage to convert to hccap(x) and use hashcat with cpu only to crack it though.  The output size of the hccap is also much larger than expected.

I use hcxpcaptool --hccap-out=myfile.hccap (inputfile)

As explained I am only a keen hobbyist so I expect all this to be something I am doing wrong and so please accept my apologies in advance if it is my fault.

Also, again this could be my fault, but using hcxinfo I cannot seem to get output to a text file when using "-o"; I can, however, get output to a text file by doing >>info.txt.

Thanks for your time.
Old hashcat is very, very limited regarding WPA. Additionally, we can have several issues within the conversion process (e.g. the handshake is outside the default nonce-error-correction of hcxpcaptool).
You can try the latest hcxpcapngtool. I'm doing several things better there than in the old version.
But don't expect good/workable results on this ancient hccap format. wlanhcxinfo will not work on this format either.
hcxhashtool now has a built-in test for PSK and/or PMK. To verify that you captured and converted the correct handshake, do the following:
$ hcxpcapngtool -o test.22000 your_capfile_here.pcapng
$ hcxhashtool -i test.22000 --psk=your_PSK_here
Thank you for your help.

I exported and converted the correct handshake so I don't think that was the problem.

I have attached a cap file (the old hashcat test cap from this site) and the resulting hccap file so you can see what happens.  The password is hashcat!

I suggest if converting to hccap is not reliable then perhaps it might be time to remove the option to convert to hccap?  I worry people may be working on hccap's which will never crack.

I understand I am in the minority needing to use hccap.

wlanhcxinfo was used on hccapx, not hccap, when I experienced the no-output issue when using "-o".

The file extension for the attachment is .7z, I had to call it .txt because zipped attachments would not upload.
Tested your example and it is working like a charm. The hccap file is ok!

This is the chain:

Step 1 convert hccap to hccapx (I'm not able to run ancient versions of programs, here)
$ wlanhc2hcx -o test.hccapx hashcat.cap.hccap

Step 2 run hashcat against hccapx
$ hashcat -m 2500 test.hccapx -a 3 'hashcat!'
hashcat (v5.1.0-1563-g3005b5a6) starting...
b0487ad676e2:0025cf2db489:hashcat.net:hashcat!
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: test.hccapx
Time.Started.....: Tue Jan 7 10:03:54 2020 (0 secs)
Time.Estimated...: Tue Jan 7 10:03:54 2020 (0 secs)
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 40 H/s (0.70ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 1/15 (6.67%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:14-29
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 50c Fan: 34% Util: 6% Core:1873MHz Mem:5005MHz Bus:16

Inside the hccap file are 15(!) single records, created by hcxtools. 1 is crackable, 15 not. This is the result of hcxtools' nonce-error-correction (old hashcat can't do it, so hcxtools must do it) in case of an assumed packet loss during capturing.
As the hccap file is ok, your issue must be related to the old hashcat version.
I suggest you use the latest hcxpcapngtool. It doesn't make nonce-error-corrections and provides only basic functions for conversion to old formats.

Pay attention: the cap file is synthetic and doesn't contain valid WPA/RSN information elements. The timestamps are zeroed. You must use the option --ignore-ie to convert this cap file. You will also receive a warning about the timestamps.

$ hcxpcapngtool --hccap=test.hccap --ignore-ie hashcat.cap
reading from hashcat.cap...

summary capture file
file name..............................: hashcat.cap
version (pcap/cap).....................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)................: 01.01.1970 01:00:00
timestamp maximum (GMT)................: 01.01.1970 01:00:00
link layer header type.................: DLT_IEEE802_11 (105)
endianess (capture system).............: little endian
packets inside.........................: 3
packets with zeroed timestamps.........: 3 (warning: this prevents EAPOL time calculation)
BEACON.................................: 1
EAPOL messages (total).................: 2
EAPOLTIME (measured maximum usec)......: 9999998
EAPOL M1 messages......................: 1
EAPOL M2 messages......................: 1
EAPOL pairs............................: 1
EAPOL pairs written to hccap...........: 1
EAPOL M12E2............................: 1

I have to convert the hccap back to hccapx to test it. You don't need this step.
$ wlanhc2hcx -o test.hccapx test.hccap
1 record(s) read from test.hccap
1 record(s) written to test.hccapx

$ hashcat -m 2500 test.hccapx -a 3 'hashcat!'
hashcat (v5.1.0-1563-g3005b5a6) starting...

b0487ad676e2:0025cf2db489:hashcat.net:hashcat!

Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: hashcat.net (AP:b0:48:7a:d6:76:e2 STA:00:25:cf:2d:b4:89)
Time.Started.....: Tue Jan 7 10:33:15 2020 (0 secs)
Time.Estimated...: Tue Jan 7 10:33:15 2020 (0 secs)
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 43 H/s (0.70ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 42c Fan: 29% Util: 35% Core:1885MHz Mem:5005MHz Bus:16

So, everything is fine here, too.
Hi ZerBea

Sorry for my slow reply but I have been at work and I am learning about this stuff as I go so I am not as confident with my replies as I would like to be.

My old (I prefer the term vintage) hardware means I am restricted to hashcat v2.01
I tried your suggestion with hcxpcapngtool.
Obviously I did not re-convert to hccap(x), which is the step you noted I would not have to do, and, success, it cracked! Thank you.

If you enjoy a technical challenge, which it seems like you do, is there any way to convert AP-Less captures to hccap?  Obviously converting the EAPOL should be the same but there are no beacon frames with this method of capture.  Is it possible for you to add the ability to make a hccap using the EAPOL parts and perhaps grab the ESSID from the probe request and pack into a hccap?

I noticed in the help of hcxpcapngtool the following:

bitmask for message pair field:
4: ap-less attack (set to 1) - no nonce-error-corrections necessary

I was not sure how to set a bitmask to see if my request was something already available.

With the new hcxpcapngtool will you be adding the option to allow the user to define mac_ap or mac_station of the target they wish to output as a hccap a bit like the options in wlanhcx2ssid?


A hcxdumptool question if you don't mind:

Using The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) (fully updated) and an Alfa Networks AWUS036H running in VirtualBox.

I occasionally (not always) receive this error when trying to use hcxdumptool.


Code:
initialization...
could not create dumpfile Dump/wifidump_2020_01_08.pcapng
failed to init globals
hcxdumptool need full (monitor mode and full packet injection running all packet types) and exclusive access to the adapter
that is not the case


My wifi card is in monitor mode and I try to run hcxdumptool first, before anything else; if hcxdumptool produces the error, I try wifite and airodump-ng, which work properly. I use these just to check my card is in monitor mode. (I do not run anything else on the wifi when trying to use hcxdumptool.)

The following is a simple script I use to get into monitor mode. Please could you tell me if there is something I should add to my script to reduce the times I have trouble starting hcxdumptool?



Code:
#!/bin/bash
# Stop everything that would otherwise reconfigure or grab the interface
systemctl stop network-manager.service
systemctl stop NetworkManager.service
systemctl stop wpa_supplicant.service
wpa_cli -i wlan0 terminate   # wpa_cli takes the interface via -i, not as a command argument
airmon-ng check kill
rfkill unblock all

# Switch wlan0 to monitor mode; the interface type can only be changed while it is down
ip link set wlan0 down
iw dev wlan0 set monitor control
ip link set wlan0 up


Thanks again ZerBea, you are a wifi God
Well, K*A*L*I isn't a distribution which is easy to use. Why do I say this first? Because of this error message:
"could not create dumpfile Dump/wifidump_2020_01_08.pcapng"

You simply don't have write permission to save the dumpfile.

With the latest commit, I changed the warning to:
"hcxdumptool need full (monitor mode and full packet injection running all packet types) and exclusive access to the as well as write permission for the dumpfile"

This is an example of a script if hcxdumptool can't set monitor mode (e.g. on RTL8188, rtl8812 drivers, which require NETLINK):

Code:
#!/bin/sh
# Take the adapter from the first argument, or list the wl* interfaces and ask for one
if test -z "$1"
then
  for IFACE in `ls -1 /sys/class/net | grep ^wl`
  do
    printf '%s ' "$IFACE"
    cat "/sys/class/net/$IFACE/address"
  done
  printf "\nplease enter WLAN adapter: "
  read WLANDEV
else
  WLANDEV=$1
fi

echo "disabling monitor mode on $WLANDEV"
sudo ip link set "$WLANDEV" down
sudo iw dev "$WLANDEV" set type managed
sudo ip link set "$WLANDEV" up
sudo iw dev "$WLANDEV" info

echo "starting NetworkManager"
sudo systemctl start NetworkManager.service
sudo systemctl start wpa_supplicant.service



"With the new hcxpcapngtool will you be adding the option to allow the user to define mac_ap or mac_station of the target they wish to output as a hccap a bit like the options in wlanhcx2ssid?"

The new hcxhashtool is designed to filter hash files by user options:

Code:
$ hcxhashtool -h
hcxhashtool 5.3.0 (C) 2019 ZeroBeat
usage:
hcxhashtool <options>
options:
-i <file>                    : input PMKID/EAPOL hash file
-o <file>                    : output PMKID/EAPOL hash file
-E <file>                    : output ESSID list (autohex enabled)
-d                           : download http://standards-oui.ieee.org/oui.txt
                             : and save to ~/.hcxtools/oui.txt
                             : internet connection required
-h                           : show this help
-v                           : show version
--type                       : filter by hash type
                             : default PMKID (1) and EAPOL (2)
--essid-group                : convert to ESSID groups
                             : full advantage of reuse of PBKDF2
--essid-len                  : filter by ESSID length
                             : default ESSID length: 0...32
--essid-min                  : filter by ESSID minimum length
                             : default ESSID minimum length: 0
--essid-max                  : filter by ESSID maximum length
                             : default ESSID maximum length: 32
--essid=<ESSID>              : filter by ESSID
--essid_part=<part of ESSID> : filter by part of ESSID
--mac=<MAC>                  : filter by MAC
                             : format: 001122334455 (hex)
--oui-ap                     : filter AP by OUI
                             : format: 001122 (hex)
--oui-client                 : filter CLIENT by OUI
                             : format: 001122 (hex)
--vendor=<VENDOR>            : filter by (part of) VENDOR name
--info=<file>                : output detailed information about content of hash file
--info=stdout                : stdout output detailed information about content of hash file
--vendorlist                 : stdout output VENDOR list sorted by OUI
--psk=<PSK>                  : pre-shared key to test
                             : due to PBKDF2 calculation this is a very slow process
                             : no nonce error corrections
--pmk=<PMK>                  : plain master key to test
                             : no nonce error corrections
--help                       : show this help
--version                    : show version


Today I'll add filtering by message pair, replaycount check, and AP-LESS, too. I will not add this to hcxpcapngtool.

The Linux philosophy (and mine, too) is:
Write programs that do one thing and do it well.
Write programs to work together.
https://en.wikipedia.org/wiki/Unix_philosophy

hcxdumptool -> WiFi part (fast without additional stuff, able to run headless)
hcxpcapngtool -> conversion (fast, without additional filtering stuff, able to run headless)
hcxhashtool -> provide filter / info about content of hashfile / pre-processor for hashcat/JtR
hcxpsktool -> provide information based on MAC and ESSID
wlancap2wpasec -> upload to data base
hcxwltool -> provide word list functions which other tools don't provide

All other hcxtools are deprecated and I'm going to remove them soon (in sync with hashcat and JtR, when they drop the old formats).

Supporting and maintaining these ancient formats (hccap, hccapx, JtR old) is an immense effort.
Please take a look at the latest commit here:
https://github.com/ZerBea/hcxtools/commi...9010c557cc
hcxhashtool: added hccap output
All filter options (except ESSID groups - old hashcat doesn't support reuse of PBKDF2) are working on hccap now.

workflow:
hcxdumptool (-o x.pcapng) -> hcxpcapngtool (-o test.22000) -> hcxhashtool (--hccap=test.hccap)
for your attached example:

$ hcxpcapngtool -o test1.22000 hashcat.cap --ignore-ie
reading from hashcat.cap...
summary capture file
file name..............................: hashcat.cap
version (pcap/cap).....................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)................: 01.01.1970 01:00:00
timestamp maximum (GMT)................: 01.01.1970 01:00:00
link layer header type.................: DLT_IEEE802_11 (105)
endianess (capture system).............: little endian
packets inside.........................: 3
packets with zeroed timestamps.........: 3 (warning: this prevents EAPOL time calculation)
BEACON.................................: 1
EAPOL messages (total).................: 2
EAPOLTIME (measured maximum usec)......: 9999998
EAPOL M1 messages......................: 1
EAPOL M2 messages......................: 1
EAPOL pairs............................: 1
EAPOL pairs written to combi hash file.: 1
EAPOL M12E2............................: 1

$ hcxhashtool -i test.22000 --hccap=test.hccap --info=stdout
SSID......: hashcat.net
MAC_AP....: b0487ad676e2 (TP-LINK TECHNOLOGIES CO.,LTD.)
MAC_CLIENT: 0025cf2db489 (Nokia Danmark A/S)
MP M1M2 E2: not authorized
RC INFO...: replycount checked
MIC.......: d9f3b5b6f744c662518458ac6cc79f11
HASHLINE..: WPA*02*d9f3b5b6f744c662518458ac6cc79f11*b0487ad676e2*0025cf2db489*686173686361742e6e6574*2f0f764c6632d5579c57c3a9fe067a845e22d6435941c1843845db34a2f80dde*0103007502010a0000000000000000000170003e0ad11bc0a9e48679459ebcbffd7ee75697628c371365d7a05e1b35d7d8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*00

OUI information file...: .hcxtools/oui.txt
OUI entires............: 27383
total lines read.......: 1
valid hash lines.......: 1
EAPOL hash lines.......: 1
filter by ESSID len min: 0
filter by ESSID len max: 32
EAPOL written..........: 1
EAPOL written to hccap.: 1

$ ls
hashcat.cap test.22000 test.hccap

No need for conversion to hash format 1680x. That can be done with simple bash commands.

BTW:
You're right, I like a challenge.
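An added example, written for this thread and not code from hcxtools or hashcat, showing in Python what the 22000-line workflow discussed above actually does: parsing a WPA*02 hash line, the --essid / --mac / --oui-ap style filtering from the hcxhashtool help, the --psk / --pmk handshake test ZerBea recommended earlier in the thread (PBKDF2 -> PTK -> MIC), decoding the message-pair byte the hobbyist asked about (bit 4 = AP-less), and packing the 392-byte legacy hccap record. The input is the hash line hcxhashtool printed above for hashcat.cap; the function names are mine, the hccap layout follows hashcat's published struct, and key descriptor version 3 (AES-128-CMAC) is deliberately not implemented.

```python
"""Added example, not hcxtools or hashcat code: the 22000 EAPOL line handling this thread
describes, in Python. Function names and the sample filters are my own; the hccap layout
follows hashcat's published struct. Key descriptor version 3 (AES-CMAC) is not implemented."""
import hashlib
import hmac
import struct

# The WPA*02 line hcxhashtool printed above for hashcat.cap (ESSID hashcat.net, PSK "hashcat!").
# The EAPOL field is split at its structural boundaries so the 96 zero bytes (IV, RSC, ID, MIC) are explicit.
HASHLINE = (
    "WPA*02*d9f3b5b6f744c662518458ac6cc79f11*b0487ad676e2*0025cf2db489"
    "*686173686361742e6e6574"
    "*2f0f764c6632d5579c57c3a9fe067a845e22d6435941c1843845db34a2f80dde"
    "*0103007502010a00000000000000000001"                                   # hdr, desc, key info, len, rc
    "70003e0ad11bc0a9e48679459ebcbffd7ee75697628c371365d7a05e1b35d7d8"     # SNonce
    "00000000000000000000000000000000" "0000000000000000" "0000000000000000"  # key IV, RSC, ID
    "00000000000000000000000000000000"                                     # MIC (zeroed)
    "001630140100000fac040100000fac040100000fac020000*00"                  # key data len, RSN IE, MP
)

def parse_22000(line):
    """Split a WPA*02 line into its fields; PMKID (WPA*01) and malformed lines return None."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] != "02":
        return None
    eapol = bytes.fromhex(f[7])
    key_info = struct.unpack(">H", eapol[5:7])[0]
    return {
        "mic": bytes.fromhex(f[2]), "mac_ap": bytes.fromhex(f[3]), "mac_sta": bytes.fromhex(f[4]),
        "essid": bytes.fromhex(f[5]), "anonce": bytes.fromhex(f[6]), "eapol": eapol,
        "snonce": eapol[17:49],     # EAPOL-Key: 4 hdr + 1 desc + 2 key info + 2 len + 8 rc, then nonce
        "keyver": key_info & 0x07,  # 1 = HMAC-MD5 MIC, 2 = HMAC-SHA1 MIC, 3 = AES-128-CMAC
        "mp": int(f[8], 16),
    }

def describe_mp(mp):
    """Decode hcxpcapngtool's message-pair byte: bits 0-2 name the pair, bit 4 flags an AP-less capture."""
    pairs = ("M1M2", "M1M4", "M2M3", "M2M3", "M3M4", "M3M4", "unused", "unused")
    return {"pair": pairs[mp & 0x07], "ap_less": bool(mp & 0x10)}

def filter_records(records, essid=None, mac=None, oui_ap=None):
    """Subset of hcxhashtool's --essid / --mac / --oui-ap filters; MAC and OUI given as hex like the tool."""
    keep = []
    for r in records:
        if essid is not None and r["essid"] != essid.encode():
            continue
        if mac is not None and bytes.fromhex(mac) not in (r["mac_ap"], r["mac_sta"]):
            continue
        if oui_ap is not None and r["mac_ap"][:3] != bytes.fromhex(oui_ap):
            continue
        keep.append(r)
    return keep

def derive_pmk(psk, essid):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes); the slow step."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)

def derive_kck(pmk, mac_ap, mac_sta, anonce, snonce):
    """802.11 PRF-512 with the 'Pairwise key expansion' label; the KCK used for the MIC is PTK[0:16]."""
    data = (min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return ptk[:16]

def compute_mic(kck, eapol, keyver):
    """MIC over the EAPOL-Key frame with its own MIC field (offset 81, 16 bytes) zeroed."""
    frame = bytearray(eapol)
    frame[81:97] = bytes(16)
    if keyver == 1:
        return hmac.new(kck, frame, hashlib.md5).digest()[:16]
    if keyver == 2:
        return hmac.new(kck, frame, hashlib.sha1).digest()[:16]
    raise ValueError("key descriptor version 3 (AES-128-CMAC) is not implemented here")

def verify(rec, psk=None, pmk=None):
    """What hcxhashtool --psk / --pmk does: True when the candidate reproduces the captured MIC."""
    if pmk is None:
        pmk = derive_pmk(psk, rec["essid"])
    kck = derive_kck(pmk, rec["mac_ap"], rec["mac_sta"], rec["anonce"], rec["snonce"])
    return hmac.compare_digest(compute_mic(kck, rec["eapol"], rec["keyver"]), rec["mic"])

def to_hccap(rec):
    """392-byte legacy hccap record: essid[36], mac_ap, mac_sta, snonce, anonce, eapol[256], size, keyver, mic."""
    if len(rec["eapol"]) > 256:
        raise ValueError("EAPOL frame does not fit the 256-byte hccap field")
    return struct.pack("<36s6s6s32s32s256sii16s", rec["essid"], rec["mac_ap"], rec["mac_sta"],
                       rec["snonce"], rec["anonce"], rec["eapol"], len(rec["eapol"]),
                       rec["keyver"], rec["mic"])

if __name__ == "__main__":
    rec = parse_22000(HASHLINE)
    print(describe_mp(rec["mp"]), "PSK hashcat! valid:", verify(rec, psk="hashcat!"))
    with open("test.hccap", "wb") as fh:   # one record per hccap entry, as wlanhc2hcx reports above
        fh.write(to_hccap(rec))
```

Running it prints the decoded message pair (M1M2, not AP-less) and True for "hashcat!", and writes a single-record test.hccap; feeding the same record through verify with a wrong passphrase returns False, which is exactly the check to run before spending GPU time on a converted handshake. Note that a 22000 line already carries the EAPOL frame with its MIC zeroed and the MIC in a separate field, which is why the hccap writer can copy both straight through.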