hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
And this is really important:
Hashmodes 2501 and 16801 are not cracking hashmodes.
The are only usefull to verfify(!) an existing PMK.
Reply
thank zerbea, i understand now i need the -O output in this case no the -o output, anyway this was a 24 hower dump, i'll try all your suggestion soon possible, and i'll let you know. also i forgot to say that in the -E output i got a clear wpa2 pass.
Reply
24h is good, but you should do that on different days and or different month, too.

Let me say a few words about hcx-suite:
The suite is designed as an analysis suite. All attack vectors run on raw packet level, usually against machines. If there is no weak machine (client) in range, you don't get a PSK or a PMK.
The suite doesn't perform higher lever attacks like running a fake AP using a patched hostapd. From my point of view that is phishing!

And some words about the goal for a new hash line from the perspective of a penetration tester:
The task is to test a network of a company (ESSID: "network", PSK: networkkey1, and some clients)
hcxdumptool got the following result:
... FOUND PMKID CLIENT-LESS
... FOUND PMKID
... FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT
... FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT
... FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT

hcxpcaptool convert the hashes.
hashcat -m 16800 recoverd 2/2 and the correct networkkey1
Unfortunately, we have to to the same on hashmode -2500.
Running latest hashcat (new potfile line, hashcat detects allready cracked networks by PMK and remove them - you will see, the potfile line is different to the olde version) and we got the message that 2 hashes are removed. They belong to the company network.
The left handshake is somebody who tries to get access to the companies network running a false key.
...and we will get this false PSK, too - (reason, why we must run 16800 and 2500).

hashcat's recovering process of a WPA key is divided into 2 parts:
PBKDF2 calculation of the PMK (very slow)
PMK verification (fast) by EAPOL (250x) or(!) PMKID (1680x)
Unfortunately, if we have both, a PMKID and an EAPOL, we must run our wordlist twice. That will cost much time.

Goal of the new hashline is to run PBKDF2 once and to verify the PMK against EAPOL and(!) PMKID in one step (instead of running 2500 and 16800 on the same wordlist). That will save 50% GPU time, because the wordlist is running only once.
Reply
hcxdumptool
status display
INFO: cha=11, rx=1225452, rx(dropped)=47087, tx=6551, powned=47, err=0
Why / when packets are dropped ( rx(dropped)=47087 )?

Thanks
Reply
We drop a packet if
it doesn't contain a usefull information (deauthentication frames, disassociations frames, ack frames, ...)
if it was transmitted twice or more
if it is damaged (and I mean really hard damaged)

Not processing this packets will save us much CPU time and space on SD-card of a Raspberry. The remaining packets are very useful, so we store them to pcapng file. That keeps the pcapng file small.

Running latest hcxdumptool you should count much more dropped packets.
Reply
(04-14-2019, 01:46 PM)ZerBea Wrote: We drop a packet if
it doesn't contain a usefull information (deauthentication frames, disassociations frames, ack frames, ...)
if it was transmitted twice or more
if it is damaged (and I mean really hard damaged)

Not processing this packets will save us much CPU time and space on SD-card of a Raspberry. The remaining packets are very useful, so we store them to pcapng file. That keeps the pcapng file small.

Running latest hcxdumptool you should count much more dropped packets.


Lots of thanks for the detailed reply, Zerbea, much appreciated!

One more question is it possible to run hcxdumptool on NodeMCU (you know of someone who has achieved it); it would be such a powerful combination ( I know you have ported hcxdumptool over to Raspberry Pi).

Thanks, regards and a very pleasant day to you!
Reply
I'm not sure if sombody ported hcxdumptool to run using NodeMCU. But there is a similar project here:
https://null-byte.wonderhowto.com/how-to...r-0193837/

BTW:
hcxdumptool is primary designed to run on a Raspberry running Arch Arm.


.jpg   rpuzerowh_allent0150.jpg (Size: 216.7 KB / Downloads: 11)

Raspberry Pi Zero wh (gpio key stroke and LED: https://github.com/ZerBea/hcxdumptool/bl...iowait.odg)
ALLNET ALLWA0150 (mt7601 chipset)
Intenso 5200 mAh Powerbank
Reply
hi zerbea, from the command hcxpcaptool -o prova, i receive for example 20 handshake, if i want test only two of them how i can do that? that is good when making custom wordlist with know kespace!
Reply
(04-21-2019, 03:20 AM)ciccio17 Wrote: hi zerbea, from the command  hcxpcaptool -o prova, i receive for example 20 handshake, if i want test only two of them how i can do that? that is good when making custom wordlist with know kespace!

You can extract individual hashes from the output file with any text editor. Simply find the mac address you're wanting to isolate and pop it into a new text file.
Reply
@ ciccio17
In case of a hccapx hash file, use
- wlanhcxinfo to get information about the content.
- wlanhcx2ssid to get desired hash or
- split -b 393 --additional-suffix=.hccapx (393 = size of a single hccapx) to split the file
Reply