(11-17-2018, 09:44 AM)ZerBea Wrote: Latest link is expired, so I can't download the file.
hcxdumptool attack and dump modes depend on filter list and filter mode option. Running without this options, hcxdumptool will attack all and capture all!.
If you want to attack a single access point (and you do not want to receive other traffic), add this mac to your filter list. Then use --filterlist=<your filterlist> and filtermode=3
Usage is explained in changelog and -h (menu).

BTW:
I found another issue in big endian conversation in pcapng option fields and fixed it with latest hcxtools commit (I hope so...). Big - little endian conversation is really ugly stuff, because I have no big endian machine here. So your pcapng files are really, really appreciated!

(11-17-2018, 11:22 AM)ZerBea Wrote: v4.pcapng looking good:

$ hcxpcaptool -o test.hccapx -z test.16800 v4.pcapng
reading from v4.pcapng
summary:                                        
file name....................: v4.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 151
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 142
beacons (with ESSID inside)..: 3
probe requests...............: 4
probe responses..............: 8
association requests.........: 3
association responses........: 5
authentications (OPEN SYSTEM): 89
authentications (BROADCOM)...: 5
EAPOL packets................: 39
EAPOL PMKIDs.................: 5
best handshakes..............: 1 (ap-less: 1)

1 handshake(s) written to test.hccapx
5 PMKID(s) written to test.16800

inside of test.16800 is a PMKID from this network ESSID "shit wifi" and the PSK is not 123456789!

$ whoismac -p 07b4xxxx....xxxx*e84e06xxxxxx*f0a225c4c261*736869742077696669
ESSID..: shit wifi
MAC_AP.: e84e06xxxxxx
VENDOR.: EDUP INTERNATIONAL (HK) CO., LTD
MAC_STA: f0a225c4c261
VENDOR.: Private

From the -E option of hcxpcaptool I noticed that there is also an ESSID "Shit Wifi". Unfortunately we have no handshake and no PMKID from this network.

(11-18-2018, 08:26 PM)ZerBea Wrote: I don't think it's a driver issue and I don't think it's a pineapple issue, because use received a PMKID from the access point!

1) check your environment
identify your access point (ESSID and mac)
set the PSK from the access point to 123456789
connect a client to the access point (we need this to verify that the handshakes matches to the PMKID) and use this PSK
use a fix channel (for example: 3)

2) make sure you're using latest git of hcxtools and hcxdumptool
add the mac ap to the filter list
run hcxdumptool:
hcxdumptool -i <your interface> -o test.pcapng --filterlist=your filterlist> --filtermode=3 -t 120 -c 3 --enable-status=1
now wait until you have received a PMKID and a handshake

3) run hcxpcaptool to convert the hashes for hashcat
hcxpcaptool -o test.hccapx -z test.16800 test.pcapng

4) check if test.16800 contains the mac of the access point
and that the mac matches to the mac within test.hccapx
wlanhcxinfo -i test.hccapx -a -e

6) add some words and the PSK 123456789 to the wordlist
first run hashcat on the handshake
hashcat -m 2500 test.hccapx wordlist
hashcat should recover the PSK
now run hashcat on the PMKID
hashcat -m 16800 test.16800 wordlist
hashcat should recover the PSK

7) upload test.pcapng to https://wpa-sec.stanev.org/?
to see if it's crackable by common worlists
use the webinterface or wlancap2wpasec
wlancap2wpasec test.pcapng
if the PSK is easy, wpa-sec should be able to retrieve the the PSK:
Last 24h processed nets: 73876
Last 24h performance: 705.79K/s
Last 24h submissions: 24877
Last 24h founds: 11368
...as of today from wpa-sec stats: https://wpa-sec.stanev.org/?stats