hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version

hashcat Forum (https://hashcat.net/forum) > Misc (https://hashcat.net/forum/forum-15.html) > User Contributions (https://hashcat.net/forum/forum-25.html) > Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 06-15-2018

By the latest hashcat improvement, hcxtools are able to control hashcat's nonce-error-corrections (nonce-error-corrections on/off):

hcxdumptool -> hcxpcaptool -> hashcat

https://github.com/hashcat/hashcat/commit/547025ec475c2aaa4edf16184e91c24fbefe08ff

Some tools don't check the replay count properly or set timestamps to zero. In that case you can override this automatic control by hashcat's --nonce-error-corrections=x

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 06-22-2018

Added full support (TZSP_ENCAP_IEEE_802_11) for TaZmen Sniffer Protocol (TZSP)

```
$ hcxpcaptool -V tzsp.pcap
start reading from tzsp.pcap
summary:
--------
file name....................: tzsp.pcap
file type....................: pcap 2.4
network type.................: DLT_EN10MB (1)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 15
skipped packets..............: 0
packets with FCS.............: 0
WDS packets..................: 15
EAPOL packets................: 15
IPv4 packets.................: 15
UDP packets..................: 15
TZSP (802.11) packets........: 15
```

Read more here: https://wikivisually.com/wiki/TZSP
here: https://wiki.mikrotik.com/wiki/Manual:Tools/Packet_Sniffer
and here: https://github.com/hashcat/hashcat-utils/pull/45

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 06-24-2018

hcxpcaptool: Added full support for AVS header (DLT_IEEE802_11_RADIO_AVS)

Read more about the common capture formats here: https://www.lancom-systems.com/docs/LCOS/reference-manual/#Referenzhandbuch_7.60_EN/Addendum-900/topics/2_12_86_1.html

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 06-27-2018

hcxdumptool / hcxpcaptool: added detection of SAE authentication.

```
$ hcxpcaptool -V sae_simple_psk.pcapng
start reading from sae_simple_psk.pcapng
summary:
file name....................: sae_simple_psk.pcapng
file type....................: pcapng 1.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 30
skipped packets..............: 0
packets with FCS.............: 0
beacons......................: 2
probe responses..............: 1
association requests.........: 1
association responses........: 1
authentications (SAE)........: 4
deauthentications............: 3
action packets...............: 1
EAPOL packets................: 4
best handshakes..............: 1 (ap-less: 0)
```

Read more about SAE authentication here: http://www.mathyvanhoef.com/2018/03/wpa3-technical-details.html

Get example cap from here: https://github.com/vanhoefm/wifi-example-captures
or here: https://www.cloudshark.org/captures/3638626f4551

A good explanation (basic protocol and fundamentals) is here (page 22 - 25): https://www.cwnp.com/covers/2014-09-SAE-at-CWNP.PDF

And a nice video that explains Diffie-Hellman key exchange is here: http://www.youtube.com/watch?v=3QnD2c4Xovk

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - rk3y - 06-30-2018

Hey ZerBea! Thank you so much for this great work - this is simply the most interesting project I witnessed.

One question regarding focussing on ssid/bssid. How to analyze specific stations? Is it possible to read only packets coming from this ssid/bssid with hcxdumptool? Or is there a way to use hcxpcaptool to only extract/filter information associated with a specific ssid/bssid? I would like to use this in your described workflow for extracting probes, identity, etc.

Thank you so much!

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 07-01-2018

Hi rk3y.

> How to analyze specific stations?

That depends on the depth of your analysis.

For a simple analysis run:

hcxdumptool -> hcxpcaptool -T trafficlist *.cap

Result is a list containing simple network relationships (european date : timestamp : mac_sta : mac_ap : essid). Then use simple bash commands to filter the required information (cat, grep, tail, head, awk).

To do a deep analysis, use wireshark. Wireshark contains a filter for every task, so there is no need for me to implement this in hcxtools.

BTW: wlandump-ng and wlancap2hcx are outdated. I will remove them soon, because they depend on libpcap. Using raw sockets makes us much more flexible.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 07-01-2018

hcxpcaptool: added detection of FILS authentication.

```
$ hcxpcaptool -V -I identitylist *.pcapng
start reading from fils-handshake.pcapng
summary:
file name....................: fils-handshake.pcapng
file type....................: pcapng 1.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 92
skipped packets..............: 0
packets with FCS.............: 0
beacons......................: 25
probe responses..............: 2
association requests.........: 2
association responses........: 2
authentications (OPEN SYSTEM): 2
authentications (FILS).......: 2
deauthentications............: 5
action packets...............: 5
EAPOL packets................: 4
EAP packets..................: 6
found........................: EAP type ID
found........................: EAP-PSK Authentication
```

Get example cap from here: https://github.com/vanhoefm/wifi-example-captures/blob/master/experimental/fils-handshake.pcapng

Retrieved identity is in identitylist.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 07-07-2018

hcxpcaptool: added detection of BROADCOM specific authentication.

BROADCOM adds a special vendor tag to the authentication sequence:

```
Tagged parameters (11 bytes)
    Tag: Vendor Specific: Broadcom
        Tag Number: Vendor Specific (221)
        Tag length: 9
        OUI: 00:10:18 (Broadcom)
        Vendor Specific OUI Type: 2
        Vendor Specific Data: 0202000c0000
```

From now on, hcxdumptool and hcxpcaptool are able to capture and detect this:

```
$ hcxpcaptool -V broadcomtag.pcap
start reading from broadcomtag.pcap
summary:
file name....................: broadcomtag.pcap
file type....................: pcap 2.4
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 2
skipped packets..............: 0
packets with FCS.............: 0
authentications (OPEN SYSTEM): 2
authentications (BROADCOM)...: 1
```

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 07-10-2018

hcxpcaptool: added detection of SONOS and APPLE specific authentication.

SONOS adds a special vendor tag to the authentication sequence, too:

```
Tagged parameters (8 bytes)
    Tag: Vendor Specific: Sonos, Inc.
        Tag Number: Vendor Specific (221)
        Tag length: 6
        OUI: 00:0e:58 (Sonos, Inc.)
        Vendor Specific OUI Type: 2
        Vendor Specific Data: 020101
```

APPLE adds a special vendor tag to the authentication sequence, too:

```
Tagged parameters (13 bytes)
    Tag: Vendor Specific: Apple, Inc.
        Tag Number: Vendor Specific (221)
        Tag length: 11
        OUI: 00:17:f2 (Apple, Inc.)
        Vendor Specific OUI Type: 10
        Vendor Specific Data: 0a00010400000000
```

From now on, hcxdumptool and hcxpcaptool are able to capture and detect this:

```
$ hcxpcaptool -V tags.pcap
start reading from tags.pcap
summary:
file name....................: tags.pcap
file type....................: pcap 2.4
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 4
skipped packets..............: 0
packets with FCS.............: 0
authentications (OPEN SYSTEM): 4
authentications (SONOS)......: 1
authentications (APPLE)......: 3
```

Those are really nice fingerprints!

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 07-15-2018

We have some bad issues in radiotap and/or wireshark. Read more about the issue here: https://github.com/secdev/scapy/issues/1465

hcxpcaptool and hcxdumptool will ignore these issues.

Get example pcap from here: https://github.com/secdev/scapy/files/2088036/rt_ext.pcap.txt and rename to rt_ext.pcap (not necessary for hcxpcaptool, but wireshark requires this).

```
$ hcxpcaptool -V *.pcap
start reading from rt_ext.pcap
summary:
--------
file name....................: rt_ext.pcap
file type....................: pcap 2.4
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 10
skipped packets..............: 0
packets with FCS.............: 10
beacons (with ESSID inside)..: 9
```

and compare to wireshark output (Malformed Packet)!

BTW: Normally hcxtools are not interested in evaluation of BEACON frames, but BEACON frames which contain an ESSID are counted by hcxpcaptool. AUTHENTICATION, ASSOCIATIONREQUEST, ASSOCIATIONRESPONSE, REASSOCIATIONREQUEST, REASSOCIATIONRESPONSE frames contain more and important information than stupid BEACON frames. So do not use tools which remove (clean) these frames from your capfiles!
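The vendor-specific tags in the 07-07 and 07-10 posts (Broadcom, Sonos, Apple) are easy to recognise once the authentication frame body is walked as a list of information elements. The following is an added example written for this thread, not code from hcxtools or from ZerBea: it parses the fixed fields and the tagged parameters of an 802.11 authentication frame body, maps the three OUIs quoted above to the labels hcxpcaptool prints, counts frames per algorithm (OPEN SYSTEM, SAE, FILS) and stops cleanly on a truncated element, which is the kind of malformed frame the 07-15 post is about. All frame bodies at the bottom are constructed from the hex shown in the thread, not captured; the algorithm numbers are the ones defined in IEEE 802.11 (0 Open System, 3 SAE, 4-6 the FILS variants from 802.11ai).

```python
"""Classify 802.11 authentication frames by algorithm and by vendor-specific tag.

Added example for this thread, not code from hcxtools. The OUIs and tag payloads
are the ones shown in the Wireshark dissections quoted above; every frame body
below is constructed, not captured.
"""
import struct
from collections import Counter

# Fixed fields of an authentication frame body (IEEE 802.11, little-endian):
# authentication algorithm (2), transaction sequence number (2), status code (2).
AUTH_FIXED_LEN = 6
TAG_VENDOR_SPECIFIC = 221

# Authentication algorithm numbers from the 802.11 standard; 4..6 are the FILS
# variants introduced by 802.11ai.
AUTH_ALGORITHMS = {
    0: "OPEN SYSTEM",
    1: "SHARED KEY",
    2: "FAST BSS TRANSITION",
    3: "SAE",
    4: "FILS",
    5: "FILS",
    6: "FILS",
}

# OUI -> vendor label, exactly as hcxpcaptool names them in the thread.
VENDOR_OUIS = {
    bytes.fromhex("001018"): "BROADCOM",
    bytes.fromhex("000e58"): "SONOS",
    bytes.fromhex("0017f2"): "APPLE",
}


def parse_tagged_parameters(data):
    """Yield (tag_number, payload) for each information element in data.

    A truncated trailing element ends the walk instead of raising, which is
    what a capture tool wants on the malformed frames the thread mentions.
    """
    offset = 0
    while offset + 2 <= len(data):
        tag, length = data[offset], data[offset + 1]
        start = offset + 2
        if start + length > len(data):
            break
        yield tag, data[start:start + length]
        offset = start + length


def vendor_tags(tags):
    """Return [(vendor, oui_type, data_hex)] for the vendor-specific tags.

    Wireshark lists the OUI type separately, but its "Vendor Specific Data"
    line still starts with that type byte; data_hex keeps it the same way so
    it matches the hex strings quoted in the thread.
    """
    found = []
    for tag, payload in tags:
        if tag != TAG_VENDOR_SPECIFIC or len(payload) < 4:
            continue
        oui, data = payload[:3], payload[3:]
        found.append((VENDOR_OUIS.get(oui, oui.hex()), data[0], data.hex()))
    return found


def classify_authentication(body):
    """Return (algorithm_name, [vendor tags]) for one authentication frame body."""
    if len(body) < AUTH_FIXED_LEN:
        raise ValueError("authentication frame body shorter than fixed fields")
    algorithm, _seq, _status = struct.unpack_from("<HHH", body, 0)
    name = AUTH_ALGORITHMS.get(algorithm, "UNKNOWN (%d)" % algorithm)
    # Only Open System frames carry information elements after the fixed
    # fields; SAE and FILS put commit/confirm or FILS fields there instead.
    if algorithm != 0:
        return name, []
    return name, vendor_tags(parse_tagged_parameters(body[AUTH_FIXED_LEN:]))


def summarize(bodies):
    """Count algorithms and vendor tags the way hcxpcaptool -V reports them."""
    counts = Counter()
    for body in bodies:
        name, tags = classify_authentication(body)
        counts[name] += 1
        for vendor, _oui_type, _data in tags:
            counts[vendor] += 1
    return counts


# --- constructed sample frame bodies (not captured data) --------------------
def _auth_body(algorithm, seq=1, status=0, tail=b""):
    return struct.pack("<HHH", algorithm, seq, status) + tail


def _vendor_tag(oui_hex, data_hex):
    payload = bytes.fromhex(oui_hex) + bytes.fromhex(data_hex)
    return bytes([TAG_VENDOR_SPECIFIC, len(payload)]) + payload


SAMPLE_FRAMES = [
    _auth_body(0, tail=_vendor_tag("000e58", "020101")),            # Sonos
    _auth_body(0, tail=_vendor_tag("0017f2", "0a00010400000000")),  # Apple
    _auth_body(0, tail=_vendor_tag("0017f2", "0a00010400000000")),  # Apple
    _auth_body(0, tail=_vendor_tag("0017f2", "0a00010400000000")),  # Apple
    _auth_body(0, tail=_vendor_tag("001018", "0202000c0000")),      # Broadcom
    _auth_body(3, tail=b"\x13\x00"),  # SAE commit: group ID 19 follows, not IEs
    _auth_body(0, tail=bytes([TAG_VENDOR_SPECIFIC, 20, 0, 0])),     # truncated IE
]

if __name__ == "__main__":
    for key, value in sorted(summarize(SAMPLE_FRAMES).items()):
        print("authentications (%s): %d" % (key, value))
```

The tag lengths of the constructed frames (9, 6 and 11) match the Wireshark output quoted in the posts, which is how to confirm that the "Vendor Specific Data" field is read at the right offset. The same walk over tagged parameters applies to association and reassociation frames, which is why the thread prefers those frames over beacons.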
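The 06-22 post adds TZSP support: with a MikroTik-style sniffer the 802.11 frames arrive inside UDP, so a converter must first strip the TZSP header before it can look at EAPOL or authentication frames. The block below is an added example, not hcxtools code, showing that decapsulation in Python. It follows the public TZSP description (1-byte version, 1-byte type, 16-bit encapsulation, a list of tagged fields closed by an END tag, then the encapsulated packet); the constant values, the tag names and the UDP port 37008 are taken from that description rather than from the thread, and the UDP payload at the bottom is constructed. It accepts only the IEEE 802.11 encapsulation (the TZSP_ENCAP_IEEE_802_11 case the post mentions) and rejects Ethernet or a tag list without an END tag instead of guessing where the frame starts.

```python
"""Decapsulate TaZmen Sniffer Protocol (TZSP) packets carrying 802.11 frames.

Added example, not hcxtools code. Header layout and constants follow the public
TZSP description; the sample UDP payload below is constructed, not captured.
"""
import struct

TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0          # packet captured by the sniffer
TZSP_ENCAP_ETHERNET = 0x01
TZSP_ENCAP_IEEE_802_11 = 0x12   # the only encapsulation accepted here
TZSP_TAG_PADDING = 0x00         # single byte, no length field
TZSP_TAG_END = 0x01             # single byte, last tag before the payload
TZSP_UDP_PORT = 37008           # UDP port the sniffer streams to

# Tagged fields that carry a length byte followed by a value.
TAG_NAMES = {
    0x0A: "rx_signal", 0x0B: "rx_noise", 0x0C: "rx_channel",
    0x0D: "rx_data_rate", 0x0F: "rx_timestamp", 0x11: "packet_count",
    0x12: "rx_frame_length", 0x28: "wlan_radio_hdr_serial",
}


class TzspError(ValueError):
    """Raised for a TZSP packet this decapsulator will not pass on."""


def decapsulate(udp_payload):
    """Return (tags, inner_frame) for a TZSP packet carrying an 802.11 frame."""
    if len(udp_payload) < 4:
        raise TzspError("TZSP header truncated")
    version, ptype, encap = struct.unpack_from("!BBH", udp_payload, 0)
    if version != TZSP_VERSION:
        raise TzspError("unsupported TZSP version %d" % version)
    if ptype != TZSP_TYPE_RECEIVED:
        raise TzspError("not a received-packet message (type %d)" % ptype)
    if encap != TZSP_ENCAP_IEEE_802_11:
        raise TzspError("encapsulation 0x%02x is not IEEE 802.11" % encap)
    tags = {}
    offset = 4
    while True:
        if offset >= len(udp_payload):
            raise TzspError("tag list has no END tag")
        tag = udp_payload[offset]
        offset += 1
        if tag == TZSP_TAG_END:
            break
        if tag == TZSP_TAG_PADDING:
            continue
        if offset >= len(udp_payload):
            raise TzspError("tag 0x%02x has no length byte" % tag)
        length = udp_payload[offset]
        offset += 1
        value = udp_payload[offset:offset + length]
        if len(value) != length:
            raise TzspError("tag 0x%02x value truncated" % tag)
        tags[TAG_NAMES.get(tag, "tag_0x%02x" % tag)] = value
        offset += length
    return tags, udp_payload[offset:]


def signal_dbm(tags):
    """RX signal tag as a signed dBm value, or None if the sniffer omitted it."""
    if "rx_signal" not in tags:
        return None
    return int.from_bytes(tags["rx_signal"], "big", signed=True)


def frame_type_subtype(frame):
    """Return (type, subtype) from the 802.11 frame control field."""
    if len(frame) < 2:
        raise TzspError("802.11 frame shorter than frame control")
    fc = frame[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF


# --- constructed sample packets (not captured data) --------------------------
# Open System authentication frame: FC 0xb0, duration, 3 addresses, sequence
# control, then algorithm 0 / sequence 1 / status 0.
_AUTH_FRAME = (
    b"\xb0\x00" + b"\x3a\x01"
    + bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    + bytes.fromhex("66778899aabb") + b"\x10\x00"
    + struct.pack("<HHH", 0, 1, 0)
)
SAMPLE_TZSP_PACKET = (
    bytes([TZSP_VERSION, TZSP_TYPE_RECEIVED]) + struct.pack("!H", TZSP_ENCAP_IEEE_802_11)
    + b"\x0c\x01\x06"            # rx_channel = 6
    + b"\x0a\x01\xc2"            # rx_signal = -62 dBm
    + b"\x00"                    # padding
    + b"\x01"                    # END
    + _AUTH_FRAME
)
SAMPLE_ETHERNET_TZSP = bytes([1, 0]) + struct.pack("!H", TZSP_ENCAP_ETHERNET) + b"\x01" + b"\x00" * 14

if __name__ == "__main__":
    tags, frame = decapsulate(SAMPLE_TZSP_PACKET)
    print("channel", tags["rx_channel"][0], "signal", signal_dbm(tags), "dBm")
    print("type/subtype", frame_type_subtype(frame))
```

Once the inner frame is recovered, it can be fed to the same frame classification a native monitor-mode capture goes through; a sniffer that sends Ethernet encapsulation or a different TZSP message type is refused rather than misparsed, which mirrors how hcxpcaptool counts only TZSP (802.11) packets in its summary.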