hcxtools - solution for capturing wlan traffic and conversion to hashcat formats

hashcat Forum (https://hashcat.net/forum) - Thread: /thread-6661.html

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-04-2020

It is not mandatory for hashcat and hcxtools/hcxdumptool. Explained here: https://wpa-sec.stanev.org/

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - WPA_Catcher - 01-06-2020

Hi ZerBea

Thank you very much for all the work you have done on hcxdumptool and hcxtools, they are fantastic tools! I am only a keen hobbyist so please forgive my lack of computer skills, but I am working my way through understanding just what is going on with your tools and the terms you use when writing on this forum.

Sadly my old hardware is no longer supported by hashcat so I am restricted to using hccap and not hccapx with all the wonderful new features it has. I am learning as much as I can about hccapx ready for when I have saved up enough! Until I have built my... "Mega WPA Cracking Machine" and seek WIFI domination ...MMUUHHAAHA I have to use hccap.

I have tried converting the output of hcxdumptool to hccap and it does produce a hccap file but it is not crackable. I have converted my own network and was (NOT) able to break the known password. I did manage to convert to hccap(x) and use hashcat with cpu only to crack it though. The output size of the hccap is also much larger than expected.

I use
hcxpcaptool --hccap-out=myfile.hccap (inputfile)

As explained I am only a keen hobbyist so I expect all this to be something I am doing wrong, and so please accept my apologies in advance if it is my fault.

Also, again this could be my fault, but using hcxinfo I cannot seem to get an output to a text file when using "-o". I can however get an output to a text file by doing >>info.txt

Thanks for your time.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-06-2020

Old hashcat is very, very limited regarding WPA. Additionally, we can have several issues within the conversion process (e.g. handshake is outside default nonce-error-correction of hcxpcaptool). You can try latest hcxpcapngtool. I'm doing several things here better than in the old version. But don't expect good/workable results on this ancient hccap format. wlanhcxinfo will not work on this format, too.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-06-2020

hcxhashtool now has a built-in test for PSK and/or PMK. To verify that you captured and converted the correct handshake do the following:

$ hcxpcapngtool -o test.22000 your_capfile_here.pcapng
$ hcxhashtool -i test.22000 --psk=your_PSK_here

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - WPA_Catcher - 01-06-2020

Thank you for your help. I exported and converted the correct handshake so I don't think that was the problem. I have attached a cap file (the old hashcat test cap from this site) and the resulting hccap file so you can see what happens. The password is hashcat!

I suggest if converting to hccap is not reliable then perhaps it might be time to remove the option to convert to hccap? I worry people may be working on hccap's which will never crack. I understand I am in the minority needing to use hccap.

wlanhcxinfo was used on hccapx not hccap when I experienced the none output issue when using "-o".

The file extension for the attachment is .7z, I had to call it .txt because zipped attachments would not upload.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-07-2020

Tested your example and it is working like a charm. The hccap file is ok! This is the chain:

Step 1: convert hccap to hccapx (I'm not able to run ancient versions of programs, here)

$ wlanhc2hcx -o test.hccapx hashcat.cap.hccap

Step 2: run hashcat against hccapx

$ hashcat -m 2500 test.hccapx -a 3 'hashcat!'
hashcat (v5.1.0-1563-g3005b5a6) starting...

b0487ad676e2:0025cf2db489:hashcat.net:hashcat!

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: test.hccapx
Time.Started.....: Tue Jan 7 10:03:54 2020 (0 secs)
Time.Estimated...: Tue Jan 7 10:03:54 2020 (0 secs)
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 40 H/s (0.70ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 1/15 (6.67%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:14-29
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 50c Fan: 34% Util: 6% Core:1873MHz Mem:5005MHz Bus:16

Inside the hccap file are 15(!) single records, created by hcxtools. 1 is crackable, 15 not. This is the result of hcxtools nonce-error-correction (old hashcat can't do it, so hcxtools must do it) in case of an assumed packet loss during capturing.

As the hccap file is ok, your issue must be related to the old hashcat version.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-07-2020

I suggest you use the latest hcxpcapngtool. It doesn't make nonce-error-corrections and provides only basic functions for conversion to old formats.

Pay attention: The cap file is synthetic and doesn't contain valid WPA/RSN information elements. The timestamps are zeroed. You must use option --ignore-ie to convert this cap file. Also you receive a warning about the timestamps.

$ hcxpcapngtool --hccap=test.hccap --ignore-ie hashcat.cap
reading from hashcat.cap...

summary capture file
file name..............................: hashcat.cap
version (pcap/cap).....................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)................: 01.01.1970 01:00:00
timestamp maximum (GMT)................: 01.01.1970 01:00:00
link layer header type.................: DLT_IEEE802_11 (105)
endianess (capture system).............: little endian
packets inside.........................: 3
packets with zeroed timestamps.........: 3 (warning: this prevents EAPOL time calculation)
BEACON.................................: 1
EAPOL messages (total).................: 2
EAPOLTIME (measured maximum usec)......: 9999998
EAPOL M1 messages......................: 1
EAPOL M2 messages......................: 1
EAPOL pairs............................: 1
EAPOL pairs written to hccap...........: 1
EAPOL M12E2............................: 1

I have to convert the hccap back to hccapx to test it. You don't need this step.

$ wlanhc2hcx -o test.hccapx test.hccap
1 record(s) read from test.hccap
1 record(s) written to test.hccapx

$ hashcat -m 2500 test.hccapx -a 3 'hashcat!'
hashcat (v5.1.0-1563-g3005b5a6) starting...

b0487ad676e2:0025cf2db489:hashcat.net:hashcat!

Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: hashcat.net (AP:b0:48:7a:d6:76:e2 STA:00:25:cf:2d:b4:89)
Time.Started.....: Tue Jan 7 10:33:15 2020 (0 secs)
Time.Estimated...: Tue Jan 7 10:33:15 2020 (0 secs)
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 43 H/s (0.70ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 42c Fan: 29% Util: 35% Core:1885MHz Mem:5005MHz Bus:16

So, everything is fine here, too.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - WPA_Catcher - 01-08-2020

Hi ZerBea

Sorry for my slow reply but I have been at work and I am learning about this stuff as I go, so I am not as confident with my replies as I would like to be. My old (I prefer the term vintage) hardware means I am restricted to hashcat v2.01.

I tried your suggestion with hcxpcapngtool. Obviously I did not re-convert to hccap(x), which is the step you noted I would not have to do, and success, it cracked! Thank you.

If you enjoy a technical challenge, which it seems like you do, is there any way to convert AP-Less captures to hccap? Obviously converting the EAPOL should be the same but there are no beacon frames with this method of capture. Is it possible for you to add the ability to make a hccap using the EAPOL parts and perhaps grab the ESSID from the probe request and pack into a hccap?

I noticed in the help of hcxpcapngtool the following:

bitmask for message pair field:
4: ap-less attack (set to 1) - no nonce-error-corrections necessary

I was not sure how to set a bitmask to see if my request was something already available.

With the new hcxpcapngtool will you be adding the option to allow the user to define mac_ap or mac_station of the target they wish to output as a hccap, a bit like the options in wlanhcx2ssid?

A hcxdumptool question if you don't mind: Using The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) (fully updated) and AlfaNetworks AWUS036H running in virtualbox, I occasionally (not always) receive this error when trying to use hcxdumptool.

Code:
initialization...

My wifi card is in monitor mode and I try to run hcxdumptool first before anything else. If hcxdumptool produces the error I try wifite and airodump-ng, which work properly. I use these just to check my card is in monitor mode. (I do not run anything else on the wifi when trying to use hcxdumptool.)

The following is a simple script I use to get into monitor mode. Please could you tell me if there is something I should add to my script to reduce the times I have trouble starting hcxdumptool?

Code:
#!/bin/bash

Thanks again ZerBea, you are a wifi God

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-08-2020

Well, K*A*L*I isn't a distribution, which is easy to use. Why do I tell this first? Because of this error message:

"could not create dumpfile Dump/wifidump_2020_01_08.pcapng"

You simply don't have write permission to save the dumpfile. By latest commit, I changed the warning to:

"hcxdumptool need full (monitor mode and full packet injection running all packet types) and exclusive access to the as well as write permission for the dumpfile"

This is an example of a script if hcxdumptool can't set monitor mode (e.g. on RTL8188, rtl8812 drivers, which require NETLINK):

Code:
#!/bin/sh

"With the new hcxpcapngtool will you be adding the option to allow the user to define mac_ap or mac_station of the target they wish to output as a hccap a bit like the options in wlanhcx2ssid?"

The new hcxhashtool is designed to filter hashfiles by user options:

Code:
$ hcxhashtool -h

Today I'll add filtering by message pair, replaycount check, and AP-LESS, too. I will not add this to hcxpcapngtool. The Linux philosophy (and mine, too) is: Write programs that do one thing and do it well. Write programs to work together.
https://en.wikipedia.org/wiki/Unix_philosophy

hcxdumptool -> WiFi part (fast without additional stuff, able to run headless)
hcxpcapngtool -> conversion (fast, without additional filtering stuff, able to run headless)
hcxhashtool -> provide filter / info about content of hashfile / pre-processor for hashcat/JtR
hcxpsktool -> provide information based on MAC and ESSID
wlancap2wpasec -> upload to data base
hcxwltool -> provide word list functions which other tools don't provide

All other hcxtools are deprecated and I'm going to remove them, soon (in sync with hashcat and JtR, when they drop old format). Supporting and maintaining these ancient formats (hccap, hccapx, JtR old) is an immense effort.

Please take a look at the latest commit here:
https://github.com/ZerBea/hcxtools/commit/b35f9262178c212b6cc6ed599578629010c557cc

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-08-2020

hcxhashtool: added hccap output

All filter options (except essid groups - old hashcat doesn't support reuse PBKDF2) are working on hccap, now.

workflow:
hcxdumptool (-o x.pcapng) -> hcxpcapngtool (-o test.22000) -> hcxhashtool (--hccap=test.hccap)

for your attached example:

$ hcxpcapngtool -o test1.22000 hashcat.cap --ignore-ie
reading from hashcat.cap...

summary capture file
file name..............................: hashcat.cap
version (pcap/cap).....................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)................: 01.01.1970 01:00:00
timestamp maximum (GMT)................: 01.01.1970 01:00:00
link layer header type.................: DLT_IEEE802_11 (105)
endianess (capture system).............: little endian
packets inside.........................: 3
packets with zeroed timestamps.........: 3 (warning: this prevents EAPOL time calculation)
BEACON.................................: 1
EAPOL messages (total).................: 2
EAPOLTIME (measured maximum usec)......: 9999998
EAPOL M1 messages......................: 1
EAPOL M2 messages......................: 1
EAPOL pairs............................: 1
EAPOL pairs written to combi hash file.: 1
EAPOL M12E2............................: 1

$ hcxhashtool -i test.22000 --hccap=test.hccap --info=stdout
SSID......: hashcat.net
MAC_AP....: b0487ad676e2 (TP-LINK TECHNOLOGIES CO.,LTD.)
MAC_CLIENT: 0025cf2db489 (Nokia Danmark A/S)
MP M1M2 E2: not authorized
RC INFO...: replycount checked
MIC.......: d9f3b5b6f744c662518458ac6cc79f11
HASHLINE..: WPA*02*d9f3b5b6f744c662518458ac6cc79f11*b0487ad676e2*0025cf2db489*686173686361742e6e6574*2f0f764c6632d5579c57c3a9fe067a845e22d6435941c1843845db34a2f80dde*0103007502010a0000000000000000000170003e0ad11bc0a9e48679459ebcbffd7ee75697628c371365d7a05e1b35d7d8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*00

OUI information file...: .hcxtools/oui.txt
OUI entires............: 27383
total lines read.......: 1
valid hash lines.......: 1
EAPOL hash lines.......: 1
filter by ESSID len min: 0
filter by ESSID len max: 32
EAPOL written..........: 1
EAPOL written to hccap.: 1

$ ls
hashcat.cap test.22000 test.hccap

No need for conversion to hash format 1680x. That can be done by simple bash commands.

BTW: You're right, I like a challenge.
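
Added example (not part of the thread and not hcxtools code): a small Python reader for the WPA*02 hash line shown in the hcxhashtool --info output above, decoding the same fields the tool prints plus the message pair bitmask asked about earlier. The names parse_22000, PAIRS and FLAGS are hypothetical; bit 4 is as quoted in the thread, the other bit meanings are assumed from the hcxpcapngtool help text.

```python
import struct

# Hash line from the hcxhashtool --info output above, split at field boundaries.
HASHLINE = "*".join([
    "WPA", "02",                              # protocol, type (02 = EAPOL)
    "d9f3b5b6f744c662518458ac6cc79f11",       # MIC
    "b0487ad676e2", "0025cf2db489",           # MAC_AP, MAC_CLIENT
    "686173686361742e6e6574",                 # ESSID, hex encoded
    "2f0f764c6632d5579c57c3a9fe067a845e22d6435941c1843845db34a2f80dde",  # ANONCE
    "0103007502010a0000" "0000000000000001"   # 802.1X header .. replay counter
    "70003e0ad11bc0a9e48679459ebcbffd7ee75697628c371365d7a05e1b35d7d8"   # SNONCE
    + "0" * 96 +                              # IV, RSC, ID and MIC (zeroed)
    "001630140100000fac040100000fac040100000fac020000",  # key data length + RSN IE
    "00",                                     # message pair
])

# Low three bits of the message pair field, then the flag bits.
PAIRS = {0: "M1+M2, EAPOL from M2 (challenge)", 1: "M1+M4, EAPOL from M4 (authorized)",
         2: "M2+M3, EAPOL from M2 (authorized)", 3: "M2+M3, EAPOL from M3 (authorized)",
         4: "M3+M4, EAPOL from M3 (authorized)", 5: "M3+M4, EAPOL from M4 (authorized)"}
FLAGS = {0x10: "ap-less attack", 0x20: "LE router detected",
         0x40: "BE router detected", 0x80: "replaycount not checked"}

def mac(h):
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def parse_22000(line):
    f = line.strip().split("*")
    if len(f) != 9 or f[:2] != ["WPA", "02"] or len(f[7]) < 34:
        raise ValueError("not a WPA*02 (EAPOL) hash line")
    # First 17 bytes: version, type, body length, descriptor type,
    # key information, key length, replay counter (all big endian).
    _, _, body_len, _, key_info, _, replay = struct.unpack(
        ">BBHBHHQ", bytes.fromhex(f[7][:34]))
    mp = int(f[8], 16)
    return {
        "essid": bytes.fromhex(f[5]).decode("utf-8", "replace"),
        "mac_ap": mac(f[3]), "mac_client": mac(f[4]), "mic": f[2],
        "key_version": key_info & 0x7,        # 2 = HMAC-SHA1 MIC
        "has_mic": bool(key_info & 0x0100), "has_ack": bool(key_info & 0x0080),
        "replay_counter": replay,
        "length_ok": (body_len + 4) * 2 == len(f[7]),
        "pair": PAIRS.get(mp & 0x7, "reserved"),
        "flags": [name for bit, name in FLAGS.items() if mp & bit],
    }
```

A frame with the MIC bit set and the ACK bit clear comes from the client, which matches the "M1M2 E2" label in the tool output.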