hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version
+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 09-17-2017

manually calculate hashcat's "--nonce-error-corrections" using hcxtools

If you use wlancap2hcx, you'll get a proposal for the --nonce-error-corrections value of hashcat. It looks like this:

hashcat --nonce-error-corrections is working on that file
(that means you can use the default value)

or

you should use hashcat --nonce-error-corrections=16 (or greater) on ...
you should use hashcat --nonce-error-corrections=32 (or greater) on ...
you should use hashcat --nonce-error-corrections=64 (or greater) on ...

If you like, you can calculate this value manually: use wlanhcxinfo options -a -A to get the required information:

$ wlanhcxinfo -i yourhccapxfile.hccapx -a -A

This will show you all anonces (anonce = nonce transmitted by the access point). You will get something like this:

mac_ap anonce
-----------------------------------------------------------------------------------------------------
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a1
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a1
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a5
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a6
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a8
(for little endian APs)

xxxxxxxxxxxx:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa3ae7cde0
xxxxxxxxxxxx:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa3de7cde0
xxxxxxxxxxxx:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa40e7cde0
(for big endian APs)

You can see that the last byte is counting up. You can also see that there are gaps between the values (caused by packet loss of the dumper). Now take the highest value and subtract the lowest value (little endian: 0xa8 - 0xa1 = 7, big endian: 0x40 - 0x3a = 6).
The result is the lowest value you should use for hashcat --nonce-error-corrections!

Keep in mind: this will only work on hccapx files converted from uncleaned(!) and unreduced(!) cap files. It doesn't work on a single handshake!!!!

Background information:
-------------------------------
An access point uses several different EAPOL timers like this:
EAP-Identity-Request Timeout (seconds)
EAP-Identity-Request Max Retries
EAP Key-Index for Dynamic WEP
EAP Max-Login Ignore Identity Response
EAP-Request Timeout (seconds)
EAP-Request Max Retries
EAPOL-Key Timeout (milliseconds)
EAPOL-Key Max Retries
EAP-Broadcast Key Interval

Calculating an anonce, releasing an anonce, calculation of the replaycount, releasing a replaycount, accepting an authentication: all this depends on these timers. Knowing the "secrets" about these timers allows us to use nonce-error-corrections (and other features built in to hashcat and hcxtools). Disregarding this (by cleaning caps, reducing caps to only one handshake, capturing only one handshake, using too many deauthentications) will possibly let you fail calculating the key!

Why will you possibly fail?
wlanhcxinfo will show you this using the options -a -A -R. Well, let's take a look into the replaycount (-R):

$ wlanhcxinfo -i yourhccapxfile.hccapx -a -A -R

mac_ap anonce replaycount
-------------------------------------------------------------------------------------------------------------------------------
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a1:0000000000000000
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a1:0000000000000000
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a5:0000000000000000
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a6:0000000000000000
xxxxxxxxxxxx:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a8:0000000000000000
(on the little endian AP)

xxxxxxxxxxxx:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa3ae7cde0:0000000000000001
xxxxxxxxxxxx:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa3de7cde0:0000000000000000
xxxxxxxxxxxx:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa40e7cde0:0000000000000001
(on the big endian AP)

In both cases the APs received too many deauthentications and didn't receive their clients' packets. So they reset their replaycounters. Without using nonce-error-corrections, in many cases you are not able to calculate the password because the M2 and/or M4 of the client doesn't match!

Sending more (than much) deauthentications causes APs to release their complete anonce. In that case not even nonce-error-corrections will work!

update hcxtools 4.0.0-rc1:
Added new option -I to wlanhcxmnc:
-I : show mac_ap and anonces

now you can use
$ wlanhcxmnc -i yourfile.hccapx -I
to get the required information for hashcat's nonce-error-corrections

stdout is used for printing this information. So it's possible to redirect the output to a file
$ wlanhcxmnc -i yourfile.hccapx -I > apinfos

wlanhcxinfo options -a -A are no longer needed for this purpose!
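The check described in the post above, as an added example that is not part of hcxtools or of the original post: it reads lines in the mac_ap:anonce:replaycount form that wlanhcxinfo -a -A -R prints, finds the nonce byte an access point increments, computes highest minus lowest observed value (the number the post takes as the minimum --nonce-error-corrections), and counts replaycounter resets, which the post explains as the AP restarting because it did not receive its clients' packets. It also handles the two cases the post warns about: a single handshake (nothing to derive) and an AP that regenerated its complete anonce (nonce-error-corrections cannot help). The sample input is constructed from the post's two APs with made-up MAC addresses.

```python
"""Analyse per-AP anonce and replaycount behaviour from wlanhcxinfo-style output.

Added example, not hcxtools code. Input lines: mac_ap:anonce(64 hex):replaycount(16 hex).
"""
from collections import defaultdict

# Constructed sample, modelled on the post's two access points; MACs are made up.
SAMPLE = """\
mac_ap anonce replaycount
-------------------------------------------------------------------------------------------
001122334455:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a1:0000000000000000
001122334455:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a1:0000000000000000
001122334455:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a5:0000000000000000
001122334455:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a6:0000000000000000
001122334455:ffa500a5ec3f312701fe821b2628a182ca11cc91fec662b0ed41fe84145984a8:0000000000000000
66778899aabb:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa3ae7cde0:0000000000000001
66778899aabb:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa3de7cde0:0000000000000000
66778899aabb:daa065e1aa368b38404a517b39c23613bfce72ada13726fdb1f1aeaa40e7cde0:0000000000000001
"""


def parse(text):
    """Return {mac_ap: [(anonce bytes, replaycount int or None), ...]} in input order."""
    records = defaultdict(list)
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or len(fields[1]) != 64:
            continue  # header, separator and blank lines carry no record
        anonce = bytes.fromhex(fields[1])
        replay = int(fields[2], 16) if len(fields) > 2 and fields[2] else None
        records[fields[0]].append((anonce, replay))
    return dict(records)


def changing_bytes(anonces):
    """0-based positions at which later anonces differ from the first one."""
    return {i for a in anonces[1:] for i in range(32) if a[i] != anonces[0][i]}


def analyse_ap(recs):
    """Classify one AP's anonces and derive the spread and replaycounter resets."""
    anonces = [a for a, _ in recs]
    replays = [r for _, r in recs if r is not None]
    info = {
        "byte": None,
        "nonce_error_corrections": None,
        # a replaycount that goes backwards means the AP restarted its handshake sequence
        "replay_resets": sum(1 for prev, cur in zip(replays, replays[1:]) if cur < prev),
    }
    changed = changing_bytes(anonces)
    if not changed:
        info["status"] = "constant"      # one anonce only (single handshake): nothing to derive
    elif len(changed) == 1:
        pos = changed.pop()
        values = [a[pos] for a in anonces]
        info.update(status="counter", byte=pos,
                    nonce_error_corrections=max(values) - min(values))
    else:
        info["status"] = "regenerated"   # whole anonce changed: nonce-error-corrections cannot help
    return info


def analyse(text):
    """Map mac_ap -> analysis dict for every AP found in the text."""
    return {mac: analyse_ap(recs) for mac, recs in parse(text).items()}


if __name__ == "__main__":
    for mac, info in analyse(SAMPLE).items():
        print(mac, info)
```

For the sample the little endian AP reports byte 31 with a spread of 7 and the big endian AP byte 28 with a spread of 6, matching the post's subtraction; the big endian AP also shows one replaycounter reset (1, 0, 1).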
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 09-19-2017

some words about hcxtools (https://github.com/ZerBea/hcxtools) and hcxkeys (https://github.com/ZerBea/hcxkeys):

The main purpose of both toolsets is to conduct an analysis and compile statistics on WiFi, together with hashcat!
That means: wlanhcxcat, wlangenpmk, wlangenpmkocl (and pwhash) are too slow for cracking purposes!!
These tools are only useful to calculate, show and test single hashes. Do not try to use them as crackers. hashcat can do this much better and faster!

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 09-20-2017

calculate hashcat's "--nonce-error-corrections" using hcxtools

In some special cases hashcat isn't able to do nonce-error-corrections.
If you use wlanhcxinfo options -a -A to get the required information and you see this:

mac_ap anonce
-----------------------------------------------------------------------------------------------------
xxxxxxxxxxxx:4a8d0509f2a10031e819d487f95a33825cbaf6ea6d7dff3ade2c7c3071889316
xxxxxxxxxxxx:4a8d0509f2a10034e819d487f95a33825cbaf6ea6d7dff3ade2c7c3071889316
xxxxxxxxxxxx:4a8d0509f2a10037e819d487f95a33825cbaf6ea6d7dff3ade2c7c3071889316
xxxxxxxxxxxx:4a8d0509f2a1003ae819d487f95a33825cbaf6ea6d7dff3ade2c7c3071889316
xxxxxxxxxxxx:4a8d0509f2a1003ce819d487f95a33825cbaf6ea6d7dff3ade2c7c3071889316
xxxxxxxxxxxx:4a8d0509f2a1003ee819d487f95a33825cbaf6ea6d7dff3ade2c7c3071889316

Byte 7 is incremented. There are gaps between the values (caused by packet loss of the dumper).
Now it's time for wlanhcxmnc. This tool will do the nonce-err-corrections for hashcat.

Calculate the nonce-err-corrections value as described in post 61:
0x3e - 0x31 = 0xd

Then run:
wlanhcxmnc -i yourfile.hccapx -a xxxxxxxxxxxx -o correctedfile.hccapx -b 7 -n d

wlanhcxmnc will correct the nonce values for this AP xxxxxxxxxxxx and save them to a file.
Now you can run hashcat with --nonce-error-corrections=0 on that file. This is possible because the nonce-error-corrections is already done by wlanhcxmnc!

update hcxtools 4.0.0-rc1:
Added new option -I to wlanhcxmnc:
-I : show mac_ap and anonces

now you can use
$ wlanhcxmnc -i yourfile.hccapx -I
to get the required information for hashcat's nonce-error-corrections

stdout is used for printing this information. So it's possible to redirect the output to a file
$ wlanhcxmnc -i yourfile.hccapx -I > apinfos

wlanhcxinfo options -a -A are no longer needed for this purpose!

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 09-25-2017

update hcxtools (4.0.0-rc1): https://github.com/ZerBea/hcxtools

Added new tool wlanjohn2hcx to convert john wpapsk hashfiles to hccapx.

$ wlanjohn2hcx -h
wlanjohn2hcx 4.0.0-rc1 (C) 2017 ZeroBeat
usage: wlanjohn2hcx <options> [input.john] [input.john] ...
options:
-o <file> : output hccapx file
-e <file> : output ESSID list

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 09-26-2017

wlanhcx2cap update:
set M1 replaycount = (M4 replaycount-1) if M4 EAPOL is used

attention: sometimes wireshark can't handle wlanhcx2cap files if group keys are used
that means the handshake in the cap file is correct and all tools are working on that cap, but the wireshark output is wrong (M2 is shown as M4)

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 09-27-2017

I have tested the most used wpa cracking tools hashcat (google: about 274,000 results), aircrack-ng (google: about 535,000 results) and John the Ripper jumbo (google: about 311,000 results), how they work on wpa using their own conversion tools and how they work closely together with hcxtools.

Overview of the tests:
1. cap2hccapx -> hashcat
2. wpapcap2john -> john
3. aircrack-ng
4. wlancap2hcx -> hashcat
5. wlancap2hcx -> wlanhcx2john -> john

1. Test: cap2hccapx -> hashcat (https://github.com/hashcat/hashcat-utils)

$ time cap2hccapx 20170228.cap cap2hccapx.hccapx
Written 12736 WPA Handshakes to: cap2hccapx.hccapx

real 4m37,154s
user 4m36,964s
sys 0m0,170s

a) no nonce-error-correction
$ hashcat -m 2500 --nonce-error-corrections=0 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 cap2hccapx.hccapx wlan
hashcat (4.0.0-rc1) starting...

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: cap2hccapx.hccapx
Time.Started.....: Wed Sep 27 10:05:30 2017 (1 min, 40 secs)
Time.Estimated...: Wed Sep 27 10:07:10 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 403.0 kH/s (0.93ms)
Recovered........: 1297/8967 (14.46%) Digests, 227/1059 (21.44%) Salts
Recovered/Time...: CUR:681,N/A,N/A AVG:782,46927,1126251 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....: -> волчонок
HWMon.Dev.#1.....: Temp: 73c Fan: 84% Util: 10% Core:1847MHz Mem:5005MHz Bus:16

b) nonce-error-correction 8 (default)
$ hashcat -m 2500 --nonce-error-corrections=8 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 cap2hccapx.hccapx wlan
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: cap2hccapx.hccapx
Time.Started.....: Wed Sep 27 10:07:45 2017 (2 mins, 47 secs)
Time.Estimated...: Wed Sep 27 10:10:32 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 264.7 kH/s (0.94ms)
Recovered........: 1901/8967 (21.20%) Digests, 242/1059 (22.85%) Salts
Recovered/Time...: CUR:702,N/A,N/A AVG:682,40959,983039 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....: -> волчонок
HWMon.Dev.#1.....: Temp: 71c Fan: 33% Util: 24% Core:1847MHz Mem:5005MHz Bus:16

2. Test: wpapcap2john -> john (https://github.com/magnumripper/JohnTheRipper)

$ time wpapcap2john 20170228.cap > wpapcap2john.john
Dumping 212780 unverified auths
18500 ESSIDS processed

real 0m49,941s
user 0m44,413s
sys 0m1,621s

as of today nonce-error-corrections isn't implemented in JtR (but in progress for the next update)

$ john -w:wlan --format=wpapsk-opencl --pot=john.pot wpapcap2john.john
Device 0: GeForce GTX 1080 Ti
Local worksize (LWS) 64, global worksize (GWS) 2097152
Loaded 7481 password hashes with 7481 different salts (wpapsk-opencl, WPA/WPA2 PSK [PBKDF2-SHA1 OpenCL])
1767g 0:00:01:18 DONE (2017-09-27 09:44) 22.57g/s 476.3p/s 3563Kc/s 3563KC/s GPU:79°C util:99% fan:60%

3. Test: aircrack-ng (http://svn.aircrack-ng.org/trunk/)

$ time aircrack-ng -J aircrackng 20170228.cap
Opening 20170228.cap
Reading packets, please wait...
Index number of target network ? 17887
Opening 20170228.cap
Reading packets, please wait...
Building Hashcat (1.00) file...
Successfully written to aircrackng.hccap
Quitting aircrack-ng...
real 3m17,601s
user 1m40,430s
sys 0m0,107s

Remarks:
only hashes from 16927 up to 17887 displayed
only 1 hash written to hashfile
only support for hashcat 1.0 hccap format

real handshakes detected:
$ aircrack-ng 20170228.cap | grep "1 hand" > aircrackhandshakes
$ wc -l aircrackhandshakes
1356 aircrackhandshakes found (5 with empty ESSIDs)
I didn't have the time to test 1356 single hashes!

now the same, but using wpaclean on 20170228.cap
$ wpaclean wpaclean.cap 20170228.cap
$ aircrack-ng wpaclean.cap | grep "1 hand" > aircrackhandshakescleaned
$ wc -l aircrackhandshakescleaned
1305 aircrackhandshakescleaned
I didn't have the time to test 1305 single hashes!

$ wlancap2hcx -o wpacleaned.hccapx wpaclean.cap
start reading from wpaclean.cap
4056 packets processed (4056 wlan, 0 lan, 0 loopback)
total 1259 usefull wpa handshakes
found 1 handshake with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)
found 30 WPA1 RC4 Cipher, HMAC-MD5
found 1229 WPA2 AES Cipher, HMAC-SHA1
found 68 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
warning: use of wpaclean detected

a) no nonce-error-correction on that cleaned cap
$ hashcat -m 2500 --nonce-error-corrections=0 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 wpacleaned.hccapx wlan
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wpacleaned.hccapx
Time.Started.....: Wed Sep 27 11:50:11 2017 (1 min, 31 secs)
Time.Estimated...: Wed Sep 27 11:51:42 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 417.6 kH/s (0.95ms)
Recovered........: 356/1257 (28.32%) Digests, 266/1016 (26.18%) Salts
Recovered/Time...: CUR:221,N/A,N/A AVG:234,14046,337111 (Min,Hour,Day)
Progress.........: 37881560/37881560 (100.00%)
Rejected.........: 0/37881560 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....: -> волчонок
HWMon.Dev.#1.....: Temp: 73c Fan: 78% Util: 66% Core:1860MHz Mem:5005MHz Bus:16

b) nonce-error-correction 8 (default) on that cleaned cap

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wpacleaned.hccapx
Time.Started.....: Wed Sep 27 11:52:14 2017 (1 min, 40 secs)
Time.Estimated...: Wed Sep 27 11:53:54 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 378.6 kH/s (0.94ms)
Recovered........: 365/1257 (29.04%) Digests, 273/1016 (26.87%) Salts
Recovered/Time...: CUR:202,N/A,N/A AVG:218,13091,314184 (Min,Hour,Day)
Progress.........: 37881560/37881560 (100.00%)
Rejected.........: 0/37881560 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....: -> волчонок
HWMon.Dev.#1.....: Temp: 73c Fan: 75% Util: 44% Core:1860MHz Mem:5005MHz Bus:16

4. Test: wlancap2hcx -> hashcat (https://github.com/ZerBea/hcxtools)

$ time wlancap2hcx -o wlancap2hcx.hccapx 20170228.cap
start reading from 20170228.cap
1396632 packets processed (1396632 wlan, 0 lan, 0 loopback)
total 18537 usefull wpa handshakes
found 21 handshakes with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)
found 184 WPA1 RC4 Cipher, HMAC-MD5
found 18353 WPA2 AES Cipher, HMAC-SHA1
found 1431 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
you should use hashcat --nonce-error-corrections=64 (or greater) on wlancap2hcx.hccapx
found WDS or Mesh packets

real 0m0,911s
user 0m0,760s
sys 0m0,149s

a) no nonce-error-correction
hashcat (4.0.0-rc1) starting...

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wlancap2hcx.hccapx
Time.Started.....: Wed Sep 27 09:58:34 2017 (1 min, 40 secs)
Time.Estimated...: Wed Sep 27 10:00:14 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 407.1 kH/s (0.93ms)
Recovered........: 2871/11989 (23.95%) Digests, 266/1059 (25.12%) Salts
Recovered/Time...: CUR:2017,N/A,N/A AVG:1713,102790,2466976 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....: -> волчонок
HWMon.Dev.#1.....: Temp: 73c Fan: 71% Util: 49% Core:1860MHz Mem:5005MHz Bus:16

b) nonce-error-correction 8 (default)
$ hashcat -m 2500 --nonce-error-corrections=8 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 wlancap2hcx.hccapx wlan
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wlancap2hcx.hccapx
Time.Started.....: Wed Sep 27 10:01:29 2017 (3 mins, 13 secs)
Time.Estimated...: Wed Sep 27 10:04:42 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 290.9 kH/s (0.94ms)
Recovered........: 2969/11989 (24.76%) Digests, 282/1059 (26.63%) Salts
Recovered/Time...: CUR:870,N/A,N/A AVG:922,55330,1327926 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....: -> волчонок
HWMon.Dev.#1.....: Temp: 72c Fan: 42% Util: 75% Core:1860MHz Mem:5005MHz Bus:16

5. Test: wlancap2hcx -> wlanhcx2john -> john (https://github.com/ZerBea/hcxtools)

$ time wlancap2hcx -o wlancap2hcx.hccapx 20170228.cap
start reading from 20170228.cap
1396632 packets processed (1396632 wlan, 0 lan, 0 loopback)
total 18537 usefull wpa handshakes
found 21 handshakes with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)
found 184 WPA1 RC4 Cipher, HMAC-MD5
found 18353 WPA2 AES Cipher, HMAC-SHA1
found 1431 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
you should use hashcat --nonce-error-corrections=64 (or greater) on wlancap2hcx.hccapx
found WDS or Mesh packets

real 0m0,911s
user 0m0,760s
sys 0m0,149s

$ wlanhcx2john -o wlanhcx2john.john wlancap2hcx.hccapx
18537 records read from wlancap2hcx.hccapx
18537 records written to wlanhcx2john.john

as of today nonce-error-corrections isn't implemented in JtR (but in progress for the next update)

$ john -w:wlan --format=wpapsk-opencl --pot=john.pot wlanhcx2john.john
Device 0: GeForce GTX 1080 Ti
Local worksize (LWS) 64, global worksize (GWS) 2097152
Loaded 11984 password hashes with 11984 different salts (wpapsk-opencl, WPA/WPA2 PSK [PBKDF2-SHA1 OpenCL])
2871g 0:00:01:23 DONE (2017-09-27 10:12) 34.21g/s 444.3p/s 5325Kc/s
5325KC/s GPU:81°C util:99% fan:62%

Well, no conclusion from me, so make your own conclusion about all tools, results and features (nonce-error-corrections).

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 09-27-2017

And if you decide to follow hcxtools' recommendations:
you should use hashcat --nonce-error-corrections=64 (or greater) on wlancap2hcx.hccapx

$ hashcat -m 2500 --nonce-error-corrections=64 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 wlancap2hcx.hccapx wlan

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wlancap2hcx.hccapx
Time.Started.....: Wed Sep 27 17:24:21 2017 (14 mins, 17 secs)
Time.Estimated...: Wed Sep 27 17:38:38 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 96197 H/s (0.94ms)
Recovered........: 2976/11989 (24.82%) Digests, 285/1059 (26.91%) Salts
Recovered/Time...: CUR:94,N/A,N/A AVG:208,12499,299983 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....: -> волчонок
HWMon.Dev.#1.....: Temp: 75c Fan: 42% Util: 8% Core:1847MHz Mem:5005MHz Bus:16

you will get some more hits!

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-02-2017

update hcxtools (better plainmasterkey handling): https://github.com/ZerBea/hcxtools

added new option -O to wlancap2hcx:
-O <file> : output hccapx file without ESSIDs (WPA/WPA2/WPA2 AES-128-CMAC: use hashcat -m 2501 only)

All handshakes without ESSID went into this file, mainly handshakes from the second part of an expanded EAPOL authentication (like RADIUS / ENTERPRISE). These handshakes are crackable using captured plainmasterkeys from wlan traffic (wlancap2hcx option -f) or pre-computed plainmasterkeys.
example:
$ wlancap2hcx -O noessid.hccapx test.cap
start reading from test.cap
12089037 packets processed (12089037 wlan, 0 lan, 0 loopback)
total 286811 usefull wpa handshakes
found 85 handshakes with zeroed plainmasterkeys (use hashcat -m 2501 with a zeroed plainmasterkey)
found 2467 handshakes without ESSIDs (use hashcat -m 2501)

$ hashcat -m 2501 --logfile-disable --potfile-path=hashcat.2501.pot --outfile-format=2 -o foundhashcat.2501 noessid.hccapx pmklist
hashcat (4.0.0-rc1) starting...

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2 PMK
Hash.Target......: noessid.hccapx
Time.Started.....: Mon Oct 2 13:22:05 2017 (0 secs)
Time.Estimated...: Mon Oct 2 13:22:05 2017 (0 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 288.1 kH/s (0.00ms)
Recovered........: 25/252 (9.92%) Digests, 0/1 (0.00%) Salts
Progress.........: 48164/48164 (100.00%)
Rejected.........: 0/48164 (0.00%)
Restore.Point....: 48164/48164 (100.00%)
Candidates.#1....: 00.... -> ff....
HWMon.Dev.#1.....: Temp: 34c Fan: 33% Util: 62% Core:1911MHz Mem:5005MHz Bus:16

Do not wonder about these 2 values:
wlancap2hcx: found 2467 handshakes without ESSIDs
hashcat: Recovered........: 25/252 (9.92%) Digests, 0/1 (0.00%) Salts
In this case wlancap2hcx doesn't test dupes, because hashcat makes it better.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-02-2017

If you like to test this new feature, do the following steps:

1) Download the example cap from the wireshark examples (https://wiki.wireshark.org/SampleCaptures)
File: wpa-eap-tls.pcap.gz
https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=wpa-eap-tls.pcap.gz

2) gunzip the cap
$ gunzip wpa-eap-tls.pcap.gz

3) get the demo plainmasterkeys from (https://wiki.wireshark.org/SampleCaptures)
Wifi / Wireless LAN captures / 802.11
File: wpa-eap-tls.pcap.gz
Description: 802.11 capture with WPA-EAP. PSK's to decode:
a500........
7925........
23a9........
and copy them to your pmklist

4) use wlancap2hcx to convert the cap file:
$ wlancap2hcx -O test.hccapx wpa-eap-tls.pcap
start reading from wpa-eap-tls.pcap
86 packets processed (86 wlan, 0 lan, 0 loopback)
total 2 usefull wpa handshakes
found 2 handshakes without ESSIDs (use hashcat -m 2501)
found 2 WPA2 AES Cipher, HMAC-SHA1
found EAP-TLS Authentication
found WPA encrypted data packets

5) run hashcat:
$ hashcat -m 2501 --logfile-disable --potfile-path=hashcat.2501.pot --outfile-format=2 -o foundhashcat.2501 test.hccapx pmklist
hashcat (4.0.0-rc2) starting...

Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2 PMK
Hash.Target......: (AP:10:6f:3f:0e:33:3c STA:24:77:03:d2:5e:a8)
Time.Started.....: Mon Oct 2 16:38:18 2017 (0 secs)
Time.Estimated...: Mon Oct 2 16:38:18 2017 (0 secs)
Guess.Base.......: File (pw)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 0 H/s (0.00ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 3/3 (100.00%)
Rejected.........: 0/3 (0.00%)
Restore.Point....: 0/3 (0.00%)
Candidates.#1....: a500.... -> 23a9....
HWMon.Dev.#1.....: Temp: 41c Fan: 29% Util: 4% Core:1835MHz Mem:5005MHz Bus:16

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-03-2017

advanced wpa cracking: Entering the "royal class"

needed tools:
combinator3 (hashcat-utils)
wlancap2hcx (hcxtools)
wlangenpmk or wlangenpmkocl (hcxkeys)
hashcat (hashcat)

1) download demo caps from here:
https://github.com/magnumripper/JohnTheRipper/files/1156223/WPA-PSK-SHA256-session.pcap.zip
https://github.com/magnumripper/JohnTheRipper/files/1156394/normal-wpa-traffic.pcap.zip
and unzip them.
2) create 3 txt files: file1, file2 and file3 and:
write these 4 essids to file1:
default
hello
home
networkname
and:
write this delimiter to file2:
:
and:
write these 4 demo passwords to file3:
password
12345678
mypassword
test1234

3) use combinator3 to create the psklist
combinator3 file1 file2 file3 > psklist

4) use wlangenpmkocl or wlangenpmk to create the pmklist
$ wlangenpmk -I psklist -a pmklist
16 plainmasterkeys generated, 0 password(s) skipped

5) use wlancap2hcx to convert the pcaps
$ wlancap2hcx -O test.hccapx *.pcap
start reading from normal-wpa-traffic.pcap
5 packets processed (0 wlan, 5 lan, 0 loopback)
total 2 usefull wpa handshakes
found 2 handshakes without ESSIDs (use hashcat -m 2501)
found 2 WPA2 AES Cipher, HMAC-SHA1
start reading from WPA-PSK-SHA256-session.pcap
28 packets processed (0 wlan, 28 lan, 0 loopback)
total 12 usefull wpa handshakes
found 12 handshakes without ESSIDs (use hashcat -m 2501)
found 12 WPA2 AES Cipher, AES-128-CMAC

6) use hashcat to crack them
$ hashcat -m 2501 --logfile-disable --potfile-path=hashcat.2501.pot --outfile-format=2 -o foundhashcat.2501 test.hccapx pmklist
hashcat (4.0.0-rc2) starting...

Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2 PMK
Hash.Target......: test.hccapx
Time.Started.....: Tue Oct 3 15:34:39 2017 (0 secs)
Time.Estimated...: Tue Oct 3 15:34:39 2017 (0 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 0 H/s (0.00ms)
Recovered........: 11/11 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 16/16 (100.00%)
Rejected.........: 0/16 (0.00%)
Restore.Point....: 0/16 (0.00%)
Candidates.#1....: b9d4.... -> 83c0....

Don't wonder about the different values (wlancap2hcx = 2+12 handshakes, hashcat only 11 handshakes). wlancap2hcx doesn't make a dupe check in hashcat -m 2501 mode.
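Steps 2) to 4) above, as an added example that is not hcxkeys or hashcat-utils code: it joins the post's four ESSIDs and four demo passwords into the essid:password list that combinator3 produces and derives each plainmasterkey with the standard IEEE 802.11i rule PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes). The point it makes visible is why the post needs a PMK list at all for handshakes without ESSID: the PMK is bound to the ESSID, so the same passphrase yields a different PMK on every network, and a handshake whose ESSID is unknown can only be checked against precomputed PMKs. The one-hex-PMK-per-line output format is an assumption, and the passphrase length check mirrors the "password(s) skipped" counter in wlangenpmk's output.

```python
"""Combine ESSIDs and passphrases and derive WPA plainmasterkeys.

Added example, not hcxkeys code. PMK derivation follows IEEE 802.11i
(PBKDF2-HMAC-SHA1, ESSID as salt, 4096 rounds, 256-bit output).
"""
import hashlib
from itertools import product

ESSIDS = ["default", "hello", "home", "networkname"]            # file1 from the post
PASSWORDS = ["password", "12345678", "mypassword", "test1234"]  # file3 from the post


def combine(essids, passwords, delimiter=":"):
    """Equivalent of `combinator3 file1 file2 file3` with file2 holding the delimiter."""
    return [f"{essid}{delimiter}{psk}" for essid, psk in product(essids, passwords)]


def derive_pmk(essid, passphrase):
    """PMK per IEEE 802.11i; WPA passphrases must be 8..63 characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def build_pmklist(psklist):
    """Return (hex PMK lines, skipped count); out-of-range passphrases are skipped, not derived."""
    lines, skipped = [], 0
    for entry in psklist:
        essid, _, psk = entry.partition(":")   # assumed list format: essid:passphrase
        try:
            lines.append(derive_pmk(essid, psk).hex())
        except ValueError:
            skipped += 1
    return lines, skipped


if __name__ == "__main__":
    pmks, skipped = build_pmklist(combine(ESSIDS, PASSWORDS))
    print(f"{len(pmks)} plainmasterkeys generated, {skipped} password(s) skipped")
    for line in pmks:
        print(line)
```

The run reports 16 plainmasterkeys and 0 skipped, the same counts the post's wlangenpmk output shows for these inputs.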