+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 11-04-2021
Good point, thanks.
Main purpose of info option is to show detailed information of the content of a hash file before hash cat is feed with it.
Due to many, many filter options, the evaluation is going to be complex and I lost the overview.
By latest commit, all filter options are disabled in combination with info options and --help is updated:
Code:
--info=<file> : output detailed information about content of hash file
no filter options available
--info=stdout : stdout output detailed information about content of hash file
no filter options available
--info-vendor=<file> : output detailed information about ACCESS POINT and CLIENT VENDORs
no filter options available
--info-vendor-ap=<file> : output detailed information about ACCESS POINT VENDORs
no filter options available
--info-vendor-client=<file> : output detailed information about ACCESS POINT VENDORs
no filter options available
--info-vendor=stdout : stdout output detailed information about ACCESS POINT and CLIENT VENDORs
no filter options available
--info-vendor-ap=stdout : stdout output detailed information about ACCESS POINT VENDORs
no filter options available
--info-vendor-client=stdout : stdout output detailed information about ACCESS POINT VENDORs
no filter options availableUsing regex is not planed, because it is yet another dependency.
#include <regex.h>
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - oayz - 11-04-2021
Super, thanks!
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - oayz - 11-04-2021
Sorry, can't stop complaining about this "list" feature. Why ESSID filter only works for "-o"? OK, it doesn't work for "info" why not even for JtR?!
total lines read..............: 76
valid hash lines..............: 76
PMKID hash lines..............: 30
EAPOL hash lines..............: 46
EAPOL written.................: 2
EAPOL written to john.........: 46
CMD line:
hcxhashtool.exe -i ssid_all.hc22000 -o ssid_new.hc22000 --john=ssid_new.john --essid-list=ssid_new.lst
List has only one ESSID. If I use the same ESSID in "----essid=" everything is as expected:
total lines read..............: 76
valid hash lines..............: 76
PMKID hash lines..............: 30
EAPOL hash lines..............: 46
filter by ESSID...............: takenoko
EAPOL written.................: 2
EAPOL written to john.........: 2
Am I missing intent of the filter? I didn't check the code but shouldn't filter remove ESSIDs from the input and then generate all required outputs?
BTW, it would be nice if filter could have inclusive and exclusive options (e.g. to keep or discard listed ESSIDs). Global, not per ESSID
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 11-04-2021
To speed up filtering, hcxhashtool is running only one stage. Therefore less common filter option combinations which do not make sense are ignored.
In that case, it is mandatory to run hcxhashtool a second time (third time, ...) on the output of the task before.
Purpose of ESSID filtering is to get benefit of reuse of PBKDF2, which will speed up hashcat.
Code:
--essid-group
--essid
--essid-listFiltering e.g. ESSIDs by occurrence of characters (e.g. x digit, digit, alfa...) doesn't make sense, because it will not speed up hashcat task.
BTW:
It is mandatory that the user knows what he is doing (analytical competencies):
- knowledge of radio technology and electromagnetic-wave engineering (RF power vs. antenna gain vs. range)
- detailed knowledge of 802.11 protocol (AUTHENTICATION sequences)
- detailed knowledge of key derivation functions (PBKDF2 and HMAC functions)
- detailed knowledge of Linux (driver specification, monitor mode, bash)
Otherwise the result is always unexpected.
e.g. as mentioned here:
https://hashcat.net/forum/thread-10441-post-53995.html#pid53995
This applies in particular if you decide to use hcxdumptool/hcxtools, because they are analysis tools.
There is no script inside hcxtools that replaces this knowledge.
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - oayz - 11-04-2021
Nah, I'm not trying "filtering by occurrence", I just have huge file of hashes and I want to run attack only on few ESSIDs. JTR file has clear text ESSIDs so I can simply run grep/egrep. HC22000 has ESSID in hex, I guess to properly handle foreign chars. BTW, hcxhashtool takes input as a text which seems to contradict hex intent
Anyway I think I need tool to convert HC22000 hash from ESSID_hex to ESSID_text and back. If you are happy with the way filtering is done in hcxhashtool then I'll move on.
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 11-04-2021
The major reason to use HEX_ASCII within hash lines:
"Unlike basic service set identifiers, SSIDs are usually customizable. These SSIDs can be zero to 32 octets (32 bytes) long, and are, for convenience, usually in a natural language, such as English. The 802.11 standards prior to the 2012 edition did not define any particular encoding or representation for SSIDs, which were expected to be treated and handled as an arbitrary sequence of 0–32 octets that are not limited to printable characters. IEEE Std 802.11-2012 defines a flag to express that the SSID is UTF-8-encoded and could contain any Unicode text. Wireless network stacks must still be prepared to handle arbitrary values in the SSID field."
Due to my analyses of wpa-sec submissions, I've seen almost everything within SSID IE_TAG.
And the script (one liner) you're looking for:
Code:
$ printf hashline | awk 'BEGIN { FS = "*" } ; { print $6 }' | perl -pe 's/(..)/chr(hex($1))/ge'From hashcat example hashes
https://hashcat.net/wiki/doku.php?id=example_hashes
Code:
$ printf "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***" | awk 'BEGIN { FS = "*" } ; { print $6 }' | perl -pe 's/(..)/chr(hex($1))/ge'
hashcat-essidor
Code:
$ whoismac -x 686173686361742d6573736964
hashcat-essidor
Code:
$ whoismac -x `printf "WPA*01*5ce7ebe97a1bbfeb2822ae627b726d5b*27462da350ac*accd10fb464e*686173686361742d6573736964***" | awk 'BEGIN { FS = "*" } ; { print $6 }'`
hashcat-essidor (if you know the PSK)
Code:
$ hcxpmktool -i "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***" -p 'hashcat!'
ESSID.............: hashcat-essid
PSK .............: hashcat!
PMK...............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PMKID (calculated): 4d4fe7aac3a2cecab195321ceb99a7d0
PMKID (hash line).: 4d4fe7aac3a2cecab195321ceb99a7d0 (equal)or (if you know the PMK)
Code:
$ hcxpmktool -i "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***" -m 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
ESSID.............: hashcat-essid
PMK...............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PMKID (calculated): 4d4fe7aac3a2cecab195321ceb99a7d0
PMKID (hash line).: 4d4fe7aac3a2cecab195321ceb99a7d0 (equal)or what ever you want.
BTW:
Magnum (JtR) is involved, too:
https://github.com/hashcat/hashcat/issues/1816#issuecomment-446117257
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - oayz - 11-04-2021
Oh, thanks, I had no doubt there is a way to achieve my goal and in Unix there 1000 ways to skin the cat. Just liked hcxtools much and prefer to use one tool. Cheers!
P.S. 1) I'm on windows and using Unix tricks is kind of PITA 2) I only know SSID
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 11-06-2021
Take care about your terminal settings if you convert ESSID HEX values to ASCII.
As far as I know, Windows doesn't like some characters within a terminal session.
A very bad example of handling ESSIDs has been described here:
https://nakedsecurity.sophos.com/2021/07/12/take-care-dont-get-tricked-by-this-crashtastic-iphone-wi-fi-hack/
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - v71221 - 12-17-2021
Hi, Zerbea!
Could you please answer.
Currently (December 2021), which chipsets/adapters are you testing hcxdumptool on?
Specifically, which 5GHz dongles are your favorite at the moment?
Thanks in advance.
P.S.
I read your previous posts about your favorite chipsets/adapters.
02-13-2021
https://hashcat.net/forum/thread-6661-post-51653.html#pid51653
hcxdumptool is working on every driver (e.g.: mt76, rt2800usb, ath9k) that is able to run full monitor mode, full packet injection, accept ioctl() system calls and doesn't depend on NETLINK.
02-23-2020
https://hashcat.net/forum/thread-6661-post-47734.html#pid47734
As of today, I only use/test devices running mt76 and rt2800usb driver.
01-21-2020
https://hashcat.net/forum/thread-8899-post-47284.html#pid47284
I suggest to buy an adapter whose driver (native driver within official kernel, e.g.: rt2800usb, mt76) support monitor mode and packet injection.
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 12-17-2021
Tested devices by ID (Arch Linux, kernel >= 5.10):
Code:
USB:
ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter
ID 0e8d:7612 MediaTek Inc. MT7612U 802.11a/b/g/n/ac Wireless Adapter
ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U]
ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi
ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
ID 148f:5572 Ralink Technology, Corp. RT5572 Wireless Adapter
ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n
ID 0bda:8178 Realtek Semiconductor Corp. RTL8192CU 802.11n WLAN Adapter
ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
PCIe:
Network controller: Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe Wireless Network AdapterTo get additional information about the ID
just do a DuckDuckGo search, e.g.:
https://duckduckgo.com/?t=ffab&q=ID+148f%3A7601&ia=web
or a device hunt:
https://devicehunt.com/view/type/usb/vendor/148F/device/761A
My favourite 5GHz adapters:
ALFA ALFA Network AWUS036ACM (MT7612U)
ASUS AC51 (MT7610U)
CSL - 300Mbit USB WLAN (RT5572)
In detail:
CH 14 limited tx power due to wireless regdomain settings
hcxdumptool and hcxlabtool series using the same functions to get device information (I prefer hcxlabtool series due to performance reasons on headless operation).
ALFA ALFA Network AWUS036ACM (MT7612U)
ID 0e8d:7612 MediaTek Inc. MT7612U 802.11a/b/g/n/ac Wireless Adapter
Code:
$ sudo hcxlabgetmall -C
wlp39s0f3u1u6 available frequencies, channels and tx power reported by driver:
2412MHz 1 (20 dBm)
2417MHz 2 (20 dBm)
2422MHz 3 (20 dBm)
2427MHz 4 (20 dBm)
2432MHz 5 (20 dBm)
2437MHz 6 (20 dBm)
2442MHz 7 (20 dBm)
2447MHz 8 (20 dBm)
2452MHz 9 (20 dBm)
2457MHz 10 (20 dBm)
2462MHz 11 (20 dBm)
2467MHz 12 (20 dBm)
2472MHz 13 (20 dBm)
2484MHz 14 ( 0 dBm)
5180MHz 36 (20 dBm)
5200MHz 40 (20 dBm)
5220MHz 44 (20 dBm)
5240MHz 48 (20 dBm)
5260MHz 52 (20 dBm)
5280MHz 56 (20 dBm)
5300MHz 60 (20 dBm)
5320MHz 64 (20 dBm)
5500MHz 100 (20 dBm)
5520MHz 104 (20 dBm)
5540MHz 108 (20 dBm)
5560MHz 112 (20 dBm)
5580MHz 116 (20 dBm)
5600MHz 120 (20 dBm)
5620MHz 124 (20 dBm)
5640MHz 128 (20 dBm)
5660MHz 132 (20 dBm)
5680MHz 136 (20 dBm)
5700MHz 140 (20 dBm)
5720MHz 144 (20 dBm)
5745MHz 149 (20 dBm)
5765MHz 153 (20 dBm)
5785MHz 157 (20 dBm)
5805MHz 161 (20 dBm)
5825MHz 165 (20 dBm)
5845MHz 169 (20 dBm)
5865MHz 173 (20 dBm)
0 error(s) encounteredASUS AC51
ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U]
Code:
$ sudo hcxlabgetmall -C
wlp39s0f3u1u6 available frequencies, channels and tx power reported by driver:
2412MHz 1 (16 dBm)
2417MHz 2 (16 dBm)
2422MHz 3 (16 dBm)
2427MHz 4 (16 dBm)
2432MHz 5 (16 dBm)
2437MHz 6 (16 dBm)
2442MHz 7 (16 dBm)
2447MHz 8 (16 dBm)
2452MHz 9 (16 dBm)
2457MHz 10 (16 dBm)
2462MHz 11 (16 dBm)
2467MHz 12 (16 dBm)
2472MHz 13 (16 dBm)
2484MHz 14 ( 0 dBm)
5180MHz 36 (19 dBm)
5200MHz 40 (19 dBm)
5220MHz 44 (19 dBm)
5240MHz 48 (19 dBm)
5260MHz 52 (19 dBm)
5280MHz 56 (19 dBm)
5300MHz 60 (19 dBm)
5320MHz 64 (19 dBm)
5500MHz 100 (19 dBm)
5520MHz 104 (19 dBm)
5540MHz 108 (19 dBm)
5560MHz 112 (19 dBm)
5580MHz 116 (19 dBm)
5600MHz 120 (19 dBm)
5620MHz 124 (19 dBm)
5640MHz 128 (19 dBm)
5660MHz 132 (19 dBm)
5680MHz 136 (19 dBm)
5700MHz 140 (19 dBm)
5720MHz 144 (19 dBm)
5745MHz 149 (19 dBm)
5765MHz 153 (19 dBm)
5785MHz 157 (19 dBm)
5805MHz 161 (19 dBm)
5825MHz 165 (19 dBm)
5845MHz 169 (19 dBm)
5865MHz 173 (19 dBm)
0 error(s) encounteredCSL 300MBit
ID 148f:5572 Ralink Technology, Corp. RT5572 Wireless Adapter
Code:
$ sudo hcxlabgetmall -C
wlp39s0f3u1u1u4 available frequencies, channels and tx power reported by driver:
2412MHz 1 (20 dBm)
2417MHz 2 (20 dBm)
2422MHz 3 (20 dBm)
2427MHz 4 (20 dBm)
2432MHz 5 (20 dBm)
2437MHz 6 (20 dBm)
2442MHz 7 (20 dBm)
2447MHz 8 (20 dBm)
2452MHz 9 (20 dBm)
2457MHz 10 (20 dBm)
2462MHz 11 (20 dBm)
2467MHz 12 (20 dBm)
2472MHz 13 (20 dBm)
2484MHz 14 ( 0 dBm)
5180MHz 36 (30 dBm)
5190MHz 38 (30 dBm)
5200MHz 40 (30 dBm)
5210MHz 42 (30 dBm)
5220MHz 44 (30 dBm)
5230MHz 46 (30 dBm)
5240MHz 48 (30 dBm)
5250MHz 50 (24 dBm)
5260MHz 52 (24 dBm)
5270MHz 54 (24 dBm)
5280MHz 56 (24 dBm)
5290MHz 58 (24 dBm)
5300MHz 60 (24 dBm)
5310MHz 62 (24 dBm)
5320MHz 64 (24 dBm)
5500MHz 100 (24 dBm)
5510MHz 102 (24 dBm)
5520MHz 104 (24 dBm)
5530MHz 106 (24 dBm)
5540MHz 108 (24 dBm)
5550MHz 110 (24 dBm)
5560MHz 112 (24 dBm)
5570MHz 114 (24 dBm)
5580MHz 116 (24 dBm)
5590MHz 118 (24 dBm)
5600MHz 120 (24 dBm)
5610MHz 122 (24 dBm)
5620MHz 124 (24 dBm)
5630MHz 126 (24 dBm)
5640MHz 128 (24 dBm)
5650MHz 130 (24 dBm)
5660MHz 132 (24 dBm)
5670MHz 134 (24 dBm)
5680MHz 136 (24 dBm)
5690MHz 138 (24 dBm)
5700MHz 140 (24 dBm)
5745MHz 149 (30 dBm)
5755MHz 151 (30 dBm)
5765MHz 153 (30 dBm)
5775MHz 155 (30 dBm)
5785MHz 157 (30 dBm)
5795MHz 159 (30 dBm)
5805MHz 161 (30 dBm)
5825MHz 165 (30 dBm)
0 error(s) encounteredPlease notice:
On 5GHz the range is very limited and good antennas are mandatory!
Wireless regulatory domain must not be be unset!