Plugins 2500/2501 and 16800/16801 are deprecated - Printable Version
hashcat Forum, Support > hashcat (https://hashcat.net/forum/thread-10253.html)

RE: Plugins 2500/2501 and 16800/16801 are deprecated - yuXfar - 12-05-2023

Hi devs, I am now at the command

Code:
    hcxdumptool -i INTERFACENAME -w dumpfile.pcapng -F --rds=1

and it shows my network. I have no idea how to attack my network; what should I do next?

Also, after I stopped the above command, I tried the command tshark -i <interface> -w allframes.pcapng (I changed <interface> to wlan0), but it gives an error:

Code:
    Running as user "root" and group "root". This could be dangerous.
    Capturing on 'wlan0'
    tshark: The file to which the capture would be saved ("allframes.pcapng") could not be opened: Permission denied.

Edit: I just exited root mode, and tshark now works.

RE: Plugins 2500/2501 and 16800/16801 are deprecated - ZerBea - 12-05-2023

To attack your network, it is mandatory to build a BPF.

First get the MAC address of your AP. This can be done by:

Code:
    $ hcxdumptool --rcascan=active

Build the filter:

Code:
    $ hcxdumptool --bpfc="wlan addr3 112233445566 or wlan addr3 ffffffffffff" > attack.bpfc

Do the attack:

Code:
    $ hcxdumptool -i INTERFACENAME -w dumpfile.pcapng -F --rds=1 --bpf=attack.bpfc

If the AP does PMKID caching or if a CLIENT is connected to the AP, the attack should be successful in a couple of seconds.

e.g.: attack using an ALFA AWSU035ACM took 0m8,334s: https://github.com/ZerBea/hcxdumptool/discussions/361#discussioncomment-7550759
e.g.: attack using an ALFA AWSU035ACHM took 0m7,512s: https://github.com/ZerBea/hcxdumptool/discussions/361#discussioncomment-7553512

BTW: There is no need to run tshark as super user, and it is not recommended to do so. But if you run it as super user, a normal user can't open the dump file.

RE: Plugins 2500/2501 and 16800/16801 are deprecated - ZerBea - 12-05-2023

I forgot to mention: don't count on being able to decrypt the entire traffic recorded by tshark during an attack. For that you need a session key that belongs to the same session as the encrypted traffic. If you miss the beginning of such a sequence (e.g. because hcxdumptool does channel hopping), the decryption will fail (epically).

RE: Plugins 2500/2501 and 16800/16801 are deprecated - yuXfar - 12-05-2023

Hi devs, I tried the command

Code:
    $ hcxdumptool --bpfc="wlan addr3 112233445566 or wlan addr3 ffffffffffff" > attack.bpfc

I changed wlan to wlan0 because it didn't work at first, and the MAC to the MAC visible in rcascan. When I hit enter it says:

Code:
    unrecognized option '--bpfc=wlan0 addr3 a87484c8d49a'

Edit: so I successfully ran the command by adding a space at -- bpfc.

RE: Plugins 2500/2501 and 16800/16801 are deprecated - ZerBea - 12-05-2023

Whether the internal BPF compiler is available depends on how hcxdumptool has been compiled (see Makefile). My version (development system running Arch Linux) is compiled with the BPF compiler:

Code:
    $ hcxdumptool -v

RE: Plugins 2500/2501 and 16800/16801 are deprecated - yuXfar - 12-05-2023

This is what shows on my end:

Code:
    $ hcxdumptool --version
    hcxdumptool 6.3.2-70-gdf8f2e6 (C) 2023 ZeroBeat
    running on Linux kernel 6.5.0-kali3-amd64
    running GNU libc version 2.37
    compiled by gcc 13.2.0
    compiled with Linux API headers 6.5.6
    compiled with GNU libc headers 2.37
    enabled REALTIME DISPLAY
    enabled GPS support
    disabled BPF compiler

RE: Plugins 2500/2501 and 16800/16801 are deprecated - yuXfar - 12-05-2023

I tried creating a filter with the help of hcxdumptool --help:

Code:
    tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 112233445566 -ddd > filter.bpf

I only changed 112233445566 to my MAC address, then hit enter, and it still says BPF is unset.

RE: Plugins 2500/2501 and 16800/16801 are deprecated - ZerBea - 12-05-2023

What happens after hcxdumptool has been started:

- it requests the regulatory domain settings (to figure out what is allowed)
- it requests the capabilities of the attack device
- it sets monitor mode (active monitor mode if possible)
- it sets the lowest bit rate and smallest bandwidth (to increase range)
- it scans for the target(s)

Upper display:

- if a target is in range and under attack, a + appears in the R column
- it requests the PMKID from the target; a + appears in the 1 column
- if the target supports PMKID caching, a + appears in the P column
- it reconnects to the target's connected CLIENTs (if that fails, it tries to disconnect them)
- if it got a 4way handshake, a + appears in the 3 column
- a plus in the S column shows that the AP uses a WPA-PSK mode

Lower display:

- if the CLIENT responds to an EAP request, a + appears in the E column
- if the CLIENT connects to hcxdumptool, a + appears in the 2 column

If you got a plus in the P, 3 or 2 column, you can stop hcxdumptool and convert the pcapng file to hashcat's hc22000 format. Either you can use hashcat's online converter (that runs hcxpcapngtool): https://hashcat.net/cap2hashcat/ or you can use hcxpcapngtool: https://github.com/ZerBea/hcxtools

Code:
    $ hcxpcapngtool -o test.hc22000 dumpfile.pcapng

Now you can start your offline attacks running hashcat's different attack modes as described here: https://hashcat.net/wiki/

e.g. word list attack:

Code:
    $ hashcat -m 22000 test.hc22000 wordlist

An up to date word list (c-nets) is here: https://wpa-sec.stanev.org/?dicts or here: https://hashmob.net/resources/hashmob

RE: Plugins 2500/2501 and 16800/16801 are deprecated - ZerBea - 12-05-2023

(12-05-2023, 12:55 PM) yuXfar Wrote:
> I tried creating a filter with the help of hcxdumptool --help

Something is wrong with your workflow. Please check the command lines. Added cat filter.bpf to see that it has really been compiled.

Code:
    $ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 112233445566 -ddd > filter.bpf

RE: Plugins 2500/2501 and 16800/16801 are deprecated - ZerBea - 12-05-2023

Linux does not forgive mistakes/typos on the command line level.
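A small pre-flight check for the filter-building steps discussed in the thread: it turns a MAC into the bare-hex form the addr3 expression uses, builds the same expression ZerBea posted, and inspects the file written by tcpdump -ddd (the decimal format hcxdumptool's --bpf reads) so an empty or truncated filter is caught before hcxdumptool reports "BPF is unset". This is an added example, not code from hcxdumptool or from the thread; the sample filter text is constructed to match the -ddd layout and is not real compiler output.

```python
import re

# "wlan" in the expression is the pcap-filter link-layer keyword, not an
# interface name, which is why replacing it with wlan0 breaks the option.
BROADCAST = "ffffffffffff"  # the "or wlan addr3 ffffffffffff" half of the thread's filter


def normalize_mac(mac: str) -> str:
    """Reduce aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff
    to the 12 bare hex digits the filter expression expects."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def bpf_expression(ap_mac: str) -> str:
    """The expression from the thread: frames whose addr3 is the AP, or broadcast."""
    return f"wlan addr3 {normalize_mac(ap_mac)} or wlan addr3 {BROADCAST}"


def check_bpf_file(text: str) -> int:
    """Validate a filter in 'tcpdump -ddd' decimal layout: first line is the
    instruction count, then one 'code jt jf k' line per instruction.
    Returns the instruction count or raises ValueError saying what is wrong."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("filter file is empty: the compiler wrote nothing")
    if not lines[0].isdigit():
        raise ValueError(f"first line is not an instruction count: {lines[0]!r}")
    count, instrs = int(lines[0]), lines[1:]
    if len(instrs) != count:
        raise ValueError(f"header says {count} instructions, file has {len(instrs)}")
    for ln in instrs:
        fields = ln.split()
        if len(fields) != 4 or not all(f.isdigit() for f in fields):
            raise ValueError(f"malformed instruction line: {ln!r}")
    # A BPF program ends with a return; the class bits (code & 0x07) of a
    # BPF_RET opcode are 6.  Anything else means the file was cut short.
    if int(instrs[-1].split()[0]) & 0x07 != 0x06:
        raise ValueError("last instruction is not a return: truncated file?")
    return count


# Constructed sample in -ddd layout (not real compiler output): load a byte,
# compare it, then return accept (65535) or drop (0).
SAMPLE_BPF = "4\n48 0 0 2\n21 0 1 8\n6 0 0 65535\n6 0 0 0\n"

if __name__ == "__main__":
    print(bpf_expression("11:22:33:44:55:66"))
    print(f"sample filter has {check_bpf_file(SAMPLE_BPF)} instructions")
```

To check a real file, pass the contents of filter.bpf or attack.bpfc to check_bpf_file; a ValueError tells you which part of the compile step did not produce output.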