hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version
hashcat Forum (https://hashcat.net/forum)
Forum: Misc (https://hashcat.net/forum/forum-15.html)
Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ee10 - 01-26-2018

I was able to fix the issue by downgrading to Kali 2017.2. Yes, I am using a VM.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-26-2018

Nice that it works again.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - sfw10625 - 01-30-2018

For some reason the website http://wpa-sec.stanev.org gives the error "bad capture file" when trying to upload a few of my caps. All of them were gotten with hcxdumptool and haven't been cleaned or anything; they are the original caps from hcxdumptool.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-30-2018

Hi sfw10625. The reason is that wpa-sec is doing a full backend rewrite during the last weeks. That isn't finished yet. Alex hopes that wpa-sec gets rid of all those issues by the end of the week. So, please stay tuned...

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - sfw10625 - 01-30-2018

Thanks for the fast reply! Great job on the tool also! I also want to ask: is there a way to remove handshakes from a cap generated by hcxdumptool? I have a 24 hr cap with like 4500 handshakes, and when I export with hcxpcaptool -o I get around 260 best handshakes. Is there a way I can remove handshakes based on their ESSID? I ask this because if I feed the entire hccapx with the 260 handshakes it will take me like 5 days to run a basic bruteforce on it, but if there are only 10 handshakes for example I can run that bruteforce in 1 hour. At least that's what hashcat gives as an estimate using the same bruteforce options for both. Or am I doing something wrong in hashcat? Should 260 handshakes take 5 days and 10 handshakes take 1 hour to bruteforce if I'm using the same mask for both - 8 digits?
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-30-2018

Yes, you can do this using wlanhcx2ssid:

$ wlanhcx2ssid -h
wlanhcx2ssid 4.0.2 (C) 2018 ZeroBeat
usage: wlanhcx2ssid <options>

options:
-i <file>      : input hccapx file
-p <path>      : change directory for outputfiles
-a             : output file by mac_ap's
-s             : output file by mac_sta's
-o             : output file by vendor's (oui)
-e             : output file by essid's
-E <essid>     : output file by part of essid name
-X <essid>     : output file by essid name (exactly)
-x <digit>     : output by essid len (1 <= 32)
-A <mac_ap>    : output file by single mac_ap
-S <mac_sta>   : output file by single mac_sta
-O <oui>       : output file by single vendor (oui)
-V <name>      : output file by single vendor name or part of vendor name
-L <mac_list>  : input list containing mac_ap's (need -l)
               : format of mac_ap's each line: 112233445566
-l <file>      : output file (hccapx) by mac_list (need -L)
-w <file>      : write only forced from clients to hccapx file
-W <file>      : write only forced from access points to hccapx file
-r <file>      : write only replaycount checked to hccapx file
-R <file>      : write only not replaycount checked to hccapx file
-N <file>      : output stripped file (only one record each mac_ap, mac_sta, essid, message_pair combination)
-n <file>      : output stripped file (only one record each mac_sta, essid)
-g <file>      : write only handshakes with pairwise key flag set
-G <file>      : write only handshakes with groupkey flag set
-0 <file>      : write only MESSAGE_PAIR_M12E2 to hccapx file
-1 <file>      : write only MESSAGE_PAIR_M14E4 to hccapx file
-2 <file>      : write only MESSAGE_PAIR_M32E2 to hccapx file
-3 <file>      : write only MESSAGE_PAIR_M32E3 to hccapx file
-4 <file>      : write only MESSAGE_PAIR_M34E3 to hccapx file
-5 <file>      : write only MESSAGE_PAIR_M34E4 to hccapx file
-k <file>      : write keyversion based on key information field (use only basename)
               : output: basename.x.hccapx
               : WPA1 RC4 Cipher, HMAC-MD5..... basename.1.hccapx
               : WPA2 AES Cipher, HMAC-SHA1.... basename.2.hccapx
               : WPA2 AES Cipher, AES-128-CMAC2 basename.3.hccapx
               : all other are unknown
-F <file>      : remove bad records and write only flawless records to hccapx file
-D <file>      : remove duplicates from the same authentication sequence
               : you must use nonce-error-corrections on that file!
-h             : this help

for example:

$ hcxpcaptool -o test.hccapx 201801031743.cap
start reading from 201801031743.cap

summary:
--------
file name..............: 201801031743.cap
file type..............: pcap 2.4
network type...........: DLT_IEEE802_11 (105)
endianess..............: little endian
read errors............: flawless
packets inside.........: 1785492
skippedpackets.........: 0
packets with FCS.......: 0
warning................: zero value timestamps detected
WDS packets............: 14
beacons................: 17182
probe requests.........: 8974
probe responses........: 25548
association requests...: 32142
reassociation requests.: 5299
EAPOL packets..........: 1693747
EAP packets............: 751
found..................: EAP type ID
found..................: EAP-SIM (GSM Subscriber Modules) Authentication
found..................: EAP-TTLS Authentication
found..................: PEAP Authentication
found..................: WPS Authentication
best handshakes........: 807 (ap-less: 387)

815 handshake(s) written to test.hccapx

$ wlanhcx2ssid -i test.hccapx -X Home
815 records read from test.hccapx
1 records written

$ ls
201801031743.cap  Home.hccapx

Do not wonder why we have 807 best handshakes and 815 handshakes written to hccapx. The reason is that there are networks inside the cap which changed the ESSID during capture time! We do not want to lose them. It is also possible that you have fewer raw handshakes than best handshakes.
That depends on how many re-authentication sequences are captured: fewer re-authentication sequences = fewer raw handshakes.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - sfw10625 - 01-30-2018

Thanks, just tested it. wlancap2hcx -f hashes *.cap gives errors on some CAPs: "pcap read error: a packet arrives on interface 8, but there's no interface description block for that interface". Also, if I try to generate PMKs and use hashcat hash-mode 12000, will it reduce the time needed to crack all the 260 handshakes? Because my hashrate doesn't fall, it stays the same, but if I put in 10 handshakes it finishes in 1 hour and if I input the 260 handshakes it wants 3 days although the hashrate is the same. I don't understand this; what is the reason for this to happen in hash-mode 2500?

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-30-2018

No, hash-mode 12000 doesn't reduce the time. PBKDF2 is very, very computationally intensive. Generating PMKs only makes sense on common ESSIDs like home, HOME, default, etc.... Once calculated (rainbow table), you can use the PMK list against these ESSIDs. But rainbow tables are outdated. I use them only to check already recovered passwords. Therefore I calculated a PMK list from the hashcat potfile.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - sfw10625 - 01-30-2018

Thanks for the fast reply and support, you are a wonderful person!! The errors I got with wlancap2hcx were because I inputted all the caps in my directory and there were caps that I had edited and played around with. It was giving the error on those. The original caps are working, so it's my mistake.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 01-30-2018

Nice to hear that it works.

BTW: It's not me alone (RealEnder, Atom, Magnum, Neheb, TOXIC, freeroute - they all belong to the team).

Some words about -m 12000 in combination with WiFi: If you have captured a PMK from an EAP authentication (hcxtools can do this) and you have
- an idea about the salt
- the password
- or retrieved a possible password from the EAP ID (hcxtools can do this)
- or from the username (hcxtools can do this)
- or from the wlan traffic (hcxtools can do this)
then it's time for hashcat -m 12000
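The following is an added example, not code from hcxtools, hashcat or any of the posters, that illustrates two points raised in the thread: ZerBea's wlanhcx2ssid post (splitting a hccapx file by ESSID, here the -X exact and -E partial matches) and the later exchange about PBKDF2 cost and hash-mode 12000. It parses hashcat's documented hccapx v4 layout (393-byte records) and computes the WPA PMK as PBKDF2-HMAC-SHA1 with the ESSID as salt and 4096 rounds, which is why a candidate must be stretched once per distinct ESSID in the file rather than once per handshake: a file with 260 handshakes across many ESSIDs costs far more per candidate than 10 handshakes on one or two ESSIDs, and splitting by ESSID is the right lever. The sample records are constructed with zeroed nonces, MIC and EAPOL (not crackable); the -m 12000 line format is hashcat's sha1:rounds:base64(salt):base64(digest), and the PMK is checked against the IEEE 802.11 test vector (passphrase "password", SSID "IEEE").

```python
# Added example (not hcxtools or hashcat code): parse hashcat's hccapx format,
# split records by ESSID as wlanhcx2ssid -X / -E do, and compute the WPA PMK
# (PBKDF2-HMAC-SHA1, ESSID as salt) to show the per-ESSID cost and the
# hashcat -m 12000 line format. All sample records below are constructed.
import base64
import hashlib
import struct
from collections import defaultdict

# hccapx v4 record: 393 bytes, little-endian, as documented by hashcat
# (signature, version, message_pair, essid_len, essid[32], keyver, keymic[16],
#  mac_ap[6], nonce_ap[32], mac_sta[6], nonce_sta[32], eapol_len, eapol[256]).
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
HCCAPX_SIGNATURE = b"HCPX"
HCCAPX_VERSION = 4
WPA_PBKDF2_ROUNDS = 4096


def make_record(essid, mac_ap, mac_sta, message_pair=0, keyver=2):
    """Constructed hccapx record with zeroed nonces/MIC/EAPOL (not crackable)."""
    essid_b = essid.encode()
    if len(essid_b) > 32:
        raise ValueError("ESSID longer than 32 bytes")
    return HCCAPX.pack(
        HCCAPX_SIGNATURE, HCCAPX_VERSION, message_pair, len(essid_b),
        essid_b.ljust(32, b"\0"), keyver, b"\0" * 16,
        bytes.fromhex(mac_ap), b"\0" * 32, bytes.fromhex(mac_sta), b"\0" * 32,
        0, b"\0" * 256)


def parse_hccapx(data):
    """Yield one dict per record; reject truncated files and bad signatures."""
    if len(data) % HCCAPX.size:
        raise ValueError("file size is not a multiple of %d bytes" % HCCAPX.size)
    for off in range(0, len(data), HCCAPX.size):
        raw = data[off:off + HCCAPX.size]
        (sig, ver, message_pair, essid_len, essid, keyver, _keymic, mac_ap,
         _nonce_ap, mac_sta, _nonce_sta, _eapol_len, _eapol) = HCCAPX.unpack(raw)
        if sig != HCCAPX_SIGNATURE or ver != HCCAPX_VERSION or essid_len > 32:
            raise ValueError("bad hccapx record at offset %d" % off)
        yield {"essid": essid[:essid_len].decode("utf-8", "replace"),
               "mac_ap": mac_ap.hex(), "mac_sta": mac_sta.hex(),
               "message_pair": message_pair, "keyver": keyver, "raw": raw}


def split_by_essid(data, exact=None, part=None):
    """Group raw records by ESSID, keeping only ESSID == exact (like -X)
    and/or ESSIDs containing part (like -E). Values are writable hccapx blobs."""
    out = defaultdict(bytearray)
    for rec in parse_hccapx(data):
        if exact is not None and rec["essid"] != exact:
            continue
        if part is not None and part not in rec["essid"]:
            continue
        out[rec["essid"]] += rec["raw"]
    return {k: bytes(v) for k, v in out.items()}


def wpa_pmk(passphrase, essid):
    """WPA/WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, essid, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(),
                               WPA_PBKDF2_ROUNDS, 32)


def hashcat_12000_line(passphrase, essid):
    """Precomputed PMK as a hashcat -m 12000 (PBKDF2-HMAC-SHA1) hash line."""
    b64 = lambda b: base64.b64encode(b).decode()
    return "sha1:%d:%s:%s" % (WPA_PBKDF2_ROUNDS, b64(essid.encode()),
                              b64(wpa_pmk(passphrase, essid)))


def pbkdf2_runs_per_candidate(data):
    """The ESSID is the PBKDF2 salt, so each candidate is stretched once per
    distinct ESSID in the file, not once per handshake record."""
    return len({rec["essid"] for rec in parse_hccapx(data)})


def build_sample():
    """Constructed file: two clients on 'Home', one on 'HomeWifi', one on 'Office'."""
    return b"".join([
        make_record("Home", "001122334455", "aabbccddeeff"),
        make_record("Home", "001122334455", "aabbccddee00", message_pair=1),
        make_record("HomeWifi", "001122334466", "aabbccddee11"),
        make_record("Office", "001122334477", "aabbccddee22"),
    ])


if __name__ == "__main__":
    sample = build_sample()
    for essid, blob in split_by_essid(sample, part="Home").items():
        print("%s: %d record(s), %d bytes (wlanhcx2ssid would write %s.hccapx)"
              % (essid, len(blob) // HCCAPX.size, len(blob), essid))
    print("distinct ESSIDs (PBKDF2 runs per candidate):",
          pbkdf2_runs_per_candidate(sample))
    print(hashcat_12000_line("password", "IEEE"))
```

Write each value of split_by_essid() to `<essid>.hccapx` to get the same per-ESSID files wlanhcx2ssid -e produces; feeding hashcat only the ESSIDs you care about keeps the per-candidate PBKDF2 count down. The 12000 line is only useful where you already hold a PMK (e.g. from an EAP exchange) or a PMK list for common ESSIDs, as ZerBea notes; it does not make the stretching any cheaper.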