hashcat Forum
hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version

Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)



RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - wakawaka - 08-06-2018

(08-06-2018, 08:47 AM)RashidMalik Wrote: Hello ZerBea

Great to see you working hard on making hcxtools one of a kind. You guys have left other similar tools way way behind. Hats off and a bow to your tireless dedication.

Q - Regarding the hcxpcaptool -o and -O options. Are they mutually exclusive (that is, what -o captures -O does not, and vice versa) or does -O include all you could capture with -o and then some more handshakes? I mean, what's the difference and when to use which option?

see answer in post #275


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - RashidMalik - 08-06-2018

ZerBea

hcxdumptool 4.2.0 says powned=4 (after having been running for a while) on its status bar;

Is that a spelling mistake?
What does it mean? Does it mean it has pawned 4 networks (how)? If yes, how can I see which four they are and what their passwords are?


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - atom - 08-06-2018

Select your target and crack the PSK with hashcat


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 08-07-2018

Small update hcxdumptool:
Now we use the hardware handshake of the driver. ATHEROS chipset should work now.


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 08-07-2018

hcxtools and hcxdumptool moved to version 4.2.1.
Added communication between hcxdumptool and hcxpcaptool via pcapng option fields
in the SHB and EHB blocks:
SHB block: 62108 REPLAYCOUNT uint64_t
SHB block: 62019 ANONCE uint8_t[32]

EHB block: 1 "HANDSHAKE AP-LESS" (green field in Wireshark Packet Comments)
EHB block: 62109 ANONCE uint8_t[32]

hcxdumptool: new status display options
ATHEROS is still not working as expected.

The randomized hcxdumptool AP-LESS attack is now detected by hcxpcaptool:

summary:
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.17.11-arch1
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 200
skipped packets..............: 0
packets with FCS.............: 0
WDS packets..................: 2
beacons (with ESSID inside)..: 14
probe requests...............: 2
probe responses..............: 7
association requests.........: 6
association responses........: 11
authentications (OPEN SYSTEM): 140
authentications (BROADCOM)...: 6
EAPOL packets................: 21
EAPOL PMKIDs.................: 1
best handshakes..............: 1 (ap-less: 1)
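The SHB and EHB option fields listed above are plain pcapng options (code, length, padded value), so a reader can pull them out of a capture without hcxpcaptool. The following is an added example for this thread, not hcxtools code: it walks the pcapng blocks, validates both length fields of each block, and returns REPLAYCOUNT and ANONCE from the section header plus the comment and ANONCE of every tagged packet block (pcapng calls the EHB the Enhanced Packet Block, type 6). The option codes are the ones given in the post; the block layouts are standard pcapng; it is assumed that REPLAYCOUNT is written in the file's byte order and ANONCE as 32 raw bytes. The sample capture bytes at the bottom are constructed for this example (one SHB and one packet block, no interface block, which the reader does not need), not a real capture.

```python
"""Reader for the hcxdumptool-specific pcapng option fields described in the post.

Added example for this thread, not hcxtools code. Option codes 62108/62019 (SHB)
and 1/62109 (packet block) and their meanings come from the post; block and
option layouts are standard pcapng; the sample bytes below are constructed.
Assumed: REPLAYCOUNT is stored in the file's byte order, ANONCE is 32 raw bytes.
"""
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block
EPB_TYPE = 0x00000006          # Enhanced Packet Block (the post calls it EHB)
BYTE_ORDER_MAGIC = 0x1A2B3C4D

OPT_COMMENT = 1                # standard pcapng comment, shown green by Wireshark
OPT_SHB_REPLAYCOUNT = 62108    # uint64_t, per the post
OPT_SHB_ANONCE = 62019         # uint8_t[32], per the post
OPT_EPB_ANONCE = 62109         # uint8_t[32], per the post


def parse_options(buf, endian):
    """Parse a pcapng option list (code u16, length u16, value padded to 4 bytes)."""
    opts = {}
    pos = 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack(endian + "HH", buf[pos:pos + 4])
        pos += 4
        if code == 0:                       # opt_endofopt
            break
        if pos + length > len(buf):
            raise ValueError("option %d runs past the end of the block" % code)
        opts[code] = buf[pos:pos + length]
        pos += (length + 3) & ~3            # values are padded to 32-bit boundaries
    return opts


def iter_blocks(data):
    """Yield (block_type, body, endian) for every block, checking both length fields."""
    endian = "<"
    pos = 0
    while pos + 12 <= len(data):
        # The SHB type value is a byte palindrome, so it reads the same in either order.
        if struct.unpack("<I", data[pos:pos + 4])[0] == SHB_TYPE:
            magic = data[pos + 8:pos + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError("bad byte-order magic at offset %d" % pos)
        btype, blen = struct.unpack(endian + "II", data[pos:pos + 8])
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError("corrupt block length at offset %d" % pos)
        if struct.unpack(endian + "I", data[pos + blen - 4:pos + blen])[0] != blen:
            raise ValueError("trailing block length mismatch at offset %d" % pos)
        yield btype, data[pos + 8:pos + blen - 4], endian
        pos += blen


def read_hcx_fields(data):
    """Collect REPLAYCOUNT/ANONCE from the SHB and the tagged packets from packet blocks."""
    result = {"replaycount": None, "anonce": None, "packets": []}
    for btype, body, endian in iter_blocks(data):
        if btype == SHB_TYPE:
            # body: magic(4) major(2) minor(2) section_length(8) options...
            opts = parse_options(body[16:], endian)
            if OPT_SHB_REPLAYCOUNT in opts:
                result["replaycount"] = struct.unpack(endian + "Q", opts[OPT_SHB_REPLAYCOUNT])[0]
            if OPT_SHB_ANONCE in opts:
                result["anonce"] = opts[OPT_SHB_ANONCE].hex()
        elif btype == EPB_TYPE:
            # body: iface(4) ts_hi(4) ts_lo(4) caplen(4) origlen(4) data(padded) options...
            caplen = struct.unpack(endian + "I", body[12:16])[0]
            opts = parse_options(body[20 + caplen + (-caplen % 4):], endian)
            pkt = {
                "comment": opts.get(OPT_COMMENT, b"").decode("utf-8", "replace"),
                "anonce": opts[OPT_EPB_ANONCE].hex() if OPT_EPB_ANONCE in opts else None,
            }
            if pkt["comment"] or pkt["anonce"]:
                result["packets"].append(pkt)
    return result


# --- constructed sample: one SHB and one tagged packet block (no IDB; the reader does not need it) ---
def _opt(code, value):
    return struct.pack("<HH", code, len(value)) + value + b"\0" * (-len(value) % 4)


def _block(btype, body):
    blen = 12 + len(body)
    return struct.pack("<II", btype, blen) + body + struct.pack("<I", blen)


SAMPLE_ANONCE = bytes(range(32))                       # constructed nonce, not from a capture
SAMPLE_FRAME = b"\x88\x02" + b"\0" * 22                # constructed 24-byte placeholder frame
SAMPLE_PCAPNG = (
    _block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)
           + _opt(OPT_SHB_REPLAYCOUNT, struct.pack("<Q", 64450))
           + _opt(OPT_SHB_ANONCE, SAMPLE_ANONCE) + _opt(0, b""))
    + _block(EPB_TYPE, struct.pack("<IIIII", 0, 0, 0, len(SAMPLE_FRAME), len(SAMPLE_FRAME))
             + SAMPLE_FRAME + _opt(OPT_COMMENT, b"HANDSHAKE AP-LESS")
             + _opt(OPT_EPB_ANONCE, SAMPLE_ANONCE) + _opt(0, b""))
)

if __name__ == "__main__":
    print(read_hcx_fields(SAMPLE_PCAPNG))
```

Because the SHB carries the ANONCE that hcxdumptool used for the whole session, a capture whose packet-block ANONCE differs from the SHB value was not produced by the randomized AP-LESS attack of that session; comparing the two is the check hcxpcaptool's "ap-less" counter in the summary above relies on.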


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - MadMeow - 08-07-2018

Good day, Zerbea.
First of all, I want to thank you for an extremely useful set of utilities. Excellent work! I have used your utilities from the very beginning of development and I am always happy with the results.
I have several questions now related to the new version of hcxdumptool.
1. I have found that the utility ceases to work after a while. I am connected to a Raspberry (3 with Raspbian 9, kernel 4.14) through ssh and I watch how many packets are received by the radio interface. After the program has worked for a while, I notice that when switching to the next channel the number of collected packets (rx) increases by only one packet, and at the same time the transfer of packets stops. I can start the program again, but it does not help. Stopping and starting monitor mode (I use Atheros in a TP-Link 722N) does not help either. After a reboot everything becomes normal for some time, but then the situation repeats. I updated about 8 hours ago. Can you tell me what I can check to localize this problem?
2. I tried the new attack mode and it really works great! I would just like to clarify some details about the output format of the file that contains PMKIDs. When using hashcat (16800), I noticed that several APs with different MACs but the same ESSID and password were recovered (of course it could be CAPsMAN or similar, for example) and I had some doubts as to whether I correctly understood the format of the pot file. Do I understand correctly that the second position in the pot file after "*" is exactly the MAC address of the AP which was successfully attacked?
Forgive me for my bad English, and thanks in advance!

Update:
The second question is removed from the agenda; I managed to repeat the situation in the lab.
Now I have updated to the latest version of the utility (4.2.1) and, after building a new system image for the Raspberry, it seems that I do not observe what I described earlier. Is it possible that there were some performance issues? In any case, I will try to reproduce this problem.


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 08-08-2018

Hi MadMeow.
First of all, thanks. I am very pleased about that.
1.
I'm not sure how to handle the TL-WN722N. I noticed some issues in handling the FCS. You can read more about that here:
https://github.com/qca/open-ath9k-htc-firmware/issues/126
https://wikidevi.com/wiki/Wireless_adapters/Chipset_table (do a search for "broken")
https://github.com/vanhoefm/modwifi/issues/9
https://github.com/ZerBea/hcxdumptool/issues/12#issuecomment-410726219

(https://forums.kali.org/showthread.php?34265-Kali-linux-2016-2-amd64-problem-AWUS036H-wifi-card&styleid=2)

Sometimes the delivered packets (from userspace via raw socket to the driver) are cut by the driver (last 2 bytes - I assume that is the FCS). After a while, the driver crashes. You can reproduce this using Wireshark. Wireshark will show you many "Malformed Packets", even if hcxdumptool is not running!

2.
Format of the 16800 potfile:
PMKID*MAC_AP*MAC_STA*ESSID followed by the PSK
Format of the 16801 potfile:
PMKID*MAC_AP*MAC_STA followed by the PMK

If you have more hashlines with the same MAC_AP (BSSID) you can remove all except one. This will speed up hashcat a little bit.

Using Version 4.2.1 you will notice some improvements:
--enable_status=<digit> : enable status messages
bitmask:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATION
8: ASSOCIATION

For example, to retrieve EAPOL and PROBEREQUEST/PROBERESPONSE you can use
--enable_status=1 --enable_status=2
or via bitmask
--enable_status=3

The status output will show you:
[FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 11132]
These packets will be marked green in Wireshark.

[FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 2129]
[FOUND PMKID]
[FOUND PMKID CLIENT-LESS]
or, if hcxdumptool restarts the authentication sequence between a client and an access point,
[EAPOL 4/4 - M4 RETRY ATTACK]
If you get many of these messages, you are too far away from the access point.

--enable_status=2 will show you possible PSKs retrieved from the traffic, as well as ESSIDs.

We also measure the EAPOL key timeout.
A high timeout means much traffic on the channel or weak signals.

Get more information and some nice how-tos here:
https://medium.com/@adam.toscher/new-attack-on-wpa-wpa2-using-pmkid-96c3119f7f99
and here:
https://www.youtube.com/watch?v=ve_0Qhd0bSM
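The potfile layout and the "one line per MAC_AP is enough" advice above are easy to get wrong by hand (MadMeow's question about which field is the AP is exactly that). The following is an added example for this thread, not hcxtools or hashcat code: it parses 16800 hash lines into named fields, splits a potfile line into hash and PSK, and keeps only the first line per BSSID. The field order PMKID*MAC_AP*MAC_STA*ESSID follows the post; it is assumed that the ESSID is hex-encoded as hcxpcaptool writes it and that the potfile line is the hash line followed by ":" and the PSK. The three sample lines are constructed, not from a capture.

```python
"""Parser and per-BSSID deduplication for hashcat 16800 (PMKID) hash lines.

Added example for this thread, not hcxtools or hashcat code. The field order
PMKID*MAC_AP*MAC_STA*ESSID follows the post; the ESSID is assumed to be
hex-encoded as hcxpcaptool writes it, and a potfile line is assumed to be the
hash line followed by ":" and the PSK. The sample lines are constructed.
"""
import re

# 32 hex chars PMKID, 12 hex chars per MAC, hex-encoded ESSID (1..32 bytes)
HASHLINE_RE = re.compile(
    r"^([0-9a-f]{32})\*([0-9a-f]{12})\*([0-9a-f]{12})\*([0-9a-f]{2,64})$"
)


def parse_hashline(line):
    """Split one 16800 line into its fields; raises ValueError on malformed input."""
    m = HASHLINE_RE.match(line.strip().lower())
    if not m:
        raise ValueError("not a 16800 hash line: %r" % line)
    pmkid, mac_ap, mac_sta, essid_hex = m.groups()
    if len(essid_hex) % 2:
        raise ValueError("odd-length ESSID hex in: %r" % line)
    return {
        "pmkid": pmkid,
        "mac_ap": mac_ap,                     # BSSID: the second field MadMeow asked about
        "mac_sta": mac_sta,
        "essid": bytes.fromhex(essid_hex).decode("utf-8", "replace"),
    }


def parse_potline(line):
    """Potfile line = hash line + ':' + PSK (the hash part itself contains no ':')."""
    hashpart, sep, psk = line.rstrip("\r\n").partition(":")
    if not sep:
        raise ValueError("no ':' separator in potfile line: %r" % line)
    rec = parse_hashline(hashpart)
    rec["psk"] = psk
    return rec


def dedup_by_bssid(lines):
    """Keep the first hash line per MAC_AP.

    Every PMKID for one AP is derived from the same PMK (only MAC_STA changes),
    so one line per BSSID is enough to test a candidate PSK; the rest only add
    work, which is the speed-up the post describes. Returns (kept, dropped).
    """
    seen, kept, dropped = set(), [], []
    for line in lines:
        if not line.strip():
            continue
        mac_ap = parse_hashline(line)["mac_ap"]
        if mac_ap in seen:
            dropped.append(line)
        else:
            seen.add(mac_ap)
            kept.append(line)
    return kept, dropped


# constructed sample: two clients of the same AP plus one other AP
SAMPLE_HASHLINES = [
    "00112233445566778899aabbccddeeff*aabbccddee01*112233445501*686f6d656e6574",  # "homenet"
    "ffeeddccbbaa99887766554433221100*aabbccddee01*112233445502*686f6d656e6574",  # same BSSID
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0*aabbccddee02*112233445503*6775657374",      # "guest"
]

if __name__ == "__main__":
    kept, dropped = dedup_by_bssid(SAMPLE_HASHLINES)
    for line in kept:
        rec = parse_hashline(line)
        print(rec["mac_ap"], rec["essid"])
    print("dropped %d duplicate line(s)" % len(dropped))
```

Deduplicating by MAC_AP rather than by ESSID is deliberate: as MadMeow observed, several BSSIDs can legitimately share one ESSID and PSK (CAPsMAN or similar), and those are distinct APs whose lines should all stay in an inventory.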


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 08-08-2018

Pushed some updates: ATHEROS should work now, too:

Product:
TP-LINK TL-WN722N

$ uname -r
4.17.11-arch1

$ lsusb
Bus 005 Device 010: ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n

$ dmesg
[22226.399738] usb 5-4.5: Manufacturer: ATHEROS
[22226.399740] usb 5-4.5: SerialNumber: 12345
[22226.489515] usb 5-4.5: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[22226.781615] usb 5-4.5: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[22227.031828] ath9k_htc 5-4.5:1.0: ath9k_htc: HTC initialized with 33 credits
[22227.267452] ath9k_htc 5-4.5:1.0: ath9k_htc: FW Version: 1.4
[22227.267454] ath9k_htc 5-4.5:1.0: FW RMW support: On
[22227.271109] ieee80211 phy3: Atheros AR9271 Rev:1
[22227.273600] ath9k_htc 5-4.5:1.0 wlp39s0f3u4u5: renamed from wlan0

$ sudo hcxdumptool -o atherostest.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status=1

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc233e628d4 (client)
MAC ACCESS POINT.........: 000d58c18ab7 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 64450
ANONCE...................: d420b933a2b78ea4a77febbaed22a8bf9cf37b45bcaab23323f46f40d2789ca7

[16:08:35 - 001] xxxxxxxxxxxx -> xxxxxxxxxxxx [FOUND PMKID CLIENT-LESS]
[16:08:36 - 001] xxxxxxxxxxxx -> xxxxxxxxxxxx [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 3126]
[16:08:37 - 001] xxxxxxxxxxxx -> xxxxxxxxxxxx [FOUND PMKID]
[16:08:39 - 001] xxxxxxxxxxxx -> xxxxxxxxxxxx [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 11996]


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - MadMeow - 08-08-2018

Thank you very much for your help, ZerBea.
After some field tests, I think the problem really is with the Atheros driver (I really miss my broken Alfa with 3070). But if I run the program with the "--disable_ap_attacks" key, then this problem does not happen. There is one more observation. If I do not use additional parameters, but simply specify the interface and output file, then the program works without problems if there are not more than half a dozen access points around. As soon as I start the program in a place where the radio air is very busy, after a while problems begin. I cannot even connect to ssh until I disconnect my adapter from USB, which causes hcxdumptool to stop working, and after that I can connect via ssh again. I can still capture the PMKID from the access point to the client, but I do not initiate this process through hcxdumptool.

With my second question, everything is very clear to me. I am really clearing the file manually to reduce hashcat work time. In my case, I need all MACs for my personal database and I just wanted to make sure that there is no error. This really can happen if I stumble upon Mikrotik CAPsMAN or access points that automatically organize a single wireless infrastructure (like some Asus models, for example).

Once again, thank you for all the information and I wish you great success in the development of your project.

Update: Oh. I must try the new version now, I think.


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - wakawaka - 08-11-2018

Hello ZerBea,
It seems APs with special characters (" ' * ) are auto-converted to $HEX[xxxxxxx] in PROBEREQUEST/PROBERESPONSE.
Is this something that can be fixed/added in a future release?