hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version
+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - faberC - 08-08-2017

To compile for Raspberry Pi 3 I needed to add -std=c99 after CC = gcc on line 8 of the Makefile, just as I said in the error output. Worked perfectly on my headless Raspberry Pi 3 with a TP-Link WN722N dongle.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 08-08-2017

Thanks for the feedback. hcxtools should work on Raspberry A, A+, B, B+, 2B and 3 (3: except the built-in wifi). The compiler options depend on the version. For arch:

$ gcc --version
gcc (GCC) 7.1.1 20170630

but raspbian or ubuntu should work, too.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - freeroute - 08-11-2017

(06-23-2017, 09:56 PM)winxp5421 Wrote: This is fantastic! Now, all we need is an automated way to scan client probe requests, setup fake AP with probe request info, client attempts authentication, save to .cap, rinse, repeat.

So we can use wlandump-ng/wlanresponse to get the handshake (capture only M1-M2) without an AP (using the clients' probe requests) and then find the password using hashcat? Am I correct?

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 08-11-2017

Quick answer: Yes, that's correct.

Long statement: You only need to capture the M2 from a client. wlandump-ng and wlanresponse will calculate the M1. wlandump-ng will show us this (using the -s xx option):

transmitted m1/received appropriate m2...: 343/719

and the regular messages from a real ap connected to a client:

received regular m1/m2/m3/m4.............: 146/98/143/68

Using the defaults, a client probes every ap which has an entry in its wpa_supplicant.conf. A stupid client also probes and authenticates to its 5GHz access point on 2.4GHz! wlandump-ng accepts and transmits an M1. After receiving this M1 the client transmits its M2.
So we receive a valid M2, calculated from an entry in its wpa_supplicant.conf. If the client has 10 entries (from 10 different networks) in its wpa_supplicant.conf, we get 10 different crackable M2s.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - freeroute - 08-12-2017

Thanks for your help. It is a unique tool. You are great...

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 08-12-2017

It's just a wlan parser for hashcat - hashcat is the amazing tool.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 08-14-2017

Added detection of zeroed plainmasterkeys to hcxtools:

$ wlancap2hcx -o test.hccapx *.cap
start reading from wlan.cap
8659109 packets processed (8659109 wlan, 0 lan, 0 loopback)
total 201527 usefull wpa handshakes
found 52 handshakes with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)
found 1642 WPA1 RC4 Cipher, HMAC-MD5
found 199883 WPA2 AES Cipher, HMAC-SHA1
found 2 WPA2 AES Cipher, AES-128-CMAC
found 90883 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
found MD5-Challenge (hashcat -m 4800)
found EAP-TLS Authentication
found EAP-Cisco Wireless Authentication (hashcat -m 5500)
found EAP-SIM (GSM Subscriber Modules) Authentication
found PEAP Authentication
found WPS Authentication
warning: use of wpaclean detected

"found 52 handshakes with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)" means that a client uses a misconfigured wpa_supplicant or an access point uses a misconfigured hostapd. Use

hashcat -m 2501 test.hccapx pmkfile

to crack the net.

pmkfile:
0000000000000000000000000000000000000000000000000000000000000000

If you cracked M1/M2 or M1/M4, the client is misconfigured. If you cracked M2/M3 or M3/M4, the access point is misconfigured and you are able to connect to the net using a zeroed plainmasterkey.
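What "zeroed plainmasterkey" detection actually checks, as an added example that is not hcxtools' or hashcat's code: the 64-byte PTK is derived from an all-zero PMK with the IEEE 802.11i PRF-512, the first 16 bytes (the KCK) are used to recompute the EAPOL-Key MIC, and the result is compared with the MIC in the captured frame. The MACs, nonces and the M2 frame below are constructed sample values; keyver 3 (AES-128-CMAC, the "WPA2 AES Cipher, AES-128-CMAC" line above) is deliberately left out because it needs a CMAC implementation.

```python
import hashlib
import hmac

# Offset of the 16-byte MIC inside an EAPOL-Key frame: EAPOL header (4) + descriptor type (1)
# + key info (2) + key length (2) + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8).
MIC_OFFSET = 81
# The "zeroed plainmasterkey" the thread's pmkfile holds: 32 zero bytes (64 hex zeros).
ZERO_PMK = bytes(32)


def prf512(pmk, mac_ap, mac_sta, nonce_ap, nonce_sta):
    """IEEE 802.11i PRF-512: expand the PMK into the 64-byte PTK.

    The input is min/max of the two MACs followed by min/max of the two nonces,
    so both sides derive the same PTK regardless of who supplied which value.
    """
    data = (min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
            + min(nonce_ap, nonce_sta) + max(nonce_ap, nonce_sta))
    label = b"Pairwise key expansion"
    out = b""
    for i in range(4):  # 4 x 20 bytes of HMAC-SHA1 output, truncated to 512 bits
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(pmk, mac_ap, mac_sta, nonce_ap, nonce_sta, eapol, keyver):
    """Recompute the MIC of an EAPOL-Key frame under `pmk` (MIC field zeroed for the HMAC)."""
    kck = prf512(pmk, mac_ap, mac_sta, nonce_ap, nonce_sta)[:16]  # KCK = first 128 bits of the PTK
    frame = bytearray(eapol)
    frame[MIC_OFFSET:MIC_OFFSET + 16] = bytes(16)
    if keyver == 1:  # WPA1: HMAC-MD5 (the thread's "WPA1 RC4 Cipher, HMAC-MD5" line)
        return hmac.new(kck, bytes(frame), hashlib.md5).digest()
    if keyver == 2:  # WPA2: HMAC-SHA1 truncated to 128 bits
        return hmac.new(kck, bytes(frame), hashlib.sha1).digest()[:16]
    raise ValueError("keyver 3 (AES-128-CMAC) is not handled by this example")


def uses_zeroed_pmk(hs):
    """True when the captured MIC verifies under an all-zero PMK, i.e. one side is misconfigured."""
    expected = eapol_mic(ZERO_PMK, hs["mac_ap"], hs["mac_sta"], hs["nonce_ap"],
                         hs["nonce_sta"], hs["eapol"], hs["keyver"])
    return hmac.compare_digest(expected, hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16])


def build_m2(snonce, replay_counter=1):
    """Constructed sample M2: EAPOL-Key, RSN descriptor, key info 0x010a = MIC | pairwise | keyver 2."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10"
            + replay_counter.to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8)  # SNonce, IV, RSC, ID
            + bytes(16)                                 # MIC, filled in by make_handshake
            + b"\x00\x00")                              # key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def make_handshake(pmk, mac_ap, mac_sta, anonce, snonce):
    """Constructed sample: an M2 whose MIC a supplicant holding `pmk` would have produced."""
    eapol = bytearray(build_m2(snonce))
    eapol[MIC_OFFSET:MIC_OFFSET + 16] = eapol_mic(pmk, mac_ap, mac_sta, anonce, snonce, bytes(eapol), 2)
    return {"mac_ap": mac_ap, "mac_sta": mac_sta, "nonce_ap": anonce,
            "nonce_sta": snonce, "keyver": 2, "eapol": bytes(eapol)}


# Constructed addresses and nonces (locally administered MACs, not real devices).
MAC_AP = bytes.fromhex("02aabbccdd01")
MAC_STA = bytes.fromhex("02aabbccdd02")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

# A station that derived its MIC from an all-zero PMK, and one with a real (constructed) PMK.
MISCONFIGURED = make_handshake(ZERO_PMK, MAC_AP, MAC_STA, ANONCE, SNONCE)
HEALTHY = make_handshake(hashlib.sha256(b"constructed healthy PMK").digest(),
                         MAC_AP, MAC_STA, ANONCE, SNONCE)

if __name__ == "__main__":
    for name, hs in (("misconfigured", MISCONFIGURED), ("healthy", HEALTHY)):
        print(f"{name}: zeroed plainmasterkey = {uses_zeroed_pmk(hs)}")
```

This is the same check hashcat -m 2501 performs with the all-zero pmkfile from the post, done for a single candidate PMK instead of a list; a positive result on a capture you own means the supplicant or hostapd on that side never derived a PMK from the passphrase and needs its configuration fixed.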
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 08-16-2017

How to increase hashcat's cracking speed on wpa/wpa2 by using wlandump forced handshakes only:

1. use wlandump-ng or wlanresponse to capture wlan traffic

2. increase cracking speed: use wlancap2hcx to convert cap to hccapx (option -w <file>: write only wlandump forced to hccapx file)

wlancap2hcx -W test1.hccapx *.cap

at this point you can use

hashcat -m 2500 --nonce-error-corrections=0 test1.hccapx wordlist

3. increase cracking speed further: use wlanhcx2ssid to make nets unique (option -n <file>: output stripped file (only one record for each mac_sta, essid))

wlanhcx2ssid -i test1.hccapx -n test2.hccapx

at this point you can use

hashcat -m 2500 --nonce-error-corrections=0 test2.hccapx wordlist

That will work on hash-modes 2500 and 2501.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 08-17-2017

How to convert hccapx back to cap:

cap2hccapx and wlancap2hcx don't convert the following message pairs:

MESSAGE_PAIR_M32E3 3
MESSAGE_PAIR_M32E3 131
MESSAGE_PAIR_M34E3 4
MESSAGE_PAIR_M34E3 132

because conversion from hccapx to cap is not lossless and these types can't be converted back. Both tools write instead the message pairs

MESSAGE_PAIR_M32E2 2
MESSAGE_PAIR_M32E2 130
MESSAGE_PAIR_M34E4 5
MESSAGE_PAIR_M34E4 133

to a hccapx file. So it's possible to convert a hccapx file back to a cap file:

wlanhcx2cap -i test.hccapx -o test.cap -m 40

Option -m means that max. 40 different cap files are written (depending on the total number of nets in the hccapx): each cap file contains only one combination of mac_ap, mac_sta, ESSID per network. For example, http://wpa-sec.stanev.org/? will accept these back-converted caps.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - freeroute - 08-17-2017

I use this tool to convert hccapx back to cap, but it was sometimes unsuccessful. So this is the reason.
Thanks.
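The record format the 08-16 and 08-17 posts are manipulating, as an added example that is not hcxtools' or hashcat's code: it packs and parses hccapx records using the 393-byte layout from hashcat's published hccapx spec, keeps one record per (mac_sta, essid) the way the -n option above is described as doing, separates out the message pairs the thread says cannot be rebuilt into a cap, and maps a pair that cracked under a zeroed plainmasterkey to the misconfigured side named in the 08-14 post. The records, MAC addresses, ESSID and EAPOL bytes are constructed filler; the thread lists each pair as n and n+128 (3 and 131, 5 and 133), so the example only strips that high bit and assigns it no further meaning.

```python
import struct

# hccapx record layout (393 bytes, little-endian) as published in hashcat's hccapx spec.
HCCAPX_STRUCT = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
HCCAPX_SIGNATURE = b"HCPX"
HCCAPX_SIZE = HCCAPX_STRUCT.size  # 393

# Base message_pair values from the spec; names follow the thread's MESSAGE_PAIR_* output.
MESSAGE_PAIRS = {0: "M12E2", 1: "M14E4", 2: "M32E2", 3: "M32E3", 4: "M34E3", 5: "M34E4"}
# Pairs the thread says cannot be converted back to cap (listed as 3/131 and 4/132).
NOT_CONVERTIBLE = {3, 4}


def base_pair(message_pair):
    """Strip the high bit: the thread lists every pair twice, as n and n+128 (e.g. 3 and 131)."""
    return message_pair & 0x7F


def pack_record(message_pair, essid, keyver, keymic, mac_ap, nonce_ap, mac_sta, nonce_sta, eapol, version=4):
    """Serialise one hccapx record; variable-length fields are zero-padded to their fixed size."""
    return HCCAPX_STRUCT.pack(HCCAPX_SIGNATURE, version, message_pair, len(essid), essid.ljust(32, b"\0"),
                              keyver, keymic, mac_ap, nonce_ap, mac_sta, nonce_sta,
                              len(eapol), eapol.ljust(256, b"\0"))


def parse_hccapx(data):
    """Parse a whole hccapx file (a concatenation of fixed-size records) into dicts."""
    if len(data) % HCCAPX_SIZE:
        raise ValueError(f"file size {len(data)} is not a multiple of {HCCAPX_SIZE}")
    records = []
    for off in range(0, len(data), HCCAPX_SIZE):
        (sig, version, mp, essid_len, essid, keyver, keymic, mac_ap, nonce_ap,
         mac_sta, nonce_sta, eapol_len, eapol) = HCCAPX_STRUCT.unpack_from(data, off)
        if sig != HCCAPX_SIGNATURE:
            raise ValueError(f"bad signature at offset {off}")
        records.append({"version": version, "message_pair": mp, "essid": essid[:essid_len],
                        "keyver": keyver, "keymic": keymic, "mac_ap": mac_ap, "nonce_ap": nonce_ap,
                        "mac_sta": mac_sta, "nonce_sta": nonce_sta, "eapol": eapol[:eapol_len]})
    return records


def unique_nets(records):
    """Keep the first record per (mac_sta, essid), the stripping wlanhcx2ssid -n is described as doing."""
    kept = {}
    for r in records:
        kept.setdefault((r["mac_sta"], r["essid"]), r)
    return list(kept.values())


def convertible_to_cap(records):
    """Records whose message pair a hccapx -> cap conversion can rebuild losslessly."""
    return [r for r in records if base_pair(r["message_pair"]) not in NOT_CONVERTIBLE]


def misconfigured_side(message_pair):
    """Which side holds the zeroed PMK when this pair cracks under it (M1/M2, M1/M4: client)."""
    return "client" if base_pair(message_pair) in (0, 1) else "access point"


def _sample(message_pair, mac_sta, essid=b"ConstructedNet"):
    # Constructed record: nonces, MIC and EAPOL are filler; only the fields we inspect matter here.
    return pack_record(message_pair, essid, 2, bytes(16), bytes.fromhex("02aabbccdd01"),
                       bytes(32), mac_sta, bytes(32), b"\x01\x03\x00\x5f" + bytes(95))


# Constructed hccapx file: four records, two of them from the same station and ESSID.
SAMPLE_FILE = b"".join([
    _sample(0, bytes.fromhex("02aabbccdd02")),    # M1/M2 from station ..02
    _sample(2, bytes.fromhex("02aabbccdd02")),    # M2/M3 from the same station: a duplicate net
    _sample(131, bytes.fromhex("02aabbccdd03")),  # M32E3 with the high bit set: not convertible
    _sample(5, bytes.fromhex("02aabbccdd04")),    # M34E4
])

if __name__ == "__main__":
    recs = parse_hccapx(SAMPLE_FILE)
    print(len(recs), "records,", len(unique_nets(recs)), "unique nets,",
          len(convertible_to_cap(recs)), "convertible to cap")
    for r in recs:
        print(MESSAGE_PAIRS[base_pair(r["message_pair"])], r["message_pair"],
              "zeroed PMK would point at the", misconfigured_side(r["message_pair"]))
```

Running the block on a real test.hccapx (read the file in binary and pass it to parse_hccapx) shows why a back-conversion can fail: any record whose base pair is 3 or 4 has no cap equivalent, which matches the intermittent failures reported in the last post.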