hcxpcaptool does not detect beacon packet

hashcat Forum (https://hashcat.net/forum), Forum: hashcat-utils, maskprocessor, statsprocessor, md5stress, wikistrip, Thread: /thread-8965.html

hcxpcaptool does not detect beacon packet - vladinko0 - 02-14-2020

I have a pcapng file of 5 packets (attachment https://easyupload.io/74zyro). Four of them are handshake EAPOLs and one is a beacon. I think it should be enough information for hcxpcaptool to create a hash file. But when I run the command "hcxpcaptool -o /root/HS.hash /root/hs_plus_beacon.pcapng" I get this result:

summary capture file:
---------------------
file name........................: hs_plus_beacon.pcapng
file type........................: pcapng 1.0
file hardware information........: unknown
capture device vendor information: 000000
file os information..............: Linux 5.2.0-kali2-amd64
file application information.....: Mergecap (Wireshark) 3.0.3 (Git v3.0.3 packaged as 3.0.3-1) (no custom options)
network type.....................: DLT_IEEE802_11 (105)
endianness.......................: little endian
read errors......................: flawless
minimum time stamp...............: 11.10.2005 23:07:52 (GMT)
maximum time stamp...............: 11.10.2005 23:07:52 (GMT)
packets inside...................: 5
skipped damaged packets..........: 0
packets with GPS NMEA data.......: 0
packets with GPS data (JSON old).: 0
packets with FCS.................: 0
association requests.............: 1
EAPOL packets (total)............: 4
EAPOL packets (WPA2).............: 4
best handshakes (total)..........: 1 (ap-less: 0)

summary output file(s):
-----------------------

The beacon is not detected, just the EAPOLs, and I don't get any output file. I need to say that this pcapng file was created with the text2pcap and mergecap tools, because I am using raw packets captured by tshark and written to a database.
I use these commands:
"text2pcap ap_rawfile ap_raw_file.pcapng -n -l 127"
"text2pcap eapols_rawfile eapols_rawfile.pcapng -n -l 105"
"mergecap ap_raw_file.pcapng eapols_rawfile.pcapng -F pcapng -w hs_plus_beacon.pcapng"

RE: hcxpcaptool does not detect beacon packet - ZerBea - 02-14-2020

The timestamps are completely useless:
$ tshark -r hs_plus_beacon.pcapng -T fields -e frame.number -e frame.time
1 Feb 14, 2020 11:43:57.000000000 CET
2 Feb 14, 2020 11:43:57.000000000 CET
3 Feb 14, 2020 11:43:57.000000001 CET
4 Feb 14, 2020 11:43:57.000000002 CET
5 Feb 14, 2020 11:43:57.000000003 CET

The merged pcapng file is a mixed header file:
DLT_IEEE802_11 (105)
DLT_IEEE802_11_RADIO (127)

Added support (hcxpcapngtool) for multiple interfaces by this commit:
https://github.com/ZerBea/hcxtools/commit/70e9798c4a030a0e5d8c2360b3ee8ebbfdf54bc1

Code:
hcxpcapngtool -o test.22000 hs_plus_beacon.pcapng

Please keep in mind:
Neither EAPOLTIME calculation nor detection of nonce error correction will work on text2pcap converted files, because we are missing original timestamps and multiple M1 frames.

Edit:
By latest commit hcxpcapngtool is able to handle tv_nsec from these cap files, too.

RE: hcxpcaptool does not detect beacon packet - ZerBea - 02-15-2020

It is not a good idea to remove origin timestamps!
It is not a good idea to use tools that remove timestamps!
It is not a good idea to use tools that replace the original timestamp by their own timestamp!
https://community.cisco.com/t5/wireless-mobility-documents/eap-timers-on-wireless-lan-controllers/ta-p/3122477
https://ieeexplore.ieee.org/document/4251170
https://networkengineering.stackexchange.com/questions/25251/what-should-be-the-eapol-key-timeout-setting-on-the-wlc

You can't rely on the replaycount alone. Disregarding the EAPOL time between EAPOL messages will lead to unrecoverable hashes, even if the replay count matches.

If you don't believe it, this is an exaggerated example:
Take a BEACON.
Take a M3 from the last year.
Take a M4 from this year.
Zero the origin timestamps or replace them,
merge these 3 packets to a capfile
and try to recover the PSK.
So, good luck!

Explanation:
For an authentication we have a time gap. The authentication is successful if all frames are transmitted within this gap. Also we have time gaps between the request and answer or challenge and response. If we are outside this gap, the NONCEs are renewed. So, even if we have received EAPOL M2 replaycount (RC) 3 and EAPOL M3 RC 4 and the time gap is greater than the EAPOL timer, this message pair will not match! It is not possible to recover the PSKs from this message pair.

We distinguish several methods by which an ACCESS POINT (AP) renews the values when the EAPOL timer has expired:
- leave RC increase ANONCE - great, nonce error corrections (NC) is working on it
- increase RC increase ANONCE - great, NC is working on it, too
- leave RC renew ANONCE - NC is not working.
- increase RC renew ANONCE - NC is not working.

NC is an amazing feature of hashcat - if you know about the "secrets" of EAPOL timers. Disregarding them will lead to unrecoverable PSKs and you will waste your GPU time.

Also do not transmit deauthentication or disassociation packets within an authentication sequence. That will cause the AP to destroy its EAPOL timer and to renew all NONCEs!

BTW:
hcxdumptool can do this, because it is able to request a new authentication sequence from an AP or to initiate a new authentication sequence for a CLIENT.

RE: hcxpcaptool does not detect beacon packet - vladinko0 - 02-17-2020

Lots of thanks, ZerBea. When I added timestamps to the packets, hcxpcaptool found the handshake and wrote it to the file. The interesting thing is that when I tried to find the password with aircrack-ng, it worked without timestamps. But I wanted to handle the password by hashcat, because as I read, it is a little bit faster...

RE: hcxpcaptool does not detect beacon packet - ZerBea - 02-17-2020

hcxpcaptool is deprecated.
Please use hcxpcapngtool from latest git head hcxtools. hcxpcapngtool doesn't require a timestamp. But, if we have no timestamp, a zeroed timestamp or not the origin timestamp, we are not able to calculate nonce-error-corrections (NC). The same applies to a cleaned cap file!

Attached an example here: nctest.zip
and for non forum members, here:
https://www.sendspace.com/file/vcn6e0

Inside are 3 files from a test suite and an example PSK to demonstrate the power of NC and the advantage of uncleaned dump files with origin timestamps:
1. pcap file (partly cleaned and converted to pcap so that aircrack is able to handle it)
2. cap file, cleaned by wpaclean
3. wordlist (for use with aircrack)

First we use hcxpcapngtool and hashcat:
hcxpcapngtool to do the conversion and retrieve the PSK from the pcap file:
Code:
$ hcxpcapngtool -o test.22000 -E wordlist test.pcap

and hashcat to recover the PSK:
Code:
$ hashcat -m 22000 test.22000 --nonce-error-corrections=8 wordlist

As expected, the PSK is successfully recovered by hashcat.

Running latest git head hcxtools (as of today), you can run automatic mode, too. This mode will work up to hashcat's default NC value 8. Higher values require setting the hashcat option --nonce-error-corrections=x:
Code:
$ hashcat -m 22000 test.22000 wordlist

Now we do the same, running aircrack:
Code:
$ ./aircrack-ng test_clean.cap -w wordlist

BTW:
If you compare the wpaclean cap file with the pcap file, you'll notice that the PSK (received from WiFi traffic) was removed by wpaclean!

That led me to this advice:
It is not a good idea to clean a cap file.
It is not a good idea to use tools that clean a cap file.
It is not a good idea to use tools that don't store or ignore useful frames.
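
Added example (not part of the thread and not hcxtools code): a Python check for the two problems named above, a mixed header file and timestamps that no longer reflect capture time. It reads only pcapng block headers, assumes a single section, works in raw timestamp ticks without parsing if_tsresol, and its "rewritten timestamps" rule is a heuristic; MERGED and ORIGINAL are constructed samples with dummy packets.

```python
import struct
SHB, IDB, EPB = 0x0A0D0D0A, 1, 6   # pcapng block types
NAMES = {105: "DLT_IEEE802_11", 127: "DLT_IEEE802_11_RADIO"}

def inspect_pcapng(data):
    """Return ([link type per interface], [(interface id, raw timestamp)])."""
    linktypes, stamps, off, end = [], [], 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\n\r\r\n":   # SHB: byte-order magic sets endianness
            end = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(end + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("damaged block at offset %d" % off)
        if btype == IDB:       # one Interface Description Block per capture interface
            linktypes.append(struct.unpack_from(end + "H", data, off + 8)[0])
        elif btype == EPB:     # Enhanced Packet Block: interface id + 64-bit timestamp
            iface, hi, lo = struct.unpack_from(end + "III", data, off + 8)
            stamps.append((iface, (hi << 32) | lo))
        off += blen
    return linktypes, stamps

def findings(data):
    """Flag both problems. Heuristic (assumption): real frames are on average
    more than one clock tick apart."""
    linktypes, stamps = inspect_pcapng(data)
    out = []
    if len(set(linktypes)) > 1:
        names = ["%s (%d)" % (NAMES.get(l, "DLT"), l) for l in linktypes]
        out.append("mixed header file: " + ", ".join(names))
    ticks = [t for _, t in stamps]
    if len(ticks) > 1 and max(ticks) - min(ticks) < len(ticks):
        out.append("timestamps look rewritten: span of %d ticks" % (max(ticks) - min(ticks)))
    return out

def _block(btype, body):
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def build_sample(linktypes, stamps):
    """Constructed little-endian pcapng with 4-byte dummy packets (not real frames)."""
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    for lt in linktypes:
        out += _block(IDB, struct.pack("<HHI", lt, 0, 0))
    for iface, ts in stamps:
        out += _block(EPB, struct.pack("<5I", iface, ts >> 32, ts & 0xFFFFFFFF, 4, 4) + b"\0" * 4)
    return out
T = 1581677037 * 10**9   # constructed base time in raw ticks
MERGED = build_sample([127, 105], [(0, T), (1, T), (1, T + 1), (1, T + 2), (1, T + 3)])
ORIGINAL = build_sample([127], [(0, T + i * 2_500_000) for i in range(5)])
```

findings(MERGED) reports both problems, findings(ORIGINAL) reports none; pass the bytes of a real capture file to check it the same way.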

RE: hcxpcaptool does not detect beacon packet - vladinko0 - 02-18-2020

I don't know why, but hashes gained with hcxpcapngtool in hashcat give me the following result:
Code:
Hashfile '/root/HS_output.hash': Invalid hccapx signature

And no matter if I use EAPOL packets with or without timestamp:
For example, the result of "hcxpcapngtool -o /root/HS_output.hash /root/eapols_beacon_ts.pcapng" (with timestamp):
Code:
summary capture file

Here is the original file - eapols_beacon_ts.pcapng:
https://easyupload.io/n9f0bg

RE: hcxpcaptool does not detect beacon packet - ZerBea - 02-18-2020

Please post your hashcat command line.
You must use the matching hash mode on hcxpcapngtool and hashcat.
These command lines are valid:

WPA-PBKDF2-PMKID+EAPOL:
$ hcxpcapngtool -o test.22000 *.capng
$ hashcat -m 22000 test.22000 wordlist

WPA-EAPOL-PBKDF2:
$ hcxpcapngtool --hccapx test.hccapx *.capng
$ hashcat -m 2500 test.hccapx wordlist

WPA-PMKID-PBKDF2:
$ hcxpcapngtool --pmkid test.16800 *.capng
$ hashcat -m 16800 test.16800 wordlist

otherwise hashcat will report:
Invalid .... signature

RE: hcxpcaptool does not detect beacon packet - vladinko0 - 02-19-2020

Yes, my commands were wrong. I was using:
"hcxpcapngtool -o /root/test.hash /root/output_hs.pcapng"
"hashcat -m 2500 /root/test.hash passes.txt --force"

Thank you