hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
#81
(10-19-2017, 03:51 PM)winxp5421 Wrote: Zerbea, No I have not received any mail from you. I just got done searching my mailbox. I sent you an email via Hashcat.net's Email function to see if this site function is actually working. If you did not receive an email feel free to contact me directly.

<my hashcat.net username>@gmail.com
<my hashcat.net username>@hotmail.com
keybase.io/winxp5421

Well, answered direct via mail.

Cheers
Mike
#82
hcxtools and hcxkeys v 4.0.0 released
-------------------------------------------
https://github.com/ZerBea/hcxtools
https://github.com/ZerBea/hcxkeys

many bug and stability fixes
initial OSX support
detection of big endian systems (only detection - running hcxtools on big endian systems is still a challenge)
many new options
improved status messages
improved and sped up authentication engine
better support for cap2hccapx and wpapcap2john (makes detection of handshakes easier for both of them)
better detection of groupkeys
(that has nothing to do with KRACK - these groupkeys are installed instead of pairwise keys; they are very rare)
and more...

Many thanks for the great support: Atom, Magnum, RealEnder and Neheb
I could not achieve any of this without your courageously incessant support!
So again, thank you so much for this.

Cheers
Mike
#83
Regarding winxp's question about ignoring clients that were previously captured, would it make sense to add the MAC addys of those to a BPF and use -F to filter them out in later runs? I'm wondering if there's a sanity threshold on how many entries can be processed by the filter before it becomes a problem. Dozens of rules? Hundreds? Thousands?
#84
The BPF works on wlandump-ng, wlanresponse and wlancap2hcx and is extremely fast. The maximum instruction limit per program is restricted to 4096 BPF instructions. That should be enough for stationary operations (surveillance). Create different filter files for different surveillance operations (for example, my BPF for an operation in an already discovered area contains 25 instructions).
It doesn't make sense to use a BPF during fast moving operations (reconnaissance).
Use different options and filters tailored to the mission!
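The exclusion filter discussed in the question and answer above, as an added example that is not part of hcxtools or of either post: it turns a list of already-captured MACs into a pcap-filter expression, compiles it against an earlier capture with tcpdump and checks the instruction count against the 4096 limit named in the answer. Assumptions made here: MACs are given as 12 hex digits (the format of the status display elsewhere in this thread), the file handed to -F is the decimal listing that `tcpdump -ddd` prints, and the two sample MACs are lifted from that status display; confirm the -F input format with `wlandump-ng -h` before relying on it.

```shell
#!/bin/sh
# Added example (not part of hcxtools or of the post): build a BPF that drops
# frames to/from access points or clients you have already captured, compile it
# against a previous capture, and check the result against the 4096-instruction
# limit from the post. Assumptions: MACs are 12 hex digits, and -F expects the
# decimal "tcpdump -ddd" listing; confirm with `wlandump-ng -h`.

BPF_MAX_INSTRUCTIONS=4096

# Two AP MACs taken from the status display shown in this thread.
SAMPLE_MACS='000fe29538e1
00226c06a978'

# Constructed stand-in for `tcpdump -ddd` output: the first line is the
# instruction count, each further line is one instruction (code jt jf k).
SAMPLE_DDD='4
40 0 0 12
21 0 1 2048
6 0 0 262144
6 0 0 0'

# "000fe29538e1" -> "00:0f:e2:95:38:e1"; fails on anything that is not 12 hex digits.
mac_colon() {
    m="$(printf '%s' "$1" | tr 'A-F' 'a-f')"
    printf '%s' "$m" | grep -Eq '^[0-9a-f]{12}$' || return 1
    printf '%s' "$m" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Read one MAC per line from stdin and print "not (wlan host A or wlan host B ...)".
# "wlan host" matches the MAC in any 802.11 address field, so both directions
# of traffic involving that AP or client are excluded.
build_filter() {
    filter=""
    while read -r mac; do
        [ -n "$mac" ] || continue
        m="$(mac_colon "$mac")" || { echo "bad MAC: $mac" >&2; return 1; }
        if [ -z "$filter" ]; then filter="wlan host $m"; else filter="$filter or wlan host $m"; fi
    done
    [ -n "$filter" ] || return 1
    printf 'not (%s)\n' "$filter"
}

# Read `tcpdump -ddd` output from stdin, print the instruction count and
# return non-zero when the program would exceed the limit.
check_size() {
    n="$(head -n 1)"
    printf '%s\n' "$n"
    [ "$n" -le "$BPF_MAX_INSTRUCTIONS" ]
}

# Compile the filter for the link type of an earlier capture ($2), so the
# BPF matches the frames wlandump-ng actually records, and write it to $3.
compile_filter() {   # compile_filter maclist.txt previous.cap filter.bpf
    f="$(build_filter < "$1")" || return 1
    tcpdump -r "$2" -ddd "$f" > "$3" || return 1
    n="$(check_size < "$3")" || { echo "filter too large: $n instructions" >&2; return 1; }
    echo "wrote $3 ($n instructions)"
}
```

Each excluded address costs a handful of instructions per 802.11 address field, so the count printed by check_size is the honest answer to "how many entries": compile the list you actually have and read the first line of the listing rather than guessing.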
#85
Hi newbie here,

I tried to use wlandump-ng but couldn't make it work (compilation worked fine). I placed the wifi card into monitor mode but somehow wlandump doesn't like wlan0

windmaple@windmaple-HP-Pavilion-dv4-Notebook-PC:~$ service network-manager stop
windmaple@windmaple-HP-Pavilion-dv4-Notebook-PC:~$ sudo airmon-ng start wlan0
[sudo] password for windmaple:


Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID    Name
603    avahi-daemon
675    avahi-daemon
787    wpa_supplicant


Interface    Chipset        Driver

wlan0        Unknown     rtl8192ce - [phy0]
                (monitor mode enabled on mon0)

windmaple@windmaple-HP-Pavilion-dv4-Notebook-PC:~$ cd Desktop/crackwifi/
windmaple@windmaple-HP-Pavilion-dv4-Notebook-PC:~/Desktop/crackwifi$ sudo ../hcxtools/wlandump-ng -i wlan0 -o capture.cap -c 1 -t 60 -d 100 -D 10 -m 512 -b -r -s 20
sudo: ../hcxtools/wlandump-ng: command not found
windmaple@windmaple-HP-Pavilion-dv4-Notebook-PC:~/Desktop/crackwifi$ sudo ./hcxtools/wlandump-ng -i wlan0 -o capture.cap -c 1 -t 60 -d 100 -D 10 -m 512 -b -r -s 20
error opening device wlan0: wlan0: That device is not up
windmaple@windmaple-HP-Pavilion-dv4-Notebook-PC:~/Desktop/crackwifi$ iwconfig
eth0      no wireless extensions.

mon0      IEEE 802.11bgn  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=20 dBm   
          Retry short limit:7   RTS thr=2347 B   Fragment thr:off
          Power Management:on
          
wlan0     IEEE 802.11bgn  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr=2347 B   Fragment thr:off
          Power Management:off
          
docker0   no wireless extensions.

lo        no wireless extensions.
#86
# stop the service that owns the interface (systemctl takes the verb first)
systemctl stop network-manager
# switch wlan0 itself into monitor mode (no virtual mon0 interface)
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
# when finished: restore connectivity
systemctl start network-manager
#87
windmaple: There are some major problems in your configuration:

1. do not use aircrack-ng tools or scripts in combination with hcxtools.
    airmon-ng creates a virtual interface (monx) and leaves wlan0 managed!

2. do not use wlandump-ng/wlanresponse on virtual devices like monx
    "I placed the wifi card into monitor mode but somehow wlandump doesn't like wlan0"
    wlandump-ng/wlanresponse likes wlan0, but they don't like virtual devices!

3. as freeroute wrote, you must identify all services that take access to your capture device and stop them (at least these 2):
    sudo systemctl stop NetworkManager.service
    sudo systemctl stop wpa_supplicant.service

4. as freeroute wrote, you must put the interface into monitor mode (where $WLANDEV is your device name)
    sudo ip link set $WLANDEV down
    sudo iw dev $WLANDEV set type monitor
    sudo ip link set $WLANDEV up
    sudo iw dev $WLANDEV info

5. if you get pcap read errors like this:
    internal pcap errors.....................................: 12
    there are more services that prevent wlandump-ng/wlanresponse from accessing the device - you must identify and stop them.

6. when you have finished capturing, do not forget to put the device back into managed mode
    sudo ip link set $WLANDEV down
    sudo iw dev $WLANDEV set type managed
    sudo ip link set $WLANDEV up
    sudo iw dev $WLANDEV info

7. and start the services again - otherwise you will have no connectivity!
    sudo systemctl start NetworkManager.service
    sudo systemctl start wpa_supplicant.service


I prefer ip in combination with iw, which is much more powerful than ifconfig (archlinux dropped support for the deprecated ifconfig "net-tools" some time back).
Read about the difference between both tools here:
https://www.tecmint.com/ifconfig-vs-ip-c...iguration/
https://p5r.uk/blog/2010/ifconfig-ip-comparison.html
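The seven steps above as one script, added here as an example that is not part of hcxtools or of the post: it stops the two services, switches the device to monitor mode, refuses to start the capture unless `iw dev ... info` really reports `type monitor`, and restores managed mode and the services on exit (also on Ctrl-C). The service names and ip/iw commands are the ones the post gives; the DRYRUN and RUN_CAPTURE variables and the embedded sample of `iw` output are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of hcxtools or of the post): put a wlan device into
# monitor mode for wlandump-ng, verify the mode, and restore managed mode and
# the services on exit. Service names and commands follow the post; DRYRUN,
# RUN_CAPTURE and the sample `iw` output below are this example's assumptions.

WLANDEV="${WLANDEV:-wlan0}"
DRYRUN="${DRYRUN:-0}"     # DRYRUN=1 prints the privileged commands instead of running them

# Constructed sample of `iw dev wlan0 info` output, used by the self-check.
IW_SAMPLE_MONITOR='Interface wlan0
    ifindex 3
    wdev 0x1
    addr 00:11:22:33:44:55
    type monitor
    wiphy 0
    txpower 20.00 dBm'

run() {
    if [ "$DRYRUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Print the "type" field of `iw dev <dev> info` text given on stdin.
iw_type() {
    awk '$1 == "type" { print $2; exit }'
}

# Return 0 if the given `iw dev ... info` text reports monitor mode.
is_monitor() {
    [ "$(printf '%s\n' "$1" | iw_type)" = "monitor" ]
}

# Step 3 of the post: stop everything that owns the device.
stop_services() {
    run sudo systemctl stop NetworkManager.service
    run sudo systemctl stop wpa_supplicant.service
}

# Step 7: bring the services back, otherwise there is no connectivity.
start_services() {
    run sudo systemctl start NetworkManager.service
    run sudo systemctl start wpa_supplicant.service
}

# Steps 4 and 6: change the interface type on the real device; $1 is monitor or managed.
set_mode() {
    run sudo ip link set "$WLANDEV" down
    run sudo iw dev "$WLANDEV" set type "$1"
    run sudo ip link set "$WLANDEV" up
}

restore() {
    set_mode managed
    start_services
}

main() {
    # Restore on any exit, including Ctrl-C while wlandump-ng is running.
    trap restore EXIT
    trap 'trap - EXIT; restore; exit 130' INT TERM
    stop_services
    set_mode monitor
    if [ "$DRYRUN" != "1" ]; then
        # Refuse to capture on a device that did not actually switch.
        is_monitor "$(sudo iw dev "$WLANDEV" info)" \
            || { echo "$WLANDEV is not in monitor mode" >&2; exit 1; }
    fi
    # Silent mode as given later in this thread (wlandump-ng does not transmit).
    run sudo wlandump-ng -i "$WLANDEV" -o output.cap -c 1 -t 120
}

# Only start a real capture when asked to, so the file can be sourced for its functions.
if [ "${RUN_CAPTURE:-0}" = "1" ]; then main; fi
```

Run it as `RUN_CAPTURE=1 WLANDEV=wlan0 sh capture.sh`; with `DRYRUN=1` added it only prints the commands it would execute. If the status display still shows internal pcap errors after this, step 5 applies: something else is still holding the device.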
#88
Thanks for the handholding, ZerBea and freeroute!

So I followed the instructions here and was able to run wlandump-ng on wlan0. I think I'm getting close to making it work but right now it seems it doesn't hop to diff channels (it pretty much is stuck on channel 4, which I specified w/ '-c 4'). My understanding has been that wlandump-ng will automatically hop to another channel after 60s. Isn't that the case?

interface................................: wlan0
internal pcap errors/maximal pcap errors.: 0/0
interface channel/hop timer..............: 04/60
private-mac (oui/nic)....................: 1000006f7656
deauthentication/disassociation count....: 100/10
current/maximum ringbuffer entries.......: 9/512
proberequests/proberesponses.............: 61/31
associationrequests/reassociationrequests: 0/0
transmitted m1/received appropriate m2...: 0/0
received regular m1/m2/m3/m4.............: 0/0/0/0

mac_ap       hs xe essid (countdown until next deauthentication/disassociation)
-------------------------------------------------------------------------------
000fe29538e1 00 00 @city (41/10)
000fe29538e4 00 00 !MoDuWiFi (37/10)
000fe29538e0 00 00 ChinaNet (44/10)
000fe29538e5 00 00 aWiFi (36/10)
00226c06a978 00 00 Crea2015_A978 (83/10)
cc81da38f1a8 00 00 @PHICOMM_A0 (100/10)
808917f1e454 00 00 5F (99/10)

#89
hi windmaple
"I think I'm getting close to making it work but right now it seems it doesn't hop to diff channels (it pretty much is stuck on channel 4, which I specified w/ '-c 4'). My understanding has been that wlandump-ng will automatically hop to another channel after 60s. Isn't that the case?"

No.
Option -c 4 means that you start scanning on channel 4.
Refresh of the upper part of the status display depends on received frames (only important frames, which we need for calculating candidates).
In your case:
interface channel/hop timer..............: 04/60
The last frames are received on channel 4.
No newer frames received on other channels.

If you receive newer frames for example on channel 1, next refresh will show you this:
interface channel/hop timer..............: 01/60
#90
according to many user requests:
merged wlanresponse and wlandump-ng
refactored wlandump-ng and removed wlanresponse

wlandump-ng
----------------
- waterfall status
- improved deauthentication
  stop when one complete handshake (M1-M4) from ap <-> client has been retrieved
- improved disassociation
  stop when one complete handshake (M1-M4) from ap <-> client has been received
- send one undirected proberequest to broadcast after channel change
- improved expanded EAPOL handling
- improved authentication
- improved beaconing on proberequests
- now wlandump-ng is passive by default (only receive) - transmit must be enabled
- changed / new options:
 -R         : enable responding to all requests
 -D         : enable deauthentications
 -d         : enable disassociations
 -E <digit> : stop deauthentications and disassociations if xx complete handshakes received
            : default = 1 complete handshake (M1-M4)
 -U         : send one undirected proberequest to broadcast after channel change
 -B         : enable beaconing on last proberequest
 -s         : enable status messages

localtime, channel, mac_ap, mac_sta, information
11:02:52  11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M1M2 handshake (forced)          
11:01:45  11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M1M2 handshake (forced-retransmission)          
11:03:57  11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M1M2 handshake (not verified)          
11:03:57  11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M2M3 handshake (verified)          
11:03:57  11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M3M4 handshake (established)

and full detection of WPS:
16:36:13   1 xxxxxxxxxxxx --> xxxxxxxxxxxx identity request: hello          
16:36:13   1 xxxxxxxxxxxx <-- xxxxxxxxxxxx identity response: WFA-SimpleConfig-Registrar-1-0          
16:36:14   1 xxxxxxxxxxxx --> xxxxxxxxxxxx WPS-M1 message          
16:36:14   1 xxxxxxxxxxxx <-- xxxxxxxxxxxx WPS-M2 message          
16:36:16   1 xxxxxxxxxxxx --> xxxxxxxxxxxx WPS-M3 message          
16:36:16   1 xxxxxxxxxxxx <-- xxxxxxxxxxxx WPS-M4 message          
16:36:16   1 xxxxxxxxxxxx --> xxxxxxxxxxxx WPS-M5 message          
16:36:16   1 xxxxxxxxxxxx <-- xxxxxxxxxxxx WPS-M6 message          
16:36:16   1 xxxxxxxxxxxx --> xxxxxxxxxxxx WPS-M7 message          
16:36:16   1 xxxxxxxxxxxx <-- xxxxxxxxxxxx WPS-M8 message

aggressive mode:
wlandump-ng -i <device> -o output.cap -c 1 -t 4 -D -d -E 2 -R -U -B
wlandump-ng attacks everything - deauthentication/disassociation stops when 2 complete handshakes (ap-client) have been retrieved

friendly mode:
wlandump-ng -i $WLANDEV -o output.cap -c 1 -t 120 -R -B
wlandump-ng just looks for clients

silent mode:
wlandump-ng -i $WLANDEV -o output.cap -c 1 -t 120
wlandump-ng doesn't transmit