hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
With the latest hashcat improvement, hcxtools are able to control hashcat's nonce-error-corrections (nonce-error-corrections on/off):
hcxdumptool -> hcxpcaptool -> hashcat

https://github.com/hashcat/hashcat/commi...4fbefe08ff

Some tools don't check the replaycount properly or set timestamps to zero. In that case you can override this automatic control with hashcat's --nonce-error-corrections=x
Reply
Added full support (TZSP_ENCAP_IEEE_802_11) for TaZmen Sniffer Protocol (TZSP)

$ hcxpcaptool -V tzsp.pcap
start reading from tzsp.pcap

summary:
--------
file name....................: tzsp.pcap
file type....................: pcap 2.4
network type.................: DLT_EN10MB (1)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 15
skipped packets..............: 0
packets with FCS.............: 0
WDS packets..................: 15
EAPOL packets................: 15
IPv4 packets.................: 15
UDP packets..................: 15
TZSP (802.11) packets........: 15


read more here:
https://wikivisually.com/wiki/TZSP
here:
https://wiki.mikrotik.com/wiki/Manual:To...et_Sniffer
and here:
https://github.com/hashcat/hashcat-utils/pull/45
Reply
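As an added example (not code from ZerBea's post or from hcxtools), this is how a defender's parser would strip the TZSP encapsulation described above before handing the inner 802.11 frame to a decoder. It assumes the standard TZSP layout (version, type, encapsulated protocol, then tagged fields terminated by the END tag); the RX channel tag number 0x12 and the sample payload are my own assumptions, constructed for this illustration.

```python
import struct

TZSP_ENCAP_IEEE_802_11 = 0x12          # encapsulated protocol value for raw 802.11 frames
TZSP_TAG_PADDING, TZSP_TAG_END = 0x00, 0x01  # the two tags that carry no length byte
TZSP_TAG_RX_CHANNEL = 0x12             # assumed tag number for the receive channel


def tzsp_decapsulate(udp_payload: bytes):
    """Strip the TZSP header and tagged fields.

    Returns (encapsulated_protocol, {tag: value}, inner_frame). A malformed header
    raises ValueError instead of silently returning garbage as the inner frame.
    """
    if len(udp_payload) < 4:
        raise ValueError("TZSP header too short")
    version, kind, encap = struct.unpack(">BBH", udp_payload[:4])  # big endian
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags = {}
    pos = 4
    while True:
        if pos >= len(udp_payload):
            raise ValueError("TZSP tag list not terminated by END")
        tag = udp_payload[pos]
        pos += 1
        if tag == TZSP_TAG_END:
            break
        if tag == TZSP_TAG_PADDING:
            continue                    # padding has no length byte
        if pos >= len(udp_payload):
            raise ValueError("TZSP tag without length byte")
        length = udp_payload[pos]
        value = udp_payload[pos + 1:pos + 1 + length]
        if len(value) < length:
            raise ValueError("truncated TZSP tag")
        tags[tag] = value
        pos += 1 + length
    return encap, tags, udp_payload[pos:]


# Constructed sample: a 24-byte beacon MAC header wrapped in TZSP with a channel tag,
# one padding byte and the END tag (not a real capture).
SAMPLE_INNER = bytes.fromhex("80000000" "ffffffffffff" "aabbccddeeff" "aabbccddeeff" "0000")
SAMPLE_TZSP = bytes.fromhex("01000012" "120106" "00" "01") + SAMPLE_INNER
```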
hcxpcaptool: Added full support for AVS header (DLT_IEEE802_11_RADIO_AVS)

Read more about the common capture formats here:
https://www.lancom-systems.com/docs/LCOS..._86_1.html
Reply
hcxdumptool / hcxpcaptool: added detection of SAE authentication.

$ hcxpcaptool -V sae_simple_psk.pcapng
start reading from sae_simple_psk.pcapng
summary:
file name....................: sae_simple_psk.pcapng
file type....................: pcapng 1.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 30
skipped packets..............: 0
packets with FCS.............: 0
beacons......................: 2
probe responses..............: 1
association requests.........: 1
association responses........: 1
authentications (SAE)........: 4
deauthentications............: 3
action packets...............: 1
EAPOL packets................: 4
best handshakes..............: 1 (ap-less: 0)


Read more about SAE authentication here:
http://www.mathyvanhoef.com/2018/03/wpa3...tails.html

Get example cap from here:
https://github.com/vanhoefm/wifi-example-captures
or here:
https://www.cloudshark.org/captures/3638626f4551

A good explanation (basic protocol and fundamentals) is here (page 22 - 25):
https://www.cwnp.com/covers/2014-09-SAE-at-CWNP.PDF

And a nice video that explains Diffie-Hellman keyexchange is here:
http://www.youtube.com/watch?v=3QnD2c4Xovk
Reply
Hey ZerBea!

thank you so much for this great work - this is simply the most interesting project I witnessed.

One question regarding focusing on ssid/bssid. How to analyze specific stations? Is it possible to read only packets coming from this ssid/bssid with hcxdumptool. Or is there a way to use hcxpcaptool to only extract/filter information associated with a specific ssid/bssid? I would like to use this in your described workflow for extracting probes, identity, etc.

Thank you so much !
Reply
Hi rk3y.
How to analyze specific stations?
That depends on the depth of your analysis. For a simple analysis run:
hcxdumptool -> hcxpcaptool -T trafficlist *.cap
Result is a list, containing simple network relationships (european date : timestamp : mac_sta : mac_ap : essid)
Then use simple bash commands to filter the required information (cat, grep, tail, head, awk).
To do a deep analysis, use wireshark. Wireshark contains a filter for every task, so there is no need for me to implement this to hcxtools.
BTW:
wlandump-ng and wlancap2hcx are outdated. I will remove them soon, because they depend on libpcap. Using raw sockets makes us much more flexible.
Reply
hcxpcaptool: added detection of FILS authentication.

$ hcxpcaptool -V -I identitylist *.pcapng
start reading from fils-handshake.pcapng
summary:
file name....................: fils-handshake.pcapng
file type....................: pcapng 1.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 92
skipped packets..............: 0
packets with FCS.............: 0
beacons......................: 25
probe responses..............: 2
association requests.........: 2
association responses........: 2
authentications (OPEN SYSTEM): 2
authentications (FILS).......: 2
deauthentications............: 5
action packets...............: 5
EAPOL packets................: 4
EAP packets..................: 6
found........................: EAP type ID
found........................: EAP-PSK Authentication

Get example cap from here:
https://github.com/vanhoefm/wifi-example...ake.pcapng

Retrieved identity is in identitylist.
Reply
hcxpcaptool: added detection of BROADCOM specific authentication.

BROADCOM adds a special vendor tag to the authentication sequence:
Tagged parameters (11 bytes)
Tag: Vendor Specific: Broadcom
Tag Number: Vendor Specific (221)
Tag length: 9
OUI: 00:10:18 (Broadcom)
Vendor Specific OUI Type: 2
Vendor Specific Data: 0202000c0000

From now on, hcxdumptool and hcxpcaptool are able to capture and detect this:
$ hcxpcaptool -V broadcomtag.pcap
start reading from broadcomtag.pcap
summary:
file name....................: broadcomtag.pcap
file type....................: pcap 2.4
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 2
skipped packets..............: 0
packets with FCS.............: 0
authentications (OPEN SYSTEM): 2
authentications (BROADCOM)...: 1
Reply
hcxpcaptool: added detection of SONOS and APPLE specific authentication.

SONOS adds a special vendor tag to the authentication sequence, too:
Tagged parameters (8 bytes)
Tag: Vendor Specific: Sonos, Inc.
   Tag Number: Vendor Specific (221)
   Tag length: 6
   OUI: 00:0e:58 (Sonos, Inc.)
   Vendor Specific OUI Type: 2
   Vendor Specific Data: 020101

APPLE adds a special vendor tag to the authentication sequence, too:
Tagged parameters (13 bytes)
   Tag: Vendor Specific: Apple, Inc.
   Tag Number: Vendor Specific (221)
   Tag length: 11
   OUI: 00:17:f2 (Apple, Inc.)
   Vendor Specific OUI Type: 10
   Vendor Specific Data: 0a00010400000000


From now on, hcxdumptool and hcxpcaptool are able to capture and detect this:
$ hcxpcaptool -V tags.pcap
start reading from tags.pcap
summary:
file name....................: tags.pcap
file type....................: pcap 2.4
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 4
skipped packets..............: 0
packets with FCS.............: 0
authentications (OPEN SYSTEM): 4
authentications (SONOS)......: 1
authentications (APPLE)......: 3


Those are really nice fingerprints!
Reply
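As an added example (my own code, not ZerBea's and not part of hcxtools), this classifier shows what the SAE, FILS, BROADCOM, SONOS and APPLE detections in the posts above have to look at: the fixed fields of an 802.11 authentication frame body (algorithm, sequence, status) and, for open system authentication, the vendor specific tag (221) whose OUI gives the fingerprint. The sample bodies are constructed from the three tag dumps shown above and from a plain SAE commit; the layout is the 802.11 standard's, only the samples are mine.

```python
import struct

# Authentication algorithm numbers from the IEEE 802.11 standard.
AUTH_ALGORITHMS = {0: "OPEN SYSTEM", 1: "SHARED KEY", 2: "FT", 3: "SAE",
                   4: "FILS-SK", 5: "FILS-SK-PFS", 6: "FILS-PK"}
# OUIs of the vendor specific tags shown in the posts above.
VENDOR_OUIS = {bytes.fromhex("001018"): "BROADCOM",
               bytes.fromhex("000e58"): "SONOS",
               bytes.fromhex("0017f2"): "APPLE"}


def parse_tags(body: bytes):
    """Walk tagged parameters (tag, length, value); stop on a truncated tag."""
    pos = 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break
        yield tag, value
        pos += 2 + length


def classify_auth(frame_body: bytes) -> dict:
    """Classify an authentication frame body (the bytes after the 24-byte MAC header)."""
    if len(frame_body) < 6:
        raise ValueError("authentication body too short")
    algorithm, seq, status = struct.unpack("<HHH", frame_body[:6])  # little endian
    result = {"algorithm": AUTH_ALGORITHMS.get(algorithm, f"UNKNOWN({algorithm})"),
              "seq": seq, "status": status, "vendor": None}
    # Only open system puts the tagged parameters directly after the status field;
    # SAE and FILS carry further fixed fields first, so the tag walk is skipped there.
    if algorithm == 0:
        for tag, value in parse_tags(frame_body[6:]):
            if tag == 221 and len(value) >= 4:          # OUI (3 bytes) + OUI type
                result["vendor"] = VENDOR_OUIS.get(value[:3], "OUI " + value[:3].hex())
    return result


# Constructed sample bodies: open system, seq 1, status 0, followed by the vendor tag
# exactly as dumped above (tag length counts OUI + OUI type + data).
BROADCOM_AUTH = bytes.fromhex("000001000000" "dd09" "001018" "0202000c0000")
SONOS_AUTH = bytes.fromhex("000001000000" "dd06" "000e58" "020101")
APPLE_AUTH = bytes.fromhex("000001000000" "dd0b" "0017f2" "0a00010400000000")
SAE_COMMIT = bytes.fromhex("030001000000")          # SAE, seq 1 (commit), status 0
```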
We have some bad issues in radiotap and/or wireshark.
read more about the issue here:
https://github.com/secdev/scapy/issues/1465

hcxpcaptool and hcxdumptool will ignore these issues.

Get example pcap from here:
https://github.com/secdev/scapy/files/20...t.pcap.txt
and rename it to rt_ext.pcap (not necessary for hcxpcaptool, but wireshark requires this).

$ hcxpcaptool -V *.pcap
start reading from rt_ext.pcap
summary:
--------
file name....................: rt_ext.pcap
file type....................: pcap 2.4
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 10
skipped packets..............: 0
packets with FCS.............: 10
beacons (with ESSID inside)..: 9

and compare to wireshark output (Malformed Packet)!

BTW:
Normally hcxtools are not interested in the evaluation of BEACON frames, but BEACON frames which contain an ESSID are counted by hcxpcaptool.
AUTHENTICATION, ASSOCIATIONREQUEST, ASSOCIATIONRESPONSE, REASSOCIATIONREQUEST, REASSOCIATIONRESPONSE frames contain more and important information than stupid BEACON frames.
So do not use tools which remove (clean) these frames from your capfiles!
Reply