hcxtools - solution for capturing wlan traffic and conversion to hashcat formats

[ZerBea]

Good point, thanks.

Main purpose of info option is to show detailed information of the content of a hash file before hash cat is feed with it.
Due to many, many filter options, the evaluation is going to be complex and I lost the overview.

By latest commit, all filter options are disabled in combination with info options and --help is updated:

Code:

--info=<file>                : output detailed information about content of hash file
                               no filter options available
--info=stdout                : stdout output detailed information about content of hash file
                               no filter options available
--info-vendor=<file>         : output detailed information about ACCESS POINT and CLIENT VENDORs
                               no filter options available
--info-vendor-ap=<file>      : output detailed information about ACCESS POINT VENDORs
                               no filter options available
--info-vendor-client=<file>  : output detailed information about ACCESS POINT VENDORs
                               no filter options available
--info-vendor=stdout         : stdout output detailed information about ACCESS POINT and CLIENT VENDORs
                               no filter options available
--info-vendor-ap=stdout      : stdout output detailed information about ACCESS POINT VENDORs
                               no filter options available
--info-vendor-client=stdout  : stdout output detailed information about ACCESS POINT VENDORs
                               no filter options available

Using regex is not planed, because it is yet another dependency.
#include <regex.h>

[oayz]

Super, thanks!

[oayz]

Sorry, can't stop complaining about this "list" feature. Why ESSID filter only works for "-o"? OK, it doesn't work for "info" why not even for JtR?!

total lines read..............: 76
valid hash lines..............: 76
PMKID hash lines..............: 30
EAPOL hash lines..............: 46
EAPOL written.................: 2
EAPOL written to john.........: 46

CMD line:

hcxhashtool.exe -i ssid_all.hc22000 -o ssid_new.hc22000 --john=ssid_new.john --essid-list=ssid_new.lst

List has only one ESSID. If I use the same ESSID in "----essid=" everything is as expected:

total lines read..............: 76
valid hash lines..............: 76
PMKID hash lines..............: 30
EAPOL hash lines..............: 46
filter by ESSID...............: takenoko
EAPOL written.................: 2
EAPOL written to john.........: 2

Am I missing intent of the filter? I didn't check the code but shouldn't filter remove ESSIDs from the input and then generate all required outputs?

BTW, it would be nice if filter could have inclusive and exclusive options (e.g. to keep or discard listed ESSIDs). Global, not per ESSID

[ZerBea]

To speed up filtering, hcxhashtool is running only one stage. Therefore less common filter option combinations which do not make sense are ignored.
In that case, it is mandatory to run hcxhashtool a second time (third time, ...) on the output of the task before.

Purpose of ESSID filtering is to get benefit of reuse of PBKDF2, which will speed up hashcat.

Code:

--essid-group
--essid
--essid-list

Filtering e.g. ESSIDs by occurrence of characters (e.g. x digit, digit, alfa...) doesn't make sense, because it will not speed up hashcat task.

BTW:
It is mandatory that the user knows what he is doing (analytical competencies):
- knowledge of radio technology and electromagnetic-wave engineering (RF power vs. antenna gain vs. range)
- detailed knowledge of 802.11 protocol (AUTHENTICATION sequences)
- detailed knowledge of key derivation functions (PBKDF2 and HMAC functions)
- detailed knowledge of Linux (driver specification, monitor mode, bash)

Otherwise the result is always unexpected.
e.g. as mentioned here:
https://hashcat.net/forum/thread-10441-p...l#pid53995

This applies in particular if you decide to use hcxdumptool/hcxtools, because they are analysis tools.
There is no script inside hcxtools that replaces this knowledge.

[oayz]

Nah, I'm not trying "filtering by occurrence", I just have huge file of hashes and I want to run attack only on few ESSIDs. JTR file has clear text ESSIDs so I can simply run grep/egrep. HC22000 has ESSID in hex, I guess to properly handle foreign chars. BTW, hcxhashtool takes input as a text which seems to contradict hex intent

Anyway I think I need tool to convert HC22000 hash from ESSID_hex to ESSID_text and back. If you are happy with the way filtering is done in hcxhashtool then I'll move on.

[ZerBea]

The major reason to use HEX_ASCII within hash lines:
"Unlike basic service set identifiers, SSIDs are usually customizable. These SSIDs can be zero to 32 octets (32 bytes) long, and are, for convenience, usually in a natural language, such as English. The 802.11 standards prior to the 2012 edition did not define any particular encoding or representation for SSIDs, which were expected to be treated and handled as an arbitrary sequence of 0–32 octets that are not limited to printable characters. IEEE Std 802.11-2012 defines a flag to express that the SSID is UTF-8-encoded and could contain any Unicode text. Wireless network stacks must still be prepared to handle arbitrary values in the SSID field."

Due to my analyses of wpa-sec submissions, I've seen almost everything within SSID IE_TAG.

And the script (one liner) you're looking for:

Code:

$ printf hashline | awk 'BEGIN { FS = "*" } ; { print $6 }' | perl -pe 's/(..)/chr(hex($1))/ge'

From hashcat example hashes
https://hashcat.net/wiki/doku.php?id=example_hashes

Code:

$ printf "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***" | awk 'BEGIN { FS = "*" } ; { print $6 }' | perl -pe 's/(..)/chr(hex($1))/ge'
hashcat-essid

or

Code:

$ whoismac -x 686173686361742d6573736964
hashcat-essid

or

Code:

$ whoismac -x `printf "WPA*01*5ce7ebe97a1bbfeb2822ae627b726d5b*27462da350ac*accd10fb464e*686173686361742d6573736964***" | awk 'BEGIN { FS = "*" } ; { print $6 }'`
hashcat-essid

or (if you know the PSK)

Code:

$ hcxpmktool -i "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***" -p 'hashcat!'

ESSID.............: hashcat-essid
PSK  .............: hashcat!
PMK...............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PMKID (calculated): 4d4fe7aac3a2cecab195321ceb99a7d0
PMKID (hash line).: 4d4fe7aac3a2cecab195321ceb99a7d0 (equal)

or (if you know the PMK)

Code:

$ hcxpmktool -i "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***" -m 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc

ESSID.............: hashcat-essid
PMK...............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PMKID (calculated): 4d4fe7aac3a2cecab195321ceb99a7d0
PMKID (hash line).: 4d4fe7aac3a2cecab195321ceb99a7d0 (equal)

or what ever you want.

BTW:
Magnum (JtR) is involved, too:
https://github.com/hashcat/hashcat/issue...-446117257

[oayz]

Oh, thanks, I had no doubt there is a way to achieve my goal and in Unix there 1000 ways to skin the cat. Just liked hcxtools much and prefer to use one tool. Cheers!

P.S. 1) I'm on windows and using Unix tricks is kind of PITA 2) I only know SSID

[ZerBea]

Take care about your terminal settings if you convert ESSID HEX values to ASCII.
As far as I know, Windows doesn't like some characters within a terminal session.

A very bad example of handling ESSIDs has been described here:
https://nakedsecurity.sophos.com/2021/07...i-fi-hack/

[v71221]

Hi, Zerbea!
Could you please answer.

Currently (December 2021), which chipsets/adapters are you testing hcxdumptool on?
Specifically, which 5GHz dongles are your favorite at the moment?
Thanks in advance.

P.S.
I read your previous posts about your favorite chipsets/adapters.

02-13-2021
https://hashcat.net/forum/thread-6661-po...l#pid51653
hcxdumptool is working on every driver (e.g.: mt76, rt2800usb, ath9k) that is able to run full monitor mode, full packet injection, accept ioctl() system calls and doesn't depend on NETLINK.

02-23-2020
https://hashcat.net/forum/thread-6661-po...l#pid47734
As of today, I only use/test devices running mt76 and rt2800usb driver.

01-21-2020
https://hashcat.net/forum/thread-8899-po...l#pid47284
I suggest to buy an adapter whose driver (native driver within official kernel, e.g.: rt2800usb, mt76) support monitor mode and packet injection.

[ZerBea]

Tested devices by ID (Arch Linux, kernel >= 5.10):

Code:

USB:
ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter
ID 0e8d:7612 MediaTek Inc. MT7612U 802.11a/b/g/n/ac Wireless Adapter
ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U]
ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi
ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
ID 148f:5572 Ralink Technology, Corp. RT5572 Wireless Adapter
ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n
ID 0bda:8178 Realtek Semiconductor Corp. RTL8192CU 802.11n WLAN Adapter
ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter

PCIe:
Network controller: Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe Wireless Network Adapter

To get additional information about the ID
just do a DuckDuckGo search, e.g.:
https://duckduckgo.com/?t=ffab&q=ID+148f%3A7601&ia=web
or a device hunt:
https://devicehunt.com/view/type/usb/ven...evice/761A


My favourite 5GHz adapters:
ALFA ALFA Network AWUS036ACM (MT7612U)
ASUS AC51 (MT7610U)
CSL - 300Mbit USB WLAN (RT5572)


In detail:
CH 14 limited tx power due to wireless regdomain settings
hcxdumptool and hcxlabtool series using the same functions to get device information (I prefer hcxlabtool series due to performance reasons on headless operation).

ALFA ALFA Network AWUS036ACM (MT7612U)
ID 0e8d:7612 MediaTek Inc. MT7612U 802.11a/b/g/n/ac Wireless Adapter

Code:

$ sudo hcxlabgetmall -C
wlp39s0f3u1u6 available frequencies, channels and tx power reported by driver:
2412MHz   1 (20 dBm)
2417MHz   2 (20 dBm)
2422MHz   3 (20 dBm)
2427MHz   4 (20 dBm)
2432MHz   5 (20 dBm)
2437MHz   6 (20 dBm)
2442MHz   7 (20 dBm)
2447MHz   8 (20 dBm)
2452MHz   9 (20 dBm)
2457MHz  10 (20 dBm)
2462MHz  11 (20 dBm)
2467MHz  12 (20 dBm)
2472MHz  13 (20 dBm)
2484MHz  14 ( 0 dBm)
5180MHz  36 (20 dBm)
5200MHz  40 (20 dBm)
5220MHz  44 (20 dBm)
5240MHz  48 (20 dBm)
5260MHz  52 (20 dBm)
5280MHz  56 (20 dBm)
5300MHz  60 (20 dBm)
5320MHz  64 (20 dBm)
5500MHz 100 (20 dBm)
5520MHz 104 (20 dBm)
5540MHz 108 (20 dBm)
5560MHz 112 (20 dBm)
5580MHz 116 (20 dBm)
5600MHz 120 (20 dBm)
5620MHz 124 (20 dBm)
5640MHz 128 (20 dBm)
5660MHz 132 (20 dBm)
5680MHz 136 (20 dBm)
5700MHz 140 (20 dBm)
5720MHz 144 (20 dBm)
5745MHz 149 (20 dBm)
5765MHz 153 (20 dBm)
5785MHz 157 (20 dBm)
5805MHz 161 (20 dBm)
5825MHz 165 (20 dBm)
5845MHz 169 (20 dBm)
5865MHz 173 (20 dBm)

0 error(s) encountered

ASUS AC51
ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U]

Code:

$ sudo hcxlabgetmall -C
wlp39s0f3u1u6 available frequencies, channels and tx power reported by driver:
2412MHz   1 (16 dBm)
2417MHz   2 (16 dBm)
2422MHz   3 (16 dBm)
2427MHz   4 (16 dBm)
2432MHz   5 (16 dBm)
2437MHz   6 (16 dBm)
2442MHz   7 (16 dBm)
2447MHz   8 (16 dBm)
2452MHz   9 (16 dBm)
2457MHz  10 (16 dBm)
2462MHz  11 (16 dBm)
2467MHz  12 (16 dBm)
2472MHz  13 (16 dBm)
2484MHz  14 ( 0 dBm)
5180MHz  36 (19 dBm)
5200MHz  40 (19 dBm)
5220MHz  44 (19 dBm)
5240MHz  48 (19 dBm)
5260MHz  52 (19 dBm)
5280MHz  56 (19 dBm)
5300MHz  60 (19 dBm)
5320MHz  64 (19 dBm)
5500MHz 100 (19 dBm)
5520MHz 104 (19 dBm)
5540MHz 108 (19 dBm)
5560MHz 112 (19 dBm)
5580MHz 116 (19 dBm)
5600MHz 120 (19 dBm)
5620MHz 124 (19 dBm)
5640MHz 128 (19 dBm)
5660MHz 132 (19 dBm)
5680MHz 136 (19 dBm)
5700MHz 140 (19 dBm)
5720MHz 144 (19 dBm)
5745MHz 149 (19 dBm)
5765MHz 153 (19 dBm)
5785MHz 157 (19 dBm)
5805MHz 161 (19 dBm)
5825MHz 165 (19 dBm)
5845MHz 169 (19 dBm)
5865MHz 173 (19 dBm)

0 error(s) encountered

CSL 300MBit
ID 148f:5572 Ralink Technology, Corp. RT5572 Wireless Adapter

Code:

$ sudo hcxlabgetmall -C
wlp39s0f3u1u1u4 available frequencies, channels and tx power reported by driver:
2412MHz   1 (20 dBm)
2417MHz   2 (20 dBm)
2422MHz   3 (20 dBm)
2427MHz   4 (20 dBm)
2432MHz   5 (20 dBm)
2437MHz   6 (20 dBm)
2442MHz   7 (20 dBm)
2447MHz   8 (20 dBm)
2452MHz   9 (20 dBm)
2457MHz  10 (20 dBm)
2462MHz  11 (20 dBm)
2467MHz  12 (20 dBm)
2472MHz  13 (20 dBm)
2484MHz  14 ( 0 dBm)
5180MHz  36 (30 dBm)
5190MHz  38 (30 dBm)
5200MHz  40 (30 dBm)
5210MHz  42 (30 dBm)
5220MHz  44 (30 dBm)
5230MHz  46 (30 dBm)
5240MHz  48 (30 dBm)
5250MHz  50 (24 dBm)
5260MHz  52 (24 dBm)
5270MHz  54 (24 dBm)
5280MHz  56 (24 dBm)
5290MHz  58 (24 dBm)
5300MHz  60 (24 dBm)
5310MHz  62 (24 dBm)
5320MHz  64 (24 dBm)
5500MHz 100 (24 dBm)
5510MHz 102 (24 dBm)
5520MHz 104 (24 dBm)
5530MHz 106 (24 dBm)
5540MHz 108 (24 dBm)
5550MHz 110 (24 dBm)
5560MHz 112 (24 dBm)
5570MHz 114 (24 dBm)
5580MHz 116 (24 dBm)
5590MHz 118 (24 dBm)
5600MHz 120 (24 dBm)
5610MHz 122 (24 dBm)
5620MHz 124 (24 dBm)
5630MHz 126 (24 dBm)
5640MHz 128 (24 dBm)
5650MHz 130 (24 dBm)
5660MHz 132 (24 dBm)
5670MHz 134 (24 dBm)
5680MHz 136 (24 dBm)
5690MHz 138 (24 dBm)
5700MHz 140 (24 dBm)
5745MHz 149 (30 dBm)
5755MHz 151 (30 dBm)
5765MHz 153 (30 dBm)
5775MHz 155 (30 dBm)
5785MHz 157 (30 dBm)
5795MHz 159 (30 dBm)
5805MHz 161 (30 dBm)
5825MHz 165 (30 dBm)

0 error(s) encountered

Please notice:
On 5GHz the range is very limited and good antennas are mandatory!
Wireless regulatory domain must not be be unset!