hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
#41
To compile for Raspberry Pi 3 I needed to add -std=c99 after CC = gcc on line 8 of the Makefile, just as it said in the error output.

Worked perfectly on my headless Raspberry Pi 3 with TP-Link WN722N dongle.
#42
Thanks for the feedback. hcxtools should work on Raspberry Pi A, A+, B, B+, 2B and 3 (3: except built-in wifi).
The compiler options depend on the version:
for Arch:
$ gcc --version
gcc (GCC) 7.1.1 20170630
but Raspbian or Ubuntu should work, too
#43
(06-23-2017, 09:56 PM)winxp5421 Wrote: This is fantastic! Now, all we need is an automated way to scan client probe requests, setup fake AP with probe request info, client attempts authentication, save to .cap, rinse, repeat.

So we can use wlandump-ng/wlanresponse to get the handshake (capture only M1-M2) without AP (using clients' probe requests) and then find the password using hashcat? Am I correct?
#44
Quick answer:
Yes, that's correct.

Long statement:
You need only to capture the M2 from a client. wlandump-ng and wlanresponse will calculate the M1.
wlandump-ng will show us this (using the -s xx option):
transmitted m1/received appropriate m2...: 343/719

and the regular messages from a real ap connected to a client:
received regular m1/m2/m3/m4.............: 146/98/143/68

Using the defaults, a client probes every ap which has an entry in his wpa_supplicant.conf.
A stupid client also probes and authenticates his 5GHz access point on 2.4GHz!
wlandump-ng accepts and transmits a M1. After receiving this M1 the client transmits his M2. So we receive a valid M2, calculated from an entry in his wpa_supplicant.conf.
If the client has 10 entries (from 10 different networks) in his wpa_supplicant.conf, we get 10 different crackable M2s.
#45
Thanks for your help. It is a unique tool.
You are great...
#46
It's just a wlan parser for hashcat - hashcat is the amazing tool.
#47
added detection of zeroed plainmasterkeys to hcxtools:

$ wlancap2hcx  -o test.hccapx *.cap
start reading from wlan.cap
8659109 packets processed (8659109 wlan, 0 lan, 0 loopback)
total 201527 usefull wpa handshakes
found 52 handshakes with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)
found 1642 WPA1 RC4 Cipher, HMAC-MD5
found 199883 WPA2 AES Cipher, HMAC-SHA1
found 2 WPA2 AES Cipher, AES-128-CMAC
found 90883 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
found MD5-Challenge (hashcat -m 4800)
found EAP-TLS Authentication
found EAP-Cisco Wireless Authentication (hashcat -m 5500)
found EAP-SIM (GSM Subscriber Modules) Authentication
found PEAP Authentication
found WPS Authentication
warning: use of wpaclean detected

found 52 handshakes with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)
means that a client uses a misconfigured wpa_supplicant or an access point uses a misconfigured hostapd.

use hashcat -m 2501 test.hccapx pmkfile to crack the net

pmkfile:
0000000000000000000000000000000000000000000000000000000000000000

If you cracked M1/M2 or M1/M4 the client is misconfigured.
If you cracked M2/M3 or M3/M4 the access point is misconfigured and you are able to connect to the net using a zeroed plainmasterkey.
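Posts #44 and #47 both rest on the same computation: the KCK is derived from the PMK, the two MAC addresses and the two nonces, and the M2 MIC is an HMAC over the EAPOL frame under that KCK, which is why a single M2 plus the ANonce chosen by wlandump-ng is enough to test a PMK, and why an all-zero PMK can be checked for directly. The following is an added Python example (not hcxtools or hashcat code) that performs that zeroed-plainmasterkey check on a constructed M2; the MAC addresses, nonces and the frame itself are made up, and AES-128-CMAC (descriptor version 3) is left out.

```python
import hashlib
import hmac
import struct

ZERO_PMK = bytes(32)   # the "zeroed plainmasterkey" wlancap2hcx warns about
MIC_OFF = 81           # EAPOL header (4) + key-descriptor fields before the 16-byte MIC
NONCE_OFF = 17         # EAPOL header (4) + descriptor type, key info, key length, replay counter


def kck(pmk, mac_ap, mac_sta, anonce, snonce):
    """First 16 bytes of the PTK (the KCK) via the 802.11i PRF; only the first
    HMAC-SHA1 block is needed because the KCK is the start of the PTK."""
    data = (min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
            + min(anonce, snonce) + max(anonce, snonce))
    msg = b"Pairwise key expansion" + b"\x00" + data + b"\x00"
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


def eapol_mic(key, eapol):
    """Recompute the Key MIC over the EAPOL frame with its MIC field zeroed.
    Descriptor version 1 = HMAC-MD5 (WPA1/RC4), 2 = HMAC-SHA1 (WPA2/AES);
    version 3 (AES-128-CMAC) is deliberately unsupported here (KeyError)."""
    version = struct.unpack(">H", eapol[5:7])[0] & 0x7
    digest = {1: hashlib.md5, 2: hashlib.sha1}[version]
    zeroed = eapol[:MIC_OFF] + bytes(16) + eapol[MIC_OFF + 16:]
    return hmac.new(key, zeroed, digest).digest()[:16]


def has_zeroed_pmk(mac_ap, mac_sta, anonce, eapol_m2):
    """True when the M2's MIC verifies under an all-zero PMK, i.e. the client
    is misconfigured (the M1/M2 case in post #47). anonce is whatever the AP
    side sent in M1, so a known ANonce plus one real M2 is all that is needed."""
    snonce = eapol_m2[NONCE_OFF:NONCE_OFF + 32]
    expected = eapol_mic(kck(ZERO_PMK, mac_ap, mac_sta, anonce, snonce), eapol_m2)
    return hmac.compare_digest(expected, eapol_m2[MIC_OFF:MIC_OFF + 16])


def build_m2(pmk, mac_ap, mac_sta, anonce, snonce, version=2):
    """Constructed M2 (RSN descriptor, no key data) whose MIC is made from pmk."""
    key_info = 0x0108 | version           # Pairwise + Key MIC bits + descriptor version
    body = (bytes([2]) + struct.pack(">HHQ", key_info, 0, 1) + snonce
            + bytes(16 + 8 + 8) + bytes(16) + b"\x00\x00")   # IV, RSC, ID, MIC, data len
    eapol = bytes([1, 3]) + struct.pack(">H", len(body)) + body  # EAPOL v1, EAPOL-Key
    mic = eapol_mic(kck(pmk, mac_ap, mac_sta, anonce, snonce), eapol)
    return eapol[:MIC_OFF] + mic + eapol[MIC_OFF + 16:]


if __name__ == "__main__":
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                  # constructed
    print("zeroed PMK:", has_zeroed_pmk(ap, sta, anonce, build_m2(ZERO_PMK, ap, sta, anonce, snonce)))
```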
#48
How to increase hashcat's cracking speed on wpa/wpa2 by using wlandump forced handshakes only:

1. use wlandump-ng or wlanresponse to capture wlan traffic

2. increase cracking speed:
  use wlancap2hcx to convert cap to hccapx (option -w <file>     : write only wlandump forced to hccapx file)
  wlancap2hcx -W test1.hccapx *.cap
  at this point you can use hashcat -m 2500 --nonce-error-corrections=0 test1.hccapx wordlist

3. increase cracking speed further:
  use wlanhcx2ssid to make nets unique (option -n <file>     : output stripped file (only one record each mac_sta, essid))
  wlanhcx2ssid -i test1.hccapx -n test2.hccapx
  at this point you can use hashcat -m 2500 --nonce-error-corrections=0 test2.hccapx wordlist

That will work on hash-modes 2500 and 2501.
#49
How to convert hccapx back to cap:

cap2hccapx and wlancap2hcx don't convert the following message pairs:
MESSAGE_PAIR_M32E3 3
MESSAGE_PAIR_M32E3 131
MESSAGE_PAIR_M34E3 4
MESSAGE_PAIR_M34E3 132
because conversion from hccapx to cap is not lossless and these types can't be converted back.

Instead, both tools write the message pairs
MESSAGE_PAIR_M32E2 2
MESSAGE_PAIR_M32E2 130
MESSAGE_PAIR_M34E4 5
MESSAGE_PAIR_M34E4 133
to a hccapx file.

So it's possible to convert a hccapx file back to a cap file:
wlanhcx2cap -i test.hccapx -o test.cap -m 40

Option -m means that max. 40 different cap files are written (depending on total number of nets in the hccapx):
each cap file contains only one combination of
mac_ap, mac_sta, ESSID per network.

For example: http://wpa-sec.stanev.org/? will accept these back-converted caps.
#50
I use this tool to convert hccapx back to cap, but it was sometimes unsuccessful. So this is the reason. Thanks.