hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Thanks for the answer.
The problem is a lack of knowledge.
I thought that plainmasterkey I can get with wpa2-psk. Now I know that this is only for wpa-enterprise.
Reply
Hi mob_new
I thought that plainmasterkey I can get with wpa2-psk. Now I know that this is only for wpa-enterprise.

No, that is only one half of the knowledge.

Both WPA and WPA2 use plainmasterkeys as the main part of the encryption.

In WPA Personal mode one password applies to all users.
The plainmasterkey is calculated from this password using PBKDF2 (a slow algo).

M2M (machine to machine communication) and WPA Enterprise don't need this kind of retrieving the key from a password. In many cases they are using pure plainmasterkeys (mostly not calculated by PBKDF2).

That means: The plainmasterkey is of the same kind (64 xdigits) for both Personal and Enterprise.
But the calculation to get the pmk is different.
In my own WPA2 Personal network I do not use PBKDF2 calculated plainmasterkeys. Instead I use a randomly calculated plainmasterkey shared with all clients.
Reply
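As an added illustration of the point made above (not code from the thread or from hcxtools): the Personal-mode plainmasterkey derived from a password with PBKDF2-HMAC-SHA1 (4096 rounds, SSID as salt, 32 bytes) next to a randomly generated one of the kind used for Enterprise/M2M; both come out as 64 hex digits. The PBKDF2 written out by hand is there to show what the slow part is; the function names are my own.

```python
import hashlib
import hmac
import os

# WPA/WPA2 Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
ITERATIONS = 4096
PMK_LEN = 32  # 32 bytes = 64 hex digits ("xdigits" in the post above)


def pmk_from_passphrase(passphrase: str, ssid: str) -> str:
    """Personal mode: derive the plainmasterkey from the shared password (slow by design)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), ITERATIONS, PMK_LEN)
    return pmk.hex()


def pbkdf2_sha1_by_hand(password: bytes, salt: bytes, rounds: int, dklen: int) -> bytes:
    """The same derivation written out, to show what the 4096 rounds actually do."""
    out = b""
    block = 1
    while len(out) < dklen:
        # U1 = HMAC(password, salt || block index); T = U1 xor U2 xor ... xor U_rounds
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(rounds - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(20, "big")
        block += 1
    return out[:dklen]


def random_pmk() -> str:
    """Enterprise / M2M style: a plainmasterkey that is not derived from any password."""
    return os.urandom(PMK_LEN).hex()


def is_plainmasterkey(value: str) -> bool:
    """Both kinds look the same: exactly 64 hex digits."""
    return len(value) == 64 and all(c in "0123456789abcdefABCDEF" for c in value)
```

A 64-hex-digit value of either origin is what a supplicant accepts as a pre-computed PSK, which is the set-up described in the post.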
Not all WiFi adapters and drivers are able to do packet injection.
This is an overview of some tested and working WiFi adapters
(they run "out of the box" on common LINUX kernels >= 4.9):

USB ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
USB ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
USB ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter
USB ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n
PCIe RTL8821AE 802.11ac PCIe Wireless Network Adapter
Reply
Hey,

I may have an issue while running wlandump-ng. My country does not include channels 12+ and while attempting to collect information the scan runs through all channels including 12-14 which causes the command to terminate due to an error on the Wifi adapter not being able to change to that channel.

Is there a way to strictly target channels 1-11 by default?
Reply
Hi.
There is no way to do this in the settings of wlandump-ng. But I pushed an update:
Now wlandump-ng doesn't terminate. Instead it increases its internal error count and falls back to channel 1.

Keep that in mind, if you use the -T option:
-T <maxerrors> : enable auto reboot after <xx> maximal pcap errors (default: disabled)

Depending on your LINUX distribution, there is a way to allow these channels in the wireless regulatory domain.
run
$ sudo iw reg get
to retrieve information about your wireless regulatory domain

then run:
$ sudo iw reg set XX
where XX is the ISO-Country code for the wireless regulatory domain you want to set.

A good idea is to use the world domain:
global
country 00: DFS-UNSET
(2402 - 2472 @ 40), (6, 20), (N/A)
(2457 - 2482 @ 20), (6, 20), (N/A), AUTO-BW, PASSIVE-SCAN
(2474 - 2494 @ 20), (6, 20), (N/A), NO-OFDM, PASSIVE-SCAN
(5170 - 5250 @ 80), (6, 20), (N/A), AUTO-BW, PASSIVE-SCAN
(5250 - 5330 @ 80), (6, 20), (0 ms), DFS, AUTO-BW, PASSIVE-SCAN
(5490 - 5730 @ 160), (6, 20), (0 ms), DFS, PASSIVE-SCAN
(5735 - 5835 @ 80), (6, 20), (N/A), PASSIVE-SCAN
(57240 - 63720 @ 2160), (N/A, 0), (N/A)

Read about the wireless regulatory domain here:
https://fitzcarraldoblog.wordpress.com/2...ur-laptop/
Reply
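An added example (my own, not from the thread or from hcxtools) that turns the `iw reg get` output quoted above into the list of 2.4 GHz channels a driver will actually tune to, using wlandump-ng's hop order from the option help further down the thread. A 20 MHz channel counts as usable when its centre frequency plus/minus 10 MHz lies inside one of the regdom's frequency rules; the narrow sample domain is constructed to reproduce the "channels 12+ fail" case from the question.

```python
import re

# Constructed sample: the world regulatory domain as printed by `iw reg get` in the post above
WORLD_REGDOM = """global
country 00: DFS-UNSET
        (2402 - 2472 @ 40), (6, 20), (N/A)
        (2457 - 2482 @ 20), (6, 20), (N/A), AUTO-BW, PASSIVE-SCAN
        (2474 - 2494 @ 20), (6, 20), (N/A), NO-OFDM, PASSIVE-SCAN
"""
# Constructed sample of a domain that stops at 2472 MHz (the channel 1-11 case from the question)
NARROW_REGDOM = """country XX: DFS-FCC
        (2402 - 2472 @ 40), (N/A, 30), (N/A)
"""
# wlandump-ng's 2.4 GHz hop order, taken from the option help further down the thread
HOP_SEQUENCE_24 = [1, 3, 5, 7, 9, 11, 6, 2, 4, 12, 8, 10, 13]

RULE_RE = re.compile(r"\((\d+) - (\d+) @ \d+\)(.*)")

def center_freq(channel):
    """2.4 GHz centre frequency in MHz; channel 14 is the odd one out."""
    return 2484 if channel == 14 else 2407 + 5 * channel

def parse_regdom(text):
    """Return (start_mhz, end_mhz, flags) for every frequency rule in `iw reg get` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            flags = [f.strip() for f in m.group(3).split(",") if f.strip()]
            rules.append((int(m.group(1)), int(m.group(2)), flags))
    return rules

def channel_status(channel, rules):
    """'ok', 'passive' (tunable, but no active probing/injection) or 'blocked' for a 20 MHz channel."""
    lo, hi = center_freq(channel) - 10, center_freq(channel) + 10
    status = "blocked"
    for start, end, flags in rules:
        if start <= lo and hi <= end:
            if "PASSIVE-SCAN" not in flags:
                return "ok"
            status = "passive"
    return status

def hop_plan(regdom_text, sequence=HOP_SEQUENCE_24):
    """Split the hop sequence into channels the driver can tune to and ones that raise a pcap error."""
    rules = parse_regdom(regdom_text)
    usable = [c for c in sequence if channel_status(c, rules) != "blocked"]
    blocked = [c for c in sequence if channel_status(c, rules) == "blocked"]
    return usable, blocked
```

Feeding the real output of `sudo iw reg get` into `hop_plan` before starting wlandump-ng shows which hops will hit the error counter (and the -T limit) on the current domain.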
With the GPIO mod, you have a control that signals a clean shutdown. Could you add an option so that instead of shutting down the pi, it would just cleanly exit wlandump?

In my trials I have written a boot script that loads wlandump, and when I manually exit (Ctrl-C) the script does some post processing work and then shuts down the pi. But if I use the button, the post script never runs. This behavior appears to be defined in wlandump-ng.c in the signal_handler() function around line 1135 by making a call to system("poweroff") after closing the pcap cleanly.

It would be great if a command line switch let us decide if it should power off or just quit when the signal is received on the GPIO pin.
Reply
Hi MrShannon.
Nice idea. Pushed an update to git:

added new option -P for use with hard coded GPIO switch
-P : terminate program and poweroff raspberry pi by GPIO switch
      default: terminate program and do not power off
Reply
added a new git repository: https://github.com/ZerBea/hcxtoolsbleeding
This is a playground and test area for new/upcoming versions of hcxtools - use with care!

wlandump-ng (3. generation)
- dropped libpcap dependency
- instead use raw sockets (much faster than libpcap)
   not all adapters support this(!)
   tested with these adapters: https://hashcat.net/forum/thread-6661-po...l#pid37592
- write complete radiotap header to capture file (for offline GPS correlation)
- use encryption type of ap on existing connections
- dropped Berkeley Packet Filter (no longer makes sense with the randomly generated MACs of newer devices)
- instead use host blacklist (do not send deauthentications to these networks)
- stop attack if handshake is retrieved
- only attack APs / clients in range
- refactored authentication sequence to retrieve all M2s again(!)
- retrieve parameters from APs in range (beacons no longer needed)
- retrieve parameters from ap's in range (beacons no longer needed)

Typical commandline:
$ wlandump-ng -s -c 1 -t 15 -2 -i <interface> -o output.pcap
or use with blacklist:
$ wlandump-ng -s -c 1 -t 15 -2 -i <interface> -o output.pcap -B blacklist

see help (-h) for more options
Reply
Great. I will test it today.
Thank you.
Reply
Thanks. It's important to get some feedback.
The changes are very extensive. It's a complete re-design of wlandump-ng. I dropped libpcap and go closer to the hardware. The authentication engine was completely rewritten and some options changed (to satisfy the wishes of users) or were removed (no longer necessary):
-i <interface> : interface
-o <dump file> : output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit>     : set channel (default = channel 1)
-2             : scan 2.4 GHz channels (default scan off)
                 1, 3, 5, 7, 9, 11, 6, 2, 4, 12, 8, 10, 13,
-5             : scan 5 GHz channels (default scan off)
                 36, 40, 44, 48, 52, 56, 60, 64
                 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140
                 149, 153, 157, 161, 165
-t <seconds>   : stay time on channel before hopping to the next channel
                 default = 5 seconds
-B <file>      : blacklist (do not deauthenticate clients from these hosts - format: xxxxxxxxxxxx)
-I             : show suitable wlan interfaces and quit
-T <maxerrors> : terminate after <xx> maximal errors
                 default: 1000
-P             : enable poweroff
-s             : enable status messages
-h             : show this help
-v             : show version

Only if everything works as expected will I replace the stable version with the new one.
During the initial tests, we saw that some drivers are broken (for example rt2x00 on kernel 4.4) or don't support (full) monitor mode.
Reply