hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Small notice about hcxpcaptool option -I:
hcxdumptool is able to request identities from a client (for example the International Mobile Subscriber Identity [IMSI] number from a mobile phone). Running --enable_status=1 will immediately show you these identities.
The IMSI is a string of not more than 15 digits. It is composed of a three digit Mobile Country Code (MCC), a two or three digit Mobile Network Code (MNC), and a Mobile Subscriber Identification Number (MSIN) of no more than 10 digits. MCC and MNC uniquely identify the GSM operator (read more in RFC 4186).

If you run hcxpcaptool on this pcapng file, you will get this information:
found........................: EAP-SIM (GSM Subscriber Modules) Authentication

The file, selected by -I will show you either the user's IMSI (permanent) or his temporary identity (pseudonym).

Permanent usernames:
1123456789098765@myoperator.com might be a valid permanent identity.
1123456789098765 is the permanent username.
1 = permanent
12345 = MNC
123 = MCC

Pseudonym usernames:
3s7ah6n9q@myoperator.com might be a valid pseudonym identity.
3s7ah6n9q is the pseudonym username.

Fast re-authentication usernames:
53953754@myoperator.com might be a valid fast re-authentication identity.
53953754 is the fast re-authentication username.  Unlike permanent usernames and pseudonym usernames, fast re-authentication usernames are one-time identifiers.

In all three cases, it is possible to retrieve MNC and MCC from the suffix, too:
xxxxx...xxx@wlan.mncYYY.mccZZZ.@myoperator.com
YYY = MNC
ZZZ = MCC
Reply
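The post above describes three identity shapes (prefix digit, IMSI layout, operator realm). The parser below is an added example, not code from hcxtools or from the post's author; it applies RFC 4186 (and, for completeness, the RFC 4187 EAP-AKA prefixes) to lines of the kind an identity list from hcxpcaptool -I contains. Per RFC 4186 the permanent username is the digit 1 followed by the IMSI, whose first three digits are the MCC; whether the MNC is two or three digits cannot be read from the IMSI alone, so the example resolves it from the zero-padded mncYYY realm label when one is present. All identities, realms and the function names are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Leading-digit prefixes of the username part (RFC 4186 for EAP-SIM, RFC 4187 for EAP-AKA).
PREFIXES = {
    "1": ("EAP-SIM", "permanent"),
    "3": ("EAP-SIM", "pseudonym"),
    "5": ("EAP-SIM", "fast re-authentication"),
    "0": ("EAP-AKA", "permanent"),
    "2": ("EAP-AKA", "pseudonym"),
    "4": ("EAP-AKA", "fast re-authentication"),
}

# Operator labels inside a 3GPP-style realm, e.g. "wlan.mnc015.mcc234.3gppnetwork.org".
REALM_RE = re.compile(r"(?:^|\.)mnc(\d{2,3})\.mcc(\d{3})(?=\.|$)", re.IGNORECASE)


@dataclass
class Identity:
    raw: str
    username: str
    realm: str
    method: Optional[str] = None  # "EAP-SIM", "EAP-AKA" or None for any other identity
    kind: Optional[str] = None    # "permanent", "pseudonym" or "fast re-authentication"
    imsi: Optional[str] = None    # only a permanent identity carries the IMSI
    mcc: Optional[str] = None
    mnc: Optional[str] = None
    msin: Optional[str] = None


def parse_identity(identity: str) -> Identity:
    """Classify one EAP identity and extract IMSI, MCC, MNC and MSIN where present."""
    username, _, realm = identity.partition("@")
    ident = Identity(identity, username, realm)
    ident.method, ident.kind = PREFIXES.get(username[:1], (None, None))

    # The realm names the operator for all three identity types. Its MNC label is
    # zero-padded to three digits, so a two-digit MNC 15 shows up as "mnc015".
    realm_mnc = realm_mcc = None
    m = REALM_RE.search(realm)
    if m:
        realm_mnc, realm_mcc = m.group(1), m.group(2)
        ident.mnc, ident.mcc = realm_mnc, realm_mcc

    if ident.kind != "permanent":
        return ident  # pseudonyms and re-auth ids reveal nothing beyond the realm

    imsi = username[1:]
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError(f"malformed IMSI in permanent identity {identity!r}")
    ident.imsi, ident.mcc = imsi, imsi[:3]  # MCC is always the first three digits
    if realm_mcc and realm_mcc != ident.mcc:
        raise ValueError(f"realm MCC {realm_mcc} disagrees with IMSI MCC {ident.mcc}")

    # The IMSI alone cannot tell a two-digit MNC from a three-digit one; the realm can.
    if realm_mnc and imsi[3:6] == realm_mnc:
        ident.mnc = imsi[3:6]
    elif realm_mnc and realm_mnc[-2:] == imsi[3:5] and realm_mnc[:-2] in ("", "0"):
        ident.mnc = imsi[3:5]
    elif realm_mnc:
        raise ValueError(f"realm MNC {realm_mnc} disagrees with IMSI {imsi}")
    else:
        ident.mnc = imsi[3:5]  # assumption without a realm hint: two-digit MNC
    ident.msin = imsi[3 + len(ident.mnc):]
    return ident


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count identity kinds in a list such as the one hcxpcaptool -I writes."""
    counts: Dict[str, int] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            kind = parse_identity(line).kind or "other"
        except ValueError:
            kind = "malformed"
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample list; the IMSIs and realms are made up for the demonstration.
SAMPLE_IDENTITIES = [
    "1123456789098765@myoperator.com",
    "3s7ah6n9q@myoperator.com",
    "53953754@myoperator.com",
    "1234150123456789@wlan.mnc015.mcc234.3gppnetwork.org",
    "1310410123456789@wlan.mnc410.mcc310.3gppnetwork.org",
    "alice@example.com",
    "1123456789098765@wlan.mnc045.mcc999.3gppnetwork.org",
]

if __name__ == "__main__":
    for line in SAMPLE_IDENTITIES:
        try:
            i = parse_identity(line)
            print(f"{i.kind or 'other':22} mcc={i.mcc} mnc={i.mnc} imsi={i.imsi} {line}")
        except ValueError as err:
            print(f"malformed               {err}")
    print(summarize(SAMPLE_IDENTITIES))
```

Only the permanent identity leaks the IMSI; a pseudonym or fast re-authentication identity still leaks the operator when the realm carries the mnc/mcc labels, which is why the example records MCC/MNC for all three kinds.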
Hi, I get this error with hcxdumptool when I capture the PMKID.

I capture the PMKID no problem, FOUND PMKID,

but when I try to convert the capture file that I output (-o) in hcxdumptool

I get this error:

EAPOL timout is to low

So I cannot convert the file for hashcat.

Any ideas why I'm getting this error, anyone?

Is it a common error with hcxdumptool?

Thanks for any advice...

I capture with this command:

hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

I get these results:
[08:50:37 - 006] 002417bdb675 -> d8cf9c805f44 [FOUND PMKID]

The conversion command I use after capturing the PMKID is as follows:

hcxdumptool -E essidlist -I identitulist -U usernamelist -z capturedthis.16800 pmkid.pcapng

Then I get the error:

EAPOL timeout is low
Reply
Already answered here: https://hashcat.net/forum/thread-8183-po...l#pid43956
Reply
@Zerbea
I have noticed a couple of times now that not all probe requests/probe responses from the live terminal window are exported to the probe list using the command (hcxpcaptool dump1.pcapng -E probelist). Sometimes those missed live probe requests/probe responses were the passwords!
Using the latest version of the tools.
Reply
Please attach an example pcapng so that I'm able to reproduce it. You can use tshark to find the ESSIDs.

Example:
You captured test.pcapng

Now run tshark
$ tshark -r test.pcapng -T fields -e wlan.ssid | sort | uniq > essids.tshark

Then run hcxpcaptool:
$ hcxpcaptool -E essids.tmp test.pcapng

Sort the list:
$ cat essids.tmp | sort | uniq > essids.hcxpcaptool

Compare both:
$ diff essids.tshark essids.hcxpcaptool

if essids.hcxpcaptool contains less ESSIDs than essids.tshark, zip and attach the pcapng file here.
Reply
Fixed that issue with commit:
https://github.com/ZerBea/hcxtools/commi...7ebee1373c
The function to detect broken ESSIDs didn't work as expected and removed more ESSIDs than necessary.
Thanks for reporting it.

And I added a new option (-M) to hcxpcaptool.
Now we can store IMSI numbers in combination with hcxdumptool, if they are part of the WiFi traffic.
Reply
Hi everyone, I started using these tools a few days ago, and everything works very well. I have a question.
In the client list, I have something like this:
6x1cbxedx2x1 :$HEX[0c00030008560300000000000800]  so it's a MAC address and a hex string. I changed the MAC address string for privacy. Not sure about the hex string, can somebody tell me about it please?
Reply
Hi ciccio17.
According to the documentation of the standard, the length of an SSID should be a maximum of 32 characters (32 octets, normally ASCII letters and digits, though the standard itself doesn't exclude other values). For example, some access point/router firmware versions use null-terminated strings and accept only 31 characters.
In other words, every byte value from 0x00 up to 0xff is allowed, so we can't detect whether the ESSID is valid or broken.
The solution is to hexify the ESSID if non-ASCII characters are inside ($HEX[..]). hashcat is able to handle these hexified values!
Reply
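The $HEX[..] convention explained in the reply above, as an added example (not code from hcxtools or hashcat): it renders raw ESSID octets the way the lists do, decodes an entry back to bytes, and breaks down the entry from the question. The rule used here, hexify anything outside printable ASCII, is an assumption that stands in for whatever exact test hcxpcaptool applies; the function names and the 31-characters-plus-NUL sample are constructed.

```python
import re

MAX_ESSID_OCTETS = 32                       # 802.11 SSID element limit
HEX_RE = re.compile(r"^\$HEX\[([0-9a-fA-F]*)\]$")
# Assumption for this example: printable ASCII (0x20..0x7e) is written as-is,
# any other byte value forces the $HEX[...] form.
PRINTABLE = frozenset(range(0x20, 0x7F))


def to_hashcat_essid(essid: bytes) -> str:
    """Render raw ESSID octets as a list entry: plain text or $HEX[...]."""
    if len(essid) > MAX_ESSID_OCTETS:
        raise ValueError(f"ESSID is {len(essid)} octets, the standard allows {MAX_ESSID_OCTETS}")
    if essid and all(b in PRINTABLE for b in essid) and not essid.startswith(b"$HEX["):
        return essid.decode("ascii")
    return "$HEX[" + essid.hex() + "]"


def from_hashcat_essid(text: str) -> bytes:
    """Inverse of to_hashcat_essid: recover the exact octets hashcat will use as salt."""
    m = HEX_RE.match(text)
    if m:
        digits = m.group(1)
        if len(digits) % 2:
            raise ValueError("odd number of hex digits in " + text)
        raw = bytes.fromhex(digits)
    else:
        raw = text.encode("ascii")
    if len(raw) > MAX_ESSID_OCTETS:
        raise ValueError("decoded ESSID exceeds 32 octets")
    return raw


def describe(text: str) -> dict:
    """What an entry such as '$HEX[0c00030008560300000000000800]' is made of."""
    raw = from_hashcat_essid(text)
    return {
        "octets": len(raw),
        "nul_bytes": raw.count(0),
        "printable": sum(b in PRINTABLE for b in raw),
        "ascii_view": "".join(chr(b) if b in PRINTABLE else "." for b in raw),
        "trailing_nul": raw.endswith(b"\x00"),
    }


if __name__ == "__main__":
    # Constructed samples: a plain name, a UTF-8 name, the entry from the question,
    # and a 31-character name stored null-terminated by the kind of firmware mentioned above.
    for sample in (b"mynet", "caf\u00e9".encode("utf-8"), b"a" * 31 + b"\x00"):
        entry = to_hashcat_essid(sample)
        print(f"{entry:40} -> {from_hashcat_essid(entry)!r}")
    print(describe("$HEX[0c00030008560300000000000800]"))
```

The round trip matters because the ESSID is the PBKDF2 salt: a name with an embedded NUL is a different salt from the same name without it, so a list that silently trimmed or re-encoded bytes would produce candidates that never match.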
Hi zerbea, thanks for your help, I'm back! lol. After a capture with hcxdumptool I extracted everything with hcxpcaptool:
hcxpcaptool -E lista -I informazioni -U utenti -o cattura.hccapx -z cattura.16800 -P probabili-pass prova.pcapng. In -P probabili-pass, I found two long strings, is that the PMK? And if so, what's the command in hashcat? I tried 2501 and 16801 but nothing happened.
Reply
You can retrieve a PSK or a PMK only from a weak client. Therefore you must run hcxdumptool over a long time against your penetration target.
We can not distinguish between an ESSID, a damaged ESSID, a PSK and a PMK within wlan traffic. So we assume a 32 byte string could possibly be a PMK and store it, running option -P, into your list probabili-pass.

Also a PMK attack is only useful if your penetration test target uses AKM (Authentication Key Management). Normally it is useless on PBKDF2 related networks (WPA1, WPA2, WPA2 key version 3).
The simplest correct command line for hashcat is:
hashcat -m 2501 test.hccapx pmkfile
You can test it, running examples from here:
https://hashcat.net/forum/thread-7717-po...l#pid42813
Copy the PMK to pmklist and
use the hcxpcaptool -O option:

$ hcxpcaptool -O test.hccapx sae4way.pcapng
reading from sae4way.pcapng
summary:                                        
file name....................: sae4way.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.16-arch1-1-ARCH
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianness...................: little endian
read errors..................: flawless
packets inside...............: 15
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 1
probe requests...............: 1
probe responses..............: 1
association requests.........: 1
association responses........: 1
authentications (SAE)........: 4
EAPOL packets (total)........: 6
EAPOL packets (AKM defined)..: 4
EAPOL packets (WPA2).........: 2
EAPOL PMKIDs (total).........: 1
EAPOL PMKIDs (AKM defined)...: 1
raw handshakes...............: 1 (ap-less: 0)

1 handshake(s) written to test.hccapx

$ hashcat -m 2501 test.hccapx pmklist
hashcat (v5.1.0-895-g8121073d) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-EAPOL-PMK
Hash.Target......: mynet (AP:c8:3a:35:ce:46:3f STA:c8:3a:35:c2:4f:bc)
Time.Started.....: Wed Apr 10 09:24:42 2019 (0 secs)
Time.Estimated...: Wed Apr 10 09:24:42 2019 (0 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     2078 H/s (0.00ms) @ Accel:1024 Loops:512 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
Hardware.Mon.#1..: Temp: 53c Fan: 39% Util: 14% Core:1835MHz Mem:5005MHz Bus:16
Started: Wed Apr 10 09:24:27 2019
Stopped: Wed Apr 10 09:24:43 2019

or from here:
https://wiki.wireshark.org/SampleCaptures
search for eap-tls and you find this:
File: wpa-eap-tls.pcap.gz
Description: 802.11 capture with WPA-EAP. PSK's to decode: a5001e18e0b3f792278825bc3abff72d7021d7c157b600470ef730e2490835d4 79258f6ceeecedd3482b92deaabdb675f09bcb4003ef5074f5ddb10a94ebe00a 23a9ee58c7810546ae3e7509fda9f97435778d689e53a54891c56d02f18ca162
download  wpa-eap-tls.pcap.gz
(https://wiki.wireshark.org/SampleCapture...ls.pcap.gz)
copy PMKs to pmklist
run hcxpcaptool and hashcat

$ hcxpcaptool -O test.hccapx wpa-eap-tls.pcap.gz
decompressing wpa-eap-tls.pcap.gz to /tmp/wpa-eap-tls.pcap.gz.tmp
reading from wpa-eap-tls.pcap.gz.tmp
summary:                                        
file name....................: wpa-eap-tls.pcap.gz.tmp
file type....................: pcap 2.4
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianness...................: little endian
read errors..................: flawless
packets inside...............: 86
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
EAPOL packets (total)........: 4
EAPOL packets (WPA2).........: 4
EAPOL PMKIDs (total).........: 1
EAPOL PMKIDs (WPA2)..........: 1
EAP packets..................: 20
found........................: EAP type ID
found........................: EAP-TLS Authentication
raw handshakes...............: 1 (ap-less: 0)
best handshakes..............: 1 (ap-less: 0)
best PMKIDs..................: 1

1 handshake(s) written to test.hccapx

$ hashcat -m 2501 test.hccapx pmklist
hashcat (v5.1.0-895-g8121073d) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-EAPOL-PMK
Hash.Target......:  (AP:10:6f:3f:0e:33:3c STA:24:77:03:d2:5e:a8)
Time.Started.....: Wed Apr 10 09:30:26 2019 (0 secs)
Time.Estimated...: Wed Apr 10 09:30:26 2019 (0 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     9880 H/s (0.00ms) @ Accel:1024 Loops:512 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4/4 (100.00%)
Rejected.........: 0/4 (0.00%)
Restore.Point....: 0/4 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 23a9ee58c7810546ae3e7509fda9f97435778d689e53a54891c56d02f18ca162
Hardware.Mon.#1..: Temp: 44c Fan: 29% Util: 16% Core:1911MHz Mem:5005MHz Bus:16
Started: Wed Apr 10 09:30:18 2019
Stopped: Wed Apr 10 09:30:27 2019

You can see also a best PMKID, but you can't convert it for use with hashcat, because that PMKID isn't PBKDF2 based.  I disabled the conversion of non PBKDF2 related PMKIDs in latest hcxpcaptool.
The EAPOL frame is converted only running option -O(!), because hashcat is able to verify AKM based EAPOL since this pull request:
https://github.com/hashcat/hashcat/commi...eb046e5047
I disabled the conversion of non PBKDF2 related EAPOL frames running option -o(!), too.

All examples only work on latest hcxdumptool, hcxtools and hashcat!

I suggest running hcxdumptool over a long time and collecting the lists you retrieve by -E, -I, -U. From time to time, run
your EAPOL (hccapx) and/or PMKID (16800) hashes against these lists. Run hcxwltool on those lists.
Also run hcxpsktool on the hash files (hccapx and 16800).

Also we need a new hash line to distinguish between PBKDF2 (incl. crossover/reuse PBKDF2) and AKM related handshakes.
Read more here:
https://github.com/hashcat/hashcat/issues/1816

Remarks:
All used hashes and PMKs are public demo hashes and public demo PMKs!
Reply
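The distinction the last reply draws between PBKDF2-derived PMKs and AKM-derived PMKs, as an added example that is not code from hcxtools or hashcat. It computes the WPA2-Personal PMK (PBKDF2-HMAC-SHA1 over passphrase and ESSID), the WPA2 PMKID (HMAC-SHA1-128 over "PMK Name", AP MAC and station MAC), and then runs both attack styles against a PMKID: a passphrase list (what -m 16800 does) and a list of 32-byte candidates as the -P option collects them (what -m 16801 does for PMKIDs, and -m 2501 for EAPOL handshakes). The MACs, ESSID, passphrase and the non-PBKDF2 PMK standing in for an 802.1X or SAE session are constructed; the one external value is the 802.11 test vector for passphrase "password" and SSID "IEEE", used as a known answer.

```python
import hashlib
import hmac
from typing import Iterable, List, Optional, Tuple

PMK_NAME = b"PMK Name"


def pmk_from_psk(psk: str, essid: bytes) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode("utf-8"), essid, 4096, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """WPA2 PMKID = HMAC-SHA1(PMK, "PMK Name" || AA || SPA), truncated to 16 bytes."""
    return hmac.new(pmk, PMK_NAME + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def build_16800(target: bytes, mac_ap: bytes, mac_sta: bytes, essid: bytes) -> str:
    """The four fields of a hashcat 16800 line: PMKID*MAC_AP*MAC_STA*ESSID, all hex."""
    return "*".join(x.hex() for x in (target, mac_ap, mac_sta, essid))


def parse_16800(line: str) -> Tuple[bytes, bytes, bytes, bytes]:
    target, mac_ap, mac_sta, essid = line.strip().split("*")
    return (bytes.fromhex(target), bytes.fromhex(mac_ap),
            bytes.fromhex(mac_sta), bytes.fromhex(essid))


def candidate_pmks(lines: Iterable[str]) -> List[bytes]:
    """Keep only list entries that can be a PMK at all: exactly 64 hex digits (32 bytes)."""
    out = []
    for line in lines:
        s = line.strip()
        if len(s) == 64 and all(c in "0123456789abcdefABCDEF" for c in s):
            out.append(bytes.fromhex(s))
    return out


def crack_pmkid_with_psks(target: bytes, essid: bytes, mac_ap: bytes, mac_sta: bytes,
                          psks: Iterable[str]) -> Optional[str]:
    """Passphrase attack: 4096 PBKDF2 rounds per candidate, then one HMAC."""
    for psk in psks:
        if hmac.compare_digest(pmkid(pmk_from_psk(psk, essid), mac_ap, mac_sta), target):
            return psk
    return None


def crack_pmkid_with_pmks(target: bytes, mac_ap: bytes, mac_sta: bytes,
                         pmks: Iterable[bytes]) -> Optional[bytes]:
    """PMK attack: one HMAC per candidate, no PBKDF2, so it works for any PMK origin."""
    for pmk in pmks:
        if hmac.compare_digest(pmkid(pmk, mac_ap, mac_sta), target):
            return pmk
    return None


if __name__ == "__main__":
    # Constructed demo values: locally administered MACs, a made-up ESSID and passphrase.
    ap, sta, essid = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"mynet"
    psk_pmk = pmk_from_psk("hashcat!", essid)
    line = build_16800(pmkid(psk_pmk, ap, sta), ap, sta, essid)
    print("16800 line :", line)
    t, a, s, e = parse_16800(line)
    print("psk attack :", crack_pmkid_with_psks(t, e, a, s, ["wrong", "hashcat!"]))
    print("pmk attack :", crack_pmkid_with_pmks(t, a, s, candidate_pmks(["mynet", psk_pmk.hex()])))

    # A PMK that did not come from PBKDF2 (constructed stand-in for 802.1X/EAP or SAE):
    # no passphrase list can ever hit it, a PMK list can.
    akm_pmk = bytes(range(32))
    t2 = pmkid(akm_pmk, ap, sta)
    print("psk attack on AKM PMKID:", crack_pmkid_with_psks(t2, e, a, s, ["hashcat!"]))
    print("pmk attack on AKM PMKID:", crack_pmkid_with_pmks(t2, a, s, [akm_pmk]).hex())
```

This is the reason behind the reply's remark that a PMK attack is only useful against AKM-based targets and that non-PBKDF2 PMKIDs are not converted for 16800: the 16800 check always runs PBKDF2 first, and an AKM-derived PMK has no passphrase to find.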