hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
(06-27-2019, 04:11 PM)ZerBea Wrote: GPS output is not included in --prefix-out because it depends on hcxdumptool.
In other words:
You must run hcxdumptool with connected GPS receiver and option --use_gpsd
--use_gpsd                        : use GPSD to retrieve position
                                    add latitude, longitude and altitude to every pcapng frame
hcxpcaptool will add a GPS position to every received packet.

tshark and wireshark are able to show you the positions (and more) directly from the pcapng file:
$ tshark -r test.pcapng -Y frame.comment -T fields -E header=y -e frame.number -e frame.time -e wlan.sa -e frame.comment
172 Mar  6, 2019 23:01:48.793212000 CET 1a:f8:7c:91:24:a3 lat:49.126337,lon:4.626268,alt:129.500000,date:06.03.2019,time:22:01:48

If you run hcxpcaptool with option -g on such a pcapng file, you will get a GPS track (inclusive WiFi information).
-g <file> : output GPS file
            format = GPX (accepted for example by Viking and GPSBabel)

Viking understands and shows you the track. GPSBabel is able to convert it to other formats.

BTW 1:
Do not try to run the hcxpcaptool -g option on cap or pcap files. This (ancient) format doesn't allow additional comment fields.

BTW 2:
hcxdumptool uses gpsd, so the GPS receiver must be supported by gpsd (https://gpsd.gitlab.io/gpsd/index.html)

BTW 3:
What do you mean GPS does not work?
If you are on a kernel > 4.19, bluetooth may not work as expected, because some
external devices are affected by an xhci issue:
https://bugzilla.kernel.org/show_bug.cgi?id=202541#c32
That means, if your device is connected via a USB bluetooth adapter, it may not work as expected.

ok, I thought that hcxpcaptool --prefix-out included GPS.
Reply
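The post above shows the GPS position that hcxdumptool (with --use_gpsd) stores in every pcapng frame comment, and that tshark can print it. The script below is an added example, not hcxtools code: it reads the tab-separated output of the tshark command from the post, parses the lat/lon/alt/date/time comment layout shown there, and writes a GPX 1.1 track of the kind hcxpcaptool -g produces, keeping the frame number and transmitter MAC on each point so the track can be matched back to the capture. The sample input is constructed (the real frame from the post plus two made-up lines), and the assumption that the comment's date/time is UTC is marked in the code.

```python
"""Build a GPX track from the GPS positions hcxdumptool writes into pcapng
frame comments (--use_gpsd).

Added example, not hcxtools code.  Input is the tab-separated output of
  tshark -r test.pcapng -Y frame.comment -T fields -E header=y \
         -e frame.number -e frame.time -e wlan.sa -e frame.comment
Only the comment layout seen in the thread is understood:
  lat:<f>,lon:<f>,alt:<f>,date:DD.MM.YYYY,time:HH:MM:SS
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the frame from the thread plus two made-up lines
# (one with a non-GPS comment, which must be skipped).
SAMPLE_TSHARK_OUTPUT = "\n".join([
    "frame.number\tframe.time\twlan.sa\tframe.comment",
    "172\tMar  6, 2019 23:01:48.793212000 CET\t1a:f8:7c:91:24:a3\t"
    "lat:49.126337,lon:4.626268,alt:129.500000,date:06.03.2019,time:22:01:48",
    "173\tMar  6, 2019 23:01:49.101212000 CET\t1a:f8:7c:91:24:a3\t"
    "lat:49.126401,lon:4.626310,alt:129.700000,date:06.03.2019,time:22:01:49",
    "180\tMar  6, 2019 23:01:52.000000000 CET\t00:11:22:33:44:55\tsome other comment",
])

COMMENT_RE = re.compile(
    r"^lat:(?P<lat>-?\d+\.\d+),lon:(?P<lon>-?\d+\.\d+),alt:(?P<alt>-?\d+\.\d+),"
    r"date:(?P<date>\d{2}\.\d{2}\.\d{4}),time:(?P<time>\d{2}:\d{2}:\d{2})$"
)


def parse_comment(comment):
    """Return {lat, lon, alt, time} for a GPS comment, or None for anything else."""
    m = COMMENT_RE.match(comment.strip())
    if m is None:
        return None
    # Assumption: the GPS date/time is UTC.  In the thread's sample it is one
    # hour behind the CET frame.time, which is consistent with that.
    when = datetime.strptime(m["date"] + " " + m["time"], "%d.%m.%Y %H:%M:%S")
    return {
        "lat": float(m["lat"]),
        "lon": float(m["lon"]),
        "alt": float(m["alt"]),
        "time": when.replace(tzinfo=timezone.utc),
    }


def parse_tshark(text):
    """Yield (frame_number, source_mac, position) for every frame carrying a GPS comment."""
    lines = text.splitlines()
    if lines and lines[0].startswith("frame.number"):
        lines = lines[1:]                      # drop the -E header=y line
    for line in lines:
        fields = line.split("\t")
        if len(fields) != 4:
            continue
        pos = parse_comment(fields[3])
        if pos is not None:
            yield int(fields[0]), fields[2], pos


def build_gpx(text, name="hcxdumptool track"):
    """Return a GPX 1.1 document (string) with one track point per GPS-tagged
    frame, sorted by GPS time.  Frame number and transmitter MAC go into <name>
    so each point can be matched back to the capture."""
    gpx = ET.Element("gpx", {"version": "1.1", "creator": "frame-comment-to-gpx example",
                             "xmlns": "http://www.topografix.com/GPX/1/1"})
    trk = ET.SubElement(gpx, "trk")
    ET.SubElement(trk, "name").text = name
    seg = ET.SubElement(trk, "trkseg")
    points = sorted(parse_tshark(text), key=lambda p: p[2]["time"])
    for frame_no, mac, pos in points:
        pt = ET.SubElement(seg, "trkpt", {"lat": str(pos["lat"]), "lon": str(pos["lon"])})
        ET.SubElement(pt, "ele").text = str(pos["alt"])
        ET.SubElement(pt, "time").text = pos["time"].strftime("%Y-%m-%dT%H:%M:%SZ")
        ET.SubElement(pt, "name").text = f"frame {frame_no} from {mac}"
    return ET.tostring(gpx, encoding="unicode")


if __name__ == "__main__":
    print(build_gpx(SAMPLE_TSHARK_OUTPUT))
```

Pipe the real tshark output into `build_gpx` (or save it and pass the file contents) and load the result in Viking or GPSBabel; frames whose comment is not a GPS position are skipped rather than producing a bogus point.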
(06-09-2019, 07:49 PM)ZerBea Wrote: Edimax EW-7811UAC
ID 7392:a812 Edimax Technology Co., Ltd

$ hcxdumptool -I
wlan interfaces:
74da380645e7 wlp0s20f0u1 (rtl88xxau)

$ hcxdumptool -i wlp0s20f0u1 -C
initialization...
available channels:
  1 / 2412MHz (18 dBm)
  2 / 2417MHz (18 dBm)
  3 / 2422MHz (18 dBm)
  4 / 2427MHz (18 dBm)
  5 / 2432MHz (18 dBm)
  6 / 2437MHz (18 dBm)
  7 / 2442MHz (18 dBm)
  8 / 2447MHz (18 dBm)
  9 / 2452MHz (18 dBm)
10 / 2457MHz (18 dBm)
11 / 2462MHz (18 dBm)
12 / 2467MHz (18 dBm)
13 / 2472MHz (18 dBm)
14 / 2484MHz (18 dBm)
36 / 5180MHz (18 dBm)
40 / 5200MHz (18 dBm)
44 / 5220MHz (18 dBm)
48 / 5240MHz (18 dBm)
52 / 5260MHz (18 dBm)
56 / 5280MHz (18 dBm)
60 / 5300MHz (18 dBm)
64 / 5320MHz (18 dBm)
100 / 5500MHz (18 dBm)
104 / 5520MHz (18 dBm)
108 / 5540MHz (18 dBm)
112 / 5560MHz (18 dBm)
116 / 5580MHz (18 dBm)
120 / 5600MHz (18 dBm)
124 / 5620MHz (18 dBm)
128 / 5640MHz (18 dBm)
132 / 5660MHz (18 dBm)
136 / 5680MHz (18 dBm)
140 / 5700MHz (18 dBm)
144 / 5720MHz (18 dBm)
149 / 5745MHz (18 dBm)
153 / 5765MHz (18 dBm)
157 / 5785MHz (18 dBm)
161 / 5805MHz (18 dBm)
165 / 5825MHz (18 dBm)
169 / 5845MHz (18 dBm)
173 / 5865MHz (18 dBm)

$ uname -r
5.1.7-arch1-1-ARCH

Does not run out of the box. Get the driver from here:
https://github.com/aircrack-ng/rtl8812au

aircrack-ng team is doing a really good job here!

Using an Alfa dongle with the 8812au chip.. it seems that it can't capture packets. Any idea what to check after installing the drivers from aircrack-ng?

root@raspberrypi:/home/pi# hcxdumptool -I
wlan interfaces:
00c0ca9005f5 wlan0 (rtl88xxau)
root@raspberrypi:/home/pi# hcxdumptool -i wlan0 -C
initialization...
available channels:
  1 / 2412MHz
  2 / 2417MHz
  3 / 2422MHz
  4 / 2427MHz
  5 / 2432MHz
  6 / 2437MHz
  7 / 2442MHz
  8 / 2447MHz
  9 / 2452MHz
  10 / 2457MHz
  11 / 2462MHz
  12 / 2467MHz
  13 / 2472MHz
  14 / 2484MHz
  36 / 5180MHz
  37 / 5185MHz
  38 / 5190MHz
  39 / 5195MHz
  40 / 5200MHz
  41 / 5205MHz
  42 / 5210MHz
  43 / 5215MHz
  44 / 5220MHz
  45 / 5225MHz
  46 / 5230MHz
  47 / 5235MHz
  48 / 5240MHz
  49 / 5245MHz
  50 / 5250MHz
  51 / 5255MHz
  52 / 5260MHz
  53 / 5265MHz
  54 / 5270MHz
  55 / 5275MHz
  56 / 5280MHz
  57 / 5285MHz
  58 / 5290MHz
  59 / 5295MHz
  60 / 5300MHz
  61 / 5305MHz
  62 / 5310MHz
  63 / 5315MHz
  64 / 5320MHz
  65 / 5325MHz
  66 / 5330MHz
  67 / 5335MHz
  68 / 5340MHz
  69 / 5345MHz
  70 / 5350MHz
  71 / 5355MHz
  72 / 5360MHz
  73 / 5365MHz
  74 / 5370MHz
  75 / 5375MHz
  76 / 5380MHz
  77 / 5385MHz
  78 / 5390MHz
  79 / 5395MHz
  80 / 5400MHz
  81 / 5405MHz
  82 / 5410MHz
  83 / 5415MHz
  84 / 5420MHz
  85 / 5425MHz
  86 / 5430MHz
  87 / 5435MHz
  88 / 5440MHz
  89 / 5445MHz
  90 / 5450MHz
  91 / 5455MHz
  92 / 5460MHz
  93 / 5465MHz
  94 / 5470MHz
  95 / 5475MHz
  96 / 5480MHz
  97 / 5485MHz
  98 / 5490MHz
  99 / 5495MHz
100 / 5500MHz
101 / 5505MHz
102 / 5510MHz
103 / 5515MHz
104 / 5520MHz
105 / 5525MHz
106 / 5530MHz
107 / 5535MHz
108 / 5540MHz
109 / 5545MHz
110 / 5550MHz
111 / 5555MHz
112 / 5560MHz
113 / 5565MHz
114 / 5570MHz
115 / 5575MHz
116 / 5580MHz
117 / 5585MHz
118 / 5590MHz
119 / 5595MHz
120 / 5600MHz
121 / 5605MHz
122 / 5610MHz
123 / 5615MHz
124 / 5620MHz
125 / 5625MHz
126 / 5630MHz
127 / 5635MHz
128 / 5640MHz
129 / 5645MHz
130 / 5650MHz
131 / 5655MHz
132 / 5660MHz
133 / 5665MHz
134 / 5670MHz
135 / 5675MHz
136 / 5680MHz
137 / 5685MHz
138 / 5690MHz
139 / 5695MHz
140 / 5700MHz
141 / 5705MHz
142 / 5710MHz
143 / 5715MHz
144 / 5720MHz
145 / 5725MHz
146 / 5730MHz
147 / 5735MHz
148 / 5740MHz
149 / 5745MHz
150 / 5750MHz
151 / 5755MHz
152 / 5760MHz
153 / 5765MHz
154 / 5770MHz
155 / 5775MHz
156 / 5780MHz
157 / 5785MHz
158 / 5790MHz
159 / 5795MHz
160 / 5800MHz
161 / 5805MHz
162 / 5810MHz
163 / 5815MHz
164 / 5820MHz
165 / 5825MHz
166 / 5830MHz
167 / 5835MHz
168 / 5840MHz
169 / 5845MHz
170 / 5850MHz
171 / 5855MHz
172 / 5860MHz
173 / 5865MHz
174 / 5870MHz
175 / 5875MHz
Reply
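The two channel lists above differ in a way that is easy to miss by eye: the Edimax output contains only the usual 20 MHz channels, while the Raspberry Pi/Alfa output offers 37, 38, 39 and so on, i.e. a "channel" every 5 MHz up to 175. The script below is an added example, not hcxtools code: it parses `hcxdumptool -i <iface> -C` output (with or without the dBm column) and flags channel numbers that are off the 20 MHz 802.11 channel plan or whose frequency does not match the channel number. The channel plan it assumes (2.4 GHz 1-14, 5 GHz 36-64, 100-144 and 149-177 in steps of four, centre frequency 5000 + 5*ch MHz) is stated in the code; the two inputs are constructed excerpts of the outputs quoted in the thread.

```python
"""Sanity-check the channel list printed by `hcxdumptool -i <iface> -C`.

Added example, not hcxtools code.  Assumption: a correctly working driver
reports only 20 MHz channels from the usual 802.11 plan (2.4 GHz 1-14,
5 GHz 36-64, 100-144 and 149-177 in steps of four, centre frequency
5000 + 5*ch MHz).  A list that also offers 37, 38, 39 ... every 5 MHz,
like the rtl88xxau output in the thread, points at the driver, not at
hcxdumptool.
"""
import re

CHANNEL_PLAN = (set(range(1, 15)) | set(range(36, 65, 4))
                | set(range(100, 145, 4)) | set(range(149, 178, 4)))

# Constructed excerpts of the two outputs quoted in the thread
# (Edimax with tx power column, Raspberry Pi without).
EDIMAX_OUTPUT = """available channels:
  1 / 2412MHz (18 dBm)
 13 / 2472MHz (18 dBm)
 14 / 2484MHz (18 dBm)
 36 / 5180MHz (18 dBm)
 64 / 5320MHz (18 dBm)
100 / 5500MHz (18 dBm)
144 / 5720MHz (18 dBm)
149 / 5745MHz (18 dBm)
173 / 5865MHz (18 dBm)
"""
PI_OUTPUT = """available channels:
  1 / 2412MHz
 36 / 5180MHz
 37 / 5185MHz
 38 / 5190MHz
 39 / 5195MHz
 40 / 5200MHz
175 / 5875MHz
"""

LINE_RE = re.compile(r"^\s*(\d+)\s*/\s*(\d+)MHz(?:\s*\((-?\d+) dBm\))?\s*$")


def expected_freq(ch):
    """Centre frequency in MHz for a channel number (802.11 2.4/5 GHz numbering)."""
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    if ch == 14:
        return 2484
    return 5000 + 5 * ch


def parse_channels(text):
    """Return [(channel, freq_mhz, dbm_or_None), ...] from hcxdumptool -C output."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m[1]), int(m[2]), int(m[3]) if m[3] else None))
    return out


def audit_channels(text):
    """Report channels that are off the 20 MHz plan or whose frequency does not
    match their number; either one is a driver/regulatory-db red flag."""
    chans = parse_channels(text)
    return {
        "count": len(chans),
        "off_plan": [c for c, _, _ in chans if c not in CHANNEL_PLAN],
        "freq_mismatch": [(c, f) for c, f, _ in chans if f != expected_freq(c)],
        "driver_looks_sane": all(c in CHANNEL_PLAN and f == expected_freq(c)
                                 for c, f, _ in chans),
    }


if __name__ == "__main__":
    for label, text in (("Edimax", EDIMAX_OUTPUT), ("Pi/Alfa", PI_OUTPUT)):
        print(label, audit_channels(text))
```

Run it against the saved output of `hcxdumptool -i <iface> -C`; an empty `off_plan` list does not prove the driver captures correctly, but a non-empty one is a quick reason to check the driver issues linked in the reply above before debugging hcxdumptool itself.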
It looks like there are some driver issues:

https://github.com/aircrack-ng/rtl8812au/issues/387

https://github.com/aircrack-ng/rtl8812au/issues/380

https://github.com/aircrack-ng/rtl8812au/issues/376

https://forum.aircrack-ng.org/index.php/...6.html#new



and we still have the xhci issue:

https://bugzilla.kernel.org/show_bug.cgi?id=202541



The EDIMAX doesn't work any longer:

https://github.com/aircrack-ng/rtl8812au...-504895951


Please read also this:
"RTW88 is the successor to the long-in-standing RTLWIFI driver"
https://www.phoronix.com/scan.php?page=n...nux-Driver

and the comments here:
https://www.phoronix.com/forums/forum/ha...nux-kernel

and this:
"supported modes: Basic STA/AP/ADHOC mode, and TDLS (STA is well tested)"
https://lwn.net/Articles/786478/
Reply
Well, it seems that for the moment we are better off using trusty 2.4 GHz dongles. For the moment the most reliable one I found is the TP-Link w772n, cheap and super efficient, way more than the Alfas that I own, which no longer work; I only have an honorable mention for the AWUS036NEH.

Is the TP-Link T2UH working without conflicts?

BTW, is there any clean way of removing the installed driver from aircrack-ng, or of changing the version?
Reply
Is the TP-Link T2UH working without conflicts?
Unfortunately not:
https://github.com/openwrt/mt76/issues/2...-500999516
but it is on its way to being fixed, and it is an official kernel driver on which work is in progress:
https://git.kernel.org/pub/scm/linux/ker...h=v5.2-rc7

Is there any clean way of removing the installed driver from aircrack-ng?
If installed via dkms: dkms-remove.sh (should work, but I'm not sure because I don't use dkms).
If inserted via insmod 88XXau.ko, use rmmod 88XXau.ko (I prefer this way).

Or changing the version?
Changing the version can be done via git (git checkout):
$ git branch -a
* v5.2.20
  remotes/origin/HEAD -> origin/v5.2.20
  remotes/origin/master
  remotes/origin/revert-325-MikeColes-dkms-install.sh-backticks
  remotes/origin/v4.3.21
  remotes/origin/v5.1.5
  remotes/origin/v5.2.20
  remotes/origin/v5.2.9
  remotes/origin/v5.3.4
  remotes/origin/v5.6.4
  remotes/origin/v5.6.4.1

then switch branch:
git checkout v5.3.4
Reply
Hello ZerBea my new potfile does not work with hashcat
Reply
hashcat changed the potfile format and the outfile format on 2500 and 16800. Both hashmodes now use the same potfile format and the same outfile format. For example:
hashcat -m 16800 --remove --potfile-path="hashcat.pmk.pot" -o "hashcat.psk.out" hash.16800 wordlist
hashcat -m 2500 --remove --potfile-path="hashcat.pmk.pot" -o "hashcat.psk.out" hash.hccapx wordlist
will give you the same output on both lists! Already recovered PSKs from hashmode 16800 are detected and not calculated again on hashmode 2500.
new potfile format:
PMK : ESSID(in HEX-ASCII) : PSK
new outfile format:
MAC_AP : MAC_STA : ESSID : PSK

This was necessary because an EAPOL handshake and/or a PMKID is not unique for a WPA1, WPA2, WPA2 keyver 3 network, while a PMK is unique! Now we identify a network by the PMK! That keeps the potfile small and we can remove already cracked networks in a fast way.
Also you can run simple bash scripts to get/extract all the information you need from these files.

For example to get the PSKs from a potfile:
awk -F: '{ print $NF }' hashcat.pmk.pot >> wordlist
the same script works on the outfile:
awk -F: '{ print $NF }' hashcat.psk.out >> wordlist

or to get the PMKs:
cut -c -64 hashcat.pmk.pot >> pmklist

I recommend using the same potfile/outfile for 2500 and 16800. Do not use these files on other hashmodes! I use these methods to clean my database, because it is extremely fast on big hash lists:
$ hcxcleanpmkiddb
hashcat (v5.1.0-1186-g07915692) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-PMKID-PMK
Hash.Target......: archiv.16800
Time.Started.....: Tue Jul 9 09:32:32 2019 (46 secs)
Time.Estimated...: Tue Jul 9 09:33:18 2019 (0 secs)
Guess.Base.......: Pipe
Speed.#1.........: 180.8 MH/s (0.00ms) @ Accel:1024 Loops:1024 Thr:64 Vec:1
Recovered........: 63430/64658 (98.10%) Digests, 61923/63151 (98.06%) Salts
Recovered/Time...: CUR:N/A,N/A,N/A AVG:83134,4988093,119714233 (Min,Hour,Day)
Progress.........: 8217460724
Rejected.........: 0
Restore.Point....: 0
Restore.Sub.#1...: Salt:63150 Amplifier:0-1 Iteration:0-1
Candidates.#1....: removed -> removed
Hardware.Mon.#1..: Temp: 62c Fan: 44% Util: 67% Core:1885MHz Mem:5005MHz Bus:16
Started: Tue Jul 9 09:32:30 2019
Stopped: Tue Jul 9 09:33:18 2019


$ hcxcleaneapoldb
hashcat (v5.1.0-1186-g07915692) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-EAPOL-PMK
Hash.Target......: archiv.hccapx
Time.Started.....: Tue Jul 9 09:36:32 2019 (16 mins, 21 secs)
Time.Estimated...: Tue Jul 9 09:52:53 2019 (0 secs)
Guess.Base.......: Pipe
Speed.#1.........: 12806.0 kH/s (0.00ms) @ Accel:1024 Loops:1024 Thr:64 Vec:1
Recovered........: 239521/245611 (97.52%) Digests, 88814/92027 (96.51%) Salts
Recovered/Time...: CUR:15113,N/A,N/A AVG:14642,878549,21085176 (Min,Hour,Day)
Progress.........: 11979338644
Rejected.........: 0
Restore.Point....: 0
Restore.Sub.#1...: Salt:92026 Amplifier:0-1 Iteration:0-1
Candidates.#1....: removed -> removed
Hardware.Mon.#1..: Temp: 73c Fan: 57% Util: 88% Core:1860MHz Mem:5005MHz Bus:16
Started: Tue Jul 9 09:36:29 2019
Stopped: Tue Jul 9 09:52:54 2019

WPA-EAPOL-PMK took a little bit more time, because I'm running a high nonce error correction!
potfile and outfile are working as expected.
Reply
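The post above describes the shared potfile (PMK:ESSID_HEX:PSK) and outfile (MAC_AP:MAC_STA:ESSID:PSK) and why the PMK is the right key to identify a network. The script below is an added example, not hashcat or hcxtools code: it parses both formats, recomputes PMK = PBKDF2-HMAC-SHA1(PSK, ESSID, 4096, 32) for every potfile line so that a corrupt or foreign line can be spotted before --remove trusts it, and resolves the one real ambiguity in the outfile, an ESSID or PSK that itself contains ':', by picking the split whose PMK is already in the potfile. It also shows why the awk one-liner's `$NF` is not colon-safe. The sample potfile is constructed in-script; the only external value is the 802.11i test vector (passphrase "password", SSID "IEEE") used as a self-check of the derivation.

```python
"""Parse hashcat's shared -m 2500 / -m 16800 potfile and outfile and verify
the entries cryptographically.

Added example, not hashcat or hcxtools code.  Formats as described in the
thread:
  potfile line: PMK:ESSID_HEX:PSK
  outfile line: MAC_AP:MAC_STA:ESSID:PSK
WPA-PSK derives PMK = PBKDF2-HMAC-SHA1(PSK, ESSID, 4096 iterations, 32 bytes),
which is why a PMK identifies an (ESSID, PSK) pair and why a potfile line can
be checked without the capture.  The sample potfile is constructed in-script.
"""
import hashlib


def pmk_from_psk(psk: str, essid: bytes) -> bytes:
    """802.11i PMK derivation for WPA/WPA2-PSK."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode("utf-8"), essid, 4096, 32)


def selfcheck() -> bool:
    """IEEE 802.11i test vector: passphrase 'password', SSID 'IEEE'."""
    want = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return pmk_from_psk("password", b"IEEE").hex() == want


def parse_potfile(text):
    """Yield dicts for PMK:ESSID_HEX:PSK lines.  maxsplit=2 keeps a PSK that
    itself contains ':' intact, which `awk -F: '{print $NF}'` would not."""
    for line in text.splitlines():
        if not line.strip():
            continue
        pmk_hex, essid_hex, psk = line.split(":", 2)
        yield {"pmk": bytes.fromhex(pmk_hex), "essid": bytes.fromhex(essid_hex), "psk": psk}


def verify_potfile(text):
    """Return [(essid_str, psk, pmk_matches), ...]; a False entry is a corrupt
    or foreign line that --remove should not be allowed to act on."""
    out = []
    for e in parse_potfile(text):
        ok = pmk_from_psk(e["psk"], e["essid"]) == e["pmk"]
        out.append((e["essid"].decode("utf-8", "replace"), e["psk"], ok))
    return out


def psk_wordlist(text):
    """Colon-safe equivalent of the awk one-liner in the thread."""
    return [e["psk"] for e in parse_potfile(text)]


def pmk_list(text):
    """Equivalent of `cut -c -64 hashcat.pmk.pot`."""
    return [e["pmk"].hex() for e in parse_potfile(text)]


def parse_outfile_line(line, known_pmks):
    """Split MAC_AP:MAC_STA:ESSID:PSK.  ESSID and PSK may both contain ':',
    so every split point is tried and the one whose PBKDF2 lands on a PMK
    already in the potfile wins.  known_pmks: set of 32-byte PMKs."""
    mac_ap, mac_sta, rest = line.rstrip("\n").split(":", 2)
    parts = rest.split(":")
    candidates = [(":".join(parts[:i]), ":".join(parts[i:])) for i in range(1, len(parts))]
    if len(candidates) == 1:
        essid, psk = candidates[0]
        return mac_ap, mac_sta, essid, psk
    for essid, psk in candidates:
        if pmk_from_psk(psk, essid.encode("utf-8")) in known_pmks:
            return mac_ap, mac_sta, essid, psk
    raise ValueError("ambiguous outfile line, no split matches a known PMK: " + line)


def make_sample_potfile():
    """Constructed sample: two genuine entries (one with ':' in both ESSID and
    PSK) and one tampered entry whose PMK does not belong to its PSK."""
    rows = [(b"Primenet", "correct horse battery"), (b"Cafe:WiFi", "pa:ss:word")]
    lines = [f"{pmk_from_psk(p, e).hex()}:{e.hex()}:{p}" for e, p in rows]
    lines.append(f"{pmk_from_psk('correct horse battery', b'Primenet').hex()}"
                 f":{b'Primenet'.hex()}:wrongpsk")
    return "\n".join(lines) + "\n"


SAMPLE_POTFILE = make_sample_potfile()
SAMPLE_OUTFILE_LINE = "112233445566:aabbccddeeff:Cafe:WiFi:pa:ss:word"   # constructed

if __name__ == "__main__":
    print("test vector ok:", selfcheck())
    for essid, psk, ok in verify_potfile(SAMPLE_POTFILE):
        print(f"{essid!r} {psk!r} {'OK' if ok else 'PMK MISMATCH'}")
    known = {e["pmk"] for e in parse_potfile(SAMPLE_POTFILE)}
    print(parse_outfile_line(SAMPLE_OUTFILE_LINE, known))
```

Because every check is a single PBKDF2 run per line, verifying a whole potfile this way is cheap compared with cracking, and it catches a line that was pasted in from another hashmode's potfile, which is exactly the misuse the post warns against.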
(07-09-2019, 09:08 AM)ZerBea Wrote: hashcat changed the potfile format and the outfile format on 2500 and 16800. Both hashmodes now use the same potfile format and the same outfile format. [...]

Perfect, very clear. Please, can you give me hcxcleanpmkiddb and hcxcleaneapoldb
Thank you
Reply
And another good reason for HEX-ESSID is:
123456789abcdef0123456789abcdef01:112233445566:aabbccddeeff:5072696d656e6574
vs.
123456789abcdef0123456789abcdef01:112233445566:aabbccddeeff:Primenet
if you like to post the hash in a forum.
Reply
(07-09-2019, 05:23 PM)ZerBea Wrote: And another good reason for HEX-ESSID is:
123456789abcdef0123456789abcdef01:112233445566:aabbccddeeff:5072696d656e6574
vs.
123456789abcdef0123456789abcdef01:112233445566:aabbccddeeff:Primenet
if you like to post the hash in a forum.

I'm lost, I do not understand
Reply