hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi ZerBea

You are incredibly productive, I am starting to think you are one of those AI bots who can write forum posts and code awesome programs!

I appreciate you supporting "ancient" formats as it must be time consuming but those of us with no option other than to use older versions of hashcat are very, very grateful.

I thought I would write back now to say thank you for your reply as I will be testing the new hcx(all) features after work.  It takes me longer to learn and test than it does for you to code!

As you will be depreciating wlanhcx2ssid will the following (very useful) options be available in the finished hcxhashtool?

-a : output file by mac_ap's
-s : output file by mac_sta's
-o : output file by vendor's (oui)
-e : output file by essid's

I would love to be able to output all good quality handshakes, converted to hccap's, contained within a given pcapng into separate files named by MAC.

If the option --authorized in the new hcxhashtool means what I think it does then that is GREAT!  I guess it means only output handshakes that are likely to be both crackable and the password is the correct one for the AP.

Just as a side note, I am proud to say hcxtools is the very first program I have ever compiled!

Thanks again for your work.
Reply
This are the available options. If there is need for more, please let me know.
Decided to add filter by MAC CLIENT, too, because hcxdumptool is able to request the original MAC of a CLIENT.

Code:
$ hcxhashtool -h
hcxhashtool 6.0.0 (C) 2020 ZeroBeat
usage:
hcxhashtool <options>

options:
-i <file>   : input PMKID/EAPOL hash file
-o <file>   : output PMKID/EAPOL hash file
-E <file>   : output ESSID list (autohex enabled)
-d          : download http://standards-oui.ieee.org/oui.txt
            : and save to ~/.hcxtools/oui.txt
            : internet connection required
-h          : show this help
-v          : show version

--essid-group                : convert to ESSID groups in working directory
                               full advantage of reuse of PBKDF2
                               not on old hash formats
--oui-group                  : convert to OUI groups in working directory
                               not on old hash formats
--type                       : filter by hash type
                             : default PMKID (1) and EAPOL (2)
--essid-len                  : filter by ESSID length
                             : default ESSID length: 0...32
--essid-min                  : filter by ESSID minimum length
                             : default ESSID minimum length: 0
--essid-max                  : filter by ESSID maximum length
                             : default ESSID maximum length: 32
--essid=<ESSID>              : filter by ESSID
--essid_part=<part of ESSID> : filter by part of ESSID
--mac-ap=<MAC>               : filter by AP MAC
--mac-client=<MAC>           : filter by CLIENT MAC
--oui-ap                     : filter AP by OUI
                             : format: 001122 (hex)
--oui-client                 : filter CLIENT by OUI
                             : format: 001122 (hex)
--vendor=<VENDOR>            : filter by (part of) VENDOR name
--authorized                 : filter EAPOL pairs by status authorized
--notauthorized              : filter EAPOL pairs by status not authorized
--rc                         : filter EAPOL pairs by replaycount status checked
--apless                     : filter EAPOL pairs by status M2 requested from client
--info=<file>                : output detailed information about content of hash file
--info=stdout                : stdout output detailed information about content of hash file
--vendorlist                 : stdout output VENDOR list sorted by OUI
--psk=<PSK>                  : pre-shared key to test
                             : due to PBKDF2 calculation this is a very slow process
                             : no nonce error corrections
--pmk=<PMK>                  : plain master key to test
                             : no nonce error corrections
--hccapx=<file>              : output to deprecated hccapx file
--hccap=<file>               : output to ancient hccap file
--john=<file>                : output to deprecated john file
--help                       : show this help
--version                    : show version
Reply
I really like the -E option,.. autohex was going to be one of my feature requests!

Reading the help I am not sure how I would do the folling for hccap

Filter good quality (crackable) handshakes only
Output individual files for each ESSID or capture
Include all AP_Less captures and test these for quality
Outputs would be user-defined as hccap, hccapx or PMKID etc

All above from a single large pcapng in an automated way

My guess would be something like the following:

hcxhashtool -i myfile.pcapng --type 2 --hccap=(this requires a file but multiple output would need directory)

I am asking rather than testing as I don't have a pcapng with multiple known captures so I can test to see if the outputted hccaps are crackable for me with old hashcat.

Thank you
Reply
No, there will be no "all in one tool". The workflow is:
hcxdumptool -> hcxpcapngtool -> hcxhashtool -> (optional hcxpsktool) -> hashcat

Detection of handshakes and PMKIDs is really complex and I don't want to add additional features to the converter (hcxpcapngtool).

BTW:
The Linux philosophy (an mine, too) is:
Write programs that do one thing and do it well.
Write programs to work together.
Write programs to handle text streams, because that is a universal interface.
https://en.wikipedia.org/wiki/Unix_philosophy
Reply
Oh I see I have to chain them.

So automating the process of outputting everything is possible?

With the oncoming of your new tools v6 I think I will have to wait for the official release and then try to work it out.  I am not a computer expert just a keen hobbyist so this will take me some time.

Your tools are brilliant and I cannot thank you enough for making them available.
Reply
"Oh I see I have to chain them."
Yes!

The new has format (2200x) is plain HEX-ASCII. That means you will get a read able hashline (not binary hccap or hccapx).
Depending on the WiFi related filters of hcxpcapngtool, everything is converted to this hash format. WiFi related filters are filters that do not work on already converted hashes:
- filter by EAPOLTIME
- filter bei replaycount
- filter by information element (IE)
- filter by ESSID changes / damaged ESSIDs
This information is present in a cap/pcap file (and a pcapng contain much more information than a cap/pcap)
You can use Wireshark (convert by hand) or hcxpcapngtool.

After that process, we have a plain HEX ASCII hashfile, you can use hash related filters on:
- filter by ESSID
- filter by VENDOR
- filter by MAC
- filter by ....
You can use a text editor (by hand) or hcxhashtool.
If you get them by hand, you have to use hcxhashtool again to convert them to hccap.

Now we have the hashfile, which is the first file we have to feed to hashcat. For the second file (wordlist), you can use your own wordlist to feed hashcat or run hcxpsktool to generate a wordlist based on the hashfile.

We have tested this since the decision to add this new hashmode:
https://github.com/hashcat/hashcat/issues/1816
and JtR will implement it, too:
https://github.com/magnumripper/JohnTheR...ssues/4183
BTW:
I know this is hashcat forum, but for me it is amazing, that both coder (Atom and Magnum) working together, here!!!!!!!!
...and several other coder, too:
https://github.com/RealEnder/dwpa
https://github.com/kimocoder/wifite2
https://github.com/s77rt/multicapconverter
Reply
Hi ZerBea

I really like the idea of the hashes being exported from hcxpcapngtool as text (.22000).  As you are currently designing the format could I make a request that, assuming I understand autohex to mean write in ASCII unless the output would crash you system if so then use Hex, would it be possible to have autohex on ESSID names written to each text line?

Example:

Netgear123:WPA*01*2f5c05d6ad2070743...etc  or if the AP name is bad then "Hex...:WPA*01*2f5c05d6ad2070743...etc"

When using hcxpcapngtool if a user outputs the entire contents of their .pcapng file to hccap each network is merged into a single .hccap.  This is no use to the user as hccap's have to only contain a single network per hccap.

As it seems possible to make hccapx and hccap files directly from the new text format (.22000) I am not sure why hcxpcapngtool has the --hccap option.  Perhaps the conversion should be left solely to hcxhashtool?  Hopefully this will be easier for you to maintain as only one tool converts to hccap and hccapx.

If the user directly converts the .22000 text output to hccap using hcxhashtool how will the resulting hccap be crackable?  I ask because when converting to hccap using hcxpcapngtool it requires --ignore-ie.


hcxhashtool

Could hcxhashtool please have the features wlanhcx2ssid has but for the text hash and not wifi?  The -a option in wlanhcx2ssid allows the user to recursively and automatically output each network to it's own file named by the AP mac.  As mentioned before the following options in hcxhashtool (copied from wlanhcx2ssid) would be very useful to have in hcxhashtool.

-a : output file by mac_ap's
-s : output file by mac_sta's
-o : output file by vendor's (oui)
-e : output file by essid's

The option --hccap= or --hccapx= would ideally allow the user to select a folder to send the individual conversions to not a specific file as currently is.


To explain what I am trying to say above.

Say my capture file (.pcapng) contains the following:

1 x PMKID of Network1
1 x AP and client handshake Network2
1 x AP-Less capture hcxdumptool to target client Network3

(In reality there could be 30 or 40 valid networks)

I would like to be able to output these in an automated way.

I use:

hcxdumptool to capture
hcxpcapngtool to convert to .22000 (what about the --ignore-ie option if I know I will later be converting the text hash to hccap?)
hcxhashtool to convert .22000 to hccap(x) or hccap

Obviously it would be time consuming for the user to have to manually alter each filter for every valid handshake which is why I ask for the same options available in wlanhcx2ssid to be in hcxhashtool so I can create a folder containing converted versions of the PMKID, AP and client handshake and AP-Less capture to a specified folder.

The result would be a folder containing the following.

Network1.hccap
Network2.hccap
Network3.hccap

Just a side question.

I assume setting --authorized in hcxhashtool will only output more reliable hashes as in more likely to be correct and crackable?

Thank you for reading this far!
Reply
Most of the features you requested are already build in. The rest can be done by bash commands.

Example:
Netgear123:WPA*01*2f5c05d6ad2070743...etc or if the AP name is bad then "Hex...:WPA*01*2f5c05d6ad2070743...etc"
--info=stdout will do it
We do not touch the hash line (-o output), because neither hashcat nor JtR like this)

Don't worry about a "big" hccap file. You can split it into single parts, running split -b
use hcpcapngtool to convert to .22000 hashfile
use hcxhashtool to filter and to write result all to a single hccap
use bashtool split to the "big hccap" into single parts:
$ split -b 392 --additional-suffix=.hccap test.hccap
use bashtool grep -r NETGEAR to find your desired hccap
$ grep -r NETGEAR
Binary file xzrdg.hccap matches
Binary file xzequ.hccap matches
Binary file xzasl.hccap matches
Binary file xzask.hccap matches
Binary file test.hccap matches <- that is the big one

feed old hashcat with desired single hccap
hashcat -m 2500 xzequ.hccap wordlist


--ignore-ie should be used on damaged cap files, or cap files which doesn't provide RSN-IE and/or WPA-IE elements.

"I assume setting --authorized in hcxhashtool will only output more reliable hashes as in more likely to be correct and crackable?"
No, all hashes should be recoverable. --authorized means that the CLIENT from which we take the M2 is allowed to enter the network. --unauthorized means that a CLIENT tries to get access to the network, but is not allowed to enter it.
PSKs you recovered from both kinds of hashes are valid, but only one of them belongs to the network.


Please keep in mind:
hcxtools are designed as analysis tools and not to "crack" a single network. If you would like to use them you should know basics of LINUX, basics of ieee802.11 and basics of radio technology.
Running K*A*L*I and a high power WiFi adapter is far from enough.
Reply
Hi ZerBea

Thank you for explaining how I can sort the output using bash.  It just seems a shame the very useful feature of outputting all networks recursively and auto naming each file, as with wlanhcx2ssid, will not be possible with hcxhashtool.

Thanks for explaining --authorized in hcxhashtool, it is what I was hoping it meant.

Quote:Please keep in mind:

hcxtools are designed as analysis tools and not to "crack" a single network. If you would like to use them you should know basics of LINUX, basics of ieee802.11 and basics of radio technology.

You are of course correct, I have much to learn about all the things you mention.

Thanks again for helping and obviously for hcxtools.
Reply
The major advantage of the new hashline is that you can use bash tools on it, because it isn't any longer binary. Playing around with this bash tools you can do nearly everything (grep, sort, cut, cat, sed, awk, ...). There is no longer need for tools, working on binary hash formats.
Now it is time for a change. Please let hccap/hccapx rest in peace (R.I.P) after release of hashcat v6.0.0.

But anyway, you're right, we are missing some options in hcxhashtool, compared to wlanhcx2ssid. I'm going to add them, step by step. This are the first ones:
--mac-group-ap (old -a)
--mac-group-client (old -s)

BTW:
replacement for this old two options is already implemented:
-o : output file by vendor's (oui) (hcxhashtool : --oui-group)
-e : output file by essid's (hcxhashtool: --essid-group)
Reply