hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Wondering if message pairs are still included, and easy to find/decode, in the new format?
M2M3 or M3M4 are good evidence that the password was correct.
Reply
Quote:But anyway, you're right, we are missing some options in hcxhashtool, compared to wlanhcx2ssid. I'm going to add them, step by step. These are the first ones:
--mac-group-ap (old -a)
--mac-group-client (old -s)


I am extremely grateful!

I am sure many people will appreciate this.

Thank you very much!
Reply
We are still running several tests to get in shape for hashcat's new hashline. That included a complete rewrite (refactoring) from scratch. Nearly everything is new and improved. We are also still missing some old features (e.g. the IPv4 and IPv6 part, including TACACS+, MD5 challenge and netNTLMv1). I also received a feature request to detect device model, serial number and device ID. I'm going to add this, too (hcxpcapngtool).
All features make it necessary to analyze tons of 802.11 frames (including reverse engineering of proprietary parts inside the frames), and that will take a lot of time.
Reply
This is all brilliant news! I can't wait.

I hope there has been a change to hashcat filtering out passwords shorter than 8 characters for WPA, or at least that it has been made optional.

The length test was applied to the password BEFORE the user's rules were applied, which meant many potential passwords were not tested.

Say a user has the password "pass" in their lists; hashcat would just ignore it when testing WPA, even if the user has a rule $1$2$3$4, so "pass1234" would never be tested.

Anyway, thank you for adding the output features to hcxhashtool; all your tools are a wifi enthusiast's dream!
Reply
In that case, just pipe it:
https://en.wikipedia.org/wiki/Pipeline_(Unix)

$ hashcat --stdout -r rule wordlist
passwor1
passwor2
passwor3
passwor4

wordlist:
passwor

rule
$1
$2
$3
$4

complete cmd:
$ hashcat --stdout -r rule wordlist | hashcat -m 22000 test.hash
Reply
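To make the ordering problem from the previous post concrete, here is an added example (my own Python, not hashcat's code and not from this thread) that implements a small subset of hashcat's rule syntax and applies the 8..63 character WPA-PSK length check either before or after the rules. The word list and rule are constructed; `filter_then_rule` models the behaviour complained about, `rule_then_filter` models what the `hashcat --stdout ... | hashcat -m 22000` pipe achieves.

```python
# Added example (not hashcat's code): a small subset of hashcat's rule syntax,
# used to show why a length check applied before the rules loses candidates.
from typing import Iterable, List

WPA_PSK_MIN, WPA_PSK_MAX = 8, 63  # valid WPA-PSK passphrase lengths


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat-style rule to one word.

    Supported commands (subset): $X append X, ^X prepend X, l lowercase,
    u uppercase, c capitalize, r reverse, : no-op.
    """
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd in "$^":
            if i + 1 >= len(rule):
                raise ValueError(f"rule {rule!r}: {cmd} needs a character")
            ch = rule[i + 1]
            word = word + ch if cmd == "$" else ch + word
            i += 2
            continue
        if cmd == "l":
            word = word.lower()
        elif cmd == "u":
            word = word.upper()
        elif cmd == "c":
            word = word[:1].upper() + word[1:].lower()
        elif cmd == "r":
            word = word[::-1]
        elif cmd != ":":
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
        i += 1
    return word


def wpa_length_ok(candidate: str) -> bool:
    return WPA_PSK_MIN <= len(candidate) <= WPA_PSK_MAX


def filter_then_rule(words: Iterable[str], rules: Iterable[str]) -> List[str]:
    """Length check on the base word, before the rules run (the behaviour
    described in the post above): short base words never reach the rules."""
    rules = list(rules)
    out: List[str] = []
    for w in words:
        if not wpa_length_ok(w):
            continue
        out.extend(apply_rule(w, r) for r in rules)
    return out


def rule_then_filter(words: Iterable[str], rules: Iterable[str]) -> List[str]:
    """Rules first, length check on the result: what the
    'hashcat --stdout -r rule wordlist | hashcat -m 22000 ...' pipe gives."""
    rules = list(rules)
    out: List[str] = []
    for w in words:
        for r in rules:
            candidate = apply_rule(w, r)
            if wpa_length_ok(candidate):
                out.append(candidate)
    return out


WORDLIST = ["pass", "password"]   # constructed sample word list
RULES = [":", "$1$2$3$4"]         # identity rule plus the $1$2$3$4 rule from the post

if __name__ == "__main__":
    print("filter, then rules:", filter_then_rule(WORDLIST, RULES))
    print("rules, then filter:", rule_then_filter(WORDLIST, RULES))
```

With these inputs the first ordering never produces "pass1234" because "pass" is rejected before any rule touches it; the second ordering does.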
It should also work by just adding -S to the command line.
Reply
Recently added a USB GPS receiver to my Raspberry Pi to get the locations of the access points.
Used
hcxdumptool -i wlan1mon -o real.pcapng --enable_status=1 --use_gpsd
to capture, and the following line to get the results:

hcxpcaptool  -E opt_E  -T opt_T  -g opt_g --nmea=opt_nmea -o opt_o -z opt_z.16800  real.pcapng
The issue I have is that it says "3017 track points written" to the -g output file, but when I open it, there is no track.

What am I doing wrong? I have checked the gps receiver is working.

Code:
root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~# hcxpcaptool  -E opt_E  -T opt_T  -g opt_g --nmea=opt_nmea -o opt_o -z opt_z.16800  real.pcapng

reading from real.pcapng

summary capture file:
---------------------
file name........................: real.pcapng
file type........................: pcapng 1.0
file hardware information........: aarch64
capture device vendor information: 00c0ca
file os information..............: Linux 4.19.66-Re4son-v8+
file application information.....: hcxdumptool 6.0.1 (custom options)
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
minimum time stamp...............: 12.01.2020 16:55:44 (GMT)
maximum time stamp...............: 12.01.2020 17:19:57 (GMT)
packets inside...................: 10200
skipped damaged packets..........: 0
packets with GPS data............: 3017
packets with FCS.................: 0
beacons (total)..................: 878
beacons (WPS info inside)........: 248
beacons (device info inside).....: 3
probe requests...................: 229
probe responses..................: 714
association requests.............: 53
association responses............: 471
reassociation requests...........: 29
reassociation responses..........: 36
authentications (OPEN SYSTEM)....: 570
authentications (BROADCOM).......: 199
authentications (APPLE)..........: 4
authentications (NETGEAR)........: 1
EAPOL packets (total)............: 7220
EAPOL packets (WPA1).............: 7
EAPOL packets (WPA2).............: 7213
PMKIDs (zeroed and useless)......: 1408
PMKIDs (not zeroed - total)......: 176
PMKIDs (WPA2)....................: 4190
PMKIDs from access points........: 175
PMKIDs from stations.............: 1
best handshakes (total)..........: 49 (ap-less: 21)
best PMKIDs (total)..............: 176

summary output file(s):
-----------------------
176 PMKID(s) written to opt_z.16800
45 handshake(s) written to opt_o
message pair M12E2...............: 28
message pair M32E2...............: 16
message pair M34E4...............: 1
3017 track points written to opt_g


Code:
<?xml version="1.0"?>
<gpx version="1.0" creator="hcxpcaptool"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.topografix.com/GPX/1/0"
xsi:schemaLocation="http://www.topografix.com/GPX/1/0 http://www.topografix.com/GPX/1/0/gpx.xsd">
<name>opt_g</name>
<trk>
  <name>real.pcapng</name>
  <trkseg>
  </trkseg>
</trk>
</gpx>
Reply
That depends on the version of the tools:

hcxdumptool >= v6 requires hcxpcapngtool --nmea or hcxpcaptool --nmea to convert the NMEA sentences. I dropped that XML conversion (and gpsd), because GPSBabel can do this much better.

hcxpcaptool -g uses the old format from old hcxdumptool
hcxpcaptool --nmea=<file> uses the new format from latest hcxdumptool
format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL

hcxpcapngtool --nmea=<file> uses the new format from latest hcxdumptool
output GPS data in NMEA format
format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL

BTW:
I pushed a fix for (old) hcxpcaptool. Now we have two internal counters: one for the old GPSD JSON format and one for NMEA sentences.

The JSON format produces too much overhead, and that is the reason for me to drop it.
If you run
case 1:
$ hcxdumptool --use_gps_device=your_device
NMEA sentences should be written directly to the pcapng file (custom comment field);
additionally you can use --nmea=your_nmea_file to save them separately to a file (on the fly)

case 2:
To retrieve the NMEA data from the pcapng file (case 2), run:
$ hcxpcapngtool --nmea=converted_nmea_sentences_from_pcapng_file

Then use GPSbabel to convert them for use with Viking (case 2):
$ gpsbabel -i converted_nmea_sentences_from_pcapng_file -f hcxdumptool.nmea -o gpx -F file.gpx
or (case 1)
$ gpsbabel -i your_nmea_file -f hcxdumptool.nmea -o gpx -F file.gpx

gpsbabel offers hundreds of options to convert the NMEA sentences to whatever you want; see gpsbabel -h
A GUI is available, too:
https://www.gpsbabel.org/screenshots.html
Reply
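As an added illustration of what the NMEA-to-GPX step above involves (my own Python, not hcxtools' or GPSBabel's code, and no replacement for gpsbabel), the following validates NMEA 0183 sentence checksums, decodes $GPGGA and $GPRMC fixes into decimal degrees, skips sentences without a fix, and writes the result as a GPX 1.0 track of the same shape as the empty one posted above. The sentences in `SAMPLE_NMEA` are constructed sample data; $GPWPL waypoints are ignored here.

```python
# Added example (not hcxtools' or GPSBabel's code): validate NMEA 0183
# sentences of the kind hcxdumptool --nmea writes and turn the fixes into a
# GPX 1.0 track. The sentences below are constructed sample data.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class TrackPoint:
    lat: float
    lon: float
    ele: Optional[float] = None   # metres, from $GPGGA
    time: Optional[str] = None    # ISO 8601, from $GPRMC (it carries the date)


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two upper-case hex digits."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"{cs:02X}"


def make_sentence(body: str) -> str:
    """Frame a body with '$' and its checksum (used here to build sample data)."""
    return f"${body}*{nmea_checksum(body)}"


def check_sentence(line: str) -> Optional[str]:
    """Body of a well-framed sentence with a valid checksum, else None. A bad
    checksum means corrupted bytes, so the fix is dropped rather than plotted."""
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        return None
    body, _, cs = line[1:].partition("*")
    if len(cs) != 2 or nmea_checksum(body) != cs.upper():
        return None
    return body


def to_degrees(value: str, hemisphere: str) -> float:
    """NMEA ddmm.mmmm (lat) / dddmm.mmmm (lon) plus N/S/E/W -> signed degrees."""
    dot = value.index(".")
    dec = int(value[:dot - 2]) + float(value[dot - 2:]) / 60.0
    return -dec if hemisphere in ("S", "W") else dec


def parse_sentence(body: str) -> Optional[TrackPoint]:
    f = body.split(",")
    kind = f[0][-3:]                       # GPGGA/GNGGA -> GGA, GPRMC/GNRMC -> RMC
    if kind == "GGA" and len(f) >= 10:
        if f[6] == "0" or not f[2]:        # fix quality 0 = no fix yet
            return None
        ele = float(f[9]) if f[9] else None
        return TrackPoint(to_degrees(f[2], f[3]), to_degrees(f[4], f[5]), ele)
    if kind == "RMC" and len(f) >= 10:
        if f[2] != "A" or not f[3]:        # status V = receiver warning, no valid fix
            return None
        t, d = f[1][:6], f[9]              # hhmmss and ddmmyy
        iso = f"20{d[4:6]}-{d[2:4]}-{d[0:2]}T{t[0:2]}:{t[2:4]}:{t[4:6]}Z"
        return TrackPoint(to_degrees(f[3], f[4]), to_degrees(f[5], f[6]), None, iso)
    return None                            # $GPWPL and others are not track points


def parse_track(lines: Iterable[str]) -> List[TrackPoint]:
    points: List[TrackPoint] = []
    for line in lines:
        body = check_sentence(line)
        pt = parse_sentence(body) if body is not None else None
        if pt is not None:
            points.append(pt)
    return points


def nmea_to_gpx(lines: Iterable[str], name: str) -> str:
    """Serialise the valid fixes as one <trk>/<trkseg> in GPX 1.0 layout."""
    gpx = ET.Element("gpx", {"version": "1.0", "creator": "nmea_to_gpx example",
                             "xmlns": "http://www.topografix.com/GPX/1/0"})
    trk = ET.SubElement(gpx, "trk")
    ET.SubElement(trk, "name").text = name
    seg = ET.SubElement(trk, "trkseg")
    for p in parse_track(lines):
        pt = ET.SubElement(seg, "trkpt", {"lat": f"{p.lat:.6f}", "lon": f"{p.lon:.6f}"})
        if p.ele is not None:
            ET.SubElement(pt, "ele").text = f"{p.ele:.1f}"
        if p.time is not None:
            ET.SubElement(pt, "time").text = p.time
    return '<?xml version="1.0"?>\n' + ET.tostring(gpx, encoding="unicode")


# Constructed sample: two good fixes, one sentence without a fix, and one whose
# body was altered after the checksum was computed (must be rejected).
SAMPLE_NMEA = [
    make_sentence("GPGGA,165544.000,4916.4500,N,12311.1200,W,1,08,0.9,545.4,M,46.9,M,,"),
    make_sentence("GPRMC,165545.000,A,4916.4600,N,12311.1300,W,0.5,54.7,120120,,,A"),
    make_sentence("GPGGA,165546.000,,,,,0,00,,,M,,M,,"),
    make_sentence("GPGGA,165547.000,4916.4700,N,12311.1400,W,1,08,0.9,545.4,M,46.9,M,,")
    .replace("4916.4700", "4916.4701"),
]

if __name__ == "__main__":
    print(nmea_to_gpx(SAMPLE_NMEA, "real.pcapng"))
```

Run it and the <trkseg> is filled with the two valid fixes only; a file that counts "track points" but checks neither checksum nor fix status would report four.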
(01-12-2020, 12:43 AM)Mem5 Wrote: Wondering if message pairs are still included, and easy to find/decode, in the new format?
M2M3 or M3M4 are good evidence that the password was correct.

For sure. Last 2 characters in the hashline (MP):
https://github.com/ZerBea/hcxtools/blob/...ool.c#L710
Code:
WPA*TYPE*PMKID-OR-MIC*MAC_AP*MAC_STA*ESSID_HEX*ANONCE*EAPOL*MP
and you can run bash tools to find them:

$ cat test.22000 | grep "\*02$"
will give you all M2M3E2 for example.

The new hashline in combination with the new potfile and outfile format will make life much easier.


Let's take the 2500 and the 16800 example hashes from here:
https://hashcat.net/wiki/doku.php?id=example_hashes
To demonstrate hashcat's latest improvements, convert (hcxmactool) them to the new hash format 22000 WPA-PBKDF2-PMKID+EAPOL
Code:
WPA*01*2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a***
WPA*02*dd380bd54bc9c316dce31562c22c87d1*aef50f22801c*987bdcf9f950*38333831353333343036303033383037363835383831353233*1e33f3eca3a1f2216a52b60c87191e7473ac54ecb023ac5989becf1e3c7e4509*01030077fe010900200000000000000001faf192b205d47b81f43f91f850c81976da019e00722f3958370692ab0562f70b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*00

verify the hashline (is the conversion ok?):
Code:
$ hcxhashtool -i test.22000 --psk='hashcat!'
5b13d4babb3714ccc62c9f71864bc984efd6a55f237c7a87fc2151e1ca658a9d*ed487162465a774bfba60eb603a39f3a:hashcat!
27728647ac66c5edea4d448fd2c1da57cf02e6347b1465a0d43142c6bd6e37b6*38333831353333343036303033383037363835383831353233:hashcat!
Looking good so far: the PSK is confirmed on both hashes. This output is the result of the PBKDF2 calculation and similar to hashcat's new potfile format: PMK * ESSID_HEX : PSK

and try to recover the PSKs, running hashcat:
Code:
$ hashcat -m 22000 test.22000 wordlist
hashcat (v5.1.0-1573-g7471ecee+) starting...

4604ba734d4e:89acf0e761f4:$HEX[ed487162465a774bfba60eb603a39f3a]:hashcat!
aef50f22801c:987bdcf9f950:8381533406003807685881523:hashcat!

Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: test.22000
Time.Started.....: Sun Jan 12 21:02:09 2020 (0 secs)
Time.Estimated...: Sun Jan 12 21:02:09 2020 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      24 H/s (0.25ms) @ Accel:16 Loops:32 Thr:1024 Vec:1
Recovered........: 2/2 (100.00%) Digests, 2/2 (100.00%) Salts
Progress.........: 2/2 (100.00%)
Rejected.........: 0/2 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 34c Util: 82% Core:1176MHz Mem: 900MHz Bus:4
Started: Sun Jan 12 21:01:54 2020
Stopped: Sun Jan 12 21:02:11 2020
Both are recovered by hashcat, as expected. The output format is hashcat's new format: MAC_AP : MAC_STA : ESSID_ASCII (hexyfied only if necessary) : PSK

BTW:
Please do not wonder about the low speed. I'm running a very, very, very small wordlist (only a single word). We do not need big word lists if we know what we are doing.

Additionally, hcxhashtool will show detailed information about the hashes:
Code:
$ hcxhashtool -i test.22000 --info=stdout
SSID.......: �HqbFZwK�����:
MAC_AP.....: 4604ba734d4e (unknown)
MAC_CLIENT.: 89acf0e761f4 (unknown)
PMKID......: 2582a8281bf9d4308d6f5731d0e61c61
HASHLINE...: WPA*01*2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a***

SSID.......: 8381533406003807685881523
MAC_AP.....: aef50f22801c (unknown)
MAC_CLIENT.: 987bdcf9f950 (unknown)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA1
MP M1M2 E2.: not authorized
REPLAYCOUNT: 1
RC INFO....: replycount checked
MIC........: dd380bd54bc9c316dce31562c22c87d1
HASHLINE...: WPA*02*dd380bd54bc9c316dce31562c22c87d1*aef50f22801c*987bdcf9f950*38333831353333343036303033383037363835383831353233*1e33f3eca3a1f2216a52b60c87191e7473ac54ecb023ac5989becf1e3c7e4509*01030077fe010900200000000000000001faf192b205d47b81f43f91f850c81976da019e00722f3958370692ab0562f70b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*00



OUI information file...: /home/zerobeat/.hcxtools/oui.txt
OUI entires............: 27383
total lines read.......: 2
valid hash lines.......: 2
PMKID hash lines.......: 1
EAPOL hash lines.......: 1
PMKID written..........: 1
EAPOL written..........: 1
Reply
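As an added example (my own Python, not hcxtools' or hashcat's code), the following parses the hash-line layout quoted in the post above, decodes the MP byte instead of grepping for it, and re-does the PSK check that hcxhashtool --psk performed there: PBKDF2-HMAC-SHA1 to the PMK, then either the PMKID (HMAC-SHA1 over "PMK Name", MAC_AP and MAC_STA) or the EAPOL MIC (KCK from the PTK PRF; HMAC-MD5 for key descriptor version 1, HMAC-SHA1 for version 2). The two hash lines are the ones shown in the post (hashcat's example hashes, PSK "hashcat!"); the message-pair names for bits 0-2 and the bit-3 meaning follow hashcat's hccapx documentation, and `essid_display` is only an approximation of hashcat's $HEX[] outfile rule.

```python
# Added example, not code from hcxtools or hashcat: parse hashcat 22000
# "WPA*TYPE*PMKID-OR-MIC*MAC_AP*MAC_STA*ESSID_HEX*ANONCE*EAPOL*MP" lines,
# decode the message-pair byte and verify a candidate PSK against them.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, List

# Low three bits of MP, as documented for hashcat's hccapx/22000 formats.
MESSAGE_PAIRS = {
    0: "M1M2 (EAPOL from M2, challenge only)",
    1: "M1M4 (EAPOL from M4, authorized)",
    2: "M2M3 (EAPOL from M2, authorized)",
    3: "M2M3 (EAPOL from M3, authorized)",
    4: "M3M4 (EAPOL from M3, authorized)",
    5: "M3M4 (EAPOL from M4, authorized)",
}


@dataclass
class HashLine:
    htype: str            # "01" = PMKID, "02" = EAPOL
    pmkid_or_mic: bytes
    mac_ap: bytes
    mac_sta: bytes
    essid: bytes
    anonce: bytes         # empty on PMKID lines
    eapol: bytes          # EAPOL-Key frame with MIC zeroed; empty on PMKID lines
    mp: int               # -1 on PMKID lines


def parse_hashline(line: str) -> HashLine:
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError(f"not a 22000 hash line: {line[:40]!r}")
    return HashLine(f[1], *(bytes.fromhex(x) for x in f[2:8]), int(f[8], 16) if f[8] else -1)


def describe_mp(h: HashLine) -> str:
    """Human-readable form of the MP field (bits 0-2 pair, bit 3 replay-counter flag)."""
    if h.mp < 0:
        return "n/a (PMKID line)"
    pair = MESSAGE_PAIRS.get(h.mp & 0x07, "unknown")
    rc = "replay counter not verified" if h.mp & 0x08 else "replay counter checked"
    return f"{pair}; {rc}"


def select_pair(lines: Iterable[str], pair: int) -> List[str]:
    """EAPOL hash lines whose message pair (low 3 bits of MP) equals `pair`;
    the grep for '*02$' in the post is the shell version of this for M2M3E2."""
    out: List[str] = []
    for line in lines:
        h = parse_hashline(line)
        if h.htype == "02" and (h.mp & 0x07) == pair:
            out.append(line)
    return out


def essid_display(essid: bytes) -> str:
    """Roughly hashcat's outfile rule: plain ASCII if printable, else $HEX[...]."""
    if all(0x20 <= b < 0x7F for b in essid):
        return essid.decode("ascii")
    return f"$HEX[{essid.hex()}]"


def pmk_from_psk(psk: str, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(PSK, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)


def pmkid_of(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def kck_of(pmk: bytes, mac_ap: bytes, mac_sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """KCK = first 16 bytes of PTK = PRF(PMK, "Pairwise key expansion",
    min(MACs)||max(MACs)||min(nonces)||max(nonces)); only PRF block 0 is needed."""
    data = min(mac_ap, mac_sta) + max(mac_ap, mac_sta) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00", hashlib.sha1).digest()[:16]


def verify_psk(h: HashLine, psk: str) -> bool:
    pmk = pmk_from_psk(psk, h.essid)
    if h.htype == "01":
        return hmac.compare_digest(pmkid_of(pmk, h.mac_ap, h.mac_sta), h.pmkid_or_mic)
    # EAPOL-Key layout: ver(1) type(1) len(2) desc(1) key_info(2) key_len(2) replay(8) nonce(32) ...
    key_version = int.from_bytes(h.eapol[5:7], "big") & 0x07
    snonce = h.eapol[17:49]
    kck = kck_of(pmk, h.mac_ap, h.mac_sta, h.anonce, snonce)
    if key_version == 1:                         # WPA1/TKIP: HMAC-MD5
        mic = hmac.new(kck, h.eapol, hashlib.md5).digest()
    elif key_version == 2:                       # WPA2/CCMP: HMAC-SHA1 truncated
        mic = hmac.new(kck, h.eapol, hashlib.sha1).digest()[:16]
    else:
        raise ValueError(f"key descriptor version {key_version} (AES-CMAC) not handled here")
    return hmac.compare_digest(mic, h.pmkid_or_mic)


# The two hash lines from the post above (hashcat's example hashes, PSK "hashcat!").
PMKID_LINE = "WPA*01*2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a***"
EAPOL_LINE = "WPA*02*dd380bd54bc9c316dce31562c22c87d1*aef50f22801c*987bdcf9f950*38333831353333343036303033383037363835383831353233*1e33f3eca3a1f2216a52b60c87191e7473ac54ecb023ac5989becf1e3c7e4509*01030077fe010900200000000000000001faf192b205d47b81f43f91f850c81976da019e00722f3958370692ab0562f70b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*00"

if __name__ == "__main__":
    for line in (PMKID_LINE, EAPOL_LINE):
        h = parse_hashline(line)
        print(h.mac_ap.hex(), h.mac_sta.hex(), essid_display(h.essid),
              describe_mp(h), verify_psk(h, "hashcat!"))
```

The PMKs this computes for "hashcat!" match the two values hcxhashtool printed above, which is why the PMKID and the MIC both verify; the first ESSID comes out as $HEX[...] because it contains non-printable bytes, exactly as in hashcat's outfile line.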
Hello ZerBea,
I am having problems with hcxdumptool. Using GPS and making a tour, 5 minutes after the trip, hcxdumptool freezes. It doesn't work anymore. It hangs. What can happen?
The latest hcxdumptool.
Sorry for my English.
Reply