hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi ZerBea,

Do you have a suggested way to extract WPS model number and WPS model name from the pcapng output? I did not see a way with hcxpcaptool or hcxpcapngtool.  Maybe something like --filter-wps-model-number=NVG589


Attached Files
.png   Wireshark.png (Size: 159.01 KB / Downloads: 2)
Reply
I'm working on this feature
https://github.com/ZerBea/hcxtools/blob/...ol.c#L1664
but it has very low priority, because tshark and/or Wireshark can do it much better:
$ tshark -r test.pcapng.cap -T fields -e wps.device_name -e wps.serial_number
or (inclusive transmitter address and ESSID):
$ tshark -r test.pcapng.cap -T fields -e wlan.ta -e wlan.ssid -e wps.device_name -e wps.serial_number

reference is here:
https://www.wireshark.org/docs/dfref/w/wps.html
full reference is here:
https://www.wireshark.org/docs/dfref/

From several analyses I noticed that many VENDORs don't use these fields or fill them with garbage. So don't expect "amazing results":
Running the above cmd we will receive:
"XYZ AP 12345678"
Totally useless!

BTW:
Highest priority, as of today:
AKM (Authentication and Key Management) and EAP (Extensible Authentication Protocol)!
Reply
tshark will work thank you
Reply
If you get more information on how many VENDORs are still using these fields, please keep us in the loop here.

BTW:
tshark is a powerful tool to perform several kinds of analysis and to receive the results directly on the command line. Via simple bash scripts, you can evaluate the results of tshark and hcxdumptool/hcxtools in an easy way. Wireshark's default capture format is pcapng, too. So the tools are nearly 100% compatible with each other.
Only one exception:
tshark/Wireshark can't handle foreign binary custom option fields well.

These are the hcxdumptool option codes used to "communicate" with hcxpcapngtool or multicapconverter (conversion tool):
Code:
pcapng option codes (Custom Block and/or Section Header Block) used by hcxdumptool:
ENTERPRISE NUMBER        0x2a, 0xce, 0x46, 0xa1
MAGIC NUMBER             0x2a, 0xce, 0x46, 0xa1, 0x79, 0xa0, 0x72, 0x33,
                         0x83, 0x37, 0x27, 0xab, 0x59, 0x33, 0xb3, 0x62,
                         0x45, 0x37, 0x11, 0x47, 0xa7, 0xcf, 0x32, 0x7f,
                         0x8d, 0x69, 0x80, 0xc0, 0x89, 0x5e, 0x5e, 0x98
OPTIONCODE_MACMYORIG     0xf29a (6 byte)
OPTIONCODE_MACMYAP       0xf29b (6 byte)
OPTIONCODE_RC            0xf29c (8 byte)
OPTIONCODE_ANONCE        0xf29d (32 byte)
OPTIONCODE_MACMYSTA      0xf29e (6 byte)
OPTIONCODE_SNONCE        0xf29f (32 byte)
OPTIONCODE_WEAKCANDIDATE 0xf2a0 (64 byte) == 63 characters + zero
OPTIONCODE_GPS           0xf2a1 (max 128 byte)

These are the hcxpcapngtool message pair codes used to "communicate" with hashcat:
Code:
Bitmask message pair field used by hcxpcapngtool:
0: MP info (https://hashcat.net/wiki/doku.php?id=hccapx#message_pair_table)
1: MP info (https://hashcat.net/wiki/doku.php?id=hccapx#message_pair_table)
2: MP info (https://hashcat.net/wiki/doku.php?id=hccapx#message_pair_table)
3: x unused
4: ap-less attack (set to 1) - no nonce-error-corrections necessary
5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary
6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary
Reply
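Added example (my own code, not part of hcxtools or hashcat): a small decoder for the message pair byte from the bitmask table above, applied to the last field of a hashcat 22000 line. The 22000 line layout (WPA*02*MIC*MAC_AP*MAC_STA*ESSID*ANONCE*EAPOL*MESSAGEPAIR) and the MP info meanings 0..5 are hashcat's documented ones; the sample line is constructed, not a real capture.

```python
# Added example (not hcxtools project code): decode the message pair byte that
# hcxpcapngtool writes as the last field of a WPA*02 hash line. Bit meanings are
# the ones listed in the post above; the MP info table 0..5 is hashcat's hccapx
# message pair table (wiki link above). SAMPLE_LINE is constructed.

MP_INFO = {
    0: "M1+M2, EAPOL from M2 (challenge)",
    1: "M1+M4, EAPOL from M4 (authorized)",
    2: "M2+M3, EAPOL from M2 (authorized)",
    3: "M2+M3, EAPOL from M3 (authorized)",
    4: "M3+M4, EAPOL from M3 (authorized)",
    5: "M3+M4, EAPOL from M4 (authorized)",
}

# bits 4..7 as documented above; bit 3 is unused
FLAG_APLESS = 0x10
FLAG_LE_ROUTER = 0x20
FLAG_BE_ROUTER = 0x40
FLAG_NO_REPLAYCOUNT = 0x80


def decode_message_pair(mp: int) -> dict:
    """Split one message pair byte into its MP info value and flag bits."""
    if not 0 <= mp <= 0xFF:
        raise ValueError("message pair field is a single byte")
    info = mp & 0x07
    return {
        "mp_info": info,
        "mp_description": MP_INFO.get(info, "reserved"),
        "unused_bit3_set": bool(mp & 0x08),  # should never be set
        "apless": bool(mp & FLAG_APLESS),
        "le_router": bool(mp & FLAG_LE_ROUTER),
        "be_router": bool(mp & FLAG_BE_ROUTER),
        "replaycount_not_checked": bool(mp & FLAG_NO_REPLAYCOUNT),
    }


def nonce_correction_advice(d: dict) -> str:
    """Summarize what the flags say about nonce-error-correction needs."""
    if d["apless"]:
        return "ap-less: no nonce error correction needed"
    if d["replaycount_not_checked"]:
        return "replay counter not checked: nonce error correction definitely needed"
    if d["le_router"] and not d["be_router"]:
        return "LE router: nonce error correction for little-endian only"
    if d["be_router"] and not d["le_router"]:
        return "BE router: nonce error correction for big-endian only"
    return "no endianness hint: default nonce error correction"


def decode_hashline(line: str) -> dict:
    """Parse a hashcat 22000 line (WPA*02*MIC*MAC_AP*MAC_STA*ESSID*ANONCE*EAPOL*MP)."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not a WPA*xx hash line")
    if fields[1] != "02":
        raise ValueError("only WPA*02 (EAPOL) lines carry a message pair field")
    d = decode_message_pair(int(fields[8], 16))
    d["mac_ap"] = fields[3]
    d["essid"] = bytes.fromhex(fields[5]).decode("utf-8", errors="replace")
    d["advice"] = nonce_correction_advice(d)
    return d


# Constructed sample: ESSID "hashcat", message pair 0x12 = MP info 2 + ap-less flag.
SAMPLE_LINE = (
    "WPA*02*" + "00" * 16 + "*001122334455*66778899aabb*" + b"hashcat".hex()
    + "*" + "aa" * 32 + "*0103005f*12"
)

if __name__ == "__main__":
    for k, v in decode_hashline(SAMPLE_LINE).items():
        print(f"{k}: {v}")
```

Run it against a real 22000 file with a loop over the lines (skipping WPA*01 PMKID lines, which carry no message pair) and you get, per handshake, whether hashcat needs nonce error correction at all and for which endianness.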
Hello ZerBea, how to convert potfile 16800 and hccapx to 22000 mode.
Thank you
Reply
Hi strike1953.
This is another amazing feature of the new hashline: you can use simple bash commands to work on it.

e.g. the awk way:
Code:
$ cat test.16800 | awk 'BEGIN { FS = ":" } ; { print "WPA*01*"$1"***"}' > new.22000
Reply
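Added example (my own code, not ZerBea's or hashcat's): the same 16800 to 22000 conversion as the awk one-liner above, plus the hccapx half of the question, done in Python with field validation. The 16800 layout PMKID*MAC_AP*MAC_STA*ESSID_hex, the 393-byte hccapx struct and the 22000 line layout are hashcat's documented formats; the sample inputs are constructed.

```python
# Added example (not hcxtools project code): convert old 16800 (PMKID) hash lines
# and hccapx records into the 22000 hash line format. Layouts are hashcat's
# documented ones; sample inputs below are constructed, not real captures.
import struct

# hccapx record (393 bytes, little-endian): signature, version, message_pair,
# essid_len, essid[32], keyver, keymic[16], mac_ap[6], nonce_ap[32],
# mac_sta[6], nonce_sta[32], eapol_len, eapol[256]
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")


def pmkid_16800_to_22000(line: str) -> str:
    """PMKID*MAC_AP*MAC_STA*ESSID  ->  WPA*01*PMKID*MAC_AP*MAC_STA*ESSID***"""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}")
    pmkid, mac_ap, mac_sta, essid = fields
    if len(pmkid) != 32 or len(mac_ap) != 12 or len(mac_sta) != 12:
        raise ValueError("PMKID must be 16 bytes and MACs 6 bytes of hex")
    for f in fields:
        bytes.fromhex(f)  # raises ValueError on non-hex input
    return f"WPA*01*{pmkid}*{mac_ap}*{mac_sta}*{essid}***"


def hccapx_to_22000(blob: bytes) -> list:
    """Unpack every hccapx record in blob and emit one WPA*02 line per record."""
    if len(blob) % HCCAPX.size:
        raise ValueError("hccapx data is not a multiple of 393 bytes")
    lines = []
    for (sig, _ver, mp, essid_len, essid, _keyver, mic, mac_ap, nonce_ap,
         mac_sta, _nonce_sta, eapol_len, eapol) in HCCAPX.iter_unpack(blob):
        if sig != b"HCPX":
            raise ValueError("bad hccapx signature")
        if essid_len > 32 or eapol_len > 256:
            raise ValueError("length field exceeds its buffer")
        lines.append("WPA*02*%s*%s*%s*%s*%s*%s*%02x" % (
            mic.hex(), mac_ap.hex(), mac_sta.hex(), essid[:essid_len].hex(),
            nonce_ap.hex(), eapol[:eapol_len].hex(), mp))
    return lines


def build_sample_hccapx() -> bytes:
    """Constructed hccapx record: ESSID 'hashcat', message pair 2, 4-byte EAPOL stub."""
    return HCCAPX.pack(b"HCPX", 4, 2, 7, b"hashcat", 2, bytes(range(16)),
                       bytes.fromhex("001122334455"), b"\xaa" * 32,
                       bytes.fromhex("66778899aabb"), b"\xbb" * 32,
                       4, b"\x01\x03\x00\x5f")


# Constructed 16800 line: PMKID*MAC_AP*MAC_STA*ESSID_hex
SAMPLE_16800 = "ab" * 16 + "*001122334455*66778899aabb*" + b"hashcat".hex()

if __name__ == "__main__":
    print(pmkid_16800_to_22000(SAMPLE_16800))
    for hashline in hccapx_to_22000(build_sample_hccapx()):
        print(hashline)
```

The keyver byte of the hccapx record is deliberately dropped: a 22000 line does not carry it, hashcat reads the key descriptor version from the EAPOL key info field instead.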
That is another amazing feature.
$ hcxpcapngtool -o test.22000 -E wordlist test.pcap
$ hashcat -m 22000 test.22000 wordlist

hcxdumptool attack vector against weak client, converted to pcap by tshark, so that you can test it running other tools, too:


.zip   test.pcap.zip (Size: 1.41 KB / Downloads: 6)

What do you think?
How much time will hashcat take to recover the PSK?
How much time will hashcat take to recover the PSK without a little help of hcxdumptool/hcxtools?

Can you imagine what you are missing...
- if you don't capture these frames
- if you don't save these frames
- if you ignore these frames
- if you filter these frames out
- if you remove these frames from your cap file

BTW:
This is a test network: hashcat and a test PSK.
Reply
(02-06-2020, 01:44 PM)ZerBea Wrote: Hi strike1953.
This is another amazing feature of the new hashline: you can use simple bash commands to work on it.

e.g. the awk way:
Code:
$ cat test.16800 | awk 'BEGIN { FS = ":" } ; { print "WPA*01*"$1"***"}'

Oh sorry, my knowledge is huge. Sorry, my question is oriented to how to convert my old potfile (16800 mode) to the new 22000 mode.
Something like hcxhashcattool
Reply
Ok, my fault. Didn't notice that you mean the potfile.
That depends on your hashcat version. The new potfile format is the result of PBKDF2:
Code:
PMK*ESSID(in HEX)*PSK
So you have to recalculate your old values by PBKDF2 and store this result as the new potfile. It can be done by simple perl/python scripts.
Or you can use wlangenpmk/wlangenpmkocl, hcxpmkidtool. That requires a little bit of bash scripting to convert the results to the final potfile format.
Reply
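Added example (my own script, not hcxtools or hashcat code) of the "simple python script" route: recalculate the PMK with PBKDF2 and write PMK*ESSID(in HEX)*PSK. The derivation is the IEEE 802.11i one (PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes, SSID as salt). The old potfile layout PMKID*MAC_AP*MAC_STA*ESSID_hex:psk is my assumption of what hashcat wrote for 16800, and the sample line is constructed.

```python
# Added example (not hcxtools project code): rebuild a 22000-style potfile line
# PMK*ESSID(hex)*PSK from an old 16800 potfile line. Assumed old layout:
# PMKID*MAC_AP*MAC_STA*ESSID_hex:psk (one line per recovered hash).
import hashlib


def wpa_pmk(psk: str, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes) per IEEE 802.11i."""
    if not 8 <= len(psk) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not 0 < len(essid) <= 32:
        raise ValueError("ESSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", psk.encode("utf-8"), essid, 4096, 32)


def potline_22000(psk: str, essid: bytes) -> str:
    """Format one line in the new potfile layout PMK*ESSID(hex)*PSK."""
    return f"{wpa_pmk(psk, essid).hex()}*{essid.hex()}*{psk}"


def convert_16800_potline(old: str) -> str:
    """Old line 'PMKID*MAC_AP*MAC_STA*ESSID_hex:psk' -> new 'PMK*ESSID_hex*psk'."""
    # the hash part contains no ':', so split at the first one; the PSK may contain more
    hash_part, sep, psk = old.rstrip("\r\n").partition(":")
    if not sep:
        raise ValueError("no ':' separator between hash and plain")
    fields = hash_part.split("*")
    if len(fields) != 4:
        raise ValueError("expected PMKID*MAC_AP*MAC_STA*ESSID before ':'")
    return potline_22000(psk, bytes.fromhex(fields[3]))


def convert_potfile(old_lines) -> list:
    """Convert an iterable of old lines, skipping blank ones; returns the new lines."""
    return [convert_16800_potline(line) for line in old_lines if line.strip()]


# Constructed sample: ESSID "IEEE", PSK "password" (the 802.11i test vector pair)
SAMPLE_OLD = "00" * 16 + "*001122334455*66778899aabb*" + b"IEEE".hex() + ":password"

if __name__ == "__main__":
    for new_line in convert_potfile([SAMPLE_OLD]):
        print(new_line)
```

Usage on a real file is `convert_potfile(open("hashcat.potfile"))` with the result written to the new potfile; because each line is recomputed independently, a bad line raises and tells you which part of the old format did not match the assumed layout.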
(02-06-2020, 02:56 PM)ZerBea Wrote: Ok, my fault. Didn't notice that you mean the potfile.
That depends on your hashcat version. The new potfile format is the result of PBKDF2:
Code:
PMK*ESSID(in HEX)*PSK
So you have to recalculate your old values by PBKDF2 and store this result as the new potfile. It can be done by simple perl/python scripts.
Or you can use wlangenpmk/wlangenpmkocl, hcxpmkidtool. That requires a little bit of bash scripting to convert the results to the final potfile format.

My current version of hashcat is beta 1644.
Escape to my knowledge formulate the conversions.
Pity
Reply