hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Your assumption is correct. I noticed that, too.
Some devices probe their entire NVRAM to hcxdumptool:
Code:
NVRAM
NVRAM WARNING
NVRAM WARNING: ERR 0x10
NVRAM WARNING: Err = 0x01
NVRAM WARNING: Err = 0x02
NVRAM WARNING: Err = 0x06
NVRAM WARNING: Err = 0x10
NVRAM WARNING: Err = 0x1p
NVRAM WARNING: Err=7x13
NVRAM WARNING: Errel WiFi
NVRAMERROR
NVRAM_Err_0x10
Reply
hi zerbea, hope all is good, sorry for this question not really related to hashcat or hcxdumptool.just a curiosity, will hcxdumptool work with ath10k driver, i really don't get that. some say that injection work some not. i never buy a device if hcxdumptool does not work, lol.
Reply
I'm fine, thanks and I hope you're fine, too.
First a general answer:
hcxdumptool is working on every driver (e.g.: mt76, rt2800usb, ath9k) that is able to run full monitor mode, full packet injection, accept ioctl() system calls and doesn't depend on NETLINK.
Unfortunately some drivers are hit by issues that (e.g. freeze/timeout on ath9k):
https://bugzilla.kernel.org/show_bug.cgi?id=207397

Now to answer your question: atk10k will not work due to firmware/driver limitations:
https://wireless.wiki.kernel.org/en/user...ers/ath10k
Code:
firmware does not support association to the same AP from different virtual STA interfaces (driver prints “ath10k: Failed to add peer XX:XX:XX:XX:XX:XX for VDEV: X” in that case)
packet injection isn't supported yet
applying ath9k regulatory domain hack patch from OpenWRT causes firmware crash (reason: regulatory hint function is never called and ath10k never sends scan channel list to the firmware which in turn causes firmware to crash on scan)
tx rate is reported as 6mbps due to firmware limitation (no tx rate information in tx completions); instead see /sys/kernel/debug/ieee80211/phyX/ath10k/fw_stats
WEP doesn't work with AP_VLANs - frames are sent unencrypted (observed on: 999.999.0.636, 10.2.4.20-1, 10.1.467.2-1)
TX speeds are extremely poor on certain chips (QCA6174 is one). A patch solves the issue in most cases

Please notice:
We are talking about Linux kernel stock firmware/drivers
https://git.kernel.org/pub/scm/linux/ker...rmware.git
https://git.kernel.org/pub/scm/linux/ker...h=v5.10.15
and not about third party firmware/drivers/patches included in special penetration testing distributions (e.g.: K A L I).
BTW:
I do not use K A L I , because I'm not a penetration tester!

I fully agree:
I'll never buy a device if I know that the kernel stock driver doesn't support full monitor mode, full packet injection and ioctl() system calls.
But some times I get a device to test some third party drivers, e.g. new rtw88 stack (Realtek):
https://github.com/kimocoder/realtek_rtwifi
If you are a Linux newbee (or an unexperienced K A L I user), I can't recommend to use third party or patched firmware/drivers, because you'll run into several issues (at the latest on a kernel update).

A good start to get an information about driver, driver updates, issues and chipset:
https://wireless.wiki.kernel.org/en/users/Drivers
https://patchwork.kernel.org/project/lin...less/list/
https://bugzilla.kernel.org/
https://deviwiki.com/wiki/

But be warned: Manufacturers often change the chipset, but will use the same case and customary packing!
Reply
Hello ZerBea, when using hcxeiutool -h command and following the example listed at the bottom of the help, the last line of the example where it runs hashcat, is the "dump.pcapng" supposed to be "test.22000" instead?

I'm assuming so, unless I'm missing something important.  Thanks.
Reply
Hi walterlacka.
Thanks for reporting that ugly copy and paste error.
Fixed by this commit:
https://github.com/ZerBea/hcxtools/commi...28af54dbf6
Reply
(07-22-2017, 10:07 AM)ZerBea Wrote: basic tutorial about the features to capture passwords from wlantraffic

1.
Choose a place where you do expect to receive many, many clients.
run wlandump-ng or wlanresponse for a while (one or more hours) using this options:

on a notebook
wlandump-ng -i <mywlandevice> -o test.cap -c 1 -t 4 -d 20 -D 2 -m 512 -b -r -l -L -s 20

on a raspberry
wlandump-ng -i <mywlandevice> -o test.cap -c 1 -t 4 -d 20 -D 2 -m 128 -b -r -l -L -s 0
wlanresponse -i <mywlandevice> -o test.cap -t 3 -b -l -L


mydevice is your WLAN device (it must be running allready in monitor mode on a real device - do not use virtual devices like mon0).

Please download and use the attached test.cap for this tutorial
Extract and copy the cap to a folder and open a terminal inside.

2.
Let's check the cap:

$ wlancapinfo -i test.cap
input file.......: test.cap
magic file number: 0xa1b2c3d4 (cap/pcap)
major version....: 2
minor version....: 4
data link type...: 105 (DLT_IEEE802_11) [http://www.tcpdump.org/linktypes.html]
packets inside...: 6
last pcap error..: flawless

The cap looks like a normal cap, but you should convert it only by using wlancap2hcx, because there are informations inside, other tools are not able to strip.


Let's convert the cap:

$ wlancap2hcx -o test.hccapx -e wordlist test.cap
start reading from test.cap
6 packets processed (6 wlan, 0 lan, 0 loopback)
found 1 wpa2 AES Cipher, HMAC-SHA1
found 1 valid wpa handshake (by wlandump-ng/wlanresponse)

You can see that there's a valid WPA2 handshakles inside and that
wlandump-ng/wlanresponse initiates the authentication with the client.
No accesspint captured - there is no need to capture an accesspoint to get the data!
We use the -e option to save networknames and passwords to a file (it's a good idea to use this option everytime you run wlancap2hcx).

$ ls
test.hccapx test.cap  wordlist

now sort our wordlist
$ sort wordlist | uniq > wordlistsort
you need to do this, because there are many dupes inside.

$ ls
test.hccapx test.cap  wordlist wordlistsort

now run hashcat
$ hashcat -m 2500 --potfile-path=hc2500.pot test.hccapx wordlistsort
hashcat (v3.6.0-247-g8f2cbb26) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2
Hash.Target......: UPC501953949 (AP:8c:84:01:09:e9:e6 STA:bc:44:86:a1:66:82)
Time.Started.....: Sat Jul 22 09:59:12 2017 (0 secs)
Time.Estimated...: Sat Jul 22 09:59:12 2017 (0 secs)
Guess.Base.......: File (wordlistsort)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:        0 H/s (0.36ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2/2 (100.00%)
Rejected.........: 0/2 (0.00%)
Restore.Point....: 0/2 (0.00%)
Candidates.#1....: AXNDFNEU -> UPC501953949
HWMon.Dev.#1.....: Temp: 42c Fan: 28% Util:100% Core:1303MHz Mem:3004MHz Bus:8

Take a look into the potfile and you can imagine what's going on.
You cracked the hash, using the captured password from wlantraffic.

It's a good Idea to add/copy/cat the wordlist to your wordlist(s) - everytime you run wlancap2hcx on new cap files.

Hello ZerBea, I hope you are doing well.
I tried to understand and reproduce this exact same procedure in hopes to recover the PSK if its present in the network traffic. As these tools are not available anymore because they are updated to the latest hcxtools, I am unable to reproduce this.

Can you please update this exact tutorial using the latest set of hcxtools?

regards.
Reply
Thanks, I'm fine and I you you'll be fine, too.
hcxtools > v6 and hcxdumptool making life a little bit more easier and received a lot of improvements, but the basics are the same (that include filter modes, filter lists and Berkeley Packet Filter). Only default formats changed to pcapng.
capture traffic -> convert to hashcat (or john) hash format -> run hashcat (or john)

The same applies to the attack vectors:
attack vector 1 target AP (PMKID)
attack vector 2 CLIENT (M2)
attack vector 3 AP <-> CLIENT connection (PMKID, M1, M2, M3, M4)
attack vector 4 EAP (EAP-ID, EAP TLS, RADIUS)
or any combination of this.

Code:
attack vector 1, 2, 3, 4 (request EAP-ID, only)
$ hcxdumptool -i interface -o dump.pcapng --essidlist=beaconlist --active_beacon

attack vector  2,  (request EAP-ID, only)
$ hcxdumptool -i interface -o dump.pcapng --essidlist=beaconlist --active_beacon --disable_deauthentication --disable_ap_attacks -t 300

attack vector 1, 3
$ hcxdumptool -i interface -o dump.pcapng --essidlist=beaconlist --disable_client_attacks

for attack vector 4 please read --help

If you're an experienced user (you know what you're doing, you are able to create a BPF, you don't need a beautiful real time status display), I recommend to use hcxlabtool from the wifi_laboratory series.

The basics of converting traffic to hashcat/john formats are the same, too, except that the default formats changed:
hcxpcapngtool:
default hash format now -> 22000 EAPOL + PMKID
storing possible PSKs, received from WiFi traffic can be done by -E -I -U

Example dump file is here:
https://github.com/evilsocket/pwnagotchi...nctest.zip
$ hcxpcapngtool -o eapol.22000 -E wordlist test.pcap
$ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist
In this example, we must use --nonce-error-corrections=8, because I converted the origin pcapng file to cap/pcap format (a few tools don't understand pcapng). This format is a very basic format and we loose some important information, stored in pcapng format.

hcxhashtool is new. Depending on the options you can filter the output hash file. That can be done by bash tools, too, because 22000 is no longer a binary format.
hcxeiutool is new. Depending on the options you can pre-process hcxpcapngtool -E -I -U output to a raw word list that can be used in combination with rules.
Reply
(03-31-2021, 10:12 AM)ZerBea Wrote: Thanks, I'm fine and I you you'll be fine, too.
hcxtools > v6 and hcxdumptool making life a little bit more easier and received a lot of improvements, but the basics are the same (that include filter modes, filter lists and Berkeley Packet Filter). Only default formats changed to pcapng.
capture traffic -> convert to hashcat (or john) hash format -> run hashcat (or john)

The same applies to the attack vectors:
attack vector 1 target AP (PMKID)
attack vector 2 CLIENT (M2)
attack vector 3 AP <-> CLIENT connection (PMKID, M1, M2, M3, M4)
attack vector 4 EAP (EAP-ID, EAP TLS, RADIUS)
or any combination of this.

Code:
attack vector 1, 2, 3, 4 (request EAP-ID, only)
$ hcxdumptool -i interface -o dump.pcapng --essidlist=beaconlist --active_beacon

attack vector  2,  (request EAP-ID, only)
$ hcxdumptool -i interface -o dump.pcapng --essidlist=beaconlist --active_beacon --disable_deauthentication --disable_ap_attacks -t 300

attack vector 1, 3
$ hcxdumptool -i interface -o dump.pcapng --essidlist=beaconlist --disable_client_attacks

for attack vector 4 please read --help

If you're an experienced user (you know what you're doing, you are able to create a BPF, you don't need a beautiful real time status display), I recommend to use hcxlabtool from the wifi_laboratory series.

The basics of converting traffic to hashcat/john formats are the same, too, except that the default formats changed:
hcxpcapngtool:
default hash format now -> 22000 EAPOL + PMKID
storing possible PSKs, received from WiFi traffic can be done by -E -I -U

Example dump file is here:
https://github.com/evilsocket/pwnagotchi...nctest.zip
$ hcxpcapngtool -o eapol.22000 -E wordlist test.pcap
$ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist
In this example, we must use  --nonce-error-corrections=8, because I converted the origin pcapng file to cap/pcap format (a few tools don't understand pcapng). This format is a very basic format and we loose some important information, stored in pcapng format.

hcxhashtool is new. Depending on the options you can filter the output hash file. That can be done by bash tools, too, because 22000 is no longer a binary format.
hcxeiutool is new. Depending on the options you can pre-process hcxpcapngtool -E -I -U output to a raw word list that can be used in combination with rules.

Thanks for such detailed information, cleared a lot of doubts, much appreciated!
However, when I run hashcat with attack mode 2200 ($ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist) I get an error message stating that there is no module named module_02200.dll (Cannot load module ./module/module_02200.dll). I have checked the modules directory and it is not there for some reason. I am using the default hashcat version 6.1.1 provided by hashcat.net on windows.

Btw, also tested this with hashcat version 4.1.1, same error.
Reply
Maybe you're running an old version of hashcat.
hashcat 6.1.1 support 22000 and 22001.
hashcat 4.1.1 is ancient.

Code:
$ hashcat -m 22000 --benchmark
hashcat (v6.1.1-144-g9e474e1e8) starting in benchmark mode...
CUDA API (CUDA 11.2)
====================
* Device #1: GeForce GTX 1080 Ti, 10875/11175 MB, 28MCU

OpenCL API (OpenCL 1.2 CUDA 11.2.162) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 1080 Ti, skipped

Benchmark relevant options:
===========================
* --optimized-kernel-enable

Hashmode: 22000 - WPA-PBKDF2-PMKID+EAPOL (Iterations: 4095)

Speed.#1.........:   620.7 kH/s (90.65ms) @ Accel:32 Loops:256 Thr:1024 Vec:1

Started: Wed Mar 31 18:33:56 2021
Stopped: Wed Mar 31 18:33:59 2021
Reply
(03-31-2021, 06:37 PM)ZerBea Wrote: Maybe you're running an old version of hashcat.
hashcat 6.1.1 support 22000 and 22001.
hashcat 4.1.1 is ancient.

Code:
$ hashcat -m 22000 --benchmark
hashcat (v6.1.1-144-g9e474e1e8) starting in benchmark mode...
CUDA API (CUDA 11.2)
====================
* Device #1: GeForce GTX 1080 Ti, 10875/11175 MB, 28MCU

OpenCL API (OpenCL 1.2 CUDA 11.2.162) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 1080 Ti, skipped

Benchmark relevant options:
===========================
* --optimized-kernel-enable

Hashmode: 22000 - WPA-PBKDF2-PMKID+EAPOL (Iterations: 4095)

Speed.#1.........:  620.7 kH/s (90.65ms) @ Accel:32 Loops:256 Thr:1024 Vec:1

Started: Wed Mar 31 18:33:56 2021
Stopped: Wed Mar 31 18:33:59 2021

Thanks, I downloaded latest hashcat and installed it again, it worked!
Reply