hcxpcaptool does not detect beacon packet
#1
I have a pcapng file of 5 packets (attachment https://easyupload.io/74zyro). Four of them are handshake EAPOLs and one is a beacon. I think it should be enough information for hcxpcaptool to create a hash file.

But when I run the command "hcxpcaptool -o /root/HS.hash /root/hs_plus_beacon.pcapng"

I get this result:

summary capture file:                         
---------------------
file name........................: hs_plus_beacon.pcapng
file type........................: pcapng 1.0
file hardware information........: unknown
capture device vendor information: 000000
file os information..............: Linux 5.2.0-kali2-amd64
file application information.....: Mergecap (Wireshark) 3.0.3 (Git v3.0.3 packaged as 3.0.3-1) (no custom options)
network type.....................: DLT_IEEE802_11 (105)
endianness.......................: little endian
read errors......................: flawless
minimum time stamp...............: 11.10.2005 23:07:52 (GMT)
maximum time stamp...............: 11.10.2005 23:07:52 (GMT)
packets inside...................: 5
skipped damaged packets..........: 0
packets with GPS NMEA data.......: 0
packets with GPS data (JSON old).: 0
packets with FCS.................: 0
association requests.............: 1
EAPOL packets (total)............: 4
EAPOL packets (WPA2).............: 4
best handshakes (total)..........: 1 (ap-less: 0)

summary output file(s):
-----------------------


Beacon is not detected, just EAPOLs, and I don't get any output file.

I need to say that this pcapng file was created with the text2pcap and mergecap tools, because I am using raw packets captured by tshark and written to a database.

I use these commands:

Code:
text2pcap ap_rawfile ap_raw_file.pcapng -n -l 127
text2pcap eapols_rawfile eapols_rawfile.pcapng -n -l 105
mergecap ap_raw_file.pcapng eapols_rawfile.pcapng -F pcapng -w hs_plus_beacon.pcapng
Reply
#2
The timestamps are completely useless:
$ tshark -r hs_plus_beacon.pcapng -T fields -e frame.number -e frame.time
1 Feb 14, 2020 11:43:57.000000000 CET
2 Feb 14, 2020 11:43:57.000000000 CET
3 Feb 14, 2020 11:43:57.000000001 CET
4 Feb 14, 2020 11:43:57.000000002 CET
5 Feb 14, 2020 11:43:57.000000003 CET


The merged pcapng file is a mixed header file:
DLT_IEEE802_11 (105)
DLT_IEEE802_11_RADIO (127).

Added support (hcxpcapngtool) for multiple interfaces by this commit:
https://github.com/ZerBea/hcxtools/commi...bbfdf54bc1

Code:
hcxpcapngtool -o test.22000 hs_plus_beacon.pcapng
reading from hs_plus_beacon.pcapng...

summary capture file
--------------------
file name................................: hs_plus_beacon.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.2.0-kali2-amd64
application..............................: Mergecap (Wireshark) 3.0.3 (Git v3.0.3 packaged as 3.0.3-1)
interface name...........................: N/A
interface vendor.........................: 000000
weak candidate...........................: N/A
MAC ACCESS POINT.........................: 000000000000 (incremented on every new client)
MAC CLIENT...............................: 000000000000
REPLAYCOUNT..............................: 0
ANONCE...................................: 0000000000000000000000000000000000000000000000000000000000000000
SNONCE...................................: 0000000000000000000000000000000000000000000000000000000000000000
timestamp minimum (GMT)..................: 14.02.2020 11:43:57
timestamp maximum (GMT)..................: 14.02.2020 11:43:57
used capture interfaces..................: 2
link layer header type...................: DLT_IEEE802_11_RADIO (127)
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 5
frames with correct FCS..................: 1
BEACON (total)...........................: 1
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
ESSID (total unique).....................: 1
EAPOLTIME gap (measured maximum usec)....: 1
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages........................: 1
EAPOL M2 messages........................: 1
EAPOL M3 messages........................: 1
EAPOL M4 messages........................: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to combi hash file...: 1 (RC checked)
EAPOL M12E2..............................: 1

Warning: missing frames!
This dump file contains no important frames like
authentication, association or reassociation.
That makes it hard to recover the PSK.

Warning: missing frames!
This dump file contains no undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
That makes it hard to recover the PSK.

Warning: missing frames!
This dump file doesn't contain enough EAPOL M1 frames.
That makes it impossible to calculate nonce-error-correction values.

Please keep in mind:
Neither EAPOLTIME calculation nor detection of nonce error correction will work on text2pcap converted files, because we are missing original timestamps and multiple M1 frames.

Edit:
By latest commit hcxpcapngtool is able to handle tv_nsec from these cap files, too.
Reply
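The two defects diagnosed above (two interfaces with different link-layer headers after mergecap, and text2pcap timestamps that are a few nanoseconds apart) can be spotted before the file reaches any converter. The following is an added example, not code from hcxtools, Wireshark or this thread: it builds a small pcapng file in memory that mirrors the merged capture from post #1 (interface 0 with link type 127, interface 1 with link type 105, five frames stamped 0 to 3 ns apart), walks the SHB/IDB/EPB blocks, honours the if_tsresol option, and reports the findings. The 1 ms plausibility threshold is an assumption of this example.

```python
"""Check a pcapng file for the two defects diagnosed in post #2: interfaces
with different link-layer headers and synthetic, near-identical timestamps.

Added example, not code from hcxtools, Wireshark or the thread. The pcapng
bytes are constructed in memory following the pcapng block layout (SHB, IDB
with if_tsresol option, EPB); the 1 ms plausibility threshold is assumed."""
import struct
from typing import Dict, List, Tuple

SHB, IDB, EPB = 0x0A0D0D0A, 1, 6
BYTE_ORDER_MAGIC = 0x1A2B3C4D
LINKTYPE_NAMES = {105: "DLT_IEEE802_11", 127: "DLT_IEEE802_11_RADIO"}
MIN_PLAUSIBLE_SPAN_USEC = 1000.0   # assumed: a beacon plus 4-way handshake inside 1 ms is not live traffic


def _block(btype: int, body: bytes) -> bytes:
    body += b"\0" * (-len(body) % 4)                 # bodies are padded to 32 bits
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def _idb(linktype: int, tsresol: int) -> bytes:
    # if_tsresol (option code 9): timestamps are 10**value ticks per second
    opts = struct.pack("<HH", 9, 1) + bytes([tsresol, 0, 0, 0]) + struct.pack("<HH", 0, 0)
    return _block(IDB, struct.pack("<HHI", linktype, 0, 65535) + opts)


def build_sample_pcapng() -> bytes:
    """Constructed file mirroring the thread: interface 0 is radiotap (127) with the
    beacon, interface 1 is plain 802.11 (105) with four EAPOL frames, and all five
    frames are stamped within three nanoseconds of each other."""
    shb = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    epbs = b""
    for iface, ts_ns in [(0, 0), (1, 0), (1, 1), (1, 2), (1, 3)]:
        payload = b"\x80\x00" if iface == 0 else b"\x88\x02"        # placeholder frame bytes
        epbs += _block(EPB, struct.pack("<IIIII", iface, ts_ns >> 32, ts_ns & 0xFFFFFFFF,
                                        len(payload), len(payload)) + payload)
    return shb + _idb(127, 9) + _idb(105, 9) + epbs


def _ticks_per_second(opts: bytes, endian: str) -> int:
    """Resolve if_tsresol from interface options; pcapng defaults to microseconds."""
    off = 0
    while off + 4 <= len(opts):
        code, length = struct.unpack_from(endian + "HH", opts, off)
        if code == 0:
            break
        if code == 9:
            v = opts[off + 4]
            return 2 ** (v & 0x7F) if v & 0x80 else 10 ** v
        off += 4 + length + (-length % 4)
    return 10 ** 6


def parse_pcapng(data: bytes) -> Dict[str, list]:
    """Walk the blocks; return (linktype, ticks/s) per interface and (iface, usec) per packet."""
    endian, off = "<", 0
    interfaces: List[Tuple[int, int]] = []
    packets: List[Tuple[int, float]] = []
    while off + 12 <= len(data):
        btype, = struct.unpack_from(endian + "I", data, off)
        if btype == SHB:                       # the magic fixes the section's byte order
            magic, = struct.unpack_from("<I", data, off + 8)
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
            interfaces = []
        total, = struct.unpack_from(endian + "I", data, off + 4)
        body = data[off + 8:off + total - 4]
        if btype == IDB:
            linktype, = struct.unpack_from(endian + "H", body, 0)
            interfaces.append((linktype, _ticks_per_second(body[8:], endian)))
        elif btype == EPB:
            iface, hi, lo = struct.unpack_from(endian + "III", body, 0)
            packets.append((iface, ((hi << 32) | lo) * 1_000_000 / interfaces[iface][1]))
        off += total
    return {"interfaces": interfaces, "packets": packets}


def check_capture(data: bytes) -> List[str]:
    """Findings to review before handing the file to hcxpcapngtool."""
    info = parse_pcapng(data)
    findings = []
    linktypes = sorted({lt for lt, _ in info["interfaces"]})
    if len(linktypes) > 1:
        names = ", ".join(f"{LINKTYPE_NAMES.get(lt, 'LINKTYPE')} ({lt})" for lt in linktypes)
        findings.append(f"mixed link-layer headers across {len(info['interfaces'])} interfaces: {names}")
    stamps = [t for _, t in info["packets"]]
    span = max(stamps) - min(stamps) if stamps else 0.0
    if len(stamps) > 1 and span < MIN_PLAUSIBLE_SPAN_USEC:
        findings.append(f"{len(stamps)} frames span only {span:.3f} usec: timestamps look synthetic "
                        "(text2pcap/mergecap), so EAPOL timing cannot be evaluated")
    if len(set(stamps)) < len(stamps):
        findings.append("duplicate timestamps present")
    return findings


if __name__ == "__main__":
    for finding in check_capture(build_sample_pcapng()):
        print("WARNING:", finding)
```

Run against a real file by replacing build_sample_pcapng() with the bytes read from disk; on the constructed sample it prints three warnings (mixed headers, a 0.003 usec span, duplicate stamps), which is exactly why hcxpcaptool's older single-interface parser saw no beacon and why the EAPOLTIME gap is meaningless.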
#3
It is not a good idea to remove origin timestamps!
It is not a good idea to use tools that remove timestamps!
It is not a good idea to use tools that replace the original timestamp by their own timestamp!

https://community.cisco.com/t5/wireless-...-p/3122477
https://ieeexplore.ieee.org/document/4251170
https://networkengineering.stackexchange...on-the-wlc

You can't rely on the replaycount alone. Disregarding the EAPOL time between EAPOL messages will lead to unrecoverable hashes, even if the replay count matches.

If you don't believe it, here is an exaggerated example:
Take a BEACON.
Take an M3 from last year.
Take an M4 from this year.
Zero the origin timestamps or replace them,
merge these 3 packets into a capfile
and try to recover the PSK.
So, good luck!

Explanation:
For an authentication we have a time gap. The authentication is successful if all frames are transmitted within this gap.
Also we have time gaps between the request and answer or challenge and response.
If we are outside this gap, the NONCEs are renewed.
So, even if we have received EAPOL M2 replaycount (RC) 3 and EAPOL M3 RC 4 and the time gap is greater than the EAPOL timer, this message pair will not match! It is not possible to recover the PSKs from this message pair.

We distinguish several methods of how an ACCESS POINT (AP) renews the values when the EAPOL timer has expired:
- leave RC, increase ANONCE - great, nonce error correction (NC) is working on it
- increase RC, increase ANONCE - great, NC is working on it, too
- leave RC, renew ANONCE - NC is not working.
- increase RC, renew ANONCE - NC is not working.

NC is an amazing feature of hashcat - if you know about the "secrets" of EAPOL timers. Disregarding them will lead to unrecoverable PSKs and you will waste your GPU time.

Also do not transmit deauthentication or disassociation packets within an authentication sequence. That will cause the AP to destroy its EAPOL timer and to renew all NONCEs!

BTW:
hcxdumptool can do this, because it is able to request a new authentication sequence from an AP or to initiate a new authentication sequence for a CLIENT.
Reply
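The pairing rules in post #3 (an M1/M2 pair shares one replay counter, M3 carries M2's RC + 1, and a pair whose frames lie further apart than the EAPOL timer is useless even when the RCs match) and the four RC/ANONCE renewal cases can be written down as a small checker. This is an added illustration, not code from hcxtools or hashcat; the frames are constructed, and the one-second pairing window is an assumed parameter because the thread states no timer value.

```python
"""Pair EAPOL handshake messages by replay counter and capture time, and
classify how an AP renewed RC/ANONCE between two M1 frames.

Added illustration of the rules described in post #3; not code from hcxtools
or hashcat. Frames below are constructed, not captured, and the pairing
window is an assumed parameter (the thread gives no EAPOL timer value)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class EapolFrame:
    msg: int        # handshake message number 1..4
    ts_usec: int    # capture timestamp in microseconds
    rc: int         # EAPOL key replay counter
    nonce: bytes    # ANONCE for M1/M3, SNONCE for M2/M4 (32 bytes)


DEFAULT_MAX_GAP_USEC = 1_000_000   # assumed EAPOL timer window (1 s)


def pair_handshake(frames: List[EapolFrame],
                   max_gap_usec: int = DEFAULT_MAX_GAP_USEC) -> List[Tuple[EapolFrame, EapolFrame]]:
    """Return (M1, M2) and (M2, M3) pairs that satisfy both rules: M1/M2 share
    one RC and M3 carries M2's RC + 1, and the two frames were captured within
    the timer window. Matching RCs with a larger gap are rejected, because the
    AP will have renewed its nonces by then."""
    ordered = sorted(frames, key=lambda f: f.ts_usec)
    pairs = []
    for a in ordered:
        for b in ordered:
            if b.ts_usec < a.ts_usec or b.ts_usec - a.ts_usec > max_gap_usec:
                continue
            if a.msg == 1 and b.msg == 2 and a.rc == b.rc:
                pairs.append((a, b))
            elif a.msg == 2 and b.msg == 3 and b.rc == a.rc + 1:
                pairs.append((a, b))
    return pairs


def _tail_counters(nonce: bytes) -> Tuple[int, int]:
    # NC treats the last 4 nonce bytes as a counter; try both byte orders
    return int.from_bytes(nonce[-4:], "big"), int.from_bytes(nonce[-4:], "little")


def classify_renewal(first_m1: EapolFrame, later_m1: EapolFrame, max_nc: int = 8) -> str:
    """Map two M1 frames from the same AP onto the four cases listed in post #3.
    'increase ANONCE' = previous nonce plus a small step (NC can bridge it, up
    to hashcat's default of 8); 'renew ANONCE' = fresh random nonce (NC cannot)."""
    rc_part = "increase RC" if later_m1.rc > first_m1.rc else "leave RC"
    if first_m1.nonce[:-4] == later_m1.nonce[:-4]:
        for x, y in zip(_tail_counters(first_m1.nonce), _tail_counters(later_m1.nonce)):
            if 0 < abs(y - x) <= max_nc:
                return f"{rc_part}, increase ANONCE: NC works (distance {abs(y - x)})"
    return f"{rc_part}, renew ANONCE: NC does not work"


# constructed sample: one handshake, a retransmitted M1 after the timer, and a stale M3
_PREFIX = bytes(range(28))                      # constructed 28-byte nonce prefix


def _anonce(counter: int) -> bytes:
    return _PREFIX + counter.to_bytes(4, "big")


SAMPLE = [
    EapolFrame(1, 1_000_000, 1, _anonce(0x10)),
    EapolFrame(2, 1_020_000, 1, bytes(32)),         # SNONCE placeholder
    EapolFrame(3, 1_040_000, 2, _anonce(0x10)),
    EapolFrame(1, 4_000_000, 1, _anonce(0x13)),     # after the timer: RC left, ANONCE +3
    EapolFrame(3, 9_000_000, 2, _anonce(0x10)),     # RC matches M2 but 8 s later: rejected
]

if __name__ == "__main__":
    for a, b in pair_handshake(SAMPLE):
        print(f"M{a.msg}/M{b.msg} pair: RC {a.rc}->{b.rc}, gap {b.ts_usec - a.ts_usec} usec")
    print(classify_renewal(SAMPLE[0], SAMPLE[3]))
```

On the sample, the two pairs inside the window are kept and the stale M3 is dropped even though its RC is M2's RC + 1; with timestamps zeroed or replaced by a converter, the time test cannot be applied at all, which is the point of post #3. The classifier reports "leave RC, increase ANONCE" for the retransmitted M1, the case NC handles.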
#4
Lots of thanks, ZerBea.

When I added timestamps to the packets, hcxpcaptool found the handshake and wrote it to the file.

The interesting thing is that when I tried to find the password with aircrack-ng, it worked without timestamps. But I wanted to handle the password with hashcat, because as I read, it is a little bit faster...
Reply
#5
hcxpcaptool is deprecated. Please use hcxpcapngtool from latest git head hcxtools.
hcxpcapngtool doesn't require a timestamp. But if we have no timestamp, a zeroed timestamp or not the origin timestamp, we are not able to calculate nonce-error-corrections (NC). The same applies to a cleaned cap file!
Attached an example here:

Attachment: nctest.zip (1.75 KB)
and for non forum members, here:
https://www.sendspace.com/file/vcn6e0

Inside are 3 files from a test suite and an example PSK to demonstrate the power of NC and the advantage of uncleaned dump files with origin timestamps:
1. pcap file (partly cleaned and converted to pcap so that aircrack is able to handle it)
2. cap file, cleaned by wpaclean
3. wordlist (for use with aircrack)

First we use hcxpcapngtool and hashcat:
hcxpcapngtool to do the conversion and retrieve the PSK from the pcap file:
Code:
$ hcxpcapngtool -o test.22000 -E wordlist test.pcap
reading from test.pcap...
summary capture file
--------------------
file name................................: test.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 06.02.2020 12:23:49
timestamp maximum (GMT)..................: 06.02.2020 12:24:52
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 6
BEACON (total)...........................: 1
PROBEREQUEST.............................: 1
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
ESSID (total unique).....................: 2
EAPOLTIME gap (measured maximum usec)....: 16624455
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 62482
EAPOL M1 messages........................: 3
EAPOL M2 messages........................: 1
EAPOL pairs (total)......................: 1
EAPOL pairs (best).......................: 1
EAPOL pairs written to combi hash file...: 1 (RC checked)
EAPOL M12E2..............................: 1

Warning: missing frames!
This dump file contains no important frames like
authentication, association or reassociation.
That makes it hard to recover the PSK.

and hashcat to recover the PSK:
Code:
$ hashcat -m 22000 test.22000 --nonce-error-corrections=8 wordlist
hashcat (v5.1.0-1685-gf946e321) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: test.22000
Time.Started.....: Mon Feb 17 17:50:23 2020 (0 secs)
Time.Estimated...: Mon Feb 17 17:50:23 2020 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      77 H/s (0.71ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 3/3 (100.00%)
Rejected.........: 1/3 (33.33%)
Restore.Point....: 0/3 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: v+#gqu5g9pqnp%+7jbf%2uex+8hlo3ms -> v+#gqu5g9pqnp%+7jbf%2uex+8hlo3ms
Hardware.Mon.#1..: Temp: 58c Fan: 39% Util: 47% Core:1847MHz Mem:5005MHz Bus:16

As expected, the PSK is successfully recovered by hashcat.

Running latest git head hcxtools (as of today), you can run automatic mode, too. This mode will work up to hashcat's default NC value 8. Higher values require setting the hashcat option --nonce-error-corrections=x:
Code:
$ hashcat -m 22000 test.22000 wordlist
hashcat (v5.1.0-1685-gf946e321) starting...
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: test.22000
Time.Started.....: Mon Feb 17 17:54:53 2020 (0 secs)
Time.Estimated...: Mon Feb 17 17:54:53 2020 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      83 H/s (0.70ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 3/3 (100.00%)
Rejected.........: 1/3 (33.33%)
Restore.Point....: 0/3 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: v+#gqu5g9pqnp%+7jbf%2uex+8hlo3ms -> v+#gqu5g9pqnp%+7jbf%2uex+8hlo3ms
Hardware.Mon.#1..: Temp: 53c Fan: 32% Util: 75% Core:1898MHz Mem:5005MHz Bus:16

Now we do the same, running aircrack:
Code:
$ ./aircrack-ng test_clean.cap -w wordlist
Reading packets, please wait...
Opening test_clean.cap
Read 3 packets.
  #  BSSID              ESSID                    Encryption
  1  A0:F3:C1:50:3E:62  hascat                    WPA (1 handshake)
Choosing first network as target.
Reading packets, please wait...
Opening test_clean.cap
Read 3 packets.
1 potential targets
                        Aircrack-ng 1.6 rev 499d72ad
      [00:00:00] 1/1 keys tested (23.13 k/s)
      Time left: --
                                KEY NOT FOUND
      Master Key    : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Transient Key  : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      EAPOL HMAC    : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
and it failed.

BTW:
If you compare the wpaclean cap file with the pcap file, you'll notice that the PSK (received from WiFi traffic) was removed by wpaclean!

That led me to this advice:
It is not a good idea to clean a cap file.
It is not a good idea to use tools that clean a cap file.
It is not a good idea to use tools that don't store useful frames or that ignore them.
Reply
#6
I don't know why, but hashes obtained with hcxpcapngtool give me the following result in hashcat:

Code:
Hashfile '/root/HS_output.hash': Invalid hccapx signature

No hashes loaded.

And it makes no difference whether I use EAPOL packets with or without timestamps:
For example, the result of "hcxpcapngtool -o /root/HS_output.hash /root/eapols_beacon_ts.pcapng" (with timestamps):

Code:
summary capture file
--------------------
file name..............................: eapols_beacon_ts.pcapng
version (pcapng).......................: 1.0
operating system.......................: Linux 5.2.0-kali2-amd64
application............................: Mergecap (Wireshark) 3.0.3 (Git v3.0.3 packaged as 3.0.3-1)
interface name.........................: N/A
interface vendor.......................: 000000
weak candidate.........................: N/A
MAC ACCESS POINT.......................: 000000000000 (incremented on every new client)
MAC CLIENT.............................: 000000000000
REPLAYCOUNT............................: 0
ANONCE.................................: 0000000000000000000000000000000000000000000000000000000000000000
SNONCE.................................: 0000000000000000000000000000000000000000000000000000000000000000
timestamp minimum (GMT)................: 15.08.52099 03:36:37
timestamp maximum (GMT)................: 28.10.52099 18:50:00
link layer header type.................: DLT_IEEE802_11_RADIO (127)
endianess (capture system).............: little endian
packets inside.........................: 5
frames with correct FCS................: 5
BEACON (total).........................: 1
EAPOL messages (total).................: 4
EAPOL RSN messages.....................: 4
ESSID (total unique)...................: 1
EAPOLTIME gap (measured maximum usec)..: 4072225
EAPOL M1 messages......................: 1
EAPOL M2 messages......................: 1
EAPOL M3 messages......................: 1
EAPOL M4 messages......................: 1
EAPOL pairs (total)....................: 2
EAPOL pairs (best).....................: 1
EAPOL pairs written to combi hash file.: 1 (RC checked)
EAPOL M12E2............................: 1

Here is the original file - eapols_beacon_ts.pcapng: https://easyupload.io/n9f0bg
Reply
#7
Please post your hashcat command line.

You must use the matching hash mode on hcxpcapngtool and hashcat.

These command lines are valid:
WPA-PBKDF2-PMKID+EAPOL:
$ hcxpcapngtool -o test.22000 *.capng
$ hashcat -m 22000 test.22000 wordlist

WPA-EAPOL-PBKDF2:
$ hcxpcapngtool --hccapx test.hccapx *.capng
$ hashcat -m 2500 test.hccapx wordlist

WPA-PMKID-PBKDF2:
$ hcxpcapngtool --pmkid test.16800 *.capng
$ hashcat -m 16800 test.16800 wordlist

otherwise hashcat will report: Invalid .... signature
Reply
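The "Invalid hccapx signature" message in post #6 is hashcat's reaction to a file whose format does not match the -m it was given: -m 2500 looks for the hccapx magic, while hcxpcapngtool -o writes 22000 hash lines. The checker below is an added example, not code from hashcat or hcxtools; it recognises the three output formats listed above by their structure (hccapx records are 393 bytes and start with "HCPX"; 22000 lines start with WPA*01* or WPA*02* and carry nine '*'-separated fields; 16800 lines carry four) and tells you whether the requested mode fits. The sample file contents are constructed placeholders, not real hashes.

```python
"""Work out which hashcat mode a file written by hcxpcapngtool needs, so the
converter option and -m agree (the mismatch behind "Invalid hccapx signature").

Added example, not code from hashcat or hcxtools. Format facts used: an hccapx
file is a sequence of 393-byte records starting with the magic "HCPX" (-m 2500);
22000 hash lines start with WPA*01* (PMKID) or WPA*02* (EAPOL) and carry nine
'*'-separated fields; 16800 lines carry four fields. Sample contents are
constructed placeholders, not real hashes."""
from typing import Optional, Tuple

HCCAPX_MAGIC = b"HCPX"
HCCAPX_RECORD_LEN = 393


def detect_hash_mode(content: bytes) -> Tuple[Optional[int], str]:
    """Return (hashcat mode, reason); mode is None when the file is not usable."""
    if content.startswith(HCCAPX_MAGIC):
        if len(content) % HCCAPX_RECORD_LEN:
            return None, "hccapx magic but file length is not a multiple of 393 bytes"
        return 2500, f"hccapx with {len(content) // HCCAPX_RECORD_LEN} record(s)"
    lines = [ln for ln in content.decode("ascii", "replace").splitlines() if ln.strip()]
    if not lines:
        return None, "empty file: the converter wrote no hash"
    if all(ln.startswith(("WPA*01*", "WPA*02*")) for ln in lines):
        bad = [i for i, ln in enumerate(lines, 1) if ln.count("*") != 8]
        if bad:
            return None, f"22000 line(s) {bad} do not carry nine fields"
        return 22000, f"WPA-PBKDF2-PMKID+EAPOL hash lines, {len(lines)} record(s)"
    if all(ln.count("*") == 3 for ln in lines):
        return 16800, f"PMKID hash lines, {len(lines)} record(s)"
    return None, "unrecognised contents"


def hashcat_mode_matches(content: bytes, requested_mode: int) -> Tuple[bool, str]:
    """Compare the mode the file needs with the -m the operator intends to pass."""
    mode, reason = detect_hash_mode(content)
    if mode is None:
        return False, reason
    if mode == requested_mode:
        return True, reason
    return False, (f"file needs -m {mode} ({reason}) but -m {requested_mode} was requested; "
                   "hashcat would reject it with an invalid signature error")


# constructed samples with placeholder hex values (ESSID "test")
SAMPLE_22000 = ("WPA*02*" + "00" * 16 + "*" + "00" * 6 + "*" + "00" * 6 + "*74657374*"
                + "00" * 32 + "*" + "00" * 8 + "*02\n").encode()
SAMPLE_16800 = ("00" * 16 + "*" + "00" * 6 + "*" + "00" * 6 + "*74657374\n").encode()
SAMPLE_HCCAPX = HCCAPX_MAGIC + bytes(HCCAPX_RECORD_LEN - 4)

if __name__ == "__main__":
    for name, blob in [("22000", SAMPLE_22000), ("16800", SAMPLE_16800), ("hccapx", SAMPLE_HCCAPX)]:
        print(name, detect_hash_mode(blob))
    print(hashcat_mode_matches(SAMPLE_22000, 2500))   # the mismatch from post #8
```

Reading the file header before starting a long run is cheap; an empty output file (the converter found no pair) and a mode mismatch are the two reasons for "No hashes loaded" that the checker separates.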
#8
Yes, my commands were wrong.
I was using:
"hcxpcapngtool -o /root/test.hash /root/output_hs.pcapng"
"hashcat -m 2500 /root/test.hash passes.txt --force"
Thank you
Reply