hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
(06-12-2019, 09:43 PM)ZerBea Wrote: Great. You did it! Next step is to create a database (collect data from -E, -I and hashes) and I'm sure your hit rate will increase:

The environment is not magic. It is a simple loop. Start at step one and, when the last step has finished, start the loop again.
It depends on the latest hashcat-git, hcxdumptool-git and hcxtools-git.

Basic step (must only be done once): create a working directory (wpa). We need the complete file path. In our example:
$HOME/WPA

The cycle:
1) hcxdumptool -i interface -o $HOME/WPA/dumpfile.pcapng --enable_status=1
the default options are ok
run hcxdumptool for a while (at least > 2 hours)
then stop it

2) wlancap2wpasec dumpfile.pcapng
upload the pcapng file to wpa-sec.stanev.org and it will be tested against common wordlists, so there is no need for you to do this

3) hcxpcaptool -o $HOME/WPA/archive.hccapx -k $HOME/WPA/archive.16800 -E $HOME/WPA/essidlist -I $HOME/WPA/identitylist -U $HOME/WPA/usernamelist dumpfile.pcapng
convert all hashes and information into the database files. They are appended!!!

4) wait a while, at least until wpa-sec.stanev.org has reached "get works" of 15

5) download cracked.txt.gz and rkg.txt.gz from wpa-sec.stanev.org

6) decompress both files and copy them to your working directory ($HOME/WPA)

7) cat $HOME/WPA/cracked.txt $HOME/WPA/rkg.txt $HOME/WPA/essidlist $HOME/WPA/identitylist $HOME/WPA/usernamelist | sort | uniq | hashcat -m 16800 --remove --nonce-error-corrections=2 --potfile-path=$HOME/WPA/hashcat.pmk -o $HOME/WPA/hashcat.mac archive.16800
sort the wordlists and run them against your hashes.
we run first 16800, because it is faster
found hashes are removed

8) cat $HOME/WPA/cracked.txt $HOME/WPA/rkg.txt $HOME/WPA/essidlist $HOME/WPA/identitylist $HOME/WPA/usernamelist | sort | uniq | hashcat -m 2500 --remove --nonce-error-corrections=2 --potfile-path=$HOME/WPA/hashcat.pmk -o $HOME/WPA/hashcat.mac archive.hccapx
sort the wordlists and run them against your hashes
results are stored in $HOME/WPA/hashcat.mac
we are working on reuse of PBKDF2 and a crossover hash line for both modes, so we have to pay the PBKDF2 price only once and get MIC and PMKID for the same.

9) move dumpfile.pcapng to an archive folder, delete it, or rename it.

10) start again with step 1.

Keep in mind:
This is a basic loop. hashcat, hcxtools and hcxdumptool provide many options. Unfortunately every option has a price tag. Just play around with the options to improve your procedure.

BTW:
If you like to participate, just run help_crack.py from wpa-sec.stanev.org
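As an added example (not code from the thread or from the hcxtools project), here is a POSIX sh wrapper for steps 7 to 9 of the loop above that also handles the first iteration, where cracked.txt and rkg.txt do not exist yet. It assumes hashcat is on PATH, that WPA_DIR is the working directory from the post ($HOME/WPA), and it hands hashcat the merged wordlist as a file instead of via stdin.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes: hashcat on PATH,
# WPA_DIR = the working directory from the post ($HOME/WPA), file names
# as in the post. Functions only; run with "wpa_cycle.sh run".
WPA_DIR="${WPA_DIR:-$HOME/WPA}"

# Steps 7/8 input: merge the wordlists that exist into one sorted, deduped
# file and print the candidate count. Missing inputs (no cracked.txt before
# the first wpa-sec download) are skipped instead of aborting as 'cat' would.
merge_wordlists() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    if [ -r "$f" ]; then cat "$f" >> "$out"; fi
  done
  sort -u -o "$out" "$out"
  wc -l < "$out" | tr -d ' '
}

# Run one hashcat mode against one hash file, only if the file has content
# (--remove empties it as hashes get cracked). 16800 (PMKID) goes first
# because it is the cheaper mode, exactly as in the post.
crack() {
  mode="$1"; hashes="$2"; words="$3"
  [ -s "$hashes" ] || { echo "skip $mode: $hashes empty"; return 0; }
  hashcat -m "$mode" --remove --nonce-error-corrections=2 \
    --potfile-path="$WPA_DIR/hashcat.pmk" -o "$WPA_DIR/hashcat.mac" \
    "$hashes" "$words"
}

# Step 9: move the capture aside under a UTC timestamp so the next
# hcxdumptool run starts a fresh dumpfile.pcapng; prints the new path.
archive_dump() {
  src="$1"; dst_dir="$2"
  mkdir -p "$dst_dir"
  dst="$dst_dir/$(date -u +%Y%m%dT%H%M%SZ)-$(basename "$src")"
  mv "$src" "$dst" && printf '%s\n' "$dst"
}

main() {
  words="$WPA_DIR/wordlist.txt"
  n=$(merge_wordlists "$words" "$WPA_DIR/cracked.txt" "$WPA_DIR/rkg.txt" \
      "$WPA_DIR/essidlist" "$WPA_DIR/identitylist" "$WPA_DIR/usernamelist")
  echo "$n unique candidates in $words"
  crack 16800 "$WPA_DIR/archive.16800" "$words"
  crack 2500 "$WPA_DIR/archive.hccapx" "$words"
  archive_dump "$WPA_DIR/dumpfile.pcapng" "$WPA_DIR/archive"
}

[ "${1:-}" = run ] && main
```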