01-28-2020, 04:33 PM
Adding the option to run a user defined MAC_AP and/or MAC_CLIENT was only a test to demonstrate that it is useless.
Shortly after the start hcxdumptool adapts to the WiFi traffic and uses more and more received MAC addresses and ESSIDs.
Wireshark is a good tool to analyze traffic. But take care:
In monitor mode the adapter does not check to see if the cyclic redundancy check (CRC) values are correct for packets captured, so some captured packets may be corrupted (malformed).
http://www.ict-optimix.eu/images/a/ad/WiFiBitError.pdf
https://en.wikipedia.org/wiki/Monitor_mode
With the latest commits, I added tons of code to detect this!
There is no need for an additional .pcapng output, because Atom added a similar feature to hashcat:
Now the outfile contains the PMKID/MIC for the recovered hash. Just compare this field with the hashline field and take the option which was in use to successfully convert it.
Start with --all --ignore-ie --max-essids=5 --nonce-error-corrections=256 --eapoltimeout=43200000
and go more and more restrictive.
You can use simple bash commands to do this comparison.
Read more here:
https://hashcat.net/forum/thread-8891-po...l#pid47266
Improving hcxpcapngtool isn't easy, because every code change due to an analysis of a single capfile has a huge impact on other capfiles (based on analysis of wpa-sec.stanev.org).
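The outfile-to-hashline comparison the post describes, as an added shell example that is not part of the post or of hcxtools/hashcat: one hash file per hcxpcapngtool option set, joined against the hashcat outfile on the PMKID/MIC field. The 22000 field layout and the outfile field order used here are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the forum post. Given one hc22000 hash file per
# hcxpcapngtool option set (permissive first, then more restrictive) and the
# hashcat outfile, report which option set produced each recovered hash.
# Assumed formats (not spelled out in the post): hash lines look like
# WPA*TYPE*PMKID_or_MIC*MAC_AP*MAC_CLIENT*ESSID*..., and the outfile's first
# colon-separated field is that same PMKID/MIC hex, the second the password.

# $1 = hashcat outfile; remaining args = hash files, one per option set.
# Prints hashfile:PMKID_or_MIC:password for every recovered entry.
report_matches() {
  awk -F'*' '
    FILENAME == ARGV[1] { split($0, f, ":"); pw[f[1]] = f[2]; next }
    ($3 in pw)          { print FILENAME ":" $3 ":" pw[$3] }
  ' "$@"
}

# Constructed sample data (placeholder values, not real captures): the MIC
# hash only survives the permissive conversion, so that option set is the
# one that successfully converted it.
demo() {
  d=$(mktemp -d) || return 1
  printf '%s\n' \
    'WPA*01*aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*001122334455*66778899aabb*54657374***' \
    'WPA*02*bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb*001122334455*ccddeeff0011*54657374*anonce_placeholder*eapol_placeholder*02' \
    > "$d/permissive.22000"
  printf '%s\n' \
    'WPA*01*aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*001122334455*66778899aabb*54657374***' \
    > "$d/strict.22000"
  printf '%s\n' 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:password1' \
    > "$d/hashcat.outfile"
  report_matches "$d/hashcat.outfile" "$d/permissive.22000" "$d/strict.22000" \
    | sed "s#^$d/##"
  rm -rf "$d"
}

demo
```

With real files, pass the outfile first and then each hash file written by a different hcxpcapngtool option set; the file name in the output tells you which option set to keep.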