hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi recombinant

are you accepting pull requests?
-> yes, but under the restrictions of README.md:
- Multiple stand-alone binaries - designed to run on  Arch Linux.
- All of these utils are designed to execute only one specific function.
hcxdumptool = attack and dump - nothing else
hcxpcaptool = conversion and basic informations about content of a cap, pcap, pcapng file to determine if it's damaged) - nothing else
wlanhcxinfo = info about content of hccapx file - nothing else
wlanhcx2ssid = select special records to work on hashcat - nothing else
...
So:
- I will not add things that makes the code slower or more complex.
- I will not add things that can be done by scripts (comparing lists or potfiles)
- I will not add scripts which can do this.
- I will not add special code for other distributions than Arch Linux
- Form follows function and not: function follows form (no beautiful lists, status output and no correlation of data)

we would have to write a script ...
-> Yes. Such scripts are running on wpa-sec and I have some similar ones in my environment. If you need a scipt to correlate the data, you have to code it!

find exactly which networks were pwned specifically, but that information is probably already in the pcapng, right?
-> Yes, but you can find it in 16800.hash, 16801.hash, hccapx, too!

If you like to work on ESSIDs (ASCII/UTF-8) - be warned and make sure your terminal will display this!
We did some analysis on submitted caps to wpa-sec and we found zeroed ESSIDs, damaged ESSIDs with CTRL, UTF-8, ASCII and non ASCII characters inside. We also found zeroed PSKs and PSKs with CTRL, UTF-8, ASCII and non ASCII characters inside.
... and we found tons of deadly cleaned cap files with zeroed timestamps.

Right now, I only need the ESSID to calculate a PMK (by PBKDF2) and that's all. Than I prefer hashmodes 2501 and 16801. (wpa-sec use -m 2501 an every incomming cap file, first)
With the introduction of WPA3, PBKDF2 will die:
PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r)
and the PMKID:
PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)
...and PBKDF2 allready died on WPA ENTERPRISE:
https://hashcat.net/forum/thread-7717-po...l#pid41571


BTW:
hcxdumptoo/hcxtools/hcxkeys are  n o t  aircrack-ng, kismet or tcpdump
The tools are designed as analysis tools to develop new procedures (like the PMKID attack). So you should know what you are doing!
Take a look at a hcxdumptool pcapng file and compare it with an aircrack-ng, kismet or tcpdump cap file. I'm sure you see the difference:
hcxdumptool provides three different types of pcapng files (wep traffic, unencrypted IPv4/IPv6 traffic and EAP/EAPOL traffic).
No useless management, control or data frames inside the EAP/EAPOL traffic pcapng. One beacon proberequest/proberesponse and all authentications (authentication, associationrequest/response, rassociationrequest/response, EAP/EAPOL) are stored. We store all authentication frames, to determine if some frames changed during the attacks (remember: designed as analysis tools)

I recommend to use different hashcat potfiles instead of one single potfile:
2500.pot
2501.pot
16800.pot
16801.pot
You can run simple bash commands (cat, cut, awk) on them to get all informations you need.
The rest of the information can be retrieved form the hashfiles (hccapx, 16800/16801).
Now you can correlate the data in an easy way by bash scripts.


Some internal infos about hcxdumptool:
- designed to run on a raspberry pi
- handle 512 access points simultaneously
- handle 512 clients simultaneously
- 32 filter list entries
Reply


Messages In This Thread
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 08-15-2018, 10:35 AM