hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
#22
I've been asked to write a basic tutorial for wpa/wpa2 on hash-modes 2500, 2501, 12000.
Well, let's start:

1.
Get our example cap from https://wiki.wireshark.org/SampleCaptures
Download wpa-Induction.pcap from here:
https://wiki.wireshark.org/SampleCapture...ction.pcap
Password is: Induction

2.
create a folder, copy the cap into the folder and open a terminal in that folder
let's see if we're right:
$ ls *
wpa-Induction.pcap

3.
let's get some info about the cap
$ wlancapinfo -i wpa-Induction.pcap
input file.......: wpa-Induction.pcap
magic file number: 0xa1b2c3d4 (cap/pcap)
major version....: 2
minor version....: 4
data link type...: 127 (DLT_IEEE802_11_RADIO) [http://www.tcpdump.org/linktypes.html]
packets inside...: 1093
last pcap error..: flawless

It's a normal pcap file. Many useless things inside and some important things are not captured.
cap2hccapx, wlancap2hcx and the online converter https://hashcat.net/cap2hccapx/
should be able to convert this cap into a hccapx

4.
convert the cap file
$ wlancap2hcx -o test.hccapx -e testlist -f testpmklist -u usernameslist -S hashinfo wpa-Induction.pcap
start reading from wpa-Induction.pcap
1093 packets processed (1093 wlan, 0 lan, 0 loopback)
found 2 usefull wpa handshakes
found WPA encrypted data packets

testlist (network names and possible passwords should be inside this unsorted list):
Coherer
linksys
only 2 network names (ESSIDs) inside - no passwords

testpmklist is empty - no plainmasterkey captured
there is no usernamelist - no usernames/identities captured

hashinfo:
814b242275c668e321b145c2e981f351:000c4182b255:000d9382363a:Coherer
814b242275c668e321b145c2e981f351:000c4182b255:000d9382363a:Coherer
2 hashes inside
hcxtools uses the same internal md5_64 algo as hashcat to make records unique
internal_md5_64_algo:mac_ap:mac_sta:essid


That means:
a. passwords, usernames or plainmasterkeys are not transmitted
b. you didn't use wlandump-ng or wlanresponse (these tools are able to capture the relevant things)
c. the capture was cleaned (bad idea to do this)

5.
let's get some info about our test.hccapx
$ wlanhcxinfo -i test.hccapx
total hashes read from file..: 4
wlandump forced handshakes...: 0
802.1x Version 2001..........: 0
802.1x Version 2004..........: 4
key version wpa1.............: 0
key version wpa2.............: 4
message pair M12E2...........: 2 (0 not replaycount checked)
message pair M14E4...........: 0 (0 not replaycount checked)
message pair M32E2...........: 2 (0 not replaycount checked)
message pair M32E3...........: 0 (0 not replaycount checked)
message pair M34E3...........: 0 (0 not replaycount checked)
message pair M34E4...........: 0 (0 not replaycount checked)

We have a complete handshake (M1/M2 and M2/M3). That's really good.
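Added example (not part of the original post and not hcxtools code): a small parser for the hccapx record layout that reproduces the kind of summary wlanhcxinfo prints in step 5, so you can check what a converter actually wrote before starting a long hashcat run. It assumes hashcat's documented 393-byte hccapx v4 layout, that bit 0x80 of message_pair means "replay counter not checked", and that keyver 1/2 mean WPA1/WPA2; the two records in SAMPLE are constructed here (zeroed MIC and nonces, MACs taken from the hashinfo lines above).

```python
import struct
from collections import Counter

# hccapx v4 layout (assumption: hashcat's documented format, 393 bytes per record)
HCCAPX_FMT = "<4sIBB32sB16s6s32s6s32sH256s"
HCCAPX_SIZE = struct.calcsize(HCCAPX_FMT)  # 393
MP_NAMES = {0: "M12E2", 1: "M14E4", 2: "M32E2", 3: "M32E3", 4: "M34E3", 5: "M34E4"}

def parse_hccapx(data):
    """Yield one dict per record; a bad size or signature raises instead of being skipped."""
    if len(data) % HCCAPX_SIZE:
        raise ValueError("file size is not a multiple of %d bytes" % HCCAPX_SIZE)
    for off in range(0, len(data), HCCAPX_SIZE):
        (sig, ver, mp, essid_len, essid, keyver, mic, mac_ap, nonce_ap,
         mac_sta, nonce_sta, eapol_len, eapol) = struct.unpack_from(HCCAPX_FMT, data, off)
        if sig != b"HCPX" or ver != 4:
            raise ValueError("not an hccapx v4 record at offset %d" % off)
        yield {"essid": essid[:essid_len], "keyver": keyver,
               "pair": MP_NAMES.get(mp & 0x7F, "unknown"),
               "rc_unchecked": bool(mp & 0x80),      # assumption: 0x80 = replay counter not checked
               "mac_ap": mac_ap.hex(), "mac_sta": mac_sta.hex(),
               "eapol_ver": eapol[0] if eapol_len else None}  # first EAPOL byte = 802.1X version

def summarize(data):
    """Counts matching the wlanhcxinfo fields shown in the post."""
    recs = list(parse_hccapx(data))
    return {"total": len(recs),
            "x1_2001": sum(r["eapol_ver"] == 1 for r in recs),
            "x1_2004": sum(r["eapol_ver"] == 2 for r in recs),
            "wpa1": sum(r["keyver"] == 1 for r in recs),
            "wpa2": sum(r["keyver"] == 2 for r in recs),
            "pairs": Counter(r["pair"] for r in recs),
            "rc_unchecked": Counter(r["pair"] for r in recs if r["rc_unchecked"])}

def make_record(essid, mp, keyver, eapol):
    """Constructed sample record for this example only (zero MIC and nonces)."""
    return struct.pack(HCCAPX_FMT, b"HCPX", 4, mp, len(essid), essid.ljust(32, b"\0"), keyver,
                       b"\0" * 16, bytes.fromhex("000c4182b255"), b"\0" * 32,
                       bytes.fromhex("000d9382363a"), b"\0" * 32, len(eapol), eapol.ljust(256, b"\0"))

# two constructed records: M1/M2 and M2/M3 pairs, 802.1X version 2 (2004), WPA2 key version
SAMPLE = (make_record(b"Coherer", 0, 2, b"\x02\x03\x00\x75")
          + make_record(b"Coherer", 2, 2, b"\x02\x03\x00\x75"))

if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print("%-12s: %s" % (name, value))
```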
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 07-17-2017, 01:32 PM