hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
manually calculate hashcat's "--nonce-error-corrections" using hcxtools

If you use wlancap2hcx, you'll get a proposal for the --nonce-error-corrections value of hashcat.
It looks like this:
hashcat --nonce-error-corrections is working on that file (that means you can use the default value) or
you should use hashcat --nonce-error-corrections=16 (or greater) on ...
you should use hashcat --nonce-error-corrections=32 (or greater) on ...
you should use hashcat --nonce-error-corrections=64 (or greater) on ...

If you like, you can calculate this value manually:
Use wlanhcxinfo options -a -A to get the required information:
$ wlanhcxinfo -i yourhccapxfile.hccapx -a -A
This will show you all anonces (anonce = nonce transmitted by the access point).
You will get something like this:
mac_ap          anonce
(for little endian APs)

(for big endian APs)

You can see that the last byte is counting up.
You can also see that there are gaps between the values (caused by packet loss of the dumper).
Now take the highest value and subtract the lowest value (little endian: 0xa8 - 0xa1 = 7, big endian: 0x40 - 0x3a = 6).
The result is the lowest value you should use for hashcat --nonce-error-corrections!

Keep in mind: This will only work on hccapx files converted from uncleaned(!) and unreduced(!) cap files.
It doesn't work on a single handshake!!!!

Background information:
An access point uses several different EAPOL-timers like this:
EAP-Identity-Request Timeout (seconds)
EAP-Identity-Request Max Retries
EAP Key-Index for Dynamic WEP
EAP Max-Login Ignore Identity Response
EAP-Request Timeout (seconds)
EAP-Request Max Retries
EAPOL-Key Timeout (milliseconds)
EAPOL-Key Max Retries
EAP-Broadcast Key Interval

Calculating an anonce, releasing an anonce, calculation of the replaycount, releasing a replaycount, accepting an authentication: all this depends on these timers.
Knowing the "secrets" about these timers allows us to use nonce-error-corrections (and other features built into hashcat and hcxtools).
Disregarding this (by cleaning caps, reducing caps to only one handshake, capturing only one handshake, using too many deauthentications) will possibly make you fail to calculate the key!

Why will you possibly fail?
wlanhcxinfo will show you this using the options -a -A -R.
Well, let's take a look into the replaycount (-R):

$ wlanhcxinfo -i yourhccapxfile.hccapx -a -A -R
mac_ap          anonce                                                                                          replaycount
(on the little endian AP)

(on the big endian AP)

In both cases the APs received too many deauthentications and didn't receive their clients' packets.
So they reset their replaycounters.
Without using nonce-error-corrections, in many cases you are not able to calculate the password because the M2 and/or M4 of the client doesn't match!
Sending more (than much) deauthentications causes APs to release their complete anonce. In that case not even nonce-error-corrections will work!

update hcxtools 4.0.0-rc1:
Added new option -I to wlanhcxmnc:
-I          : show mac_ap and anonces

now you can use
$ wlanhcxmnc -i yourfile.hccapx -I
to get the required information for hashcat's nonce-error-corrections.

stdout is used for printing this information, so it's possible to redirect the output to a file:
$ wlanhcxmnc -i yourfile.hccapx -I > apinfos

wlanhcxinfo options -a -A are no longer needed for this purpose!
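As an added example (not the post's text and not hcxtools code), the manual subtraction step described above, done in Python over constructed anonce lists: it finds which byte of the 32-byte anonce is counting instead of assuming its position, and also handles a counter that carried into the neighbouring byte, which the post does not cover.

```python
ANONCE_LEN = 32  # an EAPOL anonce is 32 bytes (64 hex characters in the wlanhcxinfo output)

# Constructed sample anonces, not taken from a real capture. Each list is what
# one access point would send across several handshakes: a single byte counts
# up, with gaps where the dumper lost packets (as described in the post).
_BASE = bytes(range(0x10, 0x10 + ANONCE_LEN))
LAST_BYTE_COUNTER_AP = [(_BASE[:-1] + bytes([c])).hex() for c in (0xa1, 0xa2, 0xa4, 0xa5, 0xa8)]
FIRST_BYTE_COUNTER_AP = [(bytes([c]) + _BASE[1:]).hex() for c in (0x3a, 0x3b, 0x3d, 0x40)]
# Counter carried from the last byte into the one before it (0x00fe -> 0x0100).
CARRY_AP = [(_BASE[:-2] + bytes(c)).hex() for c in ((0x00, 0xfe), (0x00, 0xff), (0x01, 0x00))]


def varying_bytes(nonces):
    """Offsets of the bytes that differ between the anonces (the counter bytes)."""
    first = nonces[0]
    return [i for i in range(ANONCE_LEN) if any(n[i] != first[i] for n in nonces[1:])]


def nonce_spread(anonce_hex):
    """Highest minus lowest counter value: the minimum --nonce-error-corrections.

    Mirrors the post's manual step (0xa8 - 0xa1 = 7) but locates the counting
    byte itself instead of assuming where it sits. If the counter carried into
    a neighbouring byte, the changed window is read as an integer in both byte
    orders and the smaller spread is taken.
    """
    nonces = [bytes.fromhex(a) for a in anonce_hex]
    if len(nonces) < 2:
        raise ValueError("need at least two anonces from the same access point")
    if any(len(n) != ANONCE_LEN for n in nonces):
        raise ValueError("every anonce must be %d bytes" % ANONCE_LEN)
    pos = varying_bytes(nonces)
    if not pos:
        return 0  # identical anonces: nothing to correct
    lo, hi = pos[0], pos[-1] + 1  # assumes the counter bytes are adjacent
    spreads = []
    for order in ("big", "little"):
        vals = [int.from_bytes(n[lo:hi], order) for n in nonces]
        spreads.append(max(vals) - min(vals))
    return min(spreads)


if __name__ == "__main__":
    for name, ap in (("last byte counts", LAST_BYTE_COUNTER_AP),
                     ("first byte counts", FIRST_BYTE_COUNTER_AP),
                     ("carry into next byte", CARRY_AP)):
        offsets = varying_bytes([bytes.fromhex(a) for a in ap])
        print("%-22s byte(s) %s  spread %d" % (name, offsets, nonce_spread(ap)))
```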

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 09-17-2017, 11:18 AM