hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
#66
I have tested the most-used WPA cracking tools, hashcat (google: about 274,000 results), aircrack-ng (google: about 535,000 results) and John the Ripper jumbo (google: about 311,000 results), to see how they work on WPA using their own conversion tools and how they work closely together with hcxtools.

Overview of the tests:
1. cap2hccapx -> hashcat
2. wpapcap2john -> john
3. aircrack-ng
4. wlancap2hcx -> hashcat
5. wlancap2hcx -> wlanhcx2john -> john


1. Test: cap2hccapx -> hashcat
(https://github.com/hashcat/hashcat-utils)
$ time cap2hccapx 20170228.cap cap2hccapx.hccapx
Written 12736 WPA Handshakes to: cap2hccapx.hccapx
real 4m37,154s
user 4m36,964s
sys 0m0,170s

a) no nonce-error-correction
$ hashcat -m 2500 --nonce-error-corrections=0 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 cap2hccapx.hccapx wlan
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: cap2hccapx.hccapx
Time.Started.....: Wed Sep 27 10:05:30 2017 (1 min, 40 secs)
Time.Estimated...: Wed Sep 27 10:07:10 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   403.0 kH/s (0.93ms)
Recovered........: 1297/8967 (14.46%) Digests, 227/1059 (21.44%) Salts
Recovered/Time...: CUR:681,N/A,N/A AVG:782,46927,1126251 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 73c Fan: 84% Util: 10% Core:1847MHz Mem:5005MHz Bus:16

b) nonce-error-correction 8 (default)
$ hashcat -m 2500 --nonce-error-corrections=8 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 cap2hccapx.hccapx wlan
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: cap2hccapx.hccapx
Time.Started.....: Wed Sep 27 10:07:45 2017 (2 mins, 47 secs)
Time.Estimated...: Wed Sep 27 10:10:32 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   264.7 kH/s (0.94ms)
Recovered........: 1901/8967 (21.20%) Digests, 242/1059 (22.85%) Salts
Recovered/Time...: CUR:702,N/A,N/A AVG:682,40959,983039 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 71c Fan: 33% Util: 24% Core:1847MHz Mem:5005MHz Bus:16


2. Test: wpapcap2john -> john
(https://github.com/magnumripper/JohnTheRipper)
$ time wpapcap2john 20170228.cap > wpapcap2john.john
Dumping 212780 unverified auths
18500 ESSIDS processed
real 0m49,941s
user 0m44,413s
sys 0m1,621s

as of today nonce-error-corrections isn't implemented in JtR (but in progress for the next update)
$ john -w:wlan --format=wpapsk-opencl --pot=john.pot wpapcap2john.john
Device 0: GeForce GTX 1080 Ti
Local worksize (LWS) 64, global worksize (GWS) 2097152
Loaded 7481 password hashes with 7481 different salts (wpapsk-opencl, WPA/WPA2 PSK [PBKDF2-SHA1 OpenCL])
1767g 0:00:01:18 DONE (2017-09-27 09:44) 22.57g/s 476.3p/s 3563Kc/s 3563KC/s GPU:79°C util:99% fan:60%


3. Test: aircrack-ng
(http://svn.aircrack-ng.org/trunk/)
$ time aircrack-ng -J aircrackng 20170228.cap
Opening 20170228.cap
Reading packets, please wait...
Index number of target network ? 17887
Opening 20170228.cap
Reading packets, please wait...
Building Hashcat (1.00) file...
Successfully written to aircrackng.hccap
Quitting aircrack-ng...
real 3m17,601s
user 1m40,430s
sys 0m0,107s

Remarks:
only hashes from 16927 up to 17887 displayed
only 1 hash written to hashfile
only supports the hashcat 1.0 hccap format
real handshakes detected:
$ aircrack-ng  20170228.cap | grep "1 hand" > aircrackhandshakes
$ wc -l aircrackhandshakes
1356 aircrackhandshakes found (5 with empty ESSIDs)
I didn't have the time to test 1356 single hashes!

now the same, but using wpaclean on 20170228.cap
$ wpaclean wpaclean.cap 20170228.cap
$ aircrack-ng wpaclean.cap | grep "1 hand" > aircrackhandshakescleaned
$ wc -l aircrackhandshakescleaned
1305 aircrackhandshakescleaned
I didn't have the time to test 1305 single hashes!

$ wlancap2hcx -o wpacleaned.hccapx wpaclean.cap
start reading from wpaclean.cap
4056 packets processed (4056 wlan, 0 lan, 0 loopback)
total 1259 usefull wpa handshakes
found 1 handshake with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)
found 30 WPA1 RC4 Cipher, HMAC-MD5
found 1229 WPA2 AES Cipher, HMAC-SHA1
found 68 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
warning: use of wpaclean detected

a) no nonce-error-correction on that cleaned cap
$ hashcat -m 2500 --nonce-error-corrections=0 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 wpacleaned.hccapx wlan
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wpacleaned.hccapx
Time.Started.....: Wed Sep 27 11:50:11 2017 (1 min, 31 secs)
Time.Estimated...: Wed Sep 27 11:51:42 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   417.6 kH/s (0.95ms)
Recovered........: 356/1257 (28.32%) Digests, 266/1016 (26.18%) Salts
Recovered/Time...: CUR:221,N/A,N/A AVG:234,14046,337111 (Min,Hour,Day)
Progress.........: 37881560/37881560 (100.00%)
Rejected.........: 0/37881560 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 73c Fan: 78% Util: 66% Core:1860MHz Mem:5005MHz Bus:16

b) nonce-error-correction 8 (default) on that cleaned cap
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wpacleaned.hccapx
Time.Started.....: Wed Sep 27 11:52:14 2017 (1 min, 40 secs)
Time.Estimated...: Wed Sep 27 11:53:54 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   378.6 kH/s (0.94ms)
Recovered........: 365/1257 (29.04%) Digests, 273/1016 (26.87%) Salts
Recovered/Time...: CUR:202,N/A,N/A AVG:218,13091,314184 (Min,Hour,Day)
Progress.........: 37881560/37881560 (100.00%)
Rejected.........: 0/37881560 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 73c Fan: 75% Util: 44% Core:1860MHz Mem:5005MHz Bus:16


4. Test: wlancap2hcx -> hashcat
(https://github.com/ZerBea/hcxtools)
$ time wlancap2hcx -o wlancap2hcx.hccapx 20170228.cap
start reading from 20170228.cap
1396632 packets processed (1396632 wlan, 0 lan, 0 loopback)
total 18537 usefull wpa handshakes
found 21 handshakes with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)
found 184 WPA1 RC4 Cipher, HMAC-MD5
found 18353 WPA2 AES Cipher, HMAC-SHA1
found 1431 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
you should use hashcat --nonce-error-corrections=64 (or greater) on wlancap2hcx.hccapx
found WDS or Mesh packets
real 0m0,911s
user 0m0,760s
sys 0m0,149s

a) no nonce-error-correction
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wlancap2hcx.hccapx
Time.Started.....: Wed Sep 27 09:58:34 2017 (1 min, 40 secs)
Time.Estimated...: Wed Sep 27 10:00:14 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   407.1 kH/s (0.93ms)
Recovered........: 2871/11989 (23.95%) Digests, 266/1059 (25.12%) Salts
Recovered/Time...: CUR:2017,N/A,N/A AVG:1713,102790,2466976 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 73c Fan: 71% Util: 49% Core:1860MHz Mem:5005MHz Bus:16

b) nonce-error-correction 8 (default)
$ hashcat -m 2500 --nonce-error-corrections=8 --logfile-disable --potfile-disable --outfile-format=2 -o foundhashcat.2500 wlancap2hcx.hccapx wlan
hashcat (4.0.0-rc1) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: wlancap2hcx.hccapx
Time.Started.....: Wed Sep 27 10:01:29 2017 (3 mins, 13 secs)
Time.Estimated...: Wed Sep 27 10:04:42 2017 (0 secs)
Guess.Base.......: File (wlan)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   290.9 kH/s (0.94ms)
Recovered........: 2969/11989 (24.76%) Digests, 282/1059 (26.63%) Salts
Recovered/Time...: CUR:870,N/A,N/A AVG:922,55330,1327926 (Min,Hour,Day)
Progress.........: 39484815/39484815 (100.00%)
Rejected.........: 0/39484815 (0.00%)
Restore.Point....: 37285/37285 (100.00%)
Candidates.#1....:          -> волчонок
HWMon.Dev.#1.....: Temp: 72c Fan: 42% Util: 75% Core:1860MHz Mem:5005MHz Bus:16


5. Test: wlancap2hcx -> wlanhcx2john -> john
(https://github.com/ZerBea/hcxtools)
$ time wlancap2hcx -o wlancap2hcx.hccapx 20170228.cap
start reading from 20170228.cap
1396632 packets processed (1396632 wlan, 0 lan, 0 loopback)
total 18537 usefull wpa handshakes
found 21 handshakes with zeroed plainmasterkeys (hashcat -m 2501 with a zeroed plainmasterkey)
found 184 WPA1 RC4 Cipher, HMAC-MD5
found 18353 WPA2 AES Cipher, HMAC-SHA1
found 1431 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
you should use hashcat --nonce-error-corrections=64 (or greater) on wlancap2hcx.hccapx
found WDS or Mesh packets
real 0m0,911s
user 0m0,760s
sys 0m0,149s

$ wlanhcx2john -o wlanhcx2john.john wlancap2hcx.hccapx
18537 records read from wlancap2hcx.hccapx
18537 records written to wlanhcx2john.john

as of today nonce-error-corrections isn't implemented in JtR (but in progress for the next update)
$ john -w:wlan --format=wpapsk-opencl --pot=john.pot wlanhcx2john.john
Device 0: GeForce GTX 1080 Ti
Local worksize (LWS) 64, global worksize (GWS) 2097152
Loaded 11984 password hashes with 11984 different salts (wpapsk-opencl, WPA/WPA2 PSK [PBKDF2-SHA1 OpenCL])
2871g 0:00:01:23 DONE (2017-09-27 10:12) 34.21g/s 444.3p/s 5325Kc/s 5325KC/s GPU:81°C util:99% fan:62%

Well, no conclusion from me, so make your own conclusion about all tools, results and features (nonce-error-corrections).


Messages In This Thread
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 09-27-2017, 04:10 PM
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM