hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi ee10.
You're too fast for me (asking this question). Added this option yesterday, but didn't have the time to write a post.

wlancap2hcx
added new option to remove handshakes that belong to the same authentication sequence
-D        : remove handshakes that belong to the same authentication sequence
         : you must use nonce-error-corrections on that file!

wlanhcx2ssid
added new option to remove handshakes that belong to the same authentication sequence
-D <file> : remove handshakes that belong to the same authentication sequence
         : you must use nonce-error-corrections on that file!

The new option -D removes all duplicate handshakes that are captured within the lease time of an EAPOL timer.
The options -n and -N remove all duplicates and keep one handshake for each mac_ap, mac_sta, essid, message_pair combination (-N) or one handshake for each mac_sta, essid combination (-n). They don't take care of the lease time!

-D removes fewer duplicates than -n or -N, but will keep the following:
- client tries to connect to the access point using half of his password, then he tries to connect using the complete password
- access point / client changed the password during the capture time
- user merged two or more different caps before he converts them to hccapx

-n or -N only keep one of these handshakes and remove the other ones.

If you have enough gpu power or enough time, it's better to choose option -D.

The new option is designed on demand of wpa-sec.stanev.org to prepare incoming caps for the database (remove duplicates, but keep all the gems). wpa-sec.stanev.org is on its way to finish the migration to hashcat 4.0.1 and needs this option to reduce the size of the database, but keep important handshakes (the gems). We cannot assume that all handshakes in a submitted cap belong to the same authentication sequence in range of the lease time of an EAPOL timer (so we need -D).

Let's take a look at this example of a merged cap containing handshakes from 2 different EAPOL lease times:
$ wlanhcx2ssid -i complete.hccapx -D rem1.hccapx
2654 records read from complete.hccapx
2267 records removed
387 records written


$ wlanhcx2ssid -i complete.hccapx -N rem2.hccapx
2654 records read from complete.hccapx
363 records written to rem2.hccapx

$ wlanhcx2ssid -i complete.hccapx -n rem3.hccapx
2654 records read from complete.hccapx
273 records written to rem3.hccapx

Option -D keeps 24 handshakes captured from different lease times (you must enable at least default nonce-error-corrections).
Option -N removed them too, but takes care of the message_pair.
Option -n removed more and doesn't take care of the message_pair (you must use high nonce-error-corrections values).

Option -D wlancap2hcx is similar to option -D wlanhcx2ssid (same source code).

And, as you can see, every single option of hcxtools has a price tag. If you choose this option, you have to pay the price.
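The key-based deduplication described for -N and -n in the post above, as an added example that is not part of the original post and is not hcxtools' own code: it parses constructed hccapx records and shows how each key collapses them. The MAC addresses, ESSID and MIC bytes are made up, keeping the first record per key is an assumption, and -D is not modelled because the post does not give its algorithm.

```python
import struct

# hccapx record: 393 bytes, packed, little-endian (layout from the hashcat hccapx format)
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")

KEY_UPPER_N = ("mac_ap", "mac_sta", "essid", "message_pair")  # -N, per the post
KEY_LOWER_N = ("mac_sta", "essid")                            # -n, per the post

def make_record(essid, mac_ap, mac_sta, message_pair, mic_byte):
    """Constructed test record: nonces and EAPOL frame are zero filler."""
    return HCCAPX.pack(b"HCPX", 4, message_pair, len(essid), essid, 1,
                       bytes([mic_byte]) * 16, mac_ap, bytes(32),
                       mac_sta, bytes(32), 0, b"")

def parse(blob):
    """Yield the dedup-relevant fields of each record; skip bad signatures."""
    for off in range(0, len(blob) - HCCAPX.size + 1, HCCAPX.size):
        f = HCCAPX.unpack_from(blob, off)
        if f[0] != b"HCPX":
            continue
        yield {"message_pair": f[2], "essid": f[4][:f[3]], "keymic": f[6],
               "mac_ap": f[7], "mac_sta": f[9]}

def dedup(records, key_fields):
    """Keep the first record per key (which one is kept is an assumption)."""
    kept = {}
    for rec in records:
        kept.setdefault(tuple(rec[k] for k in key_fields), rec)
    return list(kept.values())

AP1, AP2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
STA1, STA2 = bytes.fromhex("0200000000a1"), bytes.fromhex("0200000000a2")
# Constructed capture: STA1 authenticates twice against AP1 with different MICs
# (e.g. half of the password, then the complete one), plus three other handshakes.
SAMPLE = b"".join([
    make_record(b"home", AP1, STA1, 0, 0x11),
    make_record(b"home", AP1, STA1, 0, 0x22),
    make_record(b"home", AP1, STA1, 2, 0x33),
    make_record(b"home", AP2, STA1, 0, 0x44),
    make_record(b"home", AP1, STA2, 0, 0x55),
])

if __name__ == "__main__":
    recs = list(parse(SAMPLE))
    print(len(recs), len(dedup(recs, KEY_UPPER_N)), len(dedup(recs, KEY_LOWER_N)))
```

In this sample both keys discard the second STA1/AP1 handshake (MIC 0x22), which is the kind of record the post says -D is meant to keep.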


Messages In This Thread
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 12-22-2017, 10:14 AM
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM