hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi wakawaka.
Nice, that the tools are working for you, now.
The difference between hcxpcaptool -o and -O is:
-o will convert only one handshake each mac_ap, mac_sta, ESSID combination. The handshake with the lowest timegap between M1 and M2, M2 and M3, M3 and M4 (if M4 isn't zeroed) or M1 and M4 (if M4 isn't zeroed) is used.
-O will convert all combinations (useful if a client did a typo, like half of the PSK, for example).

Here is an explanation of the fields of your status output:
you captured a total of 1966 EAPOL frames, but only 11 handshakes are valid (matching replycount, matching timegap between the frames). 1966 frames means you are not really in range of the AP and/or clients, or your tx power is too high. Long range adapters like the ALFAs cause something like that. They have one or two watts and an AP or a client has only 10...100 milliwatts.

5 frames are captured from a client (connection hcxdumptool <-> client). AP-less attack
we have only the combination M1/M2, because we can't calculate a valid M3
you can strip them for a further going analysis and/or a hashcat run using
wlanhcx2ssid -i yourtest.hccapx -w apless.hccapx
wlanhcx2ssid -i apless.hccapx -N hashtotest.hccapx
hashcat -m 2500 --nonce-error-corrections=0 hashtotest.hccapx yourwordlist

1 frame is captured from an AP (you attacked an established connection between an AP and a client)
you can strip these handshakes using:
wlanhcx2ssid -i yourtest.hccapx -2 established.hccapx
hashcat -m 2500 established.hccapx yourwordlist
hcxpcaptool detected that nonce-error-correction is possible and you should use at least the default value (8) on this handshake(s), because we can't be sure whether there is a packet loss or not.

The question which option to use (hcxpcaptool -o -O) isn't easy to answer and depends on what result you expect.
As an analyst and in that case, I prefer -O to determine whether the client tries several PSKs to connect to an AP or not.

I suggest using 2 databases: one (-o) for the best handshakes and one (-O) for all handshakes. All your handshakes should go into these 2 databases.
Then strip whatever you like to test from these databases using wlanhcx2ssid and run hashcat on it:
capture all you can get using hcxdumptool
convert all you captured into the 2 databases using hcxpcaptool
analyze the content using wlanhcxinfo (various options: -a, -s, -e,...)
strip what you like to test using wlanhcx2ssid
and run hashcat on these hashes

wlanhcxinfo and wlanhcx2ssid should be your "main" tools.
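The post describes working with hccapx records by mac_ap, mac_sta and ESSID combination and stripping the M1/M2 (AP-less) records from the established ones. The following added example, which is not code from the hcxtools project or from the post, is a small reader for the hccapx v4 record format as documented by hashcat (393-byte little-endian records) that groups records by that combination and splits them the way the wlanhcx2ssid -w / -2 calls above do. The sample records, the MAC addresses, the ESSIDs and all helper names are constructed for the demo; MIC, nonces and EAPOL data are zeroed, so the output is only useful for inspecting the format, not for a hashcat run. Bit 7 of message_pair is a flag bit used by hashcat and is masked off here rather than interpreted.

```python
import struct
from collections import defaultdict

# hccapx v4 record layout (393 bytes, little-endian), as documented by hashcat:
# signature, version, message_pair, essid_len, essid[32], keyver, keymic[16],
# mac_ap[6], nonce_ap[32], mac_sta[6], nonce_sta[32], eapol_len, eapol[256]
HCCAPX_STRUCT = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
HCCAPX_SIZE = HCCAPX_STRUCT.size  # 393
HCCAPX_SIGNATURE = b"HCPX"
HCCAPX_VERSION = 4

# Low 7 bits of message_pair identify which EAPOL messages the record came from.
MESSAGE_PAIR_NAMES = {
    0: "M1+M2 (EAPOL from M2)",
    1: "M1+M4 (EAPOL from M4)",
    2: "M2+M3 (EAPOL from M2)",
    3: "M2+M3 (EAPOL from M3)",
    4: "M3+M4 (EAPOL from M3)",
    5: "M3+M4 (EAPOL from M4)",
}
MESSAGE_PAIR_MASK = 0x7F  # bit 7 is a hashcat flag bit; not interpreted here


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_hccapx(data):
    """Return a list of record dicts from raw hccapx bytes; reject malformed input."""
    if len(data) % HCCAPX_SIZE:
        raise ValueError("size %d is not a multiple of %d" % (len(data), HCCAPX_SIZE))
    records = []
    for off in range(0, len(data), HCCAPX_SIZE):
        (sig, ver, mp, essid_len, essid, keyver, keymic, mac_ap, nonce_ap,
         mac_sta, nonce_sta, eapol_len, eapol) = HCCAPX_STRUCT.unpack_from(data, off)
        if sig != HCCAPX_SIGNATURE or ver != HCCAPX_VERSION:
            raise ValueError("bad signature/version at offset %d" % off)
        if essid_len > 32 or eapol_len > 256:
            raise ValueError("length field out of range at offset %d" % off)
        records.append({
            "raw": data[off:off + HCCAPX_SIZE],
            "message_pair": mp & MESSAGE_PAIR_MASK,
            "essid": essid[:essid_len],
            "keyver": keyver,
            "mac_ap": _mac(mac_ap),
            "mac_sta": _mac(mac_sta),
            "eapol_len": eapol_len,
        })
    return records


def group_by_combination(records):
    """Group records by (mac_ap, mac_sta, essid), the key -o/-O work with."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["mac_ap"], r["mac_sta"], r["essid"])].append(r)
    return dict(groups)


def is_apless(record):
    """M1+M2 is the only pair obtainable when no real AP took part (AP-less)."""
    return record["message_pair"] == 0


def split_apless_established(records):
    """Return (apless_bytes, established_bytes), like wlanhcx2ssid -w and -2."""
    apless = b"".join(r["raw"] for r in records if is_apless(r))
    established = b"".join(r["raw"] for r in records if not is_apless(r))
    return apless, established


def build_record(message_pair, essid, mac_ap, mac_sta, keyver=2):
    """Constructed demo record with zeroed MIC/nonces/EAPOL (not crackable)."""
    essid = essid.encode()
    return HCCAPX_STRUCT.pack(HCCAPX_SIGNATURE, HCCAPX_VERSION, message_pair,
                              len(essid), essid, keyver, b"\0" * 16,
                              mac_ap, b"\0" * 32, mac_sta, b"\0" * 32,
                              0, b"\0" * 256)


# Constructed sample: two records for one combination (what -O keeps, -o would
# reduce to one), one AP-less record for a second client, one established one.
AP1, AP2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
STA1, STA2 = bytes.fromhex("020000000101"), bytes.fromhex("020000000102")
SAMPLE = b"".join([
    build_record(0, "lab-ssid", AP1, STA1),
    build_record(2, "lab-ssid", AP1, STA1),
    build_record(0, "lab-ssid", AP1, STA2),
    build_record(5, "other-ssid", AP2, STA1),
])


def summarize(data):
    """Per-combination list of message-pair names, like a wlanhcxinfo overview."""
    return {k: [MESSAGE_PAIR_NAMES.get(r["message_pair"], "unknown") for r in v]
            for k, v in group_by_combination(parse_hccapx(data)).items()}


if __name__ == "__main__":
    for key, pairs in summarize(SAMPLE).items():
        print(key[0], key[1], key[2].decode(errors="replace"), pairs)
```

Reading a real file is `parse_hccapx(open("yourtest.hccapx", "rb").read())`; the two byte strings returned by `split_apless_established` can be written straight to `apless.hccapx` and `established.hccapx`. Note that hccapx records carry no timestamps, so the "lowest timegap" selection hcxpcaptool -o performs cannot be reproduced from the converted file alone.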
Messages In This Thread
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 05-22-2018, 09:30 AM