hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi espfound.
Thanks for the congratulations.
Nearly every wlanhcx2ssid option will increase speed of hashcat, because we reduce the hashes we will feed hashcat with.
But most of them will increase the possibility that we will use a faulty handshake. There are many reasons:
- packet loss of the dumper, not seen by conversion tool
- crappy/no replaycount check by the conversion tool
- no EAPOL timeout check by the conversion tool (there are some tools which assume that the second received packet on a M1 is the correct M2 - also there are tools which zeroes the timestamp; in that case we are not able to detect EAPOL timeout).
If you are shure, the captured handshake is valid, then only one handshake is ok. In that case you will get full hashcat speed. Mostly hcxpcaptool will give you the best handshake.
I randomized the ap-less attack to prevent counter measures against us.
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: f0a2255ab3b0 (client)
MAC ACCESS POINT.........: 00234aca3243 (start NIC)
EAPOL TIMEOUT............: 100000
REPLAYCOUNTER............: 64105
ANONCE...................: a7b5e3f9cdacb546352fc96559f9a3bf7d7f73ba3d3e17a25c28098c65b2e80d

Next hcxdumptool will use the comment field of pcapng EHBs (Enhanced Packet Block) to inform the hcxpcaptool about this (a very good reason to use pcapng instead of pcap, cap). hcxdumptool will save replaycount and anonce value into the comment field of the M2 EPB.

The reason for the duplicates in is simple to explain. We make shure that we are more often on common used channels than on other ones:
- 1,6,11 are most common default channels - so a good scanlist is: 1,6,11,2,1,6,11,3,1,6,11.....
- we can run "frequency overlapped attacks" if we are near of an access point. If we are on channel 2, neighbour channels 1 and 3 are under attack, too. So a good scanlist for that purpose is 1,3,5,7...2,4,6,8

Still we have some om them in the wildness. So there is no real need to remove them.
aircrack-ng has wep support (haven't seen wep encrypted networks for a long time here)
reaver, bully and pixie have wps support (haven't seen wps enabled networks or vulnerable networks for a long time here)

Messages In This Thread
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 08-05-2018, 11:23 AM