hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi MadMeow.
First of all, thanks. I am very pleased about that.
1.
I'm not sure how to handle the TL-WN722N. I noticed some issues in handling the FCS. You can read more about that here:
https://github.com/qca/open-ath9k-htc-fi...issues/126
https://wikidevi.com/wiki/Wireless_adapt...pset_table (do a search for "broken")
https://github.com/vanhoefm/modwifi/issues/9
https://github.com/ZerBea/hcxdumptool/is...-410726219

(https://forums.kali.org/showthread.php?34265-Kali-linux-2016-2-amd64-problem-AWUS036H-wifi-card&styleid=2)

Sometimes the delivered packets (from userspace via raw socket to driver) are cut by the driver (last 2 bytes - I assume that is the FCS). After a while, the driver crashes. You can reproduce this using Wireshark. Wireshark will show you many "Malformed Packets", even if hcxdumptool is not running!

2.
Format of the 16800 potfile:
PMKID*MAC_AP*MAC_STA*ESSID followed by the PSK
Format of the 16801 potfile:
PMKID*MAC_AP*MAC_STA followed by the PMK

If you have more hashlines with the same MAC_AP (BSSID) you can remove all except one. This will speed up hashcat a little bit.

Using Version 4.2.1 you will notice some improvements:
--enable_status=<digit> : enable status messages
bitmask:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATION
8: ASSOCIATION

For example, to retrieve EAPOL and PROBEREQUEST/PROBERESPONSE you can use
--enable_status=1 --enable_status=2
or via bitmask
--enable_status=3

status output will show you:
[FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 11132]
These packets will be marked green in Wireshark.

[FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 2129]
[FOUND PMKID]
[FOUND PMKID CLIENT-LESS]
or if hcxdumptool restarts the authentication sequence between a client and an access point
[EAPOL 4/4 - M4 RETRY ATTACK]
If you get more of these messages, you are too far away from the access point.

--enable_status=2 will show you possible PSKs retrieved from the traffic, as well as ESSIDs.

Also we do a measurement of the EAPOL key timeout.
High timeout means: much traffic on the channel or weak signals

Get more information and some nice how-tos here:
https://medium.com/@adam.toscher/new-att...c3119f7f99
and here:
https://www.youtube.com/watch?v=ve_0Qhd0bSM
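To make the 16800/16801 hashline format from the post concrete, here is an added example (not part of hcxtools or the post) that parses such lines, checks the field lengths, decodes the hex ESSID, and keeps only the first line per MAC_AP (BSSID), which is the deduplication the post recommends. The sample lines are constructed values, not captured data, and the 3-field handling for 16801 and the skip-malformed-lines policy are this example's own choices.

```python
"""Parse hashcat 16800/16801 hash lines and drop duplicates that share a MAC_AP.

Added example, not part of hcxtools. The sample lines below are constructed
(random-looking hex values), not captured data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class PmkidLine:
    pmkid: str
    mac_ap: str
    mac_sta: str
    essid: Optional[str]   # None for 16801 lines, which carry no ESSID
    raw: str


def _is_hex(s: str, length: Optional[int] = None) -> bool:
    """True if s is non-empty hex, optionally of an exact length."""
    if length is not None and len(s) != length:
        return False
    return len(s) > 0 and all(c in "0123456789abcdefABCDEF" for c in s)


def parse_line(line: str) -> PmkidLine:
    """Parse one hashline.

    Mode 16800 has four '*'-separated fields (PMKID*MAC_AP*MAC_STA*ESSID, ESSID
    hex-encoded); mode 16801 has three (PMKID*MAC_AP*MAC_STA). Raises ValueError
    on anything else.
    """
    line = line.strip()
    fields = line.split("*")
    if len(fields) not in (3, 4):
        raise ValueError(f"expected 3 or 4 fields, got {len(fields)}: {line!r}")
    pmkid, mac_ap, mac_sta = fields[:3]
    if not _is_hex(pmkid, 32):
        raise ValueError(f"PMKID must be 32 hex chars: {pmkid!r}")
    if not _is_hex(mac_ap, 12) or not _is_hex(mac_sta, 12):
        raise ValueError(f"MACs must be 12 hex chars: {mac_ap!r}, {mac_sta!r}")
    essid = None
    if len(fields) == 4:
        if not _is_hex(fields[3]):
            raise ValueError(f"ESSID must be hex-encoded: {fields[3]!r}")
        essid = bytes.fromhex(fields[3]).decode("utf-8", errors="replace")
    return PmkidLine(pmkid.lower(), mac_ap.lower(), mac_sta.lower(), essid, line)


def dedupe_by_bssid(lines: Iterable[str]) -> List[PmkidLine]:
    """Keep only the first hashline seen for each MAC_AP (BSSID).

    Malformed or empty lines are skipped instead of aborting the whole run
    (an assumption of this example, not hcxtools behaviour).
    """
    seen: Set[str] = set()
    kept: List[PmkidLine] = []
    for raw in lines:
        if not raw.strip():
            continue
        try:
            entry = parse_line(raw)
        except ValueError:
            continue
        if entry.mac_ap in seen:
            continue
        seen.add(entry.mac_ap)
        kept.append(entry)
    return kept


# Constructed sample: two lines for the same BSSID (different clients), one for
# another BSSID, one 16801-style line without ESSID, and one malformed line.
SAMPLE_LINES = [
    "2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*6d796e6574776f726b",  # ESSID "mynetwork"
    "a8c6c0a1d5f1e2b3c4d5e6f708192a3b*4604ba734d4e*1c1b0d5a7e9f*6d796e6574776f726b",  # same MAC_AP, other client
    "00112233445566778899aabbccddeeff*001122334455*aabbccddeeff*6775657374",          # ESSID "guest"
    "ffeeddccbbaa99887766554433221100*deadbeef0001*deadbeef0002",                      # 16801: no ESSID
    "not*a*valid*line",
]

if __name__ == "__main__":
    for entry in dedupe_by_bssid(SAMPLE_LINES):
        print(entry.mac_ap, entry.essid, entry.raw)
```

Running the block keeps three of the five sample lines: the second line is dropped because its MAC_AP already appeared, and the last is dropped as malformed. Reading a real file is just `dedupe_by_bssid(open(path))`, since the function accepts any iterable of strings.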
Messages In This Thread
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 08-08-2018, 12:19 AM