hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Alright; I am pretty new to hxctools (I was introduced to this suite of utilities by the recent PMKID attack blogpost), so please forgive my ignorance (and my haste, because I am just too curious to be satisfied by doing the research, I guess).
I'm used to the interface provided by the aircrack suite--especially besside-ng for automated WPA attacks.

Besside-ng has the ability to output a list of networks that it has found the handshake for, including the ESSID in plaintext, the BSSID, and the fact that the handshake has been found for the network.

Is there any possible way for me to derive a similar list of networks and which information (PMK/Handshake/PMKID) is available for retrieving the PSK from hcxdumptool's pcapng output? (EDIT: Found a partial workaround for the handshakes, at least, in the edited section 1)

I'm also used to using wpaclean to slim down the file to the absolute minimum available. Is there a way to do that with hcxtools?

Additionally, I usually upload my caps to stanev's wpa-sec. Does stanev's wpa-sec site support the PMKID derived from the recent PMKID attack, or is it only going to show networks that have the handshake captured? (Pretty sure I know the answer somewhat, see edited section 2)

I tried reading the documentation to understand this, but I either missed it (likely; sorry!) or the information is not present.

Finally, does hcxdumptool truly need to scan through channels other than 1, 6, and 11? I thought every other channel had overlap with those three.

Thanks a ton for your work, ZerBea.


After doing some research and playing around a bit, I think I have some questions of my own answered.
1) hcxpcaptool can output to an hccapx file. From there, you can use wlanhcx2cap to output to a format that can be read by aircrack-ng to list the ESSIDS, BSSIDS, and the handshakes available.
2) The PMKID retrieval process is fundamentally different from the handshake retrieval process. Also, when converting to hccapx, you can see how many PMKIDs are in the file(s) and how many Handshakes are in the file(s). Unfortunately, this does not tell you if those are discrete, individual networks, or anything else. hcxdumptool seems to not discriminate. With this in mind, though, I still have no 'easy' way to see what ESSIDs the PMKID-pwned networks have, and also can't see them when I upload to wpa-sec, presumably. Perhaps wpa-sec can change in the future to incorporate PMKID attacks? Also, unfortunately, the WPA upload feature for multiple pcaps will put in duplicate entries to wpa-sec instead of consolidating them all into the minimum necessary information. Perhaps that can be changed in a future version to minimize data transfer to the internet?

Messages In This Thread
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by recombinant - 08-14-2018, 11:04 AM