hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi recombinant

are you accepting pull requests?
-> yes, but under the restrictions of README.md:
- Multiple stand-alone binaries - designed to run on Arch Linux.
- All of these utils are designed to execute only one specific function.
hcxdumptool = attack and dump - nothing else
hcxpcaptool = conversion and basic information about the content of a cap, pcap, pcapng file (to determine if it's damaged) - nothing else
wlanhcxinfo = info about content of hccapx file - nothing else
wlanhcx2ssid = select special records to work on hashcat - nothing else
- I will not add things that make the code slower or more complex.
- I will not add things that can be done by scripts (comparing lists or potfiles)
- I will not add scripts which can do this.
- I will not add special code for other distributions than Arch Linux
- Form follows function and not: function follows form (no beautiful lists, status output and no correlation of data)

we would have to write a script ...
-> Yes. Such scripts are running on wpa-sec and I have some similar ones in my environment. If you need a script to correlate the data, you have to code it!

find exactly which networks were pwned specifically, but that information is probably already in the pcapng, right?
-> Yes, but you can find it in 16800.hash, 16801.hash, hccapx, too!

If you like to work on ESSIDs (ASCII/UTF-8) - be warned and make sure your terminal will display this!
We did some analysis on submitted caps to wpa-sec and we found zeroed ESSIDs, damaged ESSIDs with CTRL, UTF-8, ASCII and non-ASCII characters inside. We also found zeroed PSKs and PSKs with CTRL, UTF-8, ASCII and non-ASCII characters inside.
... and we found tons of deadly cleaned cap files with zeroed timestamps.

Right now, I only need the ESSID to calculate a PMK (by PBKDF2) and that's all. Then I prefer hash modes 2501 and 16801. (wpa-sec uses -m 2501 on every incoming cap file first.)
With the introduction of WPA3, PBKDF2 will die:
PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r)
and the PMKID:
PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)
...and PBKDF2 already died on WPA ENTERPRISE:

hcxdumptool/hcxtools/hcxkeys are  n o t  aircrack-ng, kismet or tcpdump
The tools are designed as analysis tools to develop new procedures (like the PMKID attack). So you should know what you are doing!
Take a look at a hcxdumptool pcapng file and compare it with an aircrack-ng, kismet or tcpdump cap file. I'm sure you see the difference:
hcxdumptool provides three different types of pcapng files (wep traffic, unencrypted IPv4/IPv6 traffic and EAP/EAPOL traffic).
No useless management, control or data frames inside the EAP/EAPOL traffic pcapng. One beacon, probe request/probe response and all authentications (authentication, association request/response, reassociation request/response, EAP/EAPOL) are stored. We store all authentication frames to determine if some frames changed during the attacks (remember: designed as analysis tools).

I recommend to use different hashcat potfiles instead of one single potfile:
You can run simple bash commands (cat, cut, awk) on them to get all the information you need.
The rest of the information can be retrieved from the hash files (hccapx, 16800/16801).
Now you can correlate the data in an easy way by bash scripts.

Some internal infos about hcxdumptool:
- designed to run on a Raspberry Pi
- handle 512 access points simultaneously
- handle 512 clients simultaneously
- 32 filter list entries
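The correlation ZerBea describes (potfile on one side, 16800 hash file on the other, ESSID only needed for the PBKDF2 step) as an added Python example. This is not hcxtools or wpa-sec code; it assumes the hashcat -m 16800 line layout `pmkid*mac_ap*mac_sta*essid_hex`, a potfile line of that hash followed by `:psk` (with hashcat's `$HEX[...]` encoding for non-printable PSKs), and the sample hash/pot lines below are constructed in the script rather than taken from a capture. For every cracked entry it recomputes PMK = PBKDF2-HMAC-SHA1(psk, essid, 4096) and PMKID = HMAC-SHA1-128(PMK, "PMK Name" | AA | SPA), so a stale or mismatched potfile line is flagged instead of trusted, and ESSIDs with control or non-UTF-8 bytes are printed as hex rather than handed raw to the terminal.

```python
"""Correlate hashcat -m 16800 (PMKID) hash lines with potfile entries.

Added example, not hcxtools code. Assumed formats (hashcat 16800):
  hash file: <pmkid>*<mac_ap>*<mac_sta>*<essid_hex>
  potfile:   <same hash line>:<psk>   (psk may be $HEX[..] encoded)
"""
import hashlib
import hmac

PBKDF2_ROUNDS = 4096  # WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(psk, essid, 4096, 32 bytes)


def pmk_from_psk(psk: bytes, essid: bytes) -> bytes:
    """The PBKDF2 step: only the ESSID (as salt) and the PSK are needed."""
    return hashlib.pbkdf2_hmac("sha1", psk, essid, PBKDF2_ROUNDS, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | AA | SPA) for AKM 00-0F-AC:2."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_16800(line: str) -> dict:
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return {
        "pmkid": bytes.fromhex(pmkid_hex),
        "mac_ap": bytes.fromhex(ap_hex),
        "mac_sta": bytes.fromhex(sta_hex),
        "essid": bytes.fromhex(essid_hex),
        "hash": line.strip(),
    }


def parse_potfile_line(line: str):
    """Split 'hash:psk'. The hash part is hex and '*' only, so the first ':' is the separator."""
    hash_part, _, psk = line.rstrip("\n").partition(":")
    if psk.startswith("$HEX[") and psk.endswith("]"):
        psk_bytes = bytes.fromhex(psk[5:-1])  # hashcat stores non-printable PSKs this way
    else:
        psk_bytes = psk.encode("utf-8")
    return hash_part, psk_bytes


def display_essid(essid: bytes) -> str:
    """Hand only printable UTF-8 to the terminal; otherwise show the raw hex."""
    try:
        text = essid.decode("utf-8")
    except UnicodeDecodeError:
        return "hex:" + essid.hex()
    return text if text and text.isprintable() else "hex:" + essid.hex()


def fmt_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def correlate(hash_lines, pot_lines) -> list:
    """Join potfile PSKs back onto the hash file and re-verify each PMKID."""
    by_hash = {rec["hash"]: rec for rec in map(parse_16800, hash_lines)}
    results = []
    for line in pot_lines:
        hash_part, psk = parse_potfile_line(line)
        rec = by_hash.get(hash_part)
        if rec is None:
            continue  # potfile entry belongs to some other hash file
        pmk = pmk_from_psk(psk, rec["essid"])
        ok = hmac.compare_digest(pmkid(pmk, rec["mac_ap"], rec["mac_sta"]), rec["pmkid"])
        results.append({
            "essid": display_essid(rec["essid"]),
            "mac_ap": fmt_mac(rec["mac_ap"]),
            "mac_sta": fmt_mac(rec["mac_sta"]),
            "psk": psk,
            "pmk": pmk.hex(),
            "verified": ok,
        })
    return results


def make_16800_line(psk: bytes, essid: bytes, mac_ap: bytes, mac_sta: bytes) -> str:
    """Build a hash line as a capture would yield it (used here only to construct samples)."""
    p = pmkid(pmk_from_psk(psk, essid), mac_ap, mac_sta)
    return "*".join([p.hex(), mac_ap.hex(), mac_sta.hex(), essid.hex()])


# Constructed sample data (not real captures): two networks, the second with a
# control character inside the ESSID and a PSK that hashcat would store as $HEX[].
AP1, STA1 = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
AP2, STA2 = bytes.fromhex("0a0b0c0d0e0f"), bytes.fromhex("101112131415")
HASH_LINES = [
    make_16800_line(b"correct horse", b"HomeNet", AP1, STA1),
    make_16800_line(b"\x01tab\x09", b"Bad\x07Net", AP2, STA2),
]
POT_LINES = [
    HASH_LINES[0] + ":correct horse",
    HASH_LINES[1] + ":$HEX[" + b"\x01tab\x09".hex() + "]",
]

if __name__ == "__main__":
    for r in correlate(HASH_LINES, POT_LINES):
        print(f"{r['mac_ap']}  {r['essid']:<24}  psk={r['psk']!r}  verified={r['verified']}")
```

Read the real files with `correlate(open("16800.hash"), open("hashcat.potfile"))`; keeping a separate potfile per hash mode, as the post recommends, is what makes the first-colon split safe, since other modes can put ':' inside the hash part.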

Messages In This Thread
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 08-15-2018, 10:35 AM