hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Running hcxpcaptool to convert EAPOL (-o) and PMKID (-k or -z) is fine.

The content of -E is very interesting, because we can find several passwords (PSK) inside. You should know that hcxdumptool captures more(!) PSKs than handshakes. So it may take a while until you get a matching handshake or a PMKID for an already captured PSK. So it's a good idea to collect them and test them from time to time against your captured files.
To get a PSK, we only need one(!) packet (2 if we request it).
To get a PMKID, we need at least 2 packets (ESSID and M1). To request a PMKID, we need 14 packets (including ACK packets).
To get a handshake we need at least 3 packets (ESSID, M1, M2 or M2, M3, or if M4 is not zeroed, M1, M4 or M3, M4). To request an M2 from a client, we need 16 packets (including ACK packets).
That is to say, if the client (or you) is moving fast, it is possible that the complete authentication process fails and we get nothing.

-U is only useful if your captured file contains HTTP traffic:
hcxdumptool -O
-O <dump file> : output file in pcapng format
                unencrypted IPv4 and IPv6 frames

-I will give you identities (for example not encrypted IMEIs).

BTW:
Your "Test -E ESSID" contains some nice default key space PSKs:
lines 12, 53, 54, 70, 71, 72, 171, 179, 292
and some possible user defined PSKs like these:
lines 70, 321
All of them came from clients.

You can imagine how much time hashcat will take to brute force a PSK like this one from line 53/54 (20 characters aZAZ09).
That is to say, traffic from a client is a thousand times more interesting than stupid beacons from access points.

BTW:
To get the MAC of the client which uses the 20 character PSK, run hcxpcaptool with the -X option.
This option is very useful for a penetration tester to identify a weak client within a company WiFi network.
@penetration testers: you can imagine what will happen, if the PSK is not from the company WiFi network, but instead it is from the user's WiFi network and the user is allowed to do "home office".....

hcxdumptool / hcxtools is designed to perform heavy attacks and to enable deep analysis of network traffic in combination with hashcat and JtR. The goal is to identify weak points or break the system, not a single network in the neighborhood.
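Added example, not part of the forum post and not hcxtools code: a small triage of an audit capture that applies the minimums listed in the post (ESSID plus M1 for a PMKID; ESSID plus one of the listed message pairs for a handshake, with M4 counted only when its nonce is not zeroed). The record layout, field names and sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Message pairs the post lists as sufficient for a handshake (plus the ESSID).
# Pairs that include M4 only count when the M4 nonce is not zeroed.
PAIRS = [("M1", "M2"), ("M2", "M3"), ("M1", "M4"), ("M3", "M4")]

# Constructed sample records (hypothetical layout, placeholder AP addresses
# and client labels).
AP1, AP2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [
    {"type": "ESSID", "ap": AP1, "client": None},
    {"type": "M1", "ap": AP1, "client": "client-aa", "pmkid": True},
    {"type": "M1", "ap": AP1, "client": "client-bb"},
    {"type": "M4", "ap": AP1, "client": "client-bb", "nonce_zeroed": True},
    {"type": "M3", "ap": AP1, "client": "client-dd"},
    {"type": "M4", "ap": AP1, "client": "client-dd", "nonce_zeroed": False},
    {"type": "M2", "ap": AP2, "client": "client-cc"},  # no ESSID frame for AP2
    {"type": "M3", "ap": AP2, "client": "client-cc"},
]


def triage(frames):
    """Report, per (AP, client), which artifacts the captured frames yield."""
    essid_seen = {f["ap"] for f in frames if f["type"] == "ESSID"}
    sessions = defaultdict(dict)
    for f in frames:
        if f["type"] != "ESSID":
            sessions[(f["ap"], f["client"])][f["type"]] = f

    report = {}
    for (ap, client), msgs in sessions.items():
        # An M4 with a zeroed (or unknown) nonce cannot complete a pair.
        m4_ok = "M4" in msgs and not msgs["M4"].get("nonce_zeroed", True)
        present = {m for m in msgs if m != "M4" or m4_ok}
        has_essid = ap in essid_seen
        report[(ap, client)] = {
            "pmkid": has_essid and bool(msgs.get("M1", {}).get("pmkid")),
            "handshake_pairs": [p for p in PAIRS if set(p) <= present]
            if has_essid else [],
        }
    return report


if __name__ == "__main__":
    for key, result in triage(SAMPLE).items():
        print(key, result)
```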


Messages In This Thread
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 06-04-2019, 08:18 AM