hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
No, epical fail of me. Pushed a fix for that issue. Unfortunately we deleted all 392 byte hccap and leave the 0 size ones.

So if all .22000 format hashes are good what is it I need to check for with a hex viewer?
->you must check the ANONCE, because old hashcat isn't able to run nonce-error-corrections

Get the example from here:
https://hashcat.net/forum/thread-8910-po...l#pid47398
and check the anonces:

$ wlanhcxinfo -i hamza.hccapx -A
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e68
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e68 -> dupe
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e69
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e69 -> dupe
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e6a
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e6b
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e6b -> dupe
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e6c
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e6c -> dupe
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e6e
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e70
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e70 -> dupe
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e71
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e74
949c91f6e9732a5e036b962b6a4c8332705b8deedffbd58f8929082c410a3e74 -> dupe

6 are dupes, only 4 of them are recoverable without NC. The remaining ones require NC! Minimum value is NC > 13 in this case, better more, because we don't have the cap/pcap file to determine the correct values. Also keep in mind: NC detection doesn't work on wpaclean(ed) cap files!
This will happen to your hccap, too. Unfortunately you don't have an option to set NC on your old hashcat version.
Result is an unrecoverable hash.

I am just thinking when I master the use of hcxhashtool it will bring new life to old GPU as we will also be able to start to take advantage of PMKID captures!
-> No, hcxdumptool/hcxtools are just WiFi parser for hashcat and JtR. If both cracker doesn't support your old GPU, you will not take advantage of the new features. You must find the matching ANONCE "by hand"!

BTW:
Using hashline 22000, ANONCE is field 7 of the hashline
WPA * 02 * MIC * MAC_AP * MAC_STA * ESSID * ANONCE * EAPOL * MESSAGEPAIR

You can sort by ANONCE running:
$ cat hashline.22000 | sort -t "*" -k 7
or
$ sort hashline.22000 -t "*" -k 7

Now you can identify NC values (require hcxpcangtool --all option for conversion).
If you don't do this step (conversion to new hashline), you'll see the ANONCE in your hccap file only with a hex viewer!
Reply


Messages In This Thread
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 01-29-2020, 08:15 PM