01-30-2020, 07:21 PM
An ideal use would be: hcxhashtool -i my22000hashlist --hccap-single -p mydirectoryofchoice
-> No, ideal within a bash script is
$ cd $HOME/.../mydirectoryofchoice
$ hcxhashtool -i $HOME/.../my22000hashlist --hccap-single
Another lucky part of this problem is the lack of randomness and the fact we only need to count upwards
-> No, because you don't know what frame exactly you're missing. The list is sorted by ANONCE.
... it does not affect genuine clients
-> If the CLIENT doesn't receive the requested frame, he will request it again. The same applies to hcxdumptool - it simply requests a missing frame, too. A passive dumper doesn't request frames - the result can/will be packet loss!
I am still unsure how I manually determine ANONCEs which do not require NC
-> M2 frames requested by hcxdumptool don't require NC. In this case NC == 0! On all other frames you can't be sure. If you send too many deauthentication frames, the AP will renew EAPOLCOUNTER, EAPOLTIMER and calculate a new ANONCE. In that case NC isn't working.
I notice you keep dropping very useful commands and info whilst talking with me which might get lost in this long thread for others reading at a later date.
-> 802.11 is a standard. All the basics can be found in www or in the PMKID thread or in this thread.
The more automated checks hcx-anything can do to validate a capture the better!
-> No, hcxtools are designed to be analysis tools. You must take a look at the results and improve your TTPs (Techniques, Tactics, Procedures) based on these results.