hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Can someone help me find the field order in the .22000 hashlist format?  I'm having a heck of a time tracking down the format description, and after digging through the .c code in hcxtools I am just not convinced that I understand what I am looking at :/

I am trying to extract the MAC Address of Clients and APs that were captured to build macfilters for hcxdumptool.

Before the .22000 format was introduced, I was using hcxpcaptool to convert .pcapng's to the .hccapx and older .16800 hashlist formats, then processing those with wlanhcxinfo or awk to get the mac addresses.  Of course, now that this tool and these formats are deprecated, I want to move to 22000, but here's how I was doing it:

Code:
# these tools/formats are now deprecated!

# Get Client MAC addresses to filter
# Convert the .pcapng to the older .hccapx format (EAPOL)
hcxpcaptool -o TEST.hccapx *.pcapng

# Get the "station" mac addresses (client MACs)
wlanhcxinfo -i TEST.hccapx -s | sort -u > GOTMACSCLI.txt

# Count how many we've got
wc -l GOTMACSCLI.txt
# 30 GOTMACSCLI.txt

# Convert the .pcapng to the old-older 16800 format (PMKID)
hcxpcaptool -z TEST.16800old *.pcapng
awk -F'*' '{print $2}' TEST.16800old | sort -u > GOTMACSAPS.txt

# Count how many we've got
wc -l GOTMACSAPS.txt
# 45 GOTMACSAPS.txt

Since the .22000 format combines both PMKID and EAPOL captures, I was hoping I could sift the MAC addresses out of the file with tools like awk/grep/sed, but since I don't know the format I am really just making guesses.  Can someone confirm my suspicions below?

Code:
# Convert the .pcapng to the new .22000 format (PMKID+EAPOL)
hcxpcapngtool --prefix="TEST" *.pcapng

Did a quick compare of the contents of the GOTMACSCLI.txt and GOTMACSAPS.txt lists by grep'ing for a few examples:
  • A MAC that was in GOTMACSCLI.txt should be the MAC of a captured Client.  These MACs were in the .22000 list on lines that started with "WPA*02" and were the FIFTH field on that line.
  • A MAC that was in GOTMACSAPS.txt should be the MAC of a captured Access Point.  These MACs were in the .22000 list on lines that started with "WPA*01" and were the FOURTH field on that line.
  • Some of the MACs that were in GOTMACSAPS.txt were in multiple lines of the .22000 list that started with both "WPA*01" and "WPA*02", but they were always in the FOURTH field.  I assume this means the AP was involved in a client EAPOL capture as well as a PMKID capture.
Based on that, I assume...
  • lines that start with "WPA*02" are EAPOL hashes, so I want to grab the FIFTH field as the MAC of the Client to filter
  • lines that start with "WPA*01" are PMKID hashes, so I want to grab the FOURTH field as the MAC of the Access Point to filter
If that's right, then I can do a little grep/awk/sort to get my MAC addresses.

Code:
# Get Client MAC addresses to filter and Count how many we've got
grep '^WPA\*02\*' TEST.22000 | awk -F'*' '{print $5}' | sort -u | wc -l
# 30

# Get Access Point MAC addresses to filter and Count how many we've got
grep '^WPA\*01\*' TEST.22000 | awk -F'*' '{print $4}' | sort -u | wc -l
# 44

This looks pretty good, but there is a discrepancy in the number of Access Point MAC addresses.  I've found other differences in the count of hashes when comparing .hccapx with .22000 before, so I am not totally surprised.  That said, this new format seems to have fewer results than the older format.  Maybe that's ok...

Am I doing this right?
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by MrShannon - 03-15-2020, 09:12 PM
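Per hashcat's 22000 documentation the field order is WPA*TYPE*PMKID/MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR (TYPE 01 = PMKID, 02 = EAPOL), which matches the reading in the post above. The parser below is an added example, not code from the post or from hcxtools; it pulls MACs out by field name instead of awk column numbers, and the sample hash lines, MACs and ESSIDs in it are made up.

```python
import re
from collections import namedtuple

# Field order of one 22000 line, per the hashcat documentation:
# WPA*TYPE*PMKID/MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID, TYPE 02 = EAPOL; the last three fields are empty on PMKID lines.
Hash22000 = namedtuple("Hash22000", "kind mac_ap mac_client essid")

_HEX = re.compile(r"^[0-9a-fA-F]*$")


def parse_line(line):
    """Parse one 22000 line; return a Hash22000 or None if it is not a valid hash line."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        return None
    kind = "PMKID" if fields[1] == "01" else "EAPOL"
    mac_ap, mac_client = fields[3].lower(), fields[4].lower()
    # Both MAC fields are 12 hex characters with no separators.
    if not all(len(m) == 12 and _HEX.match(m) for m in (mac_ap, mac_client)):
        return None
    # The ESSID is hex encoded; decode it, tolerating names that are not UTF-8.
    essid = bytes.fromhex(fields[5]).decode("utf-8", "replace") if _HEX.match(fields[5]) else ""
    return Hash22000(kind, mac_ap, mac_client, essid)


def parse_lines(lines):
    """Parse every line, skipping anything that is not a 22000 hash."""
    return [h for h in (parse_line(l) for l in lines) if h is not None]


def select_macs(hashes, field, kinds=("PMKID", "EAPOL")):
    """Unique MACs from 'mac_ap' or 'mac_client', limited to the given hash kinds."""
    return {getattr(h, field) for h in hashes if h.kind in kinds}


# Constructed sample: one PMKID line and two EAPOL lines with made-up MACs/ESSIDs.
ANONCE = "11" * 32          # 64 hex chars, placeholder value
EAPOL = "0203007502010a00"  # placeholder hex; not inspected by this parser
SAMPLE = f"""\
WPA*01*{'aa' * 16}*001122334455*66778899aabb*746573746e6574***
WPA*02*{'bb' * 16}*001122334455*ccddeeff0011*746573746e6574*{ANONCE}*{EAPOL}*02
WPA*02*{'cc' * 16}*aabbccddeeff*66778899aabb*6f74686572*{ANONCE}*{EAPOL}*00
this line is not a hash
"""

if __name__ == "__main__":
    hashes = parse_lines(SAMPLE.splitlines())
    # Mirror the post's two pipelines, then show the AP set taken from all line types.
    print("client MACs (EAPOL lines):", sorted(select_macs(hashes, "mac_client", ("EAPOL",))))
    print("AP MACs (PMKID lines):   ", sorted(select_macs(hashes, "mac_ap", ("PMKID",))))
    print("AP MACs (all lines):     ", sorted(select_macs(hashes, "mac_ap")))
```

Because field 4 is the AP MAC on both line types, comparing the PMKID-only AP set with the all-lines AP set is a quick way to see whether a count difference comes from APs that only appear on EAPOL lines.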