hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
(03-31-2021, 10:12 AM)ZerBea Wrote: Thanks, I'm fine and I hope you'll be fine, too.
hcxtools > v6 and hcxdumptool make life a little bit easier and received a lot of improvements, but the basics are the same (that includes filter modes, filter lists and Berkeley Packet Filter). Only the default formats changed to pcapng.
capture traffic -> convert to hashcat (or john) hash format -> run hashcat (or john)

The same applies to the attack vectors:
attack vector 1 target AP (PMKID)
attack vector 2 CLIENT (M2)
attack vector 3 AP <-> CLIENT connection (PMKID, M1, M2, M3, M4)
attack vector 4 EAP (EAP-ID, EAP TLS, RADIUS)
or any combination of these.

Code:
attack vector 1, 2, 3, 4 (request EAP-ID, only)
$ hcxdumptool -i interface -o dump.pcapng --essidlist=beaconlist --active_beacon

attack vector 2 (request EAP-ID, only)
$ hcxdumptool -i interface -o dump.pcapng --essidlist=beaconlist --active_beacon --disable_deauthentication --disable_ap_attacks -t 300

attack vector 1, 3
$ hcxdumptool -i interface -o dump.pcapng --essidlist=beaconlist --disable_client_attacks

for attack vector 4 please read --help

If you're an experienced user (you know what you're doing, you are able to create a BPF, you don't need a beautiful real time status display), I recommend using hcxlabtool from the wifi_laboratory series.

The basics of converting traffic to hashcat/john formats are the same, too, except that the default formats changed:
hcxpcapngtool:
default hash format now -> 22000 EAPOL + PMKID
storing possible PSKs received from WiFi traffic can be done by -E -I -U

Example dump file is here:
https://github.com/evilsocket/pwnagotchi...nctest.zip
$ hcxpcapngtool -o eapol.22000 -E wordlist test.pcap
$ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist
In this example, we must use --nonce-error-corrections=8, because I converted the original pcapng file to cap/pcap format (a few tools don't understand pcapng). This format is a very basic format and we lose some important information stored in the pcapng format.

hcxhashtool is new. Depending on the options you can filter the output hash file. That can be done by bash tools, too, because 22000 is no longer a binary format.
hcxeiutool is new. Depending on the options you can pre-process hcxpcapngtool -E -I -U output to a raw word list that can be used in combination with rules.

Thanks for such detailed information, cleared a lot of doubts, much appreciated!
However, when I run hashcat with attack mode 2200 ($ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist) I get an error message stating that there is no module named module_02200.dll (Cannot load module ./module/module_02200.dll). I have checked the modules directory and it is not there for some reason. I am using the default hashcat version 6.1.1 provided by hashcat.net on Windows.

Btw, also tested this with hashcat version 4.1.1, same error.
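As an added example (not from the thread and not hcxtools' own code), a small Python parser for the 22000 hash lines that hcxpcapngtool writes: it shows the kind of ESSID/AP filtering the quoted post says hcxhashtool or bash tools can do on the text format, and decodes the MESSAGEPAIR flags that indicate whether --nonce-error-corrections is needed. The sample lines are constructed, with zero placeholders instead of real PMKIDs, MICs and nonces.

```python
# Added example, not code from the thread or from hcxtools: parse hashcat 22000
# lines (hcxpcapngtool output) and filter them as hcxhashtool or bash tools would.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Hash22000:
    kind: str                    # "PMKID" (type 01) or "EAPOL" (type 02)
    mac_ap: str
    mac_client: str
    essid: str                   # decoded from the hex field
    messagepair: Optional[int]   # EAPOL lines only

    def needs_nonce_correction(self) -> bool:
        # MESSAGEPAIR bit 7: replay counter not checked, so nonce error
        # corrections are definitely needed; bit 4: ap-less capture, none
        # needed. PMKID lines carry no nonce at all.
        if self.messagepair is None or self.messagepair & 0x10:
            return False
        return bool(self.messagepair & 0x80)

def parse_line(line: str) -> Hash22000:
    # Layout: WPA*TYPE*PMKID/MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError(f"not a 22000 line: {line!r}")
    kind = {"01": "PMKID", "02": "EAPOL"}.get(fields[1])
    if kind is None:
        raise ValueError(f"unknown hash type {fields[1]!r}")
    essid = bytes.fromhex(fields[5]).decode("utf-8", errors="replace")
    mp = int(fields[8], 16) if kind == "EAPOL" else None
    return Hash22000(kind, fields[3].lower(), fields[4].lower(), essid, mp)

def filter_hashes(text: str, essid: Optional[str] = None,
                  mac_ap: Optional[str] = None) -> List[Hash22000]:
    # Keep only lines matching the given ESSID and/or AP MAC (colons allowed).
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        h = parse_line(raw)
        if essid is not None and h.essid != essid:
            continue
        if mac_ap is not None and h.mac_ap != mac_ap.replace(":", "").lower():
            continue
        out.append(h)
    return out

# Constructed sample file: PMKIDs/MICs/nonces are zero placeholders, not real captures.
SAMPLE = """
WPA*01*00000000000000000000000000000000*aabbccddeeff*112233445566*746573746e6574***
WPA*02*00000000000000000000000000000000*aabbccddeeff*112233445566*746573746e6574*0000*0103*82
WPA*02*00000000000000000000000000000000*001122334455*665544332211*6f74686572*0000*0103*10
"""
```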
Messages In This Thread
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by sata - 03-31-2021, 05:50 PM