hcxpcaptool does not detect beacon packet
#5
hcxpcaptool is deprecated. Please use hcxpcapngtool from latest git head hcxtools.
hcxpcangtool doesn't require  a timestamp. But, if we have no timestamp, a zeroed timestamp or not the origin timestamp, we are not able to calculate nonce-error-corrections (NC). The same applies to a cleaned cap file!.
Attached an example here:

.zip   nctest.zip (Size: 1.75 KB / Downloads: 1)
and for non forum members, here:
https://www.sendspace.com/file/vcn6e0

Inside are 3 files from a test suite and an example PSK to demonstrate the power of NC and the advantage of uncleaned dump files with origin timestamps:
1. pcap file (partly cleaned and converted to pcap so that aircrack is able handle it)
2. cap file, cleaned by wpaclean
3. wordlist (for use with aircrack)

First we use hcxpcangtool and hashcat:
hcxpcapngtool to do the conversion and retrieve the PSK from the pcap file:
Code:
$ hcxpcapngtool -o test.22000 -E wordlist test.pcap
reading from test.pcap...
summary capture file
--------------------
file name................................: test.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 06.02.2020 12:23:49
timestamp maximum (GMT)..................: 06.02.2020 12:24:52
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 6
BEACON (total)...........................: 1
PROBEREQUEST.............................: 1
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
ESSID (total unique).....................: 2
EAPOLTIME gap (measured maximum usec)....: 16624455
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 62482
EAPOL M1 messages........................: 3
EAPOL M2 messages........................: 1
EAPOL pairs (total)......................: 1
EAPOL pairs (best).......................: 1
EAPOL pairs written to combi hash file...: 1 (RC checked)
EAPOL M12E2..............................: 1

Warning: missing frames!
This dump file contains no important frames like
authentication, association or reassociation.
That makes it hard to recover the PSK.

and hashcat to recover the PSK:
Code:
$ hashcat -m 22000 test.22000 --nonce-error-corrections=8 wordlist
hashcat (v5.1.0-1685-gf946e321) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: test.22000
Time.Started.....: Mon Feb 17 17:50:23 2020 (0 secs)
Time.Estimated...: Mon Feb 17 17:50:23 2020 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      77 H/s (0.71ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 3/3 (100.00%)
Rejected.........: 1/3 (33.33%)
Restore.Point....: 0/3 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: v+#gqu5g9pqnp%+7jbf%2uex+8hlo3ms -> v+#gqu5g9pqnp%+7jbf%2uex+8hlo3ms
Hardware.Mon.#1..: Temp: 58c Fan: 39% Util: 47% Core:1847MHz Mem:5005MHz Bus:16

As expected, the PSK is successfully recovered by hashcat.

Running latest git head hcxtools (as of today), you can run automatic mode, too. This mode will work up to hashcat's default NC value 8. Higher values require to set hashcat option --nonce-error-corrections=x:
Code:
$ hashcat -m 22000 test.22000 wordlist
hashcat (v5.1.0-1685-gf946e321) starting...
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: test.22000
Time.Started.....: Mon Feb 17 17:54:53 2020 (0 secs)
Time.Estimated...: Mon Feb 17 17:54:53 2020 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      83 H/s (0.70ms) @ Accel:8 Loops:128 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 3/3 (100.00%)
Rejected.........: 1/3 (33.33%)
Restore.Point....: 0/3 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: v+#gqu5g9pqnp%+7jbf%2uex+8hlo3ms -> v+#gqu5g9pqnp%+7jbf%2uex+8hlo3ms
Hardware.Mon.#1..: Temp: 53c Fan: 32% Util: 75% Core:1898MHz Mem:5005MHz Bus:16

Now we do the same, running aircrack:
Code:
$ ./aircrack-ng test_clean.cap -w wordlist
Reading packets, please wait...
Opening test_clean.cap
Read 3 packets.
  #  BSSID              ESSID                    Encryption
  1  A0:F3:C1:50:3E:62  hascat                    WPA (1 handshake)
Choosing first network as target.
Reading packets, please wait...
Opening test_clean.cap
Read 3 packets.
1 potential targets
                        Aircrack-ng 1.6 rev 499d72ad
      [00:00:00] 1/1 keys tested (23.13 k/s)
      Time left: --
                                KEY NOT FOUND
      Master Key    : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Transient Key  : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      EAPOL HMAC    : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
and it failed.

BTW:
If you compare the wpaclean cap file, with the pcapfile, you'll notice, that the PSK (received from WiFi traffic) was removed by wpaclean!

That lead me to this advices:
It is not good idea to clean a cap file.
It is not a good idea to use tools that clean a cap file
It is not a good idea to use tools that doesn't store or ignore useful frames.
Reply


Messages In This Thread
RE: hcxpcaptool does not detect beacon packet - by ZerBea - 02-17-2020, 07:03 PM