Half Handshake Tools?
#1
Hi, I have been using bettercap and have managed to capture a few half handshakes. The problem I am having is that none of the tools I find (github repos like "WPA2-HalfHandshake-Crack", "halfhandshaker", etc.) for generating or cracking these half handshakes work. The only one that has actually generated a hash has been cap2hccapx.bin. Regarding this, I have a few questions:

1. Is there a more reliable tool that can actually parse these pcaps/caps/pcapng properly and generate the hashes from half handshakes besides cap2hccapx.bin?

2. Is there any way to convert the hccapx hashes generated to mode 22000?

3. Does airodump-ng or hcxdumptool capture and store half handshakes?

4. Is it safe to assume that if a device is constantly giving half handshakes, that the underlying PSK it is trying to authenticate with is wrong?
Reply
#2
IMHO the hcxtools suite (with hcxdumptool for capturing) by 'ZerBea' is by far the most capable and comprehensive set of tools for capturing, analyzing, and manipulating the WPA protocols (including partial M1-M4 'handshakes'!).

I'd advise diving deep into the many threads concerning WPA, WPA2, and PMKID capturing and conversion into Hashcat/JTR hash formats (https://hashcat.net/forum/thread-6661-po...l#pid52103) for a start!

PS: If you're consistently failing to capture complete 4-ways consider that the AP may be implementing MAC address filtering.
Reply
#3
airodump-ng is a passive dumper (like tcpdump) that doesn't include any active attack vector.
hcxdumptool is an interactive tool that responds to the target and requests missing frames.

By default hcxdumptool will retrieve all(!) ASSOCIATION attempts of a CLIENT (EAPOL M2 frames = CHALLENGE). That will include all attempts (PSKs) that the USER tried to get access to the NETWORK with, or that are stored in the CLIENT's wpa_supplicant.conf.

These are the options related to this attack vector:
Code:
--essidlist=<file>                 : transmit beacons from this ESSID list
                                     maximum total entries: 256 ESSIDs

--active_beacon                    : transmit beacon from collected ESSIDs and from essidlist once every 10000000 nsec
                                     affected: ap-less


--stop_client_m2_attacks=<digit>   : stop attacks against CLIENTS after 10 M2 frames received
                                     affected: ap-less (EAPOL 2/4 - M2) attack
                                     require hcxpcangtool --all option

or

--all_m2                           : accept all connection attempts from a CLIENT
                                     affected: CLIENTs
                                     warning: that can prevent that a CLIENT can establish a connection to an assigned ACCESS POINT

With the option --all, hcxpcapngtool will convert all these tries to a hc22000 hash file accepted by hashcat.
e.g.: If the PSK of the target is rosebud2021 and the user tried rosebud1, rosebud2, rosebud1900, rosebud2022, ... all these hashes are converted into the hash file.
This attack will only work if the target is a CLIENT.
If the target is an AP, hcxdumptool will request the PMKID (if this mode is activated on the AP).

hcxmactool (deprecated and will be removed soon, because I have good reasons to remove it) will do the conversion from hccapx to hc22000, but I do not recommend this. The quality of the hccapx file depends on the quality of the attack tool and the conversion tool. If one of these tools fails, you will waste your time.
It is much better to restart the attack and re-capture the traffic.

Please notice:
A successful WPA attack always starts on the RF channel. Everything that is filtered out, is gone forever:
https://github.com/aircrack-ng/aircrack-ng/issues/2290
https://github.com/evilsocket/pwnagotchi...-598597214
Please try the example mentioned above, and you'll know what you're missing if you filter something out.

By default, hcxdumptool is aggressive as hell and nothing is filtered: "Take what you can, give nothing back! (Jack Sparrow)"
Filtering must be done by additional options and/or later on, offline by hcxhashtool (which provides various filter options) after conversion to a hc22000 file by hcxpcapngtool (--all).

Please also notice that in principle, hcxdumptool/hcxtools do the same thing as the other WiFi tools, but the philosophy and the underlying engine are totally different.
These tools are designed to be analysis tools, and it takes a lot of experience (much more than running a simple script) to use them.

The basics are explained here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Reply
#4
Thank you both for your inputs evets97 and ZerBea. I am still learning much about this topic and would like to ask you more questions regarding hcxdumptool.

(01-10-2022, 11:16 AM)ZerBea Wrote: airodump-ng is a passive dumper (like tcpdump) that doesn't include any active attack vector.

hcxdumptool is an interactive tool that respond to the target and request missing frames.

In other words, if I were to do the hostapd method of setting up a fake AP based on a client's probe and run hcxdumptool in another process, it would be better in getting half handshakes as it would interact with the target instead of just running tcpdump/wireshark?

(01-10-2022, 11:16 AM)ZerBea Wrote: --stop_client_m2_attacks=<digit>  : stop attacks against CLIENTS after 10 M2 frames received
                                    affected: ap-less (EAPOL 2/4 - M2) attack
                                    require hcxpcangtool --all option

If I specify --disable_client_attacks, this option is affected correct?

If I do not specify --disable_client_attacks, is this the default behavior or is it --all_m2?

(01-10-2022, 11:16 AM)ZerBea Wrote: By option --all hcxpcapngtool will convert all this tries to a hc22000 hash file accepted by hashcat.

e.g.: If the PSK of the target is rosebud2021 and the user tried rosebud1, rosebud2, rosebud1900, rosebud2022, ... all this hashes are converted to the hash file.

This attack will only work if the target is a CLIENT.

Nice, so my assumption is most likely correct that the client constantly sending half handshakes is using a wrong/expired PSK on the AP.

(01-10-2022, 11:16 AM)ZerBea Wrote: hcxmactool (deprecated and will be removed, soon, because I have good reasons to remove it) will do the conversion from hccapx to hc22000 but I do not recommend this. The quality of the hccapx file depend on the quality of the attack tool and the conversion tool. If one of this tools failed, you will waste your time.

It is much better restart the attack and to re-capture the traffic.

Understandable, thank you for the clarification.

(01-10-2022, 11:16 AM)ZerBea Wrote: By default, hcxdumptool is aggressive as hell and nothing is filtered: "Take what you can, give nothing back! (Jack Sparrow)"

Filtering must be done by additional options and/or later on, offline by hcxhashtool (which provide various filter options) after conversion to a hc22000 by hcxpcapngtool (--all).

Please also notice that in principle, hcxdumptool/hcxtools do the same thing as the other WiFi tools, but the philosophy and the underlying engine is totally different.

This tools are designed to be analysis tools and it takes a lot of experience (much more than running a simple script) to use them.

Yes and that is why I have been avoiding using hcxdumptool and instead rely on more "newbie" passive dumpers like airodump-ng and bettercap.
I tried hcxdumptool a couple of days ago with the following flags and somehow it still disconnected my machine from the network:
--disable_deauthentication --disable_client_attacks

I wanted AP attacks on to capture PMKID, but I still have no reason as to why my machine got disconnected. If you could bring me some more insight as to what might have happened I would appreciate it very much. Is there something besides PMKID attack that occurs when AP attacks are enabled?

Lastly I wanted to ask you if by specifying "--silent", hcxdumptool would act exactly as tcpdump/wireshark, and if I still have to specify the other flags like "--disable_deauthentication --disable_client_attacks --disable_ap_attacks" when using --silent?
Reply
#5
"In other words, if I were to do the hostapd method of setting up a fake AP based on a client's probe and run hcxdumptool in another process, it would be better in getting half handshakes as it would interact with the target instead of just running tcpdump/wireshark?"
Depending on options (like active_beacon and essidlist) and filters in transmission branch hcxdumptool will interact with all CLIENTs.
Do not run hcxdumptool in combination with other tools (except Wireshark or tshark).

"If I specify --disable_client_attacks, this option is affected correct?"
Yes

"If I do not specify --disable_client_attacks, is this the default behavior or is it --all_m2?"
In that case hcxdumptool will stop attacks against CLIENTS after 10 M2 frames received

"Nice, so my assumption is most likely correct that the client constantly sending half handshakes is using a wrong/expired PSK on the AP."
Yes, but you need an attack vector which is fast enough to respond to all requests.

"I tried hcxdumptool a couple of days ago with the following flags and somehow it still disconnected my machine from the network:
--disable_deauthentication --disable_client_attacks"
For sure, hcxdumptool will do that. Stupidly injecting DEAUTHENTICATION frames is an old school attack vector and you can disable it by --disable_deauthentication.
Hcxdumptool provides some new sophisticated and intelligent attacks to retrieve a 4way handshake and/or a PMKID. These attacks are not disabled by --disable_deauthentication --disable_client_attacks.
They are very effective, work against Protected Management Frames (PMF) too, and are difficult to detect.
In the case of this attack vector it is not hcxdumptool that disconnects all CLIENTs. It is the AP itself!!!

"I wanted AP attacks on to capture PMKID, but I still have no reason as to why my machine got disconnected. If you could bring me some more insight as to what might have happened I would appreciate it very much. Is there something besides PMKID attack that occurs when AP attacks are enabled?"
Looks like the target APs are vulnerable to this sophisticated attack vector as mentioned above.

"Lastly I wanted to ask you if by specifying "--silent", hcxdumptool would act exactly as tcpdump/wireshark, and if I still have to specify the other flags like "--disable_deauthentication --disable_client_attacks --disable_ap_attacks" when using --silent?"
Running silent, hcxdumptool will act like a passive dumper (e.g. Wireshark, tshark). It includes all options that partly disable transmissions.

Please also take a look at the options which tell hcxdumptool when to stop an attack and when to resume it.

Also please take a look at the two filter methods:
1) filtermode in combination with filter lists which are working in transmission branch only
2) berkeley packet filter code which is working in receive and/or transmission branch - MACs can be specified as well as all kind of frame types on which hcxdumptool should act.
Reply
#6
Zerbea you seem to have private messages disabled :P

I managed to capture a Half-Handshake (EAPOL M1 & M2). However, I am unable to find a tool that can take the pcap file and analyze the packages to create the half handshake hash in mode 22000 or hccapx.

I used "tshark -i wlan0 -w half.pcap" to capture the packets.

"hcxpcapngtool --all" does not give me a hash.

It would be awesome if someone could explain how I could convert the M1 M2 challenge into hashcat 22000 format.

Any thoughts?
Reply
#7
PM are disabled because I received too many cracking requests - all other questions should be answered publicly.

tshark is not the best choice to get a handshake. It is a passive tool and doesn't take care of packet loss, EAPOL TIMER values and REPLAY COUNTER values (as with all passive tools).

hcxpcapngtool (default options) didn't convert the handshake, because the criteria to calculate a valid MESSAGE PAIR are not met.

Criteria:
M1 M2 -> REPLAY COUNTER value must match and EAPOL TIME GAP between M1 and M2 must be <= 20000 msec!
If these conditions are not met, it is not possible to get a valid handshake (valid = get a MESSAGEPAIR of which hashcat can get a PSK) by default options of hcxpcapngtool and hashcat (ignore REPLAY COUNTER value if NONCE ERROR CORRECTION is possible).

More information about these conditions:
https://hashcat.net/forum/thread-7514-po...l#pid40512
and NONCE ERROR CORRECTIONs:
https://hashcat.net/forum/thread-6361.html

More about EAPOL TIMERs:
https://community.cisco.com/t5/wireless-...-p/3122477

and REPLAY COUNTERs:
https://etutorials.org/Networking/802.11...n+for+WPA/


BTW:
This will not happen if you use an active tool that interacts with the target (calculate NONCEs, REPLAY COUNT and EAPOL TIME to retrieve a valid hash, detect packet loss).
hcxdumptool and hcxlabtool calculate all these values to get M1M2 challenges from a mobile target (a passive dumper does not):
Code:
ACCESS POINT (ROGUE)......: 3cb87af43ec0 (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: 3cb87af43ec1 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 3cb87af43ec2 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: e00db925c846
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 62144
ANONCE....................: 94b3fa60baf0817cf3c18357a018050c89589ef433cf1b0e5795eceddabae3f9
SNONCE....................: ab3e5f717975b4d98b869d936d2ddd9abf04b85ae5344c0f4fda6d8d06df47ec

How many (different) challenges should be received can be controlled by stop_client_m2_attacks (hcxdumptool):
Code:
--stop_client_m2_attacks=<digit>   : stop attacks against CLIENTS after 10 M2 frames received
                                     affected: ap-less (EAPOL 2/4 - M2) attack

or m2attempt (hcxlabtool series):
Code:
--m2attempt=<digit>       : reject CLIENT request after n received M2 frames
                            default: 2 received M2 frames
The higher the value the better! The default setting is low, because this option could prevent a CLIENT from connecting to its NETWORK.
On some of my mobile (test) devices a window to ENTER a PSK will appear on the display. That depends on the OS of the mobile device.

In both cases, hcxpcapngtool --all should be used to convert all(!) retrieved/received challenges to a hc22000 file.

It is mandatory that hcxdumptool stores the attack hash values in pcapng file format to let hcxpcapngtool work on them. You'll see the same hash / replay count values of the hcxdumptool status output on the hcxpcapngtool status output, too.

It is also mandatory that hcxpcapngtool store the information about the MESSAGE PAIR to hc22000 file format to let hashcat work on them.

For me (analyst), an (unencrypted) EAPOL M2 is the most important EAPOL MESSAGE!
Reply
#8
(09-20-2022, 08:13 AM)ZerBea Wrote: PM are disabled because I received too many cracking requests - all other questions should be answered publicly.

Fair enough.

(09-20-2022, 08:13 AM)ZerBea Wrote: tshark is not the best choice to get a handshake. It is a passive tool and doesn't take care about packet loss, EAPOL TIMER values and REPLAY COUNTER values (as all passive tools).

I forgot to mention that the AP is being created by me and tshark is being run with the same computer hosting the AP. Does this matter with tshark or is it the same anyway as you mentioned above and I would still need an active tool?

Just in case, I am using this tool for hosting the AP, if you have a better option please let me know:
https://github.com/oblique/create_ap

(09-20-2022, 08:13 AM)ZerBea Wrote: hcxpcapngtool (default options) didn't convert the handshake, because the criteria to calculate a valid MESSAGE PAIR are not met.
Criteria:
M1 M2 -> REPLAY COUNTER value must match and EAPOL TIME GAP between M1 and M2 must be <= 20000 msec!
If these conditions are not met, it is not possible to get a valid handshake (valid = get a MESSAGEPAIR of which hashcat can get a PSK) by default options of hcxpcapngtool and hashcat (ignore REPLAY COUNTER value if NONCE ERROR CORRECTION is possible).

So let me see if I understand, even though I hosted the AP and captured the packets within the EAPOL TIME GAP 20000 msec limit from the same computer hosting the AP, since tshark does not save this information, then there is absolutely no way to get a valid handshake?

(09-20-2022, 08:13 AM)ZerBea Wrote: BTW:
This will not happen if you use an active tool that interacts with the target (calculate NONCEs, REPLAY COUNT and EAPOL TIME to retrieve a valid hash, detect packet loss).
hcxdumptool and hcxlabtool calculate all these values to get M1M2 challenges from a mobile target (a passive dumper does not):
Code:
ACCESS POINT (ROGUE)......: 3cb87af43ec0 (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: 3cb87af43ec1 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 3cb87af43ec2 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: e00db925c846
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 62144
ANONCE....................: 94b3fa60baf0817cf3c18357a018050c89589ef433cf1b0e5795eceddabae3f9
SNONCE....................: ab3e5f717975b4d98b869d936d2ddd9abf04b85ae5344c0f4fda6d8d06df47ec

How many (different) challenges should be received can be controlled by stop_client_m2_attacks (hcxdumptool):
Code:
--stop_client_m2_attacks=<digit>  : stop attacks against CLIENTS after 10 M2 frames received
                                    affected: ap-less (EAPOL 2/4 - M2) attack

or m2attempt (hcxlabtool series):
Code:
--m2attempt=<digit>      : reject CLIENT request after n received M2 frames
                            default: 2 received M2 frames

I have a couple of questions regarding this:

1. Would I then need another interface (wlan1) to run hcxdumptool since I am already using wlan0 to host the fake AP?

2. Can I only use hcxdumptool to automate this attack? (host the fake AP AND capture M1M2 challenges with the required information for hcxpcapngtool) If so, what would be the full command so that it creates the AP and only targets that AP and clients authenticating to it exclusively?

This is the command I ran while I hosted the fake ap on wlan0. This required me to have another wireless interface:
hcxdumptool -o hash.pcap -i wlan1 --filterlist_ap=fakeapfilter.txt --filtermode=2 --enable_status 3

I am aware that with bettercap I can host a fake access point with wifi.ap.ssid and set the encryption with wifi.ap.encryption, but I have not tested this yet.
Reply
#9
1. Would I then need another interface (wlan1) to run hcxdumptool since I am already using wlan0 to host the fake AP?
Yes, because it is mandatory that hcxdumptool has full access to the hardware.
From help menu:
Code:
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
do not run hcxdumptool on virtual machines or emulators
do not run hcxdumptool in combination with tools (channel hopper), that take access to the interface (except: tshark,

2. Can I only use hcxdumptool to automate this attack? (host the fake AP AND capture M1M2 challenges with the required information for hcxpcapngtool) If so, what would be the full command so that it creates the AP and only targets that AP and clients authenticating to it exclusively?

Yes, because hcxdumptool is able to set up as many as 1024 rogue APs at the same time
Code:
$ sudo hcxdumptool -i INTERFACE -c 1 --disable_ap_attacks --disable_deauthentication --essidlist=essidlist.txt --active_beacon --stop_client_m2_attacks=1000 -o dump.pcapng --enable_status=31
Please notice:
Due to MAC randomization (every modern CLIENT is doing this) it is not possible to filter unwanted CLIENTs, and hcxdumptool responds to every CLIENT that requests an AUTHENTICATION!

-c:
the channel should be a less crowded channel

--disable_ap_attacks:
do not attack APs - there are more (and better) ways to attack an AP than stupidly injecting DEAUTHENTICATION frames.

--disable_deauthentication:
do not disconnect connected CLIENTs from their APs - stealth mode to fool a DEAUTHENTICATION detector.

--essidlist:
essidlist.txt should contain a list of target ESSIDs the CLIENT can connect to.
Additionally, hcxdumptool will respond to every PROBEREQUEST of a CLIENT.

--active_beacon:
enable beaconing

How many (different) challenges should be received can be controlled by stop_client_m2_attacks (hcxdumptool).
If you also want to annoy the user (so that he types a new PSK), use >= 1000.

So let me see if I understand, even though I hosted the AP and captured the packets within the EAPOL TIME GAP 20000 msec limit from the same computer hosting the AP, since tshark does not save this information, then there is absolutely no way to get a valid handshake?
Partly correct.
After M1 was transmitted, M2 must be received before the EAPOL TIMEOUT value is reached, and the M1 and M2 REPLAY COUNT must match. Only then do you get a valid MESSAGE PAIR.
tshark will get these values from the AP (REPLAY COUNT and ANONCE) and from the CLIENT (REPLAY COUNT and SNONCE). It is mandatory to receive both! Otherwise you will not get a valid MESSAGE PAIR.

hcxdumptool, on the other hand, acts as an AP and uses its own values (REPLAY COUNT and ANONCE) to which the CLIENT responds (REPLAY COUNT as requested and SNONCE as requested). We only need the values from the CLIENT, because all other values are generated by hcxdumptool and stored to comment fields of the pcapng file.

The entire procedure of a 4way handshake, especially the formula to calculate the PTK
PTK = PRF (PMK + ANONCE + SNONCE + Mac (AP)+ Mac (CLIENT))
is explained here:
https://www.wifi-professionals.com/2019/...-handshake

If the received ANONCE and SNONCE don't match (by REPLAY COUNT), it is not possible to calculate the PTK.
This can happen after a packet loss or if the AP renews all EAPOL values because it started a new AUTHENTICATION sequence (e.g. due to excessive injecting of DEAUTHENTICATION frames).

An example from a test series:
Code:
EAPOL messages (total)...................: 14883
EAPOL RSN messages.......................: 14883
EAPOLTIME gap (measured maximum usec)....: 570083779
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 8
EAPOL M1 messages (total)................: 11697
EAPOL M2 messages (total)................: 3026
EAPOL M3 messages (total)................: 51
EAPOL M4 messages (total)................: 109
EAPOL pairs (total)......................: 7420
EAPOL pairs (useful).....................: 7419
EAPOL ROGUE pairs........................: 7214
EAPOL M12E2 (challenge)..................: 7400
EAPOL M32E2 (authorized).................: 18
EAPOL M34E4 (authorized).................: 1

EAPOL M12E2 (challenge)..................: 7400
total challenges (interactive and passive)

EAPOL ROGUE pairs........................: 7214
interactive branch
M2 requested by hcxdumptool.

EAPOL M32E2 (authorized).................: 18
passive branch
The test CLIENTs connect to the test router (running in parallel for test purpose to get an idea about the packet loss inside the passive reception branch of hcxdumptool). Please notice that hcxdumptool is acting interactive with the target as well as a passive reception only tool (receive everything that is on the air).

EAPOL M34E4 (authorized).................: 1
passive branch
we got only one(!) single complete 4way handshake.

Now you can imagine how big the packet loss is if you try to get/receive matching values from the connection attempt of a CLIENT to its regular AP passively, in contrast to actively requesting them directly from the CLIENT.

This should make it clear:
EAPOL messages (total)...................: 14883
most of them are useless (to calculate a valid MESSAGE PAIR) and only these ones really match:
EAPOL M12E2 (challenge)..................: 7400
EAPOL M32E2 (authorized).................: 18
EAPOL M34E4 (authorized).................: 1

That is to say, running hcxdumptool it is easy to get a challenge (M1M2) without fear of a packet loss:
EAPOL ROGUE pairs........................: 7214

BTW:
First choice to setup a regular AP should be hostapd:
https://w1.fi/hostapd/

First choice to setup a regular CLIENT should be wpa_supplicant:
https://w1.fi/wpa_supplicant/

Both tools are widely used by routers, Linux, Android and other IoT devices.
Reply
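An added worked example (my own Python, not code from the thread, from hcxtools or from hashcat) that applies the M1/M2 pairing criteria from #7 and the PTK formula from #9 to a constructed capture, then checks a candidate PSK against the pair's M2 MIC, which is the verification hashcat performs on a 22000 hash built from such a pair. The gap limit (20000 usec, from the EAPOLTIMEOUT status line), the two addresses, the replay count and the PSK rosebud2021 are reused from the thread; the ESSID, the nonces and the bare M2 frame layout are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: the M1->M2 gap limit is taken from the EAPOLTIMEOUT line of the
# status output quoted in this thread (20000 usec); use your tool's own value.
MAX_GAP_USEC = 20000
# MIC offset in an EAPOL-Key frame: hdr 4 + type 1 + info 2 + len 2 + replay 8
# + nonce 32 + IV 16 + RSC 8 + key ID 8 = 81
MIC_OFFSET = 81

@dataclass
class EapolMsg:
    number: int          # 1 = M1 (AP -> CLIENT), 2 = M2 (CLIENT -> AP)
    ts_usec: int         # capture timestamp in microseconds
    replay: int          # Key Replay Counter from the EAPOL-Key header
    nonce: bytes         # ANONCE for M1, SNONCE for M2
    mac_ap: bytes
    mac_client: bytes
    eapol: bytes = b""   # raw EAPOL frame; needed for M2, which carries the MIC

def pair_m1_m2(msgs, max_gap_usec=MAX_GAP_USEC):
    """Thread's criteria: same AP/CLIENT, equal REPLAY COUNTER, M2 within the gap after M1."""
    pairs, used = [], set()
    for m2 in sorted((m for m in msgs if m.number == 2), key=lambda m: m.ts_usec):
        best = None
        for i, m1 in enumerate(msgs):
            if (i in used or m1.number != 1
                    or (m1.mac_ap, m1.mac_client, m1.replay) != (m2.mac_ap, m2.mac_client, m2.replay)
                    or not 0 <= m2.ts_usec - m1.ts_usec <= max_gap_usec):
                continue
            if best is None or m1.ts_usec > msgs[best].ts_usec:
                best = i  # the closest preceding M1 wins; each M1 is paired at most once
        if best is not None:
            used.add(best)
            pairs.append((msgs[best], m2))
    return pairs

def derive_ptk(pmk, anonce, snonce, mac_ap, mac_client):
    """WPA2 form of the thread's formula: PTK = PRF-512(PMK, sorted MACs || sorted nonces)."""
    data = (min(mac_ap, mac_client) + max(mac_ap, mac_client)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]  # KCK = first 16 bytes, authenticates the M2 MIC

def eapol_mic(kck, eapol):
    """HMAC-SHA1-128 over the frame with the MIC field zeroed (key descriptor v2)."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def psk_matches_pair(psk, essid, m1, m2):
    """The per-candidate check a cracker performs: PSK -> PMK -> PTK -> KCK -> M2 MIC."""
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)
    kck = derive_ptk(pmk, m1.nonce, m2.nonce, m2.mac_ap, m2.mac_client)[:16]
    return hmac.compare_digest(eapol_mic(kck, m2.eapol),
                               m2.eapol[MIC_OFFSET:MIC_OFFSET + 16])

def build_m2(psk, essid, anonce, snonce, replay, mac_ap, mac_client):
    """Constructed M2 frame (what a supplicant sends) so the example runs offline."""
    body = (b"\x02" + (0x010A).to_bytes(2, "big") + b"\x00\x10"  # RSN, v2, pairwise, MIC
            + replay.to_bytes(8, "big") + snonce + b"\x00" * 48 + b"\x00\x00")
    eapol = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)
    mic = eapol_mic(derive_ptk(pmk, anonce, snonce, mac_ap, mac_client)[:16], eapol)
    return eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]

def demo():
    """Constructed capture: one M1, three M2s; only one M2 meets the pairing criteria."""
    essid, psk = b"example-net", "rosebud2021"   # ESSID constructed, PSK from the thread
    ap, client = bytes.fromhex("3cb87af43ec2"), bytes.fromhex("e00db925c846")
    anonce, snonce, rc = bytes([0x11]) * 32, bytes([0x22]) * 32, 62144
    m2_ok, m2_bad = [build_m2(psk, essid, anonce, snonce, r, ap, client) for r in (rc, rc + 1)]
    msgs = [EapolMsg(1, 1_000_000, rc, anonce, ap, client),
            EapolMsg(2, 1_005_000, rc + 1, snonce, ap, client, m2_bad),  # counter mismatch
            EapolMsg(2, 1_010_000, rc, snonce, ap, client, m2_ok),       # valid M1M2 challenge
            EapolMsg(2, 1_040_000, rc, snonce, ap, client, m2_ok)]       # outside the gap
    pairs = pair_m1_m2(msgs)
    return len(pairs), [psk_matches_pair(c, essid, *pairs[0]) for c in ("rosebud1", psk)]
```

The two rejected M2s are exactly the cases the thread describes: a replay counter that no longer matches the M1 (a fresh AUTHENTICATION sequence or packet loss) and an M2 that arrived after the EAPOL timeout, neither of which yields a MESSAGE PAIR a PSK can be checked against.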
#10
(09-20-2022, 05:40 PM)ZerBea Wrote: Yes, because it is mandatory that hcxdumptool has full access to the hardware.
From help menu:
Code:
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
do not run hcxdumptool on virtual machines or emulators
do not run hcxdumptool in combination with tools (channel hopper), that take access to the interface (except: tshark,

Got it, thanks for the explanation.

(09-20-2022, 05:40 PM)ZerBea Wrote: Yes, because hcxdumptool is able to set up as many as 1024 rogue APs at the same time
Code:
$ sudo hcxdumptool -i INTERFACE -c 1 --disable_ap_attacks --disable_deauthentication --essidlist=essidlist.txt --active_beacon --stop_client_m2_attacks=1000 -o dump.pcapng --enable_status=31
Please notice:
Due to MAC randomization (every modern CLIENT is doing this) it is not possible to filter unwanted CLIENTs and hcxdumptool respond to every CLIENT that request an AUTHENTICATION!

Thanks for this. I did notice a flaw when running this command though. hcxdumptool sets up the rogue APs from the essidlist.txt file as expected, but when you say that it responds to every client authentication, it responds to EVERY client authentication from EVERY AP, not just the ones set up by hcxdumptool itself.

The issue is this:
It would be simple to do a --filterlist_ap=hcxdumptool_rogue_AP_MAC.txt with --filtermode=2, but since hcxdumptool randomizes the MAC I have no way of specifying the correct MAC to filter. In the hcxdumptool man page it specifies that "--mac_ap" should be used to set a specific MAC, but in the latest version on Github when I add "--mac_ap=AAAAAAAAAAAA" it results in
Code:
hcxdumptool: unrecognized option '--map_ap'
Reply