wpa2
#21
That would be a good starting point to hunt for the problem.
Please begin with output of
$ pwd
followed by (we are only interested in old .hc22000 files in the working directory)
$ ls *.hc22000
to find out if there is an old hc22000 file inside, because hcxpcapngtool appends entries to an existing file.
I just added this to hcxpcapngtool --help in the last commit:
Code:
$ hcxpcapngtool --help
...
Do not edit, merge or convert pcapng files! This will remove optional comment fields!
Detection of bit errors does not work on cleaned dump files!
Do not use hcxpcapngtool in combination with third party cap/pcap/pcapng cleaning tools (except: tshark and/or Wireshark)!
It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this.
Output is appended to existing files.
Recommended tools to show additional 802.11 fields or to decrypt WiFi traffic: Wireshark and/or tshark
Recommended tool to filter converted hash by several options: hcxhashtool
Recommended tool to get default or standard PSKs: hcxpsktool
Recommended tool to calculate wordlists based on ESSID: hcxeiutool
Recommended tools to retrieve PSK from hash: hashcat, JtR

You may have noticed that your problem helps me to improve hcxtools.
#22
Ok, so first I installed all tools using this link https://github.com/ZerBea/hcxtools
git clone https://github.com/ZerBea/hcxtools

Then I stopped all wpa processes
sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.service

Then I started hcxdumptool
sudo hcxdumptool -i wlan0 -o dumpfile.pcapng --active_beacon --enable_status=1

Then I started all wpa processes
sudo systemctl start NetworkManager.service
sudo systemctl start wpa_supplicant.service

Then I used hcxpcapngtool to decrypt the file
hcxpcapngtool -o hash.hc22000 -E essidlist dumpfile.pcapng

And then when I try to crack it with hashcat I always get an error.

Both files look exactly like David Bombal's ones in this video.
I just watched it and he did the same as me and it worked for him, so I don't know where the problem is.
https://www.youtube.com/watch?v=Usw0IlGbkC4
#23
Ok, thanks.
The command lines are ok.
Have you removed the old file "dumpfile.pcapng" before running hcxdumptool?
If not, hcxdumptool will create a new one with the ending -x, where x is the number of tries. This prevents overwriting the old dump file and makes sure that we store traffic from the current session with unique random values valid for this traffic.
Code:
first run:
$ sudo hcxdumptool -i wlan0 -o dumpfile.pcapng --active_beacon --enable_status=1
$ ls
dumpfile.pcapng

second run:
$ sudo hcxdumptool -i wlan0 -o dumpfile.pcapng --active_beacon --enable_status=1
$ ls
dumpfile.pcapng-0

third run:
$ sudo hcxdumptool -i wlan0 -o dumpfile.pcapng --active_beacon --enable_status=1
$ ls
dumpfile.pcapng-1

Have you removed the old file "hash.hc22000" before running hcxpcapngtool?
If not, all new hashes are appended to the damaged file.

To make sure that you are not running on old files, I recommend removing all files from your working directory before making a new attempt.

To make sure your installation is ok, please run the example from here:
https://github.com/evilsocket/pwnagotchi...-598597214
These are the command lines:
$ wget https://github.com/evilsocket/pwnagotchi...nctest.zip
$ unzip -j nctest.zip
$ hcxpcapngtool -o eapol.22000 -E wordlist test.pcap
output should look like this:
Code:
$ hcxpcapngtool -o eapol.22000 -E wordlist test.pcap
hcxpcapngtool 6.2.7-1-g74374b3 reading from test.pcap...

summary capture file
--------------------
file name.................................: test.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 06.02.2020 12:23:49
timestamp maximum (GMT)..................: 06.02.2020 12:24:52
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 6
packets received on 2.4 GHz..............: 5
ESSID (total unique).....................: 2
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 5
PROBEREQUEST.............................: 1
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum usec)....: 16624455
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 62482
EAPOL M1 messages (total)................: 3
EAPOL M2 messages (total)................: 1
EAPOL pairs (total)......................: 1
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file....: 1 (RC checked)
EAPOL M12E2 (challenge)..................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2432: 5
$ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist
output should look similar to this:
Code:
hashcat (v6.2.5-400-gf31dcc5d1) starting
...
OpenCL info removed to keep the post small
...
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: eapol.22000
Time.Started.....: Tue Apr 26 23:30:15 2022 (0 secs)
Time.Estimated...: Tue Apr 26 23:30:15 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       30 H/s (1.41ms) @ Accel:8 Loops:256 Thr:512 Vec:1
Recovered.Total..: 1/1 (100.00%) Digests
Progress.........: 2/2 (100.00%)
Rejected.........: 1/2 (50.00%)
Restore.Point....: 0/2 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: v+#gqu5g9pqnp%+7jbf%2uex+8hlo3ms -> v+#gqu5g9pqnp%+7jbf%2uex+8hlo3ms
Hardware.Mon.#1..: Temp: 59c Fan: 36% Util: 46% Core:1885MHz Mem:5005MHz Bus:16
...
hashcat should have recovered the PSK:
Recovered.Total..: 1/1 (100.00%) Digests
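Because hcxpcapngtool appends to an existing .hc22000 file, a stale or damaged hash file in the working directory silently collects new entries on top of old ones. The following checker is an added example, not code from hcxtools or hashcat: it reads a 22000 hash file line by line, validates each entry against the documented field layout (WPA*TYPE*PMKID/MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR), and reports malformed lines and exact duplicates, which are the two symptoms of repeated appends. The three sample lines embedded below are constructed (arbitrary hex, not a real capture) purely to exercise the checks; the minimum EAPOL length of 99 bytes follows from the 802.1X header plus the fixed EAPOL-Key descriptor fields.

```python
"""Sanity-check a hashcat 22000 (.hc22000) hash file before cracking.

Added example, not part of hcxtools or hashcat. Usage:
    python check_hc22000.py hash.hc22000
With no argument it runs on the constructed sample below.
"""
import re
import sys
from collections import Counter
from typing import Dict, List, Optional, Tuple

_HEX = re.compile(r"^[0-9a-fA-F]*$")
# An EAPOL-Key frame is at least 4 (802.1X header) + 95 (key descriptor
# without key data) = 99 bytes, i.e. 198 hex characters.
_MIN_EAPOL_HEX = 198


def check_line(line: str) -> Optional[str]:
    """Return None for a well-formed 22000 entry, else a short reason."""
    parts = line.strip().split("*")
    if len(parts) != 9:
        return f"expected 9 '*'-separated fields, found {len(parts)}"
    sig, kind, digest, mac_ap, mac_sta, essid, anonce, eapol, pair = parts
    if sig != "WPA":
        return "line does not start with 'WPA'"
    if kind not in ("01", "02"):
        return f"unknown entry type {kind!r} (01 = PMKID, 02 = EAPOL)"
    for name, value in (("PMKID/MIC", digest), ("MAC_AP", mac_ap),
                        ("MAC_CLIENT", mac_sta), ("ESSID", essid),
                        ("ANONCE", anonce), ("EAPOL", eapol),
                        ("MESSAGEPAIR", pair)):
        if not _HEX.match(value):
            return f"{name} field contains non-hex characters"
    if len(digest) != 32:
        return "PMKID/MIC must be 32 hex characters"
    if len(mac_ap) != 12 or len(mac_sta) != 12:
        return "MAC fields must be 12 hex characters"
    if not 2 <= len(essid) <= 64 or len(essid) % 2:
        return "ESSID must be 1..32 bytes as an even-length hex string"
    if kind == "01":
        # PMKID entries carry no handshake material.
        if anonce or eapol or pair:
            return "PMKID entry must leave ANONCE, EAPOL and MESSAGEPAIR empty"
        return None
    if len(anonce) != 64:
        return "ANONCE must be 64 hex characters"
    if len(eapol) < _MIN_EAPOL_HEX or len(eapol) % 2:
        return "EAPOL must be an even-length hex string of at least 99 bytes"
    if len(pair) != 2:
        return "MESSAGEPAIR must be 2 hex characters"
    return None


def check_text(text: str) -> Dict[str, object]:
    """Validate every non-empty line; count valid entries, errors, duplicates."""
    valid = 0
    errors: List[Tuple[int, str]] = []
    seen: Counter = Counter()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        reason = check_line(line)
        if reason is None:
            valid += 1
            seen[line] += 1
        else:
            errors.append((lineno, reason))
    duplicates = {entry: n for entry, n in seen.items() if n > 1}
    return {"valid": valid, "errors": errors, "duplicates": duplicates}


# Constructed sample: one PMKID entry, one EAPOL entry, one truncated line
# (as left behind by an interrupted write), then the PMKID entry appended
# a second time. None of this hex comes from a real network.
_PMKID_LINE = ("WPA*01*00112233445566778899aabbccddeeff*aabbccddeeff*"
               "112233445566*6578616d706c65***")
_EAPOL_LINE = ("WPA*02*ffeeddccbbaa99887766554433221100*aabbccddeeff*"
               "112233445566*6578616d706c65*" + "ab" * 32 + "*" + "01" * 99 + "*02")
_TRUNCATED_LINE = "WPA*02*ffeeddccbbaa*aabbccddeeff*112233445566*6578616d706c65"
SAMPLE_HC22000 = "\n".join([_PMKID_LINE, _EAPOL_LINE, _TRUNCATED_LINE, _PMKID_LINE, ""])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="utf-8", errors="replace") as fh:
            report = check_text(fh.read())
    else:
        report = check_text(SAMPLE_HC22000)
    print(f"valid entries : {report['valid']}")
    for lineno, reason in report["errors"]:
        print(f"line {lineno}: {reason}")
    for entry, n in report["duplicates"].items():
        print(f"duplicate x{n}: {entry[:40]}...")
```

Run it on hash.hc22000 before starting hashcat; if it reports any malformed line or duplicates you did not expect, remove the old hash file and rerun hcxpcapngtool on the fresh capture, as recommended in the post above.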