hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi DKblue.
You've done the right things. That is the way to make a flawless and clean cap.
The second way is to use the option -p from wlancap2hcx:
-p <file> : output merged pcap file (upload this file to http://wpa-sec.stanev.org)
In that case you get a flawless (uncleaned) cap.

This behavior is normal for capture tools which doesn't take care about "save terminating" or a script that kills the capture tool.
In your case the cap is cutted and you get this message:
pcap read error: invalid packet capture length 1960823124, bigger than maximum of 262144
You will also get this error if you try to read this cap using wireshark.

I should like to point out that the result of minidwep-gtk is very poor comparing to a wlandump-ng (raspberry pi) capture:
$ wlancap2hcx 201711290935.pcap
start reading from 201711290935.pcap
11698 packets processed (11698 wlan, 0 lan, 0 loopback)
total 320 usefull wpa handshakes
found 7 WPA1 RC4 Cipher, HMAC-MD5
found 313 WPA2 AES Cipher, HMAC-SHA1
found 164 valid WPA handshakes (by wlandump-ng/wlanresponse)
nonce-error-corrections is working on that file
found FAST Authentication

By the way:
I power on my raspberry pi. Than I take a walk through the city. After I returned, I power off the raspberry
and copy the cap to the gpu rig and do the conversation to hccapx. Thats all.

And even with a very small wordlist and a simple notebook, I have a hitrate of 8% on that cap:
Session..........: hashcat                       
Status...........: Exhausted
Hash.Type........: WPA/WPA2
Hash.Target......: test.hccapx
Time.Started.....: Sat Dec  2 15:42:36 2017 (1 min, 24 secs)
Time.Estimated...: Sat Dec  2 15:44:00 2017 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:    31164 H/s (3.68ms)
Recovered........: 18/225 (8.00%) Digests, 4/70 (5.71%) Salts
Progress.........: 2857610/2857610 (100.00%)
Rejected.........: 0/2857610 (0.00%)
Restore.Point....: 40823/40823 (100.00%)
Candidates.#1....: rsax4337 -> волчонок
HWMon.Dev.#1.....: Temp: 63c Util: 95% Core:1176MHz Mem: 900MHz Bus:4

Started: Sat Dec  2 15:42:28 2017
Stopped: Sat Dec  2 15:44:01 2017
Reply
Sorry for reply so late Zerbea!
really sorry!
Enlight by your case with raspberry pi  ,I'm fixing serveral grandpa-class notebooks,remove those mechnial hdd,trying to install The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) on u-disk .(as I hnow nothing about raspberry pi,so does my co-workers)
Reply
one more thing,I seem to find hcxtools has win-version realeased? If so,that would be most convenient


Attached Files
.jpg   111.JPG (Size: 67.45 KB / Downloads: 13)
Reply
Hi DKblue.
Nice snapshot. At least you are able to recover the key. That's great.

But it's not a good idea to use wlangenpmk (as it is much slower than hascat). This tool was designed for analysis purpose and to speed up hashcats hashing process of allready recovered passwords.

example:
Use wlangenpmk on your potfile to calculate PMKs for allready recovered networks.
Convert new captures to hccapx and do the first hashcat run using this calculated PMKs and hashcats --remove option.
Now all (allready) recovered passwords are filtered out (very fast).
Then use your prefered methods (crunch) on the remaining networks in your hccapx file.

I do not think about it to port hcxtools to windows.
First of all hcxtools are designed to be analysis tools and pre-processing tools for use with hashcat and JtR.
For that purpose you need  a system that you control(!!!) and not somebody in Silicon Valley.
If you decide to use hcxtools, your level of experience (LINUX and 802.11x) must be significantly higher than using a simple all-in-one-script. Only in that case you'll get good results.
Reply
Just out of curiosity, has anyone compiled this for OpenWRT? Looks like all the required packages are already available with Chaos Calmer, would be neat to set this up in my Ubiquiti unit and give it a try.
Reply
Hi slyexe
Yes, but we are still running into problems on big endian machines. The source contains allready some muscle fixes, but there is a lot of work todo. There are also many OSX fixes inside the latest git code (thanks to RealEnder, Neheb and Magnum).
Next step is to drop libpcap dependency. But that needs a complete rewrite of the tools.
wlandump-ng (https://github.com/ZerBea/hcxtoolsbleeding) is the first tool that dropped that dependency.
Now we use a file descriptor to read incomming packets from a raw socket and write outgoing packets to a raw socket (full duplex). Also, that makes it easier to port the code to other OS (I hope so).
Life would be easier, if I can get some big endian caps and a PRISM (I or II) header cap.
Reply
hi ZerBea
it's not mine command,here is original link:
http://arg-wireless.com.ar/index.php?topic=1927.15

Anyway I'd like to consult you on wlangenpmk later, while free.
Now I'm still busy fighting those rubbish notebooks,try to install kalie-light-version on sd-card.
It would be so nice to capture with your excellent wlandump-ng.

your suggestion is good,but we are electromechanical labourers,
pretty raspberry is a little delicate in our tools-bag.
Thanks.
Reply
Hi DKblue.
You're welcome. I know that ARG forum, well. There are nice posts inside about Fibertel's and Speedy's.

The solution for your problem is a simple bash script that:
disables NetworkManager and wpa_supplicant
enables monitor mode for the selceted device
brings interface up

and a second script that
disables monitor mode for selected device
brings interface up
enables NetworkManager and wpa_supplicant

I'm shure some UBUNTU/DEBIAN users can post their scripts here.

for an arch system:

makemonitor
---------------
#!/bin/sh
if test -z "$1"
then
for IFACE in `ls -1 /sys/class/net | grep ^wl`
do
printf "$IFACE "
cat /sys/class/net/$IFACE/address
done
printf "\nselect interface: "
read WLANDEV
else
WLANDEV=$1
fi
echo "deactivate monitor mode on $WLANDEV"
sudo ip link set $WLANDEV down
sudo iw dev $WLANDEV set type managed
sudo ip link set $WLANDEV up
sudo iw dev $WLANDEV info

echo "activate services"
sudo systemctl start NetworkManager.service
sudo systemctl start wpa_supplicant.service

killmonitor
-----------
#!/bin/sh

if test -z "$1"
then
for IFACE in `ls -1 /sys/class/net | grep ^wl`
do
printf "$IFACE "
cat /sys/class/net/$IFACE/address
done
printf "\nselect interface: "
read WLANDEV
else
WLANDEV=$1
fi
echo "deactivate services"
sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.service
echo "activate monitor mode on  $WLANDEV"
sudo ip link set $WLANDEV down
sudo iw dev $WLANDEV set type monitor
sudo ip link set $WLANDEV up
sudo iw dev $WLANDEV info
Reply
Thanks ZerBea!
Your scripts seems helpful.
Last month I learned from  your reply to windmaple here:

windmaple: There are some major problems in your configuration:
1. do not use aircrack-ng tools or scripts in combination with hcxtools.
    airmon-ng creates a virtual interface (monx) and leaves wlan0 managed!
2. do not use wlandump-ng/wlanresponse on virtual devices like monx
    "I placed the wifi card into monitor mode but somehow wlandump doesn't like wlan0"
    wlandump-ng/wlanresponse likes wlan0, but they don't like virtual devices!
3. as freeroute wrote, you must identify all services that takes access to your capture device and stop them (at least this 2):
    sudo systemctl stop NetworkManager.service
    sudo systemctl stop wpa_supplicant.service
4. as freeroute wrote, you must put the interface into monitor mode (where $WLANDEV is your device name)
    sudo ip link set $WLANDEV down
    sudo iw dev $WLANDEV set type monitor
    sudo ip link set $WLANDEV up
    sudo iw dev $WLANDEV info
5. if you got pcap read errors like this:
    internal pcap errors.....................................: 12
    there are more services that prevent wlandump-ng/wlanresponse to access the device - you must identify and stop them.
6. if you finished capturing do not forget to put the device back into managed mode
    sudo ip link set $WLANDEV down
    sudo iw dev $WLANDEV set type managed
    sudo ip link set $WLANDEV up
    sudo iw dev $WLANDEV info
7. and start the services - otherwise you will have no connectivity!
    sudo systemctl start NetworkManager.service
    sudo systemctl start wpa_supplicant.service

and now learned from you time after time.
I'll trie your scripts later,thanks again!
Reply
Hi DKblue.
The problems aren't so big as you might think.
Penetration distros doesn't start as many unwanted services as multimedia distros. So there are only a few services to stop.
There is no real need to use airmon-ng if you have common hardware (Realtek, Ralink or Atheros chipsets that support native monitor mode).
Aircrack-ng is able to run other services on the same interface (like hostapd, airbase-ng or airtun-ng). Therefore it use virtual devices. wlandump-ng is stand alone and needs full access to the hardcoded interface.
Thats all...

And please upload your capfiles to http://wpa-sec.stanev.org/
We need the caps for analysis purposes (weakpoints, keyspace, 802.11 protocol, ...)  to improve the tools (hashcat, JtR, hcxtools).

example:
You mentioned the arg-wireless forum in your post.
The user are interested in Fibertel routers.
We did an analysis of the database to get informations about the keyspace and
added this as new option to latest wlanhcx2psk

$ wlanhcx2psk -h
wlanhcx2psk 4.0.0 (C) 2017 ZeroBeat
usage..: wlanhcx2psk <options>
example: wlanhcx2psk -i <hccapx> -W -s | hashcat -m 2500 <hccapx>

options:
-i <file> : input hccapx file
-o <file> : output plainkeys to file
-s        : output plainkeys to stdout (pipe to hashcat)
-w        : include generic weak passwords
-W        : include complete wps keys
-D        : include complete european dates
-d        : include complete american dates
-N        : include NETGEARxx weak candidates
-F        : include Fibertel weak candidates
-h        : this help
-v        : version

Keep in mind, wlanhcx2psk is no key generator based on closed source firmware. Only results of open sources intelligence are used.
Reply