hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi walterlacka.
No, there is no new general tutorial, as the basic functions are untouched. You can always run hcxtools using the default options. If your knowledge is higher, you can choose several additional options. They are explained in the help menu of each tool. Well, some of the tools are obsolete (like wlanresponse) and I removed them. Some tools are new (like wlandump-rs), because things changed (new authentication procedure, drop dependencies, some really good user ideas). I made a little post (only in this thread), everytime important things changed.
I described the basic TTPs (Tactics, Techniques and Procedures) once and they didn't change since this time.
So it's enough, to follow this thread to understand the new features and, of course, the basics.
I admit, it is not easy to use hcxtools. Well, see it as a WiFi playground to expand your knowledge (and I mean learning by doing).

And last, but not least:
The main penetration distros added hcxtools to their repositories and keep them up to date:

http://mirror.easyname.at/blackarch/blac...os/x86_64/
hcxtools-609.b485155-1-x86_64.pkg.tar.xz 17-Dec-2017 16:01 96K

https://en.The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali).tools/all/?tool=1779
Last Updated: 2017-12-17

There is also a nice post in an other forum written by freeroute:
https://forum.hashkiller.co.uk/topic-vie...465#155465


If you're interested in the whole stuff, I suggest you to read this elementary basics:
https://en.wikipedia.org/wiki/Intelligence_cycle
https://en.wikipedia.org/wiki/Signals_intelligence
https://en.wikipedia.org/wiki/Traffic_analysis
https://en.wikipedia.org/wiki/Coding_theory
https://en.wikipedia.org/wiki/Cryptanalysis
and that (google for CWAP_WLAN_ANALYSIS.pdf):
Certified Wireless Analysis Professional Official Study Guide
Reply
Hi DKblue.
Again thanks and all my best season greetings
Reply
In wlanhcx2ssid, what's the difference between -n and -D?
Reply
Hi ee10.
You're too fast for me (asking this question). Added this option yesterday, but didn't have the time to write a post.

wlancap2hcx
added new option to remove handshakes that that belong to the same authentication sequence
-D        : remove handshakes that belong to the same authentication sequence
         : you must use nonce-error-corrections on that file!

wlanhcx2ssid
added new option to remove handshakes that that belong to the same authentication sequence
-D <file> : remove handshakes that belong to the same authentication sequence
         : you must use nonce-error-corrections on that file!

The new option -D remove all duplicate handshakes that are captured within the lease time of an EAPOL timer.
The options -n and -N remove all duplicates and keep one handshake each mac_ap, mac_sta, essid, message_pair combination (-N) or one handshake each mac_sta, essid combination (-n). They doesn't take care about the lease time!

-D removes less duplicates than -n or -N, but will keep the following:
- client tries to connect to the access point using the half of his password, then he tries to connect using the complete password
- access point / client changed the password during the capture time
- user merged two or more  different caps before he convert them to hccapx

-n or -N only keeps one of this handshakes and remove the other ones.

If you have enough gpu power or enough time, it's better to choose option -D.

The new option is designed on demand of wpa-sec.stanev.org to prepare incoming caps for the database (remove dupplicates, but keep all the gems). wpa-sec.stanev.org is on his way to finish the migration to hashcat 4.0.1 and need this option to reduce the size of the database, but keep important handshakes (the gems).  We can not assume that all handshakes in a submitted cap belong to the same authentication sequence in range of the lease time of an EAPOL timer (so we need -D).

Let's take a look on this example on a merged cap containing handshakes from 2 different EAPOL lease times:
$ wlanhcx2ssid -i complete.hccapx -D rem1.hccapx
2654 records read from complete.hccapx
2267 records removed
387 records written


$ wlanhcx2ssid -i complete.hccapx -N rem2.hccapx
2654 records read from complete.hccapx
363 records written to rem2.hccapx

$ wlanhcx2ssid -i complete.hccapx -n rem3.hccapx
2654 records read from complete.hccapx
273 records written to rem3.hccapx

Option -D keeps 24 handshakes captured from different lease times (you must enable at least default nonce-error-corrections).
Option -N removed them too, but take care of the message_pair.
Option -n removed more and doesn't take care of the message_pair (you must use high nonce-error-corrections values)

Option -D wlancap2hcx is similar to option -D wlanhcx2ssid (same source code).

And, as you can see, every single option of hcxtools has a price tag. If you choose this option, you have to pay the price.
Reply
You are awesome. I love your software. Thank you so much.
Reply
Happy newyear ZerBea !
I 've got the disable NetworkManager scripts to run!
That's not easy for me ,I referenced your example code  and googled word by word these 2 weeks.
Finaly here it is
#!/bin/sh
sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.service

sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
sudo iw dev wlan0 info
Now it's more easier to use your hcxtools.
Thanks again
Bye
Reply
Hi ZerBea!
I'm the guy from arg-wireless forum that compile wlangenpmk and wlangenpmkocl for windows!
ocl version is as fast as hashcat with my Nvidia GTX750 TI , its about 60000 pmk/s and haschcat -m 2500 60 Kh/s
i am not a C programmer, but i do have some free time and goolge a lot .
so i wonder it you could add pipping in/out to wlangenpmk tools. huh?
to be able to do something like this , instead of making large dictionaries
crunch --> wlangenpmk "ssid" --> hashcat -m 2501 capfile.hccapx
thanks!
Reply
Hi DKblue
Happy New Year.
Nice to read, that you are able to put your device into monitor mode.
Reply
Hi JuanBerta.
I really like the arg-wireless forum and pushed wlangenpmkocl stdin/stdout update:
$ wlangenpmkocl -h
wlangenpmkocl 4.0.1 (C) 2018 ZeroBeat
usage: wlangenpmkocl <options>
cat wordlist | wlangenpmkocl -e <essid> | hashcat -m 2501 ...

options:
-e <essid> : input single essid (networkname: 1 .. 32 characters) requires -p
-p <password> : input single password (8 .. 63 characters) requires -e
-i <file> : input passwordlist
-I <file> : input combilist (essid:password)
-a <file> : output plainmasterkeys as ASCII file (hashcat -m 2501)
-A <file> : output plainmasterkeys:password as ASCII file
-c <file> : output cowpatty hashfile (existing file will be replaced)
-P <platform> : input platform, default 0 (first platform)
-D <device> : input device, default 0 (first device)
-l : list device info
-h : this help
Reply
(01-04-2018, 08:55 PM)ZerBea Wrote: Hi JuanBerta.
I really like the arg-wireless forum and pushed wlangenpmkocl stdin/stdout update:
$ wlangenpmkocl -h
wlangenpmkocl 4.0.1 (C) 2018 ZeroBeat
usage: wlangenpmkocl <options>
      cat wordlist | wlangenpmkocl -e <essid> | hashcat -m 2501 ...

options:
-e <essid>    : input single essid (networkname: 1 .. 32 characters) requires -p
-p <password> : input single password (8 .. 63 characters) requires -e
-i <file>     : input passwordlist
-I <file>     : input combilist (essid:password)
-a <file>     : output plainmasterkeys as ASCII file (hashcat -m 2501)
-A <file>     : output plainmasterkeys:password as ASCII file
-c <file>     : output cowpatty hashfile (existing file will be replaced)
-P <platform> : input platform, default 0 (first platform)
-D <device>   : input device, default 0 (first device)
-l            : list device info
-h            : this help

Excellent news!
thank you so much!
Reply