hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
#21
created a new branch: https://github.com/ZerBea/hcxkeys
added tools wlangenpmk (CPU) and wlangenpmkocl (GPU) to generate rainbowtables of common ESSIDS for use with hash-mode 2501


wlangenpmk 3.6.0 (C) 2017 ZeroBeat
usage: wlangenpmk <options>

options:
-e <essid>    : input single essid (networkname: 1 .. 32 characters)
-p <password> : input single password (8 .. 63 characters)
-i <file>     : input passwordlist
-I <file>     : input combilist (essid:password)
-a <file>     : output plainmasterkeys as ASCII file (hashcat -m 2501)
-A <file>     : output plainmasterkeys:password as ASCII file
-c <file>     : output cowpatty hashfile (existing file will be replaced)
-h            : this help


wlangenpmkocl 3.6.0 (C) 2017 ZeroBeat
usage: wlangenpmkocl <options>

options:
-e <essid>    : input single essid (networkname: 1 .. 32 characters)
-p <password> : input single password (8 .. 63 characters)
-i <file>     : input passwordlist
-I <file>     : input combilist (essid:password)
-a <file>     : output plainmasterkeys as ASCII file (hashcat -m 2501)
-A <file>     : output plainmasterkeys:password as ASCII file
-c <file>     : output cowpatty hashfile (existing file will be replaced)
-P <platform> : input platform, default 0 (first platform)
-D <device>   : input platform, default 0 (first device)
-l            : list device info
-h            : this help
Reply
#22
I've been asked to write a basic tutorial for wpa/wpa2 on hash-modes 2500, 2501, 12000.
Well, let's start:

1.
Get our example cap from https://wiki.wireshark.org/SampleCaptures
Download wpa-Induction.pcap frome here:
https://wiki.wireshark.org/SampleCapture...ction.pcap
Password is: Induction

2.
create a folder, copy the cap into the folder and open a terminal in that folder
let's see if we' re right:
$ ls *
wpa-Induction.pcap

3.
let's get some infos about the cap
$ wlancapinfo -i wpa-Induction.pcap
input file.......: wpa-Induction.pcap
magic file number: 0xa1b2c3d4 (cap/pcap)
major version....: 2
minor version....: 4
data link type...: 127 (DLT_IEEE802_11_RADIO) [http://www.tcpdump.org/linktypes.html]
packets inside...: 1093
last pcap error..: flawless

It's a normal pcap file. Many useless things inside and some important things are not captured.
cap2hccapx, wlancap2hcx and the online converter https://hashcat.net/cap2hccapx/
should be able to convert this cap into a hccapx

4.
convert the cap file
$ wlancap2hcx -o test.hccapx -e testlist -f testpmklist -u usernameslist -S hashinfo wpa-Induction.pcap
start reading from wpa-Induction.pcap
1093 packets processed (1093 wlan, 0 lan, 0 loopback)
found 2 usefull wpa handshakes
found WPA encrypted data packets

testlist (networknames and possible passworts should be inside this unsorted list):
Coherer
linksys
only 2 networknames (ESSIDs) inside - no passwords

testpmklist is empty - no plainmasterkey captured
there is no usernamelist - no usernames/identities captured

hashinfo:
814b242275c668e321b145c2e981f351:000c4182b255:000d9382363a:Coherer
814b242275c668e321b145c2e981f351:000c4182b255:000d9382363a:Coherer
2 hashes inside
hcxtools using the same internal md5_64 algo to make records unique like hashcat
internal_md5_64_algo:mac_ap:mac_sta:essid


That means:
a. passwords, usernames or plainmasterkeys are not transmitted
b. you didn't use wlandump-ng or wlanresponse (this tools are able to capture the relevant things)
c. the capture was cleaned (bad idea to do this)

5.
let's get some infos about our test.hccapx
$ wlanhcxinfo -i test.hccapx
total hashes read from file..: 4
wlandump forced handshakes...: 0
802.1x Version 2001..........: 0
802.1x Version 2004..........: 4
key version wpa1.............: 0
key version wpa2.............: 4
message pair M12E2...........: 2 (0 not replaycount checked)
message pair M14E4...........: 0 (0 not replaycount checked)
message pair M32E2...........: 2 (0 not replaycount checked)
message pair M32E3...........: 0 (0 not replaycount checked)
message pair M34E3...........: 0 (0 not replaycount checked)
message pair M34E4...........: 0 (0 not replaycount checked)

We have a complete handshake (M1/M2 and M2/M3). That's really good.
Reply
#23
6.
let's start to crack it using hash-mode 2500 (the traditional way):
echo "Induction" > wordlist
$ hashcat -m 2500 --potfile-path=hc2500.pot test.hccapx wordlist
hashcat (v3.6.0-207-g1cd0212f) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2
Hash.Target......: Coherer (AP:00:0c:41:82:b2:55 STA:00:0d:93:82:36:3a)
Time.Started.....: Mon Jul 17 12:46:27 2017 (0 secs)
Time.Estimated...: Mon Jul 17 12:46:27 2017 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 2/2 (100.00%)
Speed.Dev.#1.....:        0 H/s (0.36ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Candidates.#1....: Induction -> Induction
HWMon.Dev.#1.....: Temp: 38c Fan: 33% Util:100% Core:1303MHz Mem:3004MHz Bus:8

take a look into the potfile hc2500.pot:
814b242275c668e321b145c2e981f351:000c4182b255:000d9382363a:Coherer:Induction
We cracked it using hash-mode 2500
Reply
#24
7.
let's start to crack it using hash-mode 2501 (the new and fast way):
generate the plainmasterkey
$ wlangenpmk -e Coherer -p Induction
essid (networkname): Coherer
password...........: Induction
plainmasterkey.....: a288fcf0caaacda9a9f58633ff35e8992a01d9c10ba5e02efdf8cb5d730ce7bc

echo "a288fcf0caaacda9a9f58633ff35e8992a01d9c10ba5e02efdf8cb5d730ce7bc" > pmklist
$ hashcat -m 2501 --potfile-path=hc2501.pot test.hccapx pmklist
hashcat (v3.6.0-207-g1cd0212f) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2 PMK
Hash.Target......: Coherer (AP:00:0c:41:82:b2:55 STA:00:0d:93:82:36:3a)
Time.Started.....: Mon Jul 17 12:52:10 2017 (0 secs)
Time.Estimated...: Mon Jul 17 12:52:10 2017 (0 secs)
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:        0 H/s (0.01ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Candidates.#1....: a288fcf0caaacda9a9f58633ff35e8992a01d9c10ba5e02efdf8cb5d730ce7bc -> a288fcf0caaacda9a9f58633ff35e8992a01d9c10ba5e02efdf8cb5d730ce7bc
HWMon.Dev.#1.....: Temp: 31c Fan: 28% Util: 99% Core:1303MHz Mem:3004MHz Bus:8

take a look into the potfile hc2501.pot:
814b242275c668e321b145c2e981f351:000c4182b255:000d9382363a:Coherer:a288fcf0caaacda9a9f58633ff35e8992a01d9c10ba5e02efdf8cb5d730ce7bc
We cracked it using hash-mode 2501
Reply
#25
8.
let's start to crack it using hash-mode 12000 (the unconventional way):
$ wlanpmk2hcx -e Coherer -p a288fcf0caaacda9a9f58633ff35e8992a01d9c10ba5e02efdf8cb5d730ce7bc
use hashcat hash-mode -m 12000 to get password
sha1:4096:Q29oZXJlcg==:ooj88Mqqzamp9YYz/zXomSoB2cELpeAu/fjLXXMM57w=

echo "sha1:4096:Q29oZXJlcg==:ooj88Mqqzamp9YYz/zXomSoB2cELpeAu/fjLXXMM57w=" > hashlist

$ hashcat -m 12000 --potfile-path=hc12000.pot hashlist wordlist
hashcat (v3.6.0-207-g1cd0212f) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: PBKDF2-HMAC-SHA1
Hash.Target......: sha1:4096:Q29oZXJlcg==:ooj88Mqqzamp9YYz/zXomSoB2cEL...MM57w=
Time.Started.....: Mon Jul 17 13:29:16 2017 (0 secs)
Time.Estimated...: Mon Jul 17 13:29:16 2017 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:        0 H/s (0.26ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Candidates.#1....: Induction -> Induction
HWMon.Dev.#1.....: Temp: 36c Fan: 28% Util: 98% Core:1303MHz Mem:3004MHz Bus:8

take a look into the potfile hc12000.pot:
sha1:4096:Q29oZXJlcg==:ooj88Mqqzamp9YYz/zXomSoB2cELpeAu/fjLXXMM57w=:Induction
We cracked it using hash-mode 12000
Reply
#26
basic tutorial for usie of hash-modes 4800 and 5500 (WPA-ENTERPRISE)

preparation:
We need some example caps. Download
http://www.willhackforsushi.com/code/asl...ap-2.2.tgz
and
http://www.willhackforsushi.com/code/eap...ss-1.4.tgz

unpack both  the tgz files.

create a folder: test
create a subfolder inside test: caps
copy this files from asleap-2.2 folder to caps folder:
joshlea.dump
copy this files from asleap-2.2/data folder to caps folder:
leap.dump
leap2.dump
pptp.dump
copy this files from eapmd5pass folder to caps folder:
brad.eaptest2.cap
brad.eaptest.cap
EAPMD5-Challenge-01.cap
eapmd5-sample.dump

now open a terminal in our test folder
check if the caps are inside the caps folder
$ ls caps/*
aps/brad.eaptest2.cap  caps/EAPMD5-Challenge-01.cap  caps/joshlea.dump  caps/leap.dump
caps/brad.eaptest.cap   caps/eapmd5-sample.dump       caps/leap2.dump    caps/pptp.dump

create a wordlist (wordlist) and copy the following passwords inside:
beaVIs
bradtest
turquoise
leap.dump
qaleap
leap.apc
blamo

Finished. We're now ready to start

1.
Let's do some checks on the capfiles:
$ wlancapinfo -i caps/brad.eaptest2.cap
input file.......: caps/brad.eaptest2.cap
magic file number: 0xa1b2c3d4 (cap/pcap)
major version....: 2
minor version....: 4
data link type...: 105 (DLT_IEEE802_11) [http://www.tcpdump.org/linktypes.html]
packets inside...: 5
last pcap error..: flawless

$ wlancapinfo -i caps/eapmd5-sample.dump
input file.......: caps/eapmd5-sample.dump
magic file number: 0xa1b2c3d4 (cap/pcap)
major version....: 2
minor version....: 4
data link type...: 105 (DLT_IEEE802_11) [http://www.tcpdump.org/linktypes.html]
packets inside...: 77
last pcap error..: flawless

everything seems to be ok.
we can use the caps.
Reply
#27
2.
prepare to get passwords for hash-modes 4800 and 5500 and usernames:

$ wlancap2hcx -m hashes4800 -n hashes5500 -u usernames caps/*.*
start reading from caps/brad.eaptest2.cap
5 packets processed (5 wlan, 0 lan, 0 loopback)
found MD5-Challenge (hashcat -m 4800)
start reading from caps/brad.eaptest.cap
37 packets processed (37 wlan, 0 lan, 0 loopback)
found MD5-Challenge (hashcat -m 4800)
start reading from caps/EAPMD5-Challenge-01.cap
437 packets processed (437 wlan, 0 lan, 0 loopback)
found MD5-Challenge (hashcat -m 4800)
start reading from caps/eapmd5-sample.dump
77 packets processed (77 wlan, 0 lan, 0 loopback)
found MD5-Challenge (hashcat -m 4800)
found IPv4 packets
start reading from caps/joshlea.dump
2297 packets processed (2297 wlan, 0 lan, 0 loopback)
total 4 usefull wpa handshakes:
found 4 wpa1 RC4 Cipher, HMAC-MD5
hashcat --nonce-error-corrections is working on that file
found EAP-Cisco Wireless Authentication (hashcat -m 5500)
found IPv4 packets
found TCP packets
found UDP packets
found WPA encrypted data packets
start reading from caps/leap2.dump
18 packets processed (18 wlan, 0 lan, 0 loopback)
found EAP-Cisco Wireless Authentication (hashcat -m 5500)
found WEP encrypted data packets
start reading from caps/leap.dump
872 packets processed (872 wlan, 0 lan, 0 loopback)
found EAP-Cisco Wireless Authentication (hashcat -m 5500)
found WPA encrypted data packets
found WEP encrypted data packets
start reading from caps/pptp.dump
297 packets processed (297 wlan, 0 lan, 0 loopback)
found IPv4 packets
found TCP packets
found UDP packets
found PPP CHAP Authentication packets (hashcat -m 5500)

wlancap2hcx foundmany interesting things inside the caps.
so let's check the outputfiles:
$ ls
caps  hashes4800  hashes5500  usernames

hashes4800: use this hashfile for hash-mode 4800
hashes5500: use this hashfile for hash-mode 5500
usernames: copy/cat this file to your common wordlist(s), maybe it's usefull some day
Reply
#28
3.
run hashcat on hash-mode 4800 using the wordlist

$ hashcat -m 4800 --potfile-path=hc4800.pot hashes4800 wordlist
hashcat (v3.6.0-247-g8f2cbb26) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: iSCSI CHAP authentication, MD5(CHAP)
Hash.Target......: hashes4800
Time.Started.....: Fri Jul 21 17:45:43 2017 (0 secs)
Time.Estimated...: Fri Jul 21 17:45:43 2017 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:        0 H/s (0.02ms)
Recovered........: 2/2 (100.00%) Digests, 2/2 (100.00%) Salts
Progress.........: 14/14 (100.00%)
Rejected.........: 0/14 (0.00%)
Restore.Point....: 0/7 (0.00%)
Candidates.#1....: beaVIs -> blamo
HWMon.Dev.#1.....: Temp: 44c Fan: 30% Util:100% Core:1202MHz Mem:3004MHz Bus:8

take a look into the potfile
$ cat hc4800.pot
9920418b3103652d3b80ffff04da5863:00000000000000000000000000000000:02:bradtest
1ffc6c2659bc5bb94144fd01eb756e37:d7ec2fff2ada437f9dcd4e3b0df44d50:02:beaVIs

You cracked your first WPA-ENTERPRISE using hash-mode 4800
Reply
#29
4.
now run hashcat on hash-mode 5500 using the wordlist

$ hashcat -m 5500 --potfile-path=hc5500.pot hashes5500 wordlist
hashcat (v3.6.0-247-g8f2cbb26) starting...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: NetNTLMv1 / NetNTLMv1+ESS
Hash.Target......: hashes5500
Time.Started.....: Fri Jul 21 17:49:10 2017 (0 secs)
Time.Estimated...: Fri Jul 21 17:49:10 2017 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:        0 H/s (0.04ms)
Recovered........: 3/6 (50.00%) Digests, 3/6 (50.00%) Salts
Progress.........: 42/42 (100.00%)
Rejected.........: 0/42 (0.00%)
Restore.Point....: 7/7 (100.00%)
Candidates.#1....: beaVIs -> blamo
HWMon.Dev.#1.....: Temp: 45c Fan: 31% Util: 99% Core:1303MHz Mem:3004MHz Bus:8

take a look into the potfile
$ cat hc5500.pot
qa_leap::::7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6:0786aea0215bc30a:qaleap
scott::::565fe2492fd5fb88edaec934c00d282c046227406c31609b:7c00a1a403ca7df5:turquoise
RSAINI::::5b79dab8bf72ed434ebca8a784466bffb28f6e94280c918d:afe811f2ae948bdb:blamo

You cracked your first WPA-ENTERPRISE using hash-mode 5500
Reply
#30
We are not able to crack all hashes because we used the default options of wlancap2hcx:

-i        : enable id check (default: disabled)
          : default: disabled - you will get more authentications, but some of them are uncrackable

Cheers
Reply