hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
(08-06-2018, 08:47 AM)RashidMalik Wrote: Hello ZerBea

Great to see you working hard on making hcxtools one of a kind. You guys have left other similar tools way way behind. Hats off and a bow to your tireless dedication.

Q - Regarding the hcxpcaptool -o and -O options. Are they mutually exclusive (that is, what -o captures -O does not, and vice versa) or does -O include all you could capture with -o and then some more handshakes? I mean, what's the difference and when to use which option?

see answer in post #275
Reply
ZerBea

hcxdumptool 4.2.0 says powned=4 (after having been running for a while) on its status bar;

Is that a spelling mistake?
What does it mean? Does it mean it has pawned 4 networks (how)? If yes, how can I see which four they are and what their passwords are?
Reply
Select your target and crack the PSK with hashcat
Reply
Small update hcxdumptool:
Now we use the hardware handshake of the driver. ATHEROS chipset should work now.
Reply
hcxtools and hcxdumptool moved to version 4.2.1
added communication between hcxdumptool and hcxpcaptool via pcapng option field
in SHB and EHB block:
SHB block: 62108 REPLAYCOUNT uint64_t
SHB block: 62019 ANONCE uint8_t[32]

EHB block: 1 "HANDSHAKE AP-LESS" (green field in Wireshark Packet Comments)
EHB block: 62109 ANONCE uint8_t[32]

hcxdumptool: new status display options
ATHEROS still not working like expected.

randomized hcxdumptool AP-LESS attack now detected by hcxpcaptool:

summary:
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.17.11-arch1
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 200
skipped packets..............: 0
packets with FCS.............: 0
WDS packets..................: 2
beacons (with ESSID inside)..: 14
probe requests...............: 2
probe responses..............: 7
association requests.........: 6
association responses........: 11
authentications (OPEN SYSTEM): 140
authentications (BROADCOM)...: 6
EAPOL packets................: 21
EAPOL PMKIDs.................: 1
best handshakes..............: 1 (ap-less: 1)
Reply
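As an added example (not code from hcxtools, and not part of ZerBea's post), the following Python parses the pcapng option fields described in the update above. It walks the SHB and EPB blocks, validates each block's length fields before trusting them, and pulls out the option codes listed in the post (62108 and 62019 in the SHB; 1 and 62109 in the EPB). The capture it parses is constructed inside the code: the REPLAYCOUNT and ANONCE values are borrowed from the hcxdumptool status output ZerBea posts later in the thread, and the 802.11 frame bytes are a placeholder.

```python
import struct

# Option codes hcxdumptool 4.2.1 writes, as listed in the post above.
OPT_REPLAYCOUNT = 62108     # SHB, uint64_t
OPT_ANONCE_SHB = 62019      # SHB, uint8_t[32]
OPT_COMMENT = 1             # EPB, standard opt_comment carrying "HANDSHAKE AP-LESS"
OPT_ANONCE_EPB = 62109      # EPB, uint8_t[32]

BLOCK_SHB = 0x0A0D0D0A
BLOCK_IDB = 0x00000001
BLOCK_EPB = 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def _pad4(n):
    """pcapng pads option values and packet data to 32-bit boundaries."""
    return (n + 3) & ~3


def parse_options(buf, endian):
    """Parse a pcapng option list: (code u16, length u16, value padded to 4) until opt_endofopt (0)."""
    opts = {}
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(endian + "HH", buf, off)
        off += 4
        if code == 0:
            break
        opts.setdefault(code, []).append(bytes(buf[off:off + length]))
        off += _pad4(length)
    return opts


def iter_blocks(data):
    """Yield (block_type, body, endian) per block; the SHB byte-order magic fixes the endianness."""
    endian = "<"
    off = 0
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":   # SHB type reads the same in either byte order
            btype = BLOCK_SHB
            endian = "<" if data[off + 8:off + 12] == struct.pack("<I", BYTE_ORDER_MAGIC) else ">"
        else:
            btype = struct.unpack_from(endian + "I", data, off)[0]
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("corrupt block length at offset %d" % off)
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError("trailing block length mismatch at offset %d" % off)
        yield btype, data[off + 8:off + total - 4], endian
        off += total


def extract_hcx_fields(data):
    """Collect REPLAYCOUNT/ANONCE from the SHB and the per-packet comment/ANONCE from each EPB."""
    result = {"replaycount": None, "anonce": None, "packets": []}
    for btype, body, endian in iter_blocks(data):
        if btype == BLOCK_SHB:
            # body: magic(4) major(2) minor(2) section_length(8) options
            opts = parse_options(body[16:], endian)
            raw = opts.get(OPT_REPLAYCOUNT, [b""])[0]
            if len(raw) == 8:
                result["replaycount"] = struct.unpack(endian + "Q", raw)[0]
            if OPT_ANONCE_SHB in opts:
                result["anonce"] = opts[OPT_ANONCE_SHB][0].hex()
        elif btype == BLOCK_EPB:
            # body: iface_id(4) ts_high(4) ts_low(4) cap_len(4) orig_len(4) packet(pad4) options
            cap_len = struct.unpack_from(endian + "I", body, 12)[0]
            opts = parse_options(body[20 + _pad4(cap_len):], endian)
            anonce = opts.get(OPT_ANONCE_EPB, [None])[0]
            result["packets"].append({
                "caplen": cap_len,
                "comment": opts.get(OPT_COMMENT, [b""])[0].decode("utf-8", "replace"),
                "anonce": anonce.hex() if anonce else None,
            })
    return result


# --- constructed sample capture (not a real hcxdumptool file) --------------

def _options(*pairs):
    out = b"".join(struct.pack("<HH", c, len(v)) + v.ljust(_pad4(len(v)), b"\x00") for c, v in pairs)
    return out + struct.pack("<HH", 0, 0) if pairs else b""


def _block(btype, body):
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_sample_capture(replaycount, anonce, frame):
    """Little-endian pcapng with one SHB, one IDB (DLT 127) and one EPB carrying the hcx options."""
    shb = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _options(
        (OPT_REPLAYCOUNT, struct.pack("<Q", replaycount)), (OPT_ANONCE_SHB, anonce))
    idb = struct.pack("<HHI", 127, 0, 65535) + _options()
    epb = (struct.pack("<IIIII", 0, 0, 0, len(frame), len(frame))
           + frame.ljust(_pad4(len(frame)), b"\x00")
           + _options((OPT_COMMENT, b"HANDSHAKE AP-LESS"), (OPT_ANONCE_EPB, anonce)))
    return _block(BLOCK_SHB, shb) + _block(BLOCK_IDB, idb) + _block(BLOCK_EPB, epb)


# REPLAYCOUNT and ANONCE are the values shown in ZerBea's status output later in the thread;
# the 802.11 frame bytes are a constructed placeholder.
SAMPLE_ANONCE = bytes.fromhex("d420b933a2b78ea4a77febbaed22a8bf9cf37b45bcaab23323f46f40d2789ca7")
SAMPLE_FRAME = b"\x88\x02" + b"\x00" * 28


def demo():
    return extract_hcx_fields(build_sample_capture(64450, SAMPLE_ANONCE, SAMPLE_FRAME))


if __name__ == "__main__":
    print(demo())
```

The length checks in iter_blocks matter when a capture comes from a driver that truncates frames (as discussed further down the thread): a block whose trailing length does not match its leading length is rejected instead of being silently mis-parsed.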
Good day, Zerbea.
First of all, I want to thank you for an extremely useful set of utilities. Excellent work! I have used your utilities from the very beginning of development and I am always happy with the results.
I have several questions now related to the new version of hcxdumptool.
1. I found that the utility ceases to work after a while. I am connected to a Raspberry (3 with Raspbian 9, kernel 4.14) through ssh and I watch how many packets are received by the radio interface. After the program has been running for a while I notice that, when switching to the next channel, the number of collected packets (rx) increases by only one packet and at the same time the transfer of packets stops. I can start the program again, but it does not help. Stopping and starting monitor mode (I use an Atheros in a TP-Link 722N) does not help either. After a reboot everything is normal for some time, but then the situation repeats. I updated about 8 hours ago. Can you tell me what I can check to localize this problem?
2. I tried the new attack mode and it really works great! I would just like to clarify some details about the output format of a file that contains PMKIDs. When using hashcat (16800), I noticed that several APs with different MACs but the same ESSID and password were recovered (of course it could be CAPsMAN or similar, for example) and I had some doubts as to whether I correctly understood the format of the pot file. Do I understand correctly that the second position in the pot file after "*" is exactly the MAC address of the AP which was successfully attacked?
Forgive me for my bad English, and thanks in advance!

Update:
The second question is removed from the agenda; I managed to reproduce the situation in the lab.
Now I have updated to the latest version of the utility (4.2.1) and, after building a new system image for the Raspberry, it seems that I no longer observe what I described earlier. Is it possible that there were some performance issues? In any case, I will try to reproduce this problem.
Reply
Hi MadMeow.
First of all, thanks. I am very pleased about that.
1.
I'm not sure how to handle the TL-WN722N. I noticed some issues in handling the FCS. You can read more about that here:
https://github.com/qca/open-ath9k-htc-fi...issues/126
https://wikidevi.com/wiki/Wireless_adapt...pset_table (do a search for "broken")
https://github.com/vanhoefm/modwifi/issues/9
https://github.com/ZerBea/hcxdumptool/is...-410726219

(https://forums.kali.org/showthread.php?34265-Kali-linux-2016-2-amd64-problem-AWUS036H-wifi-card&styleid=2)

Sometimes the delivered packets (from userspace via raw socket to driver) are cut by the driver (the last 2 bytes - I assume that is the FCS). After a while, the driver crashes. You can reproduce this using Wireshark. Wireshark will show you many "Malformed Packets", even if hcxdumptool is not running!

2.
Format of the 16800 potfile:
PMKID*MAC_AP*MAC_STA*ESSID followed by the PSK
Format of the 16801 potfile:
PMKID*MAC_AP*MAC_STA followed by the PMK

If you have more hashlines with the same MAC_AP (BSSID) you can remove all except one. This will speed up hashcat a little bit.

Using Version 4.2.1 you will notice some improvements:
--enable_status=<digit> : enable status messages
bitmask:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATION
8: ASSOCIATION

For example, to retrieve EAPOL and PROBEREQUEST/PROBERESPONSE you can use
--enable_status=1 --enable_status=2
or via bitmask
--enable_status=3

status out will show you:
[FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 11132]
These packets will be marked green in Wireshark.

[FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 2129]
[FOUND PMKID]
[FOUND PMKID CLIENT-LESS]
or if hcxdumptool restarts the authentication sequence between a client and an access point
[EAPOL 4/4 - M4 RETRY ATTACK]
If you get more of these messages, you are too far away from the access point.

--enable_status=2 will show you possible PSKs retrieved from the traffic, as well as ESSIDs.

We also measure the EAPOL key timeout.
A high timeout means much traffic on the channel or weak signals.

Get more information and some nice how-tos here:
https://medium.com/@adam.toscher/new-att...c3119f7f99
and here:
https://www.youtube.com/watch?v=ve_0Qhd0bSM
Reply
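Added example (not hcxtools or hashcat code, and not part of ZerBea's reply): a small Python parser for the 16800/16801 lines described above. It validates the hex fields, decodes the hex-encoded ESSID, handles hashcat's $HEX[..] form of a PSK that contains special characters, keeps one hashline per MAC_AP (BSSID) as suggested, and checks that the PMK stored in a 16801 potfile entry really produces the line's PMKID (IEEE 802.11 defines PMKID as HMAC-SHA1-128 over "PMK Name", the AP MAC and the station MAC, which is what mode 16801 verifies). All PMKIDs, MACs, the ESSID "TestNet", the PSK and the PMK are constructed values, not captured ones.

```python
import hashlib
import hmac
import re

HEX_PLAIN = re.compile(r"^\$HEX\[([0-9a-fA-F]*)\]$")
HEXCHARS = set("0123456789abcdefABCDEF")


def decode_hashcat_plain(plain):
    """hashcat writes a plain with special characters (':' etc.) as $HEX[..]; return raw bytes either way."""
    m = HEX_PLAIN.match(plain)
    return bytes.fromhex(m.group(1)) if m else plain.encode("utf-8")


def _check_hex(name, value, nchars):
    if len(value) != nchars or not set(value) <= HEXCHARS:
        raise ValueError("%s must be %d hex characters, got %r" % (name, nchars, value))


def parse_hash_line(line):
    """Parse a 16800 (PMKID*MAC_AP*MAC_STA*ESSID[:PSK]) or 16801 (PMKID*MAC_AP*MAC_STA[:PMK]) line."""
    hashpart, sep, plain = line.strip().partition(":")   # hash fields are hex, so the first ':' starts the plain
    fields = hashpart.split("*")
    if len(fields) not in (3, 4):
        raise ValueError("unexpected field count in %r" % line)
    pmkid, mac_ap, mac_sta = fields[:3]
    _check_hex("PMKID", pmkid, 32)
    _check_hex("MAC_AP", mac_ap, 12)
    _check_hex("MAC_STA", mac_sta, 12)
    entry = {"mode": 16800 if len(fields) == 4 else 16801, "pmkid": pmkid.lower(),
             "mac_ap": mac_ap.lower(), "mac_sta": mac_sta.lower(), "essid": None, "secret": None}
    if entry["mode"] == 16800:
        entry["essid"] = bytes.fromhex(fields[3])          # ESSID is hex-encoded inside the hash itself
        if sep:
            entry["secret"] = decode_hashcat_plain(plain)   # PSK from a potfile line
    elif sep:
        _check_hex("PMK", plain, 64)
        entry["secret"] = bytes.fromhex(plain)              # PMK from a potfile line
    return entry


def dedupe_by_bssid(lines):
    """Keep one hashline per MAC_AP (BSSID), as the post suggests, to save hashcat work."""
    seen, kept = set(), []
    for line in lines:
        bssid = parse_hash_line(line)["mac_ap"]
        if bssid not in seen:
            seen.add(bssid)
            kept.append(line)
    return kept


def pmkid_from_pmk(pmk, mac_ap, mac_sta):
    """IEEE 802.11 PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    msg = b"PMK Name" + bytes.fromhex(mac_ap) + bytes.fromhex(mac_sta)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16].hex()


def verify_16801_pot_entry(line):
    """True if the PMK stored in a 16801 potfile line really yields the line's PMKID."""
    e = parse_hash_line(line)
    if e["mode"] != 16801 or e["secret"] is None:
        raise ValueError("not a 16801 potfile line")
    return hmac.compare_digest(pmkid_from_pmk(e["secret"], e["mac_ap"], e["mac_sta"]), e["pmkid"])


def make_16801_pot_line(pmk, mac_ap, mac_sta):
    """Build a consistent 16801 potfile line for the constructed sample data."""
    return "%s*%s*%s:%s" % (pmkid_from_pmk(pmk, mac_ap, mac_sta), mac_ap, mac_sta, pmk.hex())


# Constructed sample data: made-up PMKIDs and MACs, ESSID "TestNet" (hex 546573744e6574).
SAMPLE_16800 = [
    "c7f3b1e5a9d2048f6b1e3a7c9d5e2f01*0011223344aa*66778899bbcc*546573744e6574",
    "0123456789abcdef0123456789abcdef*0011223344aa*66778899bbdd*546573744e6574",   # same BSSID, other client
    "fedcba9876543210fedcba9876543210*0011223344bb*66778899bbcc*546573744e6574",
]
SAMPLE_16800_POT = SAMPLE_16800[0] + ":$HEX[7061737323313a32]"   # PSK 'pass#1:2' holds ':' -> $HEX form
SAMPLE_PMK = bytes(range(32))                                      # constructed 256-bit PMK


if __name__ == "__main__":
    print(dedupe_by_bssid(SAMPLE_16800))
    print(parse_hash_line(SAMPLE_16800_POT))
    print(verify_16801_pot_entry(make_16801_pot_line(SAMPLE_PMK, "0011223344aa", "66778899bbcc")))
```

The same $HEX[..] decoding applies to the status output mentioned later in the thread, where ESSIDs containing characters such as quotes or '*' are shown in that form rather than raw.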
Pushed some updates: ATHEROS should work now, too:

Product:
TP-LINK TL-WN722N

$ uname -r
4.17.11-arch1

$ lsusb
Bus 005 Device 010: ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n

$ dmesg
[22226.399738] usb 5-4.5: Manufacturer: ATHEROS
[22226.399740] usb 5-4.5: SerialNumber: 12345
[22226.489515] usb 5-4.5: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[22226.781615] usb 5-4.5: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[22227.031828] ath9k_htc 5-4.5:1.0: ath9k_htc: HTC initialized with 33 credits
[22227.267452] ath9k_htc 5-4.5:1.0: ath9k_htc: FW Version: 1.4
[22227.267454] ath9k_htc 5-4.5:1.0: FW RMW support: On
[22227.271109] ieee80211 phy3: Atheros AR9271 Rev:1
[22227.273600] ath9k_htc 5-4.5:1.0 wlp39s0f3u4u5: renamed from wlan0

$ sudo hcxdumptool -o atherostest.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status=1

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc233e628d4 (client)
MAC ACCESS POINT.........: 000d58c18ab7 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 64450
ANONCE...................: d420b933a2b78ea4a77febbaed22a8bf9cf37b45bcaab23323f46f40d2789ca7

[16:08:35 - 001] xxxxxxxxxxxx -> xxxxxxxxxxxx [FOUND PMKID CLIENT-LESS]
[16:08:36 - 001] xxxxxxxxxxxx -> xxxxxxxxxxxx [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 3126]
[16:08:37 - 001] xxxxxxxxxxxx -> xxxxxxxxxxxx [FOUND PMKID]
[16:08:39 - 001] xxxxxxxxxxxx -> xxxxxxxxxxxx [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 11996]
Reply
Thank you very much for your help, ZerBea.
After some field tests, I think the problem really is with the Atheros driver (I really miss my broken Alfa with the 3070). But if I run the program with the "--disable_ap_attacks" key, this problem does not happen. There is one more observation. If I do not use additional parameters, but simply specify the interface and output file, then the program works without problems if there are not more than half a dozen access points around. As soon as I start the program in a place where the radio air is very busy, after a while the problems begin. I cannot even connect via ssh until I disconnect my adapter from USB, which causes hcxdumptool to stop working, and after that I can connect via ssh again. I can still capture the PMKID from the access point to the client, but I do not initiate this process through hcxdumptool.

With my second question, everything is very clear to me. I'm really clearing the file manually to reduce hashcat's work time. In my case, I need all MACs for my personal database and I just wanted to make sure that there is no error. This really can happen if I stumble upon Mikrotik CAPsMAN or access points that automatically organize a single wireless infrastructure (like some Asus models, for example).

Once again, thank you for all the information and I wish you great success in the development of your project.

Update: Oh. I must try the new version now, I think.
Reply
Hello ZerBea,
It seems APs with special characters (" ' * ) are auto-converted to $HEX[xxxxxxx] in PROBEREQUEST/PROBERESPONSE.
Is this something that can be fixed/added in a future release?
Reply