hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
#51
How to build up an environment for advanced wpa cracking:

Don't waste your time testing useless wordlists downloaded from the internet.
Create your own environment, using real hashes and passwords!

Only a few files needed:
new.hccapx
database.hccapx
hashcat.pot.2500
hashcat.pot.2501
knownpasswords.txt
foundpasswords.txt
essidlist.txt
foundpmks.txt

1. Build hccapx hashdatabase
cat all your hccapx files to one big hccapx: database.hccapx
download caps from here: https://forum.antichat.ru/threads/435763/page-581
convert them to hccapx (wlancap2hcx) and add the hccapx to database.hccapx
use the -e option to save networknames and found passwords and save them to essids.txt
search for known passwords here: https://forum.antichat.ru/threads/435763/page-581
and add them to knownpasswords.txt
download hccaps from here: https://xsrc.ru/list/
you can use a simple script to download them all:

#!/bin/bash
# Download hccap contributions $1 .. $2 from xsrc.ru into ~/Downloads
cd "$HOME/Downloads" || exit 1
i=$1

while [ "$i" -le "$2" ]
do
    # one file per contribution number, e.g. 26068.hccap
    curl -o "$i.hccap" -L "https://xsrc.ru/download/$i"
    i=$((i+1))
done

run the script with these parameters: 1 26068
where xxx is the last contribution number:
https://xsrc.ru/view/26068
convert them to hccapx (wlanhc2hcx) and add the hccapx to database.hccapx

Get your initial wordlist here:
http://wpa-sec.stanev.org/dict/cracked.txt.gz
and copy the contents into knownpasswords.txt

2. Build your password database
cat knownpasswords.txt foundpasswords.txt essidlist.txt > testlist.txt
sort your testlist.txt > unique
hashcat -m 2500 --nonce-error-corrections=8 --remove --logfile-disable --potfile-path=hashcat.2500.pot --outfile-format=2 -o foundpasswords.txt database.hccapx testlist.txt
create from every found password a plainmasterkey (wlangenpmk, wlangenpmkocl) and save them to foundpmks.txt

Now you can start your loop if you got new hashes and/or new passwords:
capture or download your hashes
convert and add them to new.hccapx and database.hccapx
add new password to knownpasswords.txt
check for already cracked hashes:
hashcat -m 2501 --nonce-error-corrections=8 --remove --logfile-disable --potfile-path=hashcat.2501.pot --outfile-format=2 -o foundpmks.txt new.hccapx foundpmks.txt
check for new passwords:
cat knownpasswords.txt foundpasswords.txt essidlist.txt > testlist.txt
hashcat -m 2500 --nonce-error-corrections=32 --remove --logfile-disable --potfile-path=hashcat.2500.pot --outfile-format=2 -o foundpasswords.txt new.hccapx testlist.txt
create from every found password a plainmasterkey (wlangenpmk, wlangenpmkocl) and save them to foundpmks.txt
remove found hashes from your database:
hashcat -m 2501 --nonce-error-corrections=8 --remove --logfile-disable --potfile-path=hashcat.2501.pot --outfile-format=2 -o foundpmks.txt database.hccapx foundpmks.txt
remove new.hccapx
sort your lists > unique

To find new passwords take advantage of hashcat's reuse of PBKDF2 on common ESSIDs
for example: save all nets with the ESSID AndroidAP to AndroidAP.hccapx
use wlanhcx2ssid -i database.hccapx -X AndroidAP
run hashcat on AndroidAP.hccapx using a mask or a favourite small wordlist or a rule on essidlist.txt:
hashcat -m 2500 --nonce-error-corrections=8 --remove --logfile-disable --potfile-path=hashcat.2500.pot --outfile-format=2 -o foundpasswords.txt AndroidAP.hccapx -a 3 ?l?l?l?l?d?d?d?d
step into your loop here:
create from every found password a plainmasterkey (wlangenpmk, wlangenpmkocl) and save them to foundpmks.txt
remove found hashes from your database:
hashcat -m 2501 --nonce-error-corrections=8 --remove --logfile-disable --potfile-path=hashcat.2501.pot --outfile-format=2 -o foundpmks.txt database.hccapx foundpmks.txt

After a while, you'll see your database (hccapx and passwords) growing.
Play around with --nonce-error-corrections=x on hash-mode 2501 (test values 32 or 64)
Reply
#52
advanced wpa cracking - weak point analysis (1)

After a while it's time to do a weak point analysis.

Take a look into hashcat.pot.2500 and search for networks
using similar default passwords.
You can do this with simple bash commands:
sort by ESSID:
cat hashcat.2500.pot | sort -t ':' -k 4
sort by pw:
cat hashcat.2500.pot | sort -t ':' -k 5
sort by mac_ap:
cat hashcat.2500.pot | sort -t ':' -k 2
or by networkname
cat hashcat.2500.pot | grep <networkname>

then search for similar networks in your database
wlanhcxinfo -i database.hccapx -a -e | grep <networkname>

If you find something, search www or forum for default pw's or a keygen

create a wordlist using the default pw's and step into your loop, using this passwordlist.

If the wordlist is small, run it against your complete database
(some vendors use the same pw).

If the wordlist is big (like from this thread https://hashcat.net/forum/thread-6170.html)
extract the nets from your database using wlanhcx2ssid -i database.hccapx -X <exactnetworkname>

If the wordlist is smaller or useful for a complete group of ESSIDs
extract the groups from your database using wlanhcx2ssid -i database.hccapx -E <partofnetworkname>

Do not add new passwords or pmks from unknown sources to your found lists.
This list should contain only your own finds!
Reply
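The two steps that post #51 and #52 keep coming back to are (a) turning every found password into a plainmasterkey for hash-mode 2501 and (b) reading the 2500 potfile grouped by ESSID to spot shared default passwords. The script below is an added example, not code from hcxtools or from ZerBea's posts. It assumes the potfile layout the `sort -t ':' -k 4` commands above imply (`hash:mac_ap:mac_sta:essid:password`), assumes ESSIDs contain no ':' (the password is taken as the remainder of the line), and uses a constructed potfile sample with a dummy hash column. The PMK is the standard WPA/WPA2 PSK derivation, PBKDF2-HMAC-SHA1 over the ESSID with 4096 iterations, which is also why one PMK per (ESSID, password) pair is enough: the KDF output depends only on those two values, never on the MAC addresses.

```python
import hashlib
from collections import defaultdict

# Constructed sample of hashcat -m 2500 potfile lines (not real captures).
# Layout assumed here: hash:mac_ap:mac_sta:essid:password
# The 32-hex hash column is a placeholder value.
SAMPLE_POT = """\
00000000000000000000000000000001:001122334455:66778899aabb:IEEE:password
00000000000000000000000000000002:0011223344aa:66778899aabc:IEEE:password
00000000000000000000000000000003:aabbccddeeff:66778899aabd:AndroidAP:12345678
00000000000000000000000000000004:aabbccddee00:66778899aabe:AndroidAP:87654321
"""


def parse_pot(text):
    """Yield (mac_ap, mac_sta, essid, password) from 2500 potfile text.

    Assumption: the ESSID holds no ':'; everything after the fourth ':'
    is the password, so passwords containing ':' survive intact.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":", 4)
        if len(parts) != 5:
            raise ValueError("unexpected potfile line: %r" % line)
        _hash, mac_ap, mac_sta, essid, password = parts
        yield mac_ap, mac_sta, essid, password


def group_by_essid(entries):
    """ESSID -> sorted (mac_ap, password) pairs: the 'sort -k 4' view,
    ready for eyeballing which ESSIDs share a default password."""
    groups = defaultdict(list)
    for mac_ap, _mac_sta, essid, password in entries:
        groups[essid].append((mac_ap, password))
    return {essid: sorted(pairs) for essid, pairs in groups.items()}


def pmk(essid, passphrase):
    """WPA/WPA2-PSK plainmasterkey: PBKDF2-HMAC-SHA1(pass, essid, 4096) -> 32 bytes,
    returned as the 64-hex-char line that hash-mode 2501 reads as a 'word'."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), 4096, 32).hex()


def build_pmk_list(entries):
    """Return (sorted unique PMK lines, number of KDF runs).

    The cache is keyed on (essid, password): two networks with the same
    ESSID and password share one PMK, so the slow KDF runs once for both.
    """
    cache = {}
    for _mac_ap, _mac_sta, essid, password in entries:
        key = (essid, password)
        if key not in cache:
            cache[key] = pmk(essid, password)
    return sorted(set(cache.values())), len(cache)


if __name__ == "__main__":
    found = list(parse_pot(SAMPLE_POT))
    for essid, pairs in sorted(group_by_essid(found).items()):
        print(essid, pairs)
    lines, runs = build_pmk_list(found)
    print("%d PMKs from %d KDF runs for %d potfile entries" % (len(lines), runs, len(found)))
    for line in lines:
        print(line)  # append these to foundpmks.txt
```

Write the returned lines to foundpmks.txt and they drop straight into the `-m 2501` commands above; the KDF count is the number that matters when the potfile grows to tens of thousands of lines, since every cache hit is 4096 HMAC rounds you do not pay for again.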
#53
weak point analysis (2)

Take a look into hashcat.pot.2500 and search for networks
using similar default passwords.

Try to figure out how the algo is calculated.
pwhash will help you with hash-calculated algos

example:
If you think the algo uses the mac and the keyspace is ABCDEFGHIJKLMNOPQRSTUVWXYZ
and you have two mac_ap and 2 passwords

mac_ap: 001122334455 password: JMNADJAT
mac_ap: AABBCCDDEEFF password: WVRNVEJJ


pwhash 001122334455 ABCDEFGHIJKLMNOPQRSTUWVXYZ
...
md5-hex.......: 572e74cdf761d0e4038509919cd8af1a
md5-base64....: Vy50zfdh0OQDhQmRnNivGg==
md5-ascii.....: JUMXNTAUDDJPAITA
...

pwhash AABBCCDDEEFF ABCDEFGHIJKLMNOPQRSTUWVXYZ
...
md5-hex.......: 7d6d7ec9459bdd10988abaf6bfa5232f
md5-base64....: fW1+yUWb3RCYirr2v6UjLw==
md5-ascii.....: WFVTRZNQVIEMJJJW
...

password1: JMNADJAT
password2: WVRNVEJJ

md5-ascii.....: JUMXNTAUDDJPAITA
md5-ascii.....: WFVTRZNQVIEMJJJW

Congratulations, you found the default algo.
Reply
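The md5-ascii lines in the post can be reproduced with a simple rule: take the 16 bytes of the MD5 digest and map each byte to `keyspace[byte % len(keyspace)]`. That rule, applied to the two digests shown above with the keyspace exactly as typed in the commands (note the commands use `...TUWVXYZ`, W before V, and the outputs match that order), yields `JUMXNTAUDDJPAITA` and `WFVTRZNQVIEMJJJW`. The code below is an added example, not pwhash itself or any hcxtools code; that pwhash uses exactly this mapping, and that it hashes the MAC as its ASCII string, are assumptions reconstructed from the page. The `check_hypothesis` helper goes one step further than the post and reports, for a list of (mac_ap, password) pairs, whether each password is a prefix or a substring of the derived string, which is how you test a candidate default-key algorithm against more than two samples.

```python
import hashlib


def ascii_from_digest(digest, keyspace):
    """Map every digest byte to one keyspace character (byte % len(keyspace)).

    Assumption: this is the rule behind pwhash's md5-ascii line; it is
    reconstructed from the two example outputs in the post, not taken
    from the pwhash source.
    """
    if not keyspace:
        raise ValueError("empty keyspace")
    return "".join(keyspace[b % len(keyspace)] for b in digest)


def md5_ascii(text, keyspace):
    """pwhash-style md5-ascii of the ASCII string text (e.g. a MAC as 12 hex chars).
    Assumption: the MAC is hashed as its ASCII representation, not as 6 raw bytes."""
    return ascii_from_digest(hashlib.md5(text.encode("ascii")).digest(), keyspace)


def check_hypothesis(pairs, keyspace, derive=md5_ascii):
    """For each (mac_ap, password) pair, test whether the password equals the
    start of the derived string, appears somewhere inside it, or not at all.
    `derive` is pluggable so other candidate algorithms can be tried the same way.
    Returns {mac_ap: "prefix" | "substring" | "no match"}."""
    results = {}
    for mac_ap, password in pairs:
        derived = derive(mac_ap, keyspace)
        if derived.startswith(password):
            results[mac_ap] = "prefix"
        elif password in derived:
            results[mac_ap] = "substring"
        else:
            results[mac_ap] = "no match"
    return results


if __name__ == "__main__":
    # keyspace exactly as typed in the pwhash commands in the post
    keyspace = "ABCDEFGHIJKLMNOPQRSTUWVXYZ"
    for mac in ("001122334455", "AABBCCDDEEFF"):
        print(mac, md5_ascii(mac, keyspace))
    # constructed sample pairs, not real networks
    sample = [("001122334455", "JMNADJAT"), ("AABBCCDDEEFF", "WVRNVEJJ")]
    print(check_hypothesis(sample, keyspace))
```

A vendor algorithm that really is "MD5 of the MAC mapped into a charset" will show `prefix` (or a consistent `substring` offset) for every pair you feed in; one `no match` among otherwise consistent results usually means the input is not the BSSID but a neighbouring MAC (the AP's WAN or LAN address), which is worth trying next before discarding the hypothesis.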
#54
hcxtools filter options
------------------------
To satisfy hashcat, hcxtools have many built-in filter options:

1.
The Berkeley Packet Filter (BPF) is a very fast kernel filter.
It allows many filter options (by mac_ap, mac_sta, frame type, ...)

You have two choices:

a. hard-coded BPF
works for wlandump-ng, wlanresponse and wlancap2hcx together
add your filter string to berkeleyfilter.h
then compile hcxtools
 
b. soft-coded BPF (option -F)
works for wlandump-ng or wlanresponse or wlancap2hcx
overrides hard-coded BPF

Syntax can be found here:
https://biot.com/capstats/bpf.html
http://www.tcpdump.org/manpages/pcap-filter.7.html

A good idea is to use the BPF only on mac_ap's and/or mac_sta's you don't want to attack!
For example: place the mac's from your own ap and your own devices into the BPF!


2.
For all other cases use the various filter options from wlanhcx2ssid:

-i <file>     : input hccapx file
-p <path>     : change directory for outputfiles
-a            : output file by mac_ap's
-s            : output file by mac_sta's
-o            : output file by vendor's (oui)
-e            : output file by essid's
-E <essid>    : output file by part of essid name
-X <essid>    : output file by essid name (exactly)
-x <digit>    : output by essid len (1 <= 32)
-A <mac_ap>   : output file by single mac_ap
-S <mac_sta>  : output file by single mac_sta
-O <oui>      : output file by single vendor (oui)
-L <mac_list> : input list containing mac_ap's (need -l)
             : format of mac_ap's each line: 112233445566
-l <file>     : output file (hccapx) by mac_list (need -L)
-w <file>     : write only wlandump forced to hccapx file
-W <file>     : write only not wlandump forced to hccapx file
-r <file>     : write only replaycount checked to hccapx file
-R <file>     : write only not replaycount checked to hccapx file
-N <file>     : output stripped file (only one record each mac_ap, mac_sta, essid, message_pair combination)
-n <file>     : output stripped file (only one record each mac_sta, essid)
-0 <file>     : write only MESSAGE_PAIR_M12E2 to hccapx file
-1 <file>     : write only MESSAGE_PAIR_M14E4 to hccapx file
-2 <file>     : write only MESSAGE_PAIR_M32E2 to hccapx file
-3 <file>     : write only MESSAGE_PAIR_M32E3 to hccapx file
-4 <file>     : write only MESSAGE_PAIR_M34E3 to hccapx file
-5 <file>     : write only MESSAGE_PAIR_M34E4 to hccapx file
Reply
#55
some information about the versioning of hcxtools:

hcxtools are based on a rolling development git branch. This branch is pretty closely synced to hashcat git branch.
That means: the latest hcxtools match the latest hashcat beta.

If you need an older version of hcxtools that matches an older version of hashcat, you must do a git checkout <sha1>.
Reply
#56
update on hcxtools (https://github.com/ZerBea/hcxtools):
added detection of WDS (Wireless Distribution System) and Mesh networking
many stability and security fixes

$ wlancap2hcx -o test.hccapx 201709101045.cap
start reading from 201709101045.cap
101623 packets processed (101623 wlan, 0 lan, 0 loopback)
total 538 usefull wpa handshakes
found 538 WPA2 AES Cipher, HMAC-SHA1
found 317 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
found EAP-SIM (GSM Subscriber Modules) Authentication
found WDS or Mesh packets
Reply
#57
Great job!
Thank you for sharing.

(09-11-2017, 08:52 AM)ZerBea Wrote: update on hcxtools (https://github.com/ZerBea/hcxtools):
added detection of WDS (Wireless Distribution System) and Mesh networking
many stability and security fixes

$ wlancap2hcx -o test.hccapx 201709101045.cap
start reading from 201709101045.cap
101623 packets processed (101623 wlan, 0 lan, 0 loopback)
total 538 usefull wpa handshakes
found 538 WPA2 AES Cipher, HMAC-SHA1
found 317 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
found EAP-SIM (GSM Subscriber Modules) Authentication
found WDS or Mesh packets
Reply
#58
hcxtools and "cleaned caps"

First of all: It's a good idea to take a look into a wlandump-ng / wlanresponse cap to learn about 802.11x and the authentication process.

But it's not a good idea to use wpaclean or simple wireshark filters on this caps.
Unless you know what you are doing, that will fail.

hcxtools aren't stupid deauth tools. Instead of sending tons of deauth frames, they go directly into the authentication process by sending their own proberesponses, associationresponses, re-associationresponses, anonces and ack frames.
And they are doing this faster than the regular access point (ap).

If you decide to clean the cap by hand, you must know which packets belong to the wlandump-ng association and which packets belong to the ap association. They are totally mixed in the cap!
Using the wrong wireshark filter, you will not be able to see this!

Do not trust beacons and proberesponses in hcxtools caps!
hcxtools captures beacons and proberesponses, redirects them or transmits fake beacons and proberesponses, transmits fake mac's using fake or captured original mac's. hcxtools also use real or fake vendor identifications (oui).

Trust only associationrequests - responses, re-associationrequests - responses, followed by ack frames and anonces / snonces followed by ack frames! Nevertheless, a captured wlandump-ng forced handshake is valid and 100% crackable!

You can also trust proberequests from the clients (directed to mac_ap - or undirected to broadcast). They often contain passwords and / or plainmasterkeys. But keep in mind that some devices will transmit their passwords / plainmasterkeys only once a day or once a week (mainly S.M.A.R.T devices).

Do not trust timestamps between packets!
hcxtools disables all eapol-timers. That means a wlandump-ng forced message pair
M1 transmitted at 07:00 pm
M2 received at 07:10 pm
is valid and 100% crackable!
Reply
#59
Thanks the info about hcxtools and "cleaned caps", ZerBea. It was very useful.
Reply
#60
hcxtools and cap2hccapx (two good friends)
If you are interested in wpa / wpa2 only, you can safely use cap2hccapx (https://github.com/hashcat/hashcat-utils) or the online converter (https://hashcat.net/cap2hccapx/) to convert hcxtools caps. cap2hccapx knows all about the features of hcxtools and will convert these caps to hccapx.
cap2hccapx also knows all about hcxtools beacons and proberesponses and prioritized association / re-associationrequests (https://github.com/hashcat/hashcat-utils/issues/27).
It is also possible to convert hccapx files (from cap2hccapx) back to a cap file, as cap2hccapx writes only message pairs which can be converted back (https://github.com/hashcat/hashcat-utils/issues/32).
cap2hccapx is also able to handle "big data" caps captured by hcxtools (https://github.com/hashcat/hashcat-utils/issues/28).
Reply