hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
#11
capture:
sudo wlandump-ng -i wlp0s26u1u2 -o test.cap -c 1 -t 3 -d 100 -D 10 -m 512 -b -r -s 20
Options:
-i -> is the name of your wlan device - do not use virtual devices like mon0, mon1, monx
-o -> capture to this cap
-c -> start on channel 1
-t -> stay 3 seconds on this channel
-d -> deauthenticate clients every 100 received management-packets
(do not use values below this, because this will change the AP's anonce lease time - important for hashcat nonce-corr)
-D -> disassociate clients every 10 received (NULL-, Powersave-, M4- packets)
(do not use values below this, because this will change the AP's anonce lease time - important for hashcat nonce-corr)
-m -> size of internal ringbuffer (if more received, the oldest will be deleted)
-b -> activate beaconing on last ten probed clients
-r -> reset counter if channel 1 reached
-s -> show 20 additional status lines

wlanresponse is the "angry" brother of wlandump-ng !
sudo wlanresponse -b -t 3 -i wlp0s26u1u2 -o test.cap
-i -> is the name of your wlan device - do not use virtual devices like mon0, mon1, monx
-o -> capture to this cap
-b -> activate beaconing on last ten probed clients
-t -> stay 3 seconds on this channel
fewer options, no status display, but extremely fast!


convert:
wlancap2hcx -x -e wordlist -o test.hccapx *.cap
Options:
-x -> match exact mac_ap and mac_sta
-e -> extract also found passwords and networknames from wlan traffic (will be appended)
-o -> your hccapx file (new hashes will be appended)
*.cap -> do this from all cap files (or *.pcap from all pcap files or *.pcapng from all pcapng files)

if RADIUS authentications are inside your cap:
-m -> strip these hashes to file - iSCSI CHAP authentication, MD5(CHAP): use hashcat -m 4800
-n -> strip these hashes to file - PPP-CHAP and NetNTLMv1 authentication: use hashcat -m 5500
-u -> extract also user names, domain names or identities

Take a look at the help for more options

I will not give tutorials on how to set a device to monitor mode or how to disable systemd services that take access to wlan devices - that's LINUX basic knowledge!
Cheers
#12
Did an update on hcxtools:
added detection of PPP CHAP Authentication in IPv4 packets (highly experimental!)
to implement this function also on IPv6 packets - I need some of these caps (ethernet or wlan)

Cheers
#13
(06-26-2017, 09:40 PM)ZerBea Wrote: capture:
sudo wlandump-ng -i wlp0s26u1u2 -o test.cap -c 1 -t 3 -d 100 -D 10 -m 512 -b -r -s 20
Options:
-i -> is the name of your wlan device - do not use virtual devices like mon0, mon1, monx
-o -> capture to this cap
-c -> start on channel 1
-t -> stay 3 seconds on this channel
-d -> deauthenticate clients every 100 received management-packets
(do not use values below this, because this will change the AP's anonce lease time - important for hashcat nonce-corr)
-D -> disassociate clients every 10 received (NULL-, powersave-, m4- packets)
(do not use values below this, because this will change the AP's anonce lease time - important for hashcat nonce-corr)
-m -> size of internal ringbuffer (if more received, the oldest will be deleted)
-b -> activate beaconing on last ten probed clients
-r -> reset counter if channel 1 reached
-s -> show 20 additional status lines

wlanresponse is the "angry" brother of wlandump-ng !
sudo wlanresponse -b -t 3 -i wlp0s26u1u2 -o test.cap
-i -> is the name of your wlan device - do not use virtual devices like mon0, mon1, monx
-o -> capture to this cap
-b -> activate beaconing on last ten probed clients
-t -> stay 3 seconds on this channel
fewer options, no status display, but extremely fast!


convert:
wlancap2hcx -x -e wordlist -o test.hccapx *.cap
Options:
-x -> match exact mac_ap and mac_sta
-e -> extract also found passwords and networknames from wlan traffic (will be appended)
-o -> your hccapx file (new hashes will be appended)
*.cap -> do this from all cap files (or *.pcap from all pcap files or *.pcapng from all pcapng files)

if RADIUS authentications are inside your cap:
-m -> strip these hashes to file - iSCSI CHAP authentication, MD5(CHAP): use hashcat -m 4800
-n -> strip these hashes to file - NetNTLMv1 authentication: use hashcat -m 5500
-u -> extract also user names, domain names or identities

Take a look at the help for more options

I will not give tutorials on how to set a device to monitor mode or how to disable systemd services that take access to wlan devices - that's LINUX basic knowledge!
Cheers

thanks <3
#14
To test if your captured networks are vulnerable using common wordlists, upload your caps to http://wpa-sec.stanev.org/?nets

step 1:
wlancap2wpasec *.cap (internet connection required)

step 2:
wait one or two days, then download wordlist:
http://wpa-sec.stanev.org/dict/cracked.txt.gz
decompress and run against your test.hccapx

repeat step 2 at regular intervals
Cheers
#15
New update https://github.com/ZerBea/hcxtools
added PPP-CHAP Authentication

use wlandump-ng / wlanresponse option lima (-l) to capture IPv4 and IPv6 from WLAN
use wlancap2hcx -n <hashfile> to strip hashes (from WLAN and LAN caps)
use hashcat -m 5500 to find password
#16
New update https://github.com/ZerBea/hcxtools
added support for new hashcat hash-mode 2501 = WPA/WPA2 PMK

hcxtools are now able to capture and save possible plainmasterkeys (PMK) from wlan traffic
To test if your captured networks are vulnerable use wlancap2hcx option -f to save captured PMKs to a file
wlancap2hcx: -f <file> : output possible wpa/wpa2 pmk list (hashcat -m 2501)
pmks are appended to existing file

Now, you have four options to collect possible passwords:
1. collect networknames (using the same 802.11 frame) and passwords:
-e <file> : output wordlist to use as hashcat input wordlist
2. collect networknames (using the same 802.11 frame) and passwords (unicode):
-E <file> : output wordlist to use as hashcat input wordlist (unicode)
3. collect usernames, domains, identities (used by the authentication system):
-u <file> : output usernames/identities file
4. collect plainmasterkeys for use with hashcat hash-mode -m 2501:
-f <file> : output possible wpa/wpa2 pmk list
it's possible that networknames of 32 chars are converted to a pmk (64 hexadecimal chars)
because they are using the same 802.11 frame

Collect from all captures and run hashcat at regular intervals on those files.
Cheers
#17
New update https://github.com/ZerBea/hcxtools
added new tool wlancow2hcxpmk
convert cowpatty (pre-computed) hashfiles to hashcat pmklist for hash-mode 2501

Just run wlancow2hcxpmk -i cowhashfile to retrieve information about essid
or pipe output to hashcat -m 2501 wlancow2hcxpmk -s -i cowhashfile

See help (-h) for more options

Cheers
#18
Unable to create a feature request or issue on GitHub, so figured I'd post here...

Would it be possible to add an option to write each handshake to an individual file using the SSID? All EAPOL messages for the network would be stored in each respective file. IMHO, this would allow easier storage and sharing.

Thanks for posting your project.
#19
This feature is already implemented in wlanhcx2ssid:
$ wlanhcx2ssid -h
usage: wlanhcx2ssid <options>

options:
-i <file>     : input hccapx file
-p <path>     : change directory for outputfiles
-a            : output file by mac_ap's
-s            : output file by mac_sta's
-o            : output file by vendor's (oui)
-e            : output file by essid's
-E <essid>    : output file by part of essid name
-X <essid>    : output file by essid name (exactly)
-x <digit>    : output by essid len (1 <= 32)
-A <mac_ap>   : output file by single mac_ap
-S <mac_sta>  : output file by single mac_sta
-O <oui>      : output file by single vendor (oui)
-L <mac_list> : input list containing mac_ap's (need -l)
             : format of mac_ap's each line: 112233445566
-l <file>     : output file (hccapx) by mac_list (need -L)
-w <file>     : write only wlandump forced to hccapx file
-W <file>     : write only not wlandump forced to hccapx file
-r <file>     : write only replaycount checked to hccapx file
-R <file>     : write only not replaycount checked to hccapx file
-0 <file>     : write only MESSAGE_PAIR_M12E2 to hccapx file
-1 <file>     : write only MESSAGE_PAIR_M14E4 to hccapx file
-2 <file>     : write only MESSAGE_PAIR_M32E2 to hccapx file
-3 <file>     : write only MESSAGE_PAIR_M32E3 to hccapx file
-4 <file>     : write only MESSAGE_PAIR_M34E3 to hccapx file
-5 <file>     : write only MESSAGE_PAIR_M34E4 to hccapx file
-h            : this help


in your case (for essid) use:
wlanhcx2ssid -i yourhashfile.hccapx -p your_path_for_outputfiles -e
this will create several hccapx files, each containing networks using the same essid

for mac_ap use:
wlanhcx2ssid -i yourhashfile.hccapx -p your_path_for_outputfiles -a
this will create several hccapx files, each containing networks using the same mac_ap

to strip all networks using the same essid use:
wlanhcx2ssid -i yourhashfile.hccapx -X your_essid
this will create a hccapx file named "your_essid.hccapx" containing all networks with the same essid to get full advantage of hashcat's REUSE PBKDF2.


Cheers
#20
New update https://github.com/ZerBea/hcxtools
added new tool wlangenpmk (plainmasterkey generator)

example:
$ wlangenpmk -p mypassword -e mynetwork

essid (networkname): mynetwork
password...............: mypassword
plainmasterkey.......: 69e49214ef4e7e23d0ece077c2faf3c73f7522ad52a26b33527fa78d9033ff35
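As an added worked example (not code from hcxtools or from any of the posts above), the following Python ties posts #16, #19 and #20 together: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt (4096 rounds, 32 bytes), which is why splitting hccapx files by ESSID, as wlanhcx2ssid -e does, lets hashcat reuse one PBKDF2 run per candidate across every AP sharing that name. The hccapx v4 record layout used here is from the hashcat format description, and the sample records are constructed inline.

```python
import hashlib
import struct
from collections import defaultdict

# hccapx v4 record (393 bytes, little-endian, no padding): signature, version,
# message_pair, essid_len, essid[32], keyver, keymic[16], mac_ap[6],
# nonce_ap[32], mac_sta[6], nonce_sta[32], eapol_len, eapol[256]
HCCAPX_FMT = "<4sIBB32sB16s6s32s6s32sH256s"
HCCAPX_LEN = struct.calcsize(HCCAPX_FMT)  # 393

def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    """WPA/WPA2-PSK PMK: PBKDF2-HMAC-SHA1, ESSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)

def make_record(essid: bytes, mac_ap: bytes, message_pair: int = 0) -> bytes:
    """Constructed hccapx record for this demo: only essid and mac_ap are filled in."""
    return struct.pack(HCCAPX_FMT, b"HCPX", 4, message_pair, len(essid),
                       essid.ljust(32, b"\0"), 2, bytes(16), mac_ap, bytes(32),
                       bytes(6), bytes(32), 0, bytes(256))

def parse_hccapx(blob: bytes):
    """Yield (essid, mac_ap_hex) per record; reject truncated or foreign data."""
    if len(blob) % HCCAPX_LEN:
        raise ValueError("not a multiple of %d bytes" % HCCAPX_LEN)
    for off in range(0, len(blob), HCCAPX_LEN):
        f = struct.unpack_from(HCCAPX_FMT, blob, off)
        if f[0] != b"HCPX" or f[1] != 4:
            raise ValueError("bad hccapx signature/version at offset %d" % off)
        yield f[4][:f[3]], f[7].hex()

def split_by_essid(blob: bytes) -> dict:
    """Logically what wlanhcx2ssid -e does: group handshakes by network name."""
    groups = defaultdict(list)
    for essid, mac_ap in parse_hccapx(blob):
        groups[essid].append(mac_ap)
    return dict(groups)

def pbkdf2_calls(blob: bytes, candidates: list) -> int:
    """PBKDF2 runs needed when one PMK per (ESSID, candidate) is reused for every
    AP sharing that ESSID: len(essids) * len(candidates), not records * candidates."""
    cache = {}
    for essid, _mac_ap in parse_hccapx(blob):
        for pw in candidates:
            if (essid, pw) not in cache:
                cache[(essid, pw)] = derive_pmk(pw, essid)
    return len(cache)
```

derive_pmk("mypassword", b"mynetwork").hex() reproduces the plainmasterkey printed by wlangenpmk in the post above.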