hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
(11-20-2017, 10:01 AM)ZerBea Wrote: A good idea is to use the world domain:
global

This solved all my issues, and great knowledge to know. Thank you for your great work and great application!
Reply
Hi slyexe.
That is good news. Also take a look at the complete regdb. There are some countries which allow high power by default.
And keep in mind that most of the issues regarding packet injection / packet capturing are caused by a misconfigured system:
- device is blocked by other services (networkmanager, wpa-supplicant)
  run:
  sudo systemctl list-unit-files | grep enabled
  to retrieve an overview of enabled services
- device is not set properly to monitor mode
- device isn't set up
- driver doesn't support monitor mode
- driver is broken
- wrong wireless regulatory domain
- missing user permissions
Reply
Some good "driver" news:
Neheb told me that there is a fix for the iwlwifi driver issue in the upcoming kernel 4.15
Right now, this driver is broken!
More info here:
https://git.kernel.org/pub/scm/linux/ker...e974480b34
Reply
hcxtools update: https://github.com/ZerBea/hcxtools

added detection of CISCO TACACS+ Authentication (on LoopBack, Ethernet and WLAN):

$ wlancap2hcx TACACS1Cisco123.pcapng
start reading from TACACS1Cisco123.pcapng
14 packets processed (0 wlan, 14 lan, 0 loopback)
found IPv4 packets
found TCP packets
found CISCO TACACS+ Authentication packets
Reply
Sorry if I missed something, but is there something like a whitelist inside wlandump-ng?
Reply
Hi.
Yes it is:
-F <file> : input file containing entries for Berkeley Packet Filter (BPF)
All entries in this filterlist are not attacked.

Please read this on how to use the whitelist:
https://hashcat.net/forum/thread-6661-po...l#pid37381
Reply
added full support for hashcat hash mode -m 16100 (TACACS+)
now detection and conversion of CISCO TACACS+ Authentication (on LoopBack, Ethernet and WLAN)
get the example cap from here: https://blog.synack.co.uk/2017/10/15/pca...pcap-file/

convert the pcapng to hashcat format:
$ wlancap2hcx -t tacacs TACACS1+.pcap.pcapng
start reading from TACACS1+.pcap.pcapng
14 packets processed (0 wlan, 14 lan, 0 loopback)
found IPv4 packets
found TCP packets
found CISCO TACACS+ Authentication packets (hashcat -m 16100, john tacacs-plus)

and run hashcat on tacacs
read how-to here: https://hashcat.net/forum/thread-7062-po...l#pid37789
Reply
(09-11-2017, 08:52 AM)ZerBea Wrote: update on hcxtools (https://github.com/ZerBea/hcxtools):
added detection of WDS (Wireless Distribution System) and Mesh networking
many stability and security fixes

$ wlancap2hcx -o test.hccapx 201709101045.cap
start reading from 201709101045.cap
101623 packets processed (101623 wlan, 0 lan, 0 loopback)
total 538 usefull wpa handshakes
found 538 WPA2 AES Cipher, HMAC-SHA1
found 317 valid WPA handshakes (by wlandump-ng/wlanresponse)
hashcat --nonce-error-corrections is working on that file
found EAP-SIM (GSM Subscriber Modules) Authentication
found WDS or Mesh packets

Hi ZerBea, what's the difference between "usefull" and "valid" WPA handshakes?
Does that mean a valid WPA handshake is captured by wlandump-ng/wlanresponse and is 100% crackable?
Reply
Hi DKblue.

usefull
all handshakes (authenticated and not authenticated), all message_pairs (including message_pairs that need nonce-error-corrections)

valid (matching M1 and M2)
wlandump-ng asked the client to send us his M2 (we now got an M2 that matches this M1 exactly)
it isn't possible that the client's M2 doesn't match our M1
it isn't possible that there is a packet loss between our M1 and the client's M2
it isn't possible that there is no password for this message_pair
this M12E2 message_pair can be used with hashcat to recover a real, "valid" password
the password may not necessarily be the correct password for that network
it is also possible that it is only a part of the correct password or a password for another network using the same ESSID or an old password for that network

so, you're right when you say a wlandump-ng "valid" handshake is 100% crackable!
Reply
(12-02-2017, 10:50 AM)ZerBea Wrote: Hi DKblue.

usefull
all handshakes (authenticated and not authenticated), all message_pairs (including message_pairs that need nonce-error-corrections)

valid (matching M1 and M2)
wlandump-ng asked the client to send us his M2 (we now got an M2 that matches this M1 exactly)
it isn't possible that the client's M2 doesn't match our M1
it isn't possible that there is a packet loss between our M1 and the client's M2
it isn't possible that there is no password for this message_pair
this M12E2 message_pair can be used with hashcat to recover a real, "valid" password
the password may not necessarily be the correct password for that network
it is also possible that it is only a part of the correct password or a password for another network using the same ESSID or an old password for that network

so, you're right when you say a wlandump-ng "valid" handshake is 100% crackable!

Thanks for your reply, ZerBea.
And here comes a related question: my co-workers can be trained to capture with minidwep-gtk, a simple tool built into cdlinux.
All is done just with clicks through wizards.
This awesome wlandump-ng and those confusing shell commands are really too much for them (those systemctl stop and start, ip/iw dev up and down, etc.).
So, briefly: I have many caps to deal with, captured by wlandump-ng or not, and I want to ensure effective caps and nonce-error-corrections=0 for max speed.
Here is an example:
original26c4.cap was captured by minidwep-gtk; I got it with cat *.caps.
wlancapinfo reported a truncated file.
wlancap2hcx on the original then gave 1st26c4.hccapx.
Ignoring the many reading errors reported by wlancap2hcx, I converted 1st26c4.hccapx back to a cap named 2nd26c4.cap.
OK, now wlancapinfo on the new 2nd26c4.cap reports flawless (maybe most people like flawless more).
wlancap2hcx it with -W, and finally get 2nd26c4.hccapx.
I'm studying all these skills mainly from your posts; if there are mistakes, would you kindly show me? Thanks
root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Downloads# wlancapinfo -i original26c4.cap
input file.......: original26c4.cap
magic file number: 0xa1b2c3d4 (cap/pcap)
major version....: 2
minor version....: 4
data link type...: 105 (DLT_IEEE802_11) [http://www.tcpdump.org/linktypes.html]
packets inside...: 94497
last pcap error..: truncated dump file; tried to read 193104 captured bytes, only got 72696

root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Downloads# wlancap2hcx -o 1st26c4.hccapx original26c4.cap
start reading from original26c4.cap
pcap read error: invalid packet capture length 6881280, bigger than maximum of 262144
pcap read error: invalid packet capture length 1835008, bigger than maximum of 262144
pcap read error: invalid packet capture length 2623291088, bigger than maximum of 262144
pcap read error: invalid packet capture length 1383399423, bigger than maximum of 262144
pcap read error: invalid packet capture length 12845056, bigger than maximum of 262144
pcap read error: invalid packet capture length 909837, bigger than maximum of 262144
pcap read error: invalid packet capture length 1960823124, bigger than maximum of 262144
pcap read error: invalid packet capture length 4294967295, bigger than maximum of 262144
pcap read error: invalid packet capture length 2683722260, bigger than maximum of 262144
pcap read error: invalid packet capture length 3377725880, bigger than maximum of 262144
pcap read error: invalid packet capture length 2683722260, bigger than maximum of 262144
pcap read error: invalid packet capture length 3377725556, bigger than maximum of 262144
pcap read error: invalid packet capture length 1079645251, bigger than maximum of 262144
pcap read error: invalid packet capture length 3489741312, bigger than maximum of 262144
 
pcap read error: truncated dump file; tried to read 193104 captured bytes, only got 72696
94493 packets processed (94493 wlan, 0 lan, 0 loopback)
root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Downloads# wlanhcx2cap -i 1st26c4.hccapx -O 2nd26c4.cap
5 records read from 1st26c4.hccapx
5 handshakes written to 2nd26c4.cap
0 handshakes not written (?irreversible messagepair)
root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Downloads# wlancapinfo -h
wlancapinfo 4.0.0 (C) 2017 ZeroBeat
usage: wlancapinfo <options>
options:
-i <file> : input pcap file
root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Downloads# wlancapinfo -i 2nd26c4.cap
input file.......: 2nd26c4.cap
magic file number: 0xa1b2c3d4 (cap/pcap)
major version....: 2
minor version....: 4
data link type...: 105 (DLT_IEEE802_11) [http://www.tcpdump.org/linktypes.html]
packets inside...: 15
last pcap error..: flawless
root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Downloads# wlancap2hcx -W 2nd26c4.hccapx 2nd26c4.cap
start reading from 2nd26c4.cap
15 packets processed (15 wlan, 0 lan, 0 loopback)
total 3 usefull wpa handshakes
found 3 WPA2 AES Cipher, HMAC-SHA1
Reply
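As an added example (my own code, not part of hcxtools or this thread), a small Python walker over the pcap structures that wlancapinfo reports on: the global header (magic 0xa1b2c3d4, version 2.4, DLT 105) and each record's capture length. It flags the two error classes seen in the session above, a bogus capture length above 262144 and a last record cut short; the limit and error wording are taken from the posted output, the sample captures are constructed in memory, and stopping at the first bad length is my simplification, not hcxtools' behaviour.

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4    # classic little-endian pcap magic, as wlancapinfo prints it
DLT_IEEE802_11 = 105       # data link type shown in the posted wlancapinfo output
MAX_CAPLEN = 262144        # per-packet sanity limit quoted in the wlancap2hcx errors
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def inspect_pcap(data):
    """Report header fields, packets read and the last error ('flawless' if none).

    The walk stops at the first record whose length cannot be trusted: once a
    caplen is bogus, the offset of the next record is unknown (my simplification).
    """
    if len(data) < GLOBAL_HDR.size:
        return {"last_error": "file shorter than a pcap global header"}
    magic, major, minor, _tz, _sf, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        return {"last_error": "unknown magic file number 0x%08x" % magic}
    info = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "packets": 0, "last_error": "flawless"}
    off = GLOBAL_HDR.size
    while off < len(data):
        if len(data) - off < REC_HDR.size:
            info["last_error"] = "truncated dump file; incomplete record header"
            break
        _sec, _usec, incl_len, _orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if incl_len > MAX_CAPLEN:        # corrupted length field, as in the 1st26c4 run
            info["last_error"] = ("invalid packet capture length %d, bigger than maximum of %d"
                                  % (incl_len, MAX_CAPLEN))
            break
        if len(data) - off < incl_len:   # file ends inside the packet body
            info["last_error"] = ("truncated dump file; tried to read %d captured bytes, only got %d"
                                  % (incl_len, len(data) - off))
            break
        off += incl_len
        info["packets"] += 1
    return info


def build_pcap(records, linktype=DLT_IEEE802_11):
    """Constructed test data: a pcap whose records are (claimed incl_len, payload bytes)."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, MAX_CAPLEN, linktype)
    for claimed, payload in records:
        out += REC_HDR.pack(0, 0, claimed, claimed) + payload
    return out


if __name__ == "__main__":
    print("clean", inspect_pcap(build_pcap([(24, b"\x80" * 24), (24, b"\x80" * 24)])))
    print("cut  ", inspect_pcap(build_pcap([(24, b"\x80" * 24), (300, b"\x80" * 100)])))
    print("bogus", inspect_pcap(build_pcap([(6881280, b"")])))
```

Running it on a real file means `inspect_pcap(open(path, "rb").read())`; a capture that is "flawless" here still tells you nothing about whether its handshakes are complete, which is what wlancap2hcx's "usefull"/"valid" counts are for.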