hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
I was able to fix the issue by downgrading to Kali 2017.2. Yes, I am using a VM.
Reply
Nice that it works again.
Reply
For some reason the website http://wpa-sec.stanev.org gives the error "bad capture file" when trying to upload a few of my caps. All of them were gotten with hcxdumptool and haven't been cleaned or whatever; they are the original caps from hcxdumptool.
Reply
Hi sfw10625.
The reason is that wpa-sec is doing a full backend rewrite during the last weeks. That isn't finished yet.
Alex hopes that wpa-sec gets rid of all those issues by the end of the week.
So, please stay tuned...
Reply
Thanks for the fast reply! Great job on the tool also!

I also want to ask: is there a way to remove handshakes from a cap generated by hcxdumptool? I have a 24 hr cap with around 4500 handshakes, and
when I export with hcxpcaptool -o I get around 260 best handshakes. Is there a way I can remove handshakes based on their ESSID? I ask this because if I feed the entire hccapx with the 260 handshakes it will take me about 5 days to run a basic brute force on it, but if there are only 10 handshakes, for example, I can run that brute force in 1 hour. At least that's what hashcat gives as an estimate using the same brute-force options for both.
Or am I doing something wrong in hashcat? Should 260 handshakes take 5 days and 10 handshakes take 1 hour to brute-force if I'm using the same mask for both (8 digits)?
Reply
Yes, you can do this using wlanhcx2ssid:

$ wlanhcx2ssid -h
wlanhcx2ssid 4.0.2 (C) 2018 ZeroBeat
usage: wlanhcx2ssid <options>

options:
-i <file>     : input hccapx file
-p <path>     : change directory for outputfiles
-a            : output file by mac_ap's
-s            : output file by mac_sta's
-o            : output file by vendor's (oui)
-e            : output file by essid's
-E <essid>    : output file by part of essid name
-X <essid>    : output file by essid name (exactly)
-x <digit>    : output by essid len (1 <= 32)
-A <mac_ap>   : output file by single mac_ap
-S <mac_sta>  : output file by single mac_sta
-O <oui>      : output file by single vendor (oui)
-V <name>     : output file by single vendor name or part of vendor name
-L <mac_list> : input list containing mac_ap's (need -l)
             : format of mac_ap's each line: 112233445566
-l <file>     : output file (hccapx) by mac_list (need -L)
-w <file>     : write only forced from clients to hccapx file
-W <file>     : write only forced from access points to hccapx file
-r <file>     : write only replaycount checked to hccapx file
-R <file>     : write only not replaycount checked to hccapx file
-N <file>     : output stripped file (only one record each mac_ap, mac_sta, essid, message_pair combination)
-n <file>     : output stripped file (only one record each mac_sta, essid)
-g <file>     : write only handshakes with pairwise key flag set
-G <file>     : write only handshakes with groupkey flag set
-0 <file>     : write only MESSAGE_PAIR_M12E2 to hccapx file
-1 <file>     : write only MESSAGE_PAIR_M14E4 to hccapx file
-2 <file>     : write only MESSAGE_PAIR_M32E2 to hccapx file
-3 <file>     : write only MESSAGE_PAIR_M32E3 to hccapx file
-4 <file>     : write only MESSAGE_PAIR_M34E3 to hccapx file
-5 <file>     : write only MESSAGE_PAIR_M34E4 to hccapx file
-k <file>     : write keyversion based on key information field (use only basename)
             : output: basename.x.hccapx
             : WPA1 RC4 Cipher, HMAC-MD5..... basename.1.hccapx
             : WPA2 AES Cipher, HMAC-SHA1.... basename.2.hccapx
             : WPA2 AES Cipher, AES-128-CMAC2 basename.3.hccapx
             : all other are unknown
-F <file>     : remove bad records and write only flawless records to hccapx file
-D <file>     : remove duplicates from the same authentication sequence
             : you must use nonce-error-corrections on that file!
-h            : this help


for example:
$ hcxpcaptool -o test.hccapx 201801031743.cap
start reading from 201801031743.cap

summary:
--------
file name..............: 201801031743.cap
file type..............: pcap 2.4
network type...........: DLT_IEEE802_11 (105)
endianess..............: little endian
read errors............: flawless
packets inside.........: 1785492
skippedpackets.........: 0
packets with FCS.......: 0
warning................: zero value timestamps detected
WDS packets............: 14
beacons................: 17182
probe requests.........: 8974
probe responses........: 25548
association requests...: 32142
reassociation requests.: 5299
EAPOL packets..........: 1693747
EAP packets............: 751
found..................: EAP type ID
found..................: EAP-SIM (GSM Subscriber Modules) Authentication
found..................: EAP-TTLS Authentication
found..................: PEAP Authentication
found..................: WPS Authentication
best handshakes........: 807 (ap-less: 387)

815 handshake(s) written to test.hccapx
$ wlanhcx2ssid -i test.hccapx -X Home
815 records read from test.hccapx
1 records written

$ ls
201801031743.cap  Home.hccapx

Do not wonder why we have 807 best handshakes and 815 handshakes written to the hccapx.
The reason is that there are networks inside the cap which changed the ESSID during capture time!
We do not want to lose them.

It is also possible that you have fewer raw handshakes than best handshakes.
That depends on how many re-authentication sequences are captured:
fewer re-authentication sequences = fewer raw handshakes
Reply
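As an added example (not code from the thread and not part of hcxtools), the following Python script does the same job as wlanhcx2ssid -X (exact ESSID), -E (part of the ESSID) and -e (one file per ESSID), so you can see what the tool is filtering on. It assumes hashcat's documented hccapx v4 record layout (393 bytes per record, "HCPX" signature); the sample records are constructed here with zeroed nonce, MIC and EAPOL fields, so they carry no real handshake data. Records that fail basic sanity checks are dropped, in the spirit of -F.

```python
import struct
from collections import defaultdict

# hccapx v4 record layout (393 bytes per record), as documented by hashcat:
# signature, version, message_pair, essid_len, essid[32], keyver, keymic[16],
# mac_ap[6], nonce_ap[32], mac_sta[6], nonce_sta[32], eapol_len, eapol[256]
HCCAPX_SIGNATURE = 0x58504348          # the bytes "HCPX" read little-endian
HCCAPX_VERSION = 4
HCCAPX_RECORD = struct.Struct("<II BB 32s B 16s 6s 32s 6s 32s H 256s")
RECORD_LEN = HCCAPX_RECORD.size        # 393


def parse_hccapx(data):
    """Return one dict per valid record; malformed records are skipped (like -F)."""
    records = []
    for off in range(0, len(data) - RECORD_LEN + 1, RECORD_LEN):
        raw = data[off:off + RECORD_LEN]
        (sig, ver, message_pair, essid_len, essid, keyver, keymic,
         mac_ap, nonce_ap, mac_sta, nonce_sta, eapol_len, eapol) = HCCAPX_RECORD.unpack(raw)
        if sig != HCCAPX_SIGNATURE or ver != HCCAPX_VERSION:
            continue
        if essid_len == 0 or essid_len > 32 or eapol_len > 256:
            continue
        records.append({
            "essid": essid[:essid_len],      # ESSID is raw bytes, not necessarily UTF-8
            "mac_ap": mac_ap.hex(),
            "mac_sta": mac_sta.hex(),
            "keyver": keyver,
            "raw": raw,
        })
    return records


def select_records(records, exact=None, substring=None):
    """Mirror wlanhcx2ssid -X (exact ESSID) and -E (part of the ESSID name)."""
    want_exact = exact.encode() if exact is not None else None
    want_part = substring.encode() if substring is not None else None
    out = []
    for r in records:
        if want_exact is not None and r["essid"] != want_exact:
            continue
        if want_part is not None and want_part not in r["essid"]:
            continue
        out.append(r)
    return out


def group_by_essid(records):
    """Mirror wlanhcx2ssid -e: the raw records of each ESSID concatenated into one blob."""
    groups = defaultdict(bytearray)
    for r in records:
        groups[r["essid"]] += r["raw"]
    return {essid: bytes(blob) for essid, blob in groups.items()}


def write_hccapx(path, records):
    """Write the selected records back out as a valid hccapx file."""
    with open(path, "wb") as fh:
        for r in records:
            fh.write(r["raw"])
    return len(records)


def make_record(essid, mac_ap, mac_sta, message_pair=0):
    """Constructed test record: keyver 2 (WPA2, HMAC-SHA1) with zeroed crypto fields."""
    e = essid.encode()
    return HCCAPX_RECORD.pack(
        HCCAPX_SIGNATURE, HCCAPX_VERSION, message_pair, len(e), e,
        2, b"\0" * 16, bytes.fromhex(mac_ap), b"\0" * 32,
        bytes.fromhex(mac_sta), b"\0" * 32, 0, b"\0" * 256)


# Constructed sample file: four good records plus one junk record (all 0xff)
# that stands in for the "bad records" -F is meant to remove.
SAMPLE = b"".join([
    make_record("Home", "112233445566", "aabbccddeeff"),
    make_record("HomeGuest", "112233445577", "aabbccddee01"),
    make_record("Office", "00aabbccddee", "aabbccddee02"),
    make_record("Home", "112233445566", "aabbccddee03", message_pair=2),
    b"\xff" * RECORD_LEN,
])

if __name__ == "__main__":
    recs = parse_hccapx(SAMPLE)
    print(f"{len(recs)} records read")
    home = select_records(recs, exact="Home")
    print(f"{write_hccapx('Home.hccapx', home)} records written to Home.hccapx")
```

The ESSID is compared as raw bytes because the hccapx field is a length-prefixed byte string, so "Home" and "home" are two different networks here, exactly as they are for hashcat (the ESSID is the PBKDF2 salt).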
Thanks, just tested it.

wlancap2hcx -f hashes *.cap gives errors on some caps: "pcap read error: a packet arrives on interface 8, but theres no interface description block for that interface".

Also, if I try to generate PMKs and use hashcat hash-mode 12000, will it reduce the time needed to crack all the 260 handshakes? Because my hashrate doesn't fall, it stays the same, but if I put in 10 handshakes it finishes in 1 hour and if I input the 260 handshakes it wants 3 days, although the hashrate is the same. I don't understand this; what is the reason for this to happen in hash-mode 2500?
Reply
No, hash-mode 12000 doesn't reduce the time. PBKDF2 is very, very computationally intensive.
Generating PMKs only makes sense on common ESSIDs like home, HOME, default, etc.
Once calculated (rainbow table), you can use the PMK list against these ESSIDs.
But rainbow tables are outdated. I use them only to check already recovered passwords. Therefore I calculated
a PMK list from the hashcat potfile.
Reply
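As an added example (my code, not from the thread, hcxtools or hashcat), the following Python shows the PBKDF2 step the reply is talking about and why a precomputed PMK list is bound to one ESSID: the ESSID is the salt, so PMK(passphrase, "home") and PMK(passphrase, "HOME") are unrelated values. It also models the cost that the question above runs into: hashcat only has to run PBKDF2 once per candidate per distinct ESSID, so the total work grows with the number of different ESSIDs in the hccapx, not with the raw count of handshakes, while the displayed hashrate stays the same. The functions use Python's standard hashlib.pbkdf2_hmac with the IEEE 802.11i parameters (HMAC-SHA1, 4096 rounds, 32-byte output); the known test vector from the standard (passphrase "password", SSID "IEEE") is used to check the derivation.

```python
import hashlib

# IEEE 802.11i passphrase-to-PSK mapping: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32)
WPA_PBKDF2_ROUNDS = 4096
PMK_LEN = 32

# Published test vector from IEEE 802.11i (Annex H): passphrase "password", SSID "IEEE".
IEEE_TEST_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def derive_pmk(passphrase, essid):
    """One PBKDF2 run: this is the expensive step hashcat -m 2500 repeats per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(),
                               WPA_PBKDF2_ROUNDS, PMK_LEN)


def build_pmk_table(passphrases, essid):
    """Precompute PMKs for ONE ESSID (the 'PMK list / rainbow table' idea in the reply).
    The table is keyed by PMK so a captured PMK can be looked up without re-running PBKDF2."""
    return {derive_pmk(p, essid): p for p in passphrases}


def lookup_pmk(table, pmk):
    """Return the passphrase behind a PMK, or None if the table does not cover it.
    A table built for "IEEE" never matches a PMK derived under "ieee": different salt."""
    return table.get(pmk)


def pbkdf2_runs(candidates, essids):
    """Model of the -m 2500 cost: PBKDF2 once per candidate per DISTINCT ESSID.
    Handshakes that share an ESSID reuse the same PMK, so they add no PBKDF2 work."""
    return candidates * len(set(essids))


if __name__ == "__main__":
    assert derive_pmk("password", "IEEE") == IEEE_TEST_PMK
    print("home vs HOME give different PMKs:",
          derive_pmk("password", "home") != derive_pmk("password", "HOME"))
    # Constructed ESSID lists: 10 handshakes on 10 networks vs 260 handshakes on 200 networks.
    print(pbkdf2_runs(10 ** 8, [f"net{i}" for i in range(10)]))
    print(pbkdf2_runs(10 ** 8, [f"net{i % 200}" for i in range(260)]))
```

This is why the reply says a PMK list "only makes sense on common ESSIDs": the table for "home" is reusable against every network literally named home, and useless for any other ESSID, and it is why splitting the hccapx by ESSID (wlanhcx2ssid -X / -e) changes the estimated runtime while the hashrate does not move.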
Thanks for the fast reply and support, you are a wonderful person!!

The errors I got with wlancap2hcx were because I inputted all the caps in my directory, and there were caps that I have edited and played around with. It was giving the error on those. The original caps are working, so it's my mistake.
Reply
Nice to hear that it works.
BTW: It's not me alone (RealEnder, Atom, Magnum, Neheb, TOXIC, freeroute - they all belong to the team)

Some words about -m 12000 in combination with WiFi:
If you have captured a PMK from an EAP authentication (hcxtools can do this) and you have
- an idea about the salt
- the password
- or retrieved a possible password from the EAP ID (hcxtools can do this)
- or from the username (hcxtools can do this)
- or from the wlan traffic (hcxtools can do this)
then it's time for hashcat -m 12000
Reply