08-04-2018, 05:35 AM
How do I properly update the old files? I did a "git pull" on hcxtools & hcxdumptool, but it's still not updated...
hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
08-04-2018, 10:24 AM
Latest update hcxtools (17 hours ago): https://github.com/ZerBea/hcxtools/commi...58b3c808a5
Update hcxdumptool to 4.2.0: today or tomorrow, because I received many feature requests and I'll try to add most of them. Atom and I are doing final tests, so please stay tuned...
hcxdumptool 4.2.0 released; read more about some of the new features here:
https://hashcat.net/forum/thread-7717-po...l#pid41427
completely refactored:
- various new options
- measurement of EAPOL timeout
- full support for hashcat hashmodes -m 16800 and 16801
- now the default format is pcapng

$ hcxdumptool --help
hcxdumptool 4.2.0 (C) 2018 ZeroBeat
usage  : hcxdumptool <options>
example: hcxdumptool -o output.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status

options:
-i <interface> : interface (monitor mode must be enabled)
                 ip link set <interface> down
                 iw dev <interface> set type monitor
                 ip link set <interface> up
-o <dump file> : output file in pcapngformat
                 management frames and EAP/EAPOL frames including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-O <dump file> : output file in pcapngformat
                 unencrypted IPv4 and IPv6 frames including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-W <dump file> : output file in pcapngformat
                 encrypted WEP frames including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit>     : set scanlist (1,2,3,...)
                 default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12
                 maximum entries: 127
                 allowed channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
                 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 58, 60, 62, 64
                 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144, 147, 149, 151, 153, 155, 157
                 161, 165, 167, 169, 184, 188, 192, 196, 200, 204, 208, 212, 216
-t <seconds>   : stay time on channel before hopping to the next channel
                 default: 5 seconds
-E <digit>     : EAPOL timeout
                 default: 100000 = 1 second
                 value depends on channel assignment
-D <digit>     : deauthentication intervall
                 default: 20 (every 20 beacons)
                 the target beacon intervall is used as trigger
-A <digit>     : ap attack intervall
                 default: 20 (every 20 beacons)
                 the target beacon intervall is used as trigger
-I             : show suitable wlan interfaces and quit
-h             : show this help
-v             : show version
--filterlist=<file>        : mac filter list
                             format: 112233445566 + comment
                             maximum line lenght 128, maximum entries 32
--filtermode=<digit>       : mode for filter list
                             1: use filter list as protection list (default)
                             2: use filter list as target list
--disable_deauthentications: disable transmitting deauthentications
                             affected: connections between client an access point
                             deauthentication attacks will not work against protected management frames
--give_up_deauthentications=<digit>: disable transmitting deauthentications after n tries
                             default: 10 tries (minimum: 4)
                             affected: connections between client an access point
                             deauthentication attacks will not work against protected management frames
--disable_disassociations  : disable transmitting disassociations
                             affected: retry (EAPOL 4/4 - M4) attack
--disable_ap_attacks       : disable attacks on single access points
                             affected: client-less (PMKID) attack
--give_up_ap_attacks=<digit>: disable transmitting directed proberequests after n tries
                             default: 10 tries (minimum: 4)
                             affected: client-less attack
                             deauthentication attacks will not work against protected management frames
--disable_client_attacks   : disable attacks on single clients points
                             affected: ap-less (EAPOL 2/4 - M2) attack
--enable_status            : enable status messages
--help                     : show this help
--version                  : show version
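The 4.2.0 help above lists an EAPOL timeout (-E, where 100000 means one second), and ZerBea's later reply in this thread explains why a conversion tool must pair M1 and M2 by replay counter and by timeout rather than by "the next packet after an M1". The following is an added example written for this thread, not hcxtools or hcxpcaptool code, that implements exactly those two checks over a constructed list of EAPOL-Key frames in capture order. The EapolFrame class, the reason strings, and the timestamp ticks are assumptions of the example; the MAC addresses and ANonce are taken from the status output quoted later in the thread, and the SNonce is a placeholder.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# -E unit as stated in the hcxdumptool 4.2.0 help: 100000 = 1 second.
# The constructed timestamps below use the same ticks (example convention).
EAPOL_TIMEOUT = 100_000

# Rejection reasons reported for an M2 that cannot be trusted.
MISSING_M1 = "missing_m1"
COUNTER_MISMATCH = "replay_counter_mismatch"
ZEROED_TS = "zeroed_timestamp"
TIMEOUT = "eapol_timeout"


@dataclass(frozen=True)
class EapolFrame:
    ts: int              # capture time in -E ticks; 0 marks a zeroed timestamp
    ap: str              # authenticator MAC (hex, no separators)
    client: str          # supplicant MAC
    msg: int             # 1 = M1 (AP -> client), 2 = M2 (client -> AP)
    replay_counter: int  # EAPOL-Key Replay Counter field
    nonce: str           # ANonce (M1) or SNonce (M2), hex


def pair_m1_m2(frames: List[EapolFrame], timeout: int = EAPOL_TIMEOUT
               ) -> Tuple[List[Tuple[EapolFrame, EapolFrame]], List[Tuple[EapolFrame, str]]]:
    """Walk frames in capture order and pair each M2 with the latest M1 seen for
    the same AP/client. An M2 is accepted only if its replay counter equals that
    M1's and it arrived within `timeout` ticks; otherwise it is listed as
    rejected together with the reason. Returns (accepted_pairs, rejected_m2s)."""
    last_m1: Dict[Tuple[str, str], EapolFrame] = {}
    pairs: List[Tuple[EapolFrame, EapolFrame]] = []
    rejected: List[Tuple[EapolFrame, str]] = []
    for f in frames:
        key = (f.ap, f.client)
        if f.msg == 1:
            # A retransmitted M1 carries a new counter, so later M2s must match it.
            last_m1[key] = f
            continue
        if f.msg != 2:
            continue
        m1 = last_m1.get(key)
        if m1 is None:
            rejected.append((f, MISSING_M1))        # dumper never saw the M1 (packet loss)
        elif f.replay_counter != m1.replay_counter:
            rejected.append((f, COUNTER_MISMATCH))  # stale M2 from an earlier attempt
        elif f.ts == 0 or m1.ts == 0:
            rejected.append((f, ZEROED_TS))         # timeout cannot be verified at all
        elif f.ts - m1.ts > timeout:
            rejected.append((f, TIMEOUT))           # M2 arrived too late for this M1
        else:
            pairs.append((m1, f))
    return pairs, rejected


# Constructed sample capture. MACs and ANonce are the values shown in the status
# output quoted in this thread; the SNonce is a placeholder.
AP, CLIENT = "00234aca3243", "f0a2255ab3b0"
ANONCE = "a7b5e3f9cdacb546352fc96559f9a3bf7d7f73ba3d3e17a25c28098c65b2e80d"
SNONCE = "11" * 32

SAMPLE_FRAMES = [
    EapolFrame(1_000, AP, CLIENT, 1, 1, ANONCE),
    EapolFrame(40_000, AP, CLIENT, 2, 1, SNONCE),             # valid: same counter, 39000 ticks later
    EapolFrame(500_000, AP, CLIENT, 1, 2, ANONCE),
    EapolFrame(520_000, AP, CLIENT, 2, 1, SNONCE),            # stale M2: counter 1 against M1 counter 2
    EapolFrame(900_000, AP, CLIENT, 1, 3, ANONCE),
    EapolFrame(1_100_000, AP, CLIENT, 2, 3, SNONCE),          # 200000 ticks after its M1: past the timeout
    EapolFrame(1_200_000, AP, "aabbccddeeff", 2, 5, SNONCE),  # M2 whose M1 was never captured
    EapolFrame(0, AP, CLIENT, 1, 4, ANONCE),                  # timestamps zeroed by some tool
    EapolFrame(0, AP, CLIENT, 2, 4, SNONCE),
]


if __name__ == "__main__":
    accepted, bad = pair_m1_m2(SAMPLE_FRAMES)
    print(f"accepted M1/M2 pairs: {len(accepted)}")
    for frame, reason in bad:
        print(f"rejected M2 rc={frame.replay_counter} ts={frame.ts}: {reason}")
```

Only the first M2 survives with the default timeout; raising `timeout` to 300000 additionally accepts the late M2, which is the trade-off the -E option controls.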
08-05-2018, 12:51 AM
(This post was last modified: 08-05-2018, 11:07 AM by espfound. Edit Reason: found answers in a previous post by Zerbea)
Hello Zerbea!
Congratulations on the success of this project and many thanks for your consistent support. At your convenience, please address the following:
a. Does the use of the -N switch in wlanhcx2ssid, to strip an output file, increase cracking speed or reduce the integrity of the file?
b. In a previous post, you wrote about creating more efficient channel scan-lists when probing with hcxdumptool, using wlanrcascan. In theory, what hardware (e.g. actual NIC) and situation would we use channels 14, 15, ... for? I'm thinking 5 GHz networks, cards and locations.
c. I read your tutorial on WPA Enterprise Networks. The tools you used are deprecated; would you amend this to use your current tool set?
Thanks
Espfound
Hi espfound.
Thanks for the congratulations.
a. Nearly every wlanhcx2ssid option will increase the speed of hashcat, because we reduce the hashes we will feed hashcat with. But most of them will increase the possibility that we will use a faulty handshake. There are many reasons:
- packet loss of the dumper, not seen by the conversion tool
- crappy/no replaycount check by the conversion tool
- no EAPOL timeout check by the conversion tool (there are some tools which assume that the second received packet after an M1 is the correct M2 - also there are tools which zero the timestamp; in that case we are not able to detect EAPOL timeout).
If you are sure the captured handshake is valid, then only one handshake is ok. In that case you will get full hashcat speed. Mostly hcxpcaptool will give you the best handshake.
BTW: I randomized the ap-less attack to prevent counter measures against us.
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: f0a2255ab3b0 (client)
MAC ACCESS POINT.........: 00234aca3243 (start NIC)
EAPOL TIMEOUT............: 100000
DEAUTHENTICATIONINTERVALL: 20 beacons
GIVE UP DEAUTHENTICATIONS: 10 tries
REPLAYCOUNTER............: 64105
ANONCE...................: a7b5e3f9cdacb546352fc96559f9a3bf7d7f73ba3d3e17a25c28098c65b2e80d
Next hcxdumptool will use the comment field of pcapng EPBs (Enhanced Packet Block) to inform hcxpcaptool about this (a very good reason to use pcapng instead of pcap, cap). hcxdumptool will save the replaycount and anonce value into the comment field of the M2 EPB.
b. The reason for the duplicates is simple to explain. We make sure that we are more often on commonly used channels than on other ones:
- 1, 6, 11 are the most common default channels - so a good scanlist is: 1,6,11,2,1,6,11,3,1,6,11,...
- we can run "frequency overlapped attacks" if we are near an access point. If we are on channel 2, neighbour channels 1 and 3 are under attack, too. So a good scanlist for that purpose is 1,3,5,7,...,2,4,6,8,...
c. Still we have some of them in the wild. So there is no real need to remove them.
BTW: aircrack-ng has WEP support (haven't seen WEP encrypted networks for a long time here); reaver, bully and pixie have WPS support (haven't seen WPS enabled networks or vulnerable networks for a long time here)
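ZerBea's answer to (b) describes two scanlist shapes for the -c option: one that revisits 1, 6 and 11 before every other channel, and one that sweeps the odd channels before the even ones so that each dwell also covers its 2.4 GHz neighbours. The block below is an added example for this thread, not hcxtools code, that generates both shapes, checks them against the channel table and the 127-entry limit quoted from the 4.2.0 help text earlier in the thread, and formats the result for -c. The function names and the ±1-channel overlap approximation in `covered_2g4` are assumptions of the example.

```python
from typing import Iterable, List, Set

# Channel table and entry limit copied from the hcxdumptool 4.2.0 help text in this thread.
ALLOWED_CHANNELS: Set[int] = set(
    list(range(1, 15))
    + [34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 58, 60, 62, 64]
    + [100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144, 147, 149, 151, 153, 155, 157]
    + [161, 165, 167, 169, 184, 188, 192, 196, 200, 204, 208, 212, 216]
)
MAX_ENTRIES = 127


def _check(channels: Iterable[int]) -> List[int]:
    """Reject channels hcxdumptool -c would not accept."""
    chs = list(channels)
    bad = [c for c in chs if c not in ALLOWED_CHANNELS]
    if bad:
        raise ValueError(f"channels not accepted by -c: {bad}")
    return chs


def weighted_scanlist(priority: Iterable[int], others: Iterable[int],
                      max_entries: int = MAX_ENTRIES) -> List[int]:
    """Revisit every priority channel before each remaining channel, producing the
    1,6,11,2,1,6,11,3,... pattern from the reply, and enforce the -c entry limit."""
    pri, rest = _check(priority), _check(others)
    out: List[int] = []
    for ch in rest:
        out.extend(pri)
        out.append(ch)
    if len(out) > max_entries:
        raise ValueError(f"{len(out)} entries exceed the -c limit of {max_entries}")
    return out


def neighbour_first_scanlist(channels: Iterable[int]) -> List[int]:
    """Odd channels first, then even ones: two sweeps of the band with offset steps,
    so adjacent 2.4 GHz channels are covered on both passes."""
    chs = _check(channels)
    return [c for c in chs if c % 2] + [c for c in chs if c % 2 == 0]


def covered_2g4(scanlist: Iterable[int]) -> Set[int]:
    """Approximate 2.4 GHz coverage: a dwell on channel n also overlaps n-1 and n+1.
    Only channels 1..14 are considered (assumption of this example)."""
    covered: Set[int] = set()
    for c in scanlist:
        if 1 <= c <= 14:
            covered.update(n for n in (c - 1, c, c + 1) if 1 <= n <= 14)
    return covered


def to_c_argument(scanlist: Iterable[int]) -> str:
    """Format a scanlist the way -c expects it, e.g. '1,6,11,2,1,6,11,3'."""
    return ",".join(str(c) for c in scanlist)


if __name__ == "__main__":
    weighted = weighted_scanlist([1, 6, 11], [2, 3, 4, 5, 7, 8, 9, 10, 12, 13])
    print("weighted    :", to_c_argument(weighted))
    odd_even = neighbour_first_scanlist(range(1, 14))
    print("odd/even    :", to_c_argument(odd_even))
    print("2.4 GHz covered by the odd half alone:", sorted(covered_2g4(odd_even[:7])))
```

Note that `neighbour_first_scanlist(range(1, 14))` reproduces the default scanlist printed by the 4.2.0 help text, and that the odd half alone already covers channels 1 to 14 under the overlap approximation, which is the point of the odd-then-even ordering.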
08-05-2018, 02:13 PM
Thank you Zerbea!
On question c, I am confused WPA/WPA2 Enterprise (radius credentials and so forth). Can you guide on how we can use hcxtool framework for these networks?
08-05-2018, 02:45 PM
hcxdumptool will capture all the required information, and hcxdumptool is able to detect all kinds of EAP authentications. If hashcat has a corresponding hashmode to recover the password, you can convert the required data easily, using these switches (hcxpcaptool):
--netntlm-out=<file> : output netNTLMv1 file (hashcat -m 5500, john netntlm)
--md5-out=<file> : output MD5 challenge file (hashcat -m 4800)
--md5-john-out=<file> : output MD5 challenge file (john chap)
--tacacsplus-out=<file> : output TACACS+ authentication file (hashcat -m 16100, john tacacs-plus)
hcxdumptool and hcxtools will follow the crackers (hashcat and JtR). If a hash cracker is able to crack something, hcxtools will parse it to the hash cracker.
BTW: This is a nice wireshark filter to take a look inside the pcapng:
wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x01 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x03 || eapol || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x0b || eapol
We do not need a beacon!
08-05-2018, 04:26 PM
Thank you for clarifying
08-06-2018, 07:39 AM
Thank you for the update Zerbea, ran hcxdumptool 4.2.0 for an hour, working on Huawei routers for PMKID
=================================================
summary:
--------
file name....................: dump1.cap
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.14.32-wifislax64
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 217
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 5
probe requests...............: 12
probe responses..............: 15
association requests.........: 27
association responses........: 50
authentications (OPEN SYSTEM): 66
authentications (BROADCOM)...: 21
authentications (APPLE)......: 4
EAPOL packets................: 42
EAPOL PMKIDs.................: 2
best handshakes..............: 1 (ap-less: 0)
08-06-2018, 08:47 AM
(This post was last modified: 08-06-2018, 08:48 AM by RashidMalik.)
Hello ZerBea
Great to see you working hard on making hcxtools one of a kind. You guys have left other similar tools way, way behind. Hats off and a bow to your tireless dedication.
Q - Regarding the hcxpcaptool -o and -O options. Are they mutually exclusive (that is, what -o captures -O does not and vice versa) or does -O include all you could capture with -o and then some more handshakes? I mean, what's the difference and when to use which option?