hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
how to properly update the old files, I did a "git pull" on hcxtools & hcxdumptool, buts its still not updated ..
Reply
Latest update hcxtools (17 hours ago): https://github.com/ZerBea/hcxtools/commi...58b3c808a5
Update hcxdumptool to 4.2.0: today or tomorrow, because I received many feature requests and I'll try to add most of them. Atom and I doing final tests, so please stay tuned...
Reply
hcxdumptool 4.2.0 released read more about some of the new features here:
https://hashcat.net/forum/thread-7717-po...l#pid41427

complete refactored:
-various new options
-measurement of EAPOL timeout
-full support for hashcat hashmodes -m 16800 and 16801
-now default format is pcapng

$ hcxdumptool --help
hcxdumptool 4.2.0 (C) 2018 ZeroBeat
usage  : hcxdumptool <options>
example: hcxdumptool -o output.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status

options:
-i <interface> : interface (monitor mode must be enabled)
                ip link set <interface> down
                iw dev <interface> set type monitor
                ip link set <interface> up
-o <dump file> : output file in pcapngformat
                management frames and EAP/EAPOL frames
                including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-O <dump file> : output file in pcapngformat
                unencrypted IPv4 and IPv6 frames
                including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-W <dump file> : output file in pcapngformat
                encrypted WEP frames
                including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit>     : set scanlist  (1,2,3,...)
                default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12
                maximum entries: 127
                allowed channels:
                1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
                34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 58, 60, 62, 64
                100, 104, 108, 112, 116, 120, 124, 128, 132,
                136, 140, 144, 147, 149, 151, 153, 155, 157
                161, 165, 167, 169, 184, 188, 192, 196, 200, 204, 208, 212, 216
-t <seconds>   : stay time on channel before hopping to the next channel
                default: 5 seconds
-E <digit>     : EAPOL timeout
                default: 100000 = 1 second
                value depends on channel assignment
-D <digit>     : deauthentication intervall
                default: 20 (every 20 beacons)
                the target beacon intervall is used as trigger
-A <digit>     : ap attack intervall
                default: 20 (every 20 beacons)
                the target beacon intervall is used as trigger
-I             : show suitable wlan interfaces and quit
-h             : show this help
-v             : show version

--filterlist=<file>                : mac filter list
                                    format: 112233445566 + comment
                                    maximum line lenght 128, maximum entries 32
--filtermode=<digit>               : mode for filter list
                                    1: use filter list as protection list (default)
                                    2: use filter list as target list
--disable_deauthentications:         disable transmitting deauthentications
                                    affected: connections between client an access point
                                    deauthentication attacks will not work against protected management frames
--give_up_deauthentications=<digit>: disable transmitting deauthentications after n tries
                                    default: 10 tries (minimum: 4)
                                    affected: connections between client an access point
                                    deauthentication attacks will not work against protected management frames
--disable_disassociations          : disable transmitting disassociations
                                    affected: retry (EAPOL 4/4 - M4) attack
--disable_ap_attacks               : disable attacks on single access points
                                    affected: client-less (PMKID) attack
--give_up_ap_attacks=<digit>       : disable transmitting directed proberequests after n tries
                                    default: 10 tries (minimum: 4)
                                    affected: client-less attack
                                    deauthentication attacks will not work against protected management frames
--disable_client_attacks           : disable attacks on single clients points
                                    affected: ap-less (EAPOL 2/4 - M2) attack
--enable_status                    : enable status messages
--help                             : show this help
--version                          : show version
Reply
Hello Zerbea!

Congratulations on the success of this project and many thanks for your consistent support. At your convenience, please address the following:

a. Does the use of the -N switch in wlanhcx2ssid, to strip an output file, increase cracking speed or reduce the integrity of the file?

b. In a previous post, you wrote about creating more efficient channel scan-lists when probing with hcxdumptool-using wlanrcascan. In theory, what hardware (e.g. actual NIC) and situation would we use channels 14,15....? I'm thinking 5Gz networks, cards and locations.

c. I read your tutorial on WPA Enterprise Networks. The tools you used are deprecated-would you amend this to use your current tool set?

Thanks
Espfound
Reply
Hi espfound.
Thanks for the congratulations.
a.
Nearly every wlanhcx2ssid option will increase speed of hashcat, because we reduce the hashes we will feed hashcat with.
But most of them will increase the possibility that we will use a faulty handshake. There are many reasons:
- packet loss of the dumper, not seen by conversion tool
- crappy/no replaycount check by the conversion tool
- no EAPOL timeout check by the conversion tool (there are some tools which assume that the second received packet on a M1 is the correct M2 - also there are tools which zeroes the timestamp; in that case we are not able to detect EAPOL timeout).
If you are shure, the captured handshake is valid, then only one handshake is ok. In that case you will get full hashcat speed. Mostly hcxpcaptool will give you the best handshake.
BTW:
I randomized the ap-less attack to prevent counter measures against us.
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: f0a2255ab3b0 (client)
MAC ACCESS POINT.........: 00234aca3243 (start NIC)
EAPOL TIMEOUT............: 100000
DEAUTHENTICATIONINTERVALL: 20 beacons
GIVE UP DEAUTHENTICATIONS: 10 tries
REPLAYCOUNTER............: 64105
ANONCE...................: a7b5e3f9cdacb546352fc96559f9a3bf7d7f73ba3d3e17a25c28098c65b2e80d

Next hcxdumptool will use the comment field of pcapng EHBs (Enhanced Packet Block) to inform the hcxpcaptool about this (a very good reason to use pcapng instead of pcap, cap). hcxdumptool will save replaycount and anonce value into the comment field of the M2 EPB.

b.
The reason for the duplicates in is simple to explain. We make shure that we are more often on common used channels than on other ones:
- 1,6,11 are most common default channels - so a good scanlist is: 1,6,11,2,1,6,11,3,1,6,11.....
- we can run "frequency overlapped attacks" if we are near of an access point. If we are on channel 2, neighbour channels 1 and 3 are under attack, too. So a good scanlist for that purpose is 1,3,5,7...2,4,6,8

c.
Still we have some om them in the wildness. So there is no real need to remove them.
BTW:
aircrack-ng has wep support (haven't seen wep encrypted networks for a long time here)
reaver, bully and pixie have wps support (haven't seen wps enabled networks or vulnerable networks for a long time here)
Reply
Thank you Zerbea!

On question c, I am confused WPA/WPA2 Enterprise (radius credentials and so forth). Can you guide on how we can use hcxtool framework for these networks?
Reply
hcxdumptool will capture all the required informations and
hcxdumptool is able to detect all kinds of EAP authentications. If hashcat has a correspondending hashmode to recover the password, you can convert the required data easyly, using this switches (hcxpcaptool):
--netntlm-out=<file> : output netNTLMv1 file (hashcat -m 5500, john netntlm)
--md5-out=<file> : output MD5 challenge file (hashcat -m 4800)
--md5-john-out=<file> : output MD5 challenge file (john chap)
--tacacsplus-out=<file> : output TACACS+ authentication file (hashcat -m 16100, john tacacs-plus)

hcxdumptool and hcxtools will follow the crackers (hashcat and JtR). If a hash cracker will be able to crack something, hcxtools will parse it to the hash cracker.

BTW:
This is a nice wireshark filter to take a look inside the pcapng:
wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x01 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x03 || eapol || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x0b || eapol
We do not need a beacon!
Reply
Thank you for clarifying Wink
Reply
Thank you for the update Zerbea, ran hcxdumptool 4.2.0 for an hour, working on Huawei routers for PMKID
=================================================
summary:
--------
file name....................: dump1.cap
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.14.32-wifislax64
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 217
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 5
probe requests...............: 12
probe responses..............: 15
association requests.........: 27
association responses........: 50
authentications (OPEN SYSTEM): 66
authentications (BROADCOM)...: 21
authentications (APPLE)......: 4
EAPOL packets................: 42
EAPOL PMKIDs.................: 2
best handshakes..............: 1 (ap-less: 0)
Reply
Hello ZerBea

Great to see you working hard on making hcxtools one of a kind. You guys have left other similar tools way way behind. Hats off and a bow to your tireless dedication.

Q - Regrading hcxpcaptool -o and -O option. Are they mutually exclusive (that is what -o captures -O does not and vice versa) or does -O include all you could capture with -o and then some more handshakes? I mean whats the difference and when to use which option?
Reply