hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
By this hcxtools commit
https://github.com/ZerBea/hcxtools/commi...0da23ddbcb
we detect and convert PMKIDs from clients, too. Therefore we use the RSN information field of the client.
The RSN IE is an optional field that can be found in 802.11 management frames. One of the RSN capabilities is the PMKID. Reassociationrequest and EAPOL M2 frames of clients can contain a PMKIDLIST at the end of the RSN IE.

Wireshark will show you this information:

Tag: RSN Information
Tag Number: RSN Information (48)
Tag length: 38
RSN Version: 1
Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
Pairwise Cipher Suite Count: 1
Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
RSN Capabilities: 0x24ac
PMKID Count: 1
PMKID List

In case of a reassociationrequest frame, only one(!) packet is needed to retrieve all the information we need to recover the password. A reassociationrequest contain ESSID, MAC_AP, MAC_STA and it may contain the PMKID (keep in mind: not all clients will do this).
In case of an EAPOL M2, we need a second frame, too, which contain the ESSID (proberequest, proberesponse, associationrequest, beacon). That is similar to the method to retrieve a PMKID from an access point. In that case we use the EAPOL M1 to get the PMKID (keep in mind: not all access points will do this).

New status output of hcxpcaptool looks like that:
PMKIDs (WPA1)................: 5
PMKIDs (WPA2)................: 193
PMKIDs (WPA2 keyv 3).........: 72
PMKIDs from access points....: 258
PMKIDs from stations.........: 19
Reply
Here is an example running hcxdumptool-> hcxtools -> hashcat:

1) run hcxdumptool

2) get info about pcapng file
$ hcxpcaptool -o test.hccapx -k test.16800 hcxdumptool_dump.pcapng.gz
decompressing hcxdumptool_dump.pcapng.gz to /tmp/hcxdumptool_dump.pcapng.gz.tmp
reading from hcxdumptool_dump.pcapng.gz.tmp
summary:                                        
file name........................: hcxdumptool_dump.pcapng.gz.tmp
file type........................: pcapng 1.0
file hardware information........: armv6l
file os information..............: Linux 4.19.37-2-ARCH
file application information.....: hcxdumptool 5.1.4
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
packets inside...................: 76658
skipped packets..................: 0
packets with GPS data............: 0
packets with FCS.................: 0
WDS packets......................: 7
beacons (with ESSID inside)......: 323
beacons (with MESH-ID inside)....: 3
probe requests...................: 2754
probe responses..................: 132
association requests.............: 2570
association responses............: 856
reassociation requests...........: 5831
reassociation responses..........: 705
authentications (OPEN SYSTEM)....: 7183
authentications (BROADCOM).......: 6607
authentications (APPLE)..........: 316
EAPOL packets (total)............: 55013
EAPOL packets (WPA2).............: 55013
PMKIDs (total)...................: 324
PMKIDs (WPA2)....................: 308
PMKIDs from access points........: 308
PMKIDs from stations.............: 16
EAP packets......................: 782
EAP START packets................: 6
EAP LOGOFF packets...............: 7
found............................: EAP type ID
found............................: EAP-SIM (GSM Subscriber Modules) Authentication
found............................: UMTS Authentication and Key Agreement (EAP-AKA)
best handshakes..................: 430 (ap-less: 277)
best PMKIDs......................: 66

430 handshake(s) written to test.hccapx
66 PMKID(s) written to test.16800


Now we remove all(!) packets except of one single reassociationrequest from hcxdumptool_dump.pcapng.gz to demonstrate the attack vector.
Improtant: There is no need to do this and you shouldn't clean a hcxdumptool pcapng file, otherwise you will loose many, many important informations (https://hashcat.net/forum/thread-6661-po...l#pid44872).

$ hcxpcaptool -k test.16800 single_frame.pcapng.gz
decompressing single_frame.pcapng.gz to /tmp/single_frame.pcapng.gz.tmp
reading from single_frame.pcapng.gz.tmp
summary:                                        
file name........................: single_frame.pcapng.gz.tmp
file type........................: pcapng 1.0
file hardware information........: armv6l
file os information..............: Linux 4.19.42-1-ARCH
file application information.....: hcxdumptool 5.1.5
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
packets inside...................: 1
skipped packets..................: 0
packets with GPS data............: 0
packets with FCS.................: 0
reassociation requests...........: 1
PMKIDs (total)...................: 1
PMKIDs from stations.............: 1
best PMKIDs......................: 1

1 PMKID(s) written to test.16800

3) run hashcat
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PMKID-PBKDF2
Hash.Target......: (removed)
Time.Started.....: Sat Jun  8 12:03:24 2019 (0 secs)
Time.Estimated...: Sat Jun  8 12:03:24 2019 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   296.9 kH/s (6.34ms) @ Accel:16 Loops:512 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 86027/101041 (85.14%)
Rejected.........: 11/86027 (0.01%)
Restore.Point....: 57354/101041 (56.76%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Siegen002& -> olivia12345
Hardware.Mon.#1..: Temp: 53c Fan: 38% Util: 33% Core:1835MHz Mem:5005MHz Bus:16

Started: Sat Jun  8 12:03:22 2019
Stopped: Sat Jun  8 12:03:25 2019
Reply
Do not clean  hcxdumptool pcapng files, otherwise you will loose important information.
This is  a complete run on all hash files: hcxdumptool -> hcxtools -> hashcat

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: test.hccapx
Time.Started.....: Sat Jun  8 11:59:37 2019 (33 secs)
Time.Estimated...: Sat Jun  8 12:00:10 2019 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   457.9 kH/s (3.99ms) @ Accel:16 Loops:512 Thr:64 Vec:1
Recovered........: 162/430 (37.67%) Digests, 43/166 (25.90%) Salts
Progress.........: 16772806/16772806 (100.00%)
Rejected.........: 2158/16772806 (0.01%)
Restore.Point....: 101041/101041 (100.00%)
Restore.Sub.#1...: Salt:165 Amplifier:0-1 Iteration:0-1
Candidates.#1....: olivia2012 -> ١٢٣٤٥٦٧٨٩٠
Hardware.Mon.#1..: Temp: 76c Fan: 58% Util: 85% Core:1847MHz Mem:5005MHz Bus:16

Started: Sat Jun  8 11:59:36 2019
Stopped: Sat Jun  8 12:00:11 2019


Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-PMKID-PBKDF2
Hash.Target......: test.16800
Time.Started.....: Sat Jun  8 12:00:53 2019 (5 secs)
Time.Estimated...: Sat Jun  8 12:00:58 2019 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   452.5 kH/s (3.94ms) @ Accel:16 Loops:512 Thr:64 Vec:1
Recovered........: 19/66 (28.79%) Digests, 4/26 (15.38%) Salts
Progress.........: 2627066/2627066 (100.00%)
Rejected.........: 338/2627066 (0.01%)
Restore.Point....: 101041/101041 (100.00%)
Restore.Sub.#1...: Salt:25 Amplifier:0-1 Iteration:0-1
Candidates.#1....: olivia2012 -> ١٢٣٤٥٦٧٨٩٠
Hardware.Mon.#1..: Temp: 68c Fan: 48% Util: 89% Core:1873MHz Mem:5005MHz Bus:16

Started: Sat Jun  8 12:00:51 2019
Stopped: Sat Jun  8 12:00:59 2019


This alone should be reason enough not(!) to clean a pacpng file!
Reply
Hi Zerbea,
From my own experience, using "hcxpcaptool (...) -I wordlist -E wordlist" and then hashcat on 'wordlist' never gave me any cracked password.
I have tested that on about 1000 unique ESSID (cap file).
Are you able to share the rate / ratio on your own tests ?
The 'wordlist' previously mentioned if full of ESSIDs names (entourage) and I doubt there are many real passwords inside.
Let us know your own experience Smile
Reply
That depend on your technics, tactics and procedures and a lot of experience.
You must establish an environment and a good database:

$ wc essidliste
5504870  7164072 73826553 essidliste

$ wc identityliste
15266  15520 930232 identityliste

But it is not the list alone. It is more  a combination of the lists, hcxdumptool, hcxwltool, hcxpsktool and hashcat, too. 

If you take the example from here:
https://hashcat.net/forum/thread-6661-po...l#pid44797
You will see many (default) PSKs inside.



BTW:
send you a private message.
Reply
Here is my experiencce on 10'000 cap files, command line was :
Code:
hcxpcaptool -M imsilist -X clientprobelist -I wordlist -E wordlist  -T trafficlist -g gpslist -U usernamelist -P pmklist --netntlm-out=netntlm --md5-out=md5chap --tacacsplus-out=tacacs --nonce-error-corrections=128 --time-error-corrections=10000  -z pmkid -o hccapx file.cap
(any advice on these arguments would of course be very appreciated!)

Results:
-M: gave 2 results (on 10000). What's inside : 15 digits (IMSI). Would that mean that the access point was a smartphone? Not useful for hashcat goal but for forensic maybe.
-X: 5000 results. Don't really think the content (mac address:essid) can help to crack password.
-I and -E : lots of results, as explained before, wordlist of ESSIDs and other things. Not convinced (yest!) if that can help to crack password.
-T: network information, not really useful for hashcat goal.
-g : only 1 result, gives the gps coordinates. not useful for hashcat be can be for other purpose (forensic)
-U: few results, but in my opinion not really useful for hashcat goal.
-P: few results, don't know what to do with that.
--netntlm-out: 0 result (on 10000 files). Don't know why.
--md5chap : same.
--tacacs: same.

Note: only 20% were captured with hcxdumptool, that can explain the results ?
Anyway, thanks again for this great tool !
Reply
No, wrong attempt:

-M = IMSIs of clients within your range - usful to set up an IMSI catcher
-X = useful to track the client
-T = only statistic purpose
-g = useful in combination with a GPS device and 3wifi
-U = useful only on http traffic
-P = useful only on RADIUS on networks to get the session PMK
--netntlm-out = useful only on RADIUS networks on http traffic
--md5chap  = useful only on RADIUS networks on http traffic
--tacacs = useful only on RADIUS networks on http traffic

only the combination of hcxdumptool -> hcxtools -> hashcat (or Jtr) is useful
the difference to other tools: hcxdumptool request (active) useful packets (for example you can use lower nonce-error-corrections 0..2)

Just compare the result (hcxpcaptool -V) of
airodump-ng cap file
besside-ng cap file
wpaclean cap file
kismet cap file
hcxdumptool pcapng file

I'm sure, you'll see the difference...
Reply
Thanks, for those great posts. After getting a pmkid file from a capture with -k, should I depure It and erase repeated ESSIDs ? The are different hashes with same ESSIDs, same AP MAC, but different station MAC.

Do you apply rules or masks with the ESSIDS list after -E, do you clean the EESID names from it? Would it make sense to combine all the output from -E from all the pcapng ?
Reply
After getting a pmkid file from a capture with -k, should I depure It and erase repeated ESSIDs ?
Yes you can do it, if ESSID and MAC_AP is the same - that will speed up hashcat a little bit

Do you apply rules or masks with the ESSIDS list after -E
No, i only use hcxwltool on them

Would it make sense to combine all the output from -E from all the pcapng ?
Of cource yes - that will update your database/environment.

Also cat all .16800 to an archiv.16800 and all .2500 to an archiv.2500
Than, from time to time, run your -E archiv against them.
Reply
Noted, that will do everything easier.
I saw people using Wlandump instead hcxdumptool.. any difference on the output?
Could be possible to create a minimal raspberry distro just for hcxtools and access via ssh only?
Reply