hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
@WPA_Catcher nice suggestion, but not the philosophy of Arch Linux:
"Arch Linux adheres to five principles: simplicity, modernity, pragmatism, user centrality and versatility. In general, the principles maintain minimal distribution-specific changes, minimal breakage with updates, pragmatic over ideological design choices, user-friendliness, and minimal bloat."
hcxtools/hcxdumptool/hcxkeys are part of Arch Linux:
https://www.archlinux.org/packages/?q=hcx

From README.md:
Multiple stand-alone binaries - designed to run on Arch Linux.

No chance for old tools working on old formats, only. I leave a limited option to convert to these old formats, but not more.

And, of course, the Unix philosophy, too (Linux is similar):
https://en.wikipedia.org/wiki/Unix_philosophy
Reply
OK, no problem.
I just thought it would have been something you might have liked.
I am still learning in my spare time. :)
Reply
Well, I'm retired, but I am still learning something new, too.
Reply
(01-14-2020, 06:31 PM)ZerBea Wrote: Well, not easy to explain:
https://www.kernel.org/doc/html/v4.17/pr...tches.html
But in simple words, it works like this procedure:
First step is to report an issue (if it is related to the kernel and not to your distribution) here:
https://bugzilla.kernel.org
Next step is to wait for a fix/patch and to test it.
Third step is to wait until the fix reaches the mainline kernel.
Last step is to wait until the (fixed) mainline kernel reaches your distribution.

So, patience issue or change my wifi adapter
Reply
Patience....
example:
issue reported: 2019-10-24 08:50:38
https://bugzilla.kernel.org/show_bug.cgi?id=205305
received patch: 2019-10-28 11:59:09
https://bugzilla.kernel.org/show_bug.cgi?id=205305#c2
tested patch: 2019-10-28 12:49:18
https://bugzilla.kernel.org/show_bug.cgi?id=205305#c3
...
waiting for Kernel....
$ hcxdumptool -I
wlan interfaces:
503eaa1c3eab wlan0 (usb)

$ uname -r
5.4.11-arch1-1

so, not arrived, yet!
Reply
Ah you’re retired, I wondered how you were working on hcxtools so quickly.

As I am stuck with old formats I have always been concerned any capture I have may be unbreakable due to error/corruption and not password strength.

I understand all hcxtools are unlikely to produce an uncrackable hash which is due to error.  Are we allowed to know how you do this?  Is there a pdf or something explaining it?

As part of my learning I would like to look through a capture with Wireshark and see if I can manually fix broken caps.

Also is there a gradient of good - excellent within hcxtools of the likelihood of the hash being crackable?  What I am trying to ask is if there are several text hashes (new format) within the output for the same AP - Client is there a way for the user to pick the best option?

Thanks
Reply
Before you start with Wireshark, take a look at the basics of 802.11
here:
https://en.wikipedia.org/wiki/802.11_Frame_Types
Then dive into the study guide here:
https://mrncciew.com/tag/802-11-overview/
Start with a simple frame here:
https://mrncciew.com/2014/10/08/802-11-m...con-frame/
Find it in your sample cap, using Wireshark.
Understand the information elements (IE) inside the frame and how a CLIENT acts if it receives this frame.
Do this on all frames of an authentication process:
Beacon
Proberequest
Proberesponse
Authentication
Association request
Association response
M1
M2
M3
M4
Investigate why some APs are transmitting/requesting additional frames (e.g.: action frames during an authentication).

Read about EAPOL TIMER here:
https://www.researchgate.net/publication...entication
What is their purpose, what will happen if a timer expires - and you will know why some of your converted handshakes are not recoverable.

If we include the radio part (HF) some knowledge about radio basics isn't so bad, too:
radio transmission power
antenna types
wave propagation
radio phase shift
radio modulation types
Reply
Thank you!
Reply
Don't thank me. Those are only the basics.
Next part is to understand RSN-IE and WPA-IE. How do they affect the following EAP authentication?
Why isn't it enough to capture a BEACON and M2M3 (discover the difference between RSN-IE/WPA-IE of a BEACON and RSN-IE/WPA-IE of an ASSOCIATION REQUEST) within the same authentication sequence?
What is EAP, EXPANDED EAP, EAPOL?
What is the function of AKM PSK/PSK256 and how does it affect calculation of the PMK?
And much more...
Reply
There is no need to run hcxtools on the new hashline format. Nearly every bash cmd is working on the new hashline:

e.g. running a simple bash line will give you the ESSID in ASCII format:
cat test.22000 | awk 'BEGIN { FS = "*" } ; { print $6 }' | perl -pe 's/(..)/chr(hex($1))/ge'
Reply
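A hardened variant of the one-liner in the post above, as an added example that is not part of the original thread: it decodes field 6 the same way, but prints every byte outside printable ASCII as \xNN, because ESSID bytes are chosen by whoever transmitted the frame and the Perl version writes them to the terminal unfiltered. The function name summarize_22000, the sample lines, and the meaning given to fields 2, 4 and 5 (type, AP MAC, client MAC, following hashcat's documented 22000 layout) are assumptions, not taken from this thread.

```shell
#!/bin/sh
# Added example: summarise hashcat 22000 lines as "TYPE AP CLIENT ESSID".
# Assumed layout: WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID*...
# ESSID bytes are chosen by the transmitter, so bytes outside printable
# ASCII (and the backslash itself) are printed as \xNN, never raw.
summarize_22000() {
    awk -F'[*]' '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    function essid(hex,    i, n, out) {
        out = ""
        for (i = 1; i < length(hex); i += 2) {
            n = 16 * hexval(substr(hex, i, 1)) + hexval(substr(hex, i + 1, 1))
            if (n >= 32 && n <= 126 && n != 92)
                out = out sprintf("%c", n)
            else
                out = out sprintf("\\x%02x", n)
        }
        return out
    }
    # Skip anything that is not a well-formed PMKID (01) or EAPOL (02) line.
    $1 == "WPA" && ($2 == "01" || $2 == "02") &&
    $6 ~ /^([0-9A-Fa-f][0-9A-Fa-f])+$/ {
        printf "%s %s %s %s\n", ($2 == "01" ? "PMKID" : "EAPOL"), $4, $5, essid($6)
    }
    ' "$@"
}

# Constructed sample lines (not real captures). The second ESSID is the
# bytes ESC [ 2 J, the third is not valid hex and is skipped.
summarize_22000 <<'EOF'
WPA*01*00000000000000000000000000000000*aabbccddeeff*112233445566*74657374***
WPA*02*00000000000000000000000000000000*aabbccddeeff*112233445566*1b5b324a*00*00*02
WPA*02*00000000000000000000000000000000*aabbccddeeff*112233445566*zz*00*00*02
EOF
```

Pass one or more .22000 files as arguments, or pipe hash lines in on stdin.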