hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Now, I'm a little bit confused:
Hello ZerBea, how to convert potfile 16800 and hccapx to 22000 mode.

Do you want to convert your 5.1.0 potfile format to new potfile format?
$ hcxhashcattool -p old.potfile -P new.potfile

Do you want to convert your old .16800 hashline format to new .22000 hashline format?
$ hcxmactool --pmkidin=old.16800 --pmkideapolout=new.22000

Do you want to convert your old hccapx to new.22000 format?
$ hcxmactool --hccapxin=hccapx.16800 --pmkideapolout=new.22000

Or use bash commands or use hcxtools or use a combination of hcxtools and bash commands. Everything is possible - if you're running Linux!
Reply
(02-06-2020, 03:28 PM)ZerBea Wrote: Now, I'm a little bit confused:
Hello ZerBea, how to convert potfile 16800 and hccapx to 22000 mode.

Do you want to convert your 5.1.0 potfile format to new potfile format?
$ hcxhashcattool -p old.potfile -P new.potfile

Do you want to convert your old .16800 hashline format to new .22000 hashline format?
$ hcxmactool --pmkidin=old.16800 --pmkideapolout=new.22000

Do you want to convert your old hccapx to new.22000 format?
$ hcxmactool --hccapxin=hccapx.16800 --pmkideapolout=new.22000

Or use bash commands or use hcxtools or use a combination of hcxtools and bash commands. Everything is possible - if you're running Linux!

Again sorry for the confusion. My English is bad.
My case is an xxx.potfile (hashcat 5.1.0 / beta1644) with lines of the form PMK:ESSID (in HEX):PSK; I want to convert it to an xxx.potfile for mode 22000 with lines of the form PMK*ESSID (in HEX):PSK.
Reply
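The two conversions asked about above (old .16800 hashlines to 22000 hashlines, and the old PMK:ESSID:PSK potfile lines to the PMK*ESSID:PSK form) written out in plain Python, as an added example for cross-checking what hcxmactool and hcxhashcattool produce. This is not hcxtools code; the field layouts it assumes are the public 16800 and 22000 PMKID hashline formats and the two potfile layouts exactly as described in the posts above, and every sample line is constructed for the demonstration.

```python
"""Format conversions for hashcat WPA modes (example code, not part of hcxtools).

Assumed layouts (from the thread and the public hashcat format docs):
  old 16800 hashline : PMKID*MAC_AP*MAC_STA*ESSID_HEX
  22000 PMKID line   : WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_HEX***
  old potfile line   : PMK:ESSID_HEX:PSK      (hashcat 5.1.0, as described above)
  new potfile line   : PMK*ESSID_HEX:PSK      (mode 22000, as described above)
"""
import re

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def _is_hex(s, nbytes=None):
    """True if s is hex, optionally of exactly nbytes bytes (2*nbytes chars)."""
    return bool(_HEX.match(s)) and (nbytes is None or len(s) == 2 * nbytes)


def convert_16800_line(line):
    """Rewrite one old 16800 hashline as a 22000 PMKID hashline (type 01).
    The MIC/nonce/EAPOL/messagepair columns are empty for a PMKID entry."""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError(f"expected 4 '*'-separated fields, got {len(fields)}")
    pmkid, mac_ap, mac_sta, essid_hex = fields
    if not (_is_hex(pmkid, 16) and _is_hex(mac_ap, 6)
            and _is_hex(mac_sta, 6) and _is_hex(essid_hex)):
        raise ValueError("malformed 16800 line: PMKID must be 16 bytes, MACs 6 bytes, ESSID hex")
    return f"WPA*01*{pmkid}*{mac_ap}*{mac_sta}*{essid_hex}***"


def convert_potfile_line(line):
    """Rewrite PMK:ESSID_HEX:PSK as PMK*ESSID_HEX:PSK.
    Only the first two ':' are separators; the PSK itself may contain ':'."""
    parts = line.rstrip("\n").split(":", 2)
    if len(parts) != 3:
        raise ValueError("expected PMK:ESSID_HEX:PSK")
    pmk, essid_hex, psk = parts
    if not (_is_hex(pmk, 32) and _is_hex(essid_hex)):
        raise ValueError("malformed potfile line: PMK must be 32 bytes hex, ESSID hex")
    return f"{pmk}*{essid_hex}:{psk}"


def convert_lines(lines, converter):
    """Apply a converter line by line; keep going on bad lines and report them
    with their 1-based line number instead of aborting the whole file."""
    out, errors = [], []
    for n, ln in enumerate(lines, 1):
        if not ln.strip():
            continue
        try:
            out.append(converter(ln))
        except ValueError as e:
            errors.append((n, str(e)))
    return out, errors


# Constructed sample input (not real captures): one good and one truncated 16800 line,
# plus an old potfile line whose PMK is the IEEE 802.11i test vector for "password"/"IEEE".
SAMPLE_16800 = [
    "00112233445566778899aabbccddeeff*020000000001*020000000002*4e455453595f4e4554",
    "00112233445566778899aabbccddeeff*020000000001*020000000002",
]
SAMPLE_POTFILE = [
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e:49454545:password",
]

if __name__ == "__main__":
    for src, conv in ((SAMPLE_16800, convert_16800_line), (SAMPLE_POTFILE, convert_potfile_line)):
        good, bad = convert_lines(src, conv)
        print("\n".join(good))
        for n, msg in bad:
            print(f"line {n}: skipped ({msg})")
```

The converters refuse lines whose field count or field widths do not match, so a half-written or mangled line is reported rather than silently turned into a hashline hashcat would reject much later; the potfile converter splits on at most two colons because the PSK is the only field allowed to contain one.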
Reading up to get updated... I have a couple of questions.

Mode 22000 is like 2500 + 16800, so only one hashcat run would be needed for both?

How to update hcxdumptool and hcxtools on Linux? Is an apt-get update && upgrade enough?
Reply
Correct: 22000 is 16800 + 2500
So we have to pay the price (PBKDF2) only once. Additionally, we're leaving the binary hccapx format.

apt-get update && upgrade sounds Debian based. I don't know anything about their update policy.
But the packages look old to me:
https://packages.debian.org/sid/hcxdumptool
and that is sid!

On Arch pacman -Syu is all you have to do. On other distributions you can do a git pull followed by make install.
Reply
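To make the "pay PBKDF2 only once" point concrete, here is the key schedule behind both halves of mode 22000 written out in Python as an added illustration (not hashcat or hcxtools code): the PMK comes from PBKDF2-HMAC-SHA1 over the ESSID, and both the PMKID (the 16800 half) and the KCK used for the EAPOL MIC (the 2500 half) are cheap HMAC/PRF steps on top of that one PMK. MAC addresses and nonces below are constructed placeholders; the PMK assertion uses the IEEE 802.11i test vector ("password", ESSID "IEEE").

```python
"""WPA2-PSK key schedule: one PBKDF2, two cheap derivations (example code, not hashcat's).

derive_pmk      : PMK = PBKDF2-HMAC-SHA1(psk, essid, 4096, 32)          -- expensive
pmkid_from_pmk  : PMKID = HMAC-SHA1(PMK, "PMK Name" || AA || SPA)[:16]  -- cheap
kck_from_pmk    : KCK = PRF-384(PMK, "Pairwise key expansion", ...)[:16] -- cheap
"""
import hashlib
import hmac


def derive_pmk(psk, essid):
    """The slow step: 4096 rounds of HMAC-SHA1, salted with the ESSID bytes."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid.encode(), 4096, 32)


def pmkid_from_pmk(pmk, mac_ap, mac_sta):
    """PMKID as carried in the first EAPOL message (802.11i 8.5.1.2)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def prf_sha1(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def kck_from_pmk(pmk, mac_ap, mac_sta, anonce, snonce):
    """First 16 bytes of the PTK; this is the key that authenticates EAPOL M2/M3/M4."""
    data = (min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_sha1(pmk, b"Pairwise key expansion", data, 48)  # KCK | KEK | TK (CCMP)
    return ptk[:16]


def derive_both(psk, essid, mac_ap, mac_sta, anonce, snonce):
    """What a 22000 run does per candidate: PBKDF2 once, then both derivations from it."""
    pmk = derive_pmk(psk, essid)
    return pmkid_from_pmk(pmk, mac_ap, mac_sta), kck_from_pmk(pmk, mac_ap, mac_sta, anonce, snonce)


# Constructed placeholders (not from any capture).
MAC_AP = bytes.fromhex("020000000001")
MAC_STA = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmkid, kck = derive_both("password", "IEEE", MAC_AP, MAC_STA, ANONCE, SNONCE)
    print("PMK  :", derive_pmk("password", "IEEE").hex())
    print("PMKID:", pmkid.hex())
    print("KCK  :", kck.hex())
```

Because every candidate costs one PBKDF2 and then only a handful of HMACs, keeping a PMKID entry and an EAPOL entry for the same ESSID in one 22000 hashlist means the expensive step is shared between them; two separate 16800 and 2500 runs would each repeat it.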
Thanks a lot.

Just bought a T2UH dongle, do you have any experience with it? What driver do you recommend for installing on a Raspberry?

Cheers.
Reply
The TP-LINK Archer T2UH is working out of the box running kernel >= 4.19 and no additional drivers are necessary.

$ lsusb
ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter

Running a kernel < 5.5.2, the interface name is wlanX because the patch for this issue isn't backported yet.
https://bugzilla.kernel.org/show_bug.cgi?id=205305

Running kernel 5.5.2, the interface name is correct:
$ uname -r
5.5.2-arch1-1

$ hcxdumptool -I
wlan interfaces:
503eaaa08f6f wlp39s0f3u3u1u2 (mt76x0u)

The content of the dump file (Raspberry Pi Zero) is as expected:
Code:
$ hcxpcapngtool 202002041459.pcapng
summary capture file
--------------------
file name................................: 202002041459.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 4.19.97-1-ARCH
application..............................: hcxdumptool 6.0.1
interface name...........................: wlan0
interface vendor.........................: 503eaa
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 980ee4769225 (incremented on every new client)
MAC CLIENT...............................: c8aacc13c229
REPLAYCOUNT..............................: 64335
ANONCE...................................: e4afe682bee0da2829e8780800e720e001ce7af840ad3401904a2e2e36a3685b
SNONCE...................................: aec9e891edf4da663b6dc3a563f5d185916751b8d99a555de98852ad95d585e8
timestamp minimum (GMT)..................: 04.02.2020 14:59:15
timestamp maximum (GMT)..................: 04.02.2020 15:00:18
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 128
BEACON (total)...........................: 7
PROBERESONSE.............................: 6
AUTHENTICATION (total)...................: 4
AUTHENTICATION (OPEN SYSTEM).............: 4
EAPOL messages (total)...................: 107
EAPOL RSN messages.......................: 107
ESSID (total unique).....................: 7
EAPOL M1 messages........................: 107
PMKID (total)............................: 24
PMKID (best).............................: 1

The content of a dump file, running kernel 5.5.2 on an INTEL system is as expected, too:
Code:
$ hcxpcapngtool *.pcapng
reading from 202002081140.pcapng...

summary capture file
--------------------
file name................................: 202002081140.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.5.2-arch1-1
application..............................: hcxdumptool 6.0.1
interface name...........................: wlp0s20f0u3
interface vendor.........................: 503eaa
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 0086a0a67e30 (incremented on every new client)
MAC CLIENT...............................: dc7014286317
REPLAYCOUNT..............................: 63641
ANONCE...................................: 0f7bbac2bec9a7e9a5d23aafeba8f66f67625f1147b241e5bd27789165920be0
SNONCE...................................: 165df36ea2156576a14040190eadd1856aa1251edaee1ce6b87857e4b9db0372
timestamp minimum (GMT)..................: 08.02.2020 11:50:51
timestamp maximum (GMT)..................: 08.02.2020 11:50:58
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 413
BEACON (total)...........................: 34
PROBEREQUEST.............................: 6
PROBERESONSE.............................: 29
AUTHENTICATION (total)...................: 24
AUTHENTICATION (OPEN SYSTEM).............: 24
REASSOCIATIONREQUEST (total).............: 1
REASSOCIATIONREQUEST (PSK)...............: 1
EAPOL messages (total)...................: 301
EAPOL RSN messages.......................: 301
ESSID (total unique).....................: 31
EAPOL M1 messages........................: 301
PMKID (total)............................: 86
PMKID (useless)..........................: 19
PMKID (best).............................: 5


Not working on AMD RYZEN systems if connected to a USB 3 port, because of this kernel issue:
https://bugzilla.kernel.org/show_bug.cgi?id=202541
Code:
[16300.890097] mt76x0u 5-3.1.2:1.0: ASIC revision: 76100002 MAC revision: 76502000
[16301.239555] mt76x0u 5-3.1.2:1.0: EEPROM ver:02 fae:01
[16301.578393] ieee80211 phy6: Selected rate control algorithm 'minstrel_ht'
[16301.595805] mt76x0u 5-3.1.2:1.0 wlp39s0f3u3u1u2: renamed from wlan0
[16316.881303] device wlp39s0f3u3u1u2 entered promiscuous mode
[16316.881347] audit: type=1700 audit(1581158632.980:189): dev=wlp39s0f3u3u1u2 prom=256 old_prom=0 auid=1000 uid=0 gid=0 ses=2
[16316.882150] mt76x0u 5-3.1.2:1.0: tx urb failed: -71
[16316.882187] mt76u_complete_rx: 1989 callbacks suppressed
[16316.882190] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882227] mt76x0u 5-3.1.2:1.0: tx urb failed: -71
[16316.882267] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882346] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882426] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882505] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882586] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882666] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882745] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882825] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882905] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.911559] usb 5-3.1.2: USB disconnect, device number 8
[16316.911980] xhci_hcd 0000:27:00.3: WARN Cannot submit Set TR Deq Ptr
[16316.911982] xhci_hcd 0000:27:00.3: A Set TR Deq Ptr command is pending.
[16316.921294] mt76x0u 5-3.1.2:1.0: mac specific condition occurred
[16316.948240] device wlp39s0f3u3u1u2 left promiscuous mode
Reply
(02-08-2020, 12:56 PM)ZerBea Wrote: The TP-LINK Archer T2UH is working out of the box running kernel >= 4.19 and no additional drivers are necessary.

$ lsusb
ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter

Running a kernel < 5.5.2, the interface name is wlanX because the patch for this issue isn't backported yet.
https://bugzilla.kernel.org/show_bug.cgi?id=205305

Running kernel 5.5.2, the interface name is correct:
$ uname -r
5.5.2-arch1-1

$ hcxdumptool -I
wlan interfaces:
503eaaa08f6f wlp39s0f3u3u1u2 (mt76x0u)

The content of the dump file (Raspberry Pi Zero) is as expected:
Code:
$ hcxpcapngtool 202002041459.pcapng
summary capture file
--------------------
file name................................: 202002041459.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 4.19.97-1-ARCH
application..............................: hcxdumptool 6.0.1
interface name...........................: wlan0
interface vendor.........................: 503eaa
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 980ee4769225 (incremented on every new client)
MAC CLIENT...............................: c8aacc13c229
REPLAYCOUNT..............................: 64335
ANONCE...................................: e4afe682bee0da2829e8780800e720e001ce7af840ad3401904a2e2e36a3685b
SNONCE...................................: aec9e891edf4da663b6dc3a563f5d185916751b8d99a555de98852ad95d585e8
timestamp minimum (GMT)..................: 04.02.2020 14:59:15
timestamp maximum (GMT)..................: 04.02.2020 15:00:18
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 128
BEACON (total)...........................: 7
PROBERESONSE.............................: 6
AUTHENTICATION (total)...................: 4
AUTHENTICATION (OPEN SYSTEM).............: 4
EAPOL messages (total)...................: 107
EAPOL RSN messages.......................: 107
ESSID (total unique).....................: 7
EAPOL M1 messages........................: 107
PMKID (total)............................: 24
PMKID (best).............................: 1

The content of a dump file, running kernel 5.5.2 on an INTEL system is as expected, too:
Code:
$ hcxpcapngtool *.pcapng
reading from 202002081140.pcapng...

summary capture file
--------------------
file name................................: 202002081140.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.5.2-arch1-1
application..............................: hcxdumptool 6.0.1
interface name...........................: wlp0s20f0u3
interface vendor.........................: 503eaa
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 0086a0a67e30 (incremented on every new client)
MAC CLIENT...............................: dc7014286317
REPLAYCOUNT..............................: 63641
ANONCE...................................: 0f7bbac2bec9a7e9a5d23aafeba8f66f67625f1147b241e5bd27789165920be0
SNONCE...................................: 165df36ea2156576a14040190eadd1856aa1251edaee1ce6b87857e4b9db0372
timestamp minimum (GMT)..................: 08.02.2020 11:50:51
timestamp maximum (GMT)..................: 08.02.2020 11:50:58
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 413
BEACON (total)...........................: 34
PROBEREQUEST.............................: 6
PROBERESONSE.............................: 29
AUTHENTICATION (total)...................: 24
AUTHENTICATION (OPEN SYSTEM).............: 24
REASSOCIATIONREQUEST (total).............: 1
REASSOCIATIONREQUEST (PSK)...............: 1
EAPOL messages (total)...................: 301
EAPOL RSN messages.......................: 301
ESSID (total unique).....................: 31
EAPOL M1 messages........................: 301
PMKID (total)............................: 86
PMKID (useless)..........................: 19
PMKID (best).............................: 5


Not working on AMD RYZEN systems if connected to a USB 3 port, because of this kernel issue:
https://bugzilla.kernel.org/show_bug.cgi?id=202541
Code:
[16300.890097] mt76x0u 5-3.1.2:1.0: ASIC revision: 76100002 MAC revision: 76502000
[16301.239555] mt76x0u 5-3.1.2:1.0: EEPROM ver:02 fae:01
[16301.578393] ieee80211 phy6: Selected rate control algorithm 'minstrel_ht'
[16301.595805] mt76x0u 5-3.1.2:1.0 wlp39s0f3u3u1u2: renamed from wlan0
[16316.881303] device wlp39s0f3u3u1u2 entered promiscuous mode
[16316.881347] audit: type=1700 audit(1581158632.980:189): dev=wlp39s0f3u3u1u2 prom=256 old_prom=0 auid=1000 uid=0 gid=0 ses=2
[16316.882150] mt76x0u 5-3.1.2:1.0: tx urb failed: -71
[16316.882187] mt76u_complete_rx: 1989 callbacks suppressed
[16316.882190] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882227] mt76x0u 5-3.1.2:1.0: tx urb failed: -71
[16316.882267] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882346] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882426] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882505] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882586] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882666] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882745] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882825] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.882905] mt76x0u 5-3.1.2:1.0: rx urb failed: -71
[16316.911559] usb 5-3.1.2: USB disconnect, device number 8
[16316.911980] xhci_hcd 0000:27:00.3: WARN Cannot submit Set TR Deq Ptr
[16316.911982] xhci_hcd 0000:27:00.3: A Set TR Deq Ptr command is pending.
[16316.921294] mt76x0u 5-3.1.2:1.0: mac specific condition occurred
[16316.948240] device wlp39s0f3u3u1u2 left promiscuous mode

Thanks, something must be missing. What I got:

root@raspberrypi:/home/pi# lsusb
Bus 001 Device 004: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter

root@raspberrypi:/home/pi# iwconfig
eth0      no wireless extensions.
lo        no wireless extensions.

root@raspberrypi:/home/pi# uname -r
4.19.97-v7+
Reply
linux-firmware installed?

Files list for linux-firmware:
usr/lib/firmware/mediatek/
usr/lib/firmware/mediatek/mt7610e.bin
usr/lib/firmware/mediatek/mt7610u.bin
usr/lib/firmware/mediatek/mt7615_cr4.bin
usr/lib/firmware/mediatek/mt7615_n9.bin
usr/lib/firmware/mediatek/mt7615_rom_patch.bin
usr/lib/firmware/mediatek/mt7622pr2h.bin
usr/lib/firmware/mediatek/mt7650e.bin
usr/lib/firmware/mediatek/mt7662u.bin
usr/lib/firmware/mediatek/mt7662u_rom_patch.bin
usr/lib/firmware/mediatek/mt7668pr2h.bin

Overview of all included firmware files:
https://www.archlinux.org/packages/core/...are/files/
Reply
Hi ZerBea,

Thank you very much for your wonderful tools

Noob question here:

Is there any way we can extract serial numbers, router/device information, and other AP information from PMKID & HCCAPX?

Thanks in advance!
Reply
This information is only available in an original(!) and uncleaned(!) dump file (cap/pcap/pcapng format).
A single BEACON and a single M1 (with PMKID) or a single message pair (M1M2, M2M3, M3M4 not zeroed SNONCE, M1M4 not zeroed SNONCE) is far from enough to retrieve all this information!
From my analysis of dump files submitted to wpa-sec, I noticed many dump files which don't contain important frames. Either these frames are not stored by the dump tool or they have been removed/cleaned by the submitter. That will make it hard to recover the PSK.
tshark is a very good tool to retrieve all information on the command line. If you prefer a GUI, you can use Wireshark.

Hash formats 1680x and 250x (hccapx) only contain the pure information required to recover the PSK.

BTW:
An example of what you're missing on a cleaned dump file or a dump file which doesn't contain these frames is here:
https://hashcat.net/forum/thread-6661-po...l#pid47500

1680x and 250x will be deprecated as soon as hashcat 6.0.0 is released.
The successor is the new hashline/hashmode 22000, which gives you the full advantage of reusing PBKDF2 across PMKID and EAPOL.
Reply