hashcat Forum Misc User Contributions v
hcxtools - solution for capturing wlan traffic and conversion to hashcat formats

Threaded Mode
hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
ZerBea Offline
Moderator
*****
Posts: 1,042
Threads: 2
Joined: Jun 2017
#621
03-27-2020, 07:41 PM (This post was last modified: 03-27-2020, 07:48 PM by ZerBea.)
hcxhashtool will do the job:

get example hash (22000) from here:
https://hashcat.net/wiki/doku.php?id=example_hashes

and run hcxhashtool to retrieve information
Code:
$ hcxhashtool -i example.22000 --info=stdout
SSID.......: hashcat-essid
MAC_AP.....: fc690c158264 (unknown)
MAC_CLIENT.: f4747f87f9f4 (unknown)
PMKID......: 4d4fe7aac3a2cecab195321ceb99a7d0
HASHLINE...: WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***


OUI information file...: /home/zerobeat/.hcxtools/oui.txt
OUI entires............: 27383
total lines read.......: 1
valid hash lines.......: 1
PMKID hash lines.......: 1
PMKID written..........: 1
MAC_AP and MAC_CLIENT are marked as unknown, because example hash is synthetic

The same applies to EAPOL hash lines
Get example (2500) from here:
https://hashcat.net/wiki/doku.php?id=example_hashes
and convert it from 2500 to 22000
$ hcxmactool --hccapxin=hashcat.hccapx --pmkideapolout=example2.22000

now run hcxhastool to retrieve information about the hash
Code:
$ hcxhashtool -i example2.22000 --info=stdout
SSID.......: 8381533406003807685881523
MAC_AP.....: aef50f22801c (unknown)
MAC_CLIENT.: 987bdcf9f950 (unknown)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA1
REPLAYCOUNT: 1
RC INFO....: replycount checked
MP M1M2 E2.: not authorized
MIC........: dd380bd54bc9c316dce31562c22c87d1
HASHLINE...: WPA*02*dd380bd54bc9c316dce31562c22c87d1*aef50f22801c*987bdcf9f950*38333831353333343036303033383037363835383831353233*1e33f3eca3a1f2216a52b60c87191e7473ac54ecb023ac5989becf1e3c7e4509*01030077fe010900200000000000000001faf192b205d47b81f43f91f850c81976da019e00722f3958370692ab0562f70b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*00


OUI information file...: /home/zerobeat/.hcxtools/oui.txt
OUI entires............: 27383
total lines read.......: 1
valid hash lines.......: 1
EAPOL hash lines.......: 1
EAPOL written..........: 1
MAC_AP and MAC_CLIENT are marked as unknown, because example hash is synthetic

Addditional you you have several options to manage the records of the hasfile:
Code:
$ hcxhashtool -h
hcxhashtool 6.0.0 (C) 2020 ZeroBeat
usage:
hcxhashtool <options>

options:
-i <file>   : input PMKID/EAPOL hash file
-o <file>   : output PMKID/EAPOL hash file
-E <file>   : output ESSID list (autohex enabled)
-d          : download http://standards-oui.ieee.org/oui.txt
            : and save to ~/.hcxtools/oui.txt
            : internet connection required
-h          : show this help
-v          : show version

--essid-group                : convert to ESSID groups in working directory
                               full advantage of reuse of PBKDF2
                               not on old hash formats
--oui-group                  : convert to OUI groups in working directory
                               not on old hash formats
--mac-group-ap               : convert APs to MAC groups in working directory
                               not on old hash formats
--mac-group-client           : convert CLIENTs to MAC groups in working directory
                               not on old hash formats
--type                       : filter by hash type
                             : default PMKID (1) and EAPOL (2)
--essid-len                  : filter by ESSID length
                             : default ESSID length: 0...32
--essid-min                  : filter by ESSID minimum length
                             : default ESSID minimum length: 0
--essid-max                  : filter by ESSID maximum length
                             : default ESSID maximum length: 32
--essid=<ESSID>              : filter by ESSID
--essid-part=<part of ESSID> : filter by part of ESSID
--mac-ap=<MAC>               : filter AP by MAC
                             : format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--mac-client=<MAC>           : filter CLIENT by MAC
                             : format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--oui-ap=<OUI>               : filter AP by OUI
                             : format: 001122, 00:11:22, 00-11-22 (hex)
--oui-client=<OUI>           : filter CLIENT by OUI
                             : format: 001122, 00:11:22, 00-11-22 (hex)
--vendor=<VENDOR>            : filter by (part of) VENDOR name
--authorized                 : filter EAPOL pairs by status authorized
--notauthorized              : filter EAPOL pairs by status not authorized
--rc                         : filter EAPOL pairs by replaycount status checked
--apless                     : filter EAPOL pairs by status M1M2ROGUE (M2 requested from CLIENT)
--info=<file>                : output detailed information about content of hash file
--info=stdout                : stdout output detailed information about content of hash file
--vendorlist                 : stdout output VENDOR list sorted by OUI
--psk=<PSK>                  : pre-shared key to test
                             : due to PBKDF2 calculation this is a very slow process
                             : no nonce error corrections
--pmk=<PMK>                  : plain master key to test
                             : no nonce error corrections
--hccapx=<file>              : output to deprecated hccapx file
--hccap=<file>               : output to ancient hccap file
--hccap-single               : output to ancient hccap single files (MAC + count)
--john=<file>                : output to deprecated john file
--help                       : show this help
--version                    : show version
Find
Reply
strike1953 Offline
Member
***
Posts: 58
Threads: 1
Joined: Oct 2017
#622
03-27-2020, 09:18 PM (This post was last modified: 03-27-2020, 09:26 PM by strike1953.)
(01-19-2020, 01:59 PM)ZerBea Wrote: There is no need to run hcxtools on the new hashline format. Nearly every bash cmd is working on the new hashline:

e.g. running a simple bash line will give you the ESSID in ASCII format:
cat test.22000 | awk 'BEGIN { FS = "*" } ; { print $6 }' | perl -pe 's/(..)/chr(hex($1))/ge'

I need to add the corresponding mac to each essid and thus be able to see the content of a multiple capture the essid with mac
Find
Reply
ZerBea Offline
Moderator
*****
Posts: 1,042
Threads: 2
Joined: Jun 2017
#623
03-27-2020, 09:53 PM (This post was last modified: 03-27-2020, 09:55 PM by ZerBea.)
can be done by bash scripts, too.

Quick and dirty solution:
Code:
#!/bin/bash

while read -r line;
do
    printf $line | awk 'BEGIN { FS = "*" } ; { printf $4 ":" }'
    printf $line | awk 'BEGIN { FS = "*" } ; { print $6 }' | perl -pe 's/(..)/chr(hex($1))/ge'
done < example2.22000

will print:
Code:
aef50f22801c:8381533406003807685881523

That is the real advantage of the new hash line. You can do everything, running bash commands (pearl, python, or what ever you want).

https://www.tutorialspoint.com/awk/index.htm
https://www.tutorialspoint.com/perl/index.htm
https://www.tutorialspoint.com/unix_commands/bash.htm
Find
Reply
strike1953 Offline
Member
***
Posts: 58
Threads: 1
Joined: Oct 2017
#624
03-27-2020, 10:02 PM
Thank you very much!
Find
Reply
strike1953 Offline
Member
***
Posts: 58
Threads: 1
Joined: Oct 2017
#625
04-07-2020, 07:39 PM (This post was last modified: 04-07-2020, 07:39 PM by strike1953.)
Hi ZerBea
hcxdumptool, how to attack a specific ap

Thank you
Find
Reply
ZerBea Offline
Moderator
*****
Posts: 1,042
Threads: 2
Joined: Jun 2017
#626
04-07-2020, 08:11 PM (This post was last modified: 04-07-2020, 08:11 PM by ZerBea.)
Hi strike1953.
2 ways:
less strict: add MAC_AP to filterlist.txt
hcxdumptool --filterlist_ap=filterlist.txt --filtermode=2 ...

strict: create bpfc
Code:
$ hcxdumptool -m <interface>
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 -ddd > attack.bpf
add pbfc
hcxdumptool --bpfc=attack.bpf ...
Find
Reply
strike1953 Offline
Member
***
Posts: 58
Threads: 1
Joined: Oct 2017
#627
04-07-2020, 11:10 PM
Thank you
Find
Reply
ZerBea Offline
Moderator
*****
Posts: 1,042
Threads: 2
Joined: Jun 2017
#628
04-08-2020, 08:07 AM (This post was last modified: 04-08-2020, 08:25 AM by ZerBea.)
Difference between the two methods:
filtermode:
all CLIENTs handled (inclusive the ones running MAC randomization)
bpfc:
limited to CLIENTs connected to the AP.
you will receive a warning (hcxpcapngtool: missing frames) if you convert this pcapng file because undirected PROPEREQUESTs are filtered out.
Find
Reply
WPA_Catcher Offline
Junior Member
**
Posts: 42
Threads: 3
Joined: Jan 2020
#629
05-11-2020, 05:58 PM
Hi ZerBea

I have just popped back to this forum to let you know I am still keenly watching you work on github. I have to say a huge thanks to you for sharing your awesome wifi tools. I am still using the convert to vintage hccap tool you kindly made for me, which is working well.

The more I learn the more impressed I am with hcx-anything. You seem to have thought of everything well in advance of any feature requests and your code looks.... err ...beautiful.

I am so grateful for you sharing your tools and I hope you continue to optimise your code, you have not only made the best set of wifi tools but you seem to now be concentrating on making the code aesthetically pleasing too.

Good luck with all you do and thanks again. I will get back on this forum when time permits.
Find
Reply
ZerBea Offline
Moderator
*****
Posts: 1,042
Threads: 2
Joined: Jun 2017
#630
05-12-2020, 12:33 PM
Nice to hear that. Thanks.
Find
Reply