hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi, ZerBea!
Merry Christmas and all the best for the coming 2022.
It seems the last hcxdumptool commit is causing a segmentation fault.
Probably today's commit. Previous worked Ok.
Tested on the latest version of Arch Linux.
It's enough to run hcxdumptool -i wlan0 --check_driver
ath9k_htc in my case.
Reply
Thanks for reporting that issue.
More changes than expected were needed to detect the frequency by the decimal places. That included a nasty copy and paste error.
It should be fixed by this commit:
https://github.com/ZerBea/hcxdumptool/co...0df4471471

Code:
$ lsusb
Bus 005 Device 028: ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n

$ sudo hcxdumptool -I
wlan interfaces:
f81a67178a73 wlp39s0f3u1u1u1 (ath9k_htc)

$ sudo hcxdumptool -i wlp39s0f3u1u1u1 --check_driver
initialization of hcxdumptool 6.2.5-25-ga62a745...
starting driver test...
driver tests passed...
all required ioctl() system calls are supported by driver

terminating...

$ sudo hcxdumptool -i wlp39s0f3u1u1u1 -C
initialization of hcxdumptool 6.2.5-25-ga62a745...
wlp39s0f3u1u1u1 available frequencies, channels and tx power reported by driver:
2412MHz   1 (20 dBm)
2417MHz   2 (20 dBm)
2422MHz   3 (20 dBm)
2427MHz   4 (20 dBm)
2432MHz   5 (20 dBm)
2437MHz   6 (20 dBm)
2442MHz   7 (20 dBm)
2447MHz   8 (20 dBm)
2452MHz   9 (20 dBm)
2457MHz  10 (20 dBm)
2462MHz  11 (20 dBm)
2467MHz  12 (20 dBm)
2472MHz  13 (20 dBm)
2484MHz  14 (20 dBm)

terminating...

Have a good start into 2022 and a happy new year.
See you again in 2022.
Reply
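The frequency table that `-C` prints above is a good thing to sanity-check after a fix in the frequency-detection code. The following is an added example (my own code, not part of hcxdumptool) that parses that table and cross-checks every reported channel number against the channel derived from the centre frequency, using the standard 802.11 spacing (2.4 GHz: 2412 MHz is channel 1 with 5 MHz steps, 2484 MHz is channel 14; 5 GHz: channel = (freq - 5000) / 5). The sample text is a constructed excerpt of the output quoted in the post.

```python
"""Parse the 'available frequencies, channels and tx power' table printed by
hcxdumptool -C and flag rows whose channel disagrees with the frequency.
Added example; not hcxdumptool code."""
import re
from typing import List, NamedTuple, Optional


class ChannelEntry(NamedTuple):
    freq_mhz: int
    channel: int
    tx_power_dbm: int


# Constructed sample: an excerpt of the ath9k_htc table quoted in the thread.
SAMPLE_OUTPUT = """\
wlp39s0f3u1u1u1 available frequencies, channels and tx power reported by driver:
2412MHz   1 (20 dBm)
2417MHz   2 (20 dBm)
2437MHz   6 (20 dBm)
2472MHz  13 (20 dBm)
2484MHz  14 (20 dBm)

terminating...
"""

# One table row: "<freq>MHz  <channel> (<power> dBm)"
LINE_RE = re.compile(r"^\s*(\d+)MHz\s+(\d+)\s+\((\d+) dBm\)\s*$")


def parse_channel_table(text: str) -> List[ChannelEntry]:
    """Return the (frequency, channel, tx power) rows; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(ChannelEntry(int(m.group(1)), int(m.group(2)), int(m.group(3))))
    return entries


def frequency_to_channel(freq_mhz: int) -> Optional[int]:
    """802.11 channel number for a centre frequency in MHz, or None if the
    frequency is not on the standard 2.4 GHz or 5 GHz channel grid."""
    if freq_mhz == 2484:                      # channel 14 is the odd one out
        return 14
    if 2412 <= freq_mhz <= 2472 and (freq_mhz - 2412) % 5 == 0:
        return (freq_mhz - 2407) // 5         # channels 1..13, 5 MHz apart
    if 5000 < freq_mhz < 6000 and freq_mhz % 5 == 0:
        return (freq_mhz - 5000) // 5         # 5 GHz band
    return None


def inconsistent_rows(entries: List[ChannelEntry]) -> List[ChannelEntry]:
    """Rows where the driver-reported channel does not match the frequency."""
    return [e for e in entries if frequency_to_channel(e.freq_mhz) != e.channel]


if __name__ == "__main__":
    rows = parse_channel_table(SAMPLE_OUTPUT)
    print(f"{len(rows)} channels parsed, {len(inconsistent_rows(rows))} inconsistent")
```

Paste the real `-C` output into `SAMPLE_OUTPUT` (or read it from a file) and an empty `inconsistent_rows()` result means the driver's channel numbering and the frequencies agree.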
I found that probably the easiest way for newbies to run hcxdumptool/hcxtools in Arch Linux is to use the Live USB.
Perhaps this should be mentioned in the README.md
https://wiki.archlinux.org/title/USB_fla...ion_medium

The Live USB includes Midnight Commander, which makes it easy to use the CLI. Simply type mc.
After booting, I already have Ethernet configured and working, and can use the iwctl utility for WiFi.
Then
pacman -Sy
pacman -S hcxdumptool
You have installed hcxdumptool. Unfortunately, not the most recent version.

To install the latest version:
pacman -R hcxdumptool
pacman -S git make pkg-config gcc
Then follow the instructions on https://github.com/ZerBea/hcxdumptool
git clone https://github.com/ZerBea/hcxdumptool.git
cd hcxdumptool
make
make install
You have installed the most recent version!

BTW, do you have any idea why Hashcat v6.2.5 is slower than v5.1.0 in my case?
Please see here
https://hashcat.net/forum/thread-10548.html
Reply
I have no idea why v6.2.5 is slower in your case.
Regarding my systems (GTX1060 and GTX1080Ti) everything is working as expected. Both cards are downclocked, because I neither run big word lists nor big masks or excessive rules. Mostly "Util" is only at 50% because I use hcxtools only to feed hashcat.
Code:
$ uname -r
5.15.12-arch1-1

$ pacman -Q | grep nvidia
nvidia 495.46-6
nvidia-settings 495.46-2
nvidia-utils 495.46-1
opencl-nvidia 495.46-1

$ pacman -Q | grep cuda
cuda 11.5.1-1

$ hashcat --version
v6.2.5-79-g656ed048f

BTW:
No need to mention that Arch is providing a live system, because nearly every distribution is doing that.
Arch provides the latest tested version of hcxdumptool, hcxtools and hcxkeys.
Whenever I release a new version, I flag the old one out, e.g.:
https://archlinux.org/packages/?q=hcxtools
Reply
Hello community,

I see from the manual that hcxpsktool can get weak PSK candidates. Forgive me for asking what may seem elementary, but can someone show an example of this? I have tried the following command on a .hc22000 file converted by hcxpcapngtool

hcxpsktool --weakpass  -o pskoutput -i test.hc22000

The 'pskoutput' file then contains a long list of strings. How do I leverage this info? What am I missing here?

Thanks
LL
Reply
hcxpsktool calculates default key spaces based on ESSID, BSSID and analysis of wpa-sec submissions:
https://wpa-sec.stanev.org/

In contrast to RouterKeyGen, which calculates a single PSK
https://github.com/routerkeygen
it calculates a range of possible PSKs to feed hashcat with.

hcxpsktool is the missing tool between hashcat rule option and hashcat mask option. It is similar to hashcat's new -a9 option (calculate a word list based on the target):
https://hashcat.net/forum/thread-9534-po...l#pid54596

BTW: Your command line is not correct, because -i expects a binary hccapx file as input while -c expects hc22000 files.

You can pipe the calculated PSKs directly to hashcat or write them to a word list file (-o option), e.g.:
Code:
$ hcxpsktool --weakpass | hashcat -m 22000 test.hc22000
That will calculate a list of known weak default PSKs (retrieved by analysis of wpa-sec results).

Code:
$ hcxpsktool --maconly -c test.hc22000 | hashcat -m 22000 test.hc22000
This will calculate PSKs based on the BSSID.

Code:
$ hcxpsktool -c test.hc22000 | hashcat -m 22000 test.hc22000
This will calculate PSKs based on the ESSID and BSSID.

Code:
$ hcxpsktool --netgear | hashcat -m 22000 test.hc22000
This will calculate PSKs for NETGEARxx routers.

example using -o output (useful in combination with hashcat checkpoint request and --session --restore in case of big PSK files):
Code:
$ hcxpsktool --netgear -o wordlist
$ hashcat -m 22000 test.hc22000 wordlist

You can cascade all options (see --help for all options).

To increase hashcat speed (in case of big hc22000 files), I recommend filtering the hc22000 files with hcxhashtool (tailored to the target) before calculating PSK lists.
That will keep the list small.
Reply
Dear ZerBea,

Thank you for taking the time to delineate such a clear and detailed explanation; I truly appreciate it!

For fun and perhaps quick linking to a legacy tool, is there a way to pull a targeted *.cap file from a *.hc22000 file?

Many thanks
LL
Reply
Yes, hcxhash2cap will do this:
Code:
$ hcxhash2cap -h
hcxhash2cap 6.2.5-8-gbb72f57 (C) 2021 ZeroBeat
usage:
hcxhash2cap <options>

options:
-c <file> : output cap file
            if no cap file is selected, output will be written to single cap files
            format: mac_sta.cap (mac_sta.cap_x)
-h       : show this help
-v       : show version

--pmkid-eapol=<file> : input PMKID EAPOL (22000) combi hash file
--pmkid=<file>       : input deprecated PMKID (16800) hash file
--hccapx=<file>      : input deprecated hccapx (2500) hash file
--hccap=<file>       : input ancient hccap (2500) file
--john=<file>        : input John the Ripper WPAPSK hash file
--help              : show this help
--version           : show version

Please note that it is not flawless. EAPOL MESSAGEPAIRs M2M3 (where EAPOL is taken from M3) can't be converted back to a cap file!
Reply
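Two points in the replies above depend on what is actually inside a hc22000 line: hcxpsktool derives its ESSID- and BSSID-based candidates from those fields (and hcxhashtool is recommended for trimming the file to one target first), and hcxhash2cap cannot convert an M2M3 entry whose EAPOL was taken from M3. The following is an added example (my own code, not hcxtools, hcxhashtool or hcxhash2cap code) that parses hashcat's 22000 line format `WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_STA*ESSID(hex)*ANONCE*EAPOL*MESSAGEPAIR`, validates the fixed-width fields, filters entries by ESSID or BSSID the way a target-tailored file would look, lists the distinct (ESSID, BSSID) pairs that PSK generation works from, and flags the M2M3/M3 entries. The hash lines are constructed sample data; only the low three bits of MESSAGEPAIR (hashcat's message-pair encoding) are interpreted, the flag bits above them are left alone.

```python
"""Parse, validate and filter hashcat 22000 (PMKID/EAPOL) hash lines.
Added example; not part of hcxtools."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Low three bits of MESSAGEPAIR in hashcat's encoding. Higher bits are flags
# this example does not interpret.
MESSAGE_PAIR_NAMES = {
    0: "M1M2, EAPOL from M2",
    1: "M1M4, EAPOL from M4",
    2: "M2M3, EAPOL from M2",
    3: "M2M3, EAPOL from M3",
    4: "M3M4, EAPOL from M3",
    5: "M3M4, EAPOL from M4",
}

HEX_DIGITS = set("0123456789abcdef")

# Constructed sample file: one PMKID and one EAPOL entry for "homenet", plus an
# EAPOL entry for a second network. MACs, PMKID/MIC, nonce and EAPOL are dummies.
_ESSID1 = "homenet".encode().hex()
_ESSID2 = "NETGEAR12".encode().hex()
SAMPLE_HC22000 = "\n".join([
    "WPA*01*" + "a1" * 16 + "*c83a35000001*0013ef000001*" + _ESSID1 + "***",
    "WPA*02*" + "b2" * 16 + "*c83a35000001*0013ef000001*" + _ESSID1
        + "*" + "c3" * 32 + "*" + "0103005f02" + "00" * 90 + "*03",
    "WPA*02*" + "d4" * 16 + "*a040a0000002*0013ef000002*" + _ESSID2
        + "*" + "e5" * 32 + "*" + "0103005f02" + "00" * 90 + "*00",
])


@dataclass
class Hash22000:
    hash_type: int              # 1 = PMKID, 2 = EAPOL
    key: str                    # PMKID or MIC, 32 hex chars
    mac_ap: str                 # BSSID, 12 hex chars
    mac_sta: str                # client MAC, 12 hex chars
    essid: str                  # decoded from the hex field
    anonce: str
    eapol: str
    message_pair: Optional[int]  # None for PMKID entries


def _check_hex(name: str, value: str, length: int, line: str) -> None:
    if len(value) != length or not set(value) <= HEX_DIGITS:
        raise ValueError(f"bad {name} field in {line!r}")


def parse_hc22000_line(line: str) -> Hash22000:
    """Parse one 22000 line; raise ValueError on anything malformed."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError(f"not a 22000 line: {line!r}")
    hash_type = int(fields[1], 16)
    if hash_type not in (1, 2):
        raise ValueError(f"unknown TYPE {fields[1]} in {line!r}")
    key, mac_ap, mac_sta = fields[2].lower(), fields[3].lower(), fields[4].lower()
    _check_hex("PMKID/MIC", key, 32, line)
    _check_hex("MAC_AP", mac_ap, 12, line)
    _check_hex("MAC_STA", mac_sta, 12, line)
    essid = bytes.fromhex(fields[5]).decode("utf-8", errors="replace")
    message_pair = int(fields[8], 16) if hash_type == 2 else None
    return Hash22000(hash_type, key, mac_ap, mac_sta, essid, fields[6], fields[7], message_pair)


def parse_hc22000(text: str) -> List[Hash22000]:
    return [parse_hc22000_line(ln) for ln in text.splitlines() if ln.strip()]


def filter_by_target(entries: List[Hash22000], essid: Optional[str] = None,
                     bssid: Optional[str] = None) -> List[Hash22000]:
    """Keep only the hashes of one network (ESSID and/or BSSID, colons allowed)."""
    wanted = bssid.replace(":", "").lower() if bssid else None
    return [e for e in entries
            if (essid is None or e.essid == essid)
            and (wanted is None or e.mac_ap == wanted)]


def psk_inputs(entries: List[Hash22000]) -> List[Tuple[str, str]]:
    """Distinct (ESSID, BSSID) pairs: the fields ESSID/BSSID-based PSK candidates are built from."""
    seen: List[Tuple[str, str]] = []
    for e in entries:
        pair = (e.essid, e.mac_ap)
        if pair not in seen:
            seen.append(pair)
    return seen


def message_pair_name(entry: Hash22000) -> str:
    if entry.message_pair is None:
        return "PMKID (no handshake)"
    return MESSAGE_PAIR_NAMES.get(entry.message_pair & 0x07, "unknown")


def eapol_taken_from_m3(entry: Hash22000) -> bool:
    """True for M2M3 entries whose EAPOL came from M3 (low bits 011), the case
    the thread says hcxhash2cap cannot turn back into a cap file."""
    return entry.message_pair is not None and (entry.message_pair & 0x07) == 3


if __name__ == "__main__":
    for e in parse_hc22000(SAMPLE_HC22000):
        flag = " (not convertible to cap)" if eapol_taken_from_m3(e) else ""
        print(f"{e.essid:<12} {e.mac_ap} {message_pair_name(e)}{flag}")
```

Running the parser over a real hc22000 file before `hcxpsktool -c` shows which ESSIDs and BSSIDs the candidate list will be derived from, and which entries hcxhash2cap will refuse to convert.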
Excellent video on how to use hcxdumptool -> hcxtools -> hashcat in practice (especially for beginners running K A L I):
https://davidbombal.com/wifi-wpa-wpa2-cr...xdumptool/
It describes how to install the tools (by apt and by git) and how to use them.
This is one of the best video tutorials I've ever seen!
Reply
I have been using this tool since the beginning, intermittently. The default settings are noisy. Weird that I have to disable noisy attacks manually. Deauthentication as default is weirdest. At least there is the --silent option.
Thanks for making this tool.
P.S. -h -> "do not run hcxdumtool on virtual machines or emulators" -> Missing "p".
Just saying.
Reply