hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hello, sorry for the newbie question but im looking to buy a laptop with a RTL8723BE 802.11 bgn wifi adapter. How can i know if hcxdumptool will work with its drivers?
Reply
From README.md section Adapter: https://github.com/ZerBea/hcxdumptool
"Not recommended WiFi chipsets (Broadcom, Intel, Realtek and Atheros), especially"

RTL8723BE == Realtek chipset.
Reply
Hey,

I really love your tools and had some great success with it. You really set a new standard for wifi-sec auditing!
But I can't really figure out, how to run the server / client stuff with hcxdumptool.
My current setup is a netbook with 4 wifi ifaces. Tried different approaches until I discovered the the server / client mode.
My wrapper / script looks like this

Code:
# Kill NetworkMangler / wpa_supplicant
blah

Iface0 & Iface1 & Iface2 & Iface3
tail -f -q ${LOGDIR}/Iface0.log ${LOGDIR}/Iface1.log ${LOGDIR}/Iface2.log (...)| tee -a $LOGDIR/hcxrun.log
# used to ssh from different mobiles tail -f-ed to see whats going on

==========================================
Iface0 () {
chann="-s 1"
opts="--enable_status=233 --stop_ap_attacks=6000 --resume_ap_attacks=12000 --ip=127.0.0.1"

timeout 30 hcxdumptool --do_rcascan -i $iface0 --bpfc=/root/hcx/protect.bpf
hcxdumptool -i $iface0 $opts $chann -o ${CAPDIR}/$iface0.pcapng | tee -a ${LOGDIR}/$iface0.log
}

==========================================
Iface1 () {
chann="-s 3"
opts="--enable_status=351 --stop_ap_attacks=6000 --resume_ap_attacks=12000 --ip=127.0.0.1"

timeout 30 hcxdumptool --do_rcascan -i $iface0 --bpfc=/root/hcx/protect.bpf
hcxdumptool -i $iface0 $opts $chann -o ${CAPDIR}/$iface0.pcapng | tee -a ${LOGDIR}/$iface0.log
}

==========================================
Iface2 () {
(...)
}

I left the --ip blank, works too
I'm assuming I don't need the -o ${CAPDIR}/$iface0.pcapng whith the clients since there will be only one cap, right?
Do I even need any enable_status other than 256 for the clients?
The logging would be redundant too, right?
Tinkered so much I seem to be stuck in a rut. Can you point me in a general direction where I can read more about server / client?

Thanks!
Reply
I suggest to do some tests running two terminals (attached screenshot).
It is important to start the CLIENT first

Code:
Terminal one -> hcxdumdptool in servermode
$ sudo hcxdumptool -i wlp39s0f3u1u6 --enable_status=128
initialization of hcxdumptool 6.2.7-16-g29c1743 (depending on the capabilities of the device, this may take some time)...

Terminal two -> hcxdumptool in client mode (start CLIENT first)
$ hcxdumptool --enable_status=287
initialization of hcxdumptool 6.2.7-16-g29c1743 (depending on the capabilities of the device, this may take some time)...
waiting for hcxdumptool server...
hello hcxdumptool client...

start capturing (stop with ctrl+c)
NMEA 0183 PROTOCOL........: N/A
PHYSICAL INTERFACE........: phy0
INTERFACE NAME............: wlp39s0f3u1u6
INTERFACE PROTOCOL........: IEEE 802.11
INTERFACE TX POWER........: 20 dBm (lowest value reported by the device)
INTERFACE HARDWARE MAC....: 74da38f2038e (not used for the attack)
INTERFACE VIRTUAL MAC.....: 74da38f2038e (not used for the attack)
DRIVER....................: mt7601u
DRIVER VERSION............: 6.0.8-arch1-1
DRIVER FIRMWARE VERSION...: N/A
openSSL version...........: 1.0
ERRORMAX..................: 100 errors
BPF code blocks...........: 0
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ACCESS POINT (ROGUE)......: 000da7661a5f (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: 000da7661a60 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 000da7661a61 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: fcc233734714
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 62806
ANONCE....................: 53cef37b4adde1872c4d156fc17515d5892da3a4d77623f3818249d0df24fa5d
SNONCE....................: 54457ea7af879fb903b208ba6d99b5e7a57da8ed82ba7d4f4116718ac574f984

TIME    FREQ/CH  MAC_DEST    MAC_SOURCE  ESSID [FRAME TYPE]

Now play around with the status options until everything is shown as expected.

Please notice:
If the server - clients session is slow or timed out you run into a pselect() error which result in a heavy packet loss on the server. I do not recommend to use WiFi (overlapped channels) or bluetooth.


Attached Files
.png   screenshot1.png (Size: 163.48 KB / Downloads: 4)
Reply
Awesome, thanks!
Will test it today
Reply
I figured I'd post a feature request here.... I've been trying to figure out where to focus my efforts with those ZyXEL modems and managed to get access to a database with multiple caps. Now ZyXEL actually uses zyxel, Zyxel, ZyXEL and ZYXEL as ESSIDS. Would be possible to change the --essid-part option to case insensitive to catch all of these at once? Right now, I had to run hcxhashtool multiple times to get the four different case options for this particular vendor.
Reply
@drsnooker
Interesting feature request which will be a nice improvement.
Let me think awhile how to add this. I guess I'll add a new option.
After testing it against wpa-sec database I'll push the update (within they next few days).

BTW:
hcxdumptool (weak candidates in combination with hcxpcapng -R option) discovered some new kind of default PSKs:
ZYXEL-?d?d?d:?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d
and
ZyXEL_KEENETIC_LITE_?H?H?H?H?H?H:zyxel-?d?d?d?d?d?d-cbd

I have the firmware for the first one, but I have no time to dive into it and to add this to hcxpsktool.
At the moment I'm working on all tools to move to the new EVP API (OpenSSL 3.0). The code changes are huge.
Reply
That was less work than expected.
By latest commit:
https://github.com/ZerBea/hcxtools/commi...a191aacaf7
this feature is added.
Code:
--essid-part=<part of ESSID> : filter by part of ESSID (case sensitive)
--essid-partx=<part of ESSID>: filter by part of ESSID (case insensitive)

Thanks for your effort. You're doing a great work.
Please let me know if you need more options.
Reply
Another one, discovered during this hcxhashtool tests on wpa-sec:
ZyXEL_KEENETIC_LITE:zyxel-?d?d?d-?l?l?l

I'm sure, running your feature request we get some more.
Reply
Here is a new one:
ZyXEL_KEENETIC_LITE_?H?H?H?H?H?H:?d?d?d?d?d?d?d?d

The new option mutates the chain into a beast:
hcxdumptool -> hcxpcapngtool (-R and -D option) -> hcxhashtool (-> hcxeiutool) -> hashcat/jtr
Reply