
Comments (8)

phin3has avatar phin3has commented on May 24, 2024

Never mind, grabbed a test pcap from Aircrack, no problems with that. Something is up with my pcap file. Thanks!

from hcxtools.

ZerBea avatar ZerBea commented on May 24, 2024

ok


l0rda avatar l0rda commented on May 24, 2024

Same issue with pcap file from bettercap.


ZerBea avatar ZerBea commented on May 24, 2024

Please attach pcap file (compressed as zip - git will accept this).


ZerBea avatar ZerBea commented on May 24, 2024

To use hashcat mode 16800 you need an ESSID and a PMKID!

If you take a look at #92 (comment)
you see that we have 2 good PMKIDs, but no(!) ESSID.
hashcat can't run this hash in hashmode 16800, so there is no need for hcxpcaptool to convert it.
BTW:
hcxdumptool will do that (make sure we got all information) during the capturing process. If you run other tools to capture traffic, make sure that they really capture all(!) required packets to recover the PSK. Not all tools will do this!

If you really need to "clean/convert" a cap/pcap/pcapng file, run
$ tshark -r "inputfile" -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcapng -w "outputfile"

or, if you prefer ancient formats:
$ tshark -r "inputfile" -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcap -w "outputfile"


ZerBea avatar ZerBea commented on May 24, 2024

Nevertheless: the PMKIDs are good and we can convert them to run hashmode 16801 on them.
Added 2 new options to hcxpcaptool to convert raw PMKIDs
-K : output raw PMKID file (hashcat hashmode -m 16801 new format)
-Z : output raw PMKID file (hashcat hashmode -m 16801 old format and john)

Use these option(s) if you would like to verify a PMKID and you don't have an ESSID:
$ hcxpcaptool -K raw.16801 test.pcapng
reading from test.pcapng
summary:
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: armv6l
file os information..........: Linux 4.19.42-1-ARCH
file application information.: hcxdumptool 5.1.4
network type.................: DLT_IEEE802_11_RADIO (127)
endianness...................: little endian
read errors..................: flawless
packets inside...............: 1
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
EAPOL packets (total)........: 1
EAPOL packets (WPA2).........: 1
EAPOL PMKIDs (total).........: 1
EAPOL PMKIDs (WPA2)..........: 1
best PMKIDs..................: 1
1 raw PMKID(s) written to raw.16801

Keep in mind:
hashcat hash modes 16801 and 2501 are verification modes (verify EAPOL and/or PMKID by existing PMK).

from hcxtools.
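Why mode 16800 needs the ESSID while the 16801 verification mode does not, as an added example (not part of the original comment and not hcxtools or hashcat code): under IEEE 802.11i the PMK is PBKDF2 over the passphrase salted with the ESSID, and the PMKID is an HMAC keyed with that PMK. The MAC addresses, ESSID and passphrase below are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (locally administered MACs, made-up ESSID/passphrase).
SAMPLE_AP = bytes.fromhex("020000000001")
SAMPLE_STA = bytes.fromhex("020000000002")
SAMPLE_ESSID = b"lab-network"
SAMPLE_PASSPHRASE = "constructed-example-passphrase"


def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA)."""
    digest = hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()
    return digest[:16]


def verify_with_pmk(pmkid: bytes, pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bool:
    """Verification by existing PMK: no ESSID is involved at all."""
    return hmac.compare_digest(pmkid, compute_pmkid(pmk, mac_ap, mac_sta))


def verify_with_passphrase(pmkid: bytes, passphrase: str, essid: bytes,
                           mac_ap: bytes, mac_sta: bytes) -> bool:
    """Verification by passphrase: impossible without the ESSID, which salts the PMK."""
    return verify_with_pmk(pmkid, derive_pmk(passphrase, essid), mac_ap, mac_sta)


if __name__ == "__main__":
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_ESSID)
    captured = compute_pmkid(pmk, SAMPLE_AP, SAMPLE_STA)  # stands in for a captured PMKID
    print("PMKID:", captured.hex())
    print("known PMK, no ESSID needed:",
          verify_with_pmk(captured, pmk, SAMPLE_AP, SAMPLE_STA))
    print("right passphrase, right ESSID:",
          verify_with_passphrase(captured, SAMPLE_PASSPHRASE, SAMPLE_ESSID,
                                 SAMPLE_AP, SAMPLE_STA))
    print("right passphrase, wrong ESSID:",
          verify_with_passphrase(captured, SAMPLE_PASSPHRASE, b"other-network",
                                 SAMPLE_AP, SAMPLE_STA))
```
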

l0rda avatar l0rda commented on May 24, 2024

Please attach pcap file (compressed as zip - git will accept this).

Unfortunately I cannot attach a file with sensitive data, but you can try with bettercap.

Thanks for your answer about "ESSID and a PMKID". "-Z" option works.


ZerBea avatar ZerBea commented on May 24, 2024

Unfortunately I don't use bettercap (depends on deprecated tools: https://dougvitale.wordpress.com/2011/12/21/deprecated-linux-networking-commands-and-their-replacements/)

But output of hcxpcaptool -V doesn't contain sensitive data, so you can add them here:
$ hcxpcaptool -V your_pcap_file

It looks like bettercap doesn't capture/store required packets (-Z converts hashes and -z doesn't).
Also, there is a lot of important information within WiFi traffic which is ignored. It is really a good idea to capture it, too.

For example a typical hcxdumptool pcapng file (captured by https://github.com/ZerBea/hcxdumptool/wiki/Penetration-testing-system-2)

$ hcxpcaptool -V capture.pcapng.gz
decompressing capture.pcapng.gz to /tmp/capture.pcapng.gz.tmp
reading from capture.pcapng.gz.tmp
summary:
file name....................: capture.pcapng.gz.tmp
file type....................: pcapng 1.0
file hardware information....: armv6l
file os information..........: Linux 4.19.37-2-ARCH
file application information.: hcxdumptool 5.1.4
network type.................: DLT_IEEE802_11_RADIO (127)
endianness...................: little endian
read errors..................: flawless
packets inside...............: 19017
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
WDS packets..................: 116
beacons (with ESSID inside)..: 5258
beacons (with MESH-ID inside): 17
probe requests...............: 1097
probe responses..............: 1287
association requests.........: 662
association responses........: 604
reassociation requests.......: 183
reassociation responses......: 167
authentications (OPEN SYSTEM): 2499
authentications (BROADCOM)...: 2369
authentications (SONOS)......: 77
authentications (APPLE)......: 30
EAPOL packets (total)........: 6142
EAPOL packets (WPA1).........: 33
EAPOL packets (WPA2).........: 6109
EAPOL PMKIDs (total).........: 2552
EAPOL PMKIDs (WPA1)..........: 17
EAPOL PMKIDs (WPA2)..........: 2535
EAP packets..................: 726
EAP START packets............: 1
found........................: EAP type ID
found........................: PEAP Authentication
best handshakes..............: 448 (ap-less: 297)
best PMKIDs..................: 740

Running options -k and -o, these hashes are written:
446 handshake(s) written to eapol.hccapx
739 PMKID(s) written to pmkid.16800

You should consider running hcxdumptool instead of bettercap if hcxpcaptool shows less on your pcap file than that.
And if you run -E option of hcxpcaptool on a hcxdumptool pcapng and feed it to hashcat:

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: eapol.hccapx
Time.Started.....: Fri May 31 09:36:17 2019 (6 secs)
Time.Estimated...: Fri May 31 09:36:23 2019 (0 secs)
Guess.Base.......: File (prlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 183.2 kH/s (2.39ms) @ Accel:16 Loops:512 Thr:64 Vec:1
Recovered........: 25/446 (5.61%) Digests, 19/302 (6.29%) Salts
Progress.........: 1320344/1320344 (100.00%)
Rejected.........: 146772/1320344 (11.12%)
Restore.Point....: 4372/4372 (100.00%)
Restore.Sub.#1...: Salt:301 Amplifier:0-1 Iteration:0-1

You can imagine what you are missing when you don't run hcxdumptool!
