ZerBea / hcxtools

A small set of tools to convert packets from capture files to hash files for use with Hashcat or John the Ripper.
MIT License

Static compilation #123

Closed adrastee closed 4 years ago

adrastee commented 4 years ago

Hi Zerbea, Are you able to help me in compiling hcxtools statically? Or provide static binaries? I cannot install libraries on the server I want to use, so I cannot install some dependencies like libcrypto. Thanks a lot.

I edit the Makefile to add "-static" at the end of this line: CFLAGS ?= -O3 -Wall -Wextra -static

But I have this error on Ubuntu 18: https://pastebin.com/Dngzd87R

ZerBea commented 4 years ago

That is very, very difficult: https://stackoverflow.com/questions/15165306/compile-a-static-binary-which-code-there-a-function-gethostbyname You must remove the whole server/client code - then it may(!) work.

ZerBea commented 4 years ago

BTW: The same applies to the crypto stuff, too.

adrastee commented 4 years ago

Thanks. I was able to statically compile hcxpcaptool v5.1.6. But not the latest one (v5.3.0). Any hints why? Network functions?

ZerBea commented 4 years ago

massive network and crypto inside.

adrastee commented 4 years ago

Ok. So.. no way to manage a static compilation?

ZerBea commented 4 years ago

I don't see a chance - glibc sets the rules!

RealEnder commented 4 years ago

We have several dependencies: openssl, zlib and some glibc networking for wlancap2wpasec. First two should be OK for static compilation and wlancap2wpasec can be skipped for static compilation with Makefile flag. There is also #106 , which will require more work though.

RealEnder commented 4 years ago

Forgot curl, but anyways. BTW, from zlib we're using only decompression, so it may be useful to include only minimal decompress code like this: https://liblzg.bitsnbites.eu/ or this: https://github.com/pfalcon/uzlib . This is a bit of over-engineering and may get us to obscure errors/performance issues.

adrastee commented 4 years ago

Understood. I'm mainly interested in hcxpcapngtool. Is my best option to use python tool https://github.com/s77rt/multicapconverter ? Hoping it is as well coded as hcxpcapngtool :D

RealEnder commented 4 years ago

Well, you can always compare the results and submit bugs upstream ;)

ZerBea commented 4 years ago

multicapconverter is a good and portable alternative. It is coded well (we share knowledge), but provides fewer functions (BTW: hcxpcapngtool is still missing many functions, too - netNTLMv1, MD5 challenge, TACACS+ - I'll add them step by step, before I'm going to remove deprecated hcxtools). If the migration to hash mode 22000 is finished (that is a lot of work to do), I'll put focus on EAP.

BTW: The crypto stuff inside of hcxdumptool, hcxpcapngtool and hcxhashtool is the first step into EAP direction.

adrastee commented 4 years ago

Ok! I have already found something, don't know if it's a bug, don't know if it's multicapconverter or hcxpcapngtool. Using both tools at latest version as of Jan 7 2020 https://pastebin.com/n0qEnLWy TL;DR: hcxpcapngtool finds a WPA*02 while multicapconverter finds nothing because it considers that the packet is unauthenticated. How does hcxpcapngtool handle unauthenticated packets?

ZerBea commented 4 years ago

Good investigation. I'm interested in that cap file. Can you please attach it, to perform an analysis?

Handling of handshakes and PMKIDs depends on the selected options. Examples:

`$ hcxpcapngtool -o test.22000 in.pcapng` converts the best handshake (lowest EAPOL TIME, matching RC, valid AKM, valid cipher suite) once for every MAC_AP/MAC_STA/ESSID combination. We do not take care about message pair (authenticated/not authenticated).

`$ hcxpcapngtool --do-not-clean -o test.22000 in.pcapng` converts all(!) handshakes (low EAPOL TIME, matching RC, valid AKM, valid cipher suite) once for every MAC_AP/MAC_STA/ESSID combination. We do not take care about message pair (authenticated/not authenticated).

`$ hcxpcapngtool --ignore-ie -o test.22000 in.pcapng` converts the best handshake (lowest EAPOL TIME, matching RC) once for every MAC_AP/MAC_STA/ESSID combination. We do not take care about message pair (authenticated/not authenticated).

`$ hcxpcapngtool --nonce-error-corrections=8 -o test.22000 in.pcapng` converts the best handshake (lowest EAPOL TIME, RC GAP +/- 8, valid AKM, valid cipher suite) once for every MAC_AP/MAC_STA/ESSID combination. We do not take care about message pair (authenticated/not authenticated).

`$ hcxpcapngtool --max-essids=2 -o test.22000 in.pcapng` converts the best handshake (lowest EAPOL TIME, matching RC, valid AKM, valid cipher suite) once for every MAC_AP/MAC_STA/ESSID combination, allowing one ESSID change (in case of a user-defined ESSID change during capture time and/or a damaged ESSID). We do not take care about message pair (authenticated/not authenticated).

All options can be cascaded!

The more options you add, the more "non-restrictive" hcxpcapngtool becomes. It will convert more hashes, but some/many/lots of them are not recoverable (like an E-function). But some of them are recoverable due to the nonce error corrections of hashcat. hcxpcapngtool will tell hashcat that, using the message pair field, and hashcat will activate/deactivate NC.

multicapconverter knows about this and will take the correct MP, too.

ZerBea commented 4 years ago

BTW: Contrary to the other tools, hcxdumptool/hcxtools is not interested in distinguishing between not authenticated (M1M2) and authenticated (M1M4, M2M3, M4M4) message pairs. I have good reasons for that.
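The two comments above turn on the message pair field that hcxpcapngtool writes into each 22000 line and that hashcat reads to decide whether nonce error corrections are needed. The following parser is an added example, not code from hcxtools, hashcat or multicapconverter: it splits `WPA*01*` (PMKID) and `WPA*02*` (EAPOL) lines into their fields and decodes the message pair byte. The field layout and the bit meanings are taken from hashcat's published hccapx/22000 message_pair definition and are an assumption here (the thread does not spell them out); the sample lines are constructed with placeholder hex values, not real captures.

```python
# Added example: parse hashcat mode 22000 lines (as written by hcxpcapngtool)
# and decode the message-pair field. Not code from hcxtools or hashcat.
# Bit meanings are assumed from hashcat's hccapx/22000 message_pair
# definition; sample lines below are constructed placeholders.
from dataclasses import dataclass
from typing import Optional

# Bits 0-2: which handshake messages were paired, and which one supplied the EAPOL frame.
MESSAGE_PAIRS = {
    0: ("M1+M2", "M2", False),  # challenge only: client never proved knowledge of the PSK
    1: ("M1+M4", "M4", True),
    2: ("M2+M3", "M2", True),
    3: ("M2+M3", "M3", True),
    4: ("M3+M4", "M3", True),
    5: ("M3+M4", "M4", True),
}
# Upper flag bits (assumed from hashcat's hccapx message_pair definition).
MP_APLESS = 0x10  # AP-less capture: nonce error corrections not needed
MP_LE = 0x20      # little-endian replay counter increments observed
MP_BE = 0x40      # big-endian replay counter increments observed
MP_NC = 0x80      # replay counter not checked by the converter: NC needed


@dataclass
class Hash22000:
    kind: str                    # "01" = PMKID line, "02" = EAPOL handshake line
    digest: str                  # PMKID or MIC, 32 hex chars
    mac_ap: str
    mac_sta: str
    essid: str
    anonce: Optional[str]        # EAPOL lines only
    eapol: Optional[str]         # EAPOL lines only
    message_pair: Optional[int]  # EAPOL lines only


def parse_22000(line: str) -> Hash22000:
    """Split one WPA*01*... or WPA*02*... line into its fields, checking field sizes."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError(f"not a 22000 line: {line!r}")
    digest, mac_ap, mac_sta, essid_hex = f[2], f[3], f[4], f[5]
    if len(digest) != 32 or len(mac_ap) != 12 or len(mac_sta) != 12:
        raise ValueError("bad digest or MAC field length")
    bytes.fromhex(digest + mac_ap + mac_sta + essid_hex)  # raises on non-hex input
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    if f[1] == "01":
        if any(f[6:9]):
            raise ValueError("PMKID line must end with three empty fields")
        return Hash22000("01", digest, mac_ap, mac_sta, essid, None, None, None)
    anonce, eapol, mp_hex = f[6], f[7], f[8]
    if len(anonce) != 64 or len(mp_hex) != 2 or not eapol:
        raise ValueError("bad EAPOL line")
    bytes.fromhex(anonce + eapol)
    return Hash22000("02", digest, mac_ap, mac_sta, essid, anonce, eapol, int(mp_hex, 16))


def describe_message_pair(mp: int) -> dict:
    """Decode the message-pair byte into what hashcat will do with this hash."""
    if (mp & 0x07) not in MESSAGE_PAIRS:
        raise ValueError(f"undefined message pair value {mp & 0x07}")
    pair, eapol_from, authenticated = MESSAGE_PAIRS[mp & 0x07]
    return {
        "pair": pair,
        "eapol_from": eapol_from,
        "authenticated": authenticated,
        "ap_less": bool(mp & MP_APLESS),
        "nc_needed": bool(mp & MP_NC),
        "nc_endianness": "LE" if mp & MP_LE else ("BE" if mp & MP_BE else "any"),
    }


def summarize(lines) -> dict:
    """Count what a converter produced: PMKIDs, authenticated vs. M1+M2-only
    handshakes (the case multicapconverter skips), and hashes that need NC."""
    counts = {"pmkid": 0, "authenticated": 0, "unauthenticated": 0, "nc_needed": 0}
    for line in lines:
        h = parse_22000(line)
        if h.kind == "01":
            counts["pmkid"] += 1
            continue
        d = describe_message_pair(h.message_pair)
        counts["authenticated" if d["authenticated"] else "unauthenticated"] += 1
        if d["nc_needed"]:
            counts["nc_needed"] += 1
    return counts


# Constructed sample lines with placeholder values (not from any real capture).
ESSID_HEX = "TestNet".encode().hex()
SAMPLE_LINES = [
    "WPA*01*" + "11" * 16 + "*001122334455*66778899aabb*" + ESSID_HEX + "***",
    "WPA*02*" + "22" * 16 + "*001122334455*66778899aabb*" + ESSID_HEX
    + "*" + "aa" * 32 + "*0103005f02010a00*80",   # M1+M2, replay counter not checked
    "WPA*02*" + "33" * 16 + "*001122334455*66778899aabb*" + ESSID_HEX
    + "*" + "bb" * 32 + "*0103005f02010a00*01",   # M1+M4, authenticated, RC checked
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        h = parse_22000(line)
        print(h.kind, h.essid, h.mac_ap, describe_message_pair(h.message_pair) if h.kind == "02" else "PMKID")
    print(summarize(SAMPLE_LINES))
```

Running it over the output of `hcxpcapngtool --do-not-clean` is a quick way to see how many of the extra hashes are M1+M2-only or carry the NC flag, which is the trade-off the comment above describes.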

adrastee commented 4 years ago

I've just sent the cap file on your email. Thanks for the details. Will try.