ZerBea / hcxtools

A small set of tools to convert packets from capture files to hash files for use with Hashcat or John the Ripper.
MIT License

hcxpcapngtool doesn't convert hashes #215

Closed 5vl closed 2 years ago

5vl commented 2 years ago

So when I run sudo hcxpcapngtool -o hash.hc22000 -E essidlist dumpfile.pcapng, it gives me the following output:


I don't know what I did wrong. To get the file I ran the command sudo hcxdumptool -i wlan0 -o dumpfile.pcapng --active_beacon --enable_status=15

I followed this tutorial: https://www.youtube.com/watch?v=Usw0IlGbkC4

Please help me fix this!

ZerBea commented 2 years ago

hcxpcapngtool found neither PMKIDs nor EAPOL 4-way handshakes in the dump file. There is nothing to convert, and hcxpcapngtool told you this: Information: no hashes written to hash files

Your command line to attack the target is correct: sudo hcxdumptool -i wlan0 -o dumpfile.pcapng --active_beacon --enable_status=15

But you have to run it as long as it takes to get either a PMKID or an EAPOL 4-way handshake. Depending on your hardware (interface and antenna) and your environment (distance to target), one and a half minutes of hcxdumptool runtime may not be enough.

Try this example, taken from https://wiki.wireshark.org/SampleCaptures

$ wget  https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/wpa-Induction.pcap
$ hcxpcapngtool -o test.hc22000 -E essid wpa-Induction.pcap
hcxpcapngtool 6.2.7-19-g48b6193 reading from wpa-Induction.pcap...

summary capture file
--------------------
file name................................: wpa-Induction.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 04.01.2007 07:14:45
timestamp maximum (GMT)..................: 04.01.2007 07:15:26
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 1093
frames with correct FCS..................: 1080
packets received on 2.4 GHz..............: 1093
WIRELESS DISTRIBUTION SYSTEM.............: 1
ESSID (total unique).....................: 2
BEACON (total)...........................: 398
BEACON on 2.4 GHz channel (from IE_TAG)..: 1 
PROBEREQUEST.............................: 12
PROBEREQUEST (directed)..................: 1
PROBERESPONSE (total)....................: 26
DISASSOCIATION (total)...................: 1
AUTHENTICATION (total)...................: 2
AUTHENTICATION (OPEN SYSTEM).............: 2
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
RESERVED MANAGEMENT frame................: 4
WPA encrypted............................: 280
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum usec)....: 4998
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (recommended NC).........: 8
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1
PMKID (total)............................: 1
PMKID (from zeroed PMK)..................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2412: 1093 

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead.
The PCAP Next Generation dump file format is an attempt to overcome the limitations
of the currently widely used (but limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.

session summary
---------------
processed cap files...................: 1

$ cat essid
Coherer
linksys

$ hashcat -m 22000 test.hc22000 -a 3 Induction
hashcat (v6.2.5-482-g6886a7069) starting
...
a462a7029ad5ba30b6af0df391988e45:000c4182b255:000d9382363a:Coherer:Induction

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.hc22000
Time.Started.....: Sat Jun 25 07:04:45 2022 (0 secs)
Time.Estimated...: Sat Jun 25 07:04:45 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: Induction [9]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       41 H/s (0.63ms) @ Accel:64 Loops:256 Thr:32 Vec:1
Recovered.Total..: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Induction -> Induction
Hardware.Mon.#1..: Temp: 46c Util: 57% Core:1890MHz Mem:4001MHz Bus:8

Started: Sat Jun 25 07:04:43 2022
Stopped: Sat Jun 25 07:04:46 2022

Take a look at hcxpcapngtool output, especially this part

EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1

The dump file contains EAPOL data; hcxpcapngtool found and converted it.

Closed, because it is not an hcxpcapngtool issue, but you can still ask your questions here
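
What hashcat does with the PMKID that hcxpcapngtool extracts, and why the "PMKID (from zeroed PMK)" counter above means that particular PMKID is worthless, is easier to see in code. The following is an added example, not code from hcxtools or hashcat. It derives the PMK with PBKDF2-HMAC-SHA1 and the PMKID with HMAC-SHA1-128 as defined in IEEE 802.11i, writes a hashcat 22000 type-01 (PMKID) record, and checks candidate passphrases against it. ESSID, passphrase and the two MAC addresses are those of the wpa-Induction sample above; the PMKID record itself is constructed from them and is not the capture's own PMKID (which, per the summary, was computed from a zeroed PMK). The type-02 (EAPOL) path, which needs PTK derivation and MIC verification, is deliberately left out.

```python
import hashlib
import hmac
from typing import Optional

# Network parameters taken from the wpa-Induction sample discussed above.
# The PMKID records below are CONSTRUCTED from them, not read from the capture.
ESSID = "Coherer"
PASSPHRASE = "Induction"
MAC_AP = bytes.fromhex("000c4182b255")
MAC_CLIENT = bytes.fromhex("000d9382363a")


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """WPA/WPA2-PSK PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes).
    This is the expensive step hashcat repeats for every candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_client: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_CLIENT) (IEEE 802.11i)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_client, hashlib.sha1).digest()[:16]


def build_pmkid_line(pmkid_bytes: bytes, mac_ap: bytes, mac_client: bytes, essid: str) -> str:
    """hashcat 22000 PMKID record: WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID_HEX***
    (the three trailing fields ANONCE/EAPOL/MESSAGEPAIR are only filled for type 02)."""
    return "WPA*01*{}*{}*{}*{}***".format(
        pmkid_bytes.hex(), mac_ap.hex(), mac_client.hex(), essid.encode().hex())


def parse_22000_line(line: str) -> dict:
    """Split a 22000 record into its nine '*'-separated fields."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a hashcat 22000 record: %r" % line)
    return {
        "type": f[1],  # 01 = PMKID, 02 = EAPOL (MIC)
        "digest": bytes.fromhex(f[2]),
        "mac_ap": bytes.fromhex(f[3]),
        "mac_client": bytes.fromhex(f[4]),
        "essid": bytes.fromhex(f[5]).decode("utf-8", "replace"),
    }


def candidate_matches(line: str, candidate: str) -> bool:
    """True if the candidate passphrase reproduces the PMKID of a type-01 record."""
    rec = parse_22000_line(line)
    if rec["type"] != "01":
        raise ValueError("type 02 (EAPOL) records need PTK/MIC derivation, not shown here")
    pmk = pmk_from_passphrase(candidate, rec["essid"])
    return hmac.compare_digest(pmkid(pmk, rec["mac_ap"], rec["mac_client"]), rec["digest"])


def from_zeroed_pmk(line: str) -> bool:
    """Does the PMKID match an all-zero PMK? hcxpcapngtool counts such records as
    'PMKID (from zeroed PMK)': they carry no information about the passphrase."""
    rec = parse_22000_line(line)
    return pmkid(bytes(32), rec["mac_ap"], rec["mac_client"]) == rec["digest"]


def crack(line: str, wordlist) -> Optional[str]:
    """Minimal wordlist attack; returns the first matching candidate or None."""
    if from_zeroed_pmk(line):
        return None  # don't burn PBKDF2 time on a PMKID that cannot be cracked
    for cand in wordlist:
        if candidate_matches(line, cand):
            return cand
    return None


def sample_line() -> str:
    """Constructed type-01 record for the network above, as hcxpcapngtool would
    write it if the AP had sent a real PMKID in EAPOL M1."""
    pmk = pmk_from_passphrase(PASSPHRASE, ESSID)
    return build_pmkid_line(pmkid(pmk, MAC_AP, MAC_CLIENT), MAC_AP, MAC_CLIENT, ESSID)


def zeroed_sample_line() -> str:
    """Constructed record of the kind some APs produce: PMKID computed over a zero PMK."""
    return build_pmkid_line(pmkid(bytes(32), MAC_AP, MAC_CLIENT), MAC_AP, MAC_CLIENT, ESSID)


if __name__ == "__main__":
    print(sample_line())
    print("cracked:", crack(sample_line(), ["12345678", "password", "Induction"]))
    print("zeroed-PMK record crackable:", not from_zeroed_pmk(zeroed_sample_line()))
```

The zeroed-PMK check is cheap (one HMAC, no PBKDF2), which is why it is worth running before any wordlist: a record that matches it will never be recovered no matter how long the attack runs, and hcxpcapngtool's summary counter tells you the same thing up front.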

5vl commented 2 years ago

Hi, thanks for your response. I knew this was probably an issue on my end, but couldn't really think of any other method of contacting you.

I tried to run hcxdumptool for longer this time. After some time, it threw a "driver is busy" error at me for some reason. I stopped the networkmanager and the wpa_supplicant before running the command. Is my wifi adapter not working with this? I have a Gembird WNP-UA-005.

Thank you in advance for your help!

ZerBea commented 2 years ago

No problem. I searched for the device and noticed that it is running a Realtek chipset (RTL8192EU). In that case, hcxdumptool will not work as expected due to NETLINK dependency and several other problems of the driver: https://www.reddit.com/r/Kalilinux/comments/mp94lh/does_the_rtl8192eu_support_monitoring_mode/

To confirm this, please comment the output of $ hcxdumptool -I and $ lsusb, and try this procedure before starting hcxdumptool:

$ sudo ip link set INTERFACE down
$ sudo iw INTERFACE set monitor none
$ sudo ip link set INTERFACE up

Comment this output, too. Then run hcxdumptool and ignore the warning that monitor mode is already activated.

5vl commented 2 years ago

Alright, I ran the first 2 commands you sent me. Yes, it is true that I'm running Kali in a VM.

After running the last 3 commands you sent, it gives me this (left the SSIDs etc. out).

I also tried to let it run longer, but that didn't do anything.

I did try to run hcxpcapngtool again, but as I expected it did not work.

ZerBea commented 2 years ago

Thanks for the screenshots. As expected, hcxdumptool will not run, for two reasons:

first reason (from --help): do not run hcxdumptool on virtual machines or emulators

second reason (from README.md):

Not recommended WiFi chipsets (Broadcom, Intel, Realtek and Atheros), especially:
* Broadcom (neither monitor mode nor frame injection)
* Intel PRO/Wireless (due to several driver issues and NETLINK dependency)
* Realtek RTL8811AU, RTL8812AU, RTL8814AU (due to NETLINK dependency)
more information about possible issues on https://bugzilla.kernel.org

This ERROR message, "driver is busy: failed to transmit ....", told you that the driver doesn't support packet injection as expected by hcxdumptool.

There is nothing I can do to get this driver to work.

ZerBea commented 2 years ago

This is an output of hcxdumptool injection test, if the requirements (as described in README.md and --help) are met:

$ sudo hcxdumptool -i wlp5s0f3u2 --check_injection
initialization of hcxdumptool 6.2.6-34-g1a4c150 (depending on the capabilities of the device, this may take some time)...
starting antenna test and packet injection test (that can take up to two minutes)...
stage 2 of 2 probing frequency 2472/13 proberesponse 130   
packet injection is working on 2.4GHz!
injection ratio: 87% (BEACON: 149 PROBERESPONSE: 130)
your injection ratio is excellent, let's ride!
antenna ratio: 100% (NETWORK: 7 PROBERESPONSE: 7)
your antenna ratio is huge - say kids what time is it?

terminating...

driver and chipset information:

$ lsusb
Bus 001 Device 015: ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi

$ hcxdumptool -I
wlan interfaces:
phy7    74da38eb4600    (spoofed MAC:ba70446612f5 detected) wlp5s0f3u2  (driver:mt7601u)

ZerBea commented 2 years ago

I guess Kali uses the rtl8xxxu driver from here: https://github.com/kimocoder/realtek_rtwifi

The issue regarding packet injection is reported here: https://github.com/kimocoder/realtek_rtwifi/issues/28

You have to wait for a driver fix.

5vl commented 2 years ago

Thank you for all of this info - I found another driver for the wifi adapter, but it was from 2011 and couldn't get it to install.

I'll try to run Kali off of a live USB, I guess; my laptop has built-in wifi, although it's still Intel. It might work, it might not.

The person I was following the tutorial from also used a VM so I thought that was fine.

ZerBea commented 2 years ago

Some VMs are working, others not: https://github.com/ZerBea/hcxdumptool/issues/196

5vl commented 2 years ago

Ah, I use VMWare Workstation Pro. When I get back home I'll try it through a live usb anyways I guess.

Edit: I tried a live USB, but it didn't want to boot on my laptop. I don't know why. I've never tried to boot something from an USB on this laptop, it's pretty new.

carkod commented 2 years ago

Hi, I also got a similar issue, but I have plenty of EAPOL and one PMKID? I ran it for about 3 hours. Any advice? Thanks.

Command: sudo hcxpcapngtool -o hash.hc22000 --all -E wordlist dumpfile.pcapng
OS: Ubuntu 22.04
Interface: wlx1cbfcebf5087
driver: rt2800usb

summary capture file
--------------------
file name................................: dumpfile.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.15.0-48-generic
application..............................: hcxdumptool 6.2.7-12-g8959359
interface name...........................: wlx1cbfcebf5087
interface vendor.........................: 1cbfce
openSSL version..........................: 1.0
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 28ef016df51e (incremented on every new client)
MAC CLIENT...............................: b0febd6dd554
REPLAYCOUNT..............................: 63365
ANONCE...................................: 239d275762ce1c74c3b2b980a4c9831ecf165ac7e3f266b3bfc51ea3b8223be2
SNONCE...................................: 02ef1ed075374f34d81c38a9f2df4e26bcf66d3c167fe6a9e579c5426dbb410b
timestamp minimum (GMT)..................: 29.09.2022 17:09:52
timestamp maximum (GMT)..................: 29.09.2022 17:20:25
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 4245
packets received on 2.4 GHz..............: 4245
ESSID (total unique).....................: 10
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 3 
ACTION (total)...........................: 3378
PROBEREQUEST.............................: 9
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 1
AUTHENTICATION (OPEN SYSTEM).............: 1
EAPOL messages (total)...................: 853
EAPOL RSN messages.......................: 853
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 853

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2412: 1     2422: 3699  2427: 525   2432: 5    
 2437: 9     2442: 3     2447: 1     2457: 1    
 2462: 1    

Information: no hashes written to hash files

session summary
---------------
processed pcapng files................: 1

ZerBea commented 2 years ago

The status of hcxpcapngtool doesn't match your comment ("I ran it for about 3 hours"); the status shows:

timestamp minimum (GMT)..................: 29.09.2022 17:09:52
timestamp maximum (GMT)..................: 29.09.2022 17:20:25

That is only 10 minutes and 33 seconds (not 3 hours).

"...but I have plenty of EAPOL and one PMKID?" There is no PMKID:

EAPOL messages (total)...................: 853
EAPOL RSN messages.......................: 853
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 853

It looks like the target doesn't transmit a PMKID.

Are you sure you converted the right dumpfile?

Please comment the full command line of hcxdumptool. It looks like you used filter options?
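
To triage a summary like the one carkod posted without eyeballing it, the following added script (my own, not part of hcxtools) parses the "key.......: value" lines of an hcxpcapngtool summary, computes the real capture duration from the GMT timestamps, and decides whether a 22000 hash could have been written at all: that needs either a PMKID that is not from a zeroed PMK, or an EAPOL pair combining an AP-side message (M1 or M3, carrying the ANONCE) with a client-side message (M2 or M4, carrying the MIC). The two embedded summaries are trimmed copies of the ones in this thread. Caveat: hcxpcapngtool additionally discards M4 frames with a zeroed nonce and checks replay counters, which the totals do not reveal, so the script can explain why nothing was converted but cannot promise that a conversion will succeed.

```python
import re
from datetime import datetime
from typing import Dict

# Trimmed copies of the two summaries posted in this thread
# (wpa-Induction sample and carkod's dumpfile.pcapng); the line format is
# hcxpcapngtool's own.
INDUCTION_SUMMARY = """\
timestamp minimum (GMT)..................: 04.01.2007 07:14:45
timestamp maximum (GMT)..................: 04.01.2007 07:15:26
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
PMKID (total)............................: 1
PMKID (from zeroed PMK)..................: 1
"""

DUMPFILE_SUMMARY = """\
timestamp minimum (GMT)..................: 29.09.2022 17:09:52
timestamp maximum (GMT)..................: 29.09.2022 17:20:25
EAPOL messages (total)...................: 853
EAPOL M1 messages (total)................: 853
"""

# Key, at least two filler dots, ": ", value. Non-greedy key so "2.4 GHz" survives.
_LINE = re.compile(r"^(.+?)\.{2,}: (.*)$")
_TS = "%d.%m.%Y %H:%M:%S"  # hcxpcapngtool prints day.month.year


def parse_summary(text: str) -> Dict[str, str]:
    """Turn 'key.......: value' lines into a dict; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line.rstrip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def count(fields: Dict[str, str], key: str) -> int:
    """Integer value of a counter; tolerates suffixes such as '1 (RC checked)'."""
    return int(fields.get(key, "0").split()[0])


def capture_seconds(fields: Dict[str, str]) -> int:
    """Real wall-clock span of the capture, from the two GMT timestamps."""
    t0 = datetime.strptime(fields["timestamp minimum (GMT)"], _TS)
    t1 = datetime.strptime(fields["timestamp maximum (GMT)"], _TS)
    return int((t1 - t0).total_seconds())


def triage(text: str) -> dict:
    """Decide whether the summary describes anything hcxpcapngtool could convert."""
    f = parse_summary(text)
    m = {i: count(f, "EAPOL M%d messages (total)" % i) for i in (1, 2, 3, 4)}
    usable_pmkid = count(f, "PMKID (total)") - count(f, "PMKID (from zeroed PMK)")
    ap_side = m[1] + m[3]      # messages carrying the ANONCE
    client_side = m[2] + m[4]  # messages carrying the MIC (and SNONCE in M2)
    reasons = []
    if usable_pmkid <= 0:
        reasons.append("no PMKID, or only PMKIDs computed from a zeroed PMK")
    if client_side == 0:
        reasons.append("no client-side EAPOL message (M2/M4): %d M1 frames alone "
                       "carry no MIC to verify candidates against" % m[1])
    elif ap_side == 0:
        reasons.append("no AP-side EAPOL message (M1/M3): ANONCE missing")
    expect_hash = usable_pmkid > 0 or (ap_side > 0 and client_side > 0)
    return {
        "seconds": capture_seconds(f),
        "messages": m,
        "usable_pmkid": usable_pmkid,
        "expect_hash": expect_hash,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, text in (("wpa-Induction", INDUCTION_SUMMARY), ("dumpfile", DUMPFILE_SUMMARY)):
        r = triage(text)
        print("%s: %ds of capture, expect hash: %s" % (name, r["seconds"], r["expect_hash"]))
        for why in r["reasons"]:
            print("  -", why)
```

Run against carkod's summary it reports 633 seconds (the 10 minutes 33 seconds ZerBea points out, not 3 hours) and refuses to expect a hash because only M1 frames were seen; against the wpa-Induction summary it reports 41 seconds and expects a hash from the EAPOL pair even though the single PMKID is from a zeroed PMK.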