ZerBea / hcxtools

A small set of tools to convert packets from capture files to hash files for use with Hashcat or John the Ripper.
MIT License

Warning: out of sequence timestamps! hcxpcapngtool/hcxdumptool #316

Closed CrilleH closed 1 year ago

CrilleH commented 1 year ago

Hi everyone!

These two apps don't work as they should for me anymore, hcxpcapngtool and hcxdumptool. I get this error message when I run hcxpcapngtool on a file from hcxdumptool: "Warning: out of sequence timestamps! This dump file contains frames with out of sequence timestamps. That is a bug of the capturing tool.

Information: missing frames! This dump file does not contain enough EAPOL M1 frames. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing. That makes it impossible to calculate nonce-error-correction values."

Everything worked just fine up until about a week or so ago when this started to happen. I don't use any filters. I have googled very much but I can't find a solution to my problem. I run Operating System: Kali GNU/Linux Rolling Kernel: Linux 6.4.0-kali3-amd64 Architecture: x86-64. Is there any more info you need from me to be able to help me?

I'm keeping my thumbs crossed that someone has the time to help me with this. I really don't know what to do to fix this problem.

Thanks a million in advance!

ZerBea commented 1 year ago

First some words about the warnings.

Warning: out of sequence timestamps! This dump file contains frames with out of sequence timestamps. That is a bug of the capturing tool. That is a bug of the capturing tool (in that case hcxdumptool) and it is finally fixed since hcxdumptool v6.3.0 (use nsec timestamps). As a result, latest hcxpcapngtool shows this warning on older pcapng files recorded by hcxdumptool < v6.3.0 (use nsec timestamps).

Information: missing frames! This dump file does not contain enough EAPOL M1 frames. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing. That makes it impossible to calculate nonce-error-correction values.

Usually this happens if the run time of hcxdumptool is too short and the pcapng file contains only a single handshake. To calculate nonce-error-correction values we need at least two different EAPOL M1 packets from an ACCESS POINT.

Both messages are just information/warnings. If the pcapng files contain valid MESSAGEPAIRs or PMKIDs they should be converted fine. The warning should not appear if you run latest hcxpcapngtool >= v6.3.1 on latest hcxdumptool >= v6.3.1 pcapng files.

To do some more investigations, please add output of:

$ hcxdumptool -v
$ hcxpcapngtool -v

and please attach an example pcapng file (zip compressed) that contains the out of sequence timestamps.

There is also a changelog (hcxtools) entry regarding the timestamps:

20.05.2020
==========
hcxpcapngtool: print warning if out of sequence time stamps detected
               hcxdumptool < 6.0.5 was affected, too and hcxpcapngtool will show you this warning
               hcxdumptool 6.0.6 is fixed
               improved conversion speed
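The out-of-sequence check described above, as an added example that is not part of this thread or of hcxtools: a minimal pcapng reader that honours the if_tsresol option (hcxdumptool >= 6.3.0 writes nanosecond timestamps) and reports frames whose timestamp goes backwards, run on a constructed sample file. It assumes a little-endian section header and a single section.

```python
import struct

SHB, IDB, EPB, IF_TSRESOL = 0x0A0D0D0A, 0x00000001, 0x00000006, 9  # pcapng block types, option code

def iter_blocks(data):
    """Yield (block_type, body) for each block of a little-endian pcapng buffer."""
    off = 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        yield btype, data[off + 8:off + blen - 4]
        off += blen

def ticks_per_second(idb_body):
    """Parse if_tsresol from an IDB body; the spec default is microseconds (10**6)."""
    off = 8  # skip linktype(2) + reserved(2) + snaplen(4)
    while off + 4 <= len(idb_body):
        code, length = struct.unpack_from("<HH", idb_body, off)
        if code == 0:  # opt_endofopt
            break
        if code == IF_TSRESOL:
            v = idb_body[off + 4]
            return 2 ** (v & 0x7F) if v & 0x80 else 10 ** v  # MSB set: power of two
        off += 4 + (length + 3) // 4 * 4
    return 10 ** 6

def epb_timestamps(data):
    """Timestamp in seconds of every Enhanced Packet Block, in file order."""
    resol, stamps = [], []
    for btype, body in iter_blocks(data):
        if btype == IDB:
            resol.append(ticks_per_second(body))
        elif btype == EPB:
            iface, hi, lo = struct.unpack_from("<III", body)
            stamps.append(((hi << 32) | lo) / resol[iface])
    return stamps

def out_of_sequence(stamps):
    """Indices of frames stamped earlier than the frame written before them."""
    return [i for i in range(1, len(stamps)) if stamps[i] < stamps[i - 1]]

def block(btype, body):  # wrap a body in the pcapng block header and trailer
    body += b"\0" * (-len(body) % 4)
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))

def epb(ticks):  # constructed EPB carrying a 24-byte dummy frame, not real capture data
    pkt = b"\x80\x00" + b"\0" * 22
    return block(EPB, struct.pack("<IIIII", 0, ticks >> 32, ticks & 0xFFFFFFFF, 24, 24) + pkt)

# Constructed sample: nanosecond resolution, third frame stamped before the second one.
SAMPLE = (block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
          + block(IDB, struct.pack("<HHIHHB3xHH", 127, 0, 65535, IF_TSRESOL, 1, 9, 0, 0))
          + epb(1_000_000_000) + epb(1_000_000_500) + epb(1_000_000_250) + epb(2_000_000_000))
```

`out_of_sequence(epb_timestamps(SAMPLE))` returns `[2]`, the index of the frame that triggers the warning.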
CrilleH commented 1 year ago

Hi and thanks for the answer!

Here are the things you asked to see:

hcxdumptool -v
hcxdumptool 6.3.1-56-g89278de (C) 2023 ZeroBeat

hcxpcapngtool -v
hcxpcapngtool 6.3.1-92-gb6d2f43 (C) 2023 ZeroBeat

aik.pcapng.gz

The timestamp warning disappeared after I updated hcxpcapngtool (I had 6.2 something) to the version above. But now I have this warning: "Information: missing frames! This dump file does not contain enough EAPOL M1 frames. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing. That makes it impossible to calculate nonce-error-correction values. Information: no hashes written to hash files" I ran hcxdumptool for just over 40 minutes.

What should my next step be?

Thanks a million for helping me with this!

ZerBea commented 1 year ago

Thanks for the information.

Looks like packet injection is not working as expected. There are absolutely no EAPOL frames captured by the driver.

Is hcxdumptool running in a VM? Are all services that take access to the device stopped (e.g. NetworkManager)? Are you running a BPF?

You can see that packet injection is working as expected, either when running:

$ sudo hcxdumptool -i wlan0 --rds=1

If you don't see a "+" in the R column, packet injection is not working.

  CHA    LAST   R 1 3 P S    MAC-AP    ESSID (last EAPOL on top)  SCAN-FREQUENCY:   2437
-----------------------------------------------------------------------------------------
 [  6] 21:17:47 + +   + + 5004b8642f13 TEST_NETWORK

Or you can see it when running an active scan:

$ sudo hcxdumptool -i wlan0 --rcascan=active

If the RESPONSES column is empty, packet injection is not working as expected. Usually both time stamps (BEACON and RESPONSES) should increase.

  CHA  FREQ   BEACON  RESPONSE S   MAC-AP   ESSID  SCAN-FREQUENCY:   2412
--------------------------------------------------------------------------
 [ 11  2462] 21:18:50 21:18:50 + 5004b8642f13 TEST_NETWORK

In both cases, you should get a response within a few seconds. If not, possible reasons if packet injection is not working:

something takes access to the interface and blocks hcxdumptool
driver problems
configuration problems

Please comment output of $ hcxdumptool -L

CrilleH commented 1 year ago

Hi again! Here is the output from $ hcxdumptool -L:

phy idx hw-mac       virtual-mac  m ifname driver (protocol)
0   3   04d9f58b8c1f 04d9f58b8c1f - wlan1  wl (NETLINK)
5   13  30de4be0ec71 30de4be0ec71 + wlan0  rtl88x2bu (NETLINK)

No I don't run a VM, I run dual boot linux/windows 10. Yes everything is turned off by check kill. I'm not really sure if I run BPF or not. Sorry for asking, but what's the best way of checking that?

I got strange results when checking the packet injection per your instructions. "sudo hcxdumptool -i wlan0 --rds=1" shows that packet injection isn't working at all.

CHA LAST R 1 3 P S MAC-AP ESSID (last EAPOL on top) SCAN-FREQUENCY: 2412

[ 11] 12:30:59 + 5890435ee287 COMHEM_5ee282
[ 11] 12:30:59 + b8d94d6c9179 COMHEM_6c9174
[ 11] 12:30:59 + 841ea396b94b Tele2_96b946
[ 11] 12:30:58 + c412f5647dbc Blixthen
[ 6] 12:30:57 + 3c585de677d6 Tele2_E677D6
[ 5] 12:30:57 + 180f7638e7a8 dlink-E7A8
[ 3] 12:30:55 + 0c0e76e0a6fb dlink--A6FA
[ 1] 12:31:00 + 9c9726496569 TeliaGateway9C-97-26-49-65-69
[ 6] 12:30:57 fa8fca7c2b89 Vardagsrum.v,
[ 1] 12:30:55 + f8084f384fe5 COMHEM_384fe0-2.4Ghz
[ 1] 12:30:54 + a491b1756ee4 Telia-756EE4
[ 1] 12:30:45 + 04a151bcffc5 ComHemBCFFC1
[ 1] 12:30:10 + 02240146c966 Skott
[ 1] 12:30:10 + 3093bc330890 COMHEM_33088b
[ 1] 12:31:00 fa8fca89630a
[ 13] 12:30:42 + 64209f21af47 Sverige Fosterland

But "sudo hcxdumptool -i wlan0 --rcascan=active" shows the opposite, that it is working:

CHA FREQ BEACON RESPONSE A MAC-AP ESSID SCAN-FREQUENCY: 2437

[ 6 2437] 12:45:29 12:31:16 + 3c585de677d6 Tele2_E677D6
[ 6 2437] 12:45:29 12:31:16 fa8fca7c2b89 Vardagsrum.v,
[ 1 2412] 12:45:29 12:31:16 + f8084f384fe5 COMHEM_384fe0-2.4Ghz
[ 1 2412] 12:45:29 12:31:16 + 3093bc330890 COMHEM_33088b
[ 1 2412] 12:45:29 12:31:16 + 04a151bcffc5 ComHemBCFFC1
[ 1 2412] 12:45:29 12:31:16 + 9c9726496569 TeliaGateway9C-97-26-49-65-69
[ 11 2462] 12:45:29 12:31:16 + c412f5647dbc Blixthen
[ 11 2462] 12:45:28 12:31:16 + b8d94d6c9179 COMHEM_6c9174
[ 1 2412] 12:45:28 12:31:16 + a491b1756ee4 Telia-756EE4
[ 11 2462] 12:45:27 12:31:16 + 5890435ee287 COMHEM_5ee282
[ 11 2462] 12:45:27 12:31:16 + 841ea396b94b Tele2_96b946
[ 1 2412] 12:45:25 12:31:16 + 02240146c966 Skott
[ 1 2412] 12:43:55 12:31:16 + a4b1e9e45df7 T-2000
[ 1 2412] 12:43:45 12:31:16 fa8fca89630a

Isn't this quite strange?

Thanks a million again for helping me!

ZerBea commented 1 year ago

Thanks. No "+" in R columns means that packet injection is not working.

Timestamp in RESPONSES column does not increase means that packet injection is not working.

confirmed here, too: https://forums.kali.org/showthread.php?44810-Realtek-RTL8812BU-Driver-for-Kali-Linux

Latest hcxdumptool should show an empty field in RESPONSES column instead of an initial timestamp (which is equal to hcxdumptool start time). Should be fixed by this commit: https://github.com/ZerBea/hcxdumptool/commit/200658377867cec3ea87d8cd6f3a0864a4638905

I don't know from which source the driver (rtl88x2bu) was installed on KALI, but it is definitely not part of the official Linux kernel: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/net/wireless/realtek?h=v6.5.5

On questions related to the third party driver (rtl88x2bu) I suggest to ask here: https://github.com/morrownr/88x2bu-20210702 or here https://github.com/cilynx/rtl88x2bu

I think we can close this report, because the "out of sequence timestamp" has been fixed. If you have more questions related to hcxtools, hcxdumptool you can still ask them here.

ZerBea commented 1 year ago

I found this bug report: https://github.com/morrownr/88x2bu-20210702/issues/140

It confirms that packet injection is not working.

ZerBea commented 1 year ago

By latest commit I added a RESPONSE count to --rcascan=active. https://github.com/ZerBea/hcxdumptool/commit/67d3e68b0f9eb036947a9d88a98a3b8d850d2dd8

It will show a warning if no RESPONSE has been received on hcxdumptool's requests.

ZerBea commented 1 year ago

I got an answer regarding the driver.

Please read this comment: https://github.com/morrownr/88x2bu-20210702/issues/140#issuecomment-1742222009 and try the new rtw88 driver instead of the old rtl88x2bu driver.

ZerBea commented 1 year ago

Please notice:

The rtw88 driver is part of the official Linux kernel, e.g.: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/net/wireless/realtek/rtw88/rtw8822bu.c?h=v6.5.5