ZerBea / hcxtools

A small set of tools to convert packets from capture files to hash files for use with Hashcat or John the Ripper.
MIT License

Please add obtain BSSID #336

Closed LLH-l closed 5 months ago

LLH-l commented 5 months ago

BSS Id: TpLinkTechno_cd:40:41 (8c:a6:df:cd:40:41). Please add an option to obtain (filter by) the BSSID:

hcxpcapngtool -BSSID 8c:a6:df:cd:40:41 

ZerBea commented 5 months ago

The purpose of hcxpcapngtool is to convert all available data from a pcapng file to a hash file or to word lists (used by hashcat or JtR). Additional filter options would make this tool slow (especially when running in the background of web services such as https://wpa-sec.stanev.org or https://hashcat.net/cap2hashcat). Filtering hashes can be done via hcxhashtool or bash options as explained here: https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

All tools (hcxdumptool, hcxlabtool and hcxtools) were made to accomplish exactly one task each. They are designed to be used inside bash scripts, which makes the entire workflow as flexible as the user wants without adding functions to the tools (which would make them slow).

I recommend writing a simple bash script that combines hcxpcapngtool and hcxhashtool:

#!/bin/bash
# usage: getbssid <capture file> <BSSID>
# 1. convert everything in the capture to a temporary 22000 hash file
# 2. keep only the hashes whose access point MAC matches the BSSID

TMPHASH=$(mktemp)
hcxpcapngtool -o "$TMPHASH" "$1"
hcxhashtool -i "$TMPHASH" --mac-ap="$2" -o "$2.hc22000"
rm -f "$TMPHASH"

Name the script e.g. getbssid and store it in /usr/local/bin/

To filter by BSSID run: $ getbssid pcapngfile BSSID

https://linuxhandbook.com/bash/ or more: https://duckduckgo.com/?q=learn+bash+scripting&t=ffab&ia=web
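
The hash-level filtering described above can also be done without hcxhashtool once the 22000 file exists, since the access point MAC is the fourth `*`-separated field of every line. The following script is an added example written for this thread; it is not part of hcxtools. It parses hashcat 22000 lines (both the PMKID type 01 and the EAPOL type 02 layout), normalises the BSSID given in any separator style, and decodes the low three bits of the MESSAGEPAIR field. The EAPOL sample line is the one hcxpcapngtool writes later in this thread (ESSID "ZYM"); the PMKID line is constructed for the example with the BSSID from the issue and a dummy PMKID value.

```python
#!/usr/bin/env python3
"""Filter hashcat 22000 hash lines by BSSID (MAC_AP) and decode their fields.

Added example for this thread, not part of hcxtools.  Field layout is the
published 22000 format:
  WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID_hex*ANONCE*EAPOL*MESSAGEPAIR
TYPE 01 = PMKID (last three fields empty), TYPE 02 = EAPOL 4-way handshake.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Bits 0..2 of MESSAGEPAIR (hashcat 22000 format reference).  Bits 3..7 are
# flags (ap-less, endianness, replay-counter handling); they are kept raw here.
MESSAGE_PAIRS = {
    0: "M1+M2, EAPOL from M2 (challenge)",
    1: "M1+M4, EAPOL from M4 (authorized)",
    2: "M2+M3, EAPOL from M2 (authorized)",
    3: "M2+M3, EAPOL from M3 (authorized)",
    4: "M3+M4, EAPOL from M3 (authorized)",
    5: "M3+M4, EAPOL from M4 (authorized)",
}


def normalize_mac(mac: str) -> str:
    """'8c:a6:df:cd:40:41', '8C-A6-DF-CD-40-41' or '8ca6dfcd4041' -> '8ca6dfcd4041'."""
    m = mac.replace(":", "").replace("-", "").lower()
    if len(m) != 12 or any(c not in "0123456789abcdef" for c in m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


@dataclass
class Hash22000:
    kind: str                    # "PMKID" (type 01) or "EAPOL" (type 02)
    mac_ap: str                  # 12 lowercase hex characters, no separators
    mac_client: str
    essid: str
    message_pair: Optional[int]  # raw MESSAGEPAIR byte, None for PMKID lines
    raw: str

    @property
    def bssid(self) -> str:
        return ":".join(self.mac_ap[i:i + 2] for i in range(0, 12, 2))

    def pair_description(self) -> str:
        if self.message_pair is None:
            return "PMKID (no EAPOL pair)"
        return MESSAGE_PAIRS.get(self.message_pair & 0x07, "unknown pair value")


def parse_line(line: str) -> Hash22000:
    """Split one 22000 line into its fields; raise ValueError on anything else."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError(f"not a 22000 line: {line[:40]!r}")
    mac_ap, mac_client = normalize_mac(fields[3]), normalize_mac(fields[4])
    essid = bytes.fromhex(fields[5]).decode("utf-8", errors="replace")
    if fields[1] == "01":
        return Hash22000("PMKID", mac_ap, mac_client, essid, None, line.strip())
    # int() rejects an empty or malformed MESSAGEPAIR field with ValueError
    return Hash22000("EAPOL", mac_ap, mac_client, essid, int(fields[8], 16), line.strip())


def filter_by_bssid(lines: Iterable[str], bssid: str) -> List[Hash22000]:
    """Return only the hashes whose MAC_AP equals bssid (any separator style)."""
    want = normalize_mac(bssid)
    return [h for h in (parse_line(l) for l in lines if l.strip() and not l.startswith("#"))
            if h.mac_ap == want]


# Sample input.  First line: the hash hcxpcapngtool wrote for the dump in this
# thread (ESSID "ZYM").  Second line: constructed for this example, dummy PMKID.
SAMPLE_LINES = [
    "WPA*02*e15f92cf8d3c1fd5c0f559ac60b34b60*fa4cda930ee8*e279729fa2ff*5a594d*"
    "51854d5cca913ca6557c29d4e095c0b754c776976ac052f72f3261695db0b410*"
    "0103007502010a000000000000000000018b86f559035eb361ffecd4375c51518bca72c577de7241f60e83b0f33302007f"
    "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    "001630140100000fac040100000fac040100000fac020000*82",
    "WPA*01*00112233445566778899aabbccddeeff*8ca6dfcd4041*e279729fa2ff*6578616d706c65***",
]

if __name__ == "__main__":
    import sys
    bssid = sys.argv[1] if len(sys.argv) > 1 else "fa:4c:da:93:0e:e8"
    source = open(sys.argv[2]).read().splitlines() if len(sys.argv) > 2 else SAMPLE_LINES
    for h in filter_by_bssid(source, bssid):
        print(f"{h.bssid} {h.kind:5} ESSID={h.essid!r} {h.pair_description()}")
```

Run as `python3 filter22000.py 8c:a6:df:cd:40:41 all.22000` to get the same subset that `hcxhashtool --mac-ap` would select; the decoded pair value for the thread's line is 2, which is the "M2+M3, EAPOL from M2" pair that hcxpcapngtool reports as M32E2.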

LLH-l commented 5 months ago

Compiling the latest version returns some info (61101).

But in the end it can be compiled successfully; no further in-depth testing was conducted to check whether everything is normal.

Compiling 6.3.4: everything is normal.

ZerBea commented 5 months ago

Your git repository is broken and Make shows this warning: "fatal: not a git repository......" https://duckduckgo.com/?q=fatal%3A+not+a+git+repository&t=ffab&ia=web

Get a fresh clone of hcxtools and try again. Make sure your Linux emulator for Windows (I think it is mingw) supports git.

LLH-l commented 5 months ago

Thanks. Although it returns some information, I guess compiling it should not affect normal operation.

ZerBea commented 5 months ago

It only affects the version information. At compile time this information is taken directly from git:

$ hcxpcapngtool -v
hcxpcapngtool 6.3.4-22-gd4f1adb (C) 2024 ZeroBeat

hcxtools version 6.3.4, 22 commits since the 6.3.4 tag, g = git, d4f1adb = commit hash (https://github.com/ZerBea/hcxtools/commit/d4f1adb204d82593513be8fdc1f8a525fbf2aba7)

The other warnings are related to the Windows emulator. You can ignore them. On a Linux system they do not appear:

$ make
mkdir -p .deps
cc -O3 -Wall -Wextra -Wpedantic -Wchar-subscripts -std=gnu99    -MMD -MF .deps/hcxpcapngtool.d -o hcxpcapngtool hcxpcapngtool.c -lssl -lcrypto -lz  -DVERSION_TAG=\"6.3.4-22-gd4f1adb\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
cc -O3 -Wall -Wextra -Wpedantic -Wchar-subscripts -std=gnu99    -MMD -MF .deps/hcxhashtool.d -o hcxhashtool hcxhashtool.c -lssl -lcrypto -lcurl  -DVERSION_TAG=\"6.3.4-22-gd4f1adb\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
cc -O3 -Wall -Wextra -Wpedantic -Wchar-subscripts -std=gnu99   -MMD -MF .deps/hcxpsktool.d -o hcxpsktool hcxpsktool.c -lssl -lcrypto  -DVERSION_TAG=\"6.3.4-22-gd4f1adb\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
cc -O3 -Wall -Wextra -Wpedantic -Wchar-subscripts -std=gnu99   -MMD -MF .deps/hcxpmktool.d -o hcxpmktool hcxpmktool.c -lssl -lcrypto  -DVERSION_TAG=\"6.3.4-22-gd4f1adb\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
cc -O3 -Wall -Wextra -Wpedantic -Wchar-subscripts -std=gnu99   -MMD -MF .deps/hcxeiutool.d -o hcxeiutool hcxeiutool.c   -DVERSION_TAG=\"6.3.4-22-gd4f1adb\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
cc -O3 -Wall -Wextra -Wpedantic -Wchar-subscripts -std=gnu99   -MMD -MF .deps/hcxwltool.d -o hcxwltool hcxwltool.c   -DVERSION_TAG=\"6.3.4-22-gd4f1adb\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
cc -O3 -Wall -Wextra -Wpedantic -Wchar-subscripts -std=gnu99   -MMD -MF .deps/hcxhash2cap.d -o hcxhash2cap hcxhash2cap.c   -DVERSION_TAG=\"6.3.4-22-gd4f1adb\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
cc -O3 -Wall -Wextra -Wpedantic -Wchar-subscripts -std=gnu99    -MMD -MF .deps/wlancap2wpasec.d -o wlancap2wpasec wlancap2wpasec.c -lssl -lcrypto -lcurl  -DVERSION_TAG=\"6.3.4-22-gd4f1adb\" -DVERSION_YEAR=\"2024\" -DWANTZLIB
cc -O3 -Wall -Wextra -Wpedantic -Wchar-subscripts -std=gnu99    -MMD -MF .deps/whoismac.d -o whoismac whoismac.c -lssl -lcrypto -lcurl  -DVERSION_TAG=\"6.3.4-22-gd4f1adb\" -DVERSION_YEAR=\"2024\" -DWANTZLIB

LLH-l commented 5 months ago

It seems the detection logic needs improvement (detecting the corresponding SSID). I have noticed some cases of this phenomenon before, but had no time to report it. The corresponding SSID may appear in an unknown location (possibly). To avoid this phenomenon, hcxpcapngtool needs to be prepared for it.

ZerBea commented 5 months ago

The handshakes are not converted with the default options, because the BEACON does not contain information about the CIPHER SUITE and the AUTHENTICATION key management. RSN-IE and WPA-IE are missing:

Frame 33: 130 bytes on wire (1040 bits), 130 bytes captured (1040 bits)
IEEE 802.11 Beacon frame, Flags: ........
IEEE 802.11 Wireless Management
    Fixed parameters (12 bytes)
    Tagged parameters (94 bytes)
        Tag: SSID parameter set: "ZYM"
        Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6(B), 9, 12(B), 18, [Mbit/sec]
        Tag: DS Parameter set: Current Channel: 11
        Tag: Traffic Indication Map (TIM): DTIM 0 of 1 bitmap
        Tag: ERP Information
        Tag: Extended Supported Rates 9, 18, 48, 54, [Mbit/sec]
        Tag: Vendor Specific: Atheros Communications, Inc.: Advanced Capability
        Tag: Vendor Specific: Atheros Communications, Inc.: Unknown
        Tag: Vendor Specific: Atheros Communications, Inc.: eXtended Range
        Tag: Vendor Specific: Global Sun Technology, Inc.

Please note that the BEACON frame is more than 37 years after the EAPOL messages and it announces an unencrypted network! This can not be converted by default.

$ tshark -r 012004532.cap -T fields -e frame.time
Jan  1, 1970 02:08:52.945423000 CET
Jan  1, 1970 02:08:52.956817000 CET
Jan  1, 1970 02:08:52.968423000 CET
Jan  1, 1970 02:08:52.970557000 CET
Jan  1, 1970 02:09:37.174984000 CET
Jan  1, 1970 02:09:37.189933000 CET
Jan  1, 1970 02:09:37.196945000 CET
Jan  1, 1970 02:09:37.200245000 CET
Jan  1, 1970 02:09:37.202073000 CET
Jan  1, 1970 02:09:46.639215000 CET
Jan  1, 1970 02:09:46.656098000 CET
Jan  1, 1970 02:09:46.661099000 CET
Jan  1, 1970 02:10:28.225912000 CET
Jan  1, 1970 02:10:28.248500000 CET
Jan  1, 1970 02:10:41.244633000 CET
Jan  1, 1970 02:10:41.250822000 CET
Jan  1, 1970 02:10:41.472913000 CET
Jan  1, 1970 01:01:10.738801000 CET
Jan  1, 1970 01:01:10.753733000 CET
Jan  1, 1970 01:01:10.759423000 CET
Jan  1, 1970 01:01:10.762742000 CET
Jan  1, 1970 01:01:18.353112000 CET
Jan  1, 1970 01:01:18.354724000 CET
Jan  1, 1970 01:01:18.959824000 CET
Jan  1, 1970 01:01:18.971410000 CET
Jan  1, 1970 01:01:24.995162000 CET
Jan  1, 1970 01:01:25.012582000 CET
Jan  1, 1970 01:01:25.018553000 CET
Jan  1, 1970 01:01:25.022256000 CET
Jan  1, 1970 01:02:14.988819000 CET
Jan  1, 1970 01:02:15.009380000 CET
Jan  1, 1970 01:02:15.011508000 CET
Feb  1, 2007 22:37:44.256918000 CET

This has been confirmed by hcxpcapngtool:

timestamp minimum (GMT)..................: 01.01.1970 01:01:10
timestamp maximum (GMT)..................: 01.02.2007 22:37:44

I guess this is a merged dump file and the BEACON does not belong to the EAPOL frames!

If you would like to convert this crap (against all warnings of hcxpcapngtool), it is mandatory to add "--ignore-ie":

$ hcxpcapngtool *.* -o test.22000 -E essid --ignore-ie
hcxpcapngtool 6.3.4-22-gd4f1adb reading from 012004532.cap...

summary capture file
--------------------
file name................................: 012004532.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 01.01.1970 01:01:10
timestamp maximum (GMT)..................: 01.02.2007 22:37:44
duration of the dump tool (minutes)......: 19506096
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianness (capture system)..............: little endian
packets inside...........................: 33
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 11 
EAPOL messages (total)...................: 32
EAPOL RSN messages.......................: 32
EAPOLTIME gap (measured maximum msec)....: 4170719
EAPOL ANONCE error corrections (NC)......: not detected
REPLAYCOUNT gap (measured maximum).......: 3
EAPOL M1 messages (total)................: 11
EAPOL M2 messages (total)................: 6
EAPOL M3 messages (total)................: 9
EAPOL M4 messages (total)................: 6
EAPOL M4 messages (zeroed NONCE).........: 6
EAPOL pairs (total)......................: 11
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1

Warning: out of sequence timestamps!
This dump file contains frames with out of sequence timestamps.
That is a bug of the capturing/cleaning tool.

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead. The PCAP Next Generation dump file format is an attempt to overcome the limitations of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: radiotap header is missing!
Radiotap is a de facto standard for 802.11 frame injection and reception. The radiotap header format is a mechanism to supply additional information about frames, from the driver to userspace applications.
https://www.radiotap.org/

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

Information: missing frames!
This dump file does not contain important frames like authentication, association or reassociation.
It always happens if the capture file was cleaned or it could happen if filter options are used during capturing. That makes it hard to recover the PSK.

session summary
---------------
processed cap files...................: 1

$ cat test.22000
WPA*02*e15f92cf8d3c1fd5c0f559ac60b34b60*fa4cda930ee8*e279729fa2ff*5a594d*51854d5cca913ca6557c29d4e095c0b754c776976ac052f72f3261695db0b410*0103007502010a000000000000000000018b86f559035eb361ffecd4375c51518bca72c577de7241f60e83b0f33302007f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*82

If a NETWORK is encrypted, one or both of these INFORMATION ELEMENTS (IE) are mandatory. Example of an RSN-IE:

Tag: RSN Information
    Tag Number: RSN Information (48)
    Tag length: 20
    RSN Version: 1
    Group Cipher Suite: 00:0f:ac (Ieee 802.11) TKIP
        Group Cipher Suite OUI: 00:0f:ac (Ieee 802.11)
        Group Cipher Suite type: TKIP (2)
    Pairwise Cipher Suite Count: 1
    Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
        Pairwise Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
            Pairwise Cipher Suite OUI: 00:0f:ac (Ieee 802.11)
            Pairwise Cipher Suite type: AES (CCM) (4)
    Auth Key Management (AKM) Suite Count: 1
    Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
        Auth Key Management (AKM) Suite: 00:0f:ac (Ieee 802.11) PSK
    RSN Capabilities: 0x0000
        .... .... .... ...0 = RSN Pre-Auth capabilities: Transmitter does not support pre-authentication
        .... .... .... ..0. = RSN No Pairwise capabilities: Transmitter can support WEP default key 0 simultaneously with Pairwise key
        .... .... .... 00.. = RSN PTKSA Replay Counter capabilities: 1 replay counter per PTKSA/GTKSA/STAKeySA (0x0)
        .... .... ..00 .... = RSN GTKSA Replay Counter capabilities: 1 replay counter per PTKSA/GTKSA/STAKeySA (0x0)
        .... .... .0.. .... = Management Frame Protection Required: False
        .... .... 0... .... = Management Frame Protection Capable: False
        .... ...0 .... .... = Joint Multi-band RSNA: False
        .... ..0. .... .... = PeerKey Enabled: False
        ..0. .... .... .... = Extended Key ID for Individually Addressed Frames: Not supported
        .0.. .... .... .... = OCVC: False

Example of a WPA-IE:

Tag: Vendor Specific: Microsoft Corp.: WPA Information Element
    Tag Number: Vendor Specific (221)
    Tag length: 22
    OUI: 00:50:f2 (Microsoft Corp.)
    Vendor Specific OUI Type: 1
    Type: WPA Information Element (0x01)
    WPA Version: 1
    Multicast Cipher Suite: 00:50:f2 (Microsoft Corp.) TKIP
        Multicast Cipher Suite OUI: 00:50:f2 (Microsoft Corp.)
        Multicast Cipher Suite type: TKIP (2)
    Unicast Cipher Suite Count: 1
    Unicast Cipher Suite List 00:50:f2 (Microsoft Corp.) TKIP
        Unicast Cipher Suite: 00:50:f2 (Microsoft Corp.) TKIP
            Unicast Cipher Suite OUI: 00:50:f2 (Microsoft Corp.)
            Unicast Cipher Suite type: TKIP (2)
    Auth Key Management (AKM) Suite Count: 1
    Auth Key Management (AKM) List 00:50:f2 (Microsoft Corp.) PSK
        Auth Key Management (AKM) Suite: 00:50:f2 (Microsoft Corp.) PSK
            Auth Key Management (AKM) OUI: 00:50:f2 (Microsoft Corp.)
            Auth Key Management (AKM) type: PSK (2)
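
The two checks this comment walks through (does the beacon carry an RSN-IE or WPA-IE, and do the timestamps run backwards) can be reproduced on a capture without hcxpcapngtool. The script below is an added example written for this thread, not hcxpcapngtool's own code. It reads a classic little-endian pcap with link type DLT_IEEE802_11 (105, no radiotap, as in the dump discussed here), picks out beacon frames, walks the tagged parameters after the 12-byte fixed parameters, decodes the suite lists of the RSN-IE (tag 48) and the Microsoft WPA-IE (tag 221, OUI 00:50:f2, type 1), and counts records whose timestamp is earlier than the preceding one. The embedded capture is constructed: an open "ZYM"-style beacon, a beacon carrying the exact RSN-IE bytes dissected above, and a beacon carrying the exact WPA-IE bytes dissected above, with the third timestamp deliberately earlier than the second.

```python
#!/usr/bin/env python3
"""Audit BEACON frames in a classic pcap (DLT_IEEE802_11, no radiotap) for
RSN-IE / WPA-IE and flag out-of-sequence timestamps.

Added example for this thread; not hcxpcapngtool's own code.  It parses only
what the thread discusses: pcap records, the 802.11 beacon header and the
tagged parameters that follow the 12-byte fixed parameters.
"""
import struct
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
DLT_IEEE802_11 = 105
TAG_SSID, TAG_RSN, TAG_VENDOR = 0, 48, 221
WPA_IE_HEAD = b"\x00\x50\xf2\x01"   # OUI 00:50:f2 (Microsoft), OUI type 1 = WPA IE
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP (AES)", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}


def read_pcap(data: bytes) -> List[Tuple[float, bytes]]:
    """Return (timestamp_seconds, frame) for every record of a pcap 2.4 file."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian pcap with usec timestamps is handled here")
    if linktype != DLT_IEEE802_11:
        raise ValueError(f"expected DLT_IEEE802_11 (105), got link type {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        records.append((sec + usec / 1e6, data[off:off + incl]))
        off += incl
    return records


def is_beacon(frame: bytes) -> bool:
    """Frame control: type bits 2-3 == 0 (management), subtype bits 4-7 == 8 (beacon)."""
    return len(frame) >= 36 and (frame[0] & 0x0C) == 0 and (frame[0] >> 4) == 8


def tagged_params(frame: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) after the 24-byte MAC header + 12-byte fixed parameters."""
    body, off = frame[36:], 0
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        yield tag, body[off + 2:off + 2 + length]
        off += 2 + length


def parse_suites(ie: bytes) -> Dict[str, object]:
    """Suite-list layout shared by RSN-IE and WPA-IE body:
    version(2 LE) group(4) pairwise_count(2 LE) pairwise(4 each) akm_count(2 LE) akm(4 each)."""
    version = struct.unpack_from("<H", ie, 0)[0]
    group = CIPHER_NAMES.get(ie[5], f"type {ie[5]}")           # OUI(3) + type byte
    pcount = struct.unpack_from("<H", ie, 6)[0]
    pairwise = [CIPHER_NAMES.get(ie[8 + 4 * i + 3], "?") for i in range(pcount)]
    a_off = 8 + 4 * pcount
    acount = struct.unpack_from("<H", ie, a_off)[0]
    akm = [AKM_NAMES.get(ie[a_off + 2 + 4 * i + 3], "?") for i in range(acount)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def beacon_security(frame: bytes) -> Dict[str, object]:
    """What the converter needs from a beacon: SSID plus RSN-IE and/or WPA-IE."""
    info: Dict[str, object] = {"ssid": "", "rsn": None, "wpa": None}
    for tag, value in tagged_params(frame):
        if tag == TAG_SSID:
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == TAG_RSN:
            info["rsn"] = parse_suites(value)
        elif tag == TAG_VENDOR and value.startswith(WPA_IE_HEAD):
            info["wpa"] = parse_suites(value[4:])
    info["encrypted"] = info["rsn"] is not None or info["wpa"] is not None
    return info


def audit(data: bytes) -> Dict[str, object]:
    """Summarise beacons and count timestamps that run backwards."""
    records = read_pcap(data)
    backwards = sum(1 for (a, _), (b, _) in zip(records, records[1:]) if b < a)
    beacons = [beacon_security(f) for _, f in records if is_beacon(f)]
    return {"packets": len(records), "out_of_sequence": backwards, "beacons": beacons}


# --- constructed test capture (not the dump file from the issue) ----------------------
def build_beacon(bssid: bytes, ssid: str, extra_ies: bytes = b"") -> bytes:
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"   # 24-byte MAC header
    fixed = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"                        # timestamp, interval, capabilities
    return hdr + fixed + bytes([TAG_SSID, len(ssid)]) + ssid.encode() + extra_ies

# The RSN-IE and WPA-IE bytes exactly as dissected in this thread (length 20 and 22).
RSN_IE = bytes([TAG_RSN, 20]) + bytes.fromhex("0100 000fac02 0100 000fac04 0100 000fac02 0000")
WPA_IE = bytes([TAG_VENDOR, 22]) + bytes.fromhex("0050f201 0100 0050f202 0100 0050f202 0100 0050f202")

def build_pcap(frames: List[Tuple[int, int, bytes]]) -> bytes:
    """frames = [(sec, usec, frame)] -> little-endian pcap 2.4 with DLT 105."""
    data = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for sec, usec, frame in frames:
        data += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return data

SAMPLE_PCAP = build_pcap([
    (7732, 945423, build_beacon(b"\xfa\x4c\xda\x93\x0e\xe8", "ZYM")),              # open, like the thread's beacon
    (7777, 174984, build_beacon(b"\x8c\xa6\xdf\xcd\x40\x41", "rsn-net", RSN_IE)),
    (3670, 738801, build_beacon(b"\x00\x11\x22\x33\x44\x55", "wpa-net", WPA_IE)),  # timestamp jumps backwards
])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    result = audit(blob)
    print(f"packets={result['packets']} out_of_sequence={result['out_of_sequence']}")
    for b in result["beacons"]:
        print(f"  SSID {b['ssid']!r}: encrypted={b['encrypted']} rsn={b['rsn']} wpa={b['wpa']}")
```

On the constructed capture the first beacon comes back with `encrypted=False`, which is exactly the condition under which hcxpcapngtool refuses to pair the beacon with the EAPOL messages unless `--ignore-ie` is given, and the backwards timestamp is reported as one out-of-sequence record, the condition behind the "out of sequence timestamps" warning above.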

LLH-l commented 5 months ago

Thanks ..

ZerBea commented 5 months ago

You're welcome.

I have to thank you. This dump file shows in an impressive way that hcxpcapngtool is working as expected.

LLH-l commented 5 months ago

Yeah, hcxtools is very good.

ZerBea commented 5 months ago

This broken dump file helps to improve/test hcxpcapngtool.