search

hashcat / hashcat-utils

Small utilities that are useful in advanced password cracking
MIT License
1.33k stars 353 forks source link

handle 4addr in IEEE80211 packets properly in cap2hccapx.c #45

Closed jamazi closed 6 years ago

jamazi commented 6 years ago

this will handle packets headers that contain 4 addr properly, seen this usually in RouterOS wireless sniffed packets that contains QoS header, this is example packet :

[
  {
    "_index": "packets-2018-06-18",
    "_type": "pcap_file",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.encap_type": "20",
          "frame.time": "Jun 17, 2018 17:42:27.669086000 EEST",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1529246547.669086000",
          "frame.time_delta": "0.002050000",
          "frame.time_delta_displayed": "0.002057000",
          "frame.time_relative": "6.843061000",
          "frame.number": "8391",
          "frame.len": "195",
          "frame.cap_len": "195",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "wlan:llc:eapol"
        },
        "wlan": {
          "wlan.fc.type_subtype": "40",
          "wlan.fc": "0x00008803",
          "wlan.fc_tree": {
            "wlan.fc.version": "0",
            "wlan.fc.type": "2",
            "wlan.fc.subtype": "8",
            "wlan.flags": "0x00000003",
            "wlan.flags_tree": {
              "wlan.fc.ds": "0x00000003",
              "wlan.fc.tods": "1",
              "wlan.fc.fromds": "1",
              "wlan.fc.frag": "0",
              "wlan.fc.retry": "0",
              "wlan.fc.pwrmgt": "0",
              "wlan.fc.moredata": "0",
              "wlan.fc.protected": "0",
              "wlan.fc.order": "0"
            }
          },
          "wlan.duration": "60",
          "wlan.ra": "11:22:33:44:55:66",
          "wlan.da": "11:22:33:44:55:66",
          "wlan.ta": "aa:bb:cc:dd:ee:ff",
          "wlan.sa": "aa:bb:cc:dd:ee:ff",
          "wlan.bssid": "aa:bb:cc:dd:ee:ff",
          "wlan.frag": "0",
          "wlan.seq": "1",
          "wlan.addr": "11:22:33:44:55:66",
          "wlan.addr": "aa:bb:cc:dd:ee:ff",
          "wlan.addr": "aa:bb:cc:dd:ee:ff",
          "wlan.addr": "11:22:33:44:55:66",
          "wlan.addr": "aa:bb:cc:dd:ee:ff",
          "wlan.qos": "0x00000000",
          "wlan.qos_tree": {
            "wlan.qos.tid": "0",
            "wlan.qos.priority": "0",
            "wlan.qos.eosp": "0",
            "wlan.qos.ack": "0x00000000",
            "wlan.qos.amsdupresent": "0",
            "wlan.qos.ps_buf_state": "0x00000000",
            "wlan.qos.ps_buf_state_tree": {
              "wlan.qos.buf_state_indicated": "0"
            }
          }
        },
        "llc": {
          "llc.dsap": "0x000000aa",
          "llc.dsap_tree": {
            "llc.dsap.sap": "85",
            "llc.dsap.ig": "0"
          },
          "llc.ssap": "0x000000aa",
          "llc.ssap_tree": {
            "llc.ssap.sap": "85",
            "llc.ssap.cr": "0"
          },
          "llc.control": "0x00000003",
          "llc.control_tree": {
            "llc.control.u_modifier_cmd": "0x00000000",
            "llc.control.ftype": "0x00000003"
          },
          "llc.oui": "0x00000000",
          "llc.type": "0x0000888e"
        },
        "eapol": {
          "eapol.version": "1",
          "eapol.type": "3",
          "eapol.len": "151",
          "eapol.keydes.type": "2",
          "wlan_rsna_eapol.keydes.key_info": "0x000013ca",
          "wlan_rsna_eapol.keydes.key_info_tree": {
            "wlan_rsna_eapol.keydes.key_info.keydes_version": "2",
            "wlan_rsna_eapol.keydes.key_info.key_type": "1",
            "wlan_rsna_eapol.keydes.key_info.key_index": "0",
            "wlan_rsna_eapol.keydes.key_info.install": "1",
            "wlan_rsna_eapol.keydes.key_info.key_ack": "1",
            "wlan_rsna_eapol.keydes.key_info.key_mic": "1",
            "wlan_rsna_eapol.keydes.key_info.secure": "1",
            "wlan_rsna_eapol.keydes.key_info.error": "0",
            "wlan_rsna_eapol.keydes.key_info.request": "0",
            "wlan_rsna_eapol.keydes.key_info.encrypted_key_data": "1",
            "wlan_rsna_eapol.keydes.key_info.smk_message": "0"
          },
          "eapol.keydes.key_len": "16",
          "eapol.keydes.replay_counter": "2",
          "wlan_rsna_eapol.keydes.nonce": "0e:d9:a5:bc:12:79:10:05:e2:76:27:88:6c:d6:6e:00:c5:5f:fb:ce:66:71:a0:d3:ef:be:5b:98:98:df:b6:89",
          "eapol.keydes.key_iv": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
          "wlan_rsna_eapol.keydes.rsc": "00:00:00:00:00:00:00:00",
          "wlan_rsna_eapol.keydes.id": "00:00:00:00:00:00:00:00",
          "wlan_rsna_eapol.keydes.mic": "97:b3:11:42:c7:4b:58:73:47:1c:aa:0a:22:a8:f9:a6",
          "wlan_rsna_eapol.keydes.data_len": "56",
          "wlan_rsna_eapol.keydes.data": "d2:36:f8:99:33:e1:ee:7e:5e:42:1a:3f:12:b7:ae:2c:ab:d2:30:18:a8:72:1b:32:d6:5b:3f:69:11:8d:6d:2f:22:e7:e0:bc:83:8b:5f:0b:b8:00:fa:b1:ea:1c:da:46:c2:88:11:63:00:60:4b:96"
        }
      }
    }
  }
]
jsteube commented 6 years ago

Thanks!

jamazi commented 6 years ago

Hello @ZerBea . Of course, here it is eapol_qos_4addr.pcap.gz

ZerBea commented 6 years ago

Great, thanks. I will add it to hcxtools, too: $ hcxpcaptool -o test.hccapx *.pcap start reading from eapol_qos_4addr.pcap

summary:
file name..............: eapol_qos_4addr.pcap file type..............: pcap 2.4 network type...........: DLT_IEEE802_11 (105) endianess..............: little endian read errors............: flawless packets inside.........: 13 skipped packets........: 0 packets with FCS.......: 0 WDS packets............: 13

Cheers

ZerBea commented 6 years ago

Added handling of WDS packets to hcxtools, too: $ hcxpcaptool -o test.hccapx out.cap start reading from out.cap

summary:
file name..............: out.cap file type..............: pcapng 1.0 network type...........: DLT_IEEE802_11 (105) endianess..............: little endian read errors............: flawless packets inside.........: 14 skipped packets........: 0 packets with FCS.......: 0 WDS packets............: 13 beacons................: 1 EAPOL packets..........: 13 best handshakes........: 1 (ap-less: 0)

1 handshake(s) written to test.hccapx

Again, thanks!

jamazi commented 6 years ago

Would be great if you guys add also support to work with tzsp encapsulated packets, currently I'm using bittwist tool to strip cap files from tzsp like this : bittwiste -M 1 -I input.cap -O out.cap -D 1-47 or (for wireless packets): bittwiste -M 105 -I input.cap -O out.cap -D 1-71

ZerBea commented 6 years ago

Please attach a cap/pcap with DLT_TZSP header to analyze it.

jamazi commented 6 years ago

tzsp.pcap.gz

ZerBea commented 6 years ago

Great, thanks. Analyzed them and saw that hcxtools are able to detect the first 3 header of this cap:

  1. ETHERNET II header (DLT_EN10MB)
  2. IPv4 header
  3. UDP header

$ hcxpcaptool -o test.hccapx tzsp.pcap start reading from tzsp.pcap

summary:
file name..............: tzsp.pcap file type..............: pcap 2.4 network type...........: DLT_EN10MB (1) endianess..............: little endian read errors............: flawless packets inside.........: 15 skipped packets........: 0 packets with FCS.......: 0 IPv4 packets...........: 15 UDP packets............: 15

Will now start to add header 4: TZSP to hcxtools That could take one or 2 days....

ZerBea commented 6 years ago

First step is done: detection of TaZmen Sniffer Protocol (TZSP) $ hcxpcaptool -V *.pcap start reading from tzsp.pcap

summary:
file name..............: tzsp.pcap file type..............: pcap 2.4 network type...........: DLT_EN10MB (1) endianess..............: little endian read errors............: flawless packets inside.........: 15 skipped packets........: 0 packets with FCS.......: 0 IPv4 packets...........: 15 UDP packets............: 15 TZSP packets...........: 15

ZerBea commented 6 years ago

Do we need all encapsulated protocols?

define TZSP_ENCAP_ETHERNET 1

define TZSP_ENCAP_TOKEN_RING 2

define TZSP_ENCAP_SLIP 3

define TZSP_ENCAP_PPP 4

define TZSP_ENCAP_FDDI 5

define TZSP_ENCAP_RAW 7

define TZSP_ENCAP_IEEE_802_11 18

define TZSP_ENCAP_IEEE_802_11_PRISM 119

define TZSP_ENCAP_IEEE_802_11_AVS 127

jamazi commented 6 years ago

Great work :+1: Currently I only see ethernet and ieee_802_11 used by mikrotik sniffer tools ..

ZerBea commented 6 years ago

Ok, than I'll add TZSP_ENCAP_IEEE_802_11 first. Maybe TZSP_ENCAP_IEEE_802_11_PRISM and TZSP_ENCAP_IEEE_802_11_AVS depend on the used chipset. Also a future implementation of TZSP_ENCAP_PPP and TZSP_ENCAP_ETHERNET shouldn't be a big problem, because hcxtools are able to detect and handle this packets, allready. TZSP looking very interesting for me: https://wikivisually.com/wiki/TZSP

ZerBea commented 6 years ago

Big thanks to Atom, that we can use this (his) thread.

ZerBea commented 6 years ago

During my analysis, I noticed that they use variable fields (and variable field len) in TZSP header and we must do a tagwalk through the complete header.

So that will not work on every case: ...currently I'm using bittwist tool to strip cap files from tzsp like this : bittwiste -M 1 -I input.cap -O out.cap -D 1-47 or (for wireless packets): bittwiste -M 105 -I input.cap -O out.cap -D 1-71

ZerBea commented 6 years ago

Done. Added full support for full support (icl. conversion to hccapx) for TaZmen Sniffer Protocol (TZSP):

$ hcxpcaptool -V tzsp.pcap start reading from tzsp.pcap

summary:
file name....................: tzsp.pcap file type....................: pcap 2.4 network type.................: DLT_EN10MB (1) endianess....................: little endian read errors..................: flawless packets inside...............: 15 skipped packets..............: 0 packets with FCS.............: 0 WDS packets..................: 15 EAPOL packets................: 15 IPv4 packets.................: 15 UDP packets..................: 15 TZSP (802.11) packets........: 15

ZerBea commented 6 years ago

@jamazi: Do you have a non-Qos cap file ? Unfortuanetly i haven't some examples. https://github.com/magnumripper/JohnTheRipper/issues/3282#issuecomment-400361578