Small set of tools to capture and convert packets from wlan devices (h = hash, c = capture, convert and calculate candidates, x = different hashtypes) for the use with latest hashcat or John the Ripper. The tools are 100% compatible to hashcat and John the Ripper and recommended by hashcat. This branch is pretty closely synced to hashcat git branch (that means: latest hcxtools matching on latest hashcat beta) and John the Ripper git branch ( "bleeding-jumbo").
Support for hashcat hash-modes: 2500, 2501, 4800, 5500, 12000, 16100
Support for John the Ripper hash-modes: WPAPSK-PMK, PBKDF2-HMAC-SHA1, chap, netntlm, tacacs-plus
After capturing, upload the "uncleaned" cap here (http://wpa-sec.stanev.org/?submit) to see if your ap or the client is vulnerable by using common wordlists. Convert the cap to hccapx and check if wlan-key or plainmasterkey was transmitted unencrypted.
Multiple stand-alone binaries - designed to run on Raspberry Pi's.
All of these utils are designed to execute only one specific function.
Read this post: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (https://hashcat.net/forum/thread-6661.html)
| Tool | Description |
|---|---|
| wlandump-ng | Small, fast and powerfull deauthentication/authentication/response tool |
| hcxdumptool | raw socket version of wlandump-ng |
| wlanrcascan | Small, fast and simple passive WLAN channel assignment scanner (status output) |
| pioff | Turns Raspberry Pi off via GPIO switch |
| hcxpcaptool | Shows info of pcap / pcapng file |
| hcxhashcattool | Calculate PMKs from hashcat -m 2500 potfile |
| wlancap2hcx | Converts cap to hccapx and other formats (recommended for use with wlandump-ng) |
| wlanhcx2cap | Converts hccapx to cap |
| wlanhc2hcx | Converts hccap to hccapx |
| wlanwkp2hcx | Converts wpk (ELMCOMSOFT EWSA projectfile) to hccapx |
| wlanhcx2essid | Merges hccapx containing the same ESSID |
| wlanhcx2ssid | Strips BSSID, ESSID, OUI |
| wlanhcxinfo | Shows detailed info from contents of hccapxfile |
| wlanhcxmnc | Help to calculate hashcat's nonce-error-corrections value on byte number xx of an anonce |
| wlanhashhcx | Generate hashlist from hccapx hashfile (md5_64 hash:mac_ap:mac_sta:essid) |
| wlanhcxcat | Simple password recovery tool for WPA/WPA2/WPA2 SHA256 AES-128-CMAC (hash-modes 2500, 2501) |
| wlanpmk2hcx | Converts plainmasterkey and ESSID for use with hashcat hash-mode 12000 or john PBKDF2-HMAC-SHA1 |
| wlanjohn2hcx | Converts john wpapsk hashfiles for use with hashcat hash-modes 2500, 2501 |
| wlancow2hcxpmk | Converts pre-computed cowpatty hashfiles for use with hashcat hash-mode 2501 |
| wlanhcx2john | Converts hccapx to format expected by John the Ripper |
| wlanhcx2psk | Calculates candidates for hashcat based on the hccapx file |
| wlancap2wpasec | Upload multiple caps to http://wpa-sec.stanev.org |
| whoismac | Show vendor information and/or download oui reference list |
Simply run:
make
make install (as super user)
or (with GPIO support - hardware mods required)
make GPIOSUPPORT=on
make GPIOSUPPORT=on install (as super user)
-
Linux (recommended Arch, but other distros should work, too). Don't use Kernel 4.4 (rt2x00 driver regression)
-
libpcap and pcap-dev installed
-
libopenssl and openssl-dev installed
-
librt and librt-dev installed (should be installed by default)
-
zlib and zlib-dev installed (for gzip compressed cap/pcap/pcapng files)
-
libcurl and curl-dev installed (used by whoismac and wlancap2wpasec)
-
libpthread and pthread-dev installed (used by hcxhashcattool)
-
Raspberry Pi: additionally libwiringpi and wiringpi dev installed (Raspberry Pi GPIO support)
-
Chipset must be able to run in monitor mode. Recommended: RALINK chipset (good receiver sensitivity), rt2x00 driver (stable and fast)
-
Raspberry Pi (Recommended: A+ = very low power consumption or B+), but notebooks and desktops should work, too.
To install requirements on Kali use the following 'apt-get install libpcap-dev libcurl4-openssl-dev libssl-dev'
USB ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
USB ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
USB ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter
USB ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n
PCIe RTL8821AE 802.11ac PCIe Wireless Network Adapter
| Script | Description |
|---|---|
| bash_profile | Autostart for Raspberry Pi (copy to /root/.bash_profile) |
| pireadcard | Back up a Pi SD card |
| piwritecard | Restore a Pi SD card |
| makemonnb | Example script to activate monitor mode |
| killmonnb | Example script to deactivate monitor mode |
Most output files will be appended to existing files (with the exception of .cap files).
LED flashes 5 times if wlandump-ng successfully started
LED flashes every 5 seconds if everything is fine
Press push button at least > 5 seconds until LED turns on (LED turns on if wlandump-ng terminates)
Green ACT LED flashes 10 times
Raspberry Pi turned off and can be disconnected from power supply
Do not use wlandump-ng and pioff together!
LED flashes every 30 seconds 2 times if pioff successfully started
Press push button at least > 5 seconds until LED turns on (pioff will shut down Raspberry Pi safely)
Green ACT LED flashes 10 times
Raspberry Pi turned off and can be disconnected from power supply
Do not use wlandump-ng or pioff together!
wlan host = filter all hosts using this mac
wlan dst = filter all destinations using this mac
wlan src = filter all sources using this mac
wlan ta = filter all transmitter addresses using this mac
wlan ta = filter all receiver addresses using this mac
write all filter entries into one single line !(filterenty1 || filterenty2 || filterenty2)
use ! (not) to filter entries out
!(wlan host 00:00:00:00:00:00 || wlan dst 00:00:00:00:00:00 || wlan src 00:00:00:00:00:00 || wlan ta 00:00:00:00:00:00 || wlan ra 00:00:00:00:00:00)
or allow only this entries
(wlan host 00:00:00:00:00:00 || wlan dst 00:00:00:00:00:00 || wlan src 00:00:00:00:00:00 || wlan ta 00:00:00:00:00:00 || wlan ra 00:00:00:00:00:00)
You must use wlandump-ng only on networks you have permission to do this, because
-
wlandump-ng is able to prevent complete wlan traffic
-
wlandump-ng is able to capture handshakes from not connected clients (only one single M2 from the client is required)
-
wlandump-ng is are able to capture handshakes from 5GHz clients on 2.4GHz (only one single M2 from the client is required)
-
wlandump-ng is able to capture extended EAPOL (RADIUS, GSM-SIM, WPS)
-
wlandump-ng is able to capture passwords from the wlan traffic
-
wlandump-ng is able to capture plainmasterkeys from the wlan traffic
-
wlandump-ng is able to capture usernames and identities from the wlan traffic