04.03.2024 ========== README.md: removed entire instructions how to compile hcxtools on different distributions check the distribution's page how to update the ditribution, how to install missing dependencies and missing header files 25.02.2024 ========== release v6.3.4 26.01.2024 ========== hcxpcapngtool: added option to store a BSSID file to syn with external GPS data --lts= : output BSSID list to sync with external GPS data format: LINUX timestamp MAC_AP ESSID 14.12.2023 ========== hcxhashtool: added new option to import ancient hccap file --hccap-in= : inputput ancient hccap file 13.12.2023 ========== hcxhashtool: changed options hccapx and hccap --hccapx-out= : output to deprecated hccapx file --hccap-out= : output to ancient hccap file hcxhashtool: added new option to import deprecated hccapx file --hccapx-in= : inputput deprecated hccapx file 01.11.2023 ========== release v6.3.2 26.09.2023 ========== hcxpsktool: added simple pattern generator based on analysis of wpa-sec --simple : include simple pattern 04.07.2023 ========== added -Wpedantic to compiler flags and fixed all warnings 30.06.2023 ========== release v6.3.1 13.05.2023 ========== hcxhashtool: allow to print ESSID list to stdout -E : output ESSID list (autohex enabled) -E stdout : output ESSID list to stdout (autohex enabled) 10.05.2023 ========== hcxpcapngtool: added new option store PMKIDs coming from a CLIENT to a separate hash file. --pmkid-client= : output WPA-(MESH/REPEATER)-PMKID hash file (hashcat -m 22000) to sucessfully recover the PSK from this PMKIDs, it is mandatory to store all PMKIDs coming from a CLIENT to this file added information about source to the end of WPA*01 hash line: PMKID from ACCESS POINT: WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID***01 PMKID from CLIENT : WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID***10 05.05.2023 ========== release v6.3.0 hcxhashtool/whoismac: do not overwrite oui.txt in case of download ERROR 10.03.2023 ========== release v6.2.9 hcxpcapngtool moved default timestamp from usec to nsec (timeval to timespec) 10.03.2023 ========== release v6.2.8 moved to EVP API 3.0 (from now on OpenSSL >= 3.0 is mandatory) hcxpcapngtool: handle nsec timestamps 24.12.2022 ========== hcxpcapngtool: added detection of entire RADIUS detection RADIUS AUTHENTICATION (REQUEST)..........: 2 RADIUS AUTHENTICATION (CHALLENGE)........: 1 RADIUS AUTHENTICATION (ACCEPT)...........: 1 23.12.2022 ========== wlancap2wpasec: moved to curl_mime_xxx from now on curl >= 7.56 is mandatory 14.12.2022 ========== hcxhashtool: added new option -L to write unfiltered and unsorted ESSID list (usefull for hashcat -a9 option) 25.11.2022 ========== hcxhashtool: added new option --essid-partx to filter case insensitive more information here: https://hashcat.net/forum/thread-6661-post-56782.html#pid56782 17.11.2022 ========== hcxpcapngtool: added detection of TACAS plus v2 and v3 13.11.2022 ========== removed deprecated tools: | deprecated | obsolete and - no longer under maintenance - will be removed, when OpenSSL switching to version 3.0.0 | | -------------- | ---------------------------------------------------------------------------------------------------------------------- | | hcxmactool | Various MAC based filter operations on HCCAPX and PMKID files - convert hccapx and/or PMKID to new hashline format | | hcxpmkidtool | CPU based tools to verify a PMKID | | hcxessidtool | Various ESSID based filter operations on HCCAPX and PMKID files | | hcxhashcattool | Convert old hashcat (<= 5.1.0) separate potfile (2500 and/or 16800) to new potfile format | improved hcxpmktool (tool to verify a single hc22000 hash): $ hcxpmktool --help hcxpmktool 6.2.7-51-g60b1801 (C) 2022 ZeroBeat usage : hcxpmktool short options: -l : input hashcat hash line (-m 22000) -e : input Network Name (ESSID) -p : input Pre Shared Key (PSK) or Plain Master Key (PMK) -p - : read Pre Shared Key (PSK) from stdin : small lists only long options: --help : show this help --version : show version exit codes: 0 = PSK/PMK confirmed 1 = ERROR occurred 2 = PSK/PMK unconfirmed examples: get 22000 hashes from here: https://hashcat.net/wiki/doku.php?id=example_hashes verify PMKID hash (WPA*01) by PSK $ hcxpmktool -l WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964*** -p hashcat! HASH FORMAT.: PMKID (WPA*01) ESSID.......: hashcat-essid MAC_AP......: fc690c158264 MAC_CLIENT..: f4747f87f9f4 PSK.........: hashcat! PMK.........: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc (calculated) PMKID.......: 4d4fe7aac3a2cecab195321ceb99a7d0 (confirmed) verify PMKID hash (WPA*01) by PMK $ hcxpmktool -l WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964*** -p 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc HASH FORMAT.: PMKID (WPA*01) ESSID.......: hashcat-essid MAC_AP......: fc690c158264 MAC_CLIENT..: f4747f87f9f4 PMK.........: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc PMKID.......: 4d4fe7aac3a2cecab195321ceb99a7d0 (confirmed) verify EAPOL hash (WPA*02) by PSK $ hcxpmktool -l WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*a2 -p hashcat! HASH FORMAT.: EAPOL (WPA*02) ESSID.......: TP-LINK_HASHCAT_TEST MAC_AP......: 6466b38ec3fc MAC_CLIENT..: 225edc49b7aa PSK.........: hashcat! PMK.........: 0857172bd4d3ebb34cf00f3619726008d27558926d963a547332fab033023b82 (calculated) KEY VERSION.: WPA2 NONCE AP....: 10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e NONCE CLIENT: 48ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171 KCK.........: 57d0f2ff5faef56f9b94390aebf4474d (calculated) KEK.........: 9913af266f6e00225edc49b7aa6466b3 (calculated) TK..........: 8ec3fc10e3be3b005a629e89de088d6a (calculated) TKIP TX MIC.: 2fdc489db83ad476 (calculated) TKIP RX MIC.: 4f2d186b9cde1544 (calculated) MIC.........: 024022795224bffca545276c3762686f (confirmed) verify EAPOL hash (WPA*02) by PMK $ hcxpmktool -l WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*a2 -p 0857172bd4d3ebb34cf00f3619726008d27558926d963a547332fab033023b82 HASH FORMAT.: EAPOL (WPA*02) ESSID.......: TP-LINK_HASHCAT_TEST MAC_AP......: 6466b38ec3fc MAC_CLIENT..: 225edc49b7aa PMK.........: 0857172bd4d3ebb34cf00f3619726008d27558926d963a547332fab033023b82 KEY VERSION.: WPA2 NONCE AP....: 10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e NONCE CLIENT: 48ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171 KCK.........: 57d0f2ff5faef56f9b94390aebf4474d (calculated) KEK.........: 9913af266f6e00225edc49b7aa6466b3 (calculated) TK..........: 8ec3fc10e3be3b005a629e89de088d6a (calculated) TKIP TX MIC.: 2fdc489db83ad476 (calculated) TKIP RX MIC.: 4f2d186b9cde1544 (calculated) MIC.........: 024022795224bffca545276c3762686f (confirmed) if either PMKID or MIC is confirmed, exit code is 2 $ echo $? 2 12.11.2022 ========== start moving to OpenSSL 3.0 EVP API this is a huge step forward an will break backward compatibility https://wiki.openssl.org/index.php/OpenSSL_3.0 10.07.2022 ========== hcxpcapngtool: added option to add a timestamp to the converted 22000 hash line --add-timestamp : add date/time to hash line this must be filtered out before feeding hashcat with the hash, e.g. by awk: cat hash.hc22000 | awk '{print $1}' > hashremovedtimestamp.hc22000 Warning: hashcat doesn't accept this hash line - the time stamp must be removed before running hashcat on it 01.06.2022 ========== hcxpsktool: added new option --asus : include weak ASUS RT-AC58U candidates (ASUS_XX) 26.04.2022 ========== hcxpsktool: fixed stdout bug release v6.2.7 22.04.2022 ========== release v6.2.6 still supporting OpenSSL 1.1 09.04.2022 ========== hcxpsktool: added new option --alticeoptimum : include weak Altice/Optimum candidates (MyAltice) 01.12.2021 ========== release v6.2.5 still supporting OpenSSL 1.1 23.10.2021 ========== added generic hcxtools.1 man page 22.10.2021 ========== removed manpages, because they are only a duplicate of the help menu moved installation path from /usr/local/bin to /usr/bin 14.10.2021 ========== hcxpsktool: renamed option --askeyarris to --spectrum 25.09.2021 ========== hcxhashtool: added new option to filter by replay count not checked (nonce-error-corrections mandatory) --rc-not : filter EAPOL pairs by replaycount status not checked 17.09.2021 ========== hcxhashtool: renamed option --notauthorized to --challenge added additional information about filtered MESSAGE PAIRS for this options 14.09.2021 ========== release v6.2.4 This is the last version, supporting OpenSSL 1.1 Next version 6.3.0 will need OpenSSL 3.0.0 01.09.2021 ========== hcxpcapngtool: added new option to retrieve information about the ACCESS POINT As initial start, if transmitted, MAC_AP, MANUFACTURER, MODELNAME, SERIALNUMBER and DEVICENAME are stored (delimited by tab). -D : output device information list format MAC MANUFACTURER MODELNAME SERIALNUMBER DEVICENAME UUID E 28.08.2021 ========== wlancap2wpasec: added upload progress information whoismac: added download progress information hcxhashtool: added download progress information hcxhashtool: added more info options (https://github.com/ZerBea/hcxtools/issues/195) --info= : output detailed information about content of hash file not in combination with --vendor, --vendor-ap or --vendor-client --info=stdout : stdout output detailed information about content of hash file not in combination with --vendor, --vendor-ap or --vendor-client --info-vendor= : output detailed information about ACCESS POINT and CLIENT VENDORs not in combination with --vendor, --vendor-ap or --vendor-client --info-vendor-ap= : output detailed information about ACCESS POINT VENDORs not in combination with --vendor, --vendor-ap or --vendor-client --info-vendor-client= : output detailed information about ACCESS POINT VENDORs not in combination with --vendor, --vendor-ap or --vendor-client --info-vendor=stdout : stdout output detailed information about ACCESS POINT and CLIENT VENDORs not in combination with --vendor, --vendor-ap or --vendor-client --info-vendor-ap=stdout : stdout output detailed information about ACCESS POINT VENDORs not in combination with --vendor, --vendor-ap or --vendor-client --info-vendor-client=stdout : stdout output detailed information about ACCESS POINT VENDORs not in combination with --vendor, --vendor-ap or --vendor-client 27.08.2021 ========== hcxhashtool: VENDOR search is not longer case sensitive (https://github.com/ZerBea/hcxtools/issues/195) hcxhashtool: improved filtering by VENDOR --vendor= : filter AP or CLIENT by (part of) VENDOR name --vendor-ap= : filter AP by (part of) VENDOR name --vendor-client= : filter CLIENT by (part of) VENDOR name 25.08.2021 ========== hcxpcapngtool: advanced handling of BEACON and PROBERESPOSNE frames distinguish between SSID set, SSID unset and SSID zeroed 20.06.2021 ========== Makefile: added compiler flag to disable zlib support 04.06.2021 ========== hcxpcapngtool: improved CSV output: --csv= : output ACCESS POINT information in CSV format delimiter: tabulator (0x08) columns: YYYY-MM-DD HH:MM:SS MAC_AP ESSID ENC_TYPE CIPHER AKM COUNTRY_INFO CHANNEL RSSI GPS(DM.m) GPS(D.d) GPSFIX to convert it to other formats, use bash tools or scripting languages GPS FIX: 0 = fix not available or invalid 1 = fix valid (GPS SPS mode) 2 = fix valid (differential GPS SPS Mode) 3 = not supported 4 = not supported 5 = not supported 6 = fix valid (Dead Reckoning Mode) 28.05.2021 ========== hcxpsktool: added new option to use an exclude ESSID combinations --noessidcombination: exclude ESSID combinations 17.05.2021 ========== release v 6.2.0 get ready for gcc 11.1.0 fixed CVE-2021-32286 12.05.2021 ========== hcxpsktool: added new option to print only candidates based on ACCESS POINT MAC --maconly : print only candidates based on ACCESS POINT MAC 17.03.2021 ========== hcxhashtool: added new option to use an exclude MAC filter list --mac-skiplist= : exclude MAC from file format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex) 09.03.2021 ========== release v 6.1.5 get ready for OpenSSL 3.0 28.02.2021 ========== added new tool to calculate a PMK and verify a 22000 hashline hcxpmktool 6.1.5-72-g585fe37 (C) 2021 ZeroBeat usage : hcxpmktool short options: -i : input hashcat hash line (-m 22000) -e : input ESSID default: use ESSID from hash line -p : input Pre Shared Key -m : input Plain Master KEY long options: --help : show this help --version : show version 09.02.2021 ========== started to prepare to use openssl 3.0 Many structures have been made opaque in OpenSSL 3.0 since OpenSSL 1.0.2 https://wiki.openssl.org/index.php/OpenSSL_3.0 it is recommended to upgrade to at least OpenSSL 1.1 04.02.2021 ========== hcxpcapngtool: fixed handling of BE pcapng files on BE systems 14.01.2021 ========== release v 6.1.5 02.01.2021 ========== hcxhashtool: added new option --mac-list --mac-list= : filter by MAC file : format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex) 31.12.2020 ========== hcxpcapngtool: added new option --csv --csv= : output ACCESS POINT information in CSV format delimiter: tabulator (0x08) columns: YYYY-MM-DD HH:MM:SS MAC_AP ESSID ENC_TYPE CIPHER AKM COUNTRY_INFO CHANNEL RSSI LATITUDE QUADRANT LONGITUDE QUADRANT 10.12.2020 ========== Makefile: make use of pkg-config 02.12.2020 ========== release v 6.1.4 21.11.2020 ========== hcxhashtool: added new option to filter by ESSID list --essid-list= : filter by ESSID file hcxpcapngtool: show openSSL version in status 27.10.2020 ========== hcxeiutool: new tool to prepare -E -I -U output of hcxpcapngtool for use by hashcat + rule $ hcxeiutool -h hcxeiutool 6.1.3-37-gbdc5a67 (C) 2020 ZeroBeat usage: hcxeiutool options: -i : input wordlist -d : output digit wordlist -x : output xdigit wordlist -c : output character wordlist (A-Za-z - other characters removed) -s : output character wordlist (A-Za-z - other characters replaced by 0x0d) -h : show this help -v : show version --help : show this help --version : show version example: $ hcxdumptool -i -o dump.pcapng --enable_status=31 $ hcxpcapngtool -o test.22000 -E elist dump.pcapng $ hcxeiutool -i elist -d digitlist -x xdigitlist -c charlist -s sclist $ cat elist digitlist xdigitlist charlist sclist > wordlisttmp $ hashcat --stdout -r charlist >> wordlisttmp $ hashcat --stdout -r sclist >> wordlisttmp $ cat wordlisttmp | sort | uniq > wordlist $ hashcat -m 22000 dump.pcapng wordlist 15.10.2020 ========== hcxpcapngtool: added handling of BSD loopback header (DLT_NULL) 13.10.2020 ========== hcxpcapngtool: added new option --tacacs-plus --tacacs-plus= : output TACACS+ (hashcat -m 16100, john tacacs-plus) hcxpcapngtool: merged options --eapleap and --eapmschapv2 to --eapleap due to same hash format --eapleap= : output EAP LEAP and MSCHAPV2 CHALLENGE (hashcat -m 5500, john netntlm) --prefix= : convert everything to lists using this prefix (overrides single options): -o : output PMKID/EAPOL hash file -E : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker -I : output unsorted identity list to use as input wordlist for cracker -U : output unsorted username list to use as input wordlist for cracker --eapmd5= : output EAP MD5 CHALLENGE (hashcat -m 4800) --eapleap= : output EAP LEAP and MSCHAPV2 CHALLENGE (hashcat -m 5500, john netntlm) --nmea= : output GPS data in NMEA format 12.10.2020 ========== hcxpcapngtool: added new option --eapmschapv2 --eapmschapv2= : output EAP MSCHAPV2 CHALLENGE (hashcat -m 5500, john netntlm) 11.10.2020 ========== hcxpsktool: added new option --ee --ee : include weak EE BrightBox candidates 09.10.2020 ========== release v 6.1.3 05.10.2020 ========== refactored weak candidate list based on wpa-sec analysis 28.09.2020 ========== removed deprecated wlanpmk2hcx 18.09.2020 ========== hcxpcapngtool: added new option -R -R : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker retrieved from PROBEREQUEST frames only 17.09.2020 ========== release v 6.1.2 10.09.2020 ========== removed deprecated wlanhcx2ssid, wlanhcxinfo aand wlanhcxcat 07.09.2020 ========== removed deprecated wlanhcx2john, wlanjohn2hcx and wlanwkp2hcx 04.09.2020 ========== removed deprecated hcxpcaptool - use hcxpcapngtool instead 19.08.2020 ========== hcxpsktool: added new option: --egn : include Bulgarian EGN 06.08.2020 ========== release v 6.1.1 improved warnings fixed handling of short options added several new weak candidates 29.06.2020 ========== release v 6.1.0 27.07.2020 ========== hcxhashtool: added new options to get full benefit aof reuse of PBKDF2 --hcx-min= : disregard hashes with occurrence lower than hcx-min/ESSID --hcx-max= : disregard hashes with occurrence higher than hcx-min/ESSID 19.06.2020 ========== hcxpsktool: splitted NETGEAR and ASKEY/ARRIS weak candidate list --netgear : include weak NETGEAR / ORBI candidates --askeyarris : include weak MySpectrumWiFI / SpectrumSetup / MyCharterWiFI candidates 15.06.2020 ========== release v 6.0.3 27.05.2020 ========== hcxpcapngtool: added counter for AKM defined EAPOL messages ASSOCIATIONREQUEST (SAE SHA256)..........: 1 ... EAPOL M1 messages........................: 44361 EAPOL M1 messages (AKM defined)..........: 2 EAPOL M2 messages........................: 1631 EAPOL M2 messages (AKM defined)..........: 3 20.05.2020 ========== hcxpcapngtool: print warning if out of sequence time stamps detected hcxdumptool < 6.0.5 was affected, too and hcxpcapngtool will show you this warning hcxdumptool 6.0.6 is fixed improved conversion speed 18.05.2020 ========== hcxpcapngtool: handle wrong time stamps in pwnagotchi cap files on --nonce-error-corrections > 0 In that case we can't rely on EAPOL TIME OUT 01.05.2020 ========== hcxpcapngtool: handle vendor defined action frames (eg: AWDL) 06.04.2020 ========== release v 6.0.2 hcxpcapngtool: improved NC speed and more bug fixes 03.04.2020 ========== release v 6.0.1 hcxpcapngtool: improved NC speed and some bug fixes removed deprecated wlanhc2hcx removed deprecated wlancow2hcxpmk 02.04.2020 ========== release v 6.0.0 30.03.2020 ========== hcxhash2cap: added new option to convert PMKID&EAPOL (hashcat -m 22000) to cap file --pmkid-eapol= : input PMKID EAPOL combi hash file 14.03.2020 ========== moved to v 6.0.0 complete rewrite from scratch full support of new hashline PMKID+EAPOL (hashcat -m 22000 and JtR) https://github.com/hashcat/hashcat/issues/1816 https://github.com/magnumripper/JohnTheRipper/issues/4183 support EAP-LEAP support EAP-MD5 several bug fixes improved summary improved detection of cipher and AKM suites improved detection of malformed frames (caused by device, driver or monitor mode) read more about monitor mode caused bit errors here: http://www.ict-optimix.eu/images/a/ad/WiFiBitError.pdf In monitor mode the adapter does not check to see if the cyclic redundancy check (CRC) values are correct for packets captured, so some captured packets may be corrupted. hcxpsktool: added new weak candidates hcxpcapngtool: new tool $ hcxpcapngtool -h hcxpcapngtool 6.0.0 (C) 2020 ZeroBeat usage: hcxpcapngtool hcxpcapngtool input.pcapng hcxpcapngtool *.pcapng hcxpcapngtool *.pcap hcxpcapngtool *.cap hcxpcapngtool *.* short options: -o : output PMKID/EAPOL hash file hashcat -m 22000/22001 and JtR wpapsk-opencl/wpapsk-pmk-opencl -E : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker -I : output unsorted identity list to use as input wordlist for cracker -U : output unsorted username list to use as input wordlist for cracker -h : show this help -v : show version long options: --all : convert all possible hashes instead of only the best one that can lead to much overhead hashes use hcxhashtool to filter hashes need hashcat --nonce-error-corrections >= 8 --eapoltimeout= : set EAPOL TIMEOUT (milliseconds) : default: 5000 ms --nonce-error-corrections= : set nonce error correction warning: values > 0 can lead to uncrackable handshakes : default: 0 --ignore-ie : do not use CIPHER and AKM information this will convert all frames regadless of CIPHER and/OR AKM information, and can lead to uncrackable hashes --max-essids= : maximum allowed ESSIDs default: 1 ESSID disregard ESSID changes and take ESSID with highest ranking --eapmd5= : output EAP MD5 CHALLENGE (hashcat -m 4800) --eapmd5-john= : output EAP MD5 CHALLENGE (john chap) --eapleap= : output EAP LEAP CHALLENGE (hashcat -m 5500, john netntlm) --nmea= : output GPS data in NMEA format format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL to convert it to gpx, use GPSBabel: gpsbabel -i nmea -f hcxdumptool.nmea -o gpx -F file.gpx to display the track, open file.gpx with viking --log= : output logfile --raw-out= : output frames in HEX ASCII : format: TIMESTAMP*LINKTYPE*FRAME*CHECKSUM --raw-in= : input frames in HEX ASCII : format: TIMESTAMP*LINKTYPE*FRAME*CHECKSUM --pmkid= : output deprecated PMKID file (delimter *) --hccapx= : output deprecated hccapx v4 file --hccap= : output deprecated hccap file --john= : output deprecated PMKID/EAPOL (JtR wpapsk-opencl/wpapsk-pmk-opencl) --prefix= : convert everything to lists using this prefix (overrides single options): -o : output PMKID/EAPOL hash file -E : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker -I : output unsorted identity list to use as input wordlist for cracker -U : output unsorted username list to use as input wordlist for cracker --eapmd5= : output EAP MD5 CHALLENGE (hashcat -m 4800) --eapleap= : output EAP LEAP CHALLENGE (hashcat -m 5500, john netntlm) --nmea= : output GPS data in NMEA format --help : show this help --version : show version bitmask for message pair field: 0: MP info (https://hashcat.net/wiki/doku.php?id=hccapx) 1: MP info (https://hashcat.net/wiki/doku.php?id=hccapx) 2: MP info (https://hashcat.net/wiki/doku.php?id=hccapx) 3: x (unused) 4: ap-less attack (set to 1) - no nonce-error-corrections necessary 5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary 6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary 7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary Do not edit, merge or convert pcapng files! This will remove optional comment fields! Detection of bit errors does not work on cleaned dump files! Do not use hcxpcapngtool in combination with third party cap/pcap/pcapng cleaning tools (except: tshark and/or Wireshark)! It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this. hcxhashtool: new tool $ hcxhashtool -h hcxhashtool 6.0.0 (C) 2020 ZeroBeat usage: hcxhashtool options: -i : input PMKID/EAPOL hash file -o : output PMKID/EAPOL hash file -E : output ESSID list (autohex enabled) -d : download http://standards-oui.ieee.org/oui.txt : and save to ~/.hcxtools/oui.txt : internet connection required -h : show this help -v : show version --essid-group : convert to ESSID groups in working directory full advantage of reuse of PBKDF2 not on old hash formats --oui-group : convert to OUI groups in working directory not on old hash formats --mac-group-ap : convert APs to MAC groups in working directory not on old hash formats --mac-group-client : convert CLIENTs to MAC groups in working directory not on old hash formats --type : filter by hash type : default PMKID (1) and EAPOL (2) --essid-len : filter by ESSID length : default ESSID length: 0...32 --essid-min : filter by ESSID minimum length : default ESSID minimum length: 0 --essid-max : filter by ESSID maximum length : default ESSID maximum length: 32 --essid= : filter by ESSID --essid-part= : filter by part of ESSID --mac-ap= : filter AP by MAC : format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex) --mac-client= : filter CLIENT by MAC : format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex) --oui-ap= : filter AP by OUI : format: 001122, 00:11:22, 00-11-22 (hex) --oui-client= : filter CLIENT by OUI : format: 001122, 00:11:22, 00-11-22 (hex) --vendor= : filter by (part of) VENDOR name --authorized : filter EAPOL pairs by status authorized --notauthorized : filter EAPOL pairs by status not authorized --rc : filter EAPOL pairs by replaycount status checked --apless : filter EAPOL pairs by status M2 requested from client --info= : output detailed information about content of hash file --info=stdout : stdout output detailed information about content of hash file --vendorlist : stdout output VENDOR list sorted by OUI --psk= : pre-shared key to test : due to PBKDF2 calculation this is a very slow process : no nonce error corrections --pmk= : plain master key to test : no nonce error corrections --hccapx= : output to deprecated hccapx file --hccap= : output to ancient hccap file --hccap-single : output to ancient hccap single files (MAC + count) --john= : output to deprecated john file --help : show this help --version : show version | deprecated | obsolete when hashcat and JtR moved to new PMKID/EAPOL hash line - no longer under maintenance | | -------------- | -------------------------------------------------------------------------------------------------------------------- | | whoismac | Show vendor information and/or download oui reference list | | hcxmactool | Various MAC based filter operations on HCCAPX and PMKID files - convert hccapx and/or PMKID to new hashline format | | hcxpcaptool | Shows info of pcap/pcapng file and convert it to other hashformats accepted by hashcat and John the Ripper | | hcxpmkidtool | CPU based tools to verfiy a PMKID | | hcxessidtool | Various ESSID based filter operations on HCCAPX and PMKID files | | hcxhashcattool | Convert old hashcat (<= 5.1.0) separate potfile (2500 and/or 16800) to new potfile format | | wlanhc2hcx | Converts hccap to hccapx | | wlanwkp2hcx | Converts wpk (ELMCOMSOFT EWSA projectfile) to hccapx | | wlanhcx2ssid | Strips BSSID, ESSID, OUI | | wlanhcxinfo | Shows detailed info from contents of hccapxfile | | wlanhcxcat | Simple password recovery tool for WPA/WPA2/WPA2 SHA256 AES-128-CMAC (hash-modes 2500, 2501) | | wlanpmk2hcx | Converts plainmasterkey and ESSID for use with hashcat hash-mode 12000 or john PBKDF2-HMAC-SHA1 | | wlanjohn2hcx | Converts john wpapsk hashfiles for use with hashcat hash-modes 2500, 2501 | | wlancow2hcxpmk | Converts pre-computed cowpatty hashfiles for use with hashcat hash-mode 2501 | | wlanhcx2john | Converts hccapx to format expected by John the Ripper | 05.01.2020 ========== hcxhashtool: added new options -d : download http://standards-oui.ieee.org/oui.txt : and save to ~/.hcxtools/oui.txt : internet connection required --info= : output detailed information about content of hash file --info=stdout : stdout output detailed information about content of hash file 03.01.2020 ========== started to remove deprecated tools wlanhcxmnc: removed 19.12.2019 ========== hacxhashtool: added new tool initial this tool will work on new PMKID EAPOL hash line and replace all older hcxtools when all functions implemented. 19.12.2019 ========== hcxpcapngtool: move -j to --john because format is deprecated and JtR will move to new format, too https://github.com/hashcat/hashcat/issues/1816#issuecomment-567423392 17.12.2019 ========== hcxpsktool: added support for hashcat 22000 (crossover PMKID - EAPOL hashline) -c : input PMKID/EAPOL hash file (hashcat -m 22000) 16.12.2019 ========== prepare new tool hcxpcapngtool for hashcat hashmode 22000 (crossover PMKID - EAPOL hashline) highly experemental not all features build in format of hashmode 22000 may change on hashcat and hcxpcapngtool until final release hcxpcaptool will replaced by hcxpcapngtool if everything is working like expected only testing purpose to verify hashcat's new hash mode 22000 09.12.2019 ========== hcxpsktool : added new weak candidates --phome : include PEGATRON HOME candidates 08.12.2019 ========== move to v5.3.0 29.09.2019 ========== hcxpmkidtool: added new tool to verify a PMKID (CPU based) options: -p : input PMKID PMKID:MAC_AP:MAC_STA:ESSID(XDIGIT) PMKID*MAC_AP*MAC_STA*ESSID(XDIGIT) -w : input wordlist (8...63 characters) output: PMK:ESSID (XDIGIT):password -W : input single word (8...63 characters) output: PMK:ESSID (XDIGIT):password -K : input single PMK output: PMK:ESSID (XDIGIT) format: -h : show this help -v : show version --help : show this help --version : show version hcxpmkidtool is designed to verify an existing PSK or and existing PMK. It is not designed to run big wordlists! 25.09.2019 ========== wlanhashhcx: removed hcxmactool: added new tool (MAC based counterpart to ESSID based hcxessidtool) options: -o : filter access point by OUI -n : filter access point by NIC -m : filter access point by MAC -a : filter access point by VENDOR name -O : filter client by OUI -N : filter client point by NIC -M : filter client point by MAC -A : filter client by VENDOR name -h : show this help -v : show version --pmkidin= : input PMKID file 1 --pmkidout= : output PMKID file 1 --hccapxin= : input HCCAPX file --hccapxout= : output HCCAPX file --help : show this help --version : show version 24.09.2019 ========== hcxessidtool: added new options and improved help --pmkidgroupout= : output ESSID groups from ESSIDs present in PMKID1 --hccapxgroupout=: output ESSID groups from ESSIDs present in HCCAPX1 15.09.2019 ========== hcxpcaptool: added new option and improved help --ignore-mac : do not check MAC addresses this will allow to use ESSIDs from frames with damaged broadcast MAC address 14.09.2019 ========== hcxpcaptool : improved detection of damaged ESSIDs 13.09.2019 ========== hcxessidtool: added new options --essidout= : output ESSID list --essidmacapout= : output MAC_AP:ESSID list 12.09.2019 ========== removed : wlanhcx2essid (deprecated) added : hcxessidtool options: -e : filter by ESSID -E : filter by part of ESSID -l : filter by ESSID length -h : show this help -v : show version --pmkid1= : input PMKID file 1 --pmkid2= : input PMKID file 2 --pmkidout12= : output only lines present in both PMKID file 1 and PMKID file 2 --pmkidout1= : output only lines present in PMKID file 1 --pmkidout2= : output only lines present in PMKID file 2 --pmkidout= : output only ESSID filtered lines present in PMKID file 1 --hccapx1= : input HCCAPX file 1 --hccapx2= : input HCCAPX file 2 --hccapxout12= : output only lines present in both HCCAPX file 1 and HCCAPX file 2 --hccapxout1= : output only lines present in HCCAPX file1 --hccapxout2= : output only lines present in HCCAPX file 2 --hccapxout= : output only ESSID filtered lines present in HCCAPX file 1 --help : show this help --version : show version Main purpose is to get full adcantage or reuse of PBKDF2 while merging (only) the same ESSIDs from different hash files examples: hcxessidtool --pmkid1=file1.16800 --pmkid2=file2.16800 --pmkidout12=joint.16800 hcxessidtool --pmkid1=file1.16800 -l 10 --pmkidout=filtered.16800 03.09.2019 ========== move to v5.2.2 fixed bug in damaged ESSID handling 01.09.2019 ========== hcxpcaptool: show capture device vendor 28.08.2019 ========== moved to v5.2.1 hcxpsktool : added new weak candidates hcxdumptool: added additional warnings about handling of pcapng files ( im imrpoved status out: count zeroed PMKIDs 19.08.2019 ========== move to v5.2.0 11.08.2019 ========== hcxpcaptool: print time of first packet and time of last packet this will not work on cap files with zeroed time stamps 10.08.2019 ========== hcxpcaptool: removed option --replaycountcheck added option --ignore-replaycount to allow conversion of not replaycount checked handshakes if we have no replaycount matching handshake - in that case nc must be used! Remarks: total best handshakes and total best PMKIDs can be different to realy written ones: best handshakes (total)..........: 190 (ap-less: 122) best PMKIDs (total)..............: 30 summary output file(s): ----------------------- 175 handshake(s) written to /tmp/test.hccapx message pair M12E2...............: 157 message pair M32E2...............: 16 message pair M34E4...............: 2 29 PMKID(s) written to /tmp/test.16800 That depend on this additional options and the quality of the cap file: --ignore-fake-frames : do not convert fake frames --ignore-zeroed-pmks : do not convert frames which use a zeroed plainmasterkey (PMK) --ignore-replaycount : allow not replaycount checked best handshakes --time-error-corrections= : maximum time gap between EAPOL frames - EAPOL TIMEOUT (default: 600s) --nonce-error-corrections= : maximum replycount/nonce gap to be converted (default: 8) example: --nonce-error-corrections=60 convert handshakes up to a possible packetloss of 59 packets hashcat nonce-error-corrections should be twice as much as hcxpcaptool value --max-essid-changes= : allow maximum ESSID changes (default: 1 - no ESSID change is allowed) 09.08.2019 ========== hcxpcaptool: added summary (replaycount check) and print warning if result is not replaycount checked (in this case nc is necessary) added warning if an ESSID change is detected. this can be handled by increase the value of option --max-essid-changes added new option --replaycountcheck --replaycountcheck : convert only replaycount checked frames 26.06.2019 ========== hcxpcaptool: added new option --max-essid-changes --max-essid-changes= : allow maximum ESSID changes (default: 8) useful on merged cap files with many ESSID changes for a single mac_ap or on damaged ESSIDs 23.06.2019 ========== hcxpcaptool: fixed several big endian issues show information about handshakes and PMKIDs calculated by a zeroed PMK added new options --ignore-zeroed-pmks and --prefix-out= --ignore-zeroed-pmks : do not convert frames which use a zeroed plainmasterkey (PMK) This option is useful to reduce the commandline length if all lists are requested: --prefix-out= : convert everything to lists using this prefix (overrides single options): hccapx (-o) file.hccapx PMKID (-k) file.16800 netntlm (--netntlm-out) file.5500 md5 (--md5-out) file.4800 tacacsplus (--tacacsplus) file.16100 wordlist (-E) file.essidlist identitylist (-I) file.identitylist usernamelist (-U) file.userlist imsilist (-M) file.imsilist networklist (-network-out) file.networklist trafficlist (-T) file.networklist clientlist (-X) file.clientlist deviceinfolist (-D) file.deviceinfolist 20.06.2019 ========== hcxpcaptool: complete refactoring of pcapng engine 19.06.2019 ========== hcxpcaptool: added new option -D -D : output unsorted device information list format = MAC:DEVICEINFO string 16.06.2019 ========== hcxpcaptool: refactored complete tag walk engine due to several stack smashing issues (fsanitize=address) added new option to detect known fake frames --ignore-fake-frames : do not convert fake frames 14.06.2019 ========== hcxpcaptool: complete rewrite of RSN-IE PMKID detection within association frames and reassociation frames 07.06.2019 ========== hcxpcaptool: added new option to filter output by a single MAC address all packets which doesn't contain this MAC in address 1, address 2 or address 3 are ignored. --filtermac= : filter output by MAC address format: 112233445566 07.06.2019 ========== hcxpcaptool: detect and convert PMKIDs from clients read more here: https://hashcat.net/forum/thread-6661-post-44869.html#pid44869 30.05.2019 ========== hcxtools moved to v5.1.6 due to a bug in v5.1.5 hcxpcaptool: added 2 new options to convert raw PMKIDs -K : output raw PMKID file (hashcat hashmode -m 16801 new format) -Z : output raw PMKID file (hashcat hashmode -m 16801 old format and john) use this options if you would like to verify a PMKID and yo don't have an ESSID read more here: https://github.com/ZerBea/hcxtools/issues/92#issuecomment-497128717 19.05.2019 ========== added new useful script: hcxgrep.py Works like grep, but for hccapx/pmkid hashfiles - those are detected automagically. It also can read from stdin and writes on stdout. It tries to be as close to grep commandline options, this is -h: usage: hcxgrep.py [-h] [-f FILE] [-v] [-t {essid,mac_ap,mac_sta}] [PATTERNS] [infile] Extract records from hccapx/pmkid file based on regexp positional arguments: PATTERNS RegExp pattern infile hccapx/pmkid file to process optional arguments: -h, --help show this help message and exit -f FILE, --file FILE Obtain patterns from FILE, one per line. -v, --invert-match Invert the sense of matching, to select non-matching nets -t {essid,mac_ap,mac_sta}, --type {essid,mac_ap,mac_sta} Field to apply matching, default essid By default it greps by essid, but you can choose with -t also to grep over mac_ap or mac_sta, passed as lowercase hex strings. It also can read multiple patterns from external file, like those attached. It's composed from routerkeygen and matches essids with _ or - in them. Of course this have many false positives and the default PSK can be changed, but one can easy get those nets he needs to try custom wordlists or etc. 16.04.2019 ========== finally removed wlanhcx2psk in favor of hcxpsktool 08.04.2019 ========== hcxpcaptool: from now on only PBKDF2 based hashes (EAPOL and PMKID) are converted running options -k -z and -o raw option -O will convert all EAPOL handshakes. 02.04.2019 ========== Due to hashcat changes: "WPA/WPA2 cracking: In the potfile, replace password with PMK in order to detect already cracked networks across all WPA modes" https://github.com/hashcat/hashcat/commit/b8d609ba1604f4fed62198ae5000e205dcc87f70 hcxpcaptool: added new option -k to convert dumpfile to new hashcat PMKID format -k : output PMKID file (hashcat hashmode -m 16800 new format) -z : output PMKID file (hashcat hashmode -m 16800 old format and john) use hcxhashcattool to convert old 2500 and old 16800 potfile to new hashcat potfile Format: -p : input old hashcat potfile accepted potfiles: 2500 or 16800 -P : output new potfile file (PMK:ESSID:PSK) hcxhashcattool -p oldhashcat.2500.pot -P newhashcat.potfile hcxhashcattool -p oldhashcat.16800.pot -P newhashcat.potfile 30.03.2019 ========== hcxpcaptool: retrieve IMSI from UMTS Authentication and Key Agreement (EAP-AKA) and EAP-SIM (GSM Subscriber Modules) Authentication 19.03.2019 ========== wlanhcx2ssid: use systemwide oui.txt (/usr/share/ieee-data/oui.txt), if exist whoismac: use systemwide oui.txt (/usr/share/ieee-data/oui.txt), if exist 18.03.2019 ========== wlancap2wpasec: added man 1 page hcxpcaptool: added new option -M to collect IMSI numbers -M : output unsorted IMSI number list 17.03.2019 ========== hcxpcaptool: added man 1 page hcxpsktool: added man 1 page hcxhash2cap: added man 1 page 09.03.2019 ========== hcxtools moved to version 5.1.3 due to change of pcapng comment field 07.03.2019 ========== hcxpcaptool added GPX comment field for GPS time from GPS device test3.gpx dntest.pcapng 129.500000 1af87c9124a3 GPS-TIME:2019-03-06T22:28:00Z 26.02.2019 ========== hcxtools moved to version 5.1.3 due to several bug fixes 18.02.2019 ========== hcxtools moved to version 5.1.2 due to implementation of serveral new options 14.02.2019 ========== wlancap2wpasec: added new option -e -e : set email address, if requiered 13.02.2019 ========== hcxpsktool added full support (option -j) for john -i : input EAPOL hash file (hashcat) -j : input EAPOL hash file (john) -z : input PMKID hash file (hashcat and john) 12.02.2019 ========== hcxpcaptool: added new option -X -X : output client probelist : format: mac_sta:probed ESSID (autohex enabled) added new tool: hcxwltool while hcxpsktool is designed to run on hcxpcaptool -o and -z output, hcxwltool is designed to run on hcapcaptool -E, -I and -U output $ hcxwltool -h hcxwltool 5.1.1 (C) 2019 ZeroBeat usage: hcxwltool options: -i : input worlist -o : output wordlist to file -h : show this help -v : show version --straight : output format untouched --digit : output format only digits --xdigit : output format only xdigits --lower : output format only lower --upper : output format only upper --capital : output format only capital --length= : password lenght (8...32) --help : show this help --version : show version examples: hcxwltool -i wordlist --straight | sort | uniq | | sort | uniq | hashcat -m 2500 hashfile.hccapx hcxwltool -i wordlist --gigit --length=10 | sort | uniq | | sort | uniq | hashcat -m 2500 hashfile.hccapx hcxwltool -i wordlist --digit | sort | uniq | hashcat -m 16800 hashfile.16800 hcxwltool -i wordlist --xdigit | sort | uniq | john --stdin --format=wpapsk-opencl hashfile.16800 11.02.2019 ========== whoismac: added two new options to convert ESSID HEX to ASCII or ESSID ASCII to HEX -e : input ESSID -x : input ESSID in hex example: $ whoismac -e default 64656661756c74 now search for this essid, running simple bash commands: cat hashfile.16800 | grep 64656661756c74 02.02.2019 ========== release hcxtools v 5.1.1 removed....: wlanhcx2psk replaced by: hcxpsktool removed....: wlanhcx2cap replaced by: hcxhash2cap no more libcap dependency! 01.02.2019 ========== hcxhash2cap: added new option to canvert john WPAPSK has file to cap hcxhash2cap will replace wlanhcx2cap, soon $ hcxhash2cap -h hcxhash2cap 5.1.0 (C) 2019 ZeroBeat usage: hcxhash2cap options: -c : output cap file if no cap file is selected, output will be written to single cap files format: mac_sta.cap (mac_sta.cap_x) --pmkid= : input PMKID hash file --hccapx= : input hashcat hccapx file --hccap= : input hashcat hccap file --john= : input John the Ripper WPAPSK hash file --help : show this help --version : show version 31.01.2019 ========== hcxhash2cap: added new options to convert hccapx to cap and hccap to cap 29.01.2019 ========== aded new tool: hcxhash2cap 22.01.2019 ========== hcxpcaptool: in preparation of hccapx successor, hcxpcaptool now count oversized (>0xff) EAPOLframes EAPOL packets (oversized)....: xx read more here: https://github.com/hashcat/hashcat/issues/1816 13.12.2018 ========== hcxpcaptool: removed options -x and -X (old hccap format) hcxpcaptool: added options --hccap-out and --hccap-raw-out (old hccap format) --hccap-out= : output old hccap file (hashcat -m 2500) --hccap-raw-out= : output raw old hccap file (hashcat -m 2500) 09.12.2018 ========== hcxpcaptool: detect EAPOL GROUP KEYs hcxpcaptool: move option -H to --hexdump-out hcxpcaptool: added new options (--eapol-out, --network-out) --eapol-out= : output EAPOL packets in hex format = mac_ap:mac_sta:eapol --network-out= : output network information format = mac_ap:ESSID --hexdump-out= : output dump raw packets in hex 05.12.2018 ========== moved to v 5.1.0 (according to hashcat) hcxpcaptool: detect EAPOL RC4 KEYs 04.12.2018 ========== hcxpcaptool: fixed bug in FCS on BE systems hcxpcaptool: detect MESH-IDs 26.11.2018 ========== several big endian fixes switched to version 5.0.1 19.11.2018 ========== hcxpcaptool: improved detection of ESSID changes in merged capfiles 30.10.2018 ========== hcxtools moved to version 5.0.0 hcxpsktool: added NETGEARxx list --netgear : include NETGEAR candidates 03.10.2018 ========== hcxpcaptool: use GMT time 30.09.2018 ========== hcxhashcattool: accept 16800 potfiles 29.09.2018 ========== hcxpcaptool: removed option -Z Allow hashfile for -m 16800 to be used with -m 16801 https://github.com/hashcat/hashcat/commit/1b980cf01000c81dfd0ca085593f8c1d66d43188 added new option -g -g : output GPS file\n" format = GPX (accepted for example by Viking and GPSBabel)\n" 24.09.2018 ========== whoismac new option to get VENDOR information from a hashcat 2500 potfile line -P : input EAPOL hashline from potfile 20.09.2018 ========== prepare new tool (experimental): hcxpsktool (supports hccapx and 16800 hashfile) hcxpsktool will replace wlanhcx2psk, when all wlanhcx2psk functions are added 15.09.2018 ========== hcxpcaptool: added detection of Cisco Systems, Inc VENDOR information in authentication 06.09.2018 ========== hcxpcaptool: added detection of Netgear VENDOR information in authentication 04.09.2018 ========== hcxpcaptool: try to detect and remove damaged ESSIDs 26.08.2018 ========== whoismac added new option -p to get information about VENDOR and print ESSID in ASCII "-p : input PMKID hashline\n" 17.08.2018 ========== hcxpcaptool skip unknown option (thanks to magnumripper) hcxpcaptool detect Wilibox Delibrant Group LLC authentication hcxpcaptool detect NETWORK EAP authentication system 07.08.2018 ========== added communication between hcxdumtool and hcxpcaptool via pcapng option fields: 62108 for REPLAYCOUNT uint64_t 62109 for ANONCE uint8_t[32] 03.08.2018 ========== hcxtools release 4.2.0 Todo: hcxdumptool 4.2.0 will randomize ap-less attacks. hcxpcaptool will convert this handshakes correctly, but will not detect them as ap-less attack This feature will be added in hcxtools 4.2.1 01.08.2018 ========== moved raspberry pi stuff and dumper stuff to hcxdumptool repository from now on hcxtools only includes conversion tools 25.07.2018 ========== hcxtools moved to 4.2.0 rc1 hcxpcaptool: added hashmodes -m 16800 and -m 16801 and new options: -z : output PMKID file (hashcat hashmode -m 16800 - WPA*-PMKID-PBKDF2) -Z : output PMKID file (hashcat hashmode -m 16801 - WPA*-PMKID-PMK) use hcxpcaptool as dumper/attacker, convert with hcxpcaptool, retrieve PSK using hashcat removed wlandump-ng (old scool, deprecated) removed wlancap2hcx (old scool, deprecated) 17.07.2018 ========== hcxpcaptool: show detailed file stats on pcapng files - go in sync with (upcomming) hcxdumptool 4.2.0 17.07.2018 ========== hcxpcaptool: added detection of all EAP types: EAP_PACKET EAPOL_START EAPOL_LOGOFF EAPOL_KEY EAPOL_ASF EAPOL_MKA 15.07.2018 ========== wlanhcx2psk: added more weak candidates based on OSINT from wpa-sec 07.07.2018 ========== hcxpcaptool: added detection of BROADCOM specific authentication 01.07.2018 ========== hcxpcaptool: added detection of FILS authentication algorithm 27.06.2018 ========== hcxpcaptool: added detection of authentication algorithms 23.06.2018 ========== hcxpcaptool: added full support for AVS header (DLT_IEEE802_11_RADIO_AVS) 22.06.2018 ========== hcxpcaptool: added full support for TaZmen Sniffer Protocol (TZSP) 21.06.2018 ========== hcxpcaptool: added detection of TaZmen Sniffer Protocol (TZSP) 20.06.2018 ========== hcxpcaptool: added conversion of WDS packets 19.06.2018 ========== hcxpcaptool: added detection of RADIUS authentication with Ethernet II header 05.05.2018 ========== hcxpcaptool: improved detection of broken ESSIDs improved detection of broken EAPOL frames wlanhcx2ssid (option -F): improved detection of broken ESSIDs omproved detection of broken EAPOL frames 12.03.2018 ========== moved to v 4.1.5 added new options wlancap2wpasec $ wlancap2wpasec -h wlancap2wpasec 4.1.5 (C) 2018 ZeroBeat usage: wlancap2wpasec [input.cap] [input.cap] ... wlancap2wpasec *.cap wlancap2wpasec *.* options: -k : wpa-sec user key -u : set user defined URL default = https://wpa-sec.stanev.org -t : set connection timeout default = 30 seconds -R : remove cap if upload was successful -h : this help 25.02.2018 ========== split repository! moved hcxdumptool to https://github.com/ZerBea/hcxdumptool move pioff to https://github.com/ZerBea/hcxdumptool/hcxpioff from now on, hcxtools will be the mostly "portable part" 17.02.2018 ========== hcxpcaptool added nonce fuzzing logic for john and old hashcat (hccap) according to bitmask: 0: MP info 1: MP info 2: MP inf 3: x (unused) 4: ap-less attack (set to 1) - no nonce-error-corrections neccessary 5: LE router detected (set to 1) - nonce-error-corrections only for LE neccessary 6: BE router detected (set to 1) - nonce-error-corrections only for BE neccessary 7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely neccessary 15.02.2018 ========== hcxpcaptool added detection of router endianess and ap-less attacks: bitmask for message_pair file: 0: MP info 1: MP info 2: MP inf 3: x (unused) 4: ap-less attack (set to 1) - no nonce-error-corrections neccessary 5: LE router detected (set to 1) - nonce-error-corrections only for LE neccessary 6: BE router detected (set to 1) - nonce-error-corrections only for BE neccessary 7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely neccessary using bit 4 to 7, hcxtools are able to interact with hascat - that will increase speed for hashcat. 09.02.2018 ========== hcxpcaptool added full implementation of PPP-CHAP authentication added detection of RADIUS (UDP destination 1812) new dependency: libopenssl 07.02.2018 ========== hcxpcaptool added full implementation of TACACS+ --tacacsplus-out= : output TACACS+ authentication file (hashcat -m 16100, john tacacs-plus) 05.02.2018 ========== hcxpcaptool improved help menu ignore empty usernames added new option --md5-john-out= : output MD5 challenge file (john chap) 04.02.2018 ========== hcxpcaptool continued implementation of EAP (RADIUS): netNTLMv1, MD5 challenge added new options -U : output username list (unsorted) --netntlm-out= : output netNTLMv1 file (hashcat -m 5500, john netntlm) --md5-out= : output MD5 challenge file (hashcat -m 4800, john chap) 03.02.2018 ========== added hcxphashcattool (calculate PMKs from hashcat -m 2500 potfile) $ hcxhashcattool -h hcxhashcattool 4.1.0 (C) 2018 ZeroBeat usage: hcxhashcattool options: -p : input hashcat -m 2500 potfile -P : output PMK file (PMK:ESSID:PSK) -h : show this help -v : show version 01.02.2018 ========== hcxpcaptool added detection of TCP and UDP network protocol neccessary for IP based authentications 31.01.2018 ========== hcxtools moved to v 4.1.0 and starts into the 3. generation with - hcxdumptool (will replace wlandump-ng) and - hcxpcaptool (will replace wlancap2hcx) 29.01.2018 ========== hcxpcaptool improved detection of handshakes removed options -A -S ( will improve them and add them later again) 17.01.2018 ========== hcxpcaptool added new options -O : output raw hccapx file -x : output hccap file -X : output raw hccap file -j : output john WPAPSK-PMK file -J : output raw john WPAPSK-PMK file --time-error-corrections : maximum allowed time gap (default: 10000ms) --nonce-error-corrections : maximum allowed nonce gap (default: 8) : should be the same value as in hashcat option -O is designed for third party tools which like to strip handshakes by themselves options -x and -X are designed for use on older systems and old hashcat version 16.01.2018 ========== hcxpcaptool added new option -o -o : output hccapx file convert cap/pcap/pcapng to hccapx 15.01.2018 ========== hcxpcaptool added new option -V -V : verbose (but slow) status output Running hcxpcaptool without options on cap/pcap/pcapng files shows only limited stauts output If you need detailed informations, use -V 14.01.2018 ========== hcxpcaptool added suport for gzip compressed cap/pcap/pcapng files new dependency: zlib 14.01.2018 ========== hcxpcaptool added new options -P -I -I : output identities list -P : output possible WPA/WPA2 plainmasterkey list 13.01.2018 ========== hcxpcaptool added new option -S : output station EAPOL information list date::timestamp:mac_sta:mac_ap:epol_len:eapol moved internal to tv_usec timestamp 12.01.2018 ========== hcxdumptool added new option -C : comma separated scanlist (1,3,5,7...) support for scanlist hcxpcaptool added new option -A : output access point anonce information list (forensics purpose) date:mac_sta:mac_ap:keyver(1=M1, 2=M3, 3=M1+M3):replaycount(in hex):anonce 11.01.2018 ========== hcxpcaptool added new options -E : output wordlist (autohex enabled) to use as wordlist -T : output traffic information list 10.01.2018 ========== hcxpcaptool added option -H -H : dump raw packets in hex 09.01.2018 ========== - move hcxtools to v 4.0.2 - renamed wlandump-rs to hcxdumptool - removed wlancapinfo -> replaced by hcxpcaptool +get rid of libpcap dependency) +added full pcapng support $ hcxpcaptool -h hcxpcaptool 4.0.2 (C) 2017 ZeroBeat usage: hcxpcaptool hcxpcaptool [input.pcap] [input.pcap] ... hcxpcaptool *.cap hcxpcaptool *.* options: -h : show this help -v : show version 07.01.2018 ========== wlandump-rs added option -l -l : enable capture of IPv4/IPv6 packets 06.01.2018 ========== wlandump-ng added option -l -l : enable capture of IPv4/IPv6 packets 21.12.2017 ========== wlancap2hcx removed option -x now wlancap2hcx looks first for association/re-associationrequests or for directed proberequests or for proberesponseses and at last (if no other frames found in the cap) for a beacon 21.12.2017 ========== wlancap2hcx added new option to remove handshakes that that belong to the same authentication sequence -D : remove handshakes that belong to the same authentication sequence : you must use nonce-error-corrections on that file! wlanhcx2ssid added new option to remove handshakes that that belong to the same authentication sequence -D : remove handshakes that belong to the same authentication sequence : you must use nonce-error-corrections on that file! 17.12.2017 ========== moved to version 4.0.1 added wlandump-rs - use raw sockets instead of libpcap - faster and more aggressive than wlandump-ng - able to capture more handchakes than wlandump-ng - automatic use channel 14 and 5GHz channels if driver supports this - improvements on scan engine - improvements on authentication engine - use ap blacklist instead of BPF $ wlandump-rs -h wlandump-rs 4.0.1 (C) 2017 ZeroBeat usage: wlandump-rs options: -i : interface -o : output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -c : set channel (default = channel 1) -t : stay time on channel before hopping to the next channel : default = 5 seconds -B : blacklist (do not deauthenticate clients from this hosts - format: xxxxxxxxxxxx) -I : show suitable wlan interfaces and quit -T : terminate after maximal errors : default: 1000000 -D : enable to transmit deauthentication- and disassociation-frames -P : enable poweroff -s : enable status messages -h : show this help -v : show version 16.12.2017 ========== wlancap2wpasec ----------- added option to remove cap file if upload was successful -R : remove cap if upload was successful 05.12.2017 ========== wlanhcx2ssid ----------- added option to strip damaged records from hccapx file -F : strip bad records and write only flawless records to hccapx file Detected errors (more follows later): - bad keytype in EAPOL frame 21.11.2017 ========== wlancap2hcx ----------- added detection and conversation of TACACS+ Authentication -t : output TACACS+ file (hashcat -m 16100, john tacacs-plus) 21.11.2017 ========== wlandump-ng ----------- added new option -P for use with hard coded GPIO switch -P : terminate program and poweroff raspberry pi by GPIO switch : default: terminate program and do not power off 20.11.2017 ========== wlandump-ng ----------- do not terminate wlandum-ng if channel set failed instead reset channel back to 1 31.10.2017 ========== wlandump-ng ----------- improved status: added beacons, proberequests, proberesponses, associationrequests and reassociationrequests warning in help mennu that driver must support 5GHz 29.10.2017 ========== wlanrcascan ----------- added option -l (loopcount) wlandump-ng ----------- added detection of fast BSS transition (fast roaming) wlancap2hcx ----------- added detection of fast BSS transition (fast roaming) 28.10.2017 ========== - added changelog - merged wlanresponse and wlandump-ng bash_profile ------------ adapted to new wlandump-ng wlanresponse ------------ - removed wlandump-ng ----------- - waterfall status - improved deauthentication stop when retrieved one complete handshake (M1-M4) from ap <-> client - improved disassociation stop when retrieved one complete handshake (M1-M4) from ap <-> client - send one undirected proberequest to broadcast after channel change - improved expanded EAPOL handling - improved authentication - improved beaconing on proberequests - now wlandump-ng is passive by default (only receive) - transmit must be enabled - changed / new options: -R : enable to respond to all requests -D : enable deauthentications -d : enable disassociations -E : stop deauthentications and disassociations if xx complete handshakes received : default = 1 complete handshake (M1-M4) -U : send one undirected proberequest to broadcast after channel change -B : enable beaconing on last proberequest "-s : enable status messages\n" localtime, channel, mac_ap, mac_sta, information 11:02:52 11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M1M2 handshake (forced) 11:01:45 11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M1M2 handshake (forced-retransmission) 11:03:57 11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M1M2 handshake (not verified) 11:03:57 11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M2M3 handshake (verified) 11:03:57 11 xxxxxxxxxxxx <-> xxxxxxxxxxxx M3M4 handshake (established) 16:36:13 1 xxxxxxxxxxxx --> xxxxxxxxxxxx identity request: hello 16:36:13 1 xxxxxxxxxxxx <-- xxxxxxxxxxxx identity response: WFA-SimpleConfig-Registrar-1-0 16:36:14 1 xxxxxxxxxxxx --> xxxxxxxxxxxx WPS-M1 message 16:36:14 1 xxxxxxxxxxxx <-- xxxxxxxxxxxx WPS-M2 message 16:36:16 1 xxxxxxxxxxxx --> xxxxxxxxxxxx WPS-M3 message 16:36:16 1 xxxxxxxxxxxx <-- xxxxxxxxxxxx WPS-M4 message 16:36:16 1 xxxxxxxxxxxx --> xxxxxxxxxxxx WPS-M5 message 16:36:16 1 xxxxxxxxxxxx <-- xxxxxxxxxxxx WPS-M6 message 16:36:16 1 xxxxxxxxxxxx --> xxxxxxxxxxxx WPS-M7 message 16:36:16 1 xxxxxxxxxxxx <-- xxxxxxxxxxxx WPS-M8 message