AP List Table Explanation #338

Closed
marbletissue opened this issue Aug 24, 2023 · 4 comments

@marbletissue

Hello,
When running hcxdumptool it outputs a table which displays the APs it's scanning.
Is there a guide that explains what the headers of the table mean?
For example, R 1 3 P S which are marked with a + - what does this mean?
Also, the lower table has E 2, what does that mean?
If I am targeting an AP, should I ensure that all + are marked for a successful crack of the hash?
Many thanks

@ZerBea
Owner

ZerBea commented Aug 24, 2023

The status is explained in the legend of --help:
Legend

real time display:
 R = + AP display:     AP is in TX range or under attack
 S = + AP display:     AUTHENTICATION KEY MANAGEMENT PSK
 P = + AP display:     got PMKID hashcat / JtR can work on
 1 = + AP display:     got EAPOL M1 (CHALLENGE)
 3 = + AP display:     got EAPOL M1M2M3 (AUTHORIZATION) hashcat / JtR can work on
 E = + CLIENT display: got EAP-START MESSAGE
 2 = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE) hashcat / JtR can work on

If you target an AP, a successful ATTACK will show a + in column P and/or 3 of AP display.

@marbletissue
Author

Thanks for the quick reply. I must have read the --help a dozen times and missed that lol..
I have been capturing for 2 days now, but still missing the PMKID on my target.
I will look at what I can do to make this happen - if anything?
I have successfully cracked the hash of other APs without the PMKID but I assume this makes the process quicker/more efficient for hashcat?

Thanks for adding the section on the workflow. I'm working to:
hcxdumptool - capture everything
hcxpcapngtool - convert everything (--all)
hcxhashtool - filter my target (--essid=xxxx)
At that point, I can attempt to crack the hash using the wordlist from hcxpcapngtool, or bruteforce it.
Do you have a post anywhere of how you would target an AP?
Thanks :)

@ZerBea
Owner

ZerBea commented Aug 24, 2023

Running hashcat on a PMKID is a little bit faster than running hashcat on an EAPOL MESSAGEPAIR with --nonce-error-corrections=0. Using higher NC values will increase the task time.
Filtering the hash by ESSID is a good idea to get the full benefit of reuse of PBKDF2. Slow PBKDF2 is done once and then the PMK is compared to all PMKIDs/MESSAGEPAIRs using the same ESSID.

Targeting an AP via Berkeley Packet Filter is explained here:
#301
starting with comment:
#301 (comment)
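
The PBKDF2 reuse described in the comment above, as an added example that is not part of the original thread and not code from hcxtools or hashcat: the ESSID is the PBKDF2 salt, so one PMK per (candidate, ESSID) can be checked against every PMKID record for that ESSID with a single cheap HMAC each. The function names are hypothetical, and the ESSIDs, MAC addresses and passphrases are constructed lab values.

```python
import hashlib
import hmac
from collections import defaultdict

def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)

def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    # PMKID = first 16 bytes of HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA)
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def check_candidates(records, candidates):
    """records: (essid, mac_ap, mac_sta, pmkid) tuples.
    Returns (matches, pbkdf2_runs)."""
    by_essid = defaultdict(list)
    for essid, mac_ap, mac_sta, pmkid in records:
        by_essid[essid].append((mac_ap, mac_sta, pmkid))
    matches, pbkdf2_runs = [], 0
    for essid, group in by_essid.items():
        for candidate in candidates:
            pmk = derive_pmk(candidate, essid)  # slow: once per (candidate, ESSID)
            pbkdf2_runs += 1
            for mac_ap, mac_sta, pmkid in group:  # fast: one HMAC-SHA1 per record
                if hmac.compare_digest(compute_pmkid(pmk, mac_ap, mac_sta), pmkid):
                    matches.append((essid, mac_ap, mac_sta, candidate))
    return matches, pbkdf2_runs

def build_lab_records():
    # Constructed lab data: locally administered MACs, made-up ESSIDs and passphrases.
    lab = [
        (b"lab-net", "020000000001", "020000000a01", "correct horse 42"),
        (b"lab-net", "020000000001", "020000000a02", "correct horse 42"),
        (b"lab-net", "020000000002", "020000000a03", "correct horse 42"),
        (b"other-lab", "020000000003", "020000000a04", "different-pass-7"),
    ]
    records = []
    for essid, ap, sta, passphrase in lab:
        ap_b, sta_b = bytes.fromhex(ap), bytes.fromhex(sta)
        records.append((essid, ap_b, sta_b, compute_pmkid(derive_pmk(passphrase, essid), ap_b, sta_b)))
    return records

if __name__ == "__main__":
    records = build_lab_records()
    candidates = ["password123", "correct horse 42", "letmein00"]
    matches, runs = check_candidates(records, candidates)
    print(f"{len(records)} records, {len(candidates)} candidates, {runs} PBKDF2 runs")
    for essid, mac_ap, mac_sta, candidate in matches:
        print(essid.decode(), mac_ap.hex(), mac_sta.hex(), candidate)
```

With four records spread over two ESSIDs, three candidates cost six PBKDF2 runs rather than twelve, which is why a unique ESSID per network limits how much of that work can be shared.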

@ZerBea
Owner

ZerBea commented Aug 24, 2023

Closed this report, because it is rather a discussion
https://github.com/ZerBea/hcxdumptool/discussions
and not a bug.

@ZerBea ZerBea closed this as completed Aug 24, 2023