
Undirected PROBE REQUEST and EAP REQUEST/RESPONSE ID frames missing #34

xianclasen opened this issue Nov 20, 2021 · 5 comments

@xianclasen

It seems packets may be filtered before they are written to disk and exclude frames that tools like Hashcat want to see when converting to useful file formats for cracking. This results in errors from hcxpcapngtools like this one:

```
Warning: missing frames!
This dump file contains no important frames like
authentication, association or reassociation.
That makes it hard to recover the PSK.

Warning: missing frames!
This dump file contains no undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
That makes it hard to recover the PSK.
```

I've not been able to get hcxpcaptools to accept the saved pcap files from Hash Monster due to this missing data.

@allmeatdies

allmeatdies commented Nov 25, 2021

I have had this same issue for quite some time. Additionally, while several .pcap files are written to disk, all of them are empty except for 0.pcap.

In my most recent test, running a freshly compiled installation for an hour generated 142 .pcap files - from 0.pcap to 141.pcap. 1-141 show a file size of 0 bytes.

Running hcxpcapngtool --all -o capture 0.pcap gives the following:

```
pcapngtool --all -o capture 0.pcap
hcxpcapngtool 6.2.4-96-gd8f56be reading from 0.pcap...

summary capture file
--------------------
file name................................: 0.pcap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 31.12.1969 18:00:00
timestamp maximum (GMT)..................: 31.12.1969 18:00:00
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianess (capture system)...............: little endian
EAPOL ANONCE error corrections (NC)......: not detected

Information: no hashes written to hash files

Warning: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

Warning: missing frames!
This dump file does not contain important frames like
authentication, association or reassociation.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

Warning: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.


session summary
---------------
processed cap files...................: 1
```

EDIT: I've received similar results when using cap2hcxcap as well. The issue occurs both when uploaded via Arduino sketch and when run as a binary from an SD card. Tested on M5Fire and M5Gray.

@tobozo
Contributor

tobozo commented Nov 25, 2021

I recently read something like "don't echo to serial while in promisc mode" and this app seems to do exactly that.

Are there any improvements when all Serial.print** statements are commented out?

@xianclasen
Author

I think this may be a part of a larger problem that the tool-chain in use by Hash Monster is a bit outdated. Aside from missing these packets, it outputs in pcap format (most tools now use pcapng), and hash modes 2500/2501, which have been deprecated for better formats for cracking (https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2).

If it can be updated to capture the packets mentioned in the title, in pcapng format, it would go a long way.

@tobozo
Contributor

tobozo commented Nov 28, 2021

Oh, this means the WiFi Hash Monster needs a feature upgrade rather than a bugfix?

Compiling with the new espressif32-sdk (2.0.x) throws a few deprecation warnings, so there's a small technical debt to satisfy first.

After that wifi_sniffer_packet_type2str will need to be extended, and the logic of wifi_promiscuous should be rewritten e.g. to remove FastLed and Serial writes from the callback function.

However, that's as far as I can speculate for the roadmap.
Can you point me to a simple example using the espressif sdk where these packets are captured?
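As an added example (not WiFi Hash Monster's code, nor an espressif sample), this is the frame classification a rewritten promiscuous callback would need in order to keep the three categories hcxpcapngtool warned about above: undirected probe requests, authentication/association frames, and EAPOL M1. It assumes "undirected" means the probe request's destination (addr1) is the broadcast MAC, and the sample frames are constructed headers, not captures.

```c
/* Added example, not WiFi Hash Monster code. Classifies raw 802.11 frames into the
 * categories hcxpcapngtool warned about above, so a promiscuous callback can keep
 * them. Assumes "undirected" means the probe request's addr1 is the broadcast MAC. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
enum frame_class { FC_OTHER = 0, FC_PROBE_REQ_UNDIRECTED, FC_AUTH_ASSOC, FC_EAPOL_M1, FC_EAPOL_OTHER };
static const uint8_t BCAST[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
static const uint8_t LLC_EAPOL[8] = {0xaa, 0xaa, 0x03, 0, 0, 0, 0x88, 0x8e}; /* SNAP, EtherType 0x888e */

enum frame_class classify_80211(const uint8_t *f, size_t len)
{
    if (len < 24) return FC_OTHER;
    uint8_t type = (f[0] >> 2) & 0x3, subtype = (f[0] >> 4) & 0xf;
    if (type == 0) {                                      /* management frame */
        if (subtype == 4)                                 /* probe request */
            return memcmp(f + 4, BCAST, 6) == 0 ? FC_PROBE_REQ_UNDIRECTED : FC_OTHER;
        if (subtype <= 3 || subtype == 11)                /* (re)assoc req/resp, authentication */
            return FC_AUTH_ASSOC;
        return FC_OTHER;
    }
    if (type != 2) return FC_OTHER;                       /* control frames: nothing to keep */
    size_t hdr = 24;
    if (subtype & 0x8) hdr += 2;                          /* QoS data adds a 2-byte QoS control */
    if ((f[1] & 0x03) == 0x03) hdr += 6;                  /* To-DS and From-DS: fourth address */
    if (len < hdr + 15 || memcmp(f + hdr, LLC_EAPOL, 8) != 0) return FC_OTHER;
    const uint8_t *eapol = f + hdr + 8;                   /* version, type, len(2), desc, key_info(2) */
    if (eapol[1] != 3) return FC_EAPOL_OTHER;             /* only EAPOL-Key frames matter */
    uint16_t key_info = (uint16_t)((eapol[5] << 8) | eapol[6]);
    /* M1: Pairwise (0x0008) and Ack (0x0080) set, Install (0x0040) and MIC (0x0100) clear */
    return ((key_info & 0x01c8) == 0x0088) ? FC_EAPOL_M1 : FC_EAPOL_OTHER;
}

/* Constructed sample frames (headers only, not real captures) */
const uint8_t SAMPLE_PROBE_REQ[24] = {0x40, 0, 0, 0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x02, 0, 0, 0, 0, 1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0, 0};
const uint8_t SAMPLE_AUTH[24] = {0xb0, 0, 0, 0, 0, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x02, 0, 0, 0, 0, 1, 0, 0x11, 0x22, 0x33, 0x44, 0x55, 0, 0};
const uint8_t SAMPLE_M1[39] = {0x08, 0x02, 0, 0, 0x02, 0, 0, 0, 0, 1, 0, 0x11, 0x22, 0x33, 0x44, 0x55,
    0, 0x11, 0x22, 0x33, 0x44, 0x55, 0, 0, 0xaa, 0xaa, 0x03, 0, 0, 0, 0x88, 0x8e,
    0x02, 0x03, 0, 0x5f, 0x02, 0x00, 0x8a};

int main(void)
{
    printf("probe=%d auth=%d eapol=%d\n", classify_80211(SAMPLE_PROBE_REQ, 24),
           classify_80211(SAMPLE_AUTH, 24), classify_80211(SAMPLE_M1, 39));
    return 0;
}
```

On the ESP32 the same check would run inside the promiscuous callback on `pkt->payload`, with anything returning `FC_OTHER` dropped before the pcap writer and all serial/LED work moved out of the callback.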

@xianclasen
Author

> Oh, this means the WiFi Hash Monster needs a feature upgrade rather than a bugfix?

I think this is correct. I am able to get pcap files and convert them to 2500/2501 hash files (using the old hcxpcaptool), but this is an old way of going about cracking WPA2.

> Can you point me to a simple example using the espressif sdk where these packets are captured?

This is getting outside of my knowledge of the subject, unfortunately. I believe that pwnagotchi have already implemented this and capture all 802.11 packets in pcapng without filtering or cleaning (which is what hcxpcapng prefers). I don't know if having a look at their codebase would help you.

Thanks a ton for responding, btw.
