Easy-HCX: Making Wifi Attacks Easy
Last year a new attack on WPA2 was announced by the creators of hashcat - one that doesn't require capturing the 4-way handshake, any client interaction, or even a connected client. With a vulnerable access point, you can try to associate with the access point, capture the PMKID it sends back, and crack that offline.
This new attack uses hcxdumptool to capture and hcxtools to convert the capture file to a format hashcat can use. The process would look something like this:
hcxdumptool -i wlan1 -o capture.pcapng --enable_status=1
hcxpcaptool -z capture.16800 -o capture.hccapx capture.pcapng
(converts the pcapng to capture.hccapx for WPA2 handshakes and capture.16800 for PMKIDs)
hashcat -m 2500 -a 0 capture.hccapx <wordlist>
(for a WPA2 handshake)
or
hashcat -m 16800 -a 0 capture.16800 <wordlist>
(for a PMKID)
By default, hcxdumptool only scans 2.4 GHz networks, so if you want it to scan both 2.4 GHz and 5 GHz networks, you'd have to type something like:
hcxdumptool -i wlan1 -o capture.pcapng --enable_status=1 -c 1,2,3,4,5,6,7,8,9,10,11,12,13,14,36,38,<crapton of channels>,161
That got old really quickly, so I wrote a script to simplify things and make it more user-friendly. The goal was not to automate everything, just to make the basic functions easier to use without having to remember or type out long commands. A menu-driven interface was easiest for me to work with, so that's what I did.
At the moment Easy-HCX only has hashcat doing dictionary attacks. I may try to incorporate other attacks in the future.
Instead of explaining everything with a wall of text, I made a demo video. Check it out:
Be very careful if you choose to enable deauthentications - hcxdumptool is quite aggressive with this and will knock pretty much every client nearby off its network if you aren't doing a targeted attack.
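From the other side of the fence, that aggressiveness is exactly what makes a deauth flood easy to spot. As an added example that is not part of Easy-HCX or hcxdumptool, the script below reads a constructed monitor-mode event log (the line format is an assumption; adapt the regex to what your WIDS or tshark export emits) and flags any transmitter that sends a burst of deauth/disassoc frames, noting how many were aimed at the broadcast address:

```python
# Added example (not Easy-HCX or hcxdumptool code): flag deauth/disassoc bursts
# in a monitor-mode event log. The log line format here is a constructed assumption.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<sub>deauth|disassoc|assoc|data)\s+"
    r"src=(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+dst=(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$")
BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_events(text):
    """Parse log lines into (timestamp, subtype, src, dst); skip malformed lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((float(m["ts"]), m["sub"], m["src"], m["dst"]))
    return out

def deauth_bursts(events, window=2.0, threshold=5):
    """Return {src: (frames_in_busiest_window, broadcast_frames)} for transmitters
    sending >= threshold deauth/disassoc frames within any window-second span."""
    per_src = defaultdict(list)
    for ts, sub, src, dst in events:
        if sub in ("deauth", "disassoc"):
            per_src[src].append((ts, dst))
    alerts = {}
    for src, frames in per_src.items():
        frames.sort()
        start = 0
        for end in range(len(frames)):  # sliding window over time-sorted frames
            while frames[end][0] - frames[start][0] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and n > alerts.get(src, (0, 0))[0]:
                bcast = sum(1 for _, d in frames[start:end + 1] if d == BROADCAST)
                alerts[src] = (n, bcast)
    return alerts

SAMPLE_LOG = """\
1700000000.1 deauth src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
1700000000.2 deauth src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
1700000000.3 deauth src=00:11:22:33:44:55 dst=66:77:88:99:aa:bb
1700000000.4 deauth src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
1700000000.5 disassoc src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff
1700000030.0 deauth src=00:11:22:33:44:55 dst=66:77:88:99:aa:bb
"""
if __name__ == "__main__":
    for src, (n, b) in deauth_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {n} deauth/disassoc frames in 2s, {b} to broadcast")
```

A single deauth half a minute later does not trip the alert; five in half a second, four of them to broadcast, does.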