PreSharedKeys, IMEIs, EAP-IDs in plain text transmitted by CLIENTs

[ZerBea]

👋 Welcome!

We’re using Discussions as a place to connect with other members of our community. We hope that you:

• Ask questions you’re wondering about.
• Share ideas.
• Engage with other community members.
• Welcome others and are open-minded. Remember that this is a community we
  build together 💪.

To get started, comment below with an introduction of yourself and tell us about what you do with this community.

[dannemits]

Hello ZerBea:
I have to say that the hctools/hcxdumptool programs are impressive, but even more impressive is your deep knowledge of the 802.11 standards. I've only scratched the surface. We appreciate your ongoing encouragement to learn as much as we can!
My first question relates to the capture of clear text during a hcxtooldump session. I am very interested in any devices on my network that might be broadcasting strings in clear text. However, whenever I have run the hcxtooldump and studied the output from hcxpcapngtool -E, the only strings appear to be ESSIDs. I have run fairly lengthy tests in the presence of many network clients. Is is safe to say the the broadcast of strings other than the ESSID is a very rare occurrence? Very grateful for your thoughts.

[ZerBea]

Receiving e.g. a plain PreSharedKey on WiFi traffic is a rare case. But it is more common than you might think.
evilsocket/pwnagotchi#835 (comment)

There are several (MANAGEMENT and EAP frames) from which we get this information.

On CLIENT side:
PROBEREQUEST frame (undirected to BROADCAST MAC or directed to ACCESSPOINT MAC)
ASSOCIATION REQUEST frame
REASSOCIATION REQUEST frame
EAP frame
ACTION frame (Neighbor Report Request)
unencrypted IPv4 and IPv6 frame

On ACCESSPOINT side:
BEACON frame
PROBERESPONSE frame
EAP frame

ACCESSPOINTs are more static. Once everything is configured, they do their job more or less than expected.
Only their ESSID will be broadcasted.

CLIENTs are more interesting, because they probe all entries of their wpa-supplicant.conf.
If a user typed the PSK instead of the ESSID, this information will be probed as long as the entry is present
in wpa-supplicant.conf.

Depending on the type of frame, hcxpcapngtool store the plain text received/requested by hcxdumptool to files:

-E <file> : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker
            retrieved from every frame that contain an ESSID
-R <file> : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker
            retrieved from PROBEREQUEST frames only
-I <file> : output unsorted identity list to use as input wordlist for cracker
-U <file> : output unsorted username list to use as input wordlist for cracker

This files can be used directly via hashcat/JtR or preprocessed by hcxeiutool in combination with hashcat/JtR and rules/masks.
evilsocket/pwnagotchi#835 (comment)

Compared to other common tools, hcxdumptool (hcxtools, too) is not focused on ACCESSPOINTs. Main target are EAPOL M2 frames,
undirected PROBEREQUEST frames and EAP-IDs.
Just run hcxdumptool a couple of hours. Than get -R and -I output by hcxpcapngtool and look for common PSKs, IMEIs
or user names.