Closed LLH-l closed 1 year ago
hcxdumptool finds that all the captured handshake packets are stored in a single file. What command do I need to use to store them separately in a single file by (SSID) name in batches?
hcxdumptool has three levels:
1) receive (capture) everything and transmit (send attack frames) everything.
2) receive (capture) everything and filter transmitted packets only (done on the fly by filtermode and filter list options).
3) filter incoming and outgoing traffic (done on the fly by a Berkeley Packet Filter BPF).
Here is the answer for level 3:
$ sudo hcxdumptool -i <interface> --do_rcascan
to get information about target MAC and operation channel of the target
$ sudo hcxdumptool -m <interface>
set interface to monitor mode
$ sudo tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
where 11:22:33:44:55:66 is your target MAC.
run hcxdumptool:
$ hcxdumptool -i <interface> -o dump.pcapng --enable_status=31 --bpfc=attack.bpf
Please notice:
When you convert this dump file you receive a warning, because broadcast frames are filtered out and you will lose some interesting frames.
To avoid this, you can expand the filter to:
$ sudo tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
The filter options are described in --help:
--bpfc=<file> : input kernel space Berkeley Packet Filter (BPF) code
affected: incoming and outgoing traffic - that include rca scan
steps to create a BPF (it only has to be done once):
set hcxdumptool monitormode
$ hcxdumptool -m <interface>
create BPF to protect a MAC
$ tcpdump -i <interface> not wlan addr3 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
where addr3 protect ACCESS POINTs and addr2 protect CLIENTs
recommended to protect own devices
or create BPF to attack a MAC
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
see man pcap-filter for a list of all filter options
to use the BPF code
$ hcxdumptool -i <interface> --bpfc=attack.bpf ...
notice: this is a protect/attack, a capture and a display filter
--filtermode=<digit> : user space filter mode for filter list
mandatory in combination with --filterlist_ap and/or --filterlist_client
affected: only outgoing traffic
notice: hcxdumptool acts as a passive dumper and it will capture the whole traffic on the channel
0: ignore filter list (default)
1: use filter list as protection list
do not interact with ACCESS POINTs and CLIENTs from this list
2: use filter list as target list
only interact with ACCESS POINTs and CLIENTs from this list
not recommended, because some useful frames could be filtered out
using a filter list doesn't have an effect on rca scan
only useful for testing - devices to be protected should be added to BPF
notice: this filter option will let hcxdumptool protect or attack a target - it is neither a capture nor a display filter
--filterlist_ap=<file or MAC> : ACCESS POINT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_ap_vendor=<file> : ACCESS POINT VENDOR filter list by VENDOR
format: 112233, 11:22:33, 11-22-33 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_client=<file or MAC> : CLIENT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
--filterlist_client_VENDOR=<file> : CLIENT VENDOR filter list
format: 112233, 11:22:33, 11-22-33 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
Please notice: What is filtered out on the fly is gone forever and you can't bring it back. Much better is to capture all(!) and to use an offline filter tool to get what you want. This can be done by hcxhashtool. It is an offline filter tool that works on hc22000 files:
$ hcxhashtool --help
hcxhashtool 6.2.7-75-ge2e8609 (C) 2022 ZeroBeat
usage:
hcxhashtool <options>
options:
-i <file> : input PMKID/EAPOL hash file
-o <file> : output PMKID/EAPOL hash file
-E <file> : output ESSID list (autohex enabled)
-d : download https://standards-oui.ieee.org/oui.txt
and save to ~/.hcxtools/oui.txt
internet connection required
-h : show this help
-v : show version
--essid-group : convert to ESSID groups in working directory
full advantage of reuse of PBKDF2
not on old hash formats
--oui-group : convert to OUI groups in working directory
not on old hash formats
--mac-group-ap : convert APs to MAC groups in working directory
not on old hash formats
--mac-group-client : convert CLIENTs to MAC groups in working directory
not on old hash formats
--type=<digit> : filter by hash type
bitmask:
1 = PMKID
2 = EAPOL
default PMKID and EAPOL (1+2=3)
--hcx-min=<digit> : disregard hashes with occurrence lower than hcx-min/ESSID
--hcx-max=<digit> : disregard hashes with occurrence higher than hcx-max/ESSID
--essid-len : filter by ESSID length
default ESSID length: 0...32
--essid-min : filter by ESSID minimum length
default ESSID minimum length: 0
--essid-max : filter by ESSID maximum length
default ESSID maximum length: 32
--essid=<ESSID> : filter by ESSID
--essid-part=<part of ESSID> : filter by part of ESSID
--essid-list=<file> : filter by ESSID file
--mac-ap=<MAC> : filter AP by MAC
format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--mac-client=<MAC> : filter CLIENT by MAC
format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--mac-list=<file> : filter by MAC file
format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--mac-skiplist=<file> : exclude MAC from file
format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--oui-ap=<OUI> : filter AP by OUI
format: 001122, 00:11:22, 00-11-22 (hex)
--oui-client=<OUI> : filter CLIENT by OUI
format: 001122, 00:11:22, 00-11-22 (hex)
--vendor=<VENDOR> : filter AP or CLIENT by (part of) VENDOR name
--vendor-ap=<VENDOR> : filter AP by (part of) VENDOR name
--vendor-client=<VENDOR> : filter CLIENT by (part of) VENDOR name
--authorized : filter EAPOL pairs by status authorized (M2M3, M3M4, M1M4)
--challenge : filter EAPOL pairs by status CHALLENGE (M1M2, M1M2ROGUE)
--rc : filter EAPOL pairs by replaycount status checked
--rc-not : filter EAPOL pairs by replaycount status not checked
--apless : filter EAPOL pairs by status M1M2ROGUE (M2 requested from CLIENT)
--info=<file> : output detailed information about content of hash file
no filter options available
--info=stdout : stdout output detailed information about content of hash file
no filter options available
--info-vendor=<file> : output detailed information about ACCESS POINT and CLIENT VENDORs
no filter options available
--info-vendor-ap=<file> : output detailed information about ACCESS POINT VENDORs
no filter options available
--info-vendor-client=<file> : output detailed information about CLIENT VENDORs
no filter options available
--info-vendor=stdout : stdout output detailed information about ACCESS POINT and CLIENT VENDORs
no filter options available
--info-vendor-ap=stdout : stdout output detailed information about ACCESS POINT VENDORs
no filter options available
--info-vendor-client=stdout : stdout output detailed information about CLIENT VENDORs
no filter options available
--psk=<PSK> : pre-shared key to test
due to PBKDF2 calculation this is a very slow process
no nonce error corrections
--pmk=<PMK> : plain master key to test
no nonce error corrections
--hccapx=<file> : output to deprecated hccapx file
--hccap=<file> : output to ancient hccap file
--hccap-single : output to ancient hccap single files (MAC + count)
--john=<file> : output to deprecated john file
--vendorlist : stdout output complete OUI list sorted by OUI
--help : show this help
--version : show version
example: you have an archive including all hashes and you want to filter all ESSIDs with name test:
$ hcxhashtool -i all.hc22000 --essid=test -o test.hc22000
OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entires...................: 32782
total lines read..............: 2021496
valid hash lines..............: 2021496
PMKID hash lines..............: 760337
EAPOL hash lines..............: 1261159
filter by ESSID...............: test
PMKID written.................: 23
EAPOL written.................: 60
workflow: hcxdumptool (capture everything) -> hcxpcapngtool (convert everything) -> hcxhashtool (filter hashes) -> hashcat
or: hcxdumptool (capture everything) -> hcxpcapngtool (convert everything) -> hcxhashtool (filter hashes) -> hcxpsktool (get some default key spaces to be used as wordlist) -> hashcat
What command does hcxdumptool need to use to directly save the PCAP format?
There is no command to store to (very limited PCAP) file format. hcxdumptool uses PCAPNG only. Wireshark/tshark (leading analysis tools - that is the reference) use PCAPNG as default, too, so there is absolutely no reason to use a limited CAP/PCAP format.
How can hcxdumptool capture some hidden AP handshake packets?
That is mostly a problem of passive dumpers.
hcxdumptool is interactive and after a while it gets the ESSID from the target as described here
https://github.com/ZerBea/hcxtools/pull/210#issuecomment-1107442783
You may have noticed that neither hcxpcapngtool nor hcxdumptool has an option to add an ESSID by user. That is not necessary.
BTW: All these tools are running in the background of wpa-sec https://wpa-sec.stanev.org/?stats They are not easy to use (some experience is mandatory), but if you know what you're doing, these tools can do magic.
This is more a discussion than an issue report. Closed it here and opened a discussion here: https://github.com/ZerBea/hcxdumptool/discussions
hcxdumptool -i wlan0 -o 1.pcapng --active_beacon --enable_status=15
I used this command to capture some handshake packets, but I found the following problems:
hcxdumptool finds that all the captured handshake packets are stored in a single file. What command do I need to use to store them separately in a single file by (SSID) name in batches?
What command does hcxdumptool need to use to directly save the PCAP format?
How can hcxdumptool capture some hidden AP handshake packets?
Where can I see examples of these commands? Reference commands are required.
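As an added example that is not part of this thread and not hcxtools code: the recommended workflow above is to capture everything and sort it offline, and hcxhashtool's --essid-group / --essid / --authorized / --challenge options are what do that sorting on hc22000 files. The script below reimplements that offline step in plain Python so the file layout is visible, e.g. for an audit of your own network where only the entries for your own ESSID should be kept and everything else discarded. The nine-field hc22000 layout and the MESSAGEPAIR bit meanings (bits 0-2 message pair, bit 3 replay counter not checked, bit 4 AP-less) are my reading of the hc22000/hccapx documentation, not taken from this page; all hash values, MACs and EAPOL payloads in SAMPLE_LINES are constructed and shortened, and the function names are my own.

```python
"""Offline grouping and filtering of hc22000 hash lines by ESSID.

Added example (not hcxtools code): a minimal stand-in for what
`hcxhashtool --essid-group`, `--essid`, `--authorized` and `--challenge` do,
so a capture of everything can be sorted afterwards instead of filtering on
the fly at capture time, where dropped frames are gone for good.
"""
from collections import defaultdict
from pathlib import Path

# One hc22000 line, fields separated by '*' (layout as I read the hcxtools docs):
# WPA*TYPE*PMKID_or_MIC*MAC_AP*MAC_CLIENT*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID (last three fields empty), TYPE 02 = EAPOL (4-way handshake)
TYPE_PMKID = "01"
TYPE_EAPOL = "02"
FIELD_COUNT = 9

# Constructed sample input: every hex value is made up, EAPOL payloads are shortened.
SAMPLE_LINES = [
    "WPA*01*5f0c6dc4b1a5b3c9e1c0fbc26f57c9a3*001122334455*66778899aabb*74657374***",
    "WPA*02*a2f3b5c1d4e5f60718293a4b5c6d7e8f*001122334455*66778899aabb*74657374*"
    + "11" * 32 + "*0103007502010a0000000000000000000001*02",
    "WPA*02*0f1e2d3c4b5a69788796a5b4c3d2e1f0*aabbccddeeff*102030405060*686f6d656e6574*"
    + "22" * 32 + "*0103007502010a0000000000000000000001*10",
    "# not a hash line, must be ignored",
]


def parse_hc22000_line(line):
    """Return a dict describing one hc22000 line, or None if it is not one."""
    fields = line.strip().split("*")
    if len(fields) != FIELD_COUNT or fields[0] != "WPA":
        return None
    if fields[1] not in (TYPE_PMKID, TYPE_EAPOL):
        return None
    try:
        essid = bytes.fromhex(fields[5]).decode("utf-8", errors="replace")
    except ValueError:
        return None
    rec = {"type": fields[1], "mac_ap": fields[3].lower(),
           "mac_client": fields[4].lower(), "essid": essid, "line": line.strip()}
    if fields[1] == TYPE_EAPOL:
        # MESSAGEPAIR byte: bits 0-2 = message pair (0 = M1M2, 1 = M1M4,
        # 2/3 = M2M3, 4/5 = M3M4), bit 3 = replay counter NOT checked,
        # bit 4 = AP-less capture (M1M2ROGUE). Only pair 0 is a "challenge";
        # every other pair shows the client completed the handshake ("authorized").
        try:
            mp = int(fields[8], 16)
        except ValueError:
            return None
        rec["message_pair"] = mp & 0x07
        rec["rc_checked"] = not (mp & 0x08)
        rec["apless"] = bool(mp & 0x10)
        rec["authorized"] = rec["message_pair"] != 0
    return rec


def filter_records(lines, essid=None, essid_part=None, authorized=False, challenge=False):
    """Offline equivalent of --essid / --essid-part / --authorized / --challenge."""
    out = []
    for line in lines:
        rec = parse_hc22000_line(line)
        if rec is None:
            continue
        if essid is not None and rec["essid"] != essid:
            continue
        if essid_part is not None and essid_part not in rec["essid"]:
            continue
        if authorized and not (rec["type"] == TYPE_EAPOL and rec["authorized"]):
            continue
        if challenge and not (rec["type"] == TYPE_EAPOL and not rec["authorized"]):
            continue
        out.append(rec)
    return out


def group_by_essid(lines):
    """Map ESSID -> list of records, like --essid-group but in memory."""
    groups = defaultdict(list)
    for rec in filter_records(lines):
        groups[rec["essid"]].append(rec)
    return dict(groups)


def write_essid_groups(lines, outdir):
    """Write one <essid-hex>.hc22000 file per ESSID; returns {path: line count}."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written = {}
    for essid, recs in group_by_essid(lines).items():
        # hex file names avoid trouble with odd characters in ESSIDs
        path = outdir / (essid.encode("utf-8").hex() + ".hc22000")
        path.write_text("\n".join(r["line"] for r in recs) + "\n")
        written[path] = len(recs)
    return written


if __name__ == "__main__":
    import sys
    import tempfile

    # Usage: python group_hc22000.py [all.hc22000]   (defaults to the constructed sample)
    lines = Path(sys.argv[1]).read_text().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    for path, count in write_essid_groups(lines, tempfile.mkdtemp()).items():
        print(f"{path}: {count} hash line(s)")
```

Run on the sample data it writes 74657374.hc22000 (two entries for "test") and 686f6d656e6574.hc22000 (one entry for "homenet") into a temporary directory and ignores the comment line; pointing it at a real all.hc22000 from hcxpcapngtool sorts that file the same way. Only the ESSID of your own network needs to be kept for an audit; the rest can be deleted.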