hcxdumptool

[Khodiev979]

I'm just learning, and I can't figure out what the problem is?

(kali㉿kali)-[~]
└─$ sudo hcxdumptool -i wlan0 -o dumpfile.pcapng --active_beacon --enable_status=15
hcxdumptool: invalid option -- 'o'
hcxdumptool 6.3.1-61-g67d3e68 (C) 2023 by ZeroBeat

[ZerBea]

First step is to run
$ hcxdumptool -h
to get an overview of all options

Output looks like this:

$ hcxdumptool -h
hcxdumptool 6.3.1-61-g67d3e68  (C) 2023 ZeroBeat
usage: hcxdumptool <options>
        first stop all services that take access to the interface, e.g.:
        $ sudo systemctl stop NetworkManager.service
        $ sudo systemctl stop wpa_supplicant.service
        run hcxdumptool
        press ctrl+c to terminate
        press GPIO button to terminate
         hardware modification is necessary, read more:
         https://github.com/ZerBea/hcxdumptool/tree/master/docs
        stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
        do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
        do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
        do not use virtual machines or emulators
        do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
        do not use tools to change MAC (like macchanger)
        do not merge (pcapng) dump files, because this destroys assigned hash values!

short options:
-i <INTERFACE> : name of INTERFACE to be used
                  default: first suitable INTERFACE
                  warning: hcxdumptool changes the virtual MAC address of the INTERFACE
-w <outfile>   : write packets to a pcapng-format file named <outfile>
                  default outfile name: yyyyddmmhhmmss-interfacename.pcapng
                  get more information: https://pcapng.com/
-c <digit>     : set channel (1a,2a,36b...)
                  default: 1a,6a,11a
                  important notice: channel numbers are not unique
                  it is mandatory to add band information to the channel number (e.g. 12a)
                   band a: NL80211_BAND_2GHZ
                   band b: NL80211_BAND_5GHZ
                   band c: NL80211_BAND_6GHZ
                   band d: NL80211_BAND_60GHZ
                   band e: NL80211_BAND_S1GHZ (902 MHz)
                  to disable frequency management, set this option to a single frequency/channel
-f <digit>     : set frequency (2412,2417,5180,...)
-F             : use available frequencies from INTERFACE
-t <second>    : minimum stay time (will increase on new stations and/or authentications)
                  default 1 seconds
-m <INTERFACE> : set monitor mode and terminate
-p             : do not set monitor mode: active (do not ACK incoming frames addressed to the device MAC)
                 default monitor mode: active (ACK all incoming frames addressed to the device MAC)
-L             : show INTERFACE list
-l             : show INTERFACE list (tabulator separated and greppable)
-I <INTERFACE> : show detailed information about INTERFACE
-h             : show this help
-v             : show version

long options:
--bpf=<file>                   : input kernel space Berkeley Packet Filter (BPF) code
                                  steps to create a BPF (it only has to be done once):
                                  $ hcxdumptool -m <interface>
                                  create BPF to protect MACs
                                  $ tcpdump -i <INTERFACE> not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
                                  recommended to protect own devices
                                  create BPF to attack a MAC
                                  $ tcpdump -i <INTERFACE> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
                                  it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
                                  $ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
                                  see man pcap-filter for a list of all filter options
                                  add BPF code: 
                                  $ hcxdumptool -i <INTERFACE> --bpf=attack.bpf ...
--disable_beacon               : do not transmit BEACON frames
--disable_deauthentication     : do not transmit DEAUTHENTICATION/DISASSOCIATION frames
--disable_proberequest         : do not transmit PROBEREQUEST frames
--disable_association          : do not AUTHENTICATE/ASSOCIATE
--disable_reassociation        : do not REASSOCIATE a CLIENT
--beacontx=<digit>             : transmit BEACON of first n entries of ESSID list
                                  default: 10
--proberesponsetx=<digit>      : transmit PROBERESPONSEs of first n entries of ESSID list
                                 default: 10
--essidlist=<file>             : initialize ESSID list with these ESSIDs
--errormax=<digit>             : set maximum allowed ERRORs
                                  default: 100 ERRORs
--watchdogmax=<seconds>        : set maximum TIMEOUT when no packets received
                                  default: 600 seconds
--attemptclientmax=<digit>     : set maximum of attempts to request an EAPOL M2
                                  default: 10 attempts
                                  to disable CLIENT attacks set 0
--attemptapmax=<digit>         : set maximum of received BEACONs to request a PMKID or to get a 4-way handshake
                                  default: stop after 4 received BEACONs
                                  attemptapmax=0 include this options:
                                   disable_deauthentication: do not transmit DEAUTHENTICATION/DISASSOCIATION frames
                                   disable_proberequest    : do not transmit PROBEREQUEST frames
                                   disable_association     : do not AUTHENTICATE/ASSOCIATE
                                   disable_reassociation   : do not REASSOCIATE a CLIENT
--tot=<digit>                  : enable timeout timer in minutes
--exitoneapol=<type>           : exit on first EAPOL occurrence:
                                  bitmask:
                                   1 = PMKID
                                   2 = EAPOL M2
                                   4 = EAPOL M3
                                  target BPF filter is recommended
--onsigterm=<action>           : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--ongpiobutton=<action>        : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--ontot=<action>               : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--onwatchdog=<action>          : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--onerror=<action>             : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--gpio_button=<digit>          : Raspberry Pi GPIO pin number of button (2...27)
                                  push GPIO button (> 10 seconds) to terminate program
                                  default: 0 (GPIO not in use)
--gpio_statusled=<digit>       : Raspberry Pi GPIO number of status LED (2...27)
                                  default: 0 (GPIO not in use)
--nmea_dev=<NMEA device>       : open NMEA device (/dev/ttyACM0, /dev/tty/USB0, ...)
                                  baudrate = BD9600
--gpsd                         : use gpsd to get position
                                  gpsd will be switched to NMEA0183 mode
--nmea_out=<outfile>           : write GPS information to a nmea-format file named <outfile>
                                  default outfile name: yyyymmddhhmmss.nmea
                                  output: NMEA 0183 standard messages:
                                          $GPRMC: Position, velocity, time and date
                                          $GPGGA: Position, orthometric height, fix related data, time
                                          $GPWPL: Position and MAC AP
                                          $GPTXT: ESSID in HEX ASCII
                                  use gpsbabel to convert to other formats:
                                   gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file.gpx
                                   gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml
                                  get more information: https://en.wikipedia.org/wiki/NMEA_0183
--nmea_pcapng                  : write GPS information to pcapng dump file
--rcascan=<character>          : do (R)adio (C)hannel (A)ssignment scan
                                  default = passive scan
                                  a = active scan
                                  p = passive scan
--rds=<digit>                  : sort real time display
                                  default: sort by time (last seen on top)
                                  1 = sort by status (last PMKID/EAPOL on top)
--help                         : show this help
--version                      : show version

Legend
real time display:
 R = + AP display     : AP is in TX range or under attack
 S = + AP display     : AUTHENTICATION KEY MANAGEMENT PSK
 P = + AP display     : got PMKID hashcat / JtR can work on
 1 = + AP display     : got EAPOL M1 (CHALLENGE)
 3 = + AP display     : got EAPOL M1M2M3 (AUTHORIZATION) hashcat / JtR can work on
 E = + CLIENT display : got EAP-START MESSAGE
 2 = + CLIENT display : got EAPOL M1M2 (ROGUE CHALLENGE) hashcat / JtR can work on

Notice:
This is a penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
To store entire traffic, run <tshark -i <interface> -w allframes.pcapng> in parallel

If you take look at this option list you'll see that there is no option "-o", no option "--active_beacon" and no option "--active_beacon --enable_status=15" any longer. This options are removed since hcxdumptool v6.3.0.

To get the same result on hcxdumptool >= v6.3.0 run this command:
$ hcxdumptool -i wlan0 -w dumpfile.pcapng -F --rds=1

Please also notice that it is mandatory to stop all services that take access to device wlan0 before you run hcxdumptool.

[Khodiev979]

Good day! I used hcxdumptool -i wlan0 -w dumpfile.pcapng -F --rds=1. Excellent tools! Please tell me how to write a command correctly if I want to attack one specific mac address Пн, 2 окт. 2023 г. в 16:44, ZerBea ***@***.***>:

…

First step is to run $ hcxdumptool -h to get an overview of all options Output looks like this: $ hcxdumptool -h hcxdumptool 6.3.1-61-g67d3e68 (C) 2023 ZeroBeat usage: hcxdumptool <options> first stop all services that take access to the interface, e.g.: $ sudo systemctl stop NetworkManager.service $ sudo systemctl stop wpa_supplicant.service run hcxdumptool press ctrl+c to terminate press GPIO button to terminate hardware modification is necessary, read more: https://github.com/ZerBea/hcxdumptool/tree/master/docs stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface do not set monitor mode by third party tools (iwconfig, iw, airmon-ng) do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw do not use virtual machines or emulators do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump) do not use tools to change MAC (like macchanger) do not merge (pcapng) dump files, because this destroys assigned hash values! short options: -i <INTERFACE> : name of INTERFACE to be used default: first suitable INTERFACE warning: hcxdumptool changes the virtual MAC address of the INTERFACE -w <outfile> : write packets to a pcapng-format file named <outfile> default outfile name: yyyyddmmhhmmss-interfacename.pcapng get more information: https://pcapng.com/ -c <https://pcapng.com/-c> <digit> : set channel (1a,2a,36b...) default: 1a,6a,11a important notice: channel numbers are not unique it is mandatory to add band information to the channel number (e.g. 12a) band a: NL80211_BAND_2GHZ band b: NL80211_BAND_5GHZ band c: NL80211_BAND_6GHZ band d: NL80211_BAND_60GHZ band e: NL80211_BAND_S1GHZ (902 MHz) to disable frequency management, set this option to a single frequency/channel -f <digit> : set frequency (2412,2417,5180,...) -F : use available frequencies from INTERFACE -t <second> : minimum stay time (will increase on new stations and/or authentications) default 1 seconds -m <INTERFACE> : set monitor mode and terminate -p : do not set monitor mode: active (do not ACK incoming frames addressed to the device MAC) default monitor mode: active (ACK all incoming frames addressed to the device MAC) -L : show INTERFACE list -l : show INTERFACE list (tabulator separated and greppable) -I <INTERFACE> : show detailed information about INTERFACE -h : show this help -v : show version long options: --bpf=<file> : input kernel space Berkeley Packet Filter (BPF) code steps to create a BPF (it only has to be done once): $ hcxdumptool -m <interface> create BPF to protect MACs $ tcpdump -i <INTERFACE> not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf recommended to protect own devices create BPF to attack a MAC $ tcpdump -i <INTERFACE> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req) $ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf see man pcap-filter for a list of all filter options add BPF code: $ hcxdumptool -i <INTERFACE> --bpf=attack.bpf ... --disable_beacon : do not transmit BEACON frames --disable_deauthentication : do not transmit DEAUTHENTICATION/DISASSOCIATION frames --disable_proberequest : do not transmit PROBEREQUEST frames --disable_association : do not AUTHENTICATE/ASSOCIATE --disable_reassociation : do not REASSOCIATE a CLIENT --beacontx=<digit> : transmit BEACON of first n entries of ESSID list default: 10 --proberesponsetx=<digit> : transmit PROBERESPONSEs of first n entries of ESSID list default: 10 --essidlist=<file> : initialize ESSID list with these ESSIDs --errormax=<digit> : set maximum allowed ERRORs default: 100 ERRORs --watchdogmax=<seconds> : set maximum TIMEOUT when no packets received default: 600 seconds --attemptclientmax=<digit> : set maximum of attempts to request an EAPOL M2 default: 10 attempts to disable CLIENT attacks set 0 --attemptapmax=<digit> : set maximum of received BEACONs to request a PMKID or to get a 4-way handshake default: stop after 4 received BEACONs attemptapmax=0 include this options: disable_deauthentication: do not transmit DEAUTHENTICATION/DISASSOCIATION frames disable_proberequest : do not transmit PROBEREQUEST frames disable_association : do not AUTHENTICATE/ASSOCIATE disable_reassociation : do not REASSOCIATE a CLIENT --tot=<digit> : enable timeout timer in minutes --exitoneapol=<type> : exit on first EAPOL occurrence: bitmask: 1 = PMKID 2 = EAPOL M2 4 = EAPOL M3 target BPF filter is recommended --onsigterm=<action> : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --ongpiobutton=<action> : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --ontot=<action> : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --onwatchdog=<action> : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --onerror=<action> : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --gpio_button=<digit> : Raspberry Pi GPIO pin number of button (2...27) push GPIO button (> 10 seconds) to terminate program default: 0 (GPIO not in use) --gpio_statusled=<digit> : Raspberry Pi GPIO number of status LED (2...27) default: 0 (GPIO not in use) --nmea_dev=<NMEA device> : open NMEA device (/dev/ttyACM0, /dev/tty/USB0, ...) baudrate = BD9600 --gpsd : use gpsd to get position gpsd will be switched to NMEA0183 mode --nmea_out=<outfile> : write GPS information to a nmea-format file named <outfile> default outfile name: yyyymmddhhmmss.nmea output: NMEA 0183 standard messages: $GPRMC: Position, velocity, time and date $GPGGA: Position, orthometric height, fix related data, time $GPWPL: Position and MAC AP $GPTXT: ESSID in HEX ASCII use gpsbabel to convert to other formats: gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file.gpx gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml get more information: https://en.wikipedia.org/wiki/NMEA_0183 --nmea_pcapng <https://en.wikipedia.org/wiki/NMEA_0183--nmea_pcapng> : write GPS information to pcapng dump file --rcascan=<character> : do (R)adio (C)hannel (A)ssignment scan default = passive scan a = active scan p = passive scan --rds=<digit> : sort real time display default: sort by time (last seen on top) 1 = sort by status (last PMKID/EAPOL on top) --help : show this help --version : show version Legend real time display: R = + AP display : AP is in TX range or under attack S = + AP display : AUTHENTICATION KEY MANAGEMENT PSK P = + AP display : got PMKID hashcat / JtR can work on 1 = + AP display : got EAPOL M1 (CHALLENGE) 3 = + AP display : got EAPOL M1M2M3 (AUTHORIZATION) hashcat / JtR can work on E = + CLIENT display : got EAP-START MESSAGE 2 = + CLIENT display : got EAPOL M1M2 (ROGUE CHALLENGE) hashcat / JtR can work on Notice: This is a penetration testing tool! It is made to detect vulnerabilities in your NETWORK mercilessly! To store entire traffic, run <tshark -i <interface> -w allframes.pcapng> in parallel If you take look at this option list you'll see that there is no option "-o", no option "--active_beacon" and no option "--active_beacon --enable_status=15" any longer. This options are removed since hcxdumptool v6.3.0. To get the same result on hcxdumptool >= v6.3.0 run this command: $ hcxdumptool -i wlan0 -w dumpfile.pcapng -F --rds=1 Please also notice that it is mandatory to stop all services that take access to device wlan0 before you run hcxdumptool. — Reply to this email directly, view it on GitHub <#348 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AECBLRK4Z7OYLJDDHHRO3DTX5LAKLAVCNFSM6AAAAAA5PNE7ZOVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM3TCNRVGMYTM> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[ZerBea]

Jus create a Berkeley Packet Filter and add it to hcxdumptool.

Steps to create a simple filter:
set monitor mode
$ hcxdumptool -m INTERFACENAME

create the filter (this example use 11:22:33:44:55:66 as target address)
$ sudo tcpdump -i INTERFACENAME wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf

run hcxdumptool with the filter:
$ sudo hcxdumptool -i INTERFACENAME -w dumpfile.pcapng -F --rds=1 --bpf=attack.bpf

More information is here:
#343

[Schreg1976]

Hi there,
one question: is it possible to have 2 or more target MAC addresses and if yes: what is the correct syntax?

[ZerBea]

Yes it is possible.
basic BPF example for two target APs:
AP1 = 11:12:13:14:15:16
AP2 = 21:22:23:24:25:26

"wlan addr3 11:12:13:14:15:16 or wlan addr3 21:22:23:24:25:26"

[LLH-l]

`Can allow create a lot AP and a lot client MAC ?

AP MAC
aa:aa:aa:aa:aa:aa
bb:bb:bb:bb:bb:bb

Client MAC
dd:dd:dd:dd:dd:dd
ee:ee:ee:ee:ee:ee

create
tcpdump -i INTERFACENAME wlan addr1 dd:dd:dd:dd:dd:dd or wlan addr2 ee:ee:ee:ee:ee:ee or wlan addr3 aa:aa:aa:aa:aa:aa or wlan addr3 aa:aa:aa:aa:aa:aa -ddd > attack.bpf

[ZerBea]

Command line is wrong, because it build tcpdump default snaplen of 65535 bytes while hcxdumptool's snaplen is 1024
Attack filter on CLIENTs mostly do not work as expected due to MAC randomization by nearly all CLIENTs.

$ tcpdump -s 1024 -y IEEE802_11_RADIO wlan addr3 aaaaaaaaaaaa or wlan addr3 bbbbbbbbbbbb or wlan addr1 dddddddddddd or wlan addr2 dddddddddddd or wlan addr1 eeeeeeeeeeee or wlan addr2 eeeeeeeeeeee -ddd > filter.bpf

explanation:

wlan addr1 = receiver of the frame (dd:dd:dd:dd:dd:dd or ee:ee:ee:ee:ee:ee) 
wlan addr2 = transmitter of the frame  (dd:dd:dd:dd:dd:dd or ee:ee:ee:ee:ee:ee)
wlan addr3 = BSSID (aa:aa:aa:aa:aa:aa or bb:bb:bb:bb:bb:bb)

[LLH-l]

wlan addr1 = receiver of the frame (dd:dd:dd:dd:dd:dd or ee:ee:ee:ee:ee:ee)
wlan addr2 = transmitter of the frame (dd:dd:dd:dd:dd:dd or ee:ee:ee:ee:ee:ee)
wlan addr3 = BSSID (aa:aa:aa:aa:aa:aa or bb:bb:bb:bb:bb:bb)
Yeah,understand

But still have some cannot be understood
Create BPF to attack single MAC
Which of following is correct creation

tcpdump -i wlan0 wlan addr3 aa:aa:aa:aa:aa:aa -ddd > protect.bpf
tcpdump -i wlan0 wlan addr1 aa:aa:aa:aa:aa:aa or wlan addr2 aa:aa:aa:aa:aa:aa or wlan addr3 aa:aa:aa:aa:aa:aa -ddd > protect.bpf
If all is correct, between them, have what difference

like this, if need create attack single MAC, not simpler ?
tcpdump -i wlan0 wlan addr3 aa:aa:aa:aa:aa:aa -ddd > protect.bpf

But why same MAC, why need do continuity create

tcpdump -i wlan0 wlan addr1 aa:aa:aa:aa:aa:aa or wlan addr2 aa:aa:aa:aa:aa:aa or wlan addr3 aa:aa:aa:aa:aa:aa -ddd > protect.bpf

[ZerBea]

Most of the frames we need include the MAC of the BSSID at address 3.
To attack a single AP (mac:112233445566) the BPF syntax is "wlan addr 3 112233445566"
That will attack all CLIENTs, associated to this AP, too

BTW:
This command lines to create a BPF are wrong, because you have not set the correct snaplen of 1024 (tcpdump use a greater snaplen 65535 by default)

tcpdump -i wlan0 wlan addr3 aa:aa:aa:aa:aa:aa -ddd > protect.bpf
tcpdump -i wlan0 wlan addr1 aa:aa:aa:aa:aa:aa or wlan addr2 aa:aa:aa:aa:aa:aa or wlan addr3 aa:aa:aa:aa:aa:aa -ddd > protect.bpf

To answer your question:
Both lines doing nearly the same.
First one filters all frames which contain the BSSID mac in address 3
Second one filters all frames which contain frames to the BSSID and frames coming from the BSSID and frames which contain the BSSID mac in address 3. This filters more frames (e.g. ACK, BLOCKACK and some other frames which do not have an address 3) than the first filter.
1 Some frames only have address 1
2 Some frames have address 1 and address 2
3 Some frames have address 1 and address 2 and address 3
3 Some frames have address 1 and address 2 and address 3 and address 4

If you set filter to address 3, you will not get type 1 and type 2 frames.

https://www.geeksforgeeks.org/ieee-802-11-mac-frame/

[LLH-l]

@ZerBea
Hmm, understood, thanks, for capture handshake,
use this command create BPF is best
tcpdump -i wlan0 wlan addr3 aa:aa:aa:aa:aa:aa -ddd > attack.bpf

[ZerBea]

That will not include undirected PROBEREQUEST frames and hcxpcapngtool print a warning that these frames are missing in the dump file.
Also it will create a filter with a wrong snaplen of 65535 bytes while hcxdumptool use a snaplen of 1024.

[LLH-l]

Is this such right
tcpdump -s 1024 -y IEEE802_11_RADIO -i wlan0 wlan addr3 aa:aa:aa:aa:aa:aa or wlan addr3 ff:ff:ff:ff:ff:ff -ddd >attack.bpf

[ZerBea]

You got it.