What to use it in 2024?

[Aggelos11]

All of the tutorial I saw use some arguments such as active_beacon etc but I noticed that it does not work in the latest version . What is its replacement in the latest version ?

[ZerBea]

All options are explained in help menu (-h) and here:
#368
#348
#343
#423

Filtering is explained in help menu (--help) and here:
#420
#412
#388
The high level syntax for the capture filter is the same syntax that tshark/Wireshark and tcpdump use.

There is no standard solution, because all options depend on task and target.
This is the simplest command line:
$ sudo hcxdumptool --rds=1

Some examples (Linux stock kernel drivers) are here:
#361
and here (out of Linux kernel tree driver):
https://hashcat.net/forum/thread-11855-post-60312.html#pid60312

A wiki is here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

[notPrivate-care]

This is the simplest command line:
$ sudo hcxdumptool --rds=1

Maybe its also good to mention -F in the most simple command as then people will say they cant see their AP if it's not on channel 1a, 6a or 11a.

For targeting a specific AP:
You have said before that 75% of the capabilities of the tool is gone if you filter. So a trick I used is- On my Android I used an app called WifiAnalyzer to know the frequency of the target AP, and then remove the -F and use -f to target that frequency, example -f 2432. The problem here is it will attack all the APs in and near this frequency, and if you only have permission to attack a single AP, you have to use filters.
I have started using -f most of the time because: When I was testing with -F, the tool successfully made my phone disconnect and reconnect with my wifi, but failed to capture the packet because I think it was monitoring and jumping to other frequencies.
If you have suggestion for a better approach, I would love to hear it!
My current usage with the tool:
(Most commands with root privileges)
First time on the system, do this: iw reg set (your country)
Every time before starting the tool: on systemd, Systemctl stop NetworkManager and wpa_supplicant.
Tool: hcxdumptool -i INTERFACE_NAME -w dump.pcapng -F --rds=1 (I replace -F with -f to target a specific frequency. and add --disable_deauthentication if I don't want to deauthenticate clients, to run the tool passively and not disrupt users.)
While running the tool: I look if there is no + in S, that means there is no password on AP, and if there is + on either 3, P or 2, that means I can crack AP.
After successful session, I upload the pcapng file to https://wpa-sec.stanev.org/ as hashcat for some reason gives me error on my system (arch with drivers installed), and my system is weak for password cracking.
But if I wanted to, I can: Convert for hashcat:
hcxpcapngtool dump.pcapng -o dump.hc22000
and if I wanted to crack only a particular AP, I can extract the hash by:
hcxhashtool -i dump.hc22000 --essid="Target_AP_Name" -o target_ap_name.hc22000
And then finally, hashcat:
hashcat -a 3 -m 22000 /path/to/target.hc22000 ?d?d?d?d?d?d?d?d

If you think I could do any of this better, I would love to know!!

#301 (comment)
How did you crack such a complex password so quickly???!!!! And what extra information does hcxdumptool store that others don't? (I have no knowledge about all this, just want to know on a high level if you have the time!)

And finally, do you recommend using other tools or techniques if one fails with either hcxdumptool or cracking password? Like I imagine WPS is not worth wasting time in 2024 as every AP just timeouts after 3 tries. And to anyone reading, you could try a phishing page for eg if you are testing a corporate client, as at least one employee might enter the password (of course have written permission from the company).

EDIT: THANK you so MUCH, I really respect all the work you have done and shared for free!!!

[ZerBea]

Thanks for explaining your workflow. That is really helpful for new users of hcxdumptool/hcxtools.

I admit that neither hcxdumptool nor hcxtools are easy to use (because we are not on beginner level), so please let me add some additional information:
it is mandatory that you analyze the target before(!) you start an attack (hcxdumptool rcascan, tshark, Wireshark)
get frequency/channel
get MAC and ESSID of the AP
get MACs of all CLIENTs assigned to the target
set hcxdumptool to the target frequency/channel and add all MACs to the BPF
and feed hcxdumptool with the essidlist, retrieved from hcxpcapngtool (-E)
run hcxdumptool for as long as necessary to get all possible information from all CLIENTs (--attemptclientmax=10000)

To get an overview of crowded channels, running rcascan in combination with -F is a good idea.
I have really good reasons, to set default scan channels to 1a, 6a and 11a:
these are the most used frequencies/channels
it takes 15 seconds only to scan this frequencies/channels

hcxdumptool does the standard attacks against APs to get a 4way handshake and it does attacks to retrieve a PMKID.
But a "hardened" AP is not the main target. Instead hcxdumptool is designed to get all informations from "weak" CLIENTs.
Therefore it requests all entries of the wpa_supplicant.conf from a CLIENT. If the PSK is stored in a wrong way (e.g. in the ESSID field),
hcxdumptool will get it. That include complex PSKs too.

BTW:
Soon, I'm going to replace hcxdumptool by a new version (v7.0.0). This version (called hcxlabtool) can be tested:
https://github.com/ZerBea/wifi_laboratory
Attack modes against CLIENTs have been improved. That applies to the real time display (rds=1, rds=2), too.
There are still some missing functions like rcascan.
GPS has been removed due to performance reasons. I'll ad it to hcxpcapngtool.
From now on you can use your favorite tool (e.g. gpsd) or hardware (Garmin eTrex) to record a GPS track.
Later on (off-line) this track should be converted by gpsbabel to NMEA0183 and loaded together with the dump file
(and the time offset between GPS receiver and machine on which hcxdumptool is running) to hcxpcapngtool (which joins this information).
A Raspberry Pi Zero is definitely a way too slow to handle this (capture traffic, respond to requests evaluate GPS information and store all to SD-card).

To figure out, which information hcxdumptool retrieves, just run it for a while and convert the dump file by hcxpcapngtool.
Than do the same, running a passive dumper. I'm sure, hcxpcapngtool will tell you what kind of frames are missing.

[notPrivate-care]

Thanks a lot for your reply.
You have said a lot of things, and honestly, I did not understand a lot of things as I am a newbie. I always thought of attacking the AP, but realizing that this tool is focused on taking advantage of the CLIENTs, and that more APs nowadays come with better security practices but CLIENTs like IoT devices are weak most of the times, has opened my mind! The problem for me is (I assume) that modern devices (CLIENTs) like phones (android, ios) and laptops might not be vulnerable, but older and IoT devices might be. But I don't live in a developed country where people use IoT devices. Most people only connect phone and laptop to wifi, at most TV, but not microwave, fridge, lights, cameras, etc.
You said that some CLIENTs send PSK in ESSID fields (but I don't think modern android, ios, linux, windows have faulty wifi implementation, but only IoT devices.)

it is mandatory that you analyze the target before(!) you start an attack (hcxdumptool rcascan, tshark, Wireshark)

You have said that sudo nmcli dev wifi is much better, so just leaving it here for others.

set hcxdumptool to the target frequency/channel and add all MACs to the BPF
and feed hcxdumptool with the essidlist, retrieved from hcxpcapngtool (-E)
run hcxdumptool for as long as necessary to get all possible information from all CLIENTs (--attemptclientmax=10000)

I understood most of this in theory, but dont know the commands. If I am using MAC filter with BPF, why do I need to give the essid list? (and if I use filters, you said that 75% capabilities of the tool are not used. May I know which attack types are not used?).

And what is the use of GPS? wardriving?

Clearly I have close to 0 knowledge. Is there a knowledge base or a list of resources so that users can at least understand the wifi security/tool, its capabilities, and how to approach and use it so that the success rate will be much higher.

Approx what percent of networks have weak clients? And do they ever include modern devices?

[ZerBea]

If a user types the PSK into the ESSID field and the ESSID into the PSK field of the device, the device is vulnerable.
Two examples:
20 digit PSK - impossible to recover the PSK by brute force
but with the help of hcxdumptool/hcxlabtool:
https://wpa-sec.stanev.org/?search=00269f7fd581
$ whoismac -m 00269f7fd581
VENDOR: Private (UAA), unicast

$ whoismac -m 48760412d6e9
VENDOR: Private (UAA), unicast
https://wpa-sec.stanev.org/?search=48760412d6e9

There are a lot more. Please check:
https://wpa-sec.stanev.org/dict/cracked.txt.gz

One single "weak" CLIENT will compromise an entire enterprise network.
While old school tools set focus on the enterprise network AP(s), hcxlabtool/hcxdumptool hunts for this CLIENTs.
Once they are identified, the admin of the NETWORK can reset them.

The essid list is not a filter list. This list is used to respond to undirected PROBEREQUESTs.
To understand this process, I recommend to:
add some ESSIDs to essid.list (inclusive your ESSID)
run hcxlabtool -i INTERFACE --disable_disassociation -c 3a --rds=2 --essidlist=essid.list --associationmax=1000
run Wireshark in parallel on the same interface to monitor the traffic and to see how hcxlabtool interacts with the CLIENTs

If a CLIENT receive its assigned ESSID, it will try to connect. If that happens, hcxlabtool respond and request the CLIENTs M2.
The result is a valid EAPOL MESSAGEPAIR (M1M2) hashcat or jtr can work on.
All my test CLIENTs (Linux machine, Android phone and tablet, iPhone and iPad) respond to hcxlabtool.

If you filter by MAC AP, all CLIENTs are not allowed to connect to hcxlabtool/hcxdumptool! Unfortunately hcxlabtool/hcxdumptool is focused on this attacks, which are now permitted.

Some users requested GPS support, e.g. to upload the position to wigle.
https://www.wigle.net/
I'm not a friend of this, because it takes (too) many CPU cycles when doing it on the fly on the same machine.

[ZerBea]

A good starting point is this:
https://www.oreilly.com/library/view/80211-wireless-networks/0596100523/index.html

The frames types are explained here, too:
https://mrncciew.com/
e.g.:
https://mrncciew.com/2014/10/28/802-11-mgmt-association-reqresponse/

Recommended network analyzing tools to reproduce all lessons (run in parallel with hcxlabtool/hcxdumptool):
tshark, Wireshark

[notPrivate-care]

Thank you!

Are there any home routers that support packet injection and monitor mode?
Regardless of the above point, which router do you recommend? And which firmware? openwrt? (I am looking for the cheapest option you would recommend. I don't want high speed, nor would I connect many devices.) Currently using DIR 615 .

Currently I use hcxdumptool on my laptop with this adapter This Leoxsys I think. What is the cheapest adapter you would recommend, or is this fine?

From what I understand from your wiki is, only MTU drivers support active monitor mode, which is like monitor mode but 7 times faster. and my adapter has 3dbi which might be considered very weak by you. I don't want to buy antenna because they are not portable, and require external power. I like adapters because they are portable, and don't need external power.

[ZerBea]

Unfortunately, I can't give a recommendation. Major reason is that VENDORS often change the chipset (rev 1, rev 2, rev A, rev X) , but use the old case and the old packaging. Often the seller will not be informed about this.
A good example is your link. Absolutely no information about chipset and revision.

Luckily the wiki of OpenWRT is very good (regarding the firmware):
https://openwrt.org/supported_devices

Luckily the wiki (chipsets) is very good (regarding monitor mode and packet injection):
https://wikidevi.wi-cat.ru/Main_Page
Monitor mode and packet injection highly depend on the driver and the Linux kernel.
The newer the kernel the better driver support of monitor mode.
But that's just a guideline, because several drivers have been backported to older kernels.
This drivers are well know to provide monitor mode and packet injection:
ath9k_htc
ra2800USB
mt76
rt8xxxu (> kernel 6.4)

Now you have to find the right combination of (hardware supported by OpenWRT) and chipset with monitor mode capabilities.
(My test system is a Raspberry Pi Zero 1 (no W, no WH) & OpenWRT & mt76 or rt2800usb or ath9k_htc
The cheapest device (running kernel 6.8) is a TP-LINK TL-WN722N v2/v3 [Realtek RTL8188EUS] or TP-LINK TL-WN722N (v1) on older kernels.
The TL-WN722N is a good example for what I wrote above (same case, same packaging but different revisions).
And absolutely no information about chipset/revision by the seller:
https://www.amazon.co.uk/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=TL-WN722N

BTW:
Don't trust the values reported by the driver. Neither TX power nor RSSI is real!

If you decide to run OpenWRT (recommended on small systems like a Raspberry Pi or a router) you should know that a standard image will not work as expected.
It is mandatory to install the toolchain:
https://openwrt.org/docs/guide-developer/toolchain/use-buildsystem
and to build an image (no LuCI, removal of everything superfluous) tailored to hcxdumptool/hcxlabtool task.

hcxlabtool/hcxdumptool will work fine:
if the driver support monitor mode/full packet injection and
if you know what services are running on your system and how to stop them if they interfere with monitor mode/packet injection.

The same thing I wrote about OpenWRT, but also applies Linux. A standard installation include several running services you don't need/want.

[notPrivate-care]

Thanks a lot for the reply.
I wanted to learn the workflow like how to approach wifi testing, and use hcxdumptool. But I found no videos or blogs. Whatever I found was both old, and did not focus on attacking clients, which is the main purpose of this tool. Unfortunately, the wiki is is very old too. Your comments on issues were really helpful, but sorry to say, they were all over the place, messy and not complete (as one bit of information was on one thread, some other information was on another thread). I think it would be very helpful and save a lot of time for both you and users if there was a single place which had most of the information. I'll contribute on the current wiki, if you want me to write it in a certain way, do let me know!

[ZerBea]

The wiki page was not created by me and you're absolutely right: It is outdated and I have removed it.
Thanks for your offer. If you think it is helpful, please feel free to add your workflow to the current wiki.
Please note, however, that we are not on beginner level. It is assumed the reader is familiar with the fundamentals of this technique (Linux and 802.11 as mentioned in the requirements section of README.md). A successful installation of Linux via pre-defined GUI installer is far away from this.