hcxdumptool - missing frames w/ filtering - Printable Version
+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: hcxdumptool - missing frames w/ filtering (/thread-11212.html)


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-17-2023

Running inside a VM often results in latency problems. I got a lot of bug reports regarding this configuration (VM), but I can't reproduce that because I'm running Arch and Debian (bookworm), only.

Test target devices: several Samsung phones (Android 13), a Samsung tablet, some older LG phones, an iPad, an older iPhone, a notebook (Arch Linux - wpa_supplicant). All of them try to connect to hcxdumptool.
Test target routers: a new FRITZBOX, some old FRITZBOXes, an old Arcadyan Speedport, several TP-LINKs and hostapd (Arch notebook).
distance between CLIENT and AP <= 5m
distance to attack device 1 .. 20m
encryption type WPA2 (mostly), WPA2/WPA1 mixed mode, WPA1 and WPA2/WPA3 transition mode

It is mandatory that hcxdumptool/hcxlabtool respond faster(!) to a CLIENT than its designated AP.
Please try the hcxlabtool series. These tools are a lot faster:
Code:
    $ hcxlabgetmallpr --onsigterm=exit --essidlist=targetessid.list --essidmax=100 --m2attempt=10 -c 13,1,6,11,2,1,6,11,3,1,6,11,4,1,6,11,5,1,6,11,7,1,6,11,8,1,6,11,9,1,6,11,10,1,6,1,12,1,6,11
Code:
    $ hcxlabgetmallpr --onsigterm=exit --essidlist=targetessid.list --essidmax=100 --m2attempt=10 -c xx
If the AP is state of the art, it will notice the presence of several new APs (coming from hcxlabtool) and move to another channel.


RE: hcxdumptool - missing frames w/ filtering - pipss - 01-18-2023

I checked https://github.com/ZerBea/wifi_laboratory
Could you please advise how to install labtools? I couldn't find the way to install them. Thank you.


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-18-2023

After going open source, I got several feature requests and pull requests and added them to hcxdumptool. But every feature and every option has a price tag and hcxdumptool became a dinosaur:
A beautiful real time display will take CPU cycles.
On the fly decoding calculating a PSK/PMK (weak candidate) will take CPU cycles.
Remote connection to a CLIENT will take CPU cycles.
Easy to use filter lists (options filter mode and filter list) will take CPU cycles.
EAP attack (TLS) will take CPU cycles.

WiFi laboratory (hcxlabtool series) is highly experimental and ultra fast. It is designed to test new attack modes (which are later on added to hcxdumptool). It is designed to run completely headless. There are no CPU cycle expensive options. Instead of using options, we compile the features directly into the tool. That results in several different tools, made from a single source file:
Code:
    hcxlabgetm1 = request PMKID
These tools are designed to test new features (to be added to hcxdumptool). They are designed to run headless on systems like these ones:
https://github.com/ZerBea/hcxdumptool/wiki/Penetration-testing-system-1
https://github.com/ZerBea/hcxdumptool/wiki/Penetration-testing-system-2

Operating system is a minimalist Debian (bookworm - unfortunately Arch stopped supporting armv6):
No GUI
No unwanted tasks.
No unwanted services.
No unwanted tools.
Everything uninstalled that we don't need.
No monitor.
No keyboard (Raspberry is controlled via GPIO).
Onboard chips (HDMI, BT and Broadcom WiFi) disabled.
Onboard LED disabled.
It will run on other systems, too. But it will be slowed down.

Installation is very simple:
Code:
    $ git clone https://github.com/ZerBea/wifi_laboratory
Now you're ready to go.

Example of command lines:
Code:
    $ hcxlabgetmallpr --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --gpio_button=4 --gpio_statusled=17 --bpfc=own.bpfc --essidlist=standard.essidliste --essidmax=50 --m2attempt=4 -c 13,1,6,11,2,1,6,11,3,1,6,11,4,1,6,11,5,1,6,11,7,1,6,11,8,1,6,11,9,1,6,11,10,1,6,1,12,1,6,11 &
These options should be used in combination with a hardware modified (GPIO LED and GPIO button) Raspberry Pi, only:
Code:
    --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --gpio_button=4 --gpio_statusled=17
The simplest command line (and the most aggressive) is:
Code:
    $ sudo hcxlabgetmall -i wlp39s0f3u1u1u1 --bpfc=protect.bpfc -c 1,6,11
make uninstall will remove them:
Code:
    $ sudo make uninstall

BTW: "I couldn't find the way to install them."
This is deliberate. Detailed knowledge is mandatory:
Code:
    * knowledge of radio technology


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-18-2023

If you compare such a system:
MAC -> VM Fusion -> K A L I (overloaded due to several started services and mostly not well configured by default, as well as unsuitable drivers like rtl8812au)
to these highly optimized systems:
https://github.com/ZerBea/hcxdumptool/wiki/Penetration-testing-system-1
https://github.com/ZerBea/hcxdumptool/wiki/Penetration-testing-system-2
I'm sure you'll understand my recommendations and correctly interpret my results.


RE: hcxdumptool - missing frames w/ filtering - pipss - 01-18-2023

Done testing with labtools. My channels are 7 and 10, scanning around 10 minutes.
Code:
    sudo hcxlabgetmallpr --onsigterm=exit --essidlist=essid --essidmax=100 --m2attempt=10 -c 7,10
Code:
    hcxhashtool --info=stdout -i test.22000
Are results from the labtool scan more informative compared to the previous hcxdumptool scan?
I'm curious about system-1 and system-2. I use a Raspberry Pi for Mac Time Machine and torrent files, but I'm keen to build another one for pentesting. Are system-1/2 "open source" or strictly private projects?


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-18-2023

Completely open source:
Raspberry Pi Zero modification as mentioned here: https://github.com/ZerBea/hcxdumptool/blob/master/docs/gpiowait.odg
config file as mentioned here: https://github.com/ZerBea/hcxdumptool/blob/master/docs/config.txt
MediaTek or Ralink device (currently I'm testing some cheap Realtek devices running the new upstream driver https://github.com/kimocoder/realtek_rtwifi)
Raspberry Pi OS Lite (changed to SID, removed unwanted services) on old Raspberry Pi systems: https://www.raspberrypi.com/software/operating-systems/
or Arch Linux arm7 on newer Raspberry Pi systems: http://dk.mirror.archlinuxarm.org/os/

"Are results from the labtool scan more informative compared to the previous hcxdumptool scan?"
Less informative regarding status display, but retrieving more information from the target within less time.
M1M2ROGUE = successful attack against CLIENT


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-18-2023

While hcxlabgetmallpr is running, open the Network Settings (WiFi) of your smart phone, do a WiFi scan, choose a NETWORK from the list and type a password when requested. You should see M1M2ROGUE on hcxlabgetmallpr.
Stop hcxlabgetmallpr and convert the pcapng file with hcxpcapngtool & option --all.
Run hashcat (to speed up this demonstration, the PSK should be inside the word list you'll be running to feed hashcat).


RE: hcxdumptool - missing frames w/ filtering - pipss - 01-19-2023

I typed in the AP WiFi password (not the real one, just 8 digits) on an Android 9 phone, got M1M2ROGUE and I could recover those 8 digits later with hashcat. But this didn't work with the latest iPhone. Looks like iPhones are very rigid.
Also while hcxlabgetmallpr was scanning I couldn't connect to my AP, even if I stood close to my AP and the scanning laptop was in another room, behind the double wall.
I got my WiFi printer M1M2ROGUE and M1M2M3M4 in less than 10 seconds of scanning, while my printer was located 1 meter away from the AP, but my _kali on Fusion laptop was in the next room, behind the double wall, about 4 meters away from that AP. Quite impressive to attack weak CLIENTs with a fast scanner. And this is just the scanner running on VMware; I can only imagine dedicated Raspberry performance.

Questions:
1) my AP was in the essid list (one name only), but the scanner also attacked a CLIENT which was connected to another AP, and that AP wasn't in the essid list. Why?
2) about the --all flag: it makes a huge list of the same hashes of the same AP, but with different MICs. Are there any advantages of this output?


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-19-2023

"Also while hcxlabgetmallpr was scanning I couldn't connect to my AP, even if I stood close to my AP and the scanning laptop was in another room, behind the double wall."

That is noticed in README.md of hcxdumptool, Warning section:
    * hcxdumptool is able to prevent complete wlan traffic (depend on selected options)
This (interception of EAPOL M2 frames) can be controlled via the m2attempt option:
    --m2attempt=<digit> : reject CLIENT request after n received M2 frames

"My AP was in the essid list (one name only), but the scanner also attacked a CLIENT which was connected to another AP, and that AP wasn't in the essid list. Why?"

Can only be controlled via BPF (set attack or protect BPF code).
hcxlabtool series and hcxdumptool are interactive. Both tools take every ESSID they can find in the traffic and put them together with the user defined ESSIDs into a list. While hcxdumptool only responds to a CLIENT using the requested ESSID, the hcxlabtool pr series responds with 10 ESSIDs from the list at the same time.

"About the --all flag: it makes a huge list of the same hashes of the same AP, but with different MICs. Are there any advantages of this output?"

Analysis purpose, e.g. to determine how many PSKs an attacker typed to get ACCESS to a NETWORK:
    hcxlabgetmallpr --m2attempt=1000
A possible attacker is asked 1000 times to type a PSK (user typed password1, password2, password3 ..... password1000).
    hcxpcapngtool --all
We convert all 1000 (instead of the best one) to find out what he typed. This gives us information about the word list the attacker has used to get access to "our" network.

BTW: "Looks like iPhones are very rigid."
I'm working on it.

As all hcxtools (that includes hcxdumptool, too), these tools are (interactive) analysis tools. Main purpose is to detect as fast as possible what other tools can't detect and to discover weak points.
All tools should only be used in a 100% controlled environment(!). If you can't control the environment it is absolutely mandatory to set the BPF. To prevent disturbing other participants of the WiFi spectrum it is also mandatory to reduce TX power and to use directional antennas.


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-19-2023

What do you think: shall I add a verification to hcxdumptool / WiFi laboratory that checks the presence of a BPF (and remove filterlist and filtermode completely)? If BPF is not present, the tools will not start. This could prevent inexperienced users from using the tools.
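ZerBea's answer on the --all flag above describes the analysis use of a converted file: every M2 a CLIENT sent is kept as its own hashcat 22000 line, so the file records how many candidates that CLIENT produced. The following is an added example, not hcxtools code, that tallies a .22000 file per ESSID/AP/CLIENT; the sample lines are constructed (placeholder MACs, nonces and MICs), not from a real capture.

```python
# Added example (not hcxtools code): tally what "hcxpcapngtool --all" leaves in a
# .22000 file, per ESSID/AP/CLIENT. Sample lines below are constructed, not captured.
from collections import defaultdict

# hashcat 22000 layout: WPA*TYPE*PMKID|MIC*MAC_AP*MAC_CLIENT*ESSID_hex*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID (last three fields empty), TYPE 02 = EAPOL (M1/M2 pair + MIC).
NONCE = "01" * 32           # placeholder ANONCE (constructed)
EAPOL = "0203007502010a00"  # placeholder EAPOL bytes (constructed, truncated)
HOMENET = "686f6d656e6574"  # hex of the constructed ESSID "homenet"

def eapol(mic, ap, client, essid=HOMENET):
    return "*".join(["WPA", "02", mic, ap, client, essid, NONCE, EAPOL, "02"])

SAMPLE_22000 = [
    "*".join(["WPA", "01", "aa" * 16, "0011223344aa", "66778899bbcc", HOMENET, "", "", ""]),
    eapol("11" * 16, "0011223344aa", "66778899bbcc"),  # CLIENT 1, M2 #1
    eapol("22" * 16, "0011223344aa", "66778899bbcc"),  # CLIENT 1, M2 #2 (another PSK typed)
    eapol("22" * 16, "0011223344aa", "66778899bbcc"),  # exact duplicate, counted once
    eapol("33" * 16, "0011223344aa", "66778899bbcc"),  # CLIENT 1, M2 #3
    eapol("44" * 16, "0011223344aa", "ddeeff001122"),  # CLIENT 2, a single M2
]

def parse_22000(line):
    """Split one 22000 line into its fields; raise on anything that is not one."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError(f"not a hashcat 22000 line: {line!r}")
    return {"type": "PMKID" if f[1] == "01" else "EAPOL", "hash": f[2].lower(),
            "ap": f[3].lower(), "client": f[4].lower(),
            "essid": bytes.fromhex(f[5]).decode("utf-8", "replace")}

def summarize(lines):
    """{(essid, ap, client): {"pmkid": distinct PMKIDs, "m2": distinct M2 MICs}}.
    With --all every M2 is kept, so the MIC count is the number of separate
    candidates hashcat gets for that CLIENT (different PSKs typed, or retries)."""
    seen = defaultdict(lambda: {"pmkid": set(), "m2": set()})
    for line in lines:
        if not line.strip():
            continue
        h = parse_22000(line)
        bucket = "pmkid" if h["type"] == "PMKID" else "m2"
        seen[(h["essid"], h["ap"], h["client"])][bucket].add(h["hash"])
    return {k: {"pmkid": len(v["pmkid"]), "m2": len(v["m2"])} for k, v in seen.items()}

if __name__ == "__main__":
    for (essid, ap, client), c in summarize(SAMPLE_22000).items():
        print(f"{essid:<12} AP {ap} CLIENT {client}: {c['pmkid']} PMKID, {c['m2']} distinct M2 MICs")
```

Run it against a real file with `summarize(open("test.22000"))` to see, per CLIENT, how many M2 candidates a run with a high --m2attempt collected.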