1. Would I then need another interface (wlan1) to run hcxdumptool since I am already using wlan0 to host the fake AP?
Yes, because it is mandatory that hcxdumptool has full access to the hardware.
From the help menu:
Code:
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
do not run hcxdumptool on virtual machines or emulators
do not run hcxdumptool in combination with tools (channel hopper), that take access to the interface (except: tshark,
2. Can I only use hcxdumptool to automate this attack? (host the fake AP AND capture M1M2 challenges with the required information for hcxpcapngtool) If so, what would be the full command so that it creates the AP and only targets that AP and clients authenticating to it exclusively?
Yes, because hcxdumptool is able to set up to 1024 rogue APs at the same time.
Code:
$ sudo hcxdumptool -i INTERFACE -c 1 --disable_ap_attacks --disable_deauthentication --essidlist=essidlist.txt --active_beacon --stop_client_m2_attacks=1000 -o dump.pcapng --enable_status=31
Please notice:
Due to MAC randomization (every modern CLIENT is doing this) it is not possible to filter unwanted CLIENTs, and hcxdumptool responds to every CLIENT that requests an AUTHENTICATION!
c:
channel should be a less crowded channel
disable_ap_attacks:
do not attack APs - there are more (and better) ways to attack an AP than stupidly injecting DEAUTHENTICATION frames.
disable_deauthentication:
do not disconnect connected CLIENTs from their APs - stealth mode to fool a DEAUTHENTICATION detector.
essidlist:
essidlist.txt should contain a list of target ESSIDs the CLIENT can connect to.
Additionally, hcxdumptool will respond to every PROBEREQUEST of a CLIENT.
active_beacon:
enable beaconing
How many (different) challenges should be received can be controlled by stop_client_m2_attacks (hcxdumptool).
If you want to annoy a user, too (so that he types a new PSK), use >= 1000.
So let me see if I understand, even though I hosted the AP and captured the packets within the EAPOL TIME GAP 20000 msec limit from the same computer hosting the AP, since tshark does not save this information, then there is absolutely no way to get a valid handshake?
Partly correct.
After M1 was transmitted, M2 must be received before the EAPOL TIMEOUT value is reached, and the M1 and M2 REPLAY COUNT must match. Only then do you get a valid MESSAGE PAIR.
tshark will get these values from the AP (REPLAY COUNT and ANONCE) and from the CLIENT (REPLAY COUNT and SNONCE). It is mandatory to receive both! Otherwise you will not get a valid MESSAGE PAIR.
hcxdumptool, in contrast, acts as an AP and uses its own values (REPLAY COUNT and ANONCE), to which the CLIENT responds (REPLAY COUNT as requested and SNONCE as requested). We only need the values from the CLIENT, because all other values are generated by hcxdumptool and stored in comment fields of the pcapng file.
The entire procedure of a 4-way handshake, especially the formula to calculate the PTK
PTK = PRF (PMK + ANONCE + SNONCE + Mac (AP) + Mac (CLIENT))
is explained here:
https://www.wifi-professionals.com/2019/...-handshake
If the received ANONCE and SNONCE don't match (by REPLAY COUNT), it is not possible to calculate the PTK.
This can happen after a packet loss or if the AP renews all EAPOL values because it started a new AUTHENTICATION sequence (e.g. due to excessive injection of DEAUTHENTICATION frames).
An example from a test series:
Code:
EAPOL messages (total)...................: 14883
EAPOL RSN messages.......................: 14883
EAPOLTIME gap (measured maximum usec)....: 570083779
EAPOL ANONCE error corrections (NC)......: working
REPLAYCOUNT gap (suggested NC)...........: 8
EAPOL M1 messages (total)................: 11697
EAPOL M2 messages (total)................: 3026
EAPOL M3 messages (total)................: 51
EAPOL M4 messages (total)................: 109
EAPOL pairs (total)......................: 7420
EAPOL pairs (useful).....................: 7419
EAPOL ROGUE pairs........................: 7214
EAPOL M12E2 (challenge)..................: 7400
EAPOL M32E2 (authorized).................: 18
EAPOL M34E4 (authorized).................: 1
EAPOL M12E2 (challenge)..................: 7400
total challenges (interactive and passive)
EAPOL ROGUE pairs........................: 7214
interactive branch
M2 requested by hcxdumptool.
EAPOL M32E2 (authorized).................: 18
passive branch
The test CLIENTs connect to the test router (running in parallel for test purposes, to get an idea about the packet loss inside the passive reception branch of hcxdumptool). Please notice that hcxdumptool is acting interactively with the target as well as working as a passive reception-only tool (receiving everything that is on the air).
EAPOL M34E4 (authorized).................: 1
passive branch
we got only one(!) single complete 4-way handshake.
Now you can imagine how big the packet loss is if you try to get/receive matching values from the connection attempt of a CLIENT to its regular AP passively,
in contrast to actively requesting them directly from the CLIENT.
This should make it clear:
EAPOL messages (total)...................: 14883
most of them are useless (to calculate a valid MESSAGE PAIR) and only these ones really match:
EAPOL M12E2 (challenge)..................: 7400
EAPOL M32E2 (authorized).................: 18
EAPOL M34E4 (authorized).................: 1
That is to say, running hcxdumptool it is easy to get a challenge (M1M2) without fear of packet loss:
EAPOL ROGUE pairs........................: 7214
BTW:
First choice to set up a regular AP should be hostapd:
https://w1.fi/hostapd/
First choice to set up a regular CLIENT should be wpa_supplicant:
https://w1.fi/wpa_supplicant/
Both tools are widely used by routers, Linux, Android and other IoT devices.
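The two checks the reply describes for a valid MESSAGE PAIR (M2 received within the EAPOL timeout after M1, and matching REPLAY COUNT) and the PTK formula it quotes, as an added Python example. This is not part of the original post and not code from hcxdumptool or hcxpcapngtool; the EAPOL records, MAC addresses, nonces, SSID and passphrase are constructed, and the timeout constant reuses the 20000 msec figure from the question. It goes slightly beyond the post by also showing the PMK derivation (PBKDF2-HMAC-SHA1) and the KCK/KEK/TK split of the PTK, which are the standard IEEE 802.11i definitions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed constant: the EAPOL TIME GAP limit quoted in the thread (20000 msec).
EAPOL_TIMEOUT_USEC = 20_000 * 1_000


@dataclass
class EapolMsg:
    """One EAPOL-Key frame as a capture analyser would record it (constructed, simplified)."""
    number: int          # 1 = M1 (AP -> CLIENT), 2 = M2 (CLIENT -> AP)
    ts_usec: int         # capture timestamp in microseconds
    replay_counter: int  # EAPOL-Key Replay Counter field
    nonce: bytes         # ANONCE for M1, SNONCE for M2 (32 bytes)


def find_m1m2_pairs(msgs: List[EapolMsg],
                    timeout_usec: int = EAPOL_TIMEOUT_USEC) -> List[Tuple[EapolMsg, EapolMsg]]:
    """Return (M1, M2) pairs whose REPLAY COUNT matches within the EAPOL timeout.

    msgs must be sorted by ts_usec. Each M1 is paired with the first later M2 carrying
    the same replay counter; once the time gap exceeds the timeout the search for that
    M1 stops, because no later M2 can belong to it.
    """
    pairs = []
    for i, m1 in enumerate(msgs):
        if m1.number != 1:
            continue
        for m2 in msgs[i + 1:]:
            if m2.ts_usec - m1.ts_usec > timeout_usec:
                break  # EAPOL TIMEOUT reached for this M1
            if m2.number == 2 and m2.replay_counter == m1.replay_counter:
                pairs.append((m1, m2))
                break
    return pairs


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: four HMAC-SHA1 blocks with a trailing counter byte, cut to 64 bytes."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, anonce: bytes, snonce: bytes, ap_mac: bytes, client_mac: bytes) -> bytes:
    """PTK = PRF(PMK, ANONCE, SNONCE, Mac(AP), Mac(CLIENT)); MACs and nonces are ordered min/max,
    so the result is the same no matter which side computes it."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> Dict[str, bytes]:
    """First 48 bytes of the PTK: KCK (MIC key), KEK (key wrap), TK (data key)."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Constructed sample capture: one good pair, one REPLAY COUNT mismatch, one timeout.
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
SAMPLE_MSGS = [
    EapolMsg(1, 0, 1, bytes(range(32))),                       # M1, rc=1
    EapolMsg(2, 50_000, 1, bytes(range(32, 64))),              # M2, rc=1, 50 ms later -> valid pair
    EapolMsg(1, 1_000_000, 2, bytes(range(64, 96))),           # M1, rc=2
    EapolMsg(2, 1_050_000, 3, bytes(range(96, 128))),          # M2, rc=3 -> counter mismatch
    EapolMsg(1, 5_000_000, 4, bytes(range(128, 160))),         # M1, rc=4
    EapolMsg(2, 30_000_000, 4, bytes(range(160, 192))),        # M2, rc=4 but 25 s later -> timeout
]


def demo() -> Dict[str, object]:
    """Pair the sample messages, then derive the PTK from the one valid pair."""
    pairs = find_m1m2_pairs(SAMPLE_MSGS)
    pmk = derive_pmk("constructed-passphrase", "constructed-ssid")  # constructed values
    m1, m2 = pairs[0]
    ptk = derive_ptk(pmk, m1.nonce, m2.nonce, AP_MAC, CLIENT_MAC)
    # The client side plugs the same values in with the roles swapped and must get the same PTK.
    ptk_swapped = derive_ptk(pmk, m2.nonce, m1.nonce, CLIENT_MAC, AP_MAC)
    return {"pairs": pairs, "pmk": pmk, "ptk": ptk, "ptk_swapped": ptk_swapped}


if __name__ == "__main__":
    result = demo()
    print("valid M1/M2 pairs:", len(result["pairs"]))
    print("KCK:", split_ptk(result["ptk"])["KCK"].hex())
```

Only the first of the three M1/M2 combinations survives the two checks, which is the same filtering hcxpcapngtool applies when it reports "EAPOL pairs (useful)"; the rogue-AP case from the reply would differ only in that ANONCE and the replay counter come from the tool's own pcapng comment fields rather than from a captured M1.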