hashcat Forum

Full Version: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
No, hcxdumptool runs its own monitor mode.
Just stop all tasks which take access to the device and then run hcxdumptool. If you forgot one task, hcxdumptool will tell you that.
airmon-ng runs iw. Sometimes iw creates an interface (netlink), which hcxdumptool doesn't like. To get full advantage, hcxdumptool needs full access to the physical device. It controls the device by running ioctl() commands. That is very fast.
Read more here:
https://www.quora.com/What-are-the-diffe...octl-calls
especially these parts here:
"Netlink messages can be lost for various reasons (e.g. out of memory), while ioctls are generally more reliable due to their immediate-processing nature."

"Control: ioctl should be your first choice, unless there’s an overriding reason, due to its immediacy and reliable delivery."

I fully agree with this!
When I try to start without airmon-ng, the command line says that the interface is not up.
I use airmon-ng check kill too. Any other command alternatives?

Thanks
Is the interface detected by hcxdumptool?
$ hcxdumptool -I

What is the output of:
$ hcxdumptool -i <interface> -C
and
$ iw dev

To set monitor mode manually:
$ ip link set <interface> down
$ iw dev <interface> set type monitor
$ ip link set <interface> up
$ iw dev <interface> info

The last command (iw dev <interface> info) will show you the status of the interface.
It should look like that:
Interface wlp3s0
ifindex 5
wdev 0x200000001
addr wlp3s0
type monitor
wiphy 2
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 20.00 dBm

If it doesn't look like that (type monitor), your device isn't able to run full monitor mode. In that case, get more info here:
https://wikidevi.com/wiki/Main_Page


For example 1:
$ hcxdumptool -I
wlan interfaces:
c83a35cb08e3 wlp3s0 (rtl8821ae)
warning: NetworkManager is running with pid 464
warning: wpa_supplicant is running with pid 509

You must stop these two tasks, because they have access to the device.
Then run hcxdumptool again.


For example 2:
$ hcxdumptool -i wlp3s0 --enable_status=1 -o capture.pcapng
initialization...
warning: NetworkManager is running with pid 464
warning: wpa_supplicant is running with pid 509
interface is not up
failed to init socket

You must stop these two tasks, because they have access to the device.
Then run hcxdumptool again.


For example 3:
You can blacklist the capture device in the NetworkManager config. In that case you do not need to stop the tasks. Instead, run hcxdumptool with the option --ignore_warning

$ hcxdumptool --ignore_warning -i wlp3s0 --enable_status=1 -o capture.pcapng
Those are the detailed results: it fails to start, but it does work after airmon-ng start wlan0.

root@raspberrypiB:/home/pi# hcxdumptool -I
wlan interfaces:
90f652e42668 wlan0 (ath9k_htc)
root@raspberrypiB:/home/pi# hcxdumptool -i wlan0 -C
initialization...
interface is not up
failed to init socket

root@raspberrypiB:/home/pi# ip link set wlan0 down
root@raspberrypiB:/home/pi# iw dev wlan0 set type monitor
root@raspberrypiB:/home/pi# ip link set wlan0 up
root@raspberrypiB:/home/pi# iw dev wlan0 info
Interface wlan0
ifindex 3
wdev 0x1
addr 90:f6:52:e4:26:68
type monitor
wiphy 0
channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
txpower 20.00 dBm

root@raspberrypiB:/home/pi# hcxdumptool -i wlan0 -o test.pcapng --enable_status=15
initialization...
interface is not up
failed to init socket
Ok, does this work?
hcxdumptool -i wlan0 -o test.pcapng --enable_status=15 --ignore_warning

Something within your installation is misconfigured or it blocks the device.

Normally it looks like this (TP-LINK TL-WN722):
$ lsusb
ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n

$ hcxdumptool -I
wlan interfaces:
f81a67077d0e wlp3s0f0u2 (ath9k_htc)

hcxdumptool -i wlp3s0f0u2 -C
initialization...
available channels:
 1 / 2412MHz (20 dBm)
 2 / 2417MHz (20 dBm)
 3 / 2422MHz (20 dBm)
 4 / 2427MHz (20 dBm)
 5 / 2432MHz (20 dBm)
 6 / 2437MHz (20 dBm)
 7 / 2442MHz (20 dBm)
 8 / 2447MHz (20 dBm)
 9 / 2452MHz (20 dBm)
10 / 2457MHz (20 dBm)
11 / 2462MHz (20 dBm)
12 / 2467MHz (20 dBm)
13 / 2472MHz (20 dBm)
14 / 2484MHz (20 dBm)
terminated...

and a --do_rcascan will show these results:

$ hcxdumptool -i wlp3s0f0u2 --do_rcascan
...
INFO: cha=6, rx=2825, rx(dropped)=0, tx=179, err=0, aps=23 (19 in range)
-----------------------------------------------------------------------------------

By commit:
https://github.com/ZerBea/hcxdumptool/co...0eed0b5a02
hcxdumptool ignores all warnings related to the current status of the interface. The interface may not work as expected.
Do not report issues related to this option!
root@raspberrypiB:/home/pi# hcxdumptool -i wlan0 -o test.pcapng --enable_status=15 --ignore_warning
initialization...
warning: wpa_supplicant is running with pid 416 351

start capturing (stop with ctrl+c)
INTERFACE................: wlan0
ERRORMAX.................: 100 errors
FILTERLIST...............: 0 entries
MAC CLIENT...............: f0a2252d7d8c
MAC ACCESS POINT.........: 7ce4aa77a603 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 62040
ANONCE...................: 0a9ceaa82c7b721e6962a701ac22f0be2fd973f6ab0d31b32bac210de3c3326e
And then it starts to capture packets.

and with:

root@raspberrypiB:/home/pi# hcxdumptool -i wlan0 -C --ignore_warning
initialization...
available channels:
1 / 2412MHz (20 dBm)
2 / 2417MHz (20 dBm)
3 / 2422MHz (20 dBm)
4 / 2427MHz (20 dBm)
5 / 2432MHz (20 dBm)
6 / 2437MHz (20 dBm)
7 / 2442MHz (20 dBm)
8 / 2447MHz (20 dBm)
9 / 2452MHz (20 dBm)
10 / 2457MHz (20 dBm)
11 / 2462MHz (20 dBm)
12 / 2467MHz (20 dBm)
13 / 2472MHz (20 dBm)
14 / 2484MHz (20 dBm)

terminated...

I'm running Raspbian BTW

thanks a lot
Ok, Raspbian is a good choice! Easy to install and easy to use. Fine that it works, at least.
Now we know what prevents full access to the interface:
wpa_supplicant is running...
So, how could I solve it?
That can be done by systemctl:
systemctl start
systemctl stop
systemctl status
systemctl enable
systemctl disable

Some examples:

Get information about all running services:
$ systemctl | grep running

Get information about all enabled services:
$ systemctl list-unit-files | grep enabled

Get information about service:
$ systemctl status NetworkManager.service
$ systemctl status wpa_supplicant.service

To stop a service:
$ systemctl stop NetworkManager.service
$ systemctl stop wpa_supplicant.service

To start a service permanently:
$ systemctl enable NetworkManager.service

To disable a service permanently:
$ systemctl disable NetworkManager.service
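As an added example (not code from the thread or from hcxtools), here is a small POSIX shell pre-flight that ties together the manual monitor-mode check (iw dev info showing "type monitor") and the systemctl check for services holding the device. The function names and the two sample outputs are my own constructions; on a live system the same functions are fed the real iw and systemctl output.

```shell
#!/bin/sh
# Added example (not from the thread or hcxtools): pre-flight checks before a capture tool
# is given a wireless interface. Parsers read command output from stdin, so they can be
# exercised on the constructed samples below; live use pipes the real commands into them.

# Print the "type" field (monitor, managed, ...) from `iw dev <iface> info` output on stdin.
iw_type() { awk '$1 == "type" { print $2; exit }'; }

# Print the channel number from the same output, or "none" if no channel is set.
iw_channel() { awk '$1 == "channel" { found = 1; print $2; exit } END { if (!found) print "none" }'; }

# From `systemctl list-units --type=service --state=running` output on stdin, print the
# services the thread identifies as holding the device (NetworkManager, wpa_supplicant).
holding_services() {
    awk '$1 ~ /^(NetworkManager|wpa_supplicant)\.service$/ { sub(/\.service$/, "", $1); print $1 }'
}

# preflight IW_OUTPUT UNITS_OUTPUT: exit 0 only if the interface is in monitor mode and no
# holding service is running; otherwise print what is wrong and exit 1.
preflight() {
    pf_ok=0
    pf_type=$(printf '%s\n' "$1" | iw_type)
    [ "$pf_type" = "monitor" ] || { echo "interface type is '$pf_type', not monitor"; pf_ok=1; }
    pf_svcs=$(printf '%s\n' "$2" | holding_services | tr '\n' ' ')
    [ -z "$pf_svcs" ] || { echo "stop these services first: $pf_svcs"; pf_ok=1; }
    return $pf_ok
}

# Constructed sample: `iw dev wlan0 info` after the manual ip/iw monitor-mode commands.
SAMPLE_IW='Interface wlan0
        ifindex 3
        wdev 0x1
        addr 90:f6:52:e4:26:68
        type monitor
        wiphy 0
        channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
        txpower 20.00 dBm'

# Constructed sample: `systemctl list-units --type=service --state=running` with both holders up.
SAMPLE_UNITS='  UNIT                    LOAD   ACTIVE SUB     DESCRIPTION
  NetworkManager.service  loaded active running Network Manager
  ssh.service             loaded active running OpenBSD Secure Shell server
  wpa_supplicant.service  loaded active running WPA supplicant'

# Live use (as root): preflight "$(iw dev wlan0 info)" "$(systemctl list-units --type=service --state=running)"
```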