+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Hcxdumptool - How to capture one network data only? (/thread-11121.html)
Hcxdumptool - How to capture one network data only? - darkside - 11-15-2022
I read help for hcxdumptool, tried to find something online. But no luck.
I assume that I don't understand something in hcxdumptool --help
If I have network called randomnet
How Can I use hcxdumptool only against this network?
RE: Hcxdumptool - How to capture one network data only? - ZerBea - 11-15-2022
hcxdumptool doesn't use network names (because this names are not unique).
Instead it use the BSSID (MAC) of teh AP.
How to get the MAC is descriped in --help:
Code:
--filterlist_ap=<file or MAC> : ACCESS POINT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filtermode=<digit> : user space filter mode for filter list
mandatory in combination with --filterlist_ap and/or --filterlist_client
affected: only outgoing traffic
notice: hcxdumptool act as passive dumper and it will capture the whole traffic on the channel
0: ignore filter list (default)
1: use filter list as protection list
do not interact with ACCESS POINTs and CLIENTs from this list
2: use filter list as target list
only interact with ACCESS POINTs and CLIENTs from this list
not recommended, because some useful frames could be filtered out
using a filter list doesn't have an affect on rca scan
only for testing useful - devices to be protected should be added to BPF
notice: this filter option will let hcxdumptool protect or attack a target - it is neither a capture nor a display filteradd the MAC to a list (e.g. name it filter.list
run hcxdumptool with option --filtermode=2 and --filterlist_ap=filter.list
Additional information is here:
https://www.youtube.com/watch?v=Usw0IlGbkC4
RE: Hcxdumptool - How to capture one network data only? - darkside - 11-20-2022
(11-15-2022, 09:58 PM)ZerBea Wrote: hcxdumptool doesn't use network names (because this names are not unique).
Instead it use the BSSID (MAC) of teh AP.
How to get the MAC is descriped in --help:
Code:--filterlist_ap=<file or MAC> : ACCESS POINT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filtermode=<digit> : user space filter mode for filter list
mandatory in combination with --filterlist_ap and/or --filterlist_client
affected: only outgoing traffic
notice: hcxdumptool act as passive dumper and it will capture the whole traffic on the channel
0: ignore filter list (default)
1: use filter list as protection list
do not interact with ACCESS POINTs and CLIENTs from this list
2: use filter list as target list
only interact with ACCESS POINTs and CLIENTs from this list
not recommended, because some useful frames could be filtered out
using a filter list doesn't have an affect on rca scan
only for testing useful - devices to be protected should be added to BPF
notice: this filter option will let hcxdumptool protect or attack a target - it is neither a capture nor a display filter
add the MAC to a list (e.g. name it filter.list
run hcxdumptool with option --filtermode=2 and --filterlist_ap=filter.list
Additional information is here:
https://www.youtube.com/watch?v=Usw0IlGbkC4
Thank you.
I tried with --filterlist_ap but no luck.
I tried this:
hcxdumptool -i wlp0 --filterlist_ap=XXXXXXXXXXXX -o dump.pcapng --enable_status=31 --filtermode=2
I tried with --filterlist_ap=list.txt too
No luck.
The difference between filter and no filter is that without the --filterlist_ap= hcxdumptool is gathereing everything.
With the hcxdumptool --filterlist_ap= it gathers less targets.
MAC I want to target is on the list but it shows after some time.
This MAC is my home router.
RE: Hcxdumptool - How to capture one network data only? - ZerBea - 11-21-2022
Ok, that makes it a little bit more clear.
hcxdumptool has three level:
1) receive (capture) everything and transmit (send attack frames) everything.
2) receive (capture) everything and filter transmitted packets only (done by filtermode and filter list options).
3) filter incoming and outgoing traffic - this is done by a Berkeley Packet Filter BPF.
My first answer belongs to level 2.
Here is the answer for level 3:
Code:
$ sudo hcxdumptool -i <interface> --do_rcascan
to get information about target MAC and operation channel of the target
$ sudo hcxdumptool -m <interface>
set interface to monitor mode
$ sudo tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
where 11:22:33:44:55:66 is your target MAC.
run hcxdumpttool:
$hcxdumptool -i <interface> -o dump.pcapng --enable_status=31 --bpfc=attack.bpfPlease notice:
When you convert this dump file you receive a warning, because broadcast frames are filtered out and you will loose some interesting frames.
To avoid this, you can expand the filter to:
Code:
$ sudo tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or WLAN addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf