hcxdumptool - missing frames w/ filtering - Printable Version
hashcat Forum (https://hashcat.net/forum), Support / hashcat, Thread: /thread-11212.html
hcxdumptool - missing frames w/ filtering - pipss - 12-24-2022

Hello! I'm a newbie, so please forgive my ignorance. Using:

Code:
    hcxdumptool -i wlan0 -o dump.pcapng --enable_status=31

But I need only to scan for my own one, so next I did filtering with the 2.4 GHz wifi MAC address:

Code:
    hcxdumptool -i wlan0 -o dump.pcapng --enable_status=31 --do_targetscan=XX:XX:XX:XX:XX:XX

Information: missing frames! This dump file does not contain enough EAPOL M1 frames. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing. That makes it impossible to calculate nonce-error-correction values.

I read that filtering could cause some info to be lost, but how could I scan my own router only, without interfering with my neighbours? Please advise.

RE: hcxdumptool - missing frames w/ filtering - ZerBea - 12-24-2022

do_targetscan does exactly the same as do_rca_scan but it will not probe all APs in range. It only probes the target.

    $ sudo hcxdumptool -i INTERFACE --do_rca_scan

You'll get a long list of APs and you'll see if they are in range (respond to our request) or not.

    $ sudo hcxdumptool -i INTERFACE --do_target_scan

You'll get only responses from the target APs and you'll see if it is in range (responds to our request) or not. The target will not be under attack and all frames other than its BEACON and PROBERESPONSE frames are ignored.

Both modes are designed to get an overview of possible targets and whether they are in transmit range. They are also very helpful to direct the antenna.

If you want to filter, you have to use either BPFC or filter_list_ap/client in combination with filter_mode and attack modes.

Code:
    --bpfc=<file> : input kernel space Berkeley Packet Filter (BPF) code

Please notice that modern CLIENTs use MAC randomization. That makes it unfeasible to filter them. If you set an AP filter (AP as target), it will not have an effect on CLIENTs that try to connect to hcxdumptool.
You'll get M1M2ROGUE of them too (as long as you have not disabled CLIENT attacks). It is not mandatory to attack an AP. Instead you can attack its CLIENTs only. Most of them are weak (weaker than a hardened AP).

BTW: That is an information message of hcxpcapngtool that the dump file is missing some frames - it is not an ERROR.

RE: hcxdumptool - missing frames w/ filtering - ZerBea - 12-24-2022

To make it more clear. To get a PSK (by hashcat) you can:

- attack AP and get a PMKID - AP must be in range
- attack connection between an AP and a connected CLIENT and get 4way handshake (M1M2M3M4) - AP and CLIENT must be in range
- attack CLIENT only and get M1M2ROGUE - only CLIENT must be in range (the AP can be located on a different continent)

hcxdumptool provides all three attack modes by default. But the most important mode is the last one (attack a CLIENT), because you can get a lot of useful information from it (undirected PROBEREQUEST, EAP identity, username and an EAPOL M2) to feed hashcat. Due to MAC randomization it is nearly impossible to use a filter on this mode.

RE: hcxdumptool - missing frames w/ filtering - pipss - 12-24-2022

Thank you so much for your quick reply. Indeed the whole strategy is more clear now. I could get and see 02*EAPOL (not PMKID) from my router (02*EAPOL or 01*PMKID from my neighbors too). So because of MAC randomization, is there any way to filter out and attack my router's AP clients only, w/o interfering with my neighbors? In case I need to attack some other particular AP (with PMKID) and that particular AP's clients only, is there any way to filter that particular AP and their clients only? Or is the attack always for all CLIENTs of all APs in range?

RE: hcxdumptool - missing frames w/ filtering - ZerBea - 12-24-2022

Additionally, it is important how the filters are working: filter_mode in combination with filter_list_ap/client works in the transmission branch only. It does not affect the reception branch.
If a CLIENT tried to connect to an AP, hcxdumptool receives e.g. the PMKID and shows/stores it (PMKID). If the PMKID is a response to hcxdumptool's attack you'll see PMKIDROGUE.

The same applies to the 4way handshake:

- M1M2ROGUE = hcxdumptool got an EAPOL M2 from the CLIENT (CLIENT responds to hcxdumptool's M1)
- M1M2 = hcxdumptool received an EAPOL M1 from AP and M2 from CLIENT (challenge)
- M1M2M3 = hcxdumptool received an EAPOL M1 from AP and M2 from CLIENT (challenge) and authorization from AP
- M1M2M3M4 = hcxdumptool received an EAPOL M1 from AP and M2 from CLIENT (challenge) and authorization from AP and authorization from CLIENT.

    --filtermode=2 --filterlist_ap=aptargetmaclist.txt

Only the target AP whose MAC is in the list is under attack, but if a different AP is transmitting its PMKID to a connect attempt of its CLIENT, hcxdumptool will receive this, too (both of them are not under attack - but if the CLIENT tries to connect to hcxdumptool, it will answer and request the M2 of the CLIENT). To prevent this you have to add --disable_client_attacks or set stop CLIENT attacks to 1 or 2. In that case, the CLIENT will not notice that it was under attack.

    --stop_client_m2_attacks=1

If you don't want the attack on an AP to be detected by tools like kismet, just set --disable_deauthentication and hcxdumptool will use the REASSOCIATION attack only. A tool that counts DEAUTHENTICATIONs will now fail to detect an attack.

There is no simple way or proof of concept of how to perform an attack, because it varies from AP to AP and from CLIENT to CLIENT and from VENDOR to VENDOR. I suggest running Wireshark in parallel and seeing what's going on on the channel. Then play with the options and combinations of options to find out which is the best one working against this target. If it works against this target, don't be sure it will work on a different target, too.
My testing environment:

- low power WiFi device (10mW) powered into a dummy load antenna
- target router and target client close to the device
- additional WiFi adapter to receive traffic on the channel by Wireshark

It's also interesting to see what's happening if you turn off the router and put the target ESSID in --essidlist and set --active_beacon (just look for M1M2ROGUE).

Running hcxdumptool it is counterproductive to use a high power WiFi device. A lower power device in combination with a panel antenna is the far better option.

RE: hcxdumptool - missing frames w/ filtering - pipss - 12-25-2022

Sir, I very much appreciate your time and effort to thoroughly explain quite complicated things to a newbie like me. I'll try all your suggestions. Thank you again.

RE: hcxdumptool - missing frames w/ filtering - ZerBea - 12-25-2022

No problem, you're welcome. I know that the biggest shortcoming of hcxdumptool/hcxtools is that these tools are not easy to use. And to make matters worse, they are also completely different to other tools even though some options may look similar.

RE: hcxdumptool - missing frames w/ filtering - pipss - 12-28-2022

I did attack my AP only in --filtermode=2 and I tried to connect and disconnect CLIENTs (my phones and tablets) to provide extra traffic for about 5-10 minutes.

[attachment: Screen Shot 2022-12-28 at 18.41.34.png]
[attachment: Screen Shot 2022-12-28 at 18.42.22.png]

Results are missing frames. But my AP's PMKID was shown during the scan. If I do the attack w/o filtering (on my and all neighbours' APs and clients), I could catch 18 hashes including my AP's hash in about one hour. Should I keep monitoring in filtermode more time to capture my AP's hash? Another observation is that my AP's MAC has two different addresses. Little confused here. Thank you.
RE: hcxdumptool - missing frames w/ filtering - ZerBea - 12-28-2022

A single received EAPOL M1 or M3 message is not enough to calculate if nonce-error-correction is possible. Therefore you need at least 2 M1 or M3 messages from the same AP as explained here: https://hashcat.net/forum/thread-6361.html

In case you got a PMKID you can ignore the warning of hcxdumptool.

"Another observation that my AP's MAC has two different addresses."

That is correct:
- One MAC is the MAC transmitted by the AP
- The second one is the MAC calculated and transmitted by hcxdumptool to retrieve its M2.

You'll see EAPOL: M1M2 or M2M3 or M3M4 if the CLIENT connected to your AP.
You'll see EAPOL: M1M2ROGUE if the CLIENT connected to the MAC transmitted from hcxdumptool.

Filtermode and filterlists do not have an impact on monitoring. Whether these filter options are in use or not does not have any influence on the reception. The filter is active only in the transmission branch.

RE: hcxdumptool - missing frames w/ filtering - pipss - 12-31-2022

I have two usb adapters, one with rtl8814au chip. This works ok with filtermode 2; I could get my router AP hash w/o bothering my neighbors now. But this adapter doesn't work in beacon mode, it shows tx power 0 dBm and PROTOCOL unassociated. I read about this issue in another forum thread. I tried to put it manually into monitor mode, but this improves PROTOCOL only, it shows now 802.11b, but power is still 0 dBm. My other adapter has mt7921u chip, it shows PROTOCOL 802.11 and power 3 dBm in beacon mode, but... error driver is busy: failed to transmit. Looks like both of these chips are not that good for hcxdumptool. Could you please advise some reliable dual band 2.4/5 usb adapter. Thank you.
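As an added example (not hcxdumptool's or hcxpcapngtool's own code, and not posted by anyone in this thread), here is a small Python sketch of the two checks ZerBea explains above for a capture of your own AP: reducing EAPOL-Key frames to the M1M2 / M1M2M3 / M1M2M3M4 / M1M2ROGUE state names, and testing the nonce-error-correction precondition (at least two M1/M3 with different ANonces from the same AP). The MAC addresses and frames are constructed, and parsing them out of the pcapng is assumed to have been done already.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class EapolKey:
    """One EAPOL-Key frame as pulled from the dump (all values constructed)."""
    src: str             # transmitter MAC
    dst: str             # receiver MAC
    msg: int             # 1..4 = 4way handshake message number
    anonce: bytes = b""  # only meaningful on M1/M3 (sent by the AP side)

def handshake_states(frames, beaconing_aps):
    """Map each (ap, client) pair to the state name hcxdumptool prints.
    The AP side is src for M1/M3 and dst for M2/M4.  If the AP MAC never
    beaconed, the M1 came from hcxdumptool's own MAC -> M1M2ROGUE."""
    seen = defaultdict(set)
    for f in frames:
        ap, client = (f.src, f.dst) if f.msg in (1, 3) else (f.dst, f.src)
        seen[(ap, client)].add(f.msg)
    states = {}
    for (ap, client), msgs in seen.items():
        chain = ""
        for n in (1, 2, 3, 4):          # stop at the first missing message
            if n not in msgs:
                break
            chain += f"M{n}"
        if chain.startswith("M1M2") and ap not in beaconing_aps:
            chain = "M1M2ROGUE"
        states[(ap, client)] = chain
    return states

def nonce_correction_possible(frames, ap):
    """hcxpcapngtool needs >= 2 M1/M3 from the SAME AP with different ANonces;
    one handshake repeats the same ANonce in M1 and M3, so it is not enough."""
    nonces = {f.anonce for f in frames if f.src == ap and f.msg in (1, 3)}
    return len(nonces) >= 2

# Constructed sample: one full handshake with the real AP, one client that
# answered hcxdumptool's rogue MAC (a MAC that never sent a BEACON).
AP, ROGUE = "00:11:22:33:44:55", "00:11:22:33:44:56"
C1, C2 = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
SAMPLE_FRAMES = [
    EapolKey(AP, C1, 1, b"\x01" * 32), EapolKey(C1, AP, 2),
    EapolKey(AP, C1, 3, b"\x01" * 32), EapolKey(C1, AP, 4),
    EapolKey(ROGUE, C2, 1, b"\x02" * 32), EapolKey(C2, ROGUE, 2),
]
BEACONING_APS = {AP}

if __name__ == "__main__":
    print(handshake_states(SAMPLE_FRAMES, BEACONING_APS))
    print("nonce-error-correction:", nonce_correction_possible(SAMPLE_FRAMES, AP))
```

With only one handshake from the AP the second check is False, which is exactly the "missing frames" information message from the first post; a second handshake with a fresh ANonce from the same AP makes it True.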