hcxdumptool - Printable Version

hcxdumptool - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: General Talk (https://hashcat.net/forum/forum-33.html)
+--- Thread: hcxdumptool (/thread-11913.html)

Pages: 1 2

hcxdumptool - mrwho'sHE - 04-16-2024

Hello folks,
can somebody tell me how we can find hcxdumptool capture any handshake?
does it have any identifire or something?
for example in this:

CHA LAST R 1 3 P S MAC-AP ESSID (last seen on top) SCAN-FREQUENCY: 2437
-----------------------------------------------------------------------------------------
[ 11] 12:53:47 + 46a58d4560dd Mi 10T Lite
[ 11] 12:53:46 b6e7d329466d Electropack
[ 6] 12:53:46 + + d4a456ab46c4 camera_46c4
[ 2] 12:53:46 + 763d432151c0 POCO X5 Pro 5G
[ 1] 12:53:45 + + 46a2208ab29b MobinNet_E29A

RE: hcxdumptool - ZerBea - 04-16-2024

Explanation:

Code:
[ 11] 12:53:47        + 46a58d4560dd Mi 10T Lite -> AP not in range

[ 11] 12:53:46          b6e7d329466d Electropack -> AP doesn't use a PSK

[  6] 12:53:46 +      + d4a456ab46c4 camera_46c4 -> AP does not respond to hcxdumptool's ASSOCIATIONREQUEST 

[  2] 12:53:46        + 763d432151c0 POCO X5 Pro 5G -> AP not in Range

[  1] 12:53:45 +      + 46a2208ab29b MobinNet_E29A -> AP does not respond to hcxdumptool's ASSOCIATIONREQUEST

Solution:
Improve your antenna or get closer to the targets.

The columns are explained in help menu:

Code:
$ hcxdumptool -h

--rds=<digit>             : sort real time display

                             attack mode:

                              default: sort by time (last seen on top)

                               1 = sort by status (last PMKID/EAPOL on top)

                             scan mode:

                               1 = sort by PROBERESPONSE count

                             Columns:

                              R = + AP display     : AP is in TX range or under attack

                              S = + AP display     : AUTHENTICATION KEY MANAGEMENT PSK

                              P = + AP display     : got PMKID hashcat / JtR can work on

                              1 = + AP display     : got EAPOL M1 (CHALLENGE)

                              3 = + AP display     : got EAPOL M1M2M3 or EAPOL M1M2M3M4 (AUTHORIZATION) hashcat / JtR can work on

                              E = + CLIENT display : got EAP-START MESSAGE

                              2 = + CLIENT display : got EAPOL M1M2 (ROGUE CHALLENGE) hashcat / JtR can work on

RE: hcxdumptool - mrwho'sHE - 04-17-2024

(04-16-2024, 02:15 PM)ZerBea Wrote:

Thank you.

RE: hcxdumptool - ZerBea - 04-17-2024

You're welcome.

BTW:
Some more information is here:
https://github.com/ZerBea/hcxdumptool/discussions/432

To monitor the entire traffic, you can always run tshark or Wireshark in parallel with hcxdumptool.
e.g. monitor outgoing packets:
https://github.com/ZerBea/hcxdumptool/discussions/395

Some systems are described here:
https://github.com/ZerBea/hcxdumptool/wiki

Some adapters are tested here:
https://github.com/ZerBea/hcxdumptool/discussions/361

RE: hcxdumptool - customsspirit - 08-09-2024

When using hcxdumptool to capture WPA/WPA2 handshakes, the tool itself does not immediately tell you whether a handshake has been successfully captured during the process.

geometry dash

RE: hcxdumptool - ZerBea - 08-09-2024

Due to performance reasons, hcxdumptool is designed to run headless by default, e.g. on small systems like this one:
https://github.com/ZerBea/hcxdumptool/wiki/Penetration-testing-system-2
Everything that take much CPU cycles and slows hcxdumptool down is limited to an absolute minimum (form always follows function).
That include that only the most common channels (1a, 6a and 11a) are used.

To show retrieved PMKIDs and EAPOL MESSAGE PAIRS add --rds=1 to the command line (1 = sort by status (last PMKID/EAPOL on top)). Now the status display shows only retrieved PMKIDs, EAPOL MESSAGEPAIRs of connected CLIENTs and EAPOL MESSAGEs (M2) from CLIENTs connected to hcxdumptool.
To use all available frequencies, add -F to the command line-
All this (and the meaning of a + in the columms) is explained on -h and --help.

To see if the target is in range, do a rcascan first (-F scans all available frequencies):

Code:
$ sudo hcxumptool -i INTERFACE --rcascan=active -F

If everything is working as expected (driver is working as expected and target(s) are in range), the status display shows the last response time of an AP and a count how many times it has responded. If terminated, you'll get something like this:

Code:
^C

374 Packet(s) captured by kernel

22 Packet(s) dropped by kernel

71 PROBERESPONSE(s) captured

If something went wrong, RESPONSE column remains empty and the count is [0].
The exit status is something like this:

Code:
^C

0 Packet(s) captured by kernel

0 Packet(s) dropped by kernel

Warning: too less packets received (monitor mode may not work as expected)

Possible reasons:

 no transmitter in range

 frames are filtered out by BPF

 driver is broken

Warning: no PROBERESPONSES received (frame injection may not work as expected)

Possible reasons:

 no AP in range

 frames are filtered out by BPF

 driver is broken

 driver does not support frame injection

exit on sigterm

In that case, either no target is in range or the driver is broken (most likely) or your system is misconfigured (services that take access to the device are still running).

Make sure you're running latest version of hcxdumptool and hcxtools (6.3.4).

Due to massive driver issues make sure you're running the latest Linux Kernel. and not one of these ones as mentioned below:
https://github.com/ZerBea/hcxdumptool/discussions/465
https://github.com/ZerBea/hcxdumptool/discussions/454
This issues have been fixed since longterm kernel 6.6.44 and stable kernel 6.10.3.

Please note:
The requirements that must meet to show a PMKID or an EAPOL MESSAGEPAIR are much higher than the requirements of hcxpcapngtool.
hcxdumptool is on the fly and we need to ensure to capture a valid PMKID or a valid MESSAGEpAIR.
hcxpcapngtool does the conversion off-line and we have all the time we need to search for the best PMKID or the best EAPOL MESSAGEPAIR.

RE: hcxdumptool - v71221 - 08-10-2024

Kernel 6.6.44-3-lts works properly with latest hcxdumptool on my old intel notebook with buitin ath9k wifi.
With kernel 6.10.3-arch1-2 channels are not switching.

% hcxdumptool -v
hcxdumptool 6.3.4-41-g233b6e3 (C) 2024 ZeroBeat
running on Linux kernel 6.6.44-3-lts
running GNU libc version 2.40
compiled by gcc 14.2.1
compiled with Linux API headers 6.10.0
compiled with GNU libc headers 2.40
enabled REALTIME DISPLAY
disabled GPS support
disabled BPF compiler

RE: hcxdumptool - ZerBea - 08-10-2024

Thanks for that information, but after a test, I can't confirm this.

Running kernel 6.10.3-arch1-2 everything (monitor mode, frame injection and frequency change) is working as expected (except ALFA AWUS036AXM and AXML - but that's a completely different issue):

Code:
$ uname -r

6.10.3-arch1-2

$ hcxdumptool -v

hcxdumptool 6.3.4-41-g233b6e3 (C) 2024 ZeroBeat

running on Linux kernel 6.10.3-arch1-2

running GNU libc version 2.40

compiled by gcc 14.1.1

compiled with Linux API headers 6.10.0

compiled with GNU libc headers 2.40

enabled REALTIME DISPLAY

enabled GPS support

enabled BPF compiler

$ lsusb

0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n

$ hcxdumptool -l

  1      4    f81a6707731c    7ce4aa4bc8b8    +    wlp5s0f3u3          ath9k_htc    NETLINK

$ sudo hcxdumptool -i wlp5s0f3u3 -w test.pcapng --rds=1

...

^C

967 Packet(s) captured by kernel

0 Packet(s) dropped by kernel

1 SHB written to pcapng dumpfile

1 IDB written to pcapng dumpfile

1 ECB written to pcapng dumpfile

67 EPB written to pcapng dumpfile

Channel scan is working as expected, confirmed by real time display of hcxdumptool and Wireshark (radiotap header):

Code:
Channel frequency: 2412 [BG 1]

Channel frequency: 2462 [BG 11]

Which PCIe card and which driver do you use (hcxdumptool -L)?

RE: hcxdumptool - v71221 - 08-11-2024

Rechecked, same issue...
But based on REALTIME DISPLAY only.
With kernel 6.6.44-3-lts APs are visible on channels 1,5,6,11
With kernel 6.10.3-arch1-2 APs are visible on channel 1 only.

Code:
% lscpu

Architecture:            x86_64

  CPU op-mode(s):        32-bit, 64-bit

  Address sizes:          36 bits physical, 48 bits virtual

  Byte Order:            Little Endian

CPU(s):                  2

  On-line CPU(s) list:    0,1

Vendor ID:                GenuineIntel

  Model name:            Intel(R) Core(TM)2 Duo CPU    P9500  @ 2.53GHz

Code:
% lspci

06:00.0 Network controller: Qualcomm Atheros AR928X Wireless Network Adapter (PCI-Express) (rev 01)

Code:
% hcxdumptool -L

Requesting physical interface capabilities. This may take some time.

Please be patient...

available wlan devices:

phy idx hw-mac      virtual-mac  m ifname          driver (protocol)

---------------------------------------------------------------------------------------------

  0  6 112233445566 1a1f54b073b4 * wlan0            ath9k (NETLINK)

* active monitor mode available (reported by driver - do not trust it)

+ monitor mode available (reported by driver)

- no monitor mode available

RE: hcxdumptool - ZerBea - 08-11-2024

Ok, thanks for the information. I see it's the older ath9k driver.

The only way to figure out what exactly happened is that you bisect the Linux kernel (between 6.11-rc2 and 6.6.44).
Once you have identified the patch that caused the trouble you can send an issue report directly to the Linux Wireless Mailing List.
https://www.kernel.org/doc/html/latest/admin-guide/reporting-issues.html

Bisecting the Linux kernel running Arch Linux is very easy:
https://bbs.archlinux.org/viewtopic.php?id=271926
https://www.kernel.org/doc/html/latest/admin-guide/bug-bisect.html

If you need a modified pkgbuild and Arch Linux kernel config to do a bisect, please let me know.