hcxdumptool
#1
Question 
Hello folks,
Can somebody tell me how we can find out whether hcxdumptool captured any handshake?
Does it have any identifier or something?
For example, in this:

  CHA    LAST  R 1 3 P S    MAC-AP    ESSID (last seen on top)  SCAN-FREQUENCY:  2437
-----------------------------------------------------------------------------------------
[ 11] 12:53:47        + 46a58d4560dd Mi 10T Lite
[ 11] 12:53:46          b6e7d329466d Electropack
[  6] 12:53:46 +      + d4a456ab46c4 camera_46c4
[  2] 12:53:46        + 763d432151c0 POCO X5 Pro 5G
[  1] 12:53:45 +      + 46a2208ab29b MobinNet_E29A
#2
Explanation:
Code:
[ 11] 12:53:47        + 46a58d4560dd Mi 10T Lite -> AP not in range
[ 11] 12:53:46          b6e7d329466d Electropack -> AP doesn't use a PSK
[  6] 12:53:46 +      + d4a456ab46c4 camera_46c4 -> AP does not respond to hcxdumptool's ASSOCIATIONREQUEST
[  2] 12:53:46        + 763d432151c0 POCO X5 Pro 5G -> AP not in range
[  1] 12:53:45 +      + 46a2208ab29b MobinNet_E29A -> AP does not respond to hcxdumptool's ASSOCIATIONREQUEST

Solution:
Improve your antenna or get closer to the targets.

The columns are explained in the help menu:
Code:
$ hcxdumptool -h

--rds=<digit>             : sort real time display
                             attack mode:
                              default: sort by time (last seen on top)
                               1 = sort by status (last PMKID/EAPOL on top)
                             scan mode:
                               1 = sort by PROBERESPONSE count
                             Columns:
                              R = + AP display     : AP is in TX range or under attack
                              S = + AP display     : AUTHENTICATION KEY MANAGEMENT PSK
                              P = + AP display     : got PMKID hashcat / JtR can work on
                              1 = + AP display     : got EAPOL M1 (CHALLENGE)
                              3 = + AP display     : got EAPOL M1M2M3 or EAPOL M1M2M3M4 (AUTHORIZATION) hashcat / JtR can work on
                              E = + CLIENT display : got EAP-START MESSAGE
                              2 = + CLIENT display : got EAPOL M1M2 (ROGUE CHALLENGE) hashcat / JtR can work on
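As an added example (not code from this thread or from hcxdumptool itself), a small Python parser that reads a status display like the one above, derives the R/1/3/P/S column offsets from the header line, and reports what each row means according to the explanation in this post and the `-h` text. The sample display is constructed for this example, and the assumption that header and rows are aligned one character per flag column is mine.

```python
import re
from typing import Dict, List

# Status columns as documented in `hcxdumptool -h` (quoted in the post above).
FLAG_COLUMNS = "R13PS"

# Constructed sample modelled on the real time display in post #1. Assumption of
# this example: header and rows are aligned, one character per flag column.
SAMPLE = """\
  CHA    LAST  R 1 3 P S    MAC-AP    ESSID (last seen on top)  SCAN-FREQUENCY:  2437
-----------------------------------------------------------------------------------------
[ 11] 12:53:47         + 46a58d4560dd Mi 10T Lite
[ 11] 12:53:46           b6e7d329466d Electropack
[  6] 12:53:46 +       + d4a456ab46c4 camera_46c4
[  1] 12:53:45 +     + + 02001b2c3d4e lab-ap-pmkid
[  6] 12:53:44 + + +   + 02001b2c3d4f lab-ap-eapol
[ 11] 12:53:43 + +     + 02001b2c3d50 lab-ap-m1only
"""

# channel in brackets, HH:MM:SS, the flag region, a 12-hex-digit MAC, then the ESSID
ROW_RE = re.compile(r"^\[\s*(\d+)\] (\d\d:\d\d:\d\d) .*?([0-9a-f]{12}) (.*)$")


def parse_display(text: str) -> List[Dict]:
    """Return one dict per AP row, with a bool per status column."""
    lines = text.splitlines()
    header = lines[0]
    start = header.index("LAST") + 4      # skip the 'S' inside 'LAST'
    cols = {c: header.index(c, start) for c in FLAG_COLUMNS}
    aps = []
    for row in lines[1:]:
        m = ROW_RE.match(row)
        if not m:
            continue                      # separator line or other non-AP text
        flags = {c: len(row) > pos and row[pos] == "+" for c, pos in cols.items()}
        aps.append({"channel": int(m.group(1)), "last": m.group(2),
                    "mac": m.group(3), "essid": m.group(4), "flags": flags})
    return aps


def assess(ap: Dict) -> str:
    """Interpret a row the way post #2 does: which column is missing and why."""
    f = ap["flags"]
    if not f["S"]:
        return "no PSK AKM: AP doesn't use a PSK"
    if f["P"] or f["3"]:
        return "PMKID or complete EAPOL message pair captured: hashcat / JtR can work on it"
    if not f["R"]:
        return "AP not in range: improve your antenna or get closer"
    if f["1"]:
        return "only EAPOL M1 seen so far: message pair not complete yet"
    return "in range but nothing usable yet: AP did not respond to the ASSOCIATIONREQUEST"
```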
#3
(04-16-2024, 02:15 PM)ZerBea Wrote:

Thank you.
#4
You're welcome.

BTW:
Some more information is here:
https://github.com/ZerBea/hcxdumptool/discussions/432

To monitor the entire traffic, you can always run tshark or Wireshark in parallel with hcxdumptool.
e.g. monitor outgoing packets:
https://github.com/ZerBea/hcxdumptool/discussions/395

Some systems are described here:
https://github.com/ZerBea/hcxdumptool/wiki

Some adapters are tested here:
https://github.com/ZerBea/hcxdumptool/discussions/361
#5
When using hcxdumptool to capture WPA/WPA2 handshakes, the tool itself does not immediately tell you whether a handshake has been successfully captured during the process.
#6
Due to performance reasons, hcxdumptool is designed to run headless by default, e.g. on small systems like this one:
https://github.com/ZerBea/hcxdumptool/wi...g-system-2
Everything that takes many CPU cycles and slows hcxdumptool down is limited to an absolute minimum (form always follows function).
That includes that only the most common channels (1a, 6a and 11a) are used.

To show retrieved PMKIDs and EAPOL MESSAGE PAIRS add --rds=1 to the command line (1 = sort by status (last PMKID/EAPOL on top)). Now the status display shows only retrieved PMKIDs, EAPOL MESSAGEPAIRs of connected CLIENTs and EAPOL MESSAGEs (M2) from CLIENTs connected to hcxdumptool.
To use all available frequencies, add -F to the command line.
All this (and the meaning of a + in the columns) is explained on -h and --help.

To see if the target is in range, do a rcascan first (-F scans all available frequencies):
Code:
$ sudo hcxdumptool -i INTERFACE --rcascan=active -F

If everything is working as expected (driver is working as expected and target(s) are in range), the status display shows the last response time of an AP and a count how many times it has responded. If terminated, you'll get something like this:
Code:
^C
374 Packet(s) captured by kernel
22 Packet(s) dropped by kernel
71 PROBERESPONSE(s) captured

If something went wrong, the RESPONSE column remains empty and the count is [0].
The exit status is something like this:
Code:
^C
0 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
Warning: too less packets received (monitor mode may not work as expected)
Possible reasons:
no transmitter in range
frames are filtered out by BPF
driver is broken
Warning: no PROBERESPONSES received (frame injection may not work as expected)
Possible reasons:
no AP in range
frames are filtered out by BPF
driver is broken
driver does not support frame injection

exit on sigterm
In that case, either no target is in range, or the driver is broken (most likely), or your system is misconfigured (services that access the device are still running).

Make sure you're running the latest version of hcxdumptool and hcxtools (6.3.4).

Due to massive driver issues, make sure you're running the latest Linux kernel and not one of the ones mentioned below:
https://github.com/ZerBea/hcxdumptool/discussions/465
https://github.com/ZerBea/hcxdumptool/discussions/454
These issues have been fixed since longterm kernel 6.6.44 and stable kernel 6.10.3.

Please note:
The requirements that must be met to show a PMKID or an EAPOL MESSAGEPAIR are much higher than the requirements of hcxpcapngtool.
hcxdumptool works on the fly, and we need to ensure that we capture a valid PMKID or a valid MESSAGEPAIR.
hcxpcapngtool does the conversion off-line and we have all the time we need to search for the best PMKID or the best EAPOL MESSAGEPAIR.
#7
Kernel 6.6.44-3-lts works properly with the latest hcxdumptool on my old Intel notebook with built-in ath9k wifi.
With kernel 6.10.3-arch1-2 channels are not switching.

% hcxdumptool -v
hcxdumptool 6.3.4-41-g233b6e3 (C) 2024 ZeroBeat
running on Linux kernel 6.6.44-3-lts
running GNU libc version 2.40
compiled by gcc 14.2.1
compiled with Linux API headers 6.10.0
compiled with GNU libc headers 2.40
enabled REALTIME DISPLAY
disabled GPS support
disabled BPF compiler
#8
Thanks for that information, but after a test, I can't confirm this.

Running kernel 6.10.3-arch1-2 everything (monitor mode, frame injection and frequency change) is working as expected (except ALFA AWUS036AXM and AXML - but that's a completely different issue):
Code:
$ uname -r
6.10.3-arch1-2

$ hcxdumptool -v
hcxdumptool 6.3.4-41-g233b6e3 (C) 2024 ZeroBeat
running on Linux kernel 6.10.3-arch1-2
running GNU libc version 2.40
compiled by gcc 14.1.1
compiled with Linux API headers 6.10.0
compiled with GNU libc headers 2.40
enabled REALTIME DISPLAY
enabled GPS support
enabled BPF compiler

$ lsusb
0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n

$ hcxdumptool -l
  1      4    f81a6707731c    7ce4aa4bc8b8    +    wlp5s0f3u3          ath9k_htc    NETLINK

$ sudo hcxdumptool -i wlp5s0f3u3 -w test.pcapng --rds=1
...
^C
967 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
67 EPB written to pcapng dumpfile

Channel scan is working as expected, confirmed by real time display of hcxdumptool and Wireshark (radiotap header):
Code:
Channel frequency: 2412 [BG 1]
Channel frequency: 2462 [BG 11]

Which PCIe card and which driver do you use (hcxdumptool -L)?
#9
Rechecked, same issue...
But based on REALTIME DISPLAY only.
With kernel 6.6.44-3-lts APs are visible on channels 1,5,6,11
With kernel 6.10.3-arch1-2 APs are visible on channel 1 only.


Code:
% lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:          36 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  2
  On-line CPU(s) list:    0,1
Vendor ID:                GenuineIntel
  Model name:            Intel(R) Core(TM)2 Duo CPU    P9500  @ 2.53GHz

Code:
% lspci
06:00.0 Network controller: Qualcomm Atheros AR928X Wireless Network Adapter (PCI-Express) (rev 01)

Code:
% hcxdumptool -L

Requesting physical interface capabilities. This may take some time.
Please be patient...

available wlan devices:

phy idx hw-mac      virtual-mac  m ifname          driver (protocol)
---------------------------------------------------------------------------------------------
  0  6 112233445566 1a1f54b073b4 * wlan0            ath9k (NETLINK)

* active monitor mode available (reported by driver - do not trust it)
+ monitor mode available (reported by driver)
- no monitor mode available
#10
Ok, thanks for the information. I see it's the older ath9k driver.

The only way to figure out what exactly happened is to bisect the Linux kernel (between 6.11-rc2 and 6.6.44).
Once you have identified the patch that caused the trouble you can send an issue report directly to the Linux Wireless Mailing List.
https://www.kernel.org/doc/html/latest/a...ssues.html

Bisecting the Linux kernel running Arch Linux is very easy:
https://bbs.archlinux.org/viewtopic.php?id=271926
https://www.kernel.org/doc/html/latest/a...isect.html

If you need a modified pkgbuild and Arch Linux kernel config to do a bisect, please let me know.