Plugins 2500/2501 and 16800/16801 are deprecated
#81
Hi devs, I am now running the command

hcxdumptool -i INTERFACENAME -w dumpfile.pcapng -F --rds=1

and it shows my network. I have no idea how to attack my network; what should I do next? Also, after I stopped the above command, I tried the command

tshark -i <interface> -w allframes.pcapng

I changed <interface> to wlan0, but it gives this error:

Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlan0'
tshark: The file to which the capture would be saved ("allframes.pcapng") could not be opened: Permission denied.

Edit: I just exited root mode, and tshark now works.
Reply
#82
To attack your network, it is mandatory to build a BPF.
First get the MAC address of your AP. This can be done by
Code:
$ hcxdumptool --rcascan=active

build the filter:
Code:
$ hcxdumptool --bpfc="wlan addr3 112233445566 or wlan addr3 ffffffffffff" > attack.bpfc

do the attack:
Code:
$ hcxdumptool -i INTERFACENAME -w dumpfile.pcapng -F --rds=1 --bpf=attack.bpfc

If the AP does PMKID caching or if a CLIENT is connected to the AP, the attack should be successful in a couple of seconds.
e.g.: attack using an ALFA AWSU035ACM took 0m8,334s:
https://github.com/ZerBea/hcxdumptool/di...nt-7550759

e.g.: attack using an ALFA AWSU035ACHM took 0m7,512s:
https://github.com/ZerBea/hcxdumptool/di...nt-7553512

BTW:
There is no need to run tshark as super user and it is not recommended to do so. But if you run it as super user, a normal user can't open the dump file.
Reply
#83
I forgot to mention:
Don't count on being able to decrypt all of the traffic recorded by tshark during an attack.
Therefore you need a session key that belongs to the same session as the encrypted traffic.
If you miss the beginning of such a sequence (e.g. because hcxdumptool does channel hopping), the decryption will fail (epically).
Reply
#84
Hi devs, I tried the command

$ hcxdumptool --bpfc="wlan addr3 112233445566 or wlan addr3 ffffffffffff" > attack.bpfc

I changed wlan to wlan0 because it didn't work at first, and the MAC to the MAC visible in rcascan; when I hit enter it says

unrecognized option '--bpfc=wlan0 addr3 a87484c8d49a'

Edit: so I successfully ran the command by adding a space at -- bpfc
Reply
#85
Whether the internal BPF compiler is available depends on how hcxdumptool has been compiled (see Makefile).
My version (development system running Arch Linux) is compiled with BPF compiler:
Code:
$ hcxdumptool -v
hcxdumptool 6.3.2-70-gdf8f2e6 (C) 2023 ZeroBeat
running on Linux kernel 6.6.3-arch1-1
running GNU libc version 2.38
compiled by gcc 13.2.1
compiled with Linux API headers 6.4.0
compiled with GNU libc headers 2.38
enabled REALTIME DISPLAY
enabled GPS support
enabled BPF compiler
If the internal BPF compiler is disabled, you have to use a third party tool (e.g. tcpdump) to build a filter.
Reply
#86
This is what shows on my end:

$ hcxdumptool --version
hcxdumptool 6.3.2-70-gdf8f2e6 (C) 2023 ZeroBeat
running on Linux kernel 6.5.0-kali3-amd64
running GNU libc version 2.37
compiled by gcc 13.2.0
compiled with Linux API headers 6.5.6
compiled with GNU libc headers 2.37
enabled REALTIME DISPLAY
enabled GPS support
disabled BPF compiler
Reply
#87
I tried creating a filter with the help of hcxdumptool --help

tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 112233445566 -ddd > filter.bpf

I only changed 112233445566 to my MAC address, then hit enter

then still BPF is unset
Reply
#88
What happens after hcxdumptool has been started:

it requests the regulatory domain settings (to figure out what is allowed)
it requests the capabilities of the attack device
it sets monitor mode (active monitor mode if possible)
it sets lowest bit rate and smallest bandwidth (to increase range)
it scans for the target(s)

upper display:
if a target is in range and under attack, a + appears in the R column
it requests the PMKID from the target - a + appears in the 1 column
if the target supports PMKID caching, a + appears in the P column
it reconnects to the target's connected CLIENTs (if that fails, it tries to disconnect them)
if it got a 4way handshake a + appears in the 3 column
a plus in the S column shows that the AP uses a WPA-PSK mode

lower display:
if the CLIENT responds to an EAP request, a + appears in the E column
if the CLIENT connects to hcxdumptool a + appears in the 2 column

If you got a plus in the P, 3 or 2 column you can stop hcxdumptool and convert the pcapng file to hashcat's hc22000 format.
Either you can use hashcat's online converter (that runs hcxpcapngtool):
https://hashcat.net/cap2hashcat/

or you can use hcxpcapngtool
https://github.com/ZerBea/hcxtools
Code:
$ hcxpcapngtool -o test.hc22000 dumpfile.pcapng

Now you can start your offline attacks running hashcat's different attack modes as described here:
https://hashcat.net/wiki/

e.g. word list attack:
Code:
$ hashcat -m 22000 test.hc22000 wordlist
If the PSK is inside the word list, hashcat will show it.

An up-to-date word list (c-nets) is here:
https://wpa-sec.stanev.org/?dicts
or here
https://hashmob.net/resources/hashmob
Reply
#89
(12-05-2023, 12:55 PM)yuXfar Wrote: I tried creating a filter with the help of hcxdumptool --help

tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 112233445566 -ddd > filter.bpf

I only changed 112233445566 to my MAC address, then hit enter

then still BPF is unset

Something is wrong with your work flow. Please check the command lines.
Add cat filter.bpf to see whether it has really been compiled.
Code:
$ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 112233445566 -ddd > filter.bpf
$ cat filter.bpf
$ hcxdumptool -i INTERFACE --bpf=filter.bpf -F --rds=1
Reply
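A quick format check for filter.bpf, added here as an example that is not hcxdumptool's or tcpdump's own code: it parses the tcpdump -ddd layout that --bpf= reads (count line, then one "code jt jf k" line per instruction), reports an empty or truncated file such as the one behind "BPF is unset" above, and checks jump targets and the final return. The sample program embedded in it is hand-built to illustrate the layout and is not real tcpdump output for the addr3 filter.

```python
"""Sanity-check a tcpdump -ddd file before handing it to hcxdumptool --bpf=.
An empty file (failed tcpdump command) is a common cause of "BPF is unset"."""
import sys

BPF_CLASS_MASK, BPF_JMP, BPF_RET, BPF_JA = 0x07, 0x05, 0x06, 0x00


def parse_ddd(text: str) -> list[tuple[int, int, int, int]]:
    """Parse -ddd text into (code, jt, jf, k) tuples; raise ValueError on bad input."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty file: the tcpdump command produced no output")
    count, body = int(lines[0]), lines[1:]
    if len(body) != count:
        raise ValueError(f"header says {count} instructions, found {len(body)}")
    insns = []
    for n, ln in enumerate(body, 2):
        parts = ln.split()
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 'code jt jf k', got {ln!r}")
        insns.append(tuple(int(p) for p in parts))
    return insns


def validate(text: str) -> list[str]:
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        insns = parse_ddd(text)
    except ValueError as e:
        return [str(e)]
    problems, n = [], len(insns)
    for i, (code, jt, jf, k) in enumerate(insns):
        if (code & BPF_CLASS_MASK) != BPF_JMP:
            continue
        # JA jumps by k, conditional jumps by jt/jf; all offsets are relative
        # to the next instruction and must land inside the program.
        for off in ([k] if (code & 0xF0) == BPF_JA else [jt, jf]):
            if i + 1 + off >= n:
                problems.append(f"instruction {i}: jump target {i + 1 + off} out of range")
    if (insns[-1][0] & BPF_CLASS_MASK) != BPF_RET:
        problems.append("last instruction is not a RET")
    return problems


# Constructed sample, not real tcpdump output: ldh [2]; tax; ldh [x+16];
# jeq #0x1234 -> ret 262144 / ret 0.  It only tests the first two addr3 bytes.
SAMPLE_OK = "6\n40 0 0 2\n7 0 0 0\n72 0 0 16\n21 0 1 4660\n6 0 0 262144\n6 0 0 0\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OK
    print("\n".join(validate(text)) or "OK")
```

Run it as python3 check_bpf.py filter.bpf; any output other than OK means the file is not a complete -ddd program.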
#90
Linux does not forgive mistakes/typos on the command line level.
Reply