hcxdumptool - missing frames w/ filtering
#1
Hello!

I'm newby, so please forgive my ignorance.

Using: 
Code:
hcxdumptool -i wlan0 -o dump.pcapng --enable_status=31 
i could get PMKID and EAPOL from all my and my neighbours routers.

But i need only to scan for my own one, so next l did filtering with 2.4 GHz wifi MAC address:
Code:
hcxdumptool -i wlan0 -o dump.pcapng --enable_status=31 --do_targetscan=XX:XX:XX:XX:XX:XX
and after i run hcxpcapngtool i got error:

Information: missing frames!

This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.

I read that filtering could cause some info lost, but how could i scan my own router only, without interfering my neighbours?

Please advice.
Reply
#2
do_targetscan does exactly the same as do_rca_scan but it will not probe all APs in range It only probes the target.
$ sudo hcxdumptool -i INTERFACE --do_rca_scan
you'll get a long list of APs and you'll see if they are in range (respond to our request) or not.

$ sudo hcxdumptool -i INTERFACE --do_target_scan
You'll get only responds from the target APs and you'll see if it is in range (respond to our request) or not.
The target will not be under attack and all other frames than its BEACON and PROBERESONSE frames are ignored.

Both modes are designed to get an overview about possible targets and that they are in transmit rang. They are also very helpful to direct the antenna.


If you want to filter, you have either to use BPFC or filter_list_ap/client in combination with filter_mode and attack modes.
Code:
--bpfc=<file>                      : input kernel space Berkeley Packet Filter (BPF) code
                                     affected: incoming and outgoing traffic - that include rca scan
                                     steps to create a BPF (it only has to be done once):
                                      set hcxdumptool monitormode
                                       $ hcxdumptool -m <interface>
                                      create BPF to protect a MAC
                                       $ tcpdump -i <interface> not wlan addr3 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
                                       where addr3 protect ACCESS POINTs and addr2 protect CLIENTs
                                       recommended to protect own devices
                                      or create BPF to attack a MAC
                                       $ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
                                       it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
                                       or undirected frames
                                       $ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
                                       see man pcap-filter for a list of all filter options
                                      to use the BPF code
                                       $ hcxdumptool -i <interface> --bpfc=attack.bpf ...
                                     notice: this is a protect/attack, a capture and a display filter
--filtermode=<digit>               : user space filter mode for filter list
                                     mandatory in combination with --filterlist_ap and/or --filterlist_client
                                     affected: only outgoing traffic
                                     notice: hcxdumptool act as passive dumper and it will capture the whole traffic on the channel
                                     0: ignore filter list (default)
                                     1: use filter list as protection list
                                        do not interact with ACCESS POINTs and CLIENTs from this list
                                     2: use filter list as target list
                                        only interact with ACCESS POINTs and CLIENTs from this list
                                        not recommended, because some useful frames could be filtered out
                                     using a filter list doesn't have an affect on rca scan
                                     only for testing useful - devices to be protected should be added to BPF
                                     notice: this filter option will let hcxdumptool protect or attack a target - it is neither a capture nor a display filter
--filterlist_ap=<file or MAC>      : ACCESS POINT MAC or MAC filter list
                                     format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
                                     maximum entries 256
                                     run first --do_rcascan to retrieve information about the target
--filterlist_ap_vendor=<file>      : ACCESS POINT VENDOR  filter list by VENDOR
                                     format: 112233, 11:22:33, 11-22-33 # comment
                                     maximum entries 256
                                     run first --do_rcascan to retrieve information about the target
--filterlist_client=<file or MAC>  : CLIENT MAC or MAC filter list
                                     format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
                                     maximum entries 256
                                     due to MAC randomization of the CLIENT, it does not always work!
--filterlist_client_VENDOR=<file>  : CLIENT VENDOR filter list
                                     format: 112233, 11:22:33, 11-22-33 # comment
                                     maximum entries 256
                                     due to MAC randomization of the CLIENT, it does not always work!


--do_targetscan=<MAC_AP>           : same as do_rcascan - hide all networks, except target
                                     format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66

Please notice that modern CLIENTs use MAC randomization. That makes it unfeasible to filter them. If you set an AP filter (AP as target), it will not have an effect on CLIENTs that try to connect to hcxdumptool. You'll get M1M2ROGUE of them too (as long as you have not disabled CLIENT attacks).
It is not mandatory to attack an AP. Instead you can attack its CLIENTs, only. Most of them are weak (weaker than a hardened AP).



BTW:
That is an information of hcxpcapngtool that the dump file is missing some frames - it is not an ERROR.
Reply
#3
To make it more clear. To get a PSK (by hashcat) you can:
attack AP and get a PMKID - AP must be in range
attack connection between an AP and a connected CLIENT and get 4way handshake (M1M2M3M4) - AP and CLIENT must be in range
attack CLIENT only and get M1M2ROGUE - only CLIENT must be in range (the AP can be located on a different continent )
hcxdumptool provide all three attack modes by default. But the most important mode is the last one (attack a CLIENT), because you can get a lot of useful information from it (undirected PROBEREQUEST, EAP identity, username and an EAPOL M2) to feed hashcat. Due to MAC randomization it is nearly impossible to use a filter on this mode.
Reply
#4
Thank you so much for your quick reply.

Indeed the whole strategy is more clear now. I could get and see 02*EAPOL (not PMKID) from my router (02*EAPOL or 01*PMKID from my neighbors too Smile)

So because of MAC randomization, is there any way to filter out and attack my router’s AP clients only, w/o interfering my neighbors?

In case if i need to attack some other particular AP (with PMKID) and that particular AP clients only, is there any way to filter that particular AP and they clients only?

Or attack is always for all CLIENTS of all AP in range?
Reply
#5
Additional it is important how the filters are working:
filter_mode in combination with filter_list_ap/client is working in transmission branch, only. It does not affect the reception branch. If a CLIENT tried to connect to an AP, hcxdumptool receive the eg. the PMKID and show/store it (PMKID).
If the PMKID is a response to hcxdumptool's attack you'll see PMKIDROGUE.
The same applies to the 4way handshake:
M1M2ROGUE = hcxdumptool got an EAPOL M2 from the CLIENT (CLIENT respond to hcxdumptool M1)
M1M2 = hcxdumptool received an EAPOL M1 from AP and M2 from CLIENT (challenge)
M1M2M3 = hcxdumptool received an EAPOL M1 from AP and M2 from CLIENT (challenge) and authorization from AP
M1M2M3M4 =hcxdumptool received an EAPOL M1 from AP and M2 from CLIENT (challenge) and authorization from AP and authorization from CLIENT.

--filtermode=2 --filtelist_ap=aptargetmaclist.txt
only the target AP with its MAC in is under attack, but if a different AP is transmitting its PMKID to a connect attempt of its CLIENT, hcxdumptool will receive this, too (both of them are not under attack - but if the CLIENT tries to connect to hcxdumptool, it will answer and request the M2 of the CLIENT.
To prevent this you have to add --disable_client_attacks
or set stop CLIENT attacks to 1 or 2. In that case, the CLIENT will not notice that it was under attack.
--stop_client_m2_attacks=1

If you don't want that the attack on an AP can be detected by tools like kismet, just set --disable_deauthentication and hcxdumptool will use the REASSOCIATION attack only. A tool that count DEAUTHENTICATIONs will now fail to detect an attack.

There is no simple way or proof of concept how to perform an attack, because it varies from AP to AP and from CLIENT to CLIENT and from VENDOR to VENDOR.
I suggest to run Wireshark in parallel and see what's going on on the channel. Than play with the options and combinations of options to find out which is the best one working against this target. If it works against this target,don't be sure it will work on a different target, too.
My testing environment:
low power WiFI device (10mW) powered into a dummy load antenna
target router and target target client close to the device
additional WiFi adapter to receive traffic on the channel by Wireshark

It's also interesting to see what's happening if you turned of the router and put the target ESSID in --essidlist and set --active_beacon (just look for M1M2ROGUE).

Running hcxdumptool it is counterproductive to use a high power WiFi device. A lower power device in combination with a panel antenna is the far better option.
Reply
#6
Sir, I very much appreciate your time and effort to thoroughly explain quite complicated things to a newby like me. I’ll try all your suggestions. Thank you again.
Reply
#7
No problem, you're welcome.
I know that the biggest shortcoming of hcxdumptool/hcxtools is that this tools are not easy to use. And to make matters worse, they are also completely different to other tools even though some options may look similar.
Reply
#8
I did attack my AP only in --filtermode=2  and i tried to connect and disconnect CLIENTS (my phones and tablets) to provide extra traffic for about 5-10 minutes.


.png   Screen Shot 2022-12-28 at 18.41.34.png (Size: 278.82 KB / Downloads: 15)
.png   Screen Shot 2022-12-28 at 18.42.22.png (Size: 175.47 KB / Downloads: 11)

Results are missing frames. But my AP's PMKID was shown during the scan.

If i do attack w/o filtering (on my and all neighbour's AP's and clients), i could catch 18 hashes including my AP's hash in about one hour.

Should i keep monitoring in filtermode more time to capture my AP's hash? Another observation that my AP's MAC  has two different addresses. Little confused here. Thank you.
Reply
#9
A single received EAPOL M1 or M3 message is not enough to calculate if nonce-error-corrections is possible. Therefor you need at least 2 M1 or M3 messages from the same AP as explained here:
https://hashcat.net/forum/thread-6361.html
In a case if you got of a PMKID you can ignore the warning of hcxdumptool.

"Another observation that my AP's MAC has two different addresses."
That is correct:
One MAC is the MAC transmitted by the AP
The second one is the MAC calculated and transmitted by hcxdumptool to retrieve its M2.
You'll see EAPOL: M1M2 or M2M3 or M3M4 if the CLIENT connected to your AP
You'll see EAPOL: M1M2ROGUE if the CLIENT connected to the MAC transmitted from hcxdumptool

Filtermode and filterlists do not have an impact on monitoring. Whether this filter options are in use or not does not have any influence on the reception. The filter is active only in transmission branch.
Reply
#10
I have two usb adapters, one with rtl8814au chip. This works ok with filtermode2, a could get my router AP hash w/o bothering my neighbors now. But this adapter doesn’t work in beacon mode, it shows tx power 0 dBm and PROTOCOL unassociated. I read about this issue in other forum thread. I tried to put it manually in to monitor mode, but this improves PROTOCOL only, it shos now 801.11b, but power is still 0dBm. My other adapter has mt7921u chip, it shows PROTOCOL 802.11 and power 3 dBm in beacon mode, but….. error driver is busy: failed to transmit.

Looks like both of this chips are not that good for hcxdumptool. Could you please advice some reliable two band 2.4/5 usb adapter. Thank you.
Reply