Please keep in mind: hcxdumptool/hcxtools are designed as analysis tools. They are not designed to attack a single network!
Example:
For a penetration tester, it is important to be able to estimate the success rate of a rogue CLIENT!
If a CLIENT tries to connect to a network (network_name), we are able to (will) discover all his attempts:
MIC:MAC_AP:rogue_MAC_STA:network_name:password
MIC:MAC_AP:rogue_MAC_STA:network_name:12345678
MIC:MAC_AP:rogue_MAC_STA:network_name:123456789
MIC:MAC_AP:rogue_MAC_STA:network_name:password123
MIC:MAC_AP:rogue_MAC_STA:network_name:trialpassword_x
MIC:MAC_AP:rogue_MAC_STA:network_name:trialpassword_n
Another example:
A CLIENT tries to connect to a network using an outdated PSK. We captured a PMKID and his M2 (not authorized):
MIC:MAC_AP:MAC_STA:network_name:password_outdated
PMKID:MAC_AP:MAC_STA:network_name:password_new
For a penetration tester, this information is very useful, too. He is able to identify this CLIENT, who has left the company and tries to get access to the NETWORK running an old PSK or has stolen an old PSK.
And my favorite example:
The CLIENT made a typo (hit ENTER too early)
MIC:MAC_AP:MAC_STA:network_name:password12
PMKID:MAC_AP:MAC_STA:network_name:password1234
Incomplete PSK found via wordlist - random hit.
Real PSK found after thinking about the random hit and running hashcat -i -a 3 password12?d?d?d?d
That is what I call the magic of an unauthorized M2.
Maybe these examples help to understand the goal of hcxtools a little bit better.
BTW:
The latest hcxpcapngtool checks for the absence of such informative frames and informs you:
$ hcxpcapngtool test.cap
reading from test.cap...
summary capture file
file name................................: test.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 01.02.2020 09:11:32
timestamp maximum (GMT)..................: 01.02.2020 09:11:32
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 3
BEACON (total)...........................: 1
PMK (zeroed).............................: 1
EAPOL messages (total)...................: 2
EAPOL RSN messages.......................: 2
ESSID (total unique).....................: 1
EAPOLTIME gap (measured maximum usec)....: 1006
EAPOL M1 messages........................: 1
EAPOL M2 messages........................: 1
EAPOL pairs (total)......................: 1
EAPOL pairs (best).......................: 1
EAPOL M12E2..............................: 1
PMKID (total)............................: 1
Warning:
This dump file contains no important frames like
proberequest, authentication, association or reassociation.
That makes it hard to recover the PSK!
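The three readings above (a client spraying guesses, a client with an outdated PSK, a client that hit ENTER too early) can be applied mechanically once hashcat has cracked the lines. The script below is an added example, not hcxtools or hashcat code: it parses hash lines in the hashcat 22000 layout that hcxpcapngtool writes (`WPA*01*PMKID*MAC_AP*MAC_STA*ESSID***` and `WPA*02*MIC*MAC_AP*MAC_STA*ESSID*NONCE_AP*EAPOL*MESSAGEPAIR`), treats a MESSAGEPAIR whose low three bits are 0 (M1+M2, EAPOL from M2) as the "not authorized" M2 of the post and everything else (including a PMKID, which the AP computes with its own PMK) as confirmed by the AP, and groups cracked hashes per client. The MAC addresses, MIC/PMKID values, nonce, EAPOL bytes and the hash-to-password mapping are constructed placeholders standing in for a potfile; the threshold of three distinct wrong guesses for "rogue client" and the `?d?d?d?d` mask length are my assumptions.

```python
"""Classify cracked WPA hash lines the way the post reasons about them.

Added example, not hcxtools/hashcat code. Reads 22000 hash lines plus a
hash -> recovered-password mapping (what a hashcat potfile gives you; here
constructed inline) and applies the post's three per-client heuristics.
"""
from collections import defaultdict


def parse_22000(line):
    """Split one hashcat 22000 hash line into a dict; raise on anything else."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a 22000 hash line: %r" % line)
    rec = {
        "kind": "PMKID" if f[1] == "01" else "MIC",
        "hash": f[2].lower(),
        "ap": f[3].lower(),
        "sta": f[4].lower(),
        "essid": bytes.fromhex(f[5]).decode("utf-8", "replace"),
    }
    if rec["kind"] == "MIC":
        # MESSAGEPAIR bits 0-2 (hashcat's 22000 description): 0 = M1+M2 with the
        # EAPOL taken from M2. The client proved it knows *a* PSK; the AP never
        # confirmed it. Any other value is an authorized pair.
        rec["authorized"] = (int(f[8], 16) & 0x7) != 0
    else:
        # The PMKID in M1 is computed by the AP from its own PMK, so a cracked
        # PMKID always reflects the PSK the AP currently runs.
        rec["authorized"] = True
    return rec


def suggest_mask(partial, extra=4, charset="?d"):
    """Mask for 'hashcat -i -a 3' that extends a partial hit, as in the post."""
    return partial + charset * extra


def analyze(lines, cracked):
    """Return {(ap, sta, essid): verdict} for every client with cracked hashes."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_22000(line)
        pw = cracked.get(rec["hash"])
        if pw is not None:
            by_client[(rec["ap"], rec["sta"], rec["essid"])].append((rec, pw))

    verdicts = {}
    for key, items in by_client.items():
        ap_psks = {pw for rec, pw in items if rec["authorized"]}
        client_psks = {pw for rec, pw in items if not rec["authorized"]}
        wrong = client_psks - ap_psks          # PSKs only the client ever used
        if not wrong:
            verdicts[key] = "ok: only PSKs the AP accepted"
        elif len(wrong) >= 3:                  # assumed threshold for "spraying"
            verdicts[key] = "rogue client: %d distinct guesses %s" % (
                len(wrong), sorted(wrong))
        elif not ap_psks:
            # Unauthorized M2 cracked, AP side still unknown: extend the hit.
            w = sorted(wrong)[0]
            verdicts[key] = "unconfirmed hit %r; try: hashcat -i -a 3 %s" % (
                w, suggest_mask(w))
        else:
            real, w = sorted(ap_psks)[0], sorted(wrong)[0]
            if real.startswith(w):
                verdicts[key] = "typo: client sent %r, AP runs %r" % (w, real)
            else:
                verdicts[key] = "outdated PSK: client sent %r, AP runs %r" % (w, real)
    return verdicts


# Constructed sample data (placeholders, not captured frames).
ESSID = "6e6574776f726b5f6e616d65"   # hex of "network_name"
NONCE = "11" * 32
EAPOL = "0103007502010a00" + "00" * 12
AP, ROGUE, OLD, TYPO = "aabbccddeeff", "112233445566", "665544332211", "0a0b0c0d0e0f"


def m2_line(mic, sta, messagepair="00"):
    return "WPA*02*%s*%s*%s*%s*%s*%s*%s" % (mic, AP, sta, ESSID, NONCE, EAPOL, messagepair)


def pmkid_line(value, sta):
    return "WPA*01*%s*%s*%s*%s***" % (value, AP, sta, ESSID)


HASHES = [m2_line("a1" * 16, ROGUE), m2_line("a2" * 16, ROGUE), m2_line("a3" * 16, ROGUE),
          m2_line("a4" * 16, ROGUE), m2_line("b1" * 16, OLD), pmkid_line("b2" * 16, OLD),
          m2_line("c1" * 16, TYPO), pmkid_line("c2" * 16, TYPO),
          m2_line("d1" * 16, "0d0d0d0d0d0d", "02")]
CRACKED = {"a1" * 16: "password", "a2" * 16: "12345678", "a3" * 16: "123456789",
           "a4" * 16: "password123", "b1" * 16: "password_outdated",
           "b2" * 16: "password_new", "c1" * 16: "password12",
           "c2" * 16: "password1234", "d1" * 16: "password1234"}

if __name__ == "__main__":
    for (ap, sta, essid), verdict in analyze(HASHES, CRACKED).items():
        print("%s -> %s (%s): %s" % (sta, ap, essid, verdict))
```

Run it as-is to see the four verdicts; to use it on a real capture, feed it the lines from `hcxpcapngtool -o hash.22000 ...` and build `CRACKED` from the `hash:password` pairs hashcat shows for that file. The `-i -a 3` suggestion only reproduces the post's step for the case where the unauthorized M2 cracked but nothing from the AP side did; which charset and how many extra positions to try is a judgment call.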