There are EAPOL messages from REASSOCIATION attack 20:48:05 2417/2 EAPOL:M1M2
There are EAPOL messages from attacks against CLIENT: 20:48:15 2427/4 EAPOL:M1M2ROGUE
There are PMKIDs 20:50:33 2412/1 PMKIDROGUE
There are PROBERESPONSEs on 5GHz band
We can assume that all attacks are working as expected (however, I recommend adding the --active_beacon option).
Unfortunately you received this ERROR message,
Code:
failed to read packet: Network is down
because hcxdumptool detected a broken socket.
That can be caused if another tool has access to the interface (in your case NetworkManager and wpa_supplicant).
That also can be caused when running in a VM:
https://github.com/ZerBea/hcxdumptool/issues/196
As ciccio17 mentioned above, you have to make sure that hcxdumptool has full access to the device. You have to stop all services that take access to the interface. That includes all services of the HOST (in case of running within a VM - which is not recommended), too.
To get more information, use --enable_status=95
Code:
--enable_status=<digit> : enable real-time display (waterfall)
only incoming traffic
each message is displayed only once at the first occurrence to avoid spamming the real-time display
bitmask:
0: no status (default)
1: EAPOL
2: ASSOCIATION and REASSOCIATION
4: AUTHENTICATION
8: BEACON and PROBERESPONSE
16: ROGUE AP
64: internal status (once a minute)
From --help:
Code:
$ hcxdumptool -h
hcxdumptool 6.2.5-5-gb29b655 (C) 2021 ZeroBeat
usage : hcxdumptool <options>
press ctrl+c to terminate hcxdumptool
press GPIO button to terminate hcxdumptool
hardware modification is necessary, read more:
https://github.com/ZerBea/hcxdumptool/tree/master/docs
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
do not run hcxdumtool on virtual machines or emulators
do not run hcxdumptool in combination with tools (channel hopper), that take access to the interface (except: tshark, wireshark, tcpdump)
do not use tools like machcanger, because hcxdumptool run its own MAC space and will ignore this changes
stop all this services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
BTW:
To allow packet injection on 5GHz band it is mandatory to set the wireless regulatory domain to a country code which allows this!
The default setting on most distributions will not allow it:
Code:
$ sudo iw reg get
global
country 00: DFS-UNSET
(2402 - 2472 @ 40), (N/A, 20), (N/A)
(2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
(2474 - 2494 @ 20), (N/A, 20), (N/A), NO-OFDM, PASSIVE-SCAN
(5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
(5250 - 5330 @ 80), (N/A, 20), (0 ms), DFS, AUTO-BW, PASSIVE-SCAN
(5490 - 5730 @ 160), (N/A, 20), (0 ms), DFS, PASSIVE-SCAN
(5735 - 5835 @ 80), (N/A, 20), (N/A), PASSIVE-SCAN
(57240 - 63720 @ 2160), (N/A, 0), (N/A)
versus, e.g.:
Code:
$ sudo iw reg set US
$ sudo iw reg get
global
country US: DFS-FCC
(2400 - 2472 @ 40), (N/A, 30), (N/A)
(5150 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW
(5250 - 5350 @ 80), (N/A, 23), (0 ms), DFS, AUTO-BW
(5470 - 5730 @ 160), (N/A, 23), (0 ms), DFS
(5730 - 5850 @ 80), (N/A, 30), (N/A), AUTO-BW
(5850 - 5895 @ 40), (N/A, 27), (N/A), NO-OUTDOOR, AUTO-BW, PASSIVE-SCAN
(57240 - 71000 @ 2160), (N/A, 40), (N/A)
Please read more here:
https://wiki.archlinux.org/title/Network...and_tricks