01-11-2022, 12:35 AM
Thank you both for your inputs evets97 and ZerBea. I am still learning much about this topic and would like to ask you more questions regarding hcxdumptool.
(01-10-2022, 11:16 AM)ZerBea Wrote: airodump-ng is a passive dumper (like tcpdump) that doesn't include any active attack vector.
hcxdumptool is an interactive tool that responds to the target and requests missing frames.
In other words, if I were to do the hostapd method of setting up a fake AP based on a client's probe and run hcxdumptool in another process, it would be better at getting half handshakes, as it would interact with the target instead of just running tcpdump/wireshark?
(01-10-2022, 11:16 AM)ZerBea Wrote: --stop_client_m2_attacks=<digit> : stop attacks against CLIENTS after 10 M2 frames received
affected: ap-less (EAPOL 2/4 - M2) attack
requires hcxpcapngtool --all option
If I specify --disable_client_attacks, this option is affected, correct?
If I do not specify --disable_client_attacks, is this the default behavior or is it --all_m2?
(01-10-2022, 11:16 AM)ZerBea Wrote: By option --all hcxpcapngtool will convert all these tries to a hc22000 hash file accepted by hashcat.
e.g.: If the PSK of the target is rosebud2021 and the user tried rosebud1, rosebud2, rosebud1900, rosebud2022, ... all these hashes are converted to the hash file.
This attack will only work if the target is a CLIENT.
Nice, so my assumption is most likely correct that the client constantly sending half handshakes is using a wrong/expired PSK on the AP.
(01-10-2022, 11:16 AM)ZerBea Wrote: hcxmactool (deprecated and will be removed soon, because I have good reasons to remove it) will do the conversion from hccapx to hc22000, but I do not recommend this. The quality of the hccapx file depends on the quality of the attack tool and the conversion tool. If one of these tools fails, you will waste your time.
It is much better to restart the attack and re-capture the traffic.
Understandable, thank you for the clarification.
(01-10-2022, 11:16 AM)ZerBea Wrote: By default, hcxdumptool is aggressive as hell and nothing is filtered: "Take what you can, give nothing back! (Jack Sparrow)"
Filtering must be done by additional options and/or later on, offline by hcxhashtool (which provides various filter options) after conversion to hc22000 by hcxpcapngtool (--all).
Please also notice that in principle, hcxdumptool/hcxtools do the same thing as the other WiFi tools, but the philosophy and the underlying engine are totally different.
These tools are designed to be analysis tools, and it takes a lot of experience (much more than running a simple script) to use them.
Yes and that is why I have been avoiding using hcxdumptool and instead rely on more "newbie" passive dumpers like airodump-ng and bettercap.
I tried hcxdumptool a couple of days ago with the following flags and somehow it still disconnected my machine from the network:
--disable_deauthentication --disable_client_attacks
I wanted AP attacks on to capture PMKID, but I still have no explanation as to why my machine got disconnected. If you could bring me some more insight as to what might have happened, I would appreciate it very much. Is there something besides the PMKID attack that occurs when AP attacks are enabled?
Lastly, I wanted to ask you if by specifying "--silent", hcxdumptool would act exactly like tcpdump/wireshark, and if I still have to specify the other flags like "--disable_deauthentication --disable_client_attacks --disable_ap_attacks" when using --silent?