hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
#58
hcxtools and "cleaned caps"

First of all: It's a good idea to take a look into a wlandump-ng / wlanresponse cap to learn about 802.11x and the authentication process.

But it's not a good idea to use wpaclean or simple Wireshark filters on these caps.
Unless you do not know what you are doing, that will fail.

hcxtools aren't stupid deauth tools. Instead of sending tons of deauth frames, they will go directly into the authentication process by sending their own proberesponses, associationresponses, re-associationresponses, anonces and ack frames.
And they are doing this faster than the regular access point (ap).

If you decide to clean the cap by hand, you must know which packets belong to the wlandump-ng association and which packets belong to the ap association. They are totally mixed in the cap!
Using the wrong Wireshark filter, you will not be able to see this!

Do not trust beacons and proberesponses in hcxtools caps!
hcxtools captures beacons and proberesponses, redirects them or transmits fake beacons and proberesponses, transmits fake MACs using fake or captured original MACs. hcxtools also uses real or fake vendor identifications (oui).

Trust only in associationrequests - responses, re-associationrequests - responses, followed by ack frames and anonces / snonces followed by ack frames! Nevertheless, a captured wlandump-ng forced handshake is valid and 100% crackable!

Also you can trust proberequests from the clients (directed to mac_ap - or undirected to broadcast). They often contain passwords and / or plainmasterkeys. But keep in mind that some devices will transmit their passwords / plainmasterkeys only once a day or once a week (mainly S.M.A.R.T devices).

Do not trust timestamps between packets!
hcxtools disables all eapol-timers. That means a wlandump-ng forced message pair
M1 transmitted at 07:00 pm
M2 received at 07:10 pm
is valid and 100% crackable!


Messages In This Thread
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 09-14-2017, 05:58 PM