hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Hi taxil.
Tested your blacklist:
$ sudo hcxdumptool -i wlp39s0f3u4u5 -o test.pcap -s -B blacklistO.txt

start capturing (stop with ctrl+c)
INTERFACE: wlp39s0f3u4u5
MAC_AP...: e80410a4b6d2 (rogue access point)
MAC_STA..: fcc233d8e21e (rogue client)
INFO.....: cha=7, rcv=598, err=0

and it seems to be ok.

Are you sure that the client is deauthenticated / disassociated, or
does the client try to connect to the rogue access point?

If hcxdumptool retrieved a handshake for a network, it will stop sending deauthentications / disassociations.

There is no need to add all bssid+client+ssid pairs to the blacklist.
Only one combination is enough to stop deauthentications/disassociations on this network.

The client stores all attempts to connect to an ap and tries it again and again and again.

Does your client use randomized macs?

We can't stop the client trying to connect to us because of "MAC randomization".
We use a randomized mac, and most of the clients use a randomized mac.

start capturing (stop with ctrl+c)
INTERFACE: wlp39s0f3u4u5
MAC_AP...: 00182534639c (rogue access point)
MAC_STA..: fcc2333c3cf1 (rogue client)

Take a look at this example:
We start hcxdumptool against an Android 6 test client:

$ sudo hcxdumptool -i wlp39s0f3u4u5 -o test.pcap -s -t 60 -c 11
start capturing (stop with ctrl+c)
INTERFACE: wlp39s0f3u4u5
MAC_AP...: 00269f8920cf (rogue access point)
MAC_STA..: fcc23386b99d (rogue client)
[08:38:55] 00269f8920d0:f072cea7edfd:Testnetwork [HANDSHAKE]
terminated...

We used a randomized mac and the client used a randomized mac.
The client connected to us and we retrieved a handshake.
We stopped hcxdumptool.

Now we started hcxdumptool again.

$ sudo hcxdumptool -i wlp39s0f3u4u5 -o test.pcap -s -t 60 -c 11
start capturing (stop with ctrl+c)
INTERFACE: wlp39s0f3u4u5
MAC_AP...: 24bf747e299a (rogue access point)
MAC_STA..: fcc233144966 (rogue client)
[08:39:55] 00269f8920d0:a68e3357e491:Testnetwork [HANDSHAKE]
terminated...

As you can see, the client used a different mac
and tried to connect to us with the stored information from the last attempt to connect to us.

Now we restart the client (turn off / turn on the cell phone):
$ sudo hcxdumptool -i wlp39s0f3u4u5 -o test.pcap -s -t 60 -c 11
start capturing (stop with ctrl+c)
INTERFACE: wlp39s0f3u4u5
MAC_AP...: 0418b6d009f8 (rogue access point)
MAC_STA..: f0a2250bbd7b (rogue client)
[08:48:01] 0418b6d009f9:c35f72a6f9d3:Testnetwork [HANDSHAKE]

Now we have completely new mac addresses.

If you use hcxdumptool in an already discovered area (stationary at home), use option -D and -t 15 to get only the new clients.
If you discover a new area, run hcxdumptool -t 5 for a while to get handshakes from all APs with connected clients in range.

Please keep in mind:
hcxtools are analysis tools. That means we want the client to do something that it normally doesn't do (give us the content of its NVRAM, for example).
Therefore we must be a little bit aggressive.
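As an added example (not code from the post or from hcxtools), here is a small parser for the `[HH:MM:SS] apmac:stamac:essid [HANDSHAKE]` status lines quoted above; it flags client MACs whose locally-administered (U/L) bit is set, which is the pattern randomized MACs such as Android's produce, and groups the distinct client MACs seen per network. The log text is constructed from the lines in the post; the U/L bit is a heuristic, so a clear bit does not prove a burned-in address.

```python
import re
from collections import defaultdict

# Constructed sample in hcxdumptool's status-line format, modelled on the
# output quoted in the post above (not a real capture).
SAMPLE_LOG = """\
MAC_AP...: 00269f8920cf (rogue access point)
MAC_STA..: fcc23386b99d (rogue client)
[08:38:55] 00269f8920d0:f072cea7edfd:Testnetwork [HANDSHAKE]
[08:39:55] 00269f8920d0:a68e3357e491:Testnetwork [HANDSHAKE]
[08:48:01] 0418b6d009f9:c35f72a6f9d3:Testnetwork [HANDSHAKE]
terminated...
"""

# [HH:MM:SS] <ap mac>:<client mac>:<essid> [HANDSHAKE]
HANDSHAKE_RE = re.compile(
    r"^\[(\d\d:\d\d:\d\d)\] ([0-9a-f]{12}):([0-9a-f]{12}):(.*) \[HANDSHAKE\]$"
)


def is_locally_administered(mac_hex: str) -> bool:
    """True if the U/L bit (bit 1 of the first octet) is set.

    Randomized MACs (e.g. Android's) set this bit; OUI-assigned,
    burned-in MACs leave it clear."""
    return bool(int(mac_hex[:2], 16) & 0x02)


def parse_handshakes(text: str) -> list:
    """Extract every [HANDSHAKE] event, tagging whether the client MAC
    looks randomized."""
    events = []
    for line in text.splitlines():
        m = HANDSHAKE_RE.match(line.strip())
        if not m:
            continue  # interface / MAC_AP / MAC_STA / terminated lines
        ts, ap, sta, essid = m.groups()
        events.append({"time": ts, "ap": ap, "sta": sta, "essid": essid,
                       "sta_randomized": is_locally_administered(sta)})
    return events


def clients_per_network(events) -> dict:
    """Distinct client MACs per (AP MAC, ESSID); several distinct, locally
    administered MACs under one network is the MAC-randomization pattern."""
    groups = defaultdict(set)
    for e in events:
        groups[(e["ap"], e["essid"])].add(e["sta"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for e in parse_handshakes(SAMPLE_LOG):
        print(e["time"], e["essid"], e["sta"],
              "randomized" if e["sta_randomized"] else "not flagged")
```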


RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 04-26-2018, 10:32 AM