Half Handshake Tools?
#5
"In other words, if I were to do the hostapd method of setting up a fake AP based on a client's probe and run hcxdumptool in another process, it would be better in getting half handshakes as it would interact with the target instead of just running tcpdump/wireshark?"
Depending on options (like active_beacon and essidlist) and filters in the transmission branch, hcxdumptool will interact with all CLIENTs.
Do not run hcxdumptool in combination with other tools (except Wireshark or tshark).

"If I specify --disable_client_attacks, this option is affected correct?"
Yes

"If I do not specify --disable_client_attacks, is this the default behavior or is it --all_m2?"
In that case hcxdumptool will stop attacks against CLIENTs after 10 M2 frames have been received.

"Nice, so my assumption is most likely correct that the client constantly sending half handshakes is using a wrong/expired PSK on the AP."
Yes, but you need an attack vector which is fast enough to respond to all requests.

"I tried hcxdumptool a couple of days ago with the following flags and somehow it still disconnected my machine from the network:
--disable_deauthentication --disable_client_attacks"
For sure, hcxdumptool will do that. Stupid injection of DEAUTHENTICATION frames is an old-school attack vector, and you can disable it with --disable_deauthentication.
Hcxdumptool provides some new sophisticated and intelligent attacks to retrieve a 4-way handshake and/or a PMKID. These attacks are not disabled by --disable_deauthentication --disable_client_attacks.
They are very effective, work against Protected Management Frames (PMF) too, and are difficult to detect.
In case of this attack vector it is not hcxdumptool that disconnects all CLIENTs. It is the AP itself!!!

"I wanted AP attacks on to capture PMKID, but I still have no reason as to why my machine got disconnected. If you could bring me some more insight as to what might have happened I would appreciate it very much. Is there something besides PMKID attack that occurs when AP attacks are enabled?"
Looks like the target APs are vulnerable to this sophisticated attack vector, as mentioned above.

"Lastly I wanted to ask you if by specifying "--silent", hcxdumptool would act exactly as tcpdump/wireshark, and if I still have to specify the other flags like "--disable_deauthentication --disable_client_attacks --disable_ap_attacks" when using --silent?"
Running silent, hcxdumptool will act like a passive dumper (e.g. Wireshark, tshark). It includes all options that partly disable transmissions.

Please also take a look at the options which tell hcxdumptool when to stop an attack and when to resume it.

Also please take a look at the two filter methods:
1) filtermode in combination with filter lists, which work in the transmission branch only
2) Berkeley Packet Filter code, which works in the receive and/or transmission branch; MACs can be specified as well as all kinds of frame types on which hcxdumptool should act.
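The thread turns on two observable symptoms: a CLIENT that keeps answering M1 with M2 but never gets an M3 (the wrong/expired PSK case), and CLIENTs being disconnected by the AP. The following is an added example, not code from hcxdumptool or from this thread, showing how a defender monitoring a WLAN can pick both out of a frame capture: it parses EAPOL-Key frames from raw 802.11 data frames, classifies them as M1..M4 from the Key Information bits, and reports stations whose handshakes never progress past M2, plus deauthentication bursts. The frames in SAMPLE_FRAMES are constructed inline for the demonstration (no radiotap header, no FCS, no 4-address frames); the thresholds and the MAC addresses are assumptions.

```python
"""Spot clients that never get past EAPOL M2 (half handshakes) and deauth bursts.

Added example for this thread; it is not part of hcxdumptool or the forum post.
Frames are raw 802.11 without radiotap header or FCS. SAMPLE_FRAMES is
constructed inline; in practice frames would come from a monitor-mode pcap.
"""
import struct
from collections import defaultdict

# EAPOL-Key "Key Information" bits used to tell M1..M4 apart
KEY_INFO_PAIRWISE = 0x0008
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK = 0x0080
KEY_INFO_MIC = 0x0100
KEY_INFO_SECURE = 0x0200
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP, ethertype 0x888E


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def classify(frame):
    """Return ("deauth" | "M1".."M4", ap_mac, client_mac), or None for other frames."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x03, fc0 >> 4
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == 0 and subtype == 12:                # management / deauthentication
        ap = addr3                                  # BSSID
        client = addr1 if addr2 == ap else addr2    # the non-AP side of the frame
        return ("deauth", ap, client)
    if ftype != 2:                                  # only data frames carry EAPOL
        return None
    hdr_len = 26 if subtype & 0x08 else 24          # QoS data adds a 2-byte QoS control field
    if frame[hdr_len:hdr_len + 8] != LLC_SNAP_EAPOL:
        return None
    eapol = frame[hdr_len + 8:]
    if len(eapol) < 7 or eapol[1] != 3:             # EAPOL packet type 3 = EAPOL-Key
        return None
    key_info = struct.unpack(">H", eapol[5:7])[0]   # [4] is the descriptor type
    ack, mic = key_info & KEY_INFO_ACK, key_info & KEY_INFO_MIC
    install, secure = key_info & KEY_INFO_INSTALL, key_info & KEY_INFO_SECURE
    if ack and not mic:
        msg = "M1"
    elif mic and not ack and not secure:
        msg = "M2"
    elif ack and mic and install:
        msg = "M3"
    elif mic and not ack and secure:
        msg = "M4"
    else:
        return None
    if fc1 & 0x01:                                  # ToDS: client -> AP
        return (msg, addr1, addr2)
    if fc1 & 0x02:                                  # FromDS: AP -> client
        return (msg, addr2, addr1)
    return None                                     # ad-hoc / 4-address frames not handled


def analyse(frames, half_threshold=3, deauth_threshold=5):
    """Return findings as (kind, ap, client, count) tuples; thresholds are assumptions."""
    handshakes = defaultdict(lambda: {"M1": 0, "M2": 0, "M3": 0, "M4": 0})
    deauths = defaultdict(int)
    for frame in frames:
        result = classify(frame)
        if result is None:
            continue
        kind, ap, client = result
        key = (ap.hex(":"), client.hex(":"))
        if kind == "deauth":
            deauths[key] += 1
        else:
            handshakes[key][kind] += 1
    findings = []
    for (ap, client), counts in handshakes.items():
        if counts["M2"] >= half_threshold and counts["M3"] == 0:   # M2 answered, never confirmed
            findings.append(("repeated-half-handshake", ap, client, counts["M2"]))
    for (ap, client), count in deauths.items():
        if count >= deauth_threshold:
            findings.append(("deauth-burst", ap, client, count))
    return findings


def build_eapol_key(ap, client, to_ds, key_info, replay):
    """Constructed test data: minimal 802.11 data frame carrying one EAPOL-Key message."""
    fc1 = 0x01 if to_ds else 0x02
    addr1, addr2 = (ap, client) if to_ds else (client, ap)
    hdr = struct.pack("<BBH6s6s6sH", 0x08, fc1, 0, addr1, addr2, ap, 0)
    # descriptor type 2 (RSN), key info, key length, replay counter, then zeroed
    # nonce/IV/RSC/ID/MIC fields and an empty key-data field
    body = struct.pack(">BHHQ", 2, key_info, 16, replay) + bytes(32 + 16 + 8 + 8 + 16) + b"\x00\x00"
    return hdr + LLC_SNAP_EAPOL + struct.pack(">BBH", 2, 3, len(body)) + body


def build_deauth(ap, client, reason=7):
    """Constructed test data: deauthentication frame sent by the AP to a client."""
    return struct.pack("<BBH6s6s6sH", 0xC0, 0x00, 0, client, ap, ap, 0) + struct.pack("<H", reason)


AP, GOOD, BAD = mac("02:00:00:00:aa:01"), mac("02:00:00:00:c1:01"), mac("02:00:00:00:c1:02")
M1 = KEY_INFO_PAIRWISE | KEY_INFO_ACK
M2 = KEY_INFO_PAIRWISE | KEY_INFO_MIC
M3 = KEY_INFO_PAIRWISE | KEY_INFO_ACK | KEY_INFO_MIC | KEY_INFO_INSTALL | KEY_INFO_SECURE
M4 = KEY_INFO_PAIRWISE | KEY_INFO_MIC | KEY_INFO_SECURE

SAMPLE_FRAMES = [  # GOOD completes a full 4-way handshake
    build_eapol_key(AP, GOOD, False, M1, 1), build_eapol_key(AP, GOOD, True, M2, 1),
    build_eapol_key(AP, GOOD, False, M3, 2), build_eapol_key(AP, GOOD, True, M4, 2),
]
for replay in range(1, 5):  # BAD answers every M1 with M2 but never sees M3 (wrong/expired PSK)
    SAMPLE_FRAMES += [build_eapol_key(AP, BAD, False, M1, replay), build_eapol_key(AP, BAD, True, M2, replay)]
SAMPLE_FRAMES += [build_deauth(AP, BAD) for _ in range(6)]  # and the AP keeps kicking it off

if __name__ == "__main__":
    for finding in analyse(SAMPLE_FRAMES):
        print(finding)
```

Running the script prints one `repeated-half-handshake` finding for the station that never gets an M3 and one `deauth-burst` finding for the same station; the completed handshake produces nothing. To apply it to a real capture, feed `analyse()` the 802.11 payloads of a pcap after stripping the radiotap header, and tune the two thresholds to the size of the network.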
Messages In This Thread
Half Handshake Tools? - by CyberPentester - 01-10-2022, 02:51 AM
RE: Half Handshake Tools? - by evets97 - 01-10-2022, 08:58 AM
RE: Half Handshake Tools? - by ZerBea - 01-10-2022, 11:16 AM
RE: Half Handshake Tools? - by CyberPentester - 01-11-2022, 12:35 AM
RE: Half Handshake Tools? - by ZerBea - 01-11-2022, 01:39 PM
RE: Half Handshake Tools? - by CyberPentester - 09-20-2022, 12:50 AM
RE: Half Handshake Tools? - by ZerBea - 09-20-2022, 08:13 AM
RE: Half Handshake Tools? - by CyberPentester - 09-20-2022, 02:23 PM
RE: Half Handshake Tools? - by ZerBea - 09-20-2022, 05:40 PM
RE: Half Handshake Tools? - by CyberPentester - 09-20-2022, 08:12 PM
RE: Half Handshake Tools? - by ZerBea - 09-21-2022, 08:50 AM
RE: Half Handshake Tools? - by CyberPentester - 09-21-2022, 03:09 PM
RE: Half Handshake Tools? - by ZerBea - 09-21-2022, 05:34 PM
RE: Half Handshake Tools? - by CyberPentester - 09-21-2022, 07:16 PM
RE: Half Handshake Tools? - by ZerBea - 09-22-2022, 08:23 AM