do_targetscan does exactly the same as do_rca_scan, but it will not probe all APs in range. It only probes the target.
$ sudo hcxdumptool -i INTERFACE --do_rca_scan
You'll get a long list of APs and you'll see whether they are in range (respond to our request) or not.
$ sudo hcxdumptool -i INTERFACE --do_target_scan
You'll get only responses from the target AP and you'll see whether it is in range (responds to our request) or not.
The target will not be under attack, and all frames other than its BEACON and PROBERESPONSE frames are ignored.
Both modes are designed to get an overview of possible targets and whether they are in transmit range. They are also very helpful to direct the antenna.
If you want to filter, you have to use either BPFC or filter_list_ap/client in combination with filter_mode and attack modes.
Code:
--bpfc=<file> : input kernel space Berkeley Packet Filter (BPF) code
affected: incoming and outgoing traffic - that include rca scan
steps to create a BPF (it only has to be done once):
set hcxdumptool monitormode
$ hcxdumptool -m <interface>
create BPF to protect a MAC
$ tcpdump -i <interface> not wlan addr3 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
where addr3 protect ACCESS POINTs and addr2 protect CLIENTs
recommended to protect own devices
or create BPF to attack a MAC
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
or undirected frames
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
see man pcap-filter for a list of all filter options
to use the BPF code
$ hcxdumptool -i <interface> --bpfc=attack.bpf ...
notice: this is a protect/attack, a capture and a display filter
--filtermode=<digit> : user space filter mode for filter list
mandatory in combination with --filterlist_ap and/or --filterlist_client
affected: only outgoing traffic
notice: hcxdumptool act as passive dumper and it will capture the whole traffic on the channel
0: ignore filter list (default)
1: use filter list as protection list
do not interact with ACCESS POINTs and CLIENTs from this list
2: use filter list as target list
only interact with ACCESS POINTs and CLIENTs from this list
not recommended, because some useful frames could be filtered out
using a filter list doesn't have an affect on rca scan
only for testing useful - devices to be protected should be added to BPF
notice: this filter option will let hcxdumptool protect or attack a target - it is neither a capture nor a display filter
--filterlist_ap=<file or MAC> : ACCESS POINT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_ap_vendor=<file> : ACCESS POINT VENDOR filter list by VENDOR
format: 112233, 11:22:33, 11-22-33 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_client=<file or MAC> : CLIENT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
--filterlist_client_VENDOR=<file> : CLIENT VENDOR filter list
format: 112233, 11:22:33, 11-22-33 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
--do_targetscan=<MAC_AP> : same as do_rcascan - hide all networks, except target
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66
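As an added example (my own code, not part of hcxdumptool), a small Python helper that parses the filterlist_ap/filterlist_client file format shown above, applies the three --filtermode meanings, and flags list entries that are locally administered addresses, which is what randomized CLIENT MACs look like and why the help text says CLIENT filtering does not always work. The 256-entry limit and the three address formats come from the help text; the function names and the sample list are assumptions of this example.

```python
import re
from typing import Iterable

MAX_ENTRIES = 256  # maximum entries per filter list, as stated in the hcxdumptool help text


def normalize(entry: str, octets: int = 6) -> str:
    """Normalize one MAC (6 octets) or VENDOR/OUI (3 octets) entry to bare lowercase hex.
    Accepts the three formats in the help text: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66."""
    hexstr = entry.strip().lower().replace(":", "").replace("-", "")
    if not re.fullmatch(rf"[0-9a-f]{{{2 * octets}}}", hexstr):
        raise ValueError(f"bad filter entry: {entry!r}")
    return hexstr


def parse_filter_list(text: str, octets: int = 6) -> list:
    """Parse filterlist_* file contents: one entry per line, '#' starts a comment, blank lines ignored."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        entries.append(normalize(body, octets))
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"filter list exceeds {MAX_ENTRIES} entries")
    return entries


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet is set (locally administered address).
    Randomized CLIENT MACs are locally administered, so such list entries are unreliable."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)


def unreliable_entries(entries: Iterable[str]) -> list:
    """Entries that look like randomized CLIENT MACs and therefore may never match on air."""
    return [e for e in entries if is_locally_administered(e)]


def may_interact(mac: str, filtermode: int, macs: Iterable[str] = (), vendors: Iterable[str] = ()) -> bool:
    """Apply the --filtermode semantics from the help text to one address.
    macs/vendors are normalized entries (output of parse_filter_list); vendors match the OUI prefix.
    0: ignore the list; 1: protection list (skip listed); 2: target list (only listed)."""
    m = normalize(mac)
    listed = m in set(macs) or m[:6] in set(vendors)
    if filtermode == 0:
        return True
    if filtermode == 1:
        return not listed
    if filtermode == 2:
        return listed
    raise ValueError("filtermode must be 0, 1 or 2")


# Constructed sample list (not real devices): two APs and one locally administered entry.
SAMPLE_LIST = "11:22:33:44:55:66 # AP one\n112233445577\n\n02-aa-bb-cc-dd-ee # randomized-looking\n"
```

Running unreliable_entries over a client list before starting hcxdumptool shows which protection entries cannot be relied on; those devices should be protected with a BPF instead, as the help text recommends.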
Please notice that modern CLIENTs use MAC randomization. That makes it unfeasible to filter them. If you set an AP filter (AP as target), it will not have an effect on CLIENTs that try to connect to hcxdumptool. You'll get M1M2ROGUE of them too (as long as you have not disabled CLIENT attacks).
It is not mandatory to attack an AP. Instead, you can attack only its CLIENTs. Most of them are weak (weaker than a hardened AP).
BTW:
That is informational output from hcxpcapngtool telling you that the dump file is missing some frames - it is not an ERROR.