hcxdumptool - missing frames w/ filtering
do_targetscan does exactly the same as do_rca_scan, but it will not probe all APs in range. It only probes the target.
$ sudo hcxdumptool -i INTERFACE --do_rca_scan
you'll get a long list of APs and you'll see if they are in range (respond to our request) or not.

$ sudo hcxdumptool -i INTERFACE --do_target_scan
You'll get only responses from the target APs, and you'll see if it is in range (responds to our request) or not.
The target will not be under attack, and all frames other than its BEACON and PROBERESPONSE frames are ignored.

Both modes are designed to get an overview of possible targets and whether they are in transmit range. They are also very helpful to direct the antenna.


If you want to filter, you have either to use BPFC or filter_list_ap/client in combination with filter_mode and attack modes.
Code:
--bpfc=<file>                      : input kernel space Berkeley Packet Filter (BPF) code
                                     affected: incoming and outgoing traffic - that include rca scan
                                     steps to create a BPF (it only has to be done once):
                                      set hcxdumptool monitormode
                                       $ hcxdumptool -m <interface>
                                      create BPF to protect a MAC
                                       $ tcpdump -i <interface> not wlan addr3 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
                                       where addr3 protect ACCESS POINTs and addr2 protect CLIENTs
                                       recommended to protect own devices
                                      or create BPF to attack a MAC
                                       $ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
                                       it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
                                       or undirected frames
                                       $ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
                                       see man pcap-filter for a list of all filter options
                                      to use the BPF code
                                       $ hcxdumptool -i <interface> --bpfc=attack.bpf ...
                                     notice: this is a protect/attack, a capture and a display filter
--filtermode=<digit>               : user space filter mode for filter list
                                     mandatory in combination with --filterlist_ap and/or --filterlist_client
                                     affected: only outgoing traffic
                                     notice: hcxdumptool act as passive dumper and it will capture the whole traffic on the channel
                                     0: ignore filter list (default)
                                     1: use filter list as protection list
                                        do not interact with ACCESS POINTs and CLIENTs from this list
                                     2: use filter list as target list
                                        only interact with ACCESS POINTs and CLIENTs from this list
                                        not recommended, because some useful frames could be filtered out
                                     using a filter list doesn't have an affect on rca scan
                                     only for testing useful - devices to be protected should be added to BPF
                                     notice: this filter option will let hcxdumptool protect or attack a target - it is neither a capture nor a display filter
--filterlist_ap=<file or MAC>      : ACCESS POINT MAC or MAC filter list
                                     format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
                                     maximum entries 256
                                     run first --do_rcascan to retrieve information about the target
--filterlist_ap_vendor=<file>      : ACCESS POINT VENDOR  filter list by VENDOR
                                     format: 112233, 11:22:33, 11-22-33 # comment
                                     maximum entries 256
                                     run first --do_rcascan to retrieve information about the target
--filterlist_client=<file or MAC>  : CLIENT MAC or MAC filter list
                                     format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
                                     maximum entries 256
                                     due to MAC randomization of the CLIENT, it does not always work!
--filterlist_client_VENDOR=<file>  : CLIENT VENDOR filter list
                                     format: 112233, 11:22:33, 11-22-33 # comment
                                     maximum entries 256
                                     due to MAC randomization of the CLIENT, it does not always work!


--do_targetscan=<MAC_AP>           : same as do_rcascan - hide all networks, except target
                                     format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66

Please notice that modern CLIENTs use MAC randomization. That makes it unfeasible to filter them. If you set an AP filter (AP as target), it will not have an effect on CLIENTs that try to connect to hcxdumptool. You'll get M1M2ROGUE of them too (as long as you have not disabled CLIENT attacks).
It is not mandatory to attack an AP. Instead, you can attack only its CLIENTs. Most of them are weak (weaker than a hardened AP).



BTW:
That is information from hcxpcapngtool that the dump file is missing some frames - it is not an ERROR.
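The BPF "protect" filter above is shown for a single MAC. As an added example (not from ZerBea's post or from hcxdumptool itself), the script below builds the combined pcap-filter expression for a whole protect list of own devices, accepting the three MAC notations hcxdumptool's filter lists use and skipping malformed entries; the interface name and the sample MACs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of hcxdumptool. Builds a pcap-filter expression that
# excludes every own device both as addr3 (ACCESS POINT / BSSID) and addr2
# (CLIENT / transmitter), matching the protect.bpf recipe from the help text.
# Accepted entry formats: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66,
# optionally followed by a "# comment".

# normalize_mac MAC: print the MAC as lower-case colon-separated, or fail if
# it is not exactly 12 hex digits once separators are removed.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr -d ':-' | tr 'A-F' 'a-f')
    case "$hex" in
        ????????????) ;;          # exactly 12 characters
        *) return 1 ;;
    esac
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;  # any non-hex character
    esac
    printf '%s' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# protect_expr: read a filter list on stdin, print one combined expression
# ("not wlan addr3 X and not wlan addr2 X and not wlan addr3 Y ...").
protect_expr() {
    expr=""
    while IFS= read -r line || [ -n "$line" ]; do
        mac=${line%%#*}                          # drop trailing comment
        mac=$(printf '%s' "$mac" | tr -d ' \t')  # drop whitespace
        [ -z "$mac" ] && continue
        norm=$(normalize_mac "$mac") || { echo "skipping invalid entry: $mac" >&2; continue; }
        term="not wlan addr3 $norm and not wlan addr2 $norm"
        if [ -z "$expr" ]; then expr="$term"; else expr="$expr and $term"; fi
    done
    printf '%s\n' "$expr"
}

# Constructed sample protect list (invented MACs; the last line is deliberately invalid).
SAMPLE='112233445566 # laptop
AA-BB-CC-DD-EE-FF # phone
zz:zz:zz:zz:zz:zz # typo, will be skipped'

EXPR=$(printf '%s\n' "$SAMPLE" | protect_expr)
printf 'protect filter: %s\n' "$EXPR"
# To compile it (interface name is a placeholder), as in the help text:
#   tcpdump -i <interface> "$EXPR" -ddd > protect.bpf
#   hcxdumptool -i <interface> --bpfc=protect.bpf ...
```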


RE: hcxdumptool - missing frames w/ filtering - by ZerBea - 12-24-2022, 04:46 PM