hcxdumptool - missing frames w/ filtering
Additional it is important how the filters are working:
filter_mode in combination with filter_list_ap/client is working in transmission branch, only. It does not affect the reception branch. If a CLIENT tried to connect to an AP, hcxdumptool receive the eg. the PMKID and show/store it (PMKID).
If the PMKID is a response to hcxdumptool's attack you'll see PMKIDROGUE.
The same applies to the 4way handshake:
M1M2ROGUE = hcxdumptool got an EAPOL M2 from the CLIENT (CLIENT respond to hcxdumptool M1)
M1M2 = hcxdumptool received an EAPOL M1 from AP and M2 from CLIENT (challenge)
M1M2M3 = hcxdumptool received an EAPOL M1 from AP and M2 from CLIENT (challenge) and authorization from AP
M1M2M3M4 =hcxdumptool received an EAPOL M1 from AP and M2 from CLIENT (challenge) and authorization from AP and authorization from CLIENT.

--filtermode=2 --filtelist_ap=aptargetmaclist.txt
only the target AP with its MAC in is under attack, but if a different AP is transmitting its PMKID to a connect attempt of its CLIENT, hcxdumptool will receive this, too (both of them are not under attack - but if the CLIENT tries to connect to hcxdumptool, it will answer and request the M2 of the CLIENT.
To prevent this you have to add --disable_client_attacks
or set stop CLIENT attacks to 1 or 2. In that case, the CLIENT will not notice that it was under attack.

If you don't want that the attack on an AP can be detected by tools like kismet, just set --disable_deauthentication and hcxdumptool will use the REASSOCIATION attack only. A tool that count DEAUTHENTICATIONs will now fail to detect an attack.

There is no simple way or proof of concept how to perform an attack, because it varies from AP to AP and from CLIENT to CLIENT and from VENDOR to VENDOR.
I suggest to run Wireshark in parallel and see what's going on on the channel. Than play with the options and combinations of options to find out which is the best one working against this target. If it works against this target,don't be sure it will work on a different target, too.
My testing environment:
low power WiFI device (10mW) powered into a dummy load antenna
target router and target target client close to the device
additional WiFi adapter to receive traffic on the channel by Wireshark

It's also interesting to see what's happening if you turned of the router and put the target ESSID in --essidlist and set --active_beacon (just look for M1M2ROGUE).

Running hcxdumptool it is counterproductive to use a high power WiFi device. A lower power device in combination with a panel antenna is the far better option.

Messages In This Thread
RE: hcxdumptool - missing frames w/ filtering - by ZerBea - 12-24-2022, 06:50 PM