hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
Thank you for confirming the format / field order in 22000!  That makes me feel a lot better about the method I am using and confidence to remove the scripting I was doing with the older tools and formats.

(03-15-2020, 11:51 PM)ZerBea Wrote:
Also you should know, that hcxdumptool use randomized MACs as well as real MACs from received CLIENTs and received APs. It is a pretty good stealth feature to prevent counter measures against hcxdumptool, but will falsify the result of your count. Also keep in mind that filtering of CLIENTs is mostly useless if the CLIENT use randomized MACs.

I knew that hcxdumptool used random MACs but didn't know it would re-use captured MACs too, that is pretty great!  But I am extracting the MACS for EAPOL and PMKID separately, so I don't think that shouldn't be an issue right?  I'm sorting specifically for captured MACs on EAPOL and then for MACs on PMKID captures, so I should only be getting "genuine" MACs of attacked clients/aps.  To restate:
  • The WPA*01 lines are PMKID captures, so the AP MAC address in field 4 would be a genuine attack target, but the fifth field would either be a random one that hcxdumptool made up or be one from an AP that was captured earlier.  I'm not using the 5th field on these lines, so that's ok.
  • The WPA*02 lines are EAPOL captures, so the Client MAC address in field 5 would be a genuine attack target, but the fourth field would either be a random one that hcxdumptool made up or be one from a client that was captured earlier.  I'm not using the 4th field on these lines, so that's ok too.
  • There is a possibility that the captured Client (which would appear in WPA*02 field 5) could be generating it's own random MAC addresses (hello Android).  In which case, filtering/ignoring those client MACs previously captured wouldn't do much good because the client would just generate a new MAC on subsequent attacks anyway.  But other static MAC using devices would get filtered as desired.
(03-15-2020, 11:51 PM)ZerBea Wrote:
Additional hcxdumptool v6.0.2 has an option to run BPF code, which is much faster then the old filter modes.

I'm currently using 6.0.1 with both the "--filterlist_client" and "-filterlist_ap" switches. I know in older version BPF was used but I wasn't sure if I was formatting that right.  Looking at the changelog for 6.0.2, it looks like I would need to use tcpdump to create the new list. There is a 256 line limit on the current Client and AP filter lists.

  1. Any such restrictions or guidance when using BPF?
  2. Would I combine Client and AP macs into a single BPF?

Messages In This Thread
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by MrShannon - 03-17-2020, 01:48 AM