"Running the hcxdumptool in default settings is pretty big violation against everyone around you (and i'm not even talking about the law here)."
I fully agree. In every thread, in every comment in every post, in --help and in README.md I mention that this tools are not designed to be used by beginners!
and:
If you decide to use hcxdumptool or hcxtools it is mandatory that you know what you are doing and to learn 802.11.
Also it is mandatory to read (and understand) README.md and --help before(!) you use hcxdumptool.
Unfortunately, no one seems to be reading this.
Everything is explained, e.g. the hardware modification (from help menu):
It is not "the usual networkmanager wpa_supplicant + if on raspbi conf etc".
This also is mentioned in README.md
If you choose option "--disable_deauthentication" hcxdumptool will not transmit DEAUTHENTICATION or DISASSOCIATION frames, because it is a stupid old school attack. To verify this, run Wireshark in parallel to monitor the traffic.
Please notice:
This option only disable injecting (stupid) DEAUTHENTICATION frames. There are better (and more effective ways) attack vectors.
DEAUTHENTICATION attack us useless if MFP is activated. It is also useless if DATA frames are transmitted and ACKed.
And it can be detected by e.g. hcxpcapngtool
or
If you do not want to attack APs:
If you don't want to attack CLIENTs:
Run as passive dumper:
will not throw off everyone
Get information about the target:
will not throw off everyone
Various filter options to select the target or to protect devices:
An example is here:
https://hashcat.net/forum/thread-10805-p...l#pid55471
The pcapng file is attached to the comment. You'll notice that only the target was attacked and nothing else.
I strongly recommend everyone who decide to use hcxdumptool to learn 802.11 and to learn the options.
By latest commit I added additional information (It is mandatory to set options tailored to the target!) to --help:
The book is from 2002 and a good reference to learn 802.11.
Last but not least (to mention it again):
If someone is a beginner or if he/she doesn't know what he/she is doing, it is not a good idea to run hcxdumptool/hcxtools, because hcxdumptool is an area weapon. Running it unconfigured it is acting like a jammer (similar to mdk3/mdk4).
I fully agree. In every thread, in every comment in every post, in --help and in README.md I mention that this tools are not designed to be used by beginners!
Code:
Warning
--------------
hcxdumptool is designed to be an analysis tool. This means that everything is requested/stored by default. Unwanted information must be filtered out later on, offline!
You must use hcxdumptool only on networks you have permission to do this, because:
* hcxdumptool is able to prevent complete wlan traffic
(depend on selected options)
* hcxdumptool is able to capture PMKIDs from access points (only one single PMKID from an access point required)
(use hcxpcapngtool to convert them to a format hashcat and/Or JtR understand)
* hcxdumptool is able to capture handshakes from not connected clients (only one single M2 from the client is required)
(use hcxpcapngtool to convert them to a format hashcat and/Or JtR understand)
* hcxdumptool is able to capture handshakes from 5/6GHz clients on 2.4GHz (only one single M2 from the client is required)
(use hcxpcapngtool to to a format hashcat and/Or JtR understand)
* hcxdumptool is able to capture passwords from the wlan traffic
(use hcxpcapngtool -E to save them to file, together with networknames)
* hcxdumptool is able to request and capture extended EAPOL (RADIUS, GSM-SIM, WPS)
(hcxpcapngtool will show you information about them)
* hcxdumptool is able to capture identities from the wlan traffic
(for example: request IMSI numbers from mobile phones - use hcxpcapngtool -I to save them to file)
* hcxdumptool is able to capture usernames from the wlan traffic
(for example: user name of a server authentication - use hcxpcapngtool -U to save them to file)
* Do not use a logical interface and leave the physical interface in managed mode
* Do not use hcxdumptool in combination with aircrack-ng, reaver, bully or other tools which take access to the interface
* Stop all services which take access to the physical interface (NetworkManager, wpa_supplicant,...)
* Do not use tools like macchanger, as they are useless, because hcxdumptool uses its own random mac address space
and:
Code:
Requirements
--------------
* knowledge of radio technology
* knowledge of electromagnetic-wave engineering
* detailed knowledge of 802.11 protocol
* detailed knowledge of key derivation functions
* detailed knowledge of Linux
If you decide to use hcxdumptool or hcxtools it is mandatory that you know what you are doing and to learn 802.11.
Also it is mandatory to read (and understand) README.md and --help before(!) you use hcxdumptool.
Unfortunately, no one seems to be reading this.
Everything is explained, e.g. the hardware modification (from help menu):
Code:
press GPIO button to terminate hcxdumptool
hardware modification is necessary, read more:
https://github.com/ZerBea/hcxdumptool/tree/master/docs
This also is mentioned in README.md
Code:
GPIO hardware mod recommended (push button and LED) on Raspberry Pi
If you choose option "--disable_deauthentication" hcxdumptool will not transmit DEAUTHENTICATION or DISASSOCIATION frames, because it is a stupid old school attack. To verify this, run Wireshark in parallel to monitor the traffic.
Please notice:
This option only disable injecting (stupid) DEAUTHENTICATION frames. There are better (and more effective ways) attack vectors.
DEAUTHENTICATION attack us useless if MFP is activated. It is also useless if DATA frames are transmitted and ACKed.
And it can be detected by e.g. hcxpcapngtool
Code:
Warning: too many deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER,
renew ANONCE and set PMKID to zero.
This could prevent to calculate a valid EAPOL MESSAGE PAIR
or to get a valid PMKID.
Code:
Warning: excessive number of deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER,
renew ANONCE and set PMKID to zero.
This could prevent to calculate a valid EAPOL MESSAGE PAIR
or to get a valid PMKID.
If you do not want to attack APs:
Code:
--disable_ap_attacks: do not attack access points
affected: connected clients and client-less (PMKID) attack
If you don't want to attack CLIENTs:
Code:
--disable_client_attacks: do not attack clients
affected: ap-less (EAPOL 2/4 - M2) attack
Run as passive dumper:
Code:
$ hcxdumptool -i INTERFACE --enable_status=95 --silent
Get information about the target:
Code:
$ hcxdumptool -i INTERFACE --do_rcascan
Various filter options to select the target or to protect devices:
Code:
--bpfc=<file> : input kernel space Berkeley Packet Filter (BPF) code
affected: incoming and outgoing traffic - that include rca scan
steps to create a BPF (it only has to be done once):
set hcxdumptool monitormode
$ hcxdumptool -m <interface>
create BPF to protect a MAC
$ tcpdump -i <interface> not wlan addr3 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
where addr3 protect ACCESS POINTs and addr2 protect CLIENTs
recommended to protect own devices
or create BPF to attack a MAC
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 -ddd > attack.bpf
it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
see man pcap-filter for a list of all filter options
to use the BPF code
$ hcxdumptool -i <interface> --bpfc=attack.bpf ...
notice: this is a protect/attack, a capture and a display filter
--filtermode=<digit> : user space filter mode for filter list
mandatory in combination with --filterlist_ap and/or --filterlist_client
affected: only outgoing traffic
notice: hcxdumptool act as passive dumper and it will capture the whole traffic on the channel
0: ignore filter list (default)
1: use filter list as protection list
do not interact with ACCESS POINTs and CLIENTs from this list
2: use filter list as target list
only interact with ACCESS POINTs and CLIENTs from this list
not recommended, because some useful frames could be filtered out
using a filter list doesn't have an affect on rca scan
only for testing useful - devices to be protected should be added to BPF
notice: this filter option will let hcxdumptool protect or attack a target - it is neither a capture nor a display filter
--filterlist_ap=<file or MAC> : ACCESS POINT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_ap_vendor=<file> : ACCESS POINT VENDOR filter list by VENDOR
format: 112233, 11:22:33, 11-22-33 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_client=<file or MAC> : CLIENT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
--filterlist_client_VENDOR=<file> : CLIENT VENDOR filter list
format: 112233, 11:22:33, 11-22-33 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
An example is here:
https://hashcat.net/forum/thread-10805-p...l#pid55471
The pcapng file is attached to the comment. You'll notice that only the target was attacked and nothing else.
I strongly recommend everyone who decide to use hcxdumptool to learn 802.11 and to learn the options.
By latest commit I added additional information (It is mandatory to set options tailored to the target!) to --help:
Code:
Run hcxdumptool -i interface --do_rcascan for at least 30 seconds, to get information about the target!
It is mandatory to set options tailored to the target!
The book is from 2002 and a good reference to learn 802.11.
Last but not least (to mention it again):
If someone is a beginner or if he/she doesn't know what he/she is doing, it is not a good idea to run hcxdumptool/hcxtools, because hcxdumptool is an area weapon. Running it unconfigured it is acting like a jammer (similar to mdk3/mdk4).