Posts: 35
Threads: 3
Joined: Dec 2022
Using BPF, as per your own recommendations, which I read somewhere in GitHub discussions:
1.
Quote:If you know the AP MAC and the CLIENT MAC you can use a BPF. But be warned, all additional information from CLIENTs running MAC RANDOMIZATION is filtered out:
2.
Quote:Please notice:
Running your BPF will prevent you from seeing and capturing undirected probe requests from CLIENTs using MAC randomization.
You will lose this information:
evilsocket/pwnagotchi#835 (comment)
3.
Quote:I recommend to use the BPF as protection list to protect own APs, CLIENTs.
https://github.com/ZerBea/hcxdumptool/is...-717196085
Based on the above information, obligatory use of BPF will reduce the power of the dump/lab tools.
Maybe it is better to introduce a kind of user agreement: before using the tools, the user acknowledges that he understands all standards and … etc. After that, the user will need to type "yes" to continue.
Obviously this will not completely prevent misuse of the tools, but at least it provides a warning that misusing the tools could lead to violations of local laws. At the same time, this keeps the door open for seasoned researchers to use the full power of the tools.
Posts: 1,044
Threads: 2
Joined: Jun 2017
Good point. Thanks.
Now I did it this way:
Code:
$ sudo hcxdumptool -i wlp39s0f3u1u1u1 -c 1
initialization of hcxdumptool 6.2.7-44-g0fb0148 (depending on the capabilities of the device, this may take some time)...
BPF is unset. Make sure hcxdumptool is running in a 100% controlled environment!
start capturing (stop with ctrl+c)
...
Posts: 35
Threads: 3
Joined: Dec 2022
Very nice, as users tend not to read readme files.
As a next step, maybe some time in the future the tools could run in two modes only:
1. standard (recommended for most users). BPF is always on and the user must provide MAC addresses. The program will calculate and apply the BPF automatically, which keeps less experienced users from jamming all the neighborhood Wi-Fi.
2. advanced (for experienced users only). Full throttle, no limits.
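An added example (not hcxdumptool's own code) of the piece the proposed "standard mode" above, and the protection-list use of BPF quoted in the first post, would both need: turning a user-supplied list of own AP and CLIENT MACs into a libpcap filter expression that excludes those devices from capture. The MAC values are constructed, and the functions are hypothetical names chosen here.

```python
import re

# Constructed sample protection list (hypothetical MACs, not from the thread):
# our own AP and our own CLIENTs, in the mixed notations users actually type.
OWN_DEVICES = [
    "AA:BB:CC:DD:EE:01",  # own AP
    "aa-bb-cc-dd-ee-02",  # own CLIENT, dashes and lower case
    "AABB.CCDD.EE03",     # own CLIENT, Cisco dotted notation
    "AA:BB:CC:DD:EE:01",  # duplicate, must be collapsed
]


def is_valid_mac(mac: str) -> bool:
    """True if mac is 12 hex digits, optionally separated by ':', '-' or '.'."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    return re.fullmatch(r"[0-9a-fA-F]{12}", digits) is not None


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; raises on anything that is not a MAC,
    so a typo cannot silently leave one of our devices unprotected."""
    if not is_valid_mac(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def protection_filter(macs) -> str:
    """libpcap filter expression that drops every 802.11 frame whose receiver
    (addr1), transmitter (addr2) or BSSID (addr3) is a protected device."""
    protected = []
    for mac in macs:
        canon = normalize_mac(mac)
        if canon not in protected:  # keep order, drop duplicates
            protected.append(canon)
    if not protected:
        raise ValueError("protection list is empty: refusing to build an unrestricted filter")
    clauses = " or ".join(
        f"wlan addr1 {m} or wlan addr2 {m} or wlan addr3 {m}" for m in protected
    )
    return f"not ({clauses})"


if __name__ == "__main__":
    print(protection_filter(OWN_DEVICES))
```

The resulting expression is compiled with tcpdump, which is what the thread's author says hcxdumptool relies on (e.g. `tcpdump -i <wlan interface> -ddd '<expression>'`), and the compiled output is what gets handed to the tool.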
Posts: 1,044
Threads: 2
Joined: Jun 2017
"BPF is always on" is a little bit out of scope. To add this I would have to code a complete BPF compiler. Right now, I use the compiler from tcpdump.
Posts: 35
Threads: 3
Joined: Dec 2022
Today I have done testing for two scenarios:
1) "Office" - AP was on and all CLIENTs (corporate-level printer, Android 8 and 9 phones, 2x iPhones and iPad) were already connected to the AP. CLIENTs are within 1 meter of the AP.
2) "Safari" - everything was located as in Office, but the AP was off.
Scanner (VMware+_Kali+ACM+hcxlabgetmallpr) was located in the next room, about 3.5 meters away from the AP behind a double wall.
Results:
1) "Office": got a hash from the printer only. No hashes from the other connected CLIENTs.
2) "Safari": got hashes from all CLIENTs, and the real MAC from the printer and Android phones only.
Next step: build system-1/2 to compare with the current setup. Hopefully speed will help to get hashes from all CLIENTs in the "Office" environment too.
Posts: 1,044
Threads: 2
Joined: Jun 2017
Thanks for this additional information.
BTW:
Is the target ESSID in essidlist (--essidlist=) and is essidmax greater than the number of entries in essidlist (e.g. --essidmax=essidlist_entries + 1)?
Additionally, you can add more ESSIDs to this list (e.g. from NETWORKs which are stored in the known NETWORK list of your devices) to figure out if the CLIENTs try to connect to these ESSIDs, too.
What is your AP (router) model?
Is it vulnerable to a REASSOCIATION attack?
I got this bug report:
https://github.com/ZerBea/hcxdumptool/issues/246
It looks like this TP-Link Archer C6 disconnects all CLIENTs regardless of whether they are on ethernet or wireless. Then it becomes inaccessible for at least 2 minutes. I've never seen such behavior before.
Posts: 35
Threads: 3
Joined: Dec 2022
Quote:Is the target ESSID in essidlist (--essidlist=) and is essidmax greater than the number of entries in essidlist (e.g. --essidmax=essidlist_entries + 1)?
Yes, one entry in essidlist only, and essidmax=100.
Quote:Additionally, you can add more ESSIDs to this list (e.g. from NETWORKs which are stored in the known NETWORK list of your devices) to figure out if the CLIENTs try to connect to these ESSIDs, too.
Will try, thank you for the tip.
Quote:What is your AP (router) model?
Linksys E8450 AX3200
Quote:Is it vulnerable to a REASSOCIATION attack?
I don't know, please advise how and I will check it.
Quote:I got this bug report:
https://github.com/ZerBea/hcxdumptool/issues/246
It looks like this TP-Link Archer C6 disconnects all CLIENTs regardless of whether they are on ethernet or wireless. Then it becomes inaccessible for at least 2 minutes. I've never seen such behavior before.
My iPhone couldn't connect to the AP after the attack had already finished, even though my AP and the correct password were shown in the iPhone menu. I did "forget" network and retyped the password to connect; after that everything works ok.
Posts: 1,044
Threads: 2
Joined: Jun 2017
01-20-2023, 06:01 PM
(This post was last modified: 01-20-2023, 06:02 PM by ZerBea.)
The router itself becomes inaccessible for up to two minutes, and ping to ethernet clients failed with "request timeout" or "destination unreachable/network unreachable".
Looks like only Archers are affected, and hcxdumptool triggered this by injecting a standard REASSOCIATION packet (like a CLIENT will do after it left the ACCESS POINT for a short duration and wants to rejoin it again).
I noticed several reports facing the same/similar problem:
https://github.com/ZerBea/hcxdumptool/is...1398580308
Posts: 1,044
Threads: 2
Joined: Jun 2017
"My iPhone couldn't connect to the AP after the attack had already finished, even though my AP and the correct password were shown in the iPhone menu. I did "forget" network and retyped the password to connect; after that everything works ok."
This depends on the value of option m2attempt (m2attempt=2 should allow the CLIENT to reconnect to the router after hcxlabtool got 2 different EAPOL M2 MICs; starting with the third EAPOL M2 MIC, hcxdumptool ignores this CLIENT).
Posts: 35
Threads: 3
Joined: Dec 2022
Today I've tested RPi4 w/_Kali-32bit+ACM36+ powerbank 10000 mAh. Onboard HDMI, Bluetooth and WiFi are disabled on boot, scanning time 5 minutes:
1) "Office" (AP was ON): got hashlines from the printer, Android 8 and MS Surface 6. An obvious improvement over the VMware setup, when I got a hashline from the printer only.
2) "Safari" (AP was OFF): got hashlines from all CLIENTs.
Observations:
1) When the AP is OFF, the scanning channel must be exactly the same as before leaving (or switching off) the AP. Otherwise no traffic is captured. Looks like CLIENTs don't want to connect back to the hcxtools AP by essid only; the last known channel of the real AP must also be the same.
2) Difficulty of getting a hashline, from easiest to most difficult: corporate-class printer, Android 8, MS Surface 6, Android 9, MacBook Pro M1. No hashline from iPhone/iPads.
3) Most delicate was the iPhone SE iii: to reconnect it back to the AP after the attack (when the scanner was already off), I needed to restart, switch WiFi on and off, and retype the password many times. But no hashline was captured.
Trying now to play with Arch Linux, but compared to _Kali, Arch installation on RPi looks like real hardcore. They don't have a ready image to flash to SD. Are there any step-by-step instructions to install Arch on RPi for hcxtools? Please advise, thank you.