hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
(09-18-2019, 12:06 AM)ZerBea Wrote: $ git clone https://github.com/aircrack-ng/rtl8812au
$ cd rtl8812au
$ make
$ sudo insmod 88XXau.ko
The plug in the adapter and run hcxdumptool.

This is not persistent. If you need it persistent, use dkms as described here:
https://github.com/aircrack-ng/rtl8812au

Done. According to the attached image, it may happen that you do not capture due to lack of scope

.png   Screenshot from 2019-09-18 15-56-32.png (Size: 468.21 KB / Downloads: 4)
Reply
Looks like the interface wasn't set complete to monitor mode and / or packet injection isn't working like expected.
You can test packet injection running:
$ hcxpcaptool -i wlan1 --do_rcascan
-do_rcascan : show radio channel assignment (scan for target access points)
this can be used to test that ioctl() calls and packet injection is working
also it can be used to get information about the target
and to determine that the target is in range
use this mode to collect data for the filter list
run this mode at least for 2 minutes

If packet injection isn't working like expected, hcxdumptool will tell you this after 2 minutes otherwise you get an information how many access points are in attack range

Your command line isn't good. We are using a bitmask. That means you must add the values:

--enable_status=<digit> : enable real-time display (waterfall)
some messages ​​are shown only once at the first occurrence
bitmask:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATON
8: ASSOCIATION/REASSOCIATION
16: BEACON

That means if your real time display should print EAPOL and AUTHENTICATIONS, the correct value is 5 (1+4)
--enable_status=5
If you would like to see EAPOL and PROBEREQUEST/PROBERESPONSE the correct value is 3 (1+2)
--enable_status=3
To print EAPOL and PROBEREQUEST/PROBERESPONSE and AUTHENTICATON use 7 (1+2+4)
--enable_status=7
Reply
(09-18-2019, 10:41 PM)ZerBea Wrote: Looks like the interface wasn't set complete to monitor mode and / or packet injection isn't working like expected.
You can test packet injection running:
$ hcxpcaptool -i wlan1 --do_rcascan
-do_rcascan                      : show radio channel assignment (scan for target access points)
                                    this can be used to test that ioctl() calls and packet injection is working
                                    also it can be used to get information about the target
                                    and to determine that the target is in range
                                    use this mode to collect data for the filter list
                                    run this mode at least for 2 minutes

If packet injection isn't working like expected, hcxdumptool will tell you this after 2 minutes otherwise you get an information how many access points are in attack range

Your command line isn't good. We are using a bitmask. That means you must add the values:

--enable_status=<digit>            : enable real-time display (waterfall)
                                    some messages are shown only once at the first occurrence
                                    bitmask:
                                      1: EAPOL
                                      2: PROBEREQUEST/PROBERESPONSE
                                      4: AUTHENTICATON
                                      8: ASSOCIATION/REASSOCIATION
                                    16: BEACON

That means if your real time display should print EAPOL and AUTHENTICATIONS, the correct value is 5 (1+4)
--enable_status=5
If you would like to see EAPOL and PROBEREQUEST/PROBERESPONSE the correct value is 3 (1+2)
--enable_status=3
To print EAPOL and PROBEREQUEST/PROBERESPONSE and  AUTHENTICATON use 7 (1+2+4)
--enable_status=7

Obviously, packet injection does not work.
What may be happening. I have an Edimax AC600


Attached Files
.png   Screenshot from 2019-09-18 17-29-38.png (Size: 327.95 KB / Downloads: 3)
Reply
Maybe dmesg will give us an answer. Here is an example for an EDIMAX EW-7711UAN (mt7601u)
ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi

[ 2592.678152] mt7601u 1-1:1.0: ASIC revision: 76010001 MAC revision: 76010500
[ 2592.692959] mt7601u 1-1:1.0: Firmware Version: 0.1.00 Build: 7640 Build time: 201302052146____
[ 2593.103803] mt7601u 1-1:1.0: EEPROM ver:0d fae:00
[ 2593.104131] mt7601u 1-1:1.0: EEPROM country region 01 (channels 1-13)
[ 2593.309426] ieee80211 phy1: Selected rate control algorithm 'minstrel_ht'
[ 2593.309714] usbcore: registered new interface driver mt7601u
[ 2593.348899] mt7601u 1-1:1.0 wlp0s20f0u1: renamed from wlan0
...
here we started $ sudo hcxdumptool --check_driver -i wlp0s20f0u1
[ 2730.270596] device wlp0s20f0u1 entered promiscuous mode
here we terminated it
[ 2730.290500] device wlp0s20f0u1 left promiscuous mode

If everything's fine, your dmesg should look like this after the device was plugged in and hcxdumptool's driver check was started.

BTW:
The AC600 is running an old chipset
EDIMAX AC600: EW-7811UAC (RTL8811AU)
ID 7392:a812 Edimax Technology Co., Ltd
"The 8811 chipset uses 8821au, and both that and 8814au uses an old HAL (from v5.1.5) and will never be as good as 8812au has until realtek releases newer HAL's"
https://github.com/aircrack-ng/rtl8812au...-522223735

This device doesn't work well if plugged into an USB 3.x port (xhci issue).
Reply
Now I plugged in the same device into an USB 3.0 port and was hit by the kernel xhci issue in a very hard way:
[ 4651.606170] mt7601u 1-1:1.0: rx urb failed: -71
[ 4651.606203] mt7601u 1-1:1.0: rx urb failed: -71
[ 4651.606242] mt7601u 1-1:1.0: rx urb failed: -71
[ 4651.606281] mt7601u 1-1:1.0: rx urb failed: -71
[ 4651.606361] mt7601u 1-1:1.0: rx urb failed: -71
[ 4651.606441] mt7601u 1-1:1.0: rx urb failed: -71
[ 4651.606521] mt7601u 1-1:1.0: rx urb failed: -71
[ 4651.606601] mt7601u 1-1:1.0: rx urb failed: -71
[ 4651.606681] mt7601u 1-1:1.0: rx urb failed: -71
[ 4651.625556] mt7601u 1-1:1.0: Warning: TX DMA did not stop!
[ 4654.958505] mt7601u 1-1:1.0: Warning: MAC TX did not stop!
[ 4656.958502] mt7601u 1-1:1.0: Warning: MAC RX did not stop!
[ 4656.958509] mt7601u 1-1:1.0: Warning: RX DMA did not stop!
Reply
Helllo ZerBea and everybody that may be arround.
It has been a long time since I last conected (I was ill and couldnt. now Im getting better).
Just telling you that the secuence you sugested in pg45 worked very well.
So, I want to post a new question derived from there.
Once you have the WPA2, is there an easy way to get the WPS pin of that router?
Thanks in advance.

PS: I imagine that perhaps this is scarcely the appropiate threath for this Question. But I think that is a good Idea, once you have the WPA key to get the PIN cause it use not to be change so frecuently.
Reply
I forgot to say that once you have the WPS pin you can get the new WPA key quite easyly, in case it has been changed.
For instance using Dumper from windows OS
Reply
No, there is no easy way to retrieve the WPS pin and nearly all up to date router models are hardened against pixie dust.
You can try hydra if you have access to the network:
https://github.com/vanhauser-thc/thc-hydra
Reply
Hi ZerBea.
Man... You are a deep and full Well of Knowledge.
Im going to try this 'hydra'. For sure it works for some cases. I dont need it to work always.
So... Thanks again man
Reply
Hello. ZerBea, how activate gps in new hcxdumptool

sudo hcxdumptool -o 30oct.pcapng -i  wlx00156d72f392 --enable_status=1 --gps=/dev/ttyUSB0

interface is already in monitor mode
waiting up to 2 minutes seconds to get GPS fix

and nothing .......
Reply