New attack on WPA/WPA2 using PMKID
Hi slyexe.
Do you use the latest commit? I did a complete refactoring. The Raspberry PI A+, B+ is able to handle 4096 access points and/or 4096 clients simultaneously in a very fast way.
"This thing is so fast it can pick up car APs before they are out of range if you're not careful"
I'll do some more tests, maybe we can increase this value.
I also got some feature requests to handle beacons and networks using beacons with hidden ESSIDs, and implemented it. The refactoring was also necessary to handle WPA3 in future times. Next step is to handle Protected Management Frames (PMF). They are part of WPA3. Deauthentication attacks against these networks are useless so we have to add a new attack vector. The disassociation attack vector (EAPOL 4/4) will still work, because it's done before the access point activates PMF. (BTW: If we run this attack continuously, the client is no longer able to connect to his access point).
Also I added a feature to mask our authentication request. Now you can choose a VENDOR information which hcxdumptool adds to the authentication.

New features:
improved rcascan (show time and access points which hide their ESSID)
prepare detection of PMF
refactored access point handling
handle 4096 access points simultaneously
refactored client handling
handle 4096 clients simultaneously
speed up retrieving PMKIDs (< 1 minute)
attack access points which hide their ESSID
increased filter list line length
increased filter list maximum entries
added option to show beacons in status output:
--enable_status=<digit>: enable status messages

added option to choose station VENDOR information:
--station_vendor=<digit>: use this VENDOR information for station
0: transmit no VENDOR information (default)
1: Broadcom
2: Apple-Broadcom
3: Sonos

Do not wonder about many authentication frames in your capture file. We store all frames with length greater than default payload (6 bytes) to retrieve more VENDOR information.
You can identify them with Wireshark (filter: wlan.fc.type_subtype == 0x0b)
We are not interested in the default value:
Fixed parameters (6 bytes)
But we are interested in additional VENDOR information. So please right click on this field:
Tag: Vendor Specific: Broadcom
and do a "copy as a Hex Stream"

If you got some new VENDOR information, please post it here. I'll add it to hcxdumptool.
Please upload your uncleaned pcapng (cap, pcap, .gz) files also to They are useful for analysis. You can compress them with gzip; hcxtools supports gzip compressed files. As a nice gift, you will receive the PSK, if wpa-sec is able to recover it (service is free and results will be included in hcxtools/hcxdumptool and hashcat. Nonce-error-corrections, hashmode 2501, PMKID attack vector are some examples for that procedure, a.k.a. Intelligence Cycle).
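
The authentication-frame layout described in the post above (6 bytes of fixed parameters, optionally followed by vendor-specific tags), as an added example that is not part of the original post or of hcxdumptool: a Python parser that lists the vendor-specific elements in a frame body taken from your own capture. The function names and both sample bodies are constructed for illustration.

```python
import struct

FIXED_LEN = 6            # auth algorithm, sequence number, status code (2 bytes each)
VENDOR_SPECIFIC = 0xDD   # element ID 221, shown as "Tag: Vendor Specific"

def parse_auth_body(body):
    """Split an authentication frame body into fixed parameters and elements."""
    if len(body) < FIXED_LEN:
        raise ValueError("body shorter than the 6 fixed bytes")
    algorithm, sequence, status = struct.unpack_from("<HHH", body, 0)
    elements, pos = [], FIXED_LEN
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated element header at offset %d" % pos)
        eid, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError("element %d runs past the end of the frame" % eid)
        elements.append((eid, data))
        pos += 2 + length
    return {"algorithm": algorithm, "sequence": sequence,
            "status": status, "elements": elements}

def vendor_elements(body):
    """Return OUI and full hex (ID + length + data) of each vendor-specific element."""
    found = []
    for eid, data in parse_auth_body(body)["elements"]:
        if eid != VENDOR_SPECIFIC:
            continue
        # A well-formed vendor element starts with a 3-byte OUI.
        oui = ":".join("%02x" % b for b in data[:3]) if len(data) >= 3 else None
        found.append({"oui": oui,
                      "hex": bytes([eid, len(data)]).hex() + data.hex()})
    return found

# Constructed sample bodies (not taken from a real capture).
PLAIN_AUTH = bytes.fromhex("000001000000")   # open system, seq 1, status 0
VENDOR_AUTH = PLAIN_AUTH + bytes.fromhex("dd09001018020000100000")  # OUI 00:10:18

if __name__ == "__main__":
    for body in (PLAIN_AUTH, VENDOR_AUTH):
        print(len(body), "bytes:", vendor_elements(body))
```

A body of exactly 6 bytes is the default case the post says is not interesting; anything longer is where the extra elements show up.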
(09-03-2018, 06:10 PM)diegodieguex Wrote: maybe this help

whoismac -p 69d4ec91a19657d64d4ccc869c229bbe*9e3dcf272236*f0a225dab76d*53696c7665724d61676e6f6c6961

ESSID..: SilverMagnolia
MAC_AP.: 9e3dcf272236
VENDOR.: unknown
MAC_STA: f0a225dab76d
VENDOR.: Private


while IFS= read -r i; do whoismac -p "$i"; done < 16800.txt

ESSID..: Fibertel WiFi1
MAC_AP.: 8c10d4fc55xx
VENDOR.: Sagemcom Broadband SAS
MAC_STA: 58c5cbe342xx
VENDOR.: Samsung Electronics Co.,Ltd

ESSID..: Fibertel WiFi2
MAC_AP.: 0025f1859exx
VENDOR.: ARRIS Group, Inc.
MAC_STA: a49a5846aaxx
VENDOR.: Samsung Electronics Co.,Ltd

ESSID..: Fibertel WiFi3
MAC_AP.: 4c72b952fexx
MAC_STA: 60427fa493xx
I appreciate it thanks.
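
The hash line format used with whoismac -p in the post above (PMKID*MAC_AP*MAC_STA*ESSID, all hex), as an added example that is not part of the original thread or of hcxtools: a Python parser that validates each field, decodes the ESSID, and produces a listing with the last MAC octet masked as in the "xx" output above. The function names are constructed for illustration, and no vendor lookup is done.

```python
import re

FIELDS = (("pmkid", 32), ("mac_ap", 12), ("mac_sta", 12))  # hex digits per field

def parse_pmkid_line(line):
    """Parse PMKID*MAC_AP*MAC_STA*ESSID into a dict; ValueError if malformed."""
    parts = line.strip().lower().split("*")
    if len(parts) != 4:
        raise ValueError("expected 4 '*'-separated fields, got %d" % len(parts))
    record = {}
    for (name, width), value in zip(FIELDS, parts):
        if not re.fullmatch("[0-9a-f]{%d}" % width, value):
            raise ValueError("%s must be %d hex digits" % (name, width))
        record[name] = value
    # An ESSID is 1..32 bytes, so 2..64 hex digits in whole byte pairs.
    if not re.fullmatch("(?:[0-9a-f]{2}){1,32}", parts[3]):
        raise ValueError("ESSID must be 1 to 32 hex-encoded bytes")
    # ESSIDs are raw bytes; replace anything that is not valid UTF-8.
    record["essid"] = bytes.fromhex(parts[3]).decode("utf-8", errors="replace")
    return record

def mask_mac(mac):
    """Hide the last octet of a 12-digit MAC."""
    return mac[:10] + "xx"

def masked_listing(line):
    """ESSID plus masked MACs, with the PMKID itself left out."""
    rec = parse_pmkid_line(line)
    return "ESSID..: %s\nMAC_AP.: %s\nMAC_STA: %s" % (
        rec["essid"], mask_mac(rec["mac_ap"]), mask_mac(rec["mac_sta"]))

def parse_lines(lines):
    """Parse many lines; return (records, errors) instead of stopping on bad input."""
    records, errors = [], []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            records.append(parse_pmkid_line(line))
        except ValueError as exc:
            errors.append((number, str(exc)))
    return records, errors

# The line passed to whoismac -p in the post above.
SAMPLE = ("69d4ec91a19657d64d4ccc869c229bbe*9e3dcf272236*"
          "f0a225dab76d*53696c7665724d61676e6f6c6961")

if __name__ == "__main__":
    print(masked_listing(SAMPLE))
```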
I think I do something wrong. I get no PMKID. Are my steps correct?

echo "1234567890">filter.txt
hcxdumptool -o hash -i wlan0mon --filterlist=filter.txt --filtermode=2 --enable_status=2

But I run and run and nothing is found. My router is not far away, only a few steps from the desk. Tried other routers too. Nothing.

Info line shows: cha=2, rx=25657, rx(dropped)=1541, tx=634, powned=0, err=0
Hi Superninja
wlan0mon is a typical logical interface type, created by airmon-ng for Broadcom devices.
Do you use a Broadcom interface?
read more here:
"You are using the Broadcom STA (wl) official driver; this does not support monitor or promiscuous modes (regardless of whatever airmon-ng tells you.)"

How do you set monitor mode? hcxdumptool doesn't like logical interfaces while the physical interface is left in managed mode. So, do not set monitor mode by airmon-ng!
I added this to the help menu on latest commit:
do not run hcxdumptool on logical interfaces (monx, wlanxmon)
do not use hcxdumptool in combination with other 3rd party tools, which take access to the interface
Read more why I did it that way here:

Is the interface really in monitor mode?
$ sudo iw dev <your physical interface>  info
Interface wlp3s0f0u2
ifindex 3
wdev 0x1
addr c8:3a:35:xx:xx:xx
type monitor
wiphy 0
channel 3 (2422 MHz), width: 20 MHz (no HT), center1: 2422 MHz
txpower 20.00 dBm

--enable_status=2 doesn't show EAPOL messages!
--enable_status=<digit>            : enable status messages
                                     1: EAPOL
                                     2: PROBEREQUEST/PROBERESPONSE
                                     4: AUTHENTICATON
                                     8: ASSOCIATION
                                    16: BEACON

So if you like to see EAPOL messages (this includes PMKIDs) and PROBEREQUEST/PROBERESPONSE messages use:
--enable_status=3  ( 1 + 2)

Is the target access point in transmit range?
hcxdumptool -i <physical interface> --do_rcascan -t 5

[18:26:00] xxxxxxxxxxxx networkname [CHANNEL 1, AP IN RANGE]

If you still don't get a PMKID, the access point might not be vulnerable.
Hi Zerbea,

I've captured one PMKID and run hashcat -m 16800 82445.16800 -a 3 -w 3 '?l?l?l?l?l?lt!' without success cracking it. What do you suggest for this?

Thank you

file name....................: target2.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.9.0-7-amd64
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 23
skipped packets..............: 0
packets with FCS.............: 24
beacons (with ESSID inside)..: 9
probe requests...............: 2
probe responses..............: 2
authentications (OPEN SYSTEM): 4
authentications (BROADCOM)...: 3
EAPOL packets................: 5
EAPOL PMKIDs.................: 1

1 PMKID(s) written to 82445.16800
"hashcat -m 16800 82445.16800 -a 3 -w 3 '?l?l?l?l?l?lt!' "
Change the mask, or use a wordlist.
Hi marcou3000.
Mem5 gave you good advice and I recommend following it!

hashcat -m 16800 -w 3 82445.16800 -a 3 '?l?l?l?l?l?lt!'
should do the job

It's also important to check your attacking/capturing procedure.
Run the attack a little bit longer (> 24h , better a week) to get all(!) clients connected to this network. Try to annoy the clients. Then check if unencrypted PSKs or parts of PSKs are inside the traffic.
1. Use this output in combination with a mask and feed hashcat.
2. Try some weak password candidates.
3. Get information about the VENDOR and discover the default key space. Run this key space as a mask.
Alright thank you !
Hi ZerBea,

I start capturing my target using hcxdumptool and it keeps crashing every time after 15 min or near rx=21000.
What can cause that ?
(09-22-2018, 01:49 AM)marcou3000 Wrote: Hi ZerBea,

I start capturing my target using hcxdumptool and it keeps crashing every time after 15 min or near rx=21000.
What can cause that ?

What adaptor and distro are you using? Might be a chipset driver issue.
For me rtl3072 is the most stable, followed by rtl3070; rtl8812au is not stable, rtl8811au is the worst.