Protocol attacks (e.g. known beacons attack OPN)

[s0i37]

How can I use --essidlist with --beaconparams for announcing OPN network?

[ZerBea]

That will not work as expected. Because all responses depend on AKM and Cypher suite. Even if you set OPN beacon params to announce such type of NETWORK, hcxdumptool will send this Beacon, but that's all. It does not respond to the following requests of the CLIENT, because Open Network attacks are unsupported and there is no underlying code to perform a protocol attack.
That is the playground of other tools (e.g. eaphammer, airbase-ng, ...) which can do that much better.

[s0i37]

But client will send Auth and Assoc request for OPN network. The hcxdumptool can detect it.

[ZerBea]

No, hcxdumptool only accept AKM: PSK or PSKSHA256
if(((tags.akm &TAK_PSK) == TAK_PSK) || ((tags.akm &TAK_PSKSHA256) == TAK_PSKSHA256))
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L4797
and cipyher suite:
WPA2 and WPA2 kv 3
if((tags.kdversion &KV_RSNIE) == KV_RSNIE)
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L4799
or WPA1
else if((tags.kdversion &KV_WPAIE) == KV_WPAIE)
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L4807

the same applies to REASSOCIATION REQUESTS
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L4644
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L4646
https://github.com/ZerBea/hcxdumptool/blob/master/hcxdumptool.c#L4654

[ZerBea]

hcxpcapngtool is able to detect, show and convert this information, because we're offline and have all the time of thee world to dive deeper into the protocol (some examples below):

$ hcxpcapngtool /home/zerobeat/WLAN/Passphrasen/Sonderformen/ipv4.cap
hcxpcapngtool 6.2.7-92-g5ceb0cf reading from ipv4.cap...

summary capture file
--------------------
file name................................: ipv4.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 19.10.2005 14:14:56
timestamp maximum (GMT)..................: 19.10.2005 14:16:21
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianess (capture system)...............: little endian
packets inside...........................: 11
IPv4 (total).............................: 11
TCP (total)..............................: 6
UDP (total)..............................: 5

or

$ hcxpcapngtool /home/zerobeat/WLAN/Passphrasen/Sonderformen/leap.dump
hcxpcapngtool 6.2.7-92-g5ceb0cf reading from leap.dump...

summary capture file
--------------------
file name................................: leap.dump
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 20.06.2003 16:22:10
timestamp maximum (GMT)..................: 20.06.2003 16:22:10
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianess (capture system)...............: little endian
packets inside...........................: 872
WIRELESS DISTRIBUTION SYSTEM.............: 4
ESSID (total unique).....................: 7
BEACON (total)...........................: 649
BEACON on 2.4 GHz channel (from IE_TAG)..: 6 11 
BEACON (SSID zeroed).....................: 152
ACTION (total)...........................: 1
PROBEREQUEST.............................: 44
PROBEREQUEST (directed)..................: 3
PROBERESPONSE (total)....................: 18
DEAUTHENTICATION (total).................: 1
AUTHENTICATION (total)...................: 2
AUTHENTICATION (NETWORK EAP).............: 2
ASSOCIATIONREQUEST (total)...............: 1
RESERVED MANAGEMENT frame................: 1
WPA encrypted............................: 1
WEP encrypted............................: 40
IDENTITIES...............................: 4
EAP (total)..............................: 9
EAP CODE request.........................: 4
EAP CODE response........................: 4
EAP ID...................................: 4
EAP-LEAP messages........................: 4
EAPOL RC4 messages.......................: 2

or

$ hcxpcapngtool /home/zerobeat/WLAN/Passphrasen/Sonderformen/mschapv2.pcapng
hcxpcapngtool 6.2.7-92-g5ceb0cf reading from mschapv2.pcapng...

summary capture file
--------------------
file name................................: mschapv2.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 5.4.0-48-generic
application..............................: hcxdumptool 6.1.2-32-g824fb90
interface name...........................: wlan2
interface vendor.........................: 000000
openSSL version..........................: 1.0
weak candidate...........................: N/A
MAC ACCESS POINT.........................: 000000000000 (incremented on every new client)
MAC CLIENT...............................: 000000000000
REPLAYCOUNT..............................: 0
ANONCE...................................: 0000000000000000000000000000000000000000000000000000000000000000
SNONCE...................................: 0000000000000000000000000000000000000000000000000000000000000000
timestamp minimum (GMT)..................: 12.10.2020 16:09:34
timestamp maximum (GMT)..................: 12.10.2020 16:09:42
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianess (capture system)...............: little endian
packets inside...........................: 9
packets received on 2.4 GHz..............: 8
ESSID (total unique).....................: 1
PROBEREQUEST.............................: 1
AUTHENTICATION (total)...................: 1
AUTHENTICATION (OPEN SYSTEM).............: 1
ASSOCIATIONREQUEST (total)...............: 1
IDENTITIES...............................: 2
EAP (total)..............................: 6
EAP CODE request.........................: 1
EAP CODE response........................: 5
EAP ID...................................: 2
EAP-PEAP.................................: 2
EAP-MSCHAPV2 messages....................: 2

Doing this on the fly by hcxdumptool the situation is different. We have to stay a "relative" long time on the channel and have to evaluate the protocol (read header, identify protocol, create response using the same protocol). That will slow us down and take a lot of CPU cycles.
So hcxdumptool is working only on layer 2 frames. If RSN-IE or WPA-IE is missing in BEACON, PROBEREQUEST, PROBERESPONSE, ASSOCIATIONREQUEST or REASSOCIATIONREQUEST hcxdumptool ignore all frames pointing to a high level protocol. This applies to every packet that is forwarded from an ACCESSPOINT to an AUTHENTICATION server or back.

[ZerBea]

But anyway, this discussion lead me to add detection of RADIUS AUTHENTICATION via UDP port 1812 to hcxpcapngtool.
Done by this commit:
ZerBea/hcxtools@e58c507
hcxpcapngtool show an information:

$ hcxpcapngtool /home/zerobeat/WLAN/Passphrasen/Sonderformen/MD5_testing123.pcapng
hcxpcapngtool 6.2.7-93-g098ac4a reading from MD5_testing123.pcapng...

summary capture file
--------------------
file name................................: MD5_testing123.pcapng
version (pcapng).........................: 1.0
operating system.........................: N/A
application..............................: N/A
interface name...........................: lo0
interface vendor.........................: 000000
openSSL version..........................: 1.0
weak candidate...........................: N/A
MAC ACCESS POINT.........................: 000000000000 (incremented on every new client)
MAC CLIENT...............................: 000000000000
REPLAYCOUNT..............................: 0
ANONCE...................................: 0000000000000000000000000000000000000000000000000000000000000000
SNONCE...................................: 0000000000000000000000000000000000000000000000000000000000000000
timestamp minimum (GMT)..................: 24.08.2015 22:23:59
timestamp maximum (GMT)..................: 24.08.2015 22:23:59
used capture interfaces..................: 1
link layer header type...................: DLT_NULL (BSD LO) (0)
endianess (capture system)...............: little endian
packets inside...........................: 4
IPv4 (total).............................: 4
UDP (total)..............................: 4
RADIUS AUTHENTICATION (total)............: 2

[ZerBea]

Pushed some improvements to hcxpcapngtool:

$ hcxpcapngtool /home/zerobeat/WLAN/Passphrasen/Sonderformen/MD5_testing123.pcapng
hcxpcapngtool 6.2.7-94-ge58c507 reading from MD5_testing123.pcapng...

summary capture file
--------------------
file name................................: MD5_testing123.pcapng
version (pcapng).........................: 1.0
operating system.........................: N/A
application..............................: N/A
interface name...........................: lo0
interface vendor.........................: 000000
openSSL version..........................: 1.0
weak candidate...........................: N/A
MAC ACCESS POINT.........................: 000000000000 (incremented on every new client)
MAC CLIENT...............................: 000000000000
REPLAYCOUNT..............................: 0
ANONCE...................................: 0000000000000000000000000000000000000000000000000000000000000000
SNONCE...................................: 0000000000000000000000000000000000000000000000000000000000000000
timestamp minimum (GMT)..................: 24.08.2015 22:23:59
timestamp maximum (GMT)..................: 24.08.2015 22:23:59
used capture interfaces..................: 1
link layer header type...................: DLT_NULL (BSD LO) (0)
endianess (capture system)...............: little endian
packets inside...........................: 4
IPv4 (total).............................: 4
UDP (total)..............................: 4
RADIUS AUTHENTICATION (REQUEST)..........: 2
RADIUS AUTHENTICATION (CHALLENGE)........: 1
RADIUS AUTHENTICATION (ACCEPT)...........: 1

Now we got detailed information.

Please take a look at the changes of the code and you'll see that we have left the MAC layer, entered IPv4 protocol, followed by UDP protocol to retrieve finally the information from RADIUS protocol.

[ZerBea]

I took a closer look at eaphammer and noticed that it is running a modified hostapd in background to perform the protocol attacks:
"EAPHammer leverages a modified version of hostapd-wpe"
Doing this is far beyond the scope of hcxdumptool's and no option for me.

[ZerBea]

Here is a good explanation about eaphammer"Known Beacon Attack" attack mode:
https://posts.specterops.io/modern-wireless-attacks-pt-ii-mana-and-known-beacon-attacks-97a359d385f9?gi=cef2af924e0b

As previously assumed, eaphammer use hostapd to setup a full ASSECC POINT via hostapd, where hostapdt is an user space daemon for access point and authentication servers.
https://w1.fi/hostapd/

To perform such kind of an attack we have to stay a (relative) long time on the channel
EAP-Identity-Request Timeout:
This timer affects how long you wait between EAP Identity Requests. By default, this is one second (4.1 and lower) and 30 seconds (4.2 and greater). The reason for this change was because some clients, hand helds, phones, scanners etc, had a hard time responding fast enough. Devices like laptops, usually do not require a manipulation of these values. Available value is from 1 to 120.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69730-eap-auth-wlc.html

The EAPOL key time out (e.g. to retrieve a M2) is much lower:
EAPOL-Key Timeout:
For the EAPOL-Key Timeout value, the default is 1 second or 1000 milliseconds
Exactly this is the default time, we stay on a channel.
Please notice that mostly the the average timeout values are much lower (--enable_status=15 will confirm this).

The price tag to setup an entire ACCESS POINT to perform this attacks (performed by tools like eaphammer) is a way too high for me.
You may have noticed that the requirements (and the knowledge) to run hcxdumptool are at a high level (that include WiFi adapters, drivers and the Linux Kernel). That will keep the price tag small. Unfortunately I added several feature requests (like a beautiful status display and EAP-TLS) which have a price tag, too. Compared to hcxlabtool (wifi_laboratoy), hcxdumptool become an old toothless tiger.

[ZerBea]

Some background information about WiFi layers:
Layer 1 = physical layer
Layer 2 = data layer
Layer 3 = network layer
Layer 4 = transport layer

hcxdumptool lives in layers 1 (modified firmware mandatory) and 2 (monitor mode and packet injection by driver mandatory) only.
The physical layer (1) the layer where data gets transmitted / received into bits, 0's and 1's using complex coding and modulations.
The data layer (2) is where upper layer information (>= layer 3) is encapsulated into a frame. This is also where the MAC address information is added.

More information about the types is here:
https://blogs.arubanetworks.com/industries/layer-1-and-layer-2-wifi-basics/