hcxdumptool #348
Replies: 6 comments 7 replies
-
First step is to run Output looks like this:
If you take a look at this option list you'll see that there is no option "-o", no option "--active_beacon" and no option "--active_beacon --enable_status=15" any longer. These options are removed since hcxdumptool v6.3.0. To get the same result on hcxdumptool >= v6.3.0 run this command: Please also notice that it is mandatory to stop all services that take access to device wlan0 before you run hcxdumptool.
-
Good day!
I used hcxdumptool -i wlan0 -w dumpfile.pcapng -F --rds=1. Excellent tools!
Please tell me how to write a command correctly if I want to attack one specific MAC address.
Mon, 2 Oct 2023 at 16:44, ZerBea ***@***.***>:
… First step is to run
$ hcxdumptool -h
to get an overview of all options
Output looks like this:
$ hcxdumptool -h
hcxdumptool 6.3.1-61-g67d3e68 (C) 2023 ZeroBeat
usage: hcxdumptool <options>
first stop all services that take access to the interface, e.g.:
$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service
run hcxdumptool
press ctrl+c to terminate
press GPIO button to terminate
hardware modification is necessary, read more:
https://github.com/ZerBea/hcxdumptool/tree/master/docs
stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
do not use virtual machines or emulators
do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
do not use tools to change MAC (like macchanger)
do not merge (pcapng) dump files, because this destroys assigned hash values!
short options:
-i <INTERFACE> : name of INTERFACE to be used
default: first suitable INTERFACE
warning: hcxdumptool changes the virtual MAC address of the INTERFACE
-w <outfile> : write packets to a pcapng-format file named <outfile>
default outfile name: yyyyddmmhhmmss-interfacename.pcapng
get more information: https://pcapng.com/
-c <digit> : set channel (1a,2a,36b...)
default: 1a,6a,11a
important notice: channel numbers are not unique
it is mandatory to add band information to the channel number (e.g. 12a)
band a: NL80211_BAND_2GHZ
band b: NL80211_BAND_5GHZ
band c: NL80211_BAND_6GHZ
band d: NL80211_BAND_60GHZ
band e: NL80211_BAND_S1GHZ (902 MHz)
to disable frequency management, set this option to a single frequency/channel
-f <digit> : set frequency (2412,2417,5180,...)
-F : use available frequencies from INTERFACE
-t <second> : minimum stay time (will increase on new stations and/or authentications)
default 1 seconds
-m <INTERFACE> : set monitor mode and terminate
-p : do not set monitor mode: active (do not ACK incoming frames addressed to the device MAC)
default monitor mode: active (ACK all incoming frames addressed to the device MAC)
-L : show INTERFACE list
-l : show INTERFACE list (tabulator separated and greppable)
-I <INTERFACE> : show detailed information about INTERFACE
-h : show this help
-v : show version
long options:
--bpf=<file> : input kernel space Berkeley Packet Filter (BPF) code
steps to create a BPF (it only has to be done once):
$ hcxdumptool -m <interface>
create BPF to protect MACs
$ tcpdump -i <INTERFACE> not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
recommended to protect own devices
create BPF to attack a MAC
$ tcpdump -i <INTERFACE> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
see man pcap-filter for a list of all filter options
add BPF code:
$ hcxdumptool -i <INTERFACE> --bpf=attack.bpf ...
--disable_beacon : do not transmit BEACON frames
--disable_deauthentication : do not transmit DEAUTHENTICATION/DISASSOCIATION frames
--disable_proberequest : do not transmit PROBEREQUEST frames
--disable_association : do not AUTHENTICATE/ASSOCIATE
--disable_reassociation : do not REASSOCIATE a CLIENT
--beacontx=<digit> : transmit BEACON of first n entries of ESSID list
default: 10
--proberesponsetx=<digit> : transmit PROBERESPONSEs of first n entries of ESSID list
default: 10
--essidlist=<file> : initialize ESSID list with these ESSIDs
--errormax=<digit> : set maximum allowed ERRORs
default: 100 ERRORs
--watchdogmax=<seconds> : set maximum TIMEOUT when no packets received
default: 600 seconds
--attemptclientmax=<digit> : set maximum of attempts to request an EAPOL M2
default: 10 attempts
to disable CLIENT attacks set 0
--attemptapmax=<digit> : set maximum of received BEACONs to request a PMKID or to get a 4-way handshake
default: stop after 4 received BEACONs
attemptapmax=0 include this options:
disable_deauthentication: do not transmit DEAUTHENTICATION/DISASSOCIATION frames
disable_proberequest : do not transmit PROBEREQUEST frames
disable_association : do not AUTHENTICATE/ASSOCIATE
disable_reassociation : do not REASSOCIATE a CLIENT
--tot=<digit> : enable timeout timer in minutes
--exitoneapol=<type> : exit on first EAPOL occurrence:
bitmask:
1 = PMKID
2 = EAPOL M2
4 = EAPOL M3
target BPF filter is recommended
--onsigterm=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--ongpiobutton=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--ontot=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--onwatchdog=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--onerror=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--gpio_button=<digit> : Raspberry Pi GPIO pin number of button (2...27)
push GPIO button (> 10 seconds) to terminate program
default: 0 (GPIO not in use)
--gpio_statusled=<digit> : Raspberry Pi GPIO number of status LED (2...27)
default: 0 (GPIO not in use)
--nmea_dev=<NMEA device> : open NMEA device (/dev/ttyACM0, /dev/tty/USB0, ...)
baudrate = BD9600
--gpsd : use gpsd to get position
gpsd will be switched to NMEA0183 mode
--nmea_out=<outfile> : write GPS information to a nmea-format file named <outfile>
default outfile name: yyyymmddhhmmss.nmea
output: NMEA 0183 standard messages:
$GPRMC: Position, velocity, time and date
$GPGGA: Position, orthometric height, fix related data, time
$GPWPL: Position and MAC AP
$GPTXT: ESSID in HEX ASCII
use gpsbabel to convert to other formats:
gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file.gpx
gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml
get more information: https://en.wikipedia.org/wiki/NMEA_0183
--nmea_pcapng : write GPS information to pcapng dump file
--rcascan=<character> : do (R)adio (C)hannel (A)ssignment scan
default = passive scan
a = active scan
p = passive scan
--rds=<digit> : sort real time display
default: sort by time (last seen on top)
1 = sort by status (last PMKID/EAPOL on top)
--help : show this help
--version : show version
Legend
real time display:
R = + AP display : AP is in TX range or under attack
S = + AP display : AUTHENTICATION KEY MANAGEMENT PSK
P = + AP display : got PMKID hashcat / JtR can work on
1 = + AP display : got EAPOL M1 (CHALLENGE)
3 = + AP display : got EAPOL M1M2M3 (AUTHORIZATION) hashcat / JtR can work on
E = + CLIENT display : got EAP-START MESSAGE
2 = + CLIENT display : got EAPOL M1M2 (ROGUE CHALLENGE) hashcat / JtR can work on
Notice:
This is a penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
To store entire traffic, run <tshark -i <interface> -w allframes.pcapng> in parallel
If you take a look at this option list you'll see that there is no option
"-o", no option "--active_beacon" and no option "--active_beacon
--enable_status=15" any longer. These options are removed since hcxdumptool
v6.3.0.
To get the same result on hcxdumptool >= v6.3.0 run this command:
$ hcxdumptool -i wlan0 -w dumpfile.pcapng -F --rds=1
Please also notice that it is mandatory to stop all services that take
access to device wlan0 before you run hcxdumptool.
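The help text quoted above repeats, three times over, that every service taking access to the interface must be stopped and that no logical (NETLINK) monitor interface created by airmon-ng or iw may be used. The following POSIX shell script is an added example, not part of hcxdumptool: it turns those preconditions into a pre-flight check that refuses to continue until they hold. The unit names and the interface-name patterns (monx, wlanxmon, prismx) come from the help text; wlan0 as default interface and the file name preflight.sh are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not part of hcxdumptool. It checks the
# preconditions from the help text before hcxdumptool is started:
#  - services that take access to the interface are stopped
#  - the interface is a physical one, not a logical (NETLINK) interface
# Service names and name patterns are from the help text; "wlan0" as the
# default interface is an assumption.

# Returns 0 if none of the given systemd units is active, 1 otherwise, and
# names every unit that still runs together with the command that stops it.
preflight_services() {
    _rc=0
    for _unit in "$@"; do
        if systemctl is-active --quiet "$_unit" 2>/dev/null; then
            echo "still active: $_unit  ->  sudo systemctl stop $_unit" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Returns 0 if the name looks like a logical monitor interface the help text
# says not to use (monx, wlanxmon, prismx, ...), 1 if it looks physical.
is_logical_iface_name() {
    case "$1" in
        mon*|*mon|prism*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined check: fails on the first violated precondition.
preflight() {
    _iface="${1:-wlan0}"
    if is_logical_iface_name "$_iface"; then
        echo "refusing logical interface '$_iface': use the physical interface" >&2
        return 1
    fi
    preflight_services NetworkManager.service wpa_supplicant.service
}

# Usage: sh preflight.sh wlan0 && sudo hcxdumptool -i wlan0 -w dumpfile.pcapng -F --rds=1
# (only runs the check when invoked as preflight.sh, so the file can also be sourced)
if [ "${0##*/}" = "preflight.sh" ]; then
    preflight "$@"
fi
```

The check deliberately does not stop anything itself; it only reports what is in the way, so the operator keeps control over which services are taken down on the machine.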
-
Just create a Berkeley Packet Filter and add it to hcxdumptool. Steps to create a simple filter: create the filter (this example uses 11:22:33:44:55:66 as target address) run hcxdumptool with the filter: More information is here:
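The help text above and the answer just before this both describe the same procedure: compile a filter expression with tcpdump -ddd and hand the file to hcxdumptool via --bpf=. The script below is an added example, not code from hcxdumptool or tcpdump. It generalizes the "protect own devices" filter from the help text (not wlan addr2 <MAC>) to any number of own MAC addresses, compiles it on the interface exactly as the help text does, and checks that the result really is -ddd output before it is given to hcxdumptool. That the -ddd layout (a count line, then one "code jt jf k" line per instruction) is what hcxdumptool reads is an assumption here, as is the constructed accept-all program used in the test.

```shell
#!/bin/sh
# Added example for this thread, not hcxdumptool's or tcpdump's code.
# Builds the "protect own devices" filter from the help text for a list of
# own MAC addresses, compiles it with tcpdump -ddd and sanity-checks the file.
# Assumption (not on the page): tcpdump -ddd writes an instruction count on
# the first line followed by one "code jt jf k" line per instruction, and
# hcxdumptool --bpf= reads exactly that format.

# Returns 0 if $1 is a colon-separated MAC address (11:22:33:44:55:66), else 1.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{2}(:[0-9a-f]{2}){5}$'
}

# Prints a pcap-filter expression that drops every frame transmitted (addr2)
# by one of our own devices: the single-MAC "not wlan addr2 ..." from the
# help text, generalized to several MACs joined with "and".
protect_filter() {
    _expr=""
    for _mac in "$@"; do
        is_mac "$_mac" || { echo "not a MAC address: $_mac" >&2; return 1; }
        _clause="not wlan addr2 $(printf '%s' "$_mac" | tr 'A-F' 'a-f')"
        if [ -z "$_expr" ]; then _expr="$_clause"; else _expr="$_expr and $_clause"; fi
    done
    [ -n "$_expr" ] || { echo "at least one MAC is required" >&2; return 1; }
    printf '%s\n' "$_expr"
}

# Validates a tcpdump -ddd file: a count line, exactly that many lines of
# four non-negative integers, and a final instruction of BPF class RET
# (code & 7 == 6). Output of -d or -dd (human-readable / C array) fails here.
validate_ddd() {
    awk '
        NR == 1 { if ($0 !~ /^[0-9]+$/) { bad = 1; exit 1 }; n = $0 + 0; next }
        NF == 0 { next }
        NF != 4 { bad = 1; exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/) { bad = 1; exit 1 }
          last = $1 + 0; m++ }
        END { if (bad || m != n || last % 8 != 6) exit 1 }
    ' "$1"
}

# Compiles the protect filter for the given interface into $1 (as in the
# help text) and validates it. Usage: compile_protect_bpf protect.bpf wlan0 <MAC>...
compile_protect_bpf() {
    _out="$1"; _iface="$2"; shift 2
    _filter="$(protect_filter "$@")" || return 1
    # word-splitting $_filter is intended: tcpdump takes the expression as words
    tcpdump -i "$_iface" $_filter -ddd > "$_out" || return 1
    validate_ddd "$_out"
}
# Then: sudo hcxdumptool -i wlan0 -w dumpfile.pcapng -F --rds=1 --bpf=protect.bpf
```

validate_ddd is the part worth keeping around: a file that was accidentally produced with -d or -dd, or that was edited by hand, is rejected before hcxdumptool ever sees it, and an unterminated program (no RET as last instruction) is caught as well.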
-
Can it allow creating a lot of AP and a lot of client MACs? AP MAC Client MAC create
-
But there are still some things that cannot be understood,
like this: if I need to create an attack on a single MAC, isn't it simpler? But why the same MAC, why does it need to be created continuously?
-
@ZerBea
-
I'm just learning, and I can't figure out what the problem is.
(kali㉿kali)-[~]
└─$ sudo hcxdumptool -i wlan0 -o dumpfile.pcapng --active_beacon --enable_status=15
hcxdumptool: invalid option -- 'o'
hcxdumptool 6.3.1-61-g67d3e68 (C) 2023 by ZeroBeat