possible that a certain lib is interfering with the awus036achm mt7610u drivers

[dontholdmyhand]

version: 6.5.0-kali3-amd64
lsusb: Bus 001 Device 002: ID 0e8d:7610 MediaTek Inc. WiFi

hcxdumptool -l : available wlan devices:

phy idx hw-mac virtual-mac m ifname driver (protocol)

0 3 00c0cab4623a 00c0cab4623a * wlan0 mt76x0u (NETLINK)
1 4 40ed007efa41 9ee7ecaba507 + wlan1 rtl8821au (NETLINK)

└─$ sudo hcxdumptool -I wlan0

Requesting interface capabilities. This may take some time.
Please be patient...

interface information:

phy idx hw-mac virtual-mac m ifname driver (protocol)

0 3 00c0cab4623a 00c0cab4623a * wlan0 mt76x0u (NETLINK)

available frequencies: frequency [channel] tx-power of Regulatory Domain: 00

2412 [ 1] 3.0 dBm 2417 [ 2] 3.0 dBm 2422 [ 3] 3.0 dBm 2427 [ 4] 3.0 dBm
2432 [ 5] 3.0 dBm 2437 [ 6] 3.0 dBm 2442 [ 7] 3.0 dBm 2447 [ 8] 3.0 dBm
2452 [ 9] 3.0 dBm 2457 [ 10] 3.0 dBm 2462 [ 11] 3.0 dBm 2467 [ 12] 3.0 dBm
2472 [ 13] 3.0 dBm 2484 [ 14] 3.0 dBm 5180 [ 36] 18.0 dBm 5200 [ 40] 18.0 dBm
5220 [ 44] 18.0 dBm 5240 [ 48] 18.0 dBm 5260 [ 52] 18.0 dBm 5280 [ 56] 17.0 dBm
5300 [ 60] 17.0 dBm 5320 [ 64] 17.0 dBm 5500 [100] 14.0 dBm 5520 [104] 14.0 dBm
5540 [108] 14.0 dBm 5560 [112] 14.0 dBm 5580 [116] 13.0 dBm 5600 [120] 13.0 dBm
5620 [124] 13.0 dBm 5640 [128] 13.0 dBm 5660 [132] 13.0 dBm 5680 [136] 14.0 dBm
5700 [140] 14.0 dBm 5720 [144] 14.0 dBm 5745 [149] 14.0 dBm 5765 [153] 14.0 dBm
5785 [157] 14.0 dBm 5805 [161] 14.0 dBm 5825 [165] 15.0 dBm 5845 [169] disabled
5865 [173] disabled

bye-bye

└─$ sudo hcxdumptool -v
hcxdumptool 6.3.1 (C) 2023 ZeroBeat

Let me preface this by saying that i know that i shouldnt be attempting this stuff if im a noob, but im trying to collect as many documentation maybe it helps someone in the future or you to probably find whats wrong.

Basically the journey started with wifite, it would always crash after i try to capture a pmkid or do a pmkid attack it crashes my stuff, sudo would not work anymore with commands and the vm will not reboot or turn off unless i force shutdown.

after some more investigation, i couldnt find anything other than that the wifi adapter drivers mt7610u are having an issue with something and crashing

i tried manually finding the drivers for the mt7610u and replacing the one i had and that did nothing at all, and surprisingly even when i hadent added the driver after deleting the old set the adapter it still ran normally

i downloaded a fresh image of kali weekly and tried wifite without installing hcxdumptool or hcxtools and it seemed to not crash my vm at all

after got the dependencies and libs needed for hcxdumptool and hcxtools wifite started doing the same.

so i thought id try airgeddon instead maybe its just a wifite issue right?

everything worked until the point of trying to capture a pmkid and it did the same thing wifite would do.

i am running another wifi adapter (not at the same time) TP-Link Archer T2U PLUS [RTL8821AU] and that seems to work normally.

i will provide a journalctl -e and a dmesg in case those provide any help, whatever i can do to fix my post or info to provide i would really love to help fix this issue or at least troubleshoot it

please do let me know if i should just copy/paste the text of the dmesg and journalctl instead in the comments or here, i just didnt want to clutter it more than it is
dmesg airgeddon hcxdumptool.txt
journalctl -e.txt

please let me know if theres something else i can help with, sorry im still a noob and i do need some hand holding but id really love to help.

[ZerBea]

First of all: Your wireless regulatory domain is unset 00!

available frequencies: frequency [channel] tx-power of Regulatory Domain: 00

That limits the capability of the device. To avoid this it is mandatory to set a valid regulatory domain, e.g.

$ sudo iw reg set
$ sudo iw reg set US
$ iw reg get
global
country US: DFS-FCC
	(902 - 904 @ 2), (N/A, 30), (N/A)
	(904 - 920 @ 16), (N/A, 30), (N/A)
	(920 - 928 @ 8), (N/A, 30), (N/A)
	(2400 - 2472 @ 40), (N/A, 30), (N/A)
	(5150 - 5250 @ 80), (N/A, 23), (N/A), AUTO-BW
	(5250 - 5350 @ 80), (N/A, 24), (0 ms), DFS, AUTO-BW
	(5470 - 5730 @ 160), (N/A, 24), (0 ms), DFS
	(5730 - 5850 @ 80), (N/A, 30), (N/A), AUTO-BW
	(5850 - 5895 @ 40), (N/A, 27), (N/A), NO-OUTDOOR, AUTO-BW, PASSIVE-SCAN
	(5925 - 7125 @ 320), (N/A, 12), (N/A), NO-OUTDOOR, PASSIVE-SCAN
	(57240 - 71000 @ 2160), (N/A, 40), (N/A)

From now on hcxdumptool use this settings:

available frequencies: frequency [channel] tx-power of Regulatory Domain: US

This setting (via iw) is not persistent. To make it persistent it is mandatory to uncomment the domain in the config file.

A few days ago I ran several tests on several interfaces.
#361

One of them an ALFA AWUS036ACHM:
#361 (comment)
And everything is working as expected and dmesg log confirm that:

[44542.787098] usb 1-9.3: new high-speed USB device number 8 using xhci_hcd
[44542.940504] usb 1-9.3: New USB device found, idVendor=0e8d, idProduct=7610, bcdDevice= 1.00
[44542.940509] usb 1-9.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[44542.940512] usb 1-9.3: Product: WiFi
[44542.940514] usb 1-9.3: Manufacturer: MediaTek
[44542.940516] usb 1-9.3: SerialNumber: 1.0
[44543.086957] usb 1-9.3: reset high-speed USB device number 8 using xhci_hcd
[44543.226505] mt76x0u 1-9.3:1.0: ASIC revision: 76100002 MAC revision: 76502000
[44546.818464] mt76x0u 1-9.3:1.0: EEPROM ver:02 fae:04
[44547.074553] ieee80211 phy2: Selected rate control algorithm 'minstrel_ht'
[44547.092444] mt76x0u 1-9.3:1.0 wlp22s0f0u9u3: renamed from wlan0
[44907.787065] mt76x0u 1-9.3:1.0 wlp22s0f0u9u3: entered promiscuous mode
hcxdumptool is running....
hcxdumptool is terminated by ctrl+c
[44922.323768] mt76x0u 1-9.3:1.0 wlp22s0f0u9u3: left promiscuous mode

The ERROR you mentioned above always appear if the device is disconnected:

[45041.212682] mt76x0u 1-9.3:1.0: vendor request req:07 off:1134 failed:-71
[45041.292360] usb 1-9.3: USB disconnect, device number 8
[45041.298018] mt76x0u 1-9.3:1.0: MAC error detected
[45041.518186] mt76x0u 1-9.3:1.0: MAC stop failed

This should happen only if the device is disconnected:

[45440.131372] usb 5-2.4: new high-speed USB device number 7 using xhci_hcd
[45440.238662] usb 5-2.4: New USB device found, idVendor=0e8d, idProduct=7610, bcdDevice= 1.00
[45440.238666] usb 5-2.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[45440.238668] usb 5-2.4: Product: WiFi
[45440.238669] usb 5-2.4: Manufacturer: MediaTek
[45440.238670] usb 5-2.4: SerialNumber: 1.0
[45440.328165] usb 5-2.4: reset high-speed USB device number 7 using xhci_hcd
[45440.425786] mt76x0u 5-2.4:1.0: ASIC revision: 76100002 MAC revision: 76502000
[45441.645411] mt76x0u 5-2.4:1.0: EEPROM ver:02 fae:04
[45441.685125] ieee80211 phy3: Selected rate control algorithm 'minstrel_ht'
[45441.695093] mt76x0u 5-2.4:1.0 wlp48s0f4u2u4: renamed from wlan0
[45457.833535] mt76x0u 5-2.4:1.0 wlp48s0f4u2u4: entered promiscuous mode
hcxdumptool is running....
hcxdumptool is terminated by ctrl+c
[45466.638355] mt76x0u 5-2.4:1.0 wlp48s0f4u2u4: left promiscuous mode
device has been disconnected
[45560.159052] mt76x0u 5-2.4:1.0: vendor request req:07 off:1134 failed:-71
[45560.258333] usb 5-2.4: USB disconnect, device number 7
[45560.262669] mt76x0u 5-2.4:1.0: MAC error detected
[45560.481955] mt76x0u 5-2.4:1.0: MAC stop failed

In your case you got more than one ERROR. I suggest to check your cable connection.
I use a cable with two ferrite cores!

All attack modes are working as expected and the ERROR appears only after the device has been disconnected.
Looks like it take awhile until the driver noticed that the devices has been plugged out.

I moved this report to discussions, because it is not caused by hcxdumptool.
To confirm that it is not related to hcxdumptool:

connect device:
[46307.736035] usb 5-2.4: New USB device found, idVendor=0e8d, idProduct=7610, bcdDevice= 1.00
[46307.736040] usb 5-2.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[46307.736043] usb 5-2.4: Product: WiFi
[46307.736045] usb 5-2.4: Manufacturer: MediaTek
[46307.736047] usb 5-2.4: SerialNumber: 1.0
[46307.825485] usb 5-2.4: reset high-speed USB device number 9 using xhci_hcd
[46307.923264] mt76x0u 5-2.4:1.0: ASIC revision: 76100002 MAC revision: 76502000
[46309.149387] mt76x0u 5-2.4:1.0: EEPROM ver:02 fae:04
[46309.188102] ieee80211 phy5: Selected rate control algorithm 'minstrel_ht'
[46309.198398] mt76x0u 5-2.4:1.0 wlp48s0f4u2u4: renamed from wlan0
set interface up
$ sudo ip link set wlp48s0f4u2u4 up
disconnect device
[46345.594005] usb 5-2.4: USB disconnect, device number 9
[46345.600007] mt76x0u 5-2.4:1.0: MAC error detected
[46345.822493] mt76x0u 5-2.4:1.0: MAC stop failed

[ZerBea]

Now the funny part:

[47419.984727] usb 1-9.3: New USB device found, idVendor=0e8d, idProduct=7610, bcdDevice= 1.00
[47419.984732] usb 1-9.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[47419.984735] usb 1-9.3: Product: WiFi
[47419.984737] usb 1-9.3: Manufacturer: MediaTek
[47419.984739] usb 1-9.3: SerialNumber: 1.0
[47420.131148] usb 1-9.3: reset high-speed USB device number 9 using xhci_hcd
[47420.270724] mt76x0u 1-9.3:1.0: ASIC revision: 76100002 MAC revision: 76502000
[47423.862695] mt76x0u 1-9.3:1.0: EEPROM ver:02 fae:04
[47424.118787] ieee80211 phy6: Selected rate control algorithm 'minstrel_ht'
[47424.128493] mt76x0u 1-9.3:1.0 wlp22s0f0u9u3: renamed from wlan0
set interface up
$ sudo ip link set wlp22s0f0u9u3 up
$ sudo ip link set wlp22s0f0u9u3 down
[47466.352252] usb 1-9.3: USB disconnect, device number 9

Once the device is down, it can be plugged out without causing an ERROR in dmesg log.

[dontholdmyhand]

i set the regulatory domain on the adapter, and ive changed the usb slot, but i dont think that changed everything.

first off sorry im running my test in wifite, im really new and its the only thing ive like focused on to sorta learn already, im not very good at debugging with linux im still very fresh, i just happen to be learning cybersecurity and kali was the suggested distro for this type of stuff as youd imagine, but i keep running into this issue and i keep going down rabbit holes to fix it and i cant get anywhere, so im sorry if im annoying with this.

Basically the crash im getting which consists of my entire system not responding to sudo commands or rebooting or shutting down without being forced, the only reason im getting this is because of pmkid attacks that wifite and airgeddon use, which both utilize hcxdumptool and hcxtools, if i run wifite without a pmkid attack in this command using

sudo wifite -ic --kill --dict /usr/share/wordlists/rockyou.txt --random-mac --wpa --no-pmkid --new-hs

no crashy stuff happens and everything works fine with it, when do anything pmkid related my system goes haywire
this is a screenshot of what happened and a dmesg

this error message doesnt always show up, usually the system just freezes, and idk if macchanger is related but this used to happen to me before i started using macchanger with wifite (ive read macchanger messes things up sometimes thats why im bringing it up)

running a command after with sudo

running the same command without sudo (it never does anything cause the vm is frozen)

[ 71.754343] usb 1-1: new high-speed USB device number 2 using ehci-pci
[ 72.139001] usb 1-1: New USB device found, idVendor=0e8d, idProduct=7610, bcdDevice= 1.00
[ 72.139018] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 72.139023] usb 1-1: Product: WiFi
[ 72.139028] usb 1-1: Manufacturer: MediaTek
[ 72.139031] usb 1-1: SerialNumber: 1.0
[ 72.393670] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 72.393805] Loaded X.509 cert 'benh@debian.org: 577e021cb980e0e820821ba7b54b4961b8b4fadf'
[ 72.393938] Loaded X.509 cert 'romain.perier@gmail.com: 3abbc6ec146e09d1b6016ab9d6cf71dd233f0328'
[ 72.394057] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 72.429539] platform regulatory.0: firmware: direct-loading firmware regulatory.db
[ 72.441999] platform regulatory.0: firmware: direct-loading firmware regulatory.db.p7s
[ 72.881303] usb 1-1: reset high-speed USB device number 2 using ehci-pci
[ 73.269958] mt76x0u 1-1:1.0: ASIC revision: 76100002 MAC revision: 76502000
[ 76.543797] mt76x0u 1-1:1.0: EEPROM ver:02 fae:04
[ 77.860131] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 77.865464] usbcore: registered new interface driver mt76x0u
[ 94.673310] wlan0: authenticate with c0:25:e9:40:b4:a4
[ 95.556117] wlan0: send auth to c0:25:e9:40:b4:a4 (try 1/3)
[ 95.562411] wlan0: authenticated
[ 95.565654] wlan0: associate with c0:25:e9:40:b4:a4 (try 1/3)
[ 95.573112] wlan0: RX AssocResp from c0:25:e9:40:b4:a4 (capab=0x431 status=0 aid=1)
[ 95.793146] wlan0: associated
[ 331.187514] wlan0: deauthenticating from c0:25:e9:40:b4:a4 by local choice (Reason: 3=DEAUTH_LEAVING)
[ 333.908588] mt76x0u 1-1:1.0 wlan0: entered promiscuous mode
[ 371.782121] wlan0: authenticate with c0:25:e9:40:b4:a4
[ 371.782139] wlan0: 80 MHz not supported, disabling VHT
[ 372.697713] wlan0: send auth to c0:25:e9:40:b4:a4 (try 1/3)
[ 373.498387] wlan0: authenticated
[ 373.498624] wlan0: associate with c0:25:e9:40:b4:a4 (try 1/3)
[ 374.478466] wlan0: associate with c0:25:e9:40:b4:a4 (try 2/3)
[ 374.492963] wlan0: associate with c0:25:e9:40:b4:a4 (try 3/3)
[ 375.705792] wlan0: association with c0:25:e9:40:b4:a4 timed out
[ 391.102056] wlan0: authenticate with c0:25:e9:40:b4:a4
[ 391.102068] wlan0: 80 MHz not supported, disabling VHT
[ 391.927479] wlan0: send auth to c0:25:e9:40:b4:a4 (try 1/3)
[ 392.809276] wlan0: send auth to c0:25:e9:40:b4:a4 (try 2/3)
[ 393.685006] wlan0: send auth to c0:25:e9:40:b4:a4 (try 3/3)
[ 393.690281] wlan0: authenticated
[ 393.692553] wlan0: associate with c0:25:e9:40:b4:a4 (try 1/3)
[ 393.700533] wlan0: RX AssocResp from c0:25:e9:40:b4:a4 (capab=0x431 status=0 aid=5)
[ 393.937383] wlan0: associated
[ 412.277057] wlan0: authenticate with c0:25:e9:40:b4:a4
[ 412.277068] wlan0: 80 MHz not supported, disabling VHT
[ 413.117378] wlan0: send auth to c0:25:e9:40:b4:a4 (try 1/3)
[ 413.895290] wlan0: authenticated
[ 413.898585] wlan0: associate with c0:25:e9:40:b4:a4 (try 1/3)
[ 414.390973] wlan0: associate with c0:25:e9:40:b4:a4 (try 2/3)
[ 414.406375] wlan0: associate with c0:25:e9:40:b4:a4 (try 3/3)
[ 416.172270] wlan0: association with c0:25:e9:40:b4:a4 timed out
[ 431.077973] wlan0: authenticate with c0:25:e9:40:b4:a4
[ 431.077985] wlan0: 80 MHz not supported, disabling VHT
[ 431.980418] wlan0: send auth to c0:25:e9:40:b4:a4 (try 1/3)
[ 432.728497] wlan0: authenticated
[ 432.729550] wlan0: associate with c0:25:e9:40:b4:a4 (try 1/3)
[ 433.660071] wlan0: associate with c0:25:e9:40:b4:a4 (try 2/3)
[ 433.669509] wlan0: RX AssocResp from c0:25:e9:40:b4:a4 (capab=0x431 status=0 aid=5)
[ 433.870228] wlan0: associated
[ 458.401168] wlan0: authenticate with c0:25:e9:40:b4:a4
[ 458.401198] wlan0: 80 MHz not supported, disabling VHT
[ 459.306236] wlan0: send auth to c0:25:e9:40:b4:a4 (try 1/3)
[ 460.081664] wlan0: authenticated
[ 460.084139] wlan0: associate with c0:25:e9:40:b4:a4 (try 1/3)
[ 460.903753] wlan0: associate with c0:25:e9:40:b4:a4 (try 2/3)
[ 460.924094] wlan0: associate with c0:25:e9:40:b4:a4 (try 3/3)
[ 461.263278] wlan0: association with c0:25:e9:40:b4:a4 timed out
[ 475.349300] wlan0: authenticate with c0:25:e9:40:b4:a4
[ 475.349314] wlan0: 80 MHz not supported, disabling VHT
[ 476.206173] wlan0: send auth to c0:25:e9:40:b4:a4 (try 1/3)
[ 476.975567] wlan0: authenticated
[ 476.979175] wlan0: associate with c0:25:e9:40:b4:a4 (try 1/3)
[ 477.829751] wlan0: RX AssocResp from c0:25:e9:40:b4:a4 (capab=0x431 status=0 aid=5)
[ 478.043196] wlan0: associated
[ 481.004638] wlan0: disassociated from c0:25:e9:40:b4:a4 (Reason: 2=PREV_AUTH_NOT_VALID)
[ 492.863601] mt76x0u 1-1:1.0 wlan0: left promiscuous mode
[ 495.005670] wlan0: authenticate with c0:25:e9:40:b4:a4
[ 495.005708] wlan0: 80 MHz not supported, disabling VHT
[ 496.330559] wlan0: send auth to c0:25:e9:40:b4:a4 (try 1/3)
[ 496.334633] wlan0: authenticated
[ 496.341254] wlan0: associate with c0:25:e9:40:b4:a4 (try 1/3)
[ 496.347884] wlan0: RX AssocResp from c0:25:e9:40:b4:a4 (capab=0x431 status=0 aid=5)
[ 496.563262] wlan0: associated
[ 542.715262] warning: `iwconfig' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211
[ 542.858267] wlan0: deauthenticating from c0:25:e9:40:b4:a4 by local choice (Reason: 3=DEAUTH_LEAVING)
[ 549.072292] mt76x0u 1-1:1.0 wlan0mon: entered promiscuous mode
[ 549.072296] mt76x0u 1-1:1.0 wlan0mon: entered allmulticast mode
[ 714.791921] BUG: kernel NULL pointer dereference, address: 0000000000000018
[ 714.791936] #PF: supervisor write access in kernel mode
[ 714.791943] #PF: error_code(0x0002) - not-present page
[ 714.791948] PGD 0 P4D 0
[ 714.791957] Oops: 0002 [#1] PREEMPT SMP PTI
[ 714.791965] CPU: 0 PID: 11497 Comm: hcxdumptool Not tainted 6.5.0-kali3-amd64 #1 Debian 6.5.6-1kali1
[ 714.791975] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 714.791980] RIP: 0010:mt76x02_add_interface+0x14c/0x1a0 [mt76x02_lib]
[ 714.792069] Code: 00 48 89 83 58 05 00 00 48 c7 83 68 05 00 00 00 00 00 00 b8 fe 00 00 00 83 e2 07 29 d0 48 05 0c 06 00 00 48 89 74 c5 08 31 c0 <66> 89 4f 18 5b 5d c3 cc cc cc cc 32 8d 78 02 00 00 c0 e9 02 83 e1
[ 714.792079] RSP: 0018:ffffa3dd864ef7c8 EFLAGS: 00010246
[ 714.792089] RAX: 0000000000000000 RBX: ffff88a7cc9bdc58 RCX: 00000000000000fe
[ 714.792096] RDX: 0000000000000000 RSI: ffff88a7cc9be080 RDI: 0000000000000000
[ 714.792102] RBP: ffff88a7d0aa2080 R08: 0000000000000000 R09: 0000000000038040
[ 714.792109] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88a7d0aa0900
[ 714.792115] R13: 00000000ffffffff R14: ffff88a7cc9bc9c0 R15: 0000000000000000
[ 714.792121] FS: 00007f95ab0a2740(0000) GS:ffff88a7dbc00000(0000) knlGS:0000000000000000
[ 714.792130] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 714.792137] CR2: 0000000000000018 CR3: 0000000105f32002 CR4: 00000000000706f0
[ 714.792152] Call Trace:
[ 714.792161]
[ 714.792168] ? __die+0x23/0x70
[ 714.792201] ? page_fault_oops+0x171/0x4f0
[ 714.792221] ? exc_page_fault+0x7f/0x180
[ 714.792234] ? asm_exc_page_fault+0x26/0x30
[ 714.792254] ? mt76x02_add_interface+0x14c/0x1a0 [mt76x02_lib]
[ 714.792286] ? mt76x02_add_interface+0x56/0x1a0 [mt76x02_lib]
[ 714.792316] drv_add_interface+0x4d/0x130 [mac80211]
[ 714.792462] ieee80211_do_open+0x71c/0x7e0 [mac80211]
[ 714.792633] ieee80211_open+0x6a/0x90 [mac80211]
[ 714.792794] __dev_open+0xf4/0x1a0
[ 714.792820] __dev_change_flags+0x1d5/0x240
[ 714.792835] ? kmem_cache_alloc_node+0x17d/0x380
[ 714.792849] dev_change_flags+0x26/0x70
[ 714.792864] do_setlink+0x39c/0x12d0
[ 714.792880] ? _raw_spin_unlock_irqrestore+0x27/0x50
[ 714.792889] ? __wake_up_common_lock+0x8f/0xd0
[ 714.792904] ? __nla_validate_parse+0x61/0xce0
[ 714.792917] ? netlink_broadcast+0x13c/0x470
[ 714.792933] ? __rtnl_unlock+0x37/0x60
[ 714.792994] __rtnl_newlink+0x651/0xa10
[ 714.793014] ? __kmem_cache_alloc_node+0x176/0x310
[ 714.793024] ? rtnl_newlink+0x2e/0x70
[ 714.793042] rtnl_newlink+0x47/0x70
[ 714.793055] rtnetlink_rcv_msg+0x152/0x3c0
[ 714.793069] ? copyout+0x20/0x30
[ 714.793077] ? _copy_to_iter+0x5e/0x4a0
[ 714.793088] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 714.793100] netlink_rcv_skb+0x5b/0x110
[ 714.793123] netlink_unicast+0x1a6/0x290
[ 714.793138] netlink_sendmsg+0x254/0x4d0
[ 714.793156] sock_write_iter+0x175/0x180
[ 714.793178] vfs_write+0x39a/0x440
[ 714.793239] ksys_write+0xbb/0xf0
[ 714.793253] do_syscall_64+0x60/0xc0
[ 714.793263] ? syscall_exit_to_user_mode+0x2b/0x40
[ 714.793275] ? do_syscall_64+0x6c/0xc0
[ 714.793284] ? exit_to_user_mode_prepare+0x40/0x1d0
[ 714.793299] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 714.793311] RIP: 0033:0x7f95ab19cb00
[ 714.793321] Code: 40 00 48 8b 15 19 b3 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d e1 3a 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
[ 714.793329] RSP: 002b:00007ffd7b4ed248 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[ 714.793340] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f95ab19cb00
[ 714.793347] RDX: 0000000000000020 RSI: 000055e7a9611640 RDI: 0000000000000003
[ 714.793353] RBP: 000055e7a9601640 R08: 0000000000000000 R09: 0000000000000000
[ 714.793358] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 714.793364] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 714.793379]
[ 714.793384] Modules linked in: ctr ccm mt76x0u mt76x0_common mt76x02_usb mt76_usb mt76x02_lib mt76 mac80211 libarc4 cfg80211 snd_seq_dummy snd_hrtimer snd_seq snd_seq_device rfkill qrtr vboxsf snd_intel8x0 snd_ac97_codec intel_rapl_msr ac97_bus intel_rapl_common snd_pcm intel_pmc_core snd_timer snd rapl joydev sg soundcore vboxguest pcspkr serio_raw evdev ac sunrpc binfmt_misc fuse dm_mod loop efi_pstore configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic hid_generic usbhid hid crc32_pclmul crc32c_intel sd_mod t10_pi crc64_rocksoft_generic ghash_clmulni_intel crc64_rocksoft crc_t10dif sha512_ssse3 crct10dif_generic crct10dif_pclmul crc64 crct10dif_common sr_mod cdrom ata_generic sha512_generic ahci ata_piix libahci vmwgfx drm_ttm_helper ttm aesni_intel drm_kms_helper libata ohci_pci crypto_simd scsi_mod cryptd ohci_hcd ehci_pci psmouse ehci_hcd scsi_common drm usbcore usb_common e1000 i2c_piix4 video wmi button
[ 714.793626] CR2: 0000000000000018
[ 714.793657] ---[ end trace 0000000000000000 ]---
[ 714.793664] RIP: 0010:mt76x02_add_interface+0x14c/0x1a0 [mt76x02_lib]
[ 714.793697] Code: 00 48 89 83 58 05 00 00 48 c7 83 68 05 00 00 00 00 00 00 b8 fe 00 00 00 83 e2 07 29 d0 48 05 0c 06 00 00 48 89 74 c5 08 31 c0 <66> 89 4f 18 5b 5d c3 cc cc cc cc 32 8d 78 02 00 00 c0 e9 02 83 e1
[ 714.793704] RSP: 0018:ffffa3dd864ef7c8 EFLAGS: 00010246
[ 714.793713] RAX: 0000000000000000 RBX: ffff88a7cc9bdc58 RCX: 00000000000000fe
[ 714.793719] RDX: 0000000000000000 RSI: ffff88a7cc9be080 RDI: 0000000000000000
[ 714.793725] RBP: ffff88a7d0aa2080 R08: 0000000000000000 R09: 0000000000038040
[ 714.793730] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88a7d0aa0900
[ 714.793736] R13: 00000000ffffffff R14: ffff88a7cc9bc9c0 R15: 0000000000000000
[ 714.793742] FS: 00007f95ab0a2740(0000) GS:ffff88a7dbc00000(0000) knlGS:0000000000000000
[ 714.793750] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 714.793756] CR2: 0000000000000018 CR3: 0000000105f32002 CR4: 00000000000706f0

last but not least im sorry if this is annoying and if you want me to stop just let me know lol thank you

[ZerBea]

No, you don't annoy me and there is no need to feel sorry, but I can't help you due to several reasons:

First reason:
Let's take a look at the screenshot. It shows an ERROR in the python code of wifite.
I don't use wifite, so I can't help you in that case. Maybe you should report it / ask for help here:
https://github.com/kimocoder/wifite2/issues

Second reason:
Regarding hcxdumptool, please take a look at its help function:

$ hcxdumptool --help
hcxdumptool 6.3.2-18-g1266cf2  (C) 2023 ZeroBeat
Additional information:
-----------------------
first stop all services that take access to the interface, e.g.:
$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service
run hcxdumptool
press ctrl+c to terminate
press GPIO button to terminate
 hardware modification is necessary, read more:
 https://github.com/ZerBea/hcxdumptool/tree/master/docs
stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
do not use virtual machines or emulators
do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
do not use tools to change MAC (like macchanger)
do not merge (pcapng) dump files, because this destroys assigned hash values!
to store entire traffic, run <tshark -i <interface> -w allframes.pcapng> in parallel on the same interface

Have you stopped all services that take access to the physical interface as mentioned in help?
first stop all services that take access to the interface

get information about running services:
$ sudo systemctl --type=service --state=running
and stop them, e.g.:

$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service

But this are the real important parts as mentioned in help:

do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
you use a third party tool (iw or airmon-ng) that set monitor

do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
you run hcxdumptool on a virtual interface named wlan0mon

[ 549.072292] mt76x0u 1-1:1.0 wlan0mon: entered promiscuous mode
[ 549.072296] mt76x0u 1-1:1.0 wlan0mon: entered allmulticast mode

looks like one of your scripts tried to set monitor mode via iwconfig:
[ 542.715262] warning: iwconfig' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211`
iwconfig is a lovely, but outdated wireless extension (WEXT) dinosaur that should not be used any longer

this is done by wifite (that possible run airmon-ng that possible run iw)
from wifite2 python code:

wifite/tools/airmon.py:from .iw import Iw
wifite/tools/airmon.py:    use_ipiw = False
wifite/tools/airmon.py:            Process(['iwconfig', interface, 'mode', 'monitor']).stdout()
wifite/tools/airmon.py:        # if it fails, try to use ip/iw
wifite/tools/airmon.py:            cls.use_ipiw = True
wifite/tools/airmon.py:        if cls.use_ipiw:
wifite/tools/dependency.py:        from .iw import Iw
wifite/tools/iw.py:    dependency_name = 'iw'
wifite/tools/iw.py:    dependency_url = 'apt install iw'
wifite/tools/iw.py:            return Process.call(f'iw {iface} set monitor control')
wifite/tools/iw.py:            return Process.call(f'iw {iface} type {mode_name}')
wifite/tools/iw.py:        (out, err) = Process.call('iw dev')

do not use virtual machines or emulators
you run hcxdumptool inside a virtual machine

do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
make sure that there are no tools running in parallel to hcxdumptool (e.g. airodump-ng)

do not use tools to change MAC (like macchanger)
you run macchanger instead of using hcxdumptool's internal randomized mac address pool
hcxdumptool info mode:
1 4 00c0cab10a87 00c0cab10a87 * wlp22s0f0u9u3 mt76x0u (NETLINK)
hcxdumptool attack mode:
1 4 00c0cab10a87 f04f7ccf3825 * wlp22s0f0u9u3 mt76x0u (NETLINK)
the virtual-mac has been changed by hcxdumptool

I'll say there are too many screws to turn for it to work (or to analyze what went wrong).

[ZerBea]

To discover what went wrong, I suggest
to set up a Linux distribution (not inside a VM)
to manually configure the distribution so that you know what services are running
to stop all services that take access to the device
and to run hcxdumptool an a fresh plugged-in device

Everything else is like reading from chicken bones.

[ZerBea]

from dmesg.airgeddon.hcxdumptool:

[  707.776219] warning: `iwconfig' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211
[  747.542374] wlan0: deauthenticating from c0:25:e9:40:b4:a4 by local choice (Reason: 3=DEAUTH_LEAVING)
[  833.723472] mt76x0u 1-1:1.0 wlan0mon: entered promiscuous mode
[  833.723480] mt76x0u 1-1:1.0 wlan0mon: entered allmulticast mode

exactly the same:
monitor mode by outdated tool that still uses WEXT
virtual monitor interface wlan0mon

[ZerBea]

BTW:
I am running another wifi adapter (not at the same time) TP-Link Archer T2U PLUS [RTL8821AU] and that seems to work normally.
For sure it will do.

MediaTek mt76 devices provide a new mode called "active monitor mode".

0 3 00c0cab4623a 00c0cab4623a * wlan0 mt76x0u (NETLINK)
1 4 40ed007efa41 9ee7ecaba507 + wlan1 rtl8821au (NETLINK)

* active monitor mode available (reported by driver)
+ monitor mode available (reported by driver)
- no monitor mode available

To perform ultra fast PMKID attacks, hcxdumptool use this mode (as of today, hcxdumptool is the only tool that use this mode)
Once started, hcxdumptool set active monitor mode if the device support that. Unfortunately this interferes with the WEXT dinosaurs.
That is not the case, if the device (e.g.: rtl8821au) does not support active monitor mode.

To identify this WEXT dinosaurs, run (on Linux kernel >= 6.3):
$ sudo dmesg | grep "stop working for Wi-Fi"

Straight after the release of version 6.2.9 hcxdumptool moved from WEXT to RTNETLINK and NL80211 (see changelog):

06.04.2023
==========
release v6.2.9
several bug fixes

This is the last version:
that use WIRELESS EXTENSIONS
that use ETHTOOL to get/set virtual MAC address
that use old style status output
that use soft coded filter lists
that use msec timestamp
that use crypto stuff
that use server/client mode to display status

Next version will go back to the roots:
set focus on WPA PSK (WPA1, WPA2, WPA2 key version 3)
set bandwidth to 20MHz to increase range
set bitrate to lowest values to increase range
use active monitor mode
use NL80211 stack
use RTNETLINK
band a, b, c, d, e support
use NMEA messages:
 $GPRMC: Position, velocity, time and date
 $GPGGA: Position, orthometric height, fix related data, time
 $GPWPL: Position and MAC AP
 $GPTXT: ESSID in HEX ASCII
remove options that slow hcxdumptool down

Since version 6.2.3 WEXT has been retired (see changelog):

05.05.2023
==========
release v6.3.0

Since kernel 6.3 Kernel developer decided to print a dmesg warning if tools are detected that use deprecated WEXT:
[ 2770.939021] warning: `hcxdumptool' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211
hcxdumptool used ioctl(SIOCGIWNAME) to detect presence of WEXT. That was the last remnant of WEXT code.
To get rid of this dmesg warning, this detection has been removed by latest commit.

[dontholdmyhand]

do not use virtual machines or emulators
you run hcxdumptool inside a virtual machine

i didnt think too much about it honestly my bad

as for setting up logical interfaces for wlan0 i never have before i started using macchanger with wifite today, thats whats changing it to wlan0mon, usually wifite without macchanger would just keep it wlan0 but on monitor mode

$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service

as for this, with wifite the --kill functions does these for and when i usually want to just kill these functions and not run wifite, ill run sudo wifite --kill and terminate it after and keep them down before using a different wifi attacker script

do not use tools to change MAC (like macchanger)
you run macchanger instead of using hcxdumptool's internal randomized mac address pool
hcxdumptool info mode:
1 4 00c0cab10a87 00c0cab10a87 * wlp22s0f0u9u3 mt76x0u (NETLINK)
hcxdumptool attack mode:
1 4 00c0cab10a87 f04f7ccf3825 * wlp22s0f0u9u3 mt76x0u (NETLINK)
the virtual-mac has been changed by hcxdumptool

i know i just realized that i messed up by doing all that stuff while troubleshooting, i shoulda left things how i originally used it, i never used macchanger before yesterday honestly.

BTW:
I am running another wifi adapter (not at the same time) TP-Link Archer T2U PLUS [RTL8821AU] and that seems to work normally.
For sure it will do.

MediaTek mt76 devices provide a new mode called "active monitor mode".

0 3 00c0cab4623a 00c0cab4623a * wlan0 mt76x0u (NETLINK)
1 4 40ed007efa41 9ee7ecaba507 + wlan1 rtl8821au (NETLINK)

at the time of that i was running them at the same time to mess around with mitm stuff but i didnt get anywhere i was testing all of this before plugging in another wifi adapter, i was only running the alfa mt76x0u

To perform ultra fast PMKID attacks, hcxdumptool use this mode (as of today, hcxdumptool is the only tool that use this mode)
Once started, hcxdumptool set active monitor mode if the device support that. Unfortunately this interferes with the WEXT dinosaurs.
That is not the case, if the device (e.g.: rtl8821au) does not support active monitor mode.

To identify this WEXT dinosaurs, run (on Linux kernel >= 6.3):
$ sudo dmesg | grep "stop working for Wi-Fi"
Straight after the release of version 6.2.9 hcxdumptool moved from WEXT to RTNETLINK and NL80211 (see changelog):

sorry for the dumb/beginner questions, but are you saying that other programs like wifite are using still wext which is probably whats crashing me, versus hcxdumptools moving to rtnetlink and nl80211 which isnt depreciated and doesnt crash me?

also is this something i can configure the other programs to do or is it something the program dev sets up

this is what im getting and perhaps a stupider question but i can switch to nl80211 through a bash command or something lol

one last question cause im feeling like im stepping into a zone where im not qualified to like keep asking, i need a couple of years of this stuff before i can fully get a grasp on all this stuff but i especially need to learn more about BPF and just filters in general

available frequencies: frequency [channel] tx-power of Regulatory Domain: US
This setting (via iw) is not persistent. To make it persistent it is mandatory to uncomment the domain in the config file.

you mentioned this earlier, is there an easy way to find the config file? and say i do edit it and mess something up, what could it break lol

thank you so much for all the help and guidance i know its not easy to be answering random questions all day lol

[ZerBea]

hcxdumptool may work inside a VM, but that depend on the configuration of the VM. It is mandatory that the VM pass everything through.
If the VM still has access to the device, hcxdumptool may not work as expected.

NL80211 is the successor of WEXT.
https://wireless.wiki.kernel.org/en/developers/Documentation/Wireless-Extensions
That is a decision of the Linux kernel developers. It's up to the coders of the tools to use NL80211 or not. If the don't use it, a warning in dmesg log is printed. You can do nothing.

iwconfig is outdated and it has been replaced by iw
https://wireless.wiki.kernel.org/en/users/Documentation/iw/replace-iwconfig
https://www.tecmint.com/deprecated-linux-networking-commands-and-their-replacements/

wifite2 and airgeddon are scripts. This scripts manage other tools (e.g. iw or iwconfig, ip link or ifconfig) that set monitor mode and do the attacks (e.g. aireplay-ng or hcxdumptool) or dump the traffic (e.g. airodump-ng or tshark).

There is no easy way to find the config files, because that depend on the distribution, e.g. running Arch Linux the config file is here:

$ cat /etc/conf.d/wireless-regdom
#
# Wireless regulatory domain configuration
#

#WIRELESS_REGDOM="00"
#WIRELESS_REGDOM="AD"
#WIRELESS_REGDOM="AE"
...
#WIRELESS_REGDOM="YT"
#WIRELESS_REGDOM="ZA"
#WIRELESS_REGDOM="ZW"

Instead of filtering the entire traffic itself, hcxdumptool attach a piece of code /Berkeley Packet Filter Code) to the Linux kernel that contain the filter. Once attached, the kernel does the entire filtering. That is ultra fast.
Filter everything out except frames from/to a BSSID: "wlan addr3"
the assembler filter code looks like this:

$ sudo tcpdump -i wlp48s0f4u2u4 wlan addr3 11:22:33:44:55:66 -d
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[0]
(006) tax      
(007) ldb      [x + 0]
(008) and      #0xc
(009) jeq      #0x4             jt 15	jf 10
(010) ld       [x + 18]
(011) jeq      #0x33445566      jt 12	jf 15
(012) ldh      [x + 16]
(013) jeq      #0x1122          jt 14	jf 15
(014) ret      #262144
(015) ret      #0

the c code looks like this:

$ sudo tcpdump -i wlp48s0f4u2u4 wlan addr3 11:22:33:44:55:66 -dd
{ 0x30, 0, 0, 0x00000003 },
{ 0x64, 0, 0, 0x00000008 },
{ 0x7, 0, 0, 0x00000000 },
{ 0x30, 0, 0, 0x00000002 },
{ 0x4c, 0, 0, 0x00000000 },
{ 0x2, 0, 0, 0x00000000 },
{ 0x7, 0, 0, 0x00000000 },
{ 0x50, 0, 0, 0x00000000 },
{ 0x54, 0, 0, 0x0000000c },
{ 0x15, 5, 0, 0x00000004 },
{ 0x40, 0, 0, 0x00000012 },
{ 0x15, 0, 3, 0x33445566 },
{ 0x48, 0, 0, 0x00000010 },
{ 0x15, 0, 1, 0x00001122 },
{ 0x6, 0, 0, 0x00040000 },
{ 0x6, 0, 0, 0x00000000 },

and the code, accepted by hcxdumptool looks like this:
$ sudo tcpdump -i wlp48s0f4u2u4 wlan addr3 11:22:33:44:55:66 -ddd

16
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
2 0 0 0
7 0 0 0
80 0 0 0
84 0 0 12
21 5 0 4
64 0 0 18
21 0 3 860116326
72 0 0 16
21 0 1 4386
6 0 0 262144
6 0 0 0

That is all the same code, but different formats.

There are several ways to code the filter:
by hand as assembler code (assembler source)
by hand as c source code (c struct)
ready compiled (and accepted by hcxdumptool beacause it doesn't have a built in vcompiler)
There are several tools /compilers you can use, e,g, tcpdump (high level language, easy for beginners, dumpcap, bpf tools)
https://en.wikipedia.org/wiki/Berkeley_Packet_Filter
https://www.kernel.org/doc/html/latest/bpf/index.html

An explanation of the high level language is here:
https://tshark.dev/capture/capture_filters/
https://www.wireshark.org/docs/dfref/w/wlan.html

[ZerBea]

start-mon.sh, airmon-ng, wifite2, airgeddon and others are really good scripts to be used by beginners.
But if you really like to learn the stuff, I recommend to set up a Linux distribution "by hand" (do not use a GUI installer). If you have done this and the distribution starts for the first time, you'll know the locations of all configs and all running services.

Start all tools by hand (not via a script of which you do not know what it is doing) and check log files and output of the tools to figure out what went wrong.
In parallel learn 802.11 stuff so that you have an idea about the output of this tools.

[dontholdmyhand]

i just wanna start off by saying thank you so much for being amazing and providing alot of info and alot of content for me to read up on.

and thats exactly where im at, im trying to not be a script kiddie and learn how the tools that wifite and airgeddon use, i do not have a networking background or any experience with linux systems at all, kali is the thing im learning on and and working without guis is so hard but i lowkey love it, i just wish i could compare between clis and guis versions of that stuff on kali, but other than wireshark i dont think theres anything that has a gui (from what ive used), as for setting up a linux distro by hand, are you talking about setting it up without a hypervisor?

all in all im getting more into understand how every type of attack works in the network through the tools that use those and not wifite or whatever just like you said, the way to actually figure out whats going on is to use the proper tool for something and be able to understand the output

[ZerBea]

On the bright side: All the scripts mentioned above are excellent. But unfortunately you'll learn nothing.

Correct, I'm talking about a set up without a hypervisor, only by reading some installation instructions.

A first step could be playing around with a live distribution to learn the basic steps, e.g.:
https://archlinux.org/download/

Next is step to read the installation guide:
https://wiki.archlinux.org/title/Installation_guide

BTW:
hcxdumptool is part of this distribution:
https://archlinux.org/packages/extra/x86_64/hcxdumptool/
as well as hcxtools:
https://archlinux.org/packages/extra/x86_64/hcxtools/

If you prefer a penetration testing distribution, this could be a solution, too;
https://www.blackarch.org/

hcxdumptool/hcxtools are part of this distribution, too:
https://www.blackarch.org/tools.html

That will work on other distributions, too, e.g.:
Debian
Raspberry Pi OS Lite (Raspperry Pi)

[dontholdmyhand]

ive heard about archlinux but never really tried it as it seems like way above what i understand, and kali was recommended by the google cert im doing for cybersecurity/pen testing thats why, buttt i would love to dive deeper into other distros, blackarch even sounds alot cooler than kali so theres that lol

how different is arch from debian, i know thats such a wide silly question that can be googled but im tryna gauge like how realistically different it is if that makes sense lol

one last question:

how can i use use nl80211 to turn monitor mode on, if i shouldnt be using iw or stuff like that

[ZerBea]

How can i use use nl80211 to turn monitor mode on, if i should'nt be using iw or stuff like that?

First of all please take a look at iw to set monitor mode:
get device information:

$ iw dev
phy#5
	Interface wlp48s0f4u2u4
		ifindex 9
		wdev 0x500000001
		addr 50:3e:aa:92:e3:26
		type managed
		txpower 0.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0

set interface down:
$ sudo ip link set wlp48s0f4u2u4 down

set active monitor mode:
$ sudo iw dev wlp48s0f4u2u4 set monitor active

set interface up:
$ sudo ip link set wlp48s0f4u2u4 up

check that interface is in monitor mode:

$ iw dev
phy#5
	Interface wlp48s0f4u2u4
		ifindex 9
		wdev 0x500000001
		addr 50:3e:aa:92:e3:26
		type monitor
		channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
		txpower 14.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0

The physical device has been turned into a physical monitor interface.

Now hcxdumptool's way.
get interface information:

$ hcxdumptool -L

Requesting physical interface capabilities. This may take some time.
Please be patient...

available wlan devices:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  6  10 503eaa92e326 503eaa92e326 * wlp48s0f4u2u4    mt76x0u (NETLINK)

* active monitor mode available (reported by driver)
+ monitor mode available (reported by driver)
- no monitor mode available

bye-bye

set monitor mode, set interface up and make it operational:

$ sudo hcxdumptool -m wlp48s0f4u2u4

Requesting physical interface capabilities. This may take some time.
Please be patient...

interface information:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  6  10 503eaa92e326 503eaa92e326 * wlp48s0f4u2u4    mt76x0u (NETLINK)


available frequencies: frequency [channel] tx-power of Regulatory Domain: DE

  2412 [  1] 14.0 dBm	  2417 [  2] 14.0 dBm	  2422 [  3] 14.0 dBm	  2427 [  4] 14.0 dBm
  2432 [  5] 14.0 dBm	  2437 [  6] 14.0 dBm	  2442 [  7] 14.0 dBm	  2447 [  8] 14.0 dBm
  2452 [  9] 14.0 dBm	  2457 [ 10] 14.0 dBm	  2462 [ 11] 14.0 dBm	  2467 [ 12] 14.0 dBm
  2472 [ 13] 14.0 dBm	  2484 [ 14] disabled	  5180 [ 36] 17.0 dBm	  5200 [ 40] 17.0 dBm
  5220 [ 44] 17.0 dBm	  5240 [ 48] 17.0 dBm	  5260 [ 52] 17.0 dBm	  5280 [ 56] 17.0 dBm
  5300 [ 60] 17.0 dBm	  5320 [ 64] 17.0 dBm	  5500 [100] 17.0 dBm	  5520 [104] 17.0 dBm
  5540 [108] 17.0 dBm	  5560 [112] 17.0 dBm	  5580 [116] 17.0 dBm	  5600 [120] 17.0 dBm
  5620 [124] 17.0 dBm	  5640 [128] 17.0 dBm	  5660 [132] 17.0 dBm	  5680 [136] 17.0 dBm
  5700 [140] 17.0 dBm	  5720 [144] 13.0 dBm	  5745 [149] 13.0 dBm	  5765 [153] 13.0 dBm
  5785 [157] 13.0 dBm	  5805 [161] 13.0 dBm	  5825 [165] 13.0 dBm	  5845 [169] 13.0 dBm
  5865 [173] 13.0 dBm	  5885 [177] disabled


monitor mode is active...

bye-bye

This step is not necessary, but useful for educational purpose.
Check device by iw:

$ iw dev
phy#6
	Interface wlp48s0f4u2u4
		ifindex 10
		wdev 0x600000001
		addr 50:3e:aa:92:e3:26
		type monitor
		channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
		txpower 14.00 dBm
		multicast TXQ:
			qsz-byt	qsz-pkt	flows	drops	marks	overlmt	hashcol	tx-bytes	tx-packets
			0	0	0	0	0	0	0	0		0

capture some packet to discover that it is really operational:

$ tshark -i wlp48s0f4u2u4
Capturing on 'wlp48s0f4u2u4'
23 packets captured

[ZerBea]

ifconfig is outdated and has been replaced by ip link
iwconfig is outdated and has been replaced by iw

hcxdumptool use RTNETLINK and NL80211 only.
you can monitor hcxdumptool's RTNETLINK and NL80211 communication with the kernel if you run a NETLINK monitor interface:

$ sudo ip link add  nlmon0 type nlmon
$ sudo ip link set dev nlmon0 up

run tshark to monitor RTNETLINK / NETLINK traffic and in parallel hcxdumptool -m INTERFACENAME

$ tshark -i nlmon0
Capturing on 'nlmon0'
    1 18:43:19,765207880              →              Netlink route 36  
    2 18:43:19,765284202              →              Netlink route 2916  
    3 18:43:19,765312114              →              Netlink route 2900  
    4 18:43:19,765317975              →              Netlink 36  
    5 18:43:19,765321892              →              Netlink route 36  
    6 18:43:19,765328795              →              Netlink route 180  
    7 18:43:19,765334656              →              Netlink route 240  
    8 18:43:19,765338724              →              Netlink 36  
    9 18:43:20,775170199              →              Netlink generic 48  
   10 18:43:20,775227276              →              Netlink generic 2512  
   11 18:43:20,775231894              →              Netlink 52  
   12 18:43:20,775252903              →              nl80211 36  
   13 18:43:20,775267811              →              nl80211 476  
   14 18:43:20,775270857              →              Netlink 52  
   15 18:43:20,775277790              →              nl80211 40  
   16 18:43:20,775334465              →              nl80211 4584  
   17 18:43:20,775342901              →              Netlink 36  
   18 18:43:20,775691350              →              nl80211 36  
   19 18:43:20,775700768              →              nl80211 204  

[dontholdmyhand]

this is gonna send me down the rtnetlink and NL80211 rabbit hole, i feel like im reading stuff i need a bunch of previous information to understand though and that hinders me alot, would it be smart to ask chatgpt to eli5 these things so i can just have a basic idea of whats going on?

also after i setup nlmon0 do i need a different device for it or is it showing up as deviceless cause my device is currently on wlan0 with monitor mode

[ZerBea]

nlmon0 is an additional interface that monitor the entire RTNETLINK and NETLINK traffic between the kernel and the user space.
You can store the traffic via tshark -w or you can see the content of the packets directly via Wireshark
An example:
set nlmon0
connect a WiFi device
run Wireshakr on nlmon0
set interface up
$ sudo ip link set wlp48s0f4u2u4 up
run a network scan
$ sudo iw dev wlp48s0f4u2u4 scan
and analyze the NL80211 packets shown by Wireshark

[dontholdmyhand]

is this what im supposed to be looking at? im clueless to what they mean honestly, if i understand correctly im listening into the communications between the kernel of the linux machine and myself or what im doing on the machine? in what instance would this be needed for?

just to make sure radiotap means monitor mode right?

[ZerBea]

Correct, these are the packets between kernel and user space. You can store them via tshark -w option and take a look at the content later on via Wireshark or you can monitor them via Wireshark and take a look at the content directly.

Radiotap does not mean monitor mode. It is a header which is added by the driver to a packet.
This is an entire frame:

Frame 1: 113 bytes on wire (904 bits), 113 bytes captured (904 bits)
Radiotap Header v0, Length 18
802.11 radio information
IEEE 802.11 Association Request, Flags: ........
IEEE 802.11 Wireless Management

This is the content of the radiotap header:

Radiotap Header v0, Length 18
    Header revision: 0
    Header pad: 0
    Header length: 18
    Present flags
        Present flags word: 0x0000482e
            .... .... .... .... .... .... .... ...0 = TSFT: Absent
            .... .... .... .... .... .... .... ..1. = Flags: Present
            .... .... .... .... .... .... .... .1.. = Rate: Present
            .... .... .... .... .... .... .... 1... = Channel: Present
            .... .... .... .... .... .... ...0 .... = FHSS: Absent
            .... .... .... .... .... .... ..1. .... = dBm Antenna Signal: Present
            .... .... .... .... .... .... .0.. .... = dBm Antenna Noise: Absent
            .... .... .... .... .... .... 0... .... = Lock Quality: Absent
            .... .... .... .... .... ...0 .... .... = TX Attenuation: Absent
            .... .... .... .... .... ..0. .... .... = dB TX Attenuation: Absent
            .... .... .... .... .... .0.. .... .... = dBm TX Power: Absent
            .... .... .... .... .... 1... .... .... = Antenna: Present
            .... .... .... .... ...0 .... .... .... = dB Antenna Signal: Absent
            .... .... .... .... ..0. .... .... .... = dB Antenna Noise: Absent
            .... .... .... .... .1.. .... .... .... = RX flags: Present
            .... .... .... .... 0... .... .... .... = TX flags: Absent
            .... .... .... ..0. .... .... .... .... = data retries: Absent
            .... .... .... .0.. .... .... .... .... = Channel+: Absent
            .... .... .... 0... .... .... .... .... = MCS information: Absent
            .... .... ...0 .... .... .... .... .... = A-MPDU Status: Absent
            .... .... ..0. .... .... .... .... .... = VHT information: Absent
            .... .... .0.. .... .... .... .... .... = frame timestamp: Absent
            .... .... 0... .... .... .... .... .... = HE information: Absent
            .... ...0 .... .... .... .... .... .... = HE-MU information: Absent
            .... .0.. .... .... .... .... .... .... = 0 Length PSDU: Absent
            .... 0... .... .... .... .... .... .... = L-SIG: Absent
            .... ..0. .... .... .... .... .... .... = Reserved: 0x0
            ...0 .... .... .... .... .... .... .... = TLVs: Absent
            ..0. .... .... .... .... .... .... .... = Radiotap NS next: False
            .0.. .... .... .... .... .... .... .... = Vendor NS next: False
            0... .... .... .... .... .... .... .... = Ext: Absent
    Flags: 0x00
        .... ...0 = CFP: False
        .... ..0. = Preamble: Long
        .... .0.. = WEP: False
        .... 0... = Fragmentation: False
        ...0 .... = FCS at end: False
        ..0. .... = Data Pad: False
        .0.. .... = Bad FCS: False
        0... .... = Short GI: False
    Data Rate: 1,0 Mb/s
    Channel frequency: 2432 [BG 5]
    Channel flags: 0x00a0, Complementary Code Keying (CCK), 2 GHz spectrum
        .... .... .... ...0 = 700 MHz spectrum: False
        .... .... .... ..0. = 800 MHz spectrum: False
        .... .... .... .0.. = 900 MHz spectrum: False
        .... .... ...0 .... = Turbo: False
        .... .... ..1. .... = Complementary Code Keying (CCK): True
        .... .... .0.. .... = Orthogonal Frequency-Division Multiplexing (OFDM): False
        .... .... 1... .... = 2 GHz spectrum: True
        .... ...0 .... .... = 5 GHz spectrum: False
        .... ..0. .... .... = Passive: False
        .... .0.. .... .... = Dynamic CCK-OFDM: False
        .... 0... .... .... = Gaussian Frequency Shift Keying (GFSK): False
        ...0 .... .... .... = GSM (900MHz): False
        ..0. .... .... .... = Static Turbo: False
        .0.. .... .... .... = Half Rate Channel (10MHz Channel Width): False
        0... .... .... .... = Quarter Rate Channel (5MHz Channel Width): False
    Antenna signal: -27 dBm
    Antenna: 1
    RX flags: 0x0000
        .... .... .... .... .... ..0. = Bad PLCP: False

It contain information collected by the device, e.g. used antenna, signal strength, frequency and a lot more.

[ZerBea]

Basically all distributions are Linux. If you get it (Linux kernel) it doesn't matter what distribution you use.
But only if you install it from scratch, you'll know what's going on (which services are running, location of the configuration files, package manager). That is not the case if you use the default configuration.

An example.
My running services (coding/testing machine running Arch Linux):

$ sudo systemctl --type=service --state=running
  UNIT                     LOAD   ACTIVE SUB     DESCRIPTION                                   
  accounts-daemon.service  loaded active running Accounts Service
  acpid.service            loaded active running ACPI event daemon
  colord.service           loaded active running Manage, Install and Generate Color Profiles
  cups.service             loaded active running CUPS Scheduler
  dbus.service             loaded active running D-Bus System Message Bus
  lightdm.service          loaded active running Light Display Manager
  ntpd.service             loaded active running Network Time Service
  polkit.service           loaded active running Authorization Manager
  rtkit-daemon.service     loaded active running RealtimeKit Scheduling Policy Service
  systemd-journald.service loaded active running Journal Service
  systemd-logind.service   loaded active running User Login Management
  systemd-networkd.service loaded active running Network Configuration
  systemd-resolved.service loaded active running Network Name Resolution
  systemd-udevd.service    loaded active running Rule-based Manager for Device Events and Files
  udisks2.service          loaded active running Disk Manager
  upower.service           loaded active running Daemon for power management
  user@1000.service        loaded active running User Manager for UID 1000

My running services (Raspberry running Raspbian OS lite):

$ systemctl --type=service --state=running
  UNIT                         LOAD   ACTIVE SUB     DESCRIPTION                                   
  autologin@tty1.service       loaded active running Getty on tty1
  dbus.service                 loaded active running D-Bus System Message Bus
  systemd-journald.service     loaded active running Journal Service
  systemd-logind.service       loaded active running User Login Management
  systemd-timesyncd.service    loaded active running Network Time Synchronization
  systemd-udevd.service        loaded active running Rule-based Manager for Device Events and Files
  user@0.service               loaded active running User Manager for UID 0
  watchdog.service             loaded active running watchdog daemon

On both machines (especially on the penetration testing machine Raspberry) absolutely nothing that interfere with my workflow / procedures

How about yours?

[dontholdmyhand]

But only if you install it from scratch, you'll know what's going on (which services are running, location of the configuration files, package manager). That is not the case if you use the default configuration.

thats whats gonna be my next project so i can properly learn linux systems without having to depend on a prebuilt image, linux is fascinating as hell, but ive been sucha windows user my entire life its kind of a struggle and im still in my first year of this and im pretty slow lol so it takes some time

im only running 1 virtual machine that i only basically use to test out the things im learning about throughout the course + whatever a question send me down a rabbit hole to lol or something piques my interest

[ZerBea]

Do you need cron, the ModemManager or the random generator (haveged)?

[dontholdmyhand]

i have personally never used cron but i was planning to some time in the future (lol)

as for modemManager or haveged ive never really paid attention to them and just assumed modemManager is something required for me to run my wifi/eth to get internet, and before googling now i never would have thought that haveged is something related to RNG

but no i havent actually, why did you point those 3 out is it something specific or just for example

[ZerBea]

No, you can stop them and/or disable them.

[dontholdmyhand]

just a quick update that i havent encountered any lag since ive started using ip link and iw to switch to monitor mode, ive been tryna learn hcxdumptools & co and mess around with it, the fact that activebeacon and enablestatus i guess those became rcascan? also the the change from -o to -w all the guides are kinda throwing me off lol, reading -h multiple times a day have lowkey helped though lol

ive been running this to do a full scan, based on your recommendation earlier, but ive been changing the reg domain on my own every boot lol (still havent gotten to finding the reg file)

$ sudo hcxdumptool -i wlan0 available frequencies: frequency [channel] tx-power of Regulatory Domain: US -w scannyfile.pcapng

do you think its missing anything important also is it using active or passive mode in that ? if i add --rcascan the pcapng wont save the file for some reason

[ZerBea]

activebeacon and enablestatus i guess those became rcascan
No.

For performance reasons enable status has been move to Makefile. On headless operation you can compile out the entire status display(or the GPS handling if not needed) by comment this line in Makefile:
DEFS += -DSTATUSOUT -DNMEAOUT

activebeacon changed to beacoontx

rcascan now can be done active or passive.
RCA == Radio Channel Assignment

So a command line that include scan mode and attack mode will not work as expected!
You can either run hcxdumptool in scan mode (active or passive) or you can run hcxdumptool in attack mode.
I added some additional information to -h and --help to make this clear:

$ hcxdumptool -h
hcxdumptool 6.3.2-36-g5629bb7  (C) 2023 ZeroBeat
...
--rcascan=<character>     : do (R)adio (C)hannel (A)ssignment scan only
                             default = passive scan
                             a = active scan
                             p = passive scan
                            not in combination with attack modes

and

$ hcxdumptool --help
hcxdumptool 6.3.2-36-g5629bb7  (C) 2023 ZeroBeat
Additional information:
-----------------------
get information about running services that have access to the device:
 $ sudo systemctl --type=service --state=running
stop all services that have access to the interface, e.g.:
 $ sudo systemctl stop NetworkManager.service
 $ sudo systemctl stop wpa_supplicant.service
run hcxdumptool
 scan for ACCESS POINTS in range (not in combination with attack modes)
  $ hcxdumptool -i INTERFACENAME -F --rcascan=active
 attack target(s) (not in combination with rcascan)
  $ hcxdumptool -i INTERFACENAME -w dumpfile.pcapng -F --rds=1
   i     : name of the interface to be used
   w     : name of file to which packets are written
   F     : use all available channels
   rds=1 : sort real time display by status (last PMKID/EAPOL on top)
press ctrl+c to terminate
press GPIO button to terminate
 hardware modification is necessary, read more:
 https://github.com/ZerBea/hcxdumptool/tree/master/docs
to store entire traffic, run <tshark -i <interface> -w allframes.pcapng> in parallel on the same interface
Important:
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not use virtual interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
do not use virtual machines or emulators
do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
do not use tools to change MAC (like macchanger)
do not merge (pcapng) dump files, because this destroys assigned hash values!

[dontholdmyhand]

thank you so much, i actually am starting to like understand the syntax more and more, types of hashes and stuff like that its so cool lol.

[ZerBea]

No problem, you're welcome.
Feel free to ask if you have more questions.

[dontholdmyhand]

only if you insist lol

1 - how long do i have to attack mode scan for if im targeting 1 single bssid vs a range scan of all the bssids?

103315 packet(s) captured
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
388 EPB written to pcapng dumpfile

exit on sigterm
bye-bye

i run for around 30 mins and it gets alot of essids but ive only managed to crack 2 of them cause im using a wordlist on hashcat instead of alphanumeric thingies, i wanna get into that some more but so far its been very fun, the hardest part is learning the up to date syntax to run stuff without having to go through -h a couple of times, i might be a little lazy but sometimes piecing out parts from -h doesnt get me very far, and outdated guides throw me off even more

is there a common best practice for cracking hc22000 hashes with hashcat like filters and stuff (i know its not the best place to ask sorry)

2 - would i need to run a rcascan before i do attack mode if im just gonna attack everything i can reach? rcascan is just for pinpointing ever essid and bssid right?

3 - isps in the country i live in provide old shitty routers with wps enabled on them, i feel like pixie dust attacks have carried me alot so far, handshake capture attacks have lowkey sucked for me cause ive only done that with wifite and its ability to do that is very hit or miss, but from the reading ive been doing it seems like pmkid attacks are the way to go, what would you rank pmkid at (ofcourse each one is situational but i mean in a situation where theyre all options to attack a specific network)

sorry if the last question is dumb and out of place

[ZerBea]

Usually it takes a few seconds to attack a target, e.g. 8 seconds here:
#361 (comment)

But that depends on a lot of factors:
Target in RANGE.
Does Target use PMKIDs.
Are CLIENTs connected to the TARGET.
Are CLIENTs in RANGE.

The entire test environment is described here:
#361

You can upload your dump file to wpa-sec to discover it is vulnerable on common word lists (free service):
https://wpa-sec.stanev.org/?nets
See the stats:
https://wpa-sec.stanev.org/?stats

A rcascan is useful to discover if the target is in RANGE, to get its MAC (to build the Filer Code) and to get its operating channel (use hcxdumptool -c xx to set the channel). That's all.

Pixie Dust should be the first choice. If that failed try to get a PMKID. If that failed (not all routers use PMKIDs) try to get an M2M3. If that failed try to get an M2 from a CLIENT associated to the target NETWORK. The best is if you get all. Due to hashcat's reuse of PBKDF you will no waste GPPU time.

Questions regarding hashcat should be asked here:
https://hashcat.net/forum/

[dontholdmyhand]

thank you so much always

[dontholdmyhand]

where can i find the most updated doc on all hcxdumptool options ive looked everywhere but im so bad

[ZerBea]

The entire history since Atom (hashcat) has advised me to go open source is here:
https://hashcat.net/forum/thread-6661.html
The name of the tools have changed and some options have changed, too, but the basics and the environment is still the same.

Information about the PMKID attack is here:
https://hashcat.net/forum/thread-7717.html

Information about NC is here:
https://hashcat.net/forum/thread-6361.html

Information how to recover a PSK using hashcat is here (entire basic work flow):
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

Information about the Linux kernel is here (hard core stuff):
https://www.kernel.org/doc/html/latest/

Information about the Berkeley Packet Filter is here (hard core stuff):
https://www.kernel.org/doc/html/latest/bpf/index.html

Information about Linux basics is here (basic stuff):
https://www.freecodecamp.org/news/the-linux-commands-handbook/

Information about WPA is here (basics):
https://en.wikipedia.org/wiki/Wpa2
https://en.wikipedia.org/wiki/802.11_Frame_Types
https://en.wikipedia.org/wiki/IEEE_802.11i-2004

Information about Arch Linux is here:
https://bbs.archlinux.org/viewforum.php?id=23

[dontholdmyhand]

-hi, quick question, does the regulatory domain setup mess with my packet cap, finding networks on certain freqs? im not in the US but im setting it to US, the device in question was purchased from the US but i reside in the middle east, do i have to set it up to my countries reg domain or am i good with the US settings?

• i keep getting:
  "This dump file does not contain undirected proberequest frames. An undirected proberequest may contain information about the PSK."
  how do i ensure that proberequest frames are intercepted, this is what im using after making an attack bpf

sudo hcxdumptool -i wlan0 --bpf=attack.bpf -w werwer.pcapng -F

is it because of the lack of "3"?

-also if im trying to target a client and not an ap in hcxdumptools should i use the same setting to setup a bpf ?

sudo tcpdump -i wlan0 wlan addr1 04a151cdfb8e or wlan addr2 04a151cdfb8e or wlan addr3 04a151cdfb8e or wlan addr3 04a151cdfb8e -ddd > attack.bpf

i try that but no bueno

-sudo tcpdump -i wlan0 wlan addr1 8ce74833cbb7 -ddd > attack.bpf can i set a bpf like this if i want to attack only 1 target or do the or wlan addr1+2+3 have to be there?

-also should i be deleting the attack.bpf every time i add a new client or do they just stack up if i dont delete it, or is it bad to rewrite that file.

[ZerBea]

You should use the regulatory matching to your country and you should look at the allowed frequencies.
If active scan is not allowed , hcxdumptool will not transmit on these frequencies.
If a RADAR signal is detected, hcxdumptool will not transmit on these frequencies.

Targeting a CLIENT is different:
wlan addr1 CLIENT_MAC or wlan addr2 CLIENT_MAC
Please notice that these days nearly every CLIENT run MAC randomization as default. In that case a BPF is useless.
https://cujo.com/blog/mac-address-randomization/

To recover a PSK you need frames coming from an AP and you need frames coming from a CLIENT.
If you set e.g. wlan addr2 MAC_AP you will get only frames from this AP. The rest is missing!
If you set e.g. wlan addr2 MAC_CLIENT you will get only frames from this CLIENT. The rest is missing!
If you set e.g. wlan addr3 MAC_AP you will get frames from an AP and from the CLIENTs.

In every case I recommend to add the BROADCAST MAC ffffffffffffto wlan addr3, too.
Please try this example and you know what I mean.
evilsocket/pwnagotchi#835 (comment)

You could create a BPF on each target AP:
target1.bpf (wlan addr3 111111111111 or wlan addr3 ffffffffffff)
target2.bpf (wlan addr3 222222222222 or wlan addr3 ffffffffffff)
target3.bpf (wlan addr3 333333333333 or wlan addr3 ffffffffffff)
than run hcxdumptool with the target filter and exitoneapol=7

this can be done by a script:

#!/bin/bash
$ hcxdumptool --bpf=target1.bpf --exitoneapol=7 -w target1.pcpang
$ hcxdumptool --bpf=target2.bpf --exitoneapol=7 -w target2.pcpang
$ hcxdumptool --bpf=target3.bpf --exitoneapol=7 -w target3.pcpang

[dontholdmyhand]

i just updated my comment while you typed this but it took me an hour lol sorry

"If you set e.g. wlan addr3 MAC_AP you will get frames from an AP and from the CLIENTs."

so with this i wouldnt need to target a specific client from a mac right? itll automatically target the ap and client, which skips the need to add wlan addr2 right?

so my filter can be sudo tcpdump -i wlan0 wlan addr3 8416f92c1ed6 -ddd > attack.bpf and itll achieve the goal of attacking the target and the client?

i know this is a very amateur question but how do i find the broadcast mac so i can add another wlan addr3, maybe snooping in wireshark? but does hcxdumptools list them anywhere along the ap mac?

[ZerBea]

You've probably wondered why BPF FAQ doesn't exist here.
Instead, there is a reference to other sites, e.g.:
https://www.wireshark.org/docs/man-pages/pcap-filter.html
https://www.tcpdump.org/manpages/pcap-filter.7.html
https://www.kernel.org/doc/html/latest/networking/filter.html

The reason is simple: There are thousands of possible different ways to create a BPF that give the same result.

$ tcpdump -y IEEE802_11_RADIO "wlan addr3 112233445566 or wlan addr3 ffffffffffff -ddd > filter.bpf
filter the AP and all(!) associated CLIENTs of this NETWORK - it also include undirected PROBEREQUESTs of (randomized) CLIENTs
simply we can say:

wlan addr1 == filter all frames to this MAC
wlan addr2 == filter all frames from this MAC
wlan addr3 == filter all frames in this network

And now I'm going to confuse you.
I mentioned above that there are several ways to code a filter and to get the same result:

$ tcpdump -y IEEE802_11_RADIO "wlan addr3 MAC_AP" -ddd > filter.bpf
is the same as
$ tcpdump -y IEEE802_11_RADIO "wlan addr1 MAC_AP or wlan addr2 MAC_AP" -ddd > filter.bpf

I suggest to play around with these filters and to take a look at the status display what they are doing.

And now I'm going to confuse you more.
$ tcpdump -y IEEE802_11_RADIO "wlan addr3 MAC_AP" -ddd > filter.bpf
is the same as
$ tcpdump --monitor-mode "wlan addr3 MAC_AP" -ddd > filter.bpf
is the same as
$ sudo tcpdump i wlan0 "wlan addr3 MAC_AP" -ddd > filter.bpf

[dontholdmyhand]

The reason is simple: There are thousands of possible different ways to create a BPF that give the same result.

i see, ive been tunnel visioning so hard on having the correct exact syntax for everything, i didnt realize you can freestyle like this lol.

i was wondering btw, what do you use to randomize mac in hcxdumptool, ive been trying other things too but they all have the issue where they dont use nl80211, and they crash my driver lol.

ive been setting up my monitor with hcx dump tool or if and iw when im not too lazy but but mac randomization programs also crash my device, except for hcxdumptools it works perfectly

[ZerBea]

hcxdumptool set the virtual device MAC to a randomized MAC. This MAC is used to attack ACCESS POINTs.
Additional it create thousands of randomized MACs if it is acting as an AP,
The MACs are taken from an internal MAC pool.

hcxdumptool use RTNETLINK to set the randomized MAC while old school tools running old school ioctl() system calls.

hcxdumptool and hcxtools allow "hard core freestyle" - especially in combination with the big GPU weapons hashcat and JtR.

[dontholdmyhand]

ok this might be a silly question but when hcxdumptools wants to change my mac, does it input a code in the system? something i can replicate manually to randomize my mac without having to run hcxdumptools?

like monitor mode for instance sudo hcxdumptool -m wlan0
anything like that but for macchanger?

sorry im not very familiar with system calls or scripts

[ZerBea]

It send a RTNETLINK message to the Linux kernel: "hey kernel please change the virtual MAC of the device".

Just run hcxdumptool in rcascan mode or in attack mode:

$ hcxdumptool -l
  9	 12	503eaa92e326	503eaa92e326	*	wlp48s0f4u2u4   	mt76x0u	NETLINK

$ sudo hcxdumptool --rcascan=active

$ hcxdumptool -l
  9	 12	503eaa92e326	b0ece185f393	*	wlp48s0f4u2u4   	mt76x0u	NETLINK

and it will change the virtual MAC of the device (if the device allow that).