Hcxdump syntax change

[KristoferBe]

Some of the documentation hasn't kept up with the latest syntex for example
~# hcxdumptool -i wlan1mon -o galleria.pcapng --enable__status=1

Is no longer a valid command in 6.3.1

-o i believe has been replaced with a -w and --enable_status=1 is no longer valid

--filterlist_ap=targetBSSID isn't valid but what is?
--filtermode=2 is not valid either.

So if i wanted to perform a PMKID attack, how would I capture the needed traffic from a specific basestation MAC? THat way I can use hashcat?

Also I thought that if did sudo hcxdumptool -i wlan1 -w test.22000 test.pcapng, that it would attempt to collect all traffic from the "seen" ssids, but I have never seen a timestamp or

PMKID found:XXXXXX (SSID) output line in 6.3.1 like i did in earlier versions.

[ZerBea]

First of all, this command line
$ hcxdumptool -i wlan1mon -o galleria.pcapng --enable__status=1 has never been recommended.
From --help:
do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw

Since 6.3.0 the entire real time display changed from water fall to split screen (AP status above, CLIENT status below).
The columns are explained in --help:

Legend
real time display:
 R = + AP display:     AP is in TX range or under attack
 S = + AP display:     AUTHENTICATION KEY MANAGEMENT PSK
 P = + AP display:     got PMKID hashcat / JtR can work on
 1 = + AP display:     got EAPOL M1 (CHALLENGE)
 3 = + AP display:     got EAPOL M1M2M3 (AUTHORIZATION) hashcat / JtR can work on
 E = + CLIENT display: got EAP-START MESSAGE
 2 = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE) hashcat / JtR can work on

Due to performance reasons, all soft coded filter lists has been removed, because they are slow.
If you want to filter something, it is mandatory to create a Berkeley Packet Filter and to add this filter by option "--bpf="

example to perform an EAPOL (PMKID) attack on a single AP:
target BSSID is 11:22:33:44:55:66

$ sudo hcxdumptool -m INTERFACE

$ tcpdump -i INTERFACE wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack112233445566.bpf

$ sudo hcxdumptool -i INTERFACE -w dump.pcapng --bpf=attack112233445566.bpf --rds=1

Watch the AP Display:
If you got a "+" in S column, the AP use WPA, WPA2, WPA2 key version 3 and the PSK can be recovered by hashcat.
If you got a "+" in R column, you are in RANGE of the target. Empty column = not in RANGE and attack will fail.
If you got a "+" in 1 column you got an EAPOL M1 message from the target AP. EAPOL M1 include PMKIDs, if supported by the AP.
If you got a "+" in P column, you got a PMKID and you can stop hcxdumptool.
Notice: a "+" in 1 column but no "+" in P column tell you that the AP do not use PMKIDs.
If you got a "+" in 3 column, you cot an entire M1M2M3 handshake.

Please notice:
This example use a strict filter to EAPOL only, you will not get or ROGUE EAPOL M2 or undirected PROBEREQUESTs from a CLIENT, which may contain a PSK.

Please read this comments, starting with:
#301 (comment)

BTW:
As on all other versions, it is still not recommended to use hcxdumptool on a virtual interface.
And it is not recommended to use third party tools to set monitor mode.
If the driver (e,g, mt76 driver) support active monitor mode, hcxdumptool will set this mode and you get benefit of hardware ACK!

[ZerBea]

I forgot to mention:
By default hcxdumptool scan channels 1a, 6a, 11a only, because this are the most common used (default) channels.
To scan the entire possible frequency range supported by driver add option -F
-F : use available frequencies from INTERFACE

Please notice that frequency and power settings highly depend on wireless regulatory domain settings and hcxdumptool respect/use this settings. If the regulatory domain is unset, you have the highest restrictions:

$ iw reg get
global
country 00: DFS-UNSET
	(755 - 928 @ 2), (N/A, 20), (N/A), PASSIVE-SCAN
	(2402 - 2472 @ 40), (N/A, 20), (N/A)
	(2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
	(2474 - 2494 @ 20), (N/A, 20), (N/A), NO-OFDM, PASSIVE-SCAN
	(5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
	(5250 - 5330 @ 80), (N/A, 20), (0 ms), DFS, AUTO-BW, PASSIVE-SCAN
	(5490 - 5730 @ 160), (N/A, 20), (0 ms), DFS, PASSIVE-SCAN
	(5735 - 5835 @ 80), (N/A, 20), (N/A), PASSIVE-SCAN
	(57240 - 63720 @ 2160), (N/A, 0), (N/A)

Option -I show you the regulatory domain settings in use and its restrictions (e.g sudo iw reg set US):

$ hcxdumptool -I wlp22s0f0u4

Requesting interface capabilities. This may take some time.
Please be patient...


interface information:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0   3 74da38eb451c 74da38eb451c * wlp22s0f0u4      mt7601u (NETLINK)

available frequencies: frequency [channel] tx-power of Regulatory Domain: US

  2412 [  1] 30.0 dBm	  2417 [  2] 30.0 dBm	  2422 [  3] 30.0 dBm	  2427 [  4] 30.0 dBm
  2432 [  5] 30.0 dBm	  2437 [  6] 30.0 dBm	  2442 [  7] 30.0 dBm	  2447 [  8] 30.0 dBm
  2452 [  9] 30.0 dBm	  2457 [ 10] 30.0 dBm	  2462 [ 11] 30.0 dBm	  2467 [ 12] disabled
  2472 [ 13] disabled

bye-bye

The impact of this settings is huge (e.g sudo iw reg set IN):

$ hcxdumptool -I wlp22s0f0u4

Requesting interface capabilities. This may take some time.
Please be patient...


interface information:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0   3 74da38eb451c 74da38eb451c * wlp22s0f0u4      mt7601u (NETLINK)

available frequencies: frequency [channel] tx-power of Regulatory Domain: IN

  2412 [  1] 30.0 dBm	  2417 [  2] 30.0 dBm	  2422 [  3] 30.0 dBm	  2427 [  4] 30.0 dBm
  2432 [  5] 30.0 dBm	  2437 [  6] 30.0 dBm	  2442 [  7] 30.0 dBm	  2447 [  8] 30.0 dBm
  2452 [  9] 30.0 dBm	  2457 [ 10] 30.0 dBm	  2462 [ 11] 30.0 dBm	  2467 [ 12] 30.0 dBm
  2472 [ 13] 30.0 dBm

bye-bye

As already mentioned above, impact of this settings is really huge (e.g sudo iw reg set DE):

$ hcxdumptool -I wlp22s0f0u4

Requesting interface capabilities. This may take some time.
Please be patient...


interface information:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0   3 74da38eb451c 74da38eb451c * wlp22s0f0u4      mt7601u (NETLINK)

available frequencies: frequency [channel] tx-power of Regulatory Domain: DE

  2412 [  1] 20.0 dBm	  2417 [  2] 20.0 dBm	  2422 [  3] 20.0 dBm	  2427 [  4] 20.0 dBm
  2432 [  5] 20.0 dBm	  2437 [  6] 20.0 dBm	  2442 [  7] 20.0 dBm	  2447 [  8] 20.0 dBm
  2452 [  9] 20.0 dBm	  2457 [ 10] 20.0 dBm	  2462 [ 11] 20.0 dBm	  2467 [ 12] 20.0 dBm
  2472 [ 13] 20.0 dBm

bye-bye

If you would like to get benefit of all features (and there are a lot of features) some knowledge (as mentioned in README.md) might be helpful:

* knowledge of radio technology
* knowledge of electromagnetic-wave engineering
* detailed knowledge of 802.11 protocol
* detailed knowledge of key derivation functions
* detailed knowledge of Linux (strict)
* detailed knowledge of filter procedures (Berkeley Packet Filter, capture filter, display filter)

[ZerBea]

Nice example is here:
#331