handshake/PMKID from a single SSID

[CyberIQ-ai-LLC]

In the previous version I would use --filterlist_ap to target a specific SSID. I'm not sure how to do that in this version. Looking at the docs it doesn't appear that it is possible. Is it? If so, how would it be done?

This is the line from my old script that prompts for the values.
hcxdumptool -i ${WIFI_NAME} -o ${FILE_NAME}.pcapng --enable_status=1 -c ${CHANNEL} --filtermode=2 --filterlist_ap=${AP_MAC}

The new version has changed a lot. This is how I am trying with 6.3.1-50-gdb8af47
hcxdumptool --essidlist ${file_name} -w ${FILE_NAME}
I thought that this might work. But I guess I'm not understanding the purpose of --essidlist. I have a file with a SSID that I want to target. I guess I'm doing it wrong?

Thanks in advance for your help.

[ZerBea]

Now the entire filter stuff is done by the Berkeley Packet Filter (BPF) only.
There are several ways to create the BPF. The simplest way is by tcpdump.

Let's say your target AP MAC is
11:22:33:44:55:66
Set monitor mode:
$ sudo hcxdumptool -m INTERFACENAME
Create BPF:
$ sudo tcpdump -i INTERFACENAME wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > target.bpf
Run hcxdumptool using this filter:
$ sudo hcxdumptool -i INTERFACENAME --bpf=target.bpf
Please notice:
We do not filter undirected PROBEREQUESTs from CLIENTs, because they may contain a password.

To attack more than one target:

1a:2a:3a:4a:5a:6a
1b:2b:3b:4b:5b:6b

Set monitor mode:
$ sudo hcxdumptool -m INTERFACENAME
Create BPF:
$ sudo tcpdump -i INTERFACENAME wlan addr3 1a:2a:3a:4a:5a:6a or wlan addr3 or wlan addr3 1b:2b:3b:4b:5b:6b -ddd > target.bpf
Run hcxdumptool using this filter:
$ sudo hcxdumptool -i INTERFACENAME --bpf=target.bpf

BTW:
You can tell hcxdumptool to terminate if one of the targets was successful attacked by option --exitoneapol.
Now remove this AP MAC from the BPF and re-run hcxdumptool.

More information is here:
#301 (comment)

The option --essid is not a filter option.
If targeting CLIENTs, hcxdumptool fill an internal ring buffer with entries of this list. Later on, this ring buffer will be filled with ESSIDs received from PROBEREQUESTs.
The first n entries (becaontx=n) are transmitted as BEACON to awake sleeping CLIENTs if it match to their wpa-supplicant.conf entry.

[CyberIQ-ai-LLC]

Thanks for such a quick reply. This is what I needed.

[ZerBea]

You're welcome.

BTW:
The BPF is a peace of code, loaded and attached to the kernel by hcxdumptool. It can filter everything and that really fast.