hcxlabtool - testing environment

[LLH-l]

Why no scanning function

Use sudo ./hcxlabtool --rds=1
When switching to other channels, unable to see captured all AP list, display should be add in the box below

When using BPF
Create BPF
sudo ./hcxlabtool --bpfc="wlan addr3 c43306000000" >filter.bpf

wifi_laboratory-main # sudo ./hcxlabtool -c 149b --bpf=filter.bpf

This is a highly experimental penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
Misuse within a network, without specific authorization, may cause
irreparable damage and result in significant consequences!
Not understanding what you were doing is not going to work as an excuse!

starting...

Always stuck here, always waiting

Need add --rds to work
`sudo ./hcxlabtool -c 149b --bpf=filter.bpf --rds=3

[ZerBea]

That is easy to explain and mentioned in README.md

hcxlabtool
============
A tool to test updates on hcxdumptool.
Expect compiler warnings and ERRORs.
Expect missing or incomplete functions.

As of today, only this is being tested:

$ sudo hcxlabtool --rds=1
$ sudo hcxlabtool --rds=2

to get an overview of the impact of activated real time display on performance (in combination with a new attack vector).

rds=1 : the new real time display only shows APs on the current channel and CLIENTs from which we got an EAPOL M2
rds=2 : the new display only shows APs from all channels from which we got an M1M2, M1M2M3 or a PMKID and CLIENTs from which we got an EAPOL M2

Compared to the current real time display, both save a lot of CPU cycles because APs on other channels are ignored by the real time display. As a result there is no longer need to disable the real time display (via Makefile) on headless operation

All other combinations of command line options are untested, disabled or not working.

[ZerBea]

Form always follows function.
Everything that can be done off line should be done off line.

I have a clear (non-negotiable) priority when testing/adding new features:

1. performance (time response behavior when acting with targets and less destructive attack vector) 
2. computing time (less CPU cycles)
3. power consumption of the entire system
...
10. other features like GPS
...
9999. real time display

[LLH-l]

Test hcxlabtool and hcxdumptool the attack power is no problem
hcxdumptool have some messages report need enhance

[ZerBea]

Enhance, yes - but not at the expense of performance.

[ZerBea]

BTW:
sudo ./hcxlabtool --bpfc="wlan addr3 c43306000000" >filter.bpf

There is no need to create a BPF as super user:
$ ./hcxlabtool --bpfc="wlan addr3 c43306000000" > filter.bpf

[LLH-l]

captured all AP list, display should be add in the box below

CHA   LAST   A123P    MAC-CL       MAC-AP    ESSID            SCAN:  2462/11
-----------------------------------------------------------------------------
 11 17:21:30 p+++  fffffffffff1	fffffffffffa	TP-LINK
 11 17:21:30 p+++  fffffffffff2	fffffffffffb	LINK-TP
 11 17:21:30 p         fffffffffff3	fffffffffffc	SUSA
 11 17:21:30 p         fffffffffff4	fffffffffffd	ASUS
 11 17:20:47 p         fffffffffff5	fffffffffffe	DVR-HS1
    17:21:29  p++     fffffffffff6	ffffffffffff	TP
    17:21:26  p++     fffffffffff7	fffffffffff1	abc
    17:21:24  p++     fffffffffff8	fffffffffff2	LINK

captured list
-----------------------------------------------------------------------------
17:21:30 p+++    fffffffffff1	fffffffffffa	TP-LINK
17:21:30 p+++    fffffffffff2	fffffffffffb	LINK-TP
17:21:29  p++     fffffffffff6	ffffffffffff	TP
17:21:26  p++     fffffffffff7	fffffffffff1	abc
17:21:24  p++     fffffffffff8	fffffffffff2	LINK

[ZerBea]

first one: rds=1
second one: rds=2

[LLH-l]

1a,2a,3a,4a,5a,6a,7a,8a,9a,10a,11a,12a,13a,14a,36b,38b,40b,42b,44b,46b,48b,50b,52b,54b,56b,58b,60b,62b,64b,100b,102b,104b,106b,108b,100b,112b,114b,116b,118b,120b,122b,124b,126b,128b,130b,132b,134b,136b,138b,140b,149b,151b,153b,155b,157b,159b,161b,163b,165b,167b,169b,171b,173b,175b,177b,179b,181

If loop once, Each channel stays for 6s, when continuously switching channels, need wait how long see the captured to AP ? do you remember capture those APs in the previous channels ?

[ZerBea]

No, I can't, but --rds=2 will show all stations from which we got a PMKID or a MESSAGEPAIR.

BTW:
My terminal can't show all AP's and stations too, because it is limited (24 inch monitor) to 52 lines!

$ stty size
52 94

Therefore it doesn't make sense to to hold all stations (APs and CLIENTs) in a ring buffer.
It is much better (and faster) to show only the stations of a channel or to show all stations from which we got a usefull EAPOL MESSAGE.

I can add --rds=3 to show all stations from which we get noting yet, but that will blow up the display (due to MAC randomization e.g. of CLIENTs).

[ZerBea]

Normally, a real time shouldn't be needed.
Tell hcxdumptool what to do. Than wait until it stops.

[ZerBea]

Added rds=3
That should show all APs independent of the current operating channel.

[LLH-l]

Yeah , good
Apply it to hcxdumptool

[ZerBea]

When everything is finished hcxlabtool will become hcxdumptool (maybe v 6.7.0).

[LLH-l]

When executing an attack, this client disconnec from AP connection, unable again auto connect to AP
If it not auto connect to AP, it cannot be captured
Is there any way make it auto connect to AP ?
We need do channel cleaning ?

[ZerBea]

If you know the ESSID, store it or other essids to a file e.g. named: essid.list
Than run option essidlist=essid.list
--essidlist=<file> : initialize ESSID list with these ESSIDs

Should work on both hcxdumptool and better (improved) on hcxlabtool.

[LLH-l]

sudo ./hcxlabtool --essidlist=ssid.list
sudo ./hcxlabtool --rds=3 --essidlist=ssid.list
sudo ./hcxlabtool -F --rds=3 --essidlist=ssid.list
sudo ./hcxlabtool  --bpf=attack.bpf --rds=3 --essidlist=ssid.list

sudo hcxdumptool --essidlist=ssid.list
sudo hcxdumptool --rds=1 --essidlist=ssid.list
sudo hcxdumptool -F --rds=1 --essidlist=ssid.list
sudo hcxdumptool  --bpf=attack.bpf --rds=1 --essidlist=ssid.list

I tested them but still don't work
Must use manually connected it

Test using hcxlabtool, It is easy to encounter this situation
Test using hcxdumptool,this situation occurring is relatively low

[ZerBea]

In that case there is no chance to get an M2 from the CLIENT.

[LLH-l]

Test hcxlabtool attack, it easily cause client occur this situation

[LLH-l]

I tested active and passive scan
Passive scan, find this AP, active scan, not find this AP
Active scan, find this AP, passive scan, not find this AP

Should add mixed scan
hcxdumptool --rcascan=p+a -c 1a

[ZerBea]

Scanning methods explained:
https://wifisharks.com/2020/10/18/wlan-scanning/

With regard to hcxdumpool:

a passive scan is not detectable by an intrusion detection system but we have to wait until an AP becomes active
active scan include passive scan (the only difference is that hcxdumtool transmit a PROBEREQUESTs)
active scan is detectable by intrusion detection system

That ( --rcascan=p+a) doesn't make sense!

BTW:
It is good to know that not all APs respond to PROBERESPONSEs. I have deactivated this on my AP!.
It is good to know that not all APs use the same beacon interval (1024msec). My AP use an interval of 2 seconds to avoid to jam a frequency and to save power.
https://www.7signal.com/news/blog/controlling-beacons-boosts-wi-fi-performance

[LLH-l]

hcxlabtool and hcxdumptool capture handshake message report seems to have not been improved
I used hcxlabtool test, me saw capture m123 message on Wireshark ( I confirmed )
but hcxlabtool only prompted the capture of m12

[ZerBea]

If an EAPOL M1M2M3 has been received, hcxlabtool stops its attacks immediately,
To make sure that the handshake is really good, the requirements are very, very high:
EAPOL TIME between M1M2 <= 50000000 nsec and between M2M3 <= 50000000 nsec and between M1M3 <= 150000000 nsec and M1 NONCE == M3 NONCE. It is absolutely mandatory that this conditions are met!
Only if these conditions are met, hcxdumptool accepts the handshake and it stops the attack.
As long as the status display shows M1M2 only, the attack is going on.
If we lower the requirements, the chance to get an invalid handshake will increase.

Please check the time gap between the EAPOL MESSAGES displayed by Wireshark.
If the time gap is lower than mentioned above, it is a bug in hcxdumptool/hcxlabtool.
If the time gap is greater, exactly this behavior is wanted, because this handshake is not accepted by hcxdumptool.

But anyway, you can use hcxpcapngtool (option --eapoltimeout=x) on that dump file to convert the M1M2M3 regardless if the conditions are met or not.

Plase note that hcxdumptool (hcxlabtool) is designed to run mostly headless.
Goal is not to show a beautiful status display - goal is to get a valid handshake.

BTW:
I've mentioned that already (hcxdumptool):
#414 (comment)
A handshake is shown if these conditions met:

time between M1 and M2 20000000 nanoseconds
time between M2 and M3 20000000 nanoseconds
time between M3 and M4 20000000 nanoseconds

hcxlabtool:

time between M1 and M2 50000000 nanoseconds
time between M2 and M3 50000000 nanoseconds
time between M1 and M4 150000000 nanoseconds

I'm undecided about the final values. Maybe something between 20000000 and 50000000 nsec, but never every greater.

[ZerBea]

Please attach the wireshark pcapng to reproduce it.

[LLH-l]

I ignored it and didn't save it ！

[ZerBea]

Ok, maybe next time.
The hcxdumptool/hcxlabtool pcapng should be fine too, because it record nearly the same as Wireshark.

[LLH-l]

The easy reproduce it
This is m12 real-time capture
wireshark time zone not calibrated

[ZerBea]

I used hcxlabtool test, me saw capture m123 message on Wireshark ( I confirmed )
but hcxlabtool only prompted the capture of m12

But you're running hcxdumptool (Screenshot_2024-02-25_22-10-01.png) and hcxdumptool does not show M1M2:

                          Columns:
                             R = + AP display     : AP is in TX range or under attack
                             S = + AP display     : AUTHENTICATION KEY MANAGEMENT PSK
                             P = + AP display     : got PMKID hashcat / JtR can work on
                             1 = + AP display     : got EAPOL M1 (CHALLENGE)
                             3 = + AP display     : got EAPOL M1M2M3 or EAPOL M1M2M3M4 (AUTHORIZATION) hashcat / JtR can work on
                             E = + CLIENT display : got EAP-START MESSAGE
                             2 = + CLIENT display : got EAPOL M1M2 (ROGUE CHALLENGE) hashcat / JtR can work on

There is no M3 inside the dump file and hcxdumptool is exactly doing what is described in help

5	Feb 25, 2024 23:07:16.632034767 CET	96:ee:e7:00:00:77	8c:a6:df:cf:4a:40	1	1
6	Feb 25, 2024 23:07:16.639911886 CET	8c:a6:df:cf:4a:40	96:ee:e7:00:00:77	2	1
7	Feb 25, 2024 23:07:16.741293773 CET	8c:a6:df:cf:4a:40	96:ee:e7:00:00:77	4	2
8	Feb 25, 2024 23:07:19.059910197 CET	96:ee:e7:00:00:77	8c:a6:df:cf:4a:40	1	1
9	Feb 25, 2024 23:07:19.061290820 CET	96:ee:e7:00:00:77	8c:a6:df:cf:4a:40	1	1
10	Feb 25, 2024 23:07:19.066163716 CET	8c:a6:df:cf:4a:40	96:ee:e7:00:00:77	2	1

This has been mentioned already here:
#414 (comment)

Showing M1M2 will be added when hcxlabtool will become hcxdumptool.

[LLH-l]

Due the rapid popularity WIFI5, WIFI6, WIFI7,
If need optimiz scan or attack cycles
e.g add frequency representative parameters
e.g

2.4Ghz=<bng>
5Ghz=<ac>
6Ghz=<ax>

Only scan 2.4GHz all channels
./hcxlabtool --scan=bgn

Only on 2.4GHz channels attack 
./hcxlabtool -bgn

Only scan  5GHz all channels
./hcxlabtool --scan=ac

Only on 5GHz channels attack  
./hcxlabtool -ac

Only scan 6GHz all channels
./hcxlabtool --scan=ax

Only on 6GHz channels attack 
./hcxlabtool -ax

60Ghz ..etc...

Use network card all frequencies
./hcxlabtool -F

If want to implement it, encode seems a bit much

[ZerBea]

Good idea in theory, but nor feasible an practice due to the high effort to code this:

several different adapters with a different frequency range
highly dependent on wireless regulatory settings of the user
the combination of the device hardware and the wireless regulatory setting

I'm sure you have noticed that e.g. bgn (channel 1 to 11) is not equal to bgn (channel 1 to 13) is not equal to bgn (1 to 14):
https://www.everythingrf.com/community/2-4-ghz-wi-fi-802-11b-g-n-channels-and-frequency-band
The same applies to the other bands too:
https://support.metageek.com/hc/en-us/articles/203532644-802-11ac-Channels

and nice to read:
https://www.wiisfi.com/

To avoid this (a hard coded list), the commended way (custom lists) is:
get information about your device and your wireless regulatory domain setting by hcxdumptool -I INTERFACENAME
e.g.: TP-Link Archer T2U"

$ iw reg get
global
country DE: DFS-ETSI
	(2400 - 2483 @ 40), (N/A, 20), (N/A)
	(5150 - 5250 @ 80), (N/A, 23), (N/A), NO-OUTDOOR, AUTO-BW
	(5250 - 5350 @ 80), (N/A, 20), (0 ms), NO-OUTDOOR, DFS, AUTO-BW
	(5470 - 5725 @ 160), (N/A, 26), (0 ms), DFS
	(5725 - 5875 @ 80), (N/A, 13), (N/A)
	(5945 - 6425 @ 160), (N/A, 23), (N/A), NO-OUTDOOR
	(57000 - 66000 @ 2160), (N/A, 40), (N/A)

$ hcxdumptool -I wlp48s0f4u2u4

Requesting physical interface capabilities. This may take some time.
Please be patient...

interface information:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0   3 503eaa7abe4f 503eaa7abe4f * wlp48s0f4u2u4    mt76x0u (NETLINK)

available frequencies: frequency [channel] tx-power of Regulatory Domain: DE

  2412 [  1] 14.0 dBm	  2417 [  2] 14.0 dBm	  2422 [  3] 14.0 dBm	  2427 [  4] 14.0 dBm
  2432 [  5] 14.0 dBm	  2437 [  6] 14.0 dBm	  2442 [  7] 14.0 dBm	  2447 [  8] 14.0 dBm
  2452 [  9] 14.0 dBm	  2457 [ 10] 14.0 dBm	  2462 [ 11] 14.0 dBm	  2467 [ 12] 14.0 dBm
  2472 [ 13] 14.0 dBm	  2484 [ 14] disabled	  5180 [ 36] 17.0 dBm	  5200 [ 40] 17.0 dBm
  5220 [ 44] 17.0 dBm	  5240 [ 48] 17.0 dBm	  5260 [ 52] 17.0 dBm	  5280 [ 56] 17.0 dBm
  5300 [ 60] 17.0 dBm	  5320 [ 64] 17.0 dBm	  5500 [100] 17.0 dBm	  5520 [104] 17.0 dBm
  5540 [108] 17.0 dBm	  5560 [112] 17.0 dBm	  5580 [116] 17.0 dBm	  5600 [120] 17.0 dBm
  5620 [124] 17.0 dBm	  5640 [128] 17.0 dBm	  5660 [132] 17.0 dBm	  5680 [136] 17.0 dBm
  5700 [140] 17.0 dBm	  5720 [144] 13.0 dBm	  5745 [149] 13.0 dBm	  5765 [153] 13.0 dBm
  5785 [157] 13.0 dBm	  5805 [161] 13.0 dBm	  5825 [165] 13.0 dBm	  5845 [169] 13.0 dBm
  5865 [173] 13.0 dBm	  5885 [177] disabled

Create your custom scan lists, e.g.:

export MYACNODFSSCANLIST="36b,40b,44b,48b"
export MYACNODFSLOWSCANLIST="36b,40b,44b,48b"
export MYACDFSSCANLIST="52b, 56b, ..., 140b,144b,"
export MYACNODFSHIGHSCANLIST="149b,153b, ...,169b,173b"

Run this before you start hcxdumptool or create a script that will do it or add the values to your .bash_profile to make them persistent. This shouldn't be a big challenge for an experienced user and it is a thousand times more flexible than to hard code it as you suggested.
Now you can run hcxdumptool with your custom list:
$ hcxdumptool -c "$MYACNODFSSCANLIST"

or inside a script:

#!/bin/bash

export MYACNODFSSCANLIST="36b,40b,44b,48b"
hcxdumptool -c "$MYACNODFSSCANLIST`

That will work with frequencies too (-f option).

Maybe I haven't mentioned that: I will not add functions that are covered by bash commands because that commands can do it much better than I ever could.

A good starting point to learn bash:
https://linuxhandbook.com/bash/

[ZerBea]

All hcxtools and hcxdumptool/hcxlabtool are designed to run headless and/or inside custom scripts.
This, e.g. is a custom script that starts hcxlabtool on boot running OpenWRT (placed in /etc/init.d):

#!/bin/sh /etc/rc.common
START=99

boot()
	{
	/etc/init.d/dropbear stop
	/etc/init.d/network stop
	/usr/sbin/iw reg set IN
	/usr/sbin/hcxlabtool --gpio_button=4 --gpio_statusled=17 --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --onwatchdog=reboot --ftc -w /home/dumpfiles/dumpfile.pcapng  --bpf=/root/filter/own_ext.bpfc --essidlist=/root/essidlist/standard58.essidliste --associationmax=1000 --m2max=20 -c 1a,6a,11a,2a,1a,6a,11a,13a,1a,6a,11a,3a,1a,6a,11a,12a,1a,6a,11a,4a,1a,6a,11a,10a,1a,6a,11a,5a,1a,6a,11a,9a,1a,6a,11a,7a,1a,6a,11a,8a &
	if [ -d /sys/class/leds/led0 ]
	then
		echo none | tee /sys/class/leds/led0/trigger
		echo 0 | tee /sys/class/leds/led0/brightness
	fi
	if [ -d /sys/class/leds/led1 ]
	then
		echo none | tee /sys/class/leds/led1/trigger
		echo 0 | tee /sys/class/leds/led1/brightness
	fi
	}

stop()
	{
	service_stop /sbin/hcxlabtool
	}

[LLH-l]

add -c why no work

[ZerBea]

Thanks. Good investigation.
Now we can narrow down the problem to the way the channel change function.

[ZerBea]

I got it.
Please try latest git head.

[LLH-l]

latest git head

Still capturing failed

[LLH-l]

hcxdumptool latest git head

capturing pmkid success

hcxlabtool latest git head

Still capturing pmkid failed

[LLH-l]

In channel 44
Use wireshark bserving have

Authenticaton
Association
Authentication

But not get m1

[ZerBea]

Thanks for the tests. I think there is a second problem we haven't discovered, yet.
I'll code another debug version to narrow it down. Please give me a few minutes.

[ZerBea]

Here is another debug version. We only need the debug messages - Please run without rds
hcxlabtool.c.zip

unzip and replace hcxlabtool.c by the attached version
run make
run $ ./hcxlabtool -c 44b

should look like this:

$ sudo ./hcxlabtool -c 44b

This is a highly experimental penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
Misuse within a network, without specific authorization, may cause
irreparable damage and result in significant consequences!
Not understanding what you were doing is not going to work as an excuse!

BPF is unset! Make sure hcxdumptool is running in a 100% controlled environment!

starting...
cipher suite detected: 4
RSNPSK detected 
send association request 2 bc
send association request 2 bc
send authentication request
send association request 2
EAPOL M1 detected
PMKID detected

[LLH-l]

starting...
cipher suite detected: 4
RSNPSK detected 
send association request 2 bc
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
send association request 2 bc
send authentication request
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
send association request 2
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
send association request 2
cipher suite detected: 4
RSNPSK detected                                                                                                
cipher suite detected: 4                                                                                       
RSNPSK detected                                                                                                
send association request 2                                                                                     
send association request 2                                                                                     
cipher suite detected: 4                                                                                       
RSNPSK detected                                                                                                
cipher suite detected: 4                                                                                       
RSNPSK detected                                                                                                
cipher suite detected: 4                                                                                       
RSNPSK detected                                                                                                
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
send association request 2
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
send association request 2
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
send association request 2
send association request 2
send association request 2
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
send association request 2
cipher suite detected: 4
RSNPSK detected 
send association request 2
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
send association request 2
cipher suite detected: 4
RSNPSK detected 
cipher suite detected: 4
RSNPSK detected 
send association request 2
cipher suite detected: 4
RSNPSK detected 
^C
0 ERROR(s) during runtime
1821 Packet(s) captured by kernel
198 Packet(s) dropped by kernel
exit on sigterm

[ZerBea]

OK, thanks. That's looking good.
Now we have to find out, why the AP does not respond to our association request 2.
Please run tshark or Wireshark in parallel and attach this dump file. We need to know the answer of the AP.
Use a capture filter "wlan addr3" so that we get only the frames of this network.

[ZerBea]

tshark can't set monitor mode and it cant set the interface up.

Two ways:
first start hcxlabtool, that start tshark in a second terminal.
or
set monitor mode by hcxdumtpool $ sudo hcxdumptool -m wlan0
than run tshark

The difference.
interface is not in monitor mode:

$ tshark -i wlp48s0f4u2u4 -f "wlan addr3 c4:33:06:cd:4b:e9" -w test.pcapng
Capturing on 'wlp48s0f4u2u4'
tshark: Invalid capture filter "wlan addr3 c4:33:06:cd:4b:e9" for interface 'wlp48s0f4u2u4'.
That string isn't a valid capture filter ('addr3' and 'address3' are only supported on 802.11 with 802.11 headers).

interface is in monitor mode:

$ sudo hcxdumptool -m wlp48s0f4u2u4 -c 44b
$ tshark -i wlp48s0f4u2u4 -f "wlan addr3 c4:33:06:cd:4b:e9" -w test.pcapng
Capturing on 'wlp48s0f4u2u4'
32 ^C

[LLH-l]

[test.zip]

[ZerBea]

Thanks.
We don't need the dump files, because we already know that the packets are not going out.
Please comment the debug messages as shown by hcxlabtool.

[LLH-l]

run $ ./hcxlabtool -c 44b
No debugging messages displayed

$ sudo ./hcxlabtool -c 44b

This is a highly experimental penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
Misuse within a network, without specific authorization, may cause
irreparable damage and result in significant consequences!
Not understanding what you were doing is not going to work as an excuse!

BPF is unset! Make sure hcxdumptool is running in a 100% controlled environment!

starting...

[ZerBea]

Another try:
hcxlabtool.c.zip
same procedure.

$ sudo ./hcxlabtool -c 44b
This is a highly experimental penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
Misuse within a network, without specific authorization, may cause
irreparable damage and result in significant consequences!
Not understanding what you were doing is not going to work as an excuse!

BPF is unset! Make sure hcxdumptool is running in a 100% controlled environment!

starting...
set channel
running debug loop

[LLH-l]

[ZerBea]

Is the target AP still on channel 44b?

[LLH-l]

[ZerBea]

I'll add some more debug code.

[ZerBea]

New debug version. Same procedure.
hcxlabtool.c.zip

Should now look like this:

received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
prepare attck
send association request 2 bc
send authentication request
send association request 2
EAPOL M1 detected
PMKID detected

[LLH-l]

$ sudo ./hcxlabtool -c 44b

This is a highly experimental penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
Misuse within a network, without specific authorization, may cause
irreparable damage and result in significant consequences!
Not understanding what you were doing is not going to work as an excuse!

BPF is unset! Make sure hcxdumptool is running in a 100% controlled environment!

starting...
set channel
running debug loop
received BEACON
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
prepare attck
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44                                                                        
prepare attck                                                                                         
received BEACON                                                                                       
confirmed BEACON on channel 44                                                                        
received BEACON                                                                                       
confirmed BEACON on channel 44                                                                        
received BEACON                                                                                       
confirmed BEACON on channel 44                                                                        
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
prepare attck
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
prepare attck
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
^C
0 ERROR(s) during runtime
2176 Packet(s) captured by kernel
562 Packet(s) dropped by kernel
exit on sigterm

[LLH-l]

Is the target AP still on channel 44b?

Yeah

[ZerBea]

Ok, thanks.
I'll add some more debug messages.

[ZerBea]

Here we go.
hcxlabtool.c.zip
Same procedure. Please commit debug messages.
We now should see the ESSID inside the debug messages.

[LLH-l]

$ sudo ./hcxlabtool -c 44b

This is a highly experimental penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
Misuse within a network, without specific authorization, may cause
irreparable damage and result in significant consequences!
Not understanding what you were doing is not going to work as an excuse!

BPF is unset! Make sure hcxdumptool is running in a 100% controlled environment!

starting...
set channel
running debug loop
received BEACON
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
prepare attack
ESSID ok CMCC-vKHZ-5G
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
prepare attack
ESSID ok CMCC-vKHZ-5G
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
prepare attack
ESSID ok CMCC-vKHZ-5G
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
prepare attack
ESSID ok CMCC-vKHZ-5G
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
received BEACON
confirmed BEACON on channel 44
^C
0 ERROR(s) during runtime
225 Packet(s) captured by kernel
41 Packet(s) dropped by kernel
exit on sigterm

[ZerBea]

OK, thanks.
Please give me some minutes.

[ZerBea]

Ok, next try:
hcxlabtool.c.zip
Same procedure, please commit debug messages.

This "AKM value is 2" is important:
AKM value is 2
AKM confirmed
MACRG used

[LLH-l]

$ sudo ./hcxlabtool -c 44b

This is a highly experimental penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
Misuse within a network, without specific authorization, may cause
irreparable damage and result in significant consequences!
Not understanding what you were doing is not going to work as an excuse!

BPF is unset! Make sure hcxdumptool is running in a 100% controlled environment!

starting...
set channel
running debug loop
prepare attack
ESSID ok CMCC-vKHZ-5G
AKM value is 0
prepare attack
ESSID ok CMCC-vKHZ-5G
AKM value is 0
prepare attack
ESSID ok CMCC-vKHZ-5G
AKM value is 0
prepare attack
ESSID ok CMCC-vKHZ-5G
AKM value is 0
prepare attack
ESSID ok CMCC-vKHZ-5G
AKM value is 0
prepare attack
ESSID ok CMCC-vKHZ-5G
AKM value is 0
prepare attack
ESSID ok CMCC-vKHZ-5G
AKM value is 0
prepare attack
ESSID ok CMCC-vKHZ-5G
AKM value is 0
prepare attack
ESSID ok CMCC-vKHZ-5G
AKM value is 0
prepare attack
ESSID ok CMCC-vKHZ-5G
AKM value is 0
prepare attack
ESSID ok CMCC-vKHZ-5G
AKM value is 0
^C
0 ERROR(s) during runtime
3389 Packet(s) captured by kernel
923 Packet(s) dropped by kernel
exit on sigterm

[ZerBea]

Ok, thanks.
Let me think awhile how we can handle this.
AKM is 0 but it should be 2.

[LLH-l]

hcxdumptool also has AKM issues

[ZerBea]

Next try please:
hcxlabtool.c.zip
Same procedure - please commit debug messages.

[LLH-l]

e.g Use command

sudo ./hcxlabtool --bpfc="wlan addr3 c43306cd4be9" >a.bpf
sudo ./hcxlabtool -c 44b --bpf=a.bpf --rds=3
tshark -i wlan0 -f "wlan addr3 c4:33:06:cd:4b:e9" -w test.pcapng

Need wireshark parallel pcapng file ?

[ZerBea]

Yes, please

[ZerBea]

BTW:
This is a great example

$ sudo ./hcxlabtool --bpfc="wlan addr3 c43306cd4be9" >a.bpf
$ sudo ./hcxlabtool -c 44b --bpf=a.bpf --rds=3
$ tshark -i wlan0 -f "wlan addr3 c4:33:06:cd:4b:e9" -w test.pcapng

It shows why hcxdumptool/hcxlabtool uses tshark BPF syntax and not aircrack-ng (--bssid) syntax.

[LLH-l]

[testtt.zip]

[ZerBea]

Thanks, downloaded it and you can delete the archive.
It will take awhile until I find a solution.

[LLH-l]

Use hcxdumptool capturing it , sometime success, but sometime fails, not every time success

Including capturing other AP handshakes situation (not every time success)
What the reason for this
Is it unstable or injection and monitor issues

[ZerBea]

Problem is related to latest optimization.
I'll add some new debug code to narrow it down.

[ZerBea]

Ok, here we go. Same procedure.
hcxlabtool.c.zip

./hcxlabtool --bpf=your_filter -c 44b

Debug info should look similar to this.
We need to find the difference between this one and your debug messages.

initial beacon
enter tag walk
ESSID tag walk TEST_AP
tag VENDOR detected
tag VENDOR detected
tag VENDOR detected
tag VENDOR detected
tag VENDOR detected
tag VENDOR detected
tag VENDOR detected
tag WPA detected
tag RSN detected
tag RSN length 20
GCS count 1
PCS count 1
AKM count 1
initial AKM value = 2
^C
0 ERROR(s) during runtime
61 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
exit on sigterm

[LLH-l]

Use command
sudo ./hcxlabtool -c 44b --bpf=a.bpf >attack.log
tshark -i wlan0 -f "wlan addr3 c4:33:06:cd:4b:e9" -w test.pcapng
[testffff.zip]

[ZerBea]

Should be fixed by latest commit:

starting...
initial beacon
enter tag walk
ESSID tag walk CMCC-vKHZ-5G
tag VENDOR detected
tag WPA detected
WPA ucs count 2
WPA AKM count 1
26 26
tag RSN detected
tag RSN length 24
GCS count 1
PCS count 2
AKM count 1
tag VENDOR detected
tag VENDOR detected
tag VENDOR detected
tag VENDOR detected
initial AKM value = 2

In case of WPA1/WPA2 mixed mode, both AKMs should be detected, now.

[LLH-l]

I'ii test latest git

[ZerBea]

Great, thanks (--rds=1) will show if it is working (or not).

[LLH-l]

test latest git OK !

[ZerBea]

Great, thanks to your kind help, we got it.

[LLH-l]

Don't mention, I am your fan and I hope hcxdumptool and hcxlabtool better

[LLH-l]

Test completed. due partial privacy, close