This issue was moved to a discussion.
not an issue just a comment #301
Comments
The old status function is very CPU cycle intensive. It shows status when an event occurs. Compared to the old WIRELESS EXTENSION version, the NL80211 version is trimmed for effectiveness and speed. But I leave this request open. Active RCASCAN is still missing, too, as well as requesting EAP-IDs. I have to add this before the next release. BTW:
To simplify it, you can add these commands to a bash script, e.g.: showeapol
With the last commit I added a new option:
on rds=1 the last AP from which a PMKID/EAPOL M1M2M3 was received is on top
thanks and now you've explained why it makes sense
Compared to the old WIRELESS EXTENSION version, the NL80211 version is a thousand times more effective.
where can I contact you ZerBea?
You can get my email address via git API:
wow, I didn't know that API, thanks!
can someone share an Android version of this tool for capturing PMKID to file
hcxdumptool should run fine on Android: Unfortunately I don't have an Android environment to compile it. Maybe some Android users can help.
Ok. thanks.
With the introduction of 6.3.0 I can't seem to get it to run in the background with '&' at the end of the command line. Or maybe it is running, but it does disappear from htop. Thus I assume it's not running.... But I could be wrong.
I'll check it. Could be related to the new real time display.
Ok, tested it. Terminal 2:
Doing exactly what expected. Terminating in terminal 2:
Terminal 1 ctrl+c:
And now the funny part: According to this:
Awwwww I have a lot to learn....yea what confused me is the fact you can see the process in top until you close the session..... I'll give it another few runs. I just checked out the timestamps in the .pcapng and it does seem to still be running. I guess I was just after something visual to ensure it was up.
Wait wait....I'm still not having much luck here. Maybe I am not understanding it properly. It is my understanding that I should be able to close 'Terminal 1' and the process will continue to run in the background. I am still not seeing that behaviour. As soon as I close terminal 1 (simulating putting my laptop away) the process seems to stop. (I confirm this by running the 'ps -All | grep hcxdumptool' command again which shows no process running.) Apologies if this does not make sense. Love your work by the way! It's incredible!
That is correct. If you close the terminal, hcxdumptool will stop because it will not detach from the terminal (there is no code inside to run hcxdumptool as a daemon). There are several ways to detach a process from a terminal. One of them is setsid: More information is here: a tutorial and some more ways are here:
SETSID worked a treat! I'll have a play with all those methods as well now.
ELEVATE PRIVS
SHUTDOWN INTERFERING SERVICES
START HCXDUMPTOOL ON SELECTED INTERFACE
CLOSE TERMINAL
TURN PI OFF TO STOP.
You can see the service continue to run in HTOP if you want to confirm it is still running detached.
I prefer a different method - hcxdumptool is compiled without -DSTATUS
Perhaps a little bit beyond my skillset. However, I'll use that as a benchmark and have a go at it. Appreciate it.
Hi Zerbea, can you help pls? When I try to convert "file.pcapng" to "file.22000" with hcxpcapngtool I get:
Immediately after starting hcxdumptool, it creates a dump file and stores an initial packet. This packet contains some information about the used MAC addresses and hashes. Hcxpcapngtool can work in this information. You have to run hcxdumptool until you get the information that your attack was successful and the mandatory EAPOL messages are received or retrieved.
Once you have this information, you can stop hcxdumptool and convert the content of the pcapng file to a hc22000 file.
I realized my mistake, but it still doesn't work.
Some APs do not transmit a PMKID. Looks like your AP is among them.
The screenshot shows the split screen. Below = results of attacks on CLIENTs.
Holy man, thank you, now I understand everything
Hello, I'm one of the maintainers of the airgeddon tool. I noticed that in the latest version of hcxdumptool (tested on 6.3.0), the existing I already have a version check in the tool because something similar happened to me in the past when the I'd like your advice about the best command to use. hcxdumptool is used in airgeddon to capture PMKID, and this was the first command used <=6.0.0):
If >=6.0.0 was detected the command is:
Now it seems I need to change the command line again if a new version is detected. Which version introduces the changes and what should the needed command be to do the same? Thanks.
The Linux kernel team decided to drop WIRELESS EXTENSIONS (WEXT) on new WiFi hardware starting with kernel 6.3.0. Version 6.2.9 is the latest "old style" version. Starting with version 6.3.0 nearly everything changed. The real time display is now always on. On headless operation it can be disabled completely. The goal of all changes is to save CPU cycles. The changelog gives an overview of what changed and when it changed. The simplest command to do nearly the same is: You can add e.g. tcpdump to airgeddon to create the BPF code as suggested by this user here: BTW:
I forgot to mention:
omg... this changed so much... I can see the Understood about the versions... now I have 3 ranges:
The conditional about the versions is not a problem. I sorted it out. Now I need to figure out how to do the same using new stuff. Please, help me out checking this: The bottom highlighted in red part is the command. As you can see all are sharing only the I haven't defined the filter bpfc file. Not sure yet what that is. Can it be static? I mean, can you give me one to test? And can I use the same always? I hope so. If you tell me that is something that changes each time depending on the target that is going to be a very big problem for me. What format does it have? Please, I'd like to ask you about keeping retro-compatibility in easy ways... The scenario is this: we have a wifi card, a target (BSSID) and we want to get PMKID. That's all. Can that be done just launching a hcxdumptool command like before? If not, please take into consideration keeping a mode working like this (as always). Otherwise it could be a very complex process to implement using your tool. But I know you are a very proactive developer and probably will find a solution for this. Thanks in advance.
Let's say the target MAC is 11:22:33:44:55:66 and you would like to get a PMKID of this target: First create as many filters as you want, or combine several MACs in a single filter
Now run The same filter, but it allows retrieving undirected PROBEREQUEST frames, too:
That sounds complex, but it is ultra fast, because we're doing the filtering in kernel space. Please notice that (if running this kind of filter) nearly 75% of the real capabilities of hcxdumptool are unused and you will lose a lot of useful information. It does not make sense to capture a PMKID only or a 4way handshake only and to disregard the rest of the traffic: Please answer this question yourself: With the help of hcxdumptool/hcxtools ~ 2 seconds
And I'm not running a big GPU. A GTX 1650 (mobile) and an ASUS TUF notebook - that's all:
Now please answer the second question yourself BTW:
An example:
You can create these filters (for every purpose) and store them e.g. in the folder filters.
Now the complex explanation:
or c code:
If the code is converted to decimals, hcxdumptool reads this code snippet
and attaches it to the kernel. From now on, the code snippet is active and does the entire filtering for hcxdumptool inside the kernel space.
That is the Linux kernel way to filter traffic.
Ok, let me some time to digest all of this info and to do some tests. I hope the resulting file can be parsed in the same way by hcxpcapngtool without any changes. My conditional command to trigger a successful capture is still this:
Thanks.
The option -m does a little bit more than setting monitor mode.
Conclusion: These are only two improvements. There are a lot more in v6.3.0.
Another powerful tool is tshark. It can be used inside scripts and hcxdumptool pcapng output is 100% compatible to it. You can filter everything, directly on the fly or later on the dump file, e.g. to get all PMKIDs from a pcapng dump file: An overview of the filter options is here: More information is here: Will say, you can remove the entire status display of hcxdumptool before compiling it: Or you can use hcxdumptool real time display in terminal 1 and tshark real time display in terminal 2. Or you can use hcxdumptool with BPF options in terminal 1 and tshark with different filter options in terminal 2. Or you can use hcxdumptool and run tshark later on hcxdumptool's pcapng dump file. I know, that is really hard core, but this is extremely flexible and ultra fast.
I already have the tshark part implemented for later (after getting the pmkid capture) as an option to transform the file from hashcat format to aircrack format. I'm developing right now the base (dependencies, checks etc...), and later I'll do the testing to implement the new way. I'll tell you if I have any issue. Thanks again.
There shouldn't be any more big "show stoppers" - but the improvements are worth it. BTW:
hmmm.... weird. I finished implementing it and I have no errors but also it is not working... nothing is captured. Let's troubleshoot this: After implementing all the validations, tcpdump dependency if >=6.30 version is used and bla, bla, bla, here is the code which constructs the command: tcpdump is constructing the .bpf file in the temp dir well. Then the command is launched and this appears first: Then this other starts after some seconds: But nothing happens until reaching the timeout. I tested it using 20, 30 and 40 seconds. Same result. I double checked after this test using hcxdumptool old v6.0.0 that it is working and PMKID is captured correctly from my AP. As you can see, the channel is 6 from the 2.4ghz band, so I'm adding to the command the Could it be related with the fact that airgeddon is setting monitor mode before and I'm not launching the
Is the target MAC in addr1, addr2 and addr3 of the filter? BTW:
The tcpdump command I'm launching was this:
That part I think is ok because the file is well generated and contains the right content. After some testing, trial and error... I decided to generate traffic to the AP just authenticating a real user to the PMKID vulnerable AP and something was shown, but I think that doesn't mean a PMKID was captured yet. I need to do more tests because my first thoughts about this are that it is not very reliable. At least for the purpose in airgeddon which is to get just a single pmkid from a single target. It is supposed that airgeddon is a pentest tool to be launched over a specific target. That is one of the main reasons to not have "massive or random" attacks to surrounding APs and it's focused on a single target. The reason is that I want it to be used mainly in legal and tailored wifi penetration tests. Let's see if this version finally is able to do what airgeddon needs. Need to do more testing to confirm but for now, I had bad results. I have no more time today to keep testing. I'll keep trying another day.
The BPF is merciless. These frames are filtered out: Explanation is here:
An example to reproduce wrong BPF techniques. To reproduce get the PMKID example hash from: store it to hc22000 file: hc22000 line in detail:
convert it to cap file:
For this example:
unfiltered output:
Correct filtering (by e.g. wlan.bssid):
Now the impact of wrong filtering - we set the BSSID as wlan.ra (tcpdump syntax = wlan addr1):
The impact is huge. All wanted frames are filtered out! Why do I prefer the BPF? The user can decide which tool he would like to use and the way how he will use it. Different filtering, but same result. We filter by transmitter address instead of BSSID:
Now it's up to you to turn your good script into a fantastic script.
So you think I'm not getting the PMKID because the filter is not well prepared? ok, maybe... now let's create the right bpf file using tcpdump. Data and stuff the user has in airgeddon on PMKID menu: BSSID of the target Let's suppose they are: What could the right tcpdump command be to be used later on hcxdumptool to get a PMKID? Right now I have this: And then my hcxdumptool looks like this: Can you help me to generate a better or more precise bpf file to be able to get a PMKID of a target? I'm guessing based on your comments that a better bpf file could be this way: Configuring it and testing it in some minutes... EDIT Tested but it seems I'm not doing something well...
Ok, I was missing the "or" ... I added them and it worked!!!! Finally the tcpdump filter creation command was: And my tshark transformation over the right file worked flawlessly. So I think I have all I need. Thanks for the help and the patience 😄
You're welcome. Would be nice if all this is helpful to improve airgeddon. Correct, this is the "all-in-one" solution that covers the target MAC in addr1 (ra), addr2 (ta) and addr3 (bssid):
great, it works like a charm now. And I must admit it is faster now. I needed to perform so many changes, but it was worth it in the end I think, you were right. The hardest part was to prepare the "structure" to keep it robust validating all and adding the new dependency to be checked only if version >=6.3.0, etc etc... but now it is done, commit here: v1s1t0r1sh3r3/airgeddon@ef71d96 Regards.
I fully agree. BTW:
Not sure if it's worth tuning more. Do you think it could be interesting? As you know, we want only to get the needed stuff to get a valid PMKID and then it is supposed that it is going to be cracked offline. Could the changes that you are suggesting improve this in any way?
Let's say you're hunting for three PMKIDs of three different NETWORKs:
create one filter for the three NETWORKs: and let hcxdumptool hunt for them:
Ok but as I said, in airgeddon everything is done intentionally only for a concrete target. It is designed to perform professional wifi audits. I removed the wlan addr1 and the wlan addr2 leaving only wlan addr3 in the filter which seems to be the only one needed to get the PMKID.
Exactly that is the purpose of the BPF.
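An added illustration (not code from the thread or from hcxdumptool) of the filter semantics ZerBea describes above: the filter emulates tcpdump's `wlan addr1/addr2/addr3` matching on constructed 24-byte 802.11 headers (no radiotap header, which a real compiled BPF program would have to skip), and it also accepts a set of BSSIDs as in the later "three NETWORKs" example. Run it to see that matching on addr1 (wlan.ra) alone drops the beacon and the EAPOL M1 that carries the PMKID, while addr3 (BSSID) keeps the whole exchange.

```python
import struct

# Constructed addresses; 11:22:33:44:55:66 is the target MAC from the thread example.
AP = bytes.fromhex("112233445566")      # target BSSID
CLIENT = bytes.fromhex("aabbccddeeff")  # constructed client MAC
BCAST = b"\xff" * 6

def header(fc, a1, a2, a3):
    """Build a minimal 802.11 MAC header: frame control, duration, addr1..3, sequence control."""
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + b"\x00\x00"

# Constructed sample of what an AP/client exchange looks like on the air.
# Data frames: FromDS (AP->client) puts the client in addr1, ToDS (client->AP) puts the AP in addr1.
FRAMES = {
    "beacon":    header(0x0080, BCAST, AP, AP),
    "probe_req": header(0x0040, BCAST, CLIENT, BCAST),   # undirected probe request
    "assoc_req": header(0x0000, AP, CLIENT, AP),
    "eapol_m1":  header(0x0288, CLIENT, AP, AP),         # AP -> client, carries the PMKID
    "eapol_m2":  header(0x0188, AP, CLIENT, AP),
    "eapol_m3":  header(0x0288, CLIENT, AP, AP),
    "eapol_m4":  header(0x0188, AP, CLIENT, AP),
}

def parse(frame):
    """Return (addr1, addr2, addr3); control frames have no addr3 and are rejected."""
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 == 1:
        raise ValueError("control frame, no addr3")
    return frame[4:10], frame[10:16], frame[16:22]

def keep(frame, bssids, fields=("addr3",)):
    """Emulate 'wlan addrN <mac> or ...': keep if any named field holds one of the BSSIDs."""
    a1, a2, a3 = parse(frame)
    field = {"addr1": a1, "addr2": a2, "addr3": a3}
    return any(field[f] in bssids for f in fields)

def apply_filter(frames, bssids, fields):
    """Names of the frames that survive the filter, in capture order."""
    return [name for name, fr in frames.items() if keep(fr, bssids, fields)]

if __name__ == "__main__":
    for fields in (("addr1",), ("addr2",), ("addr3",), ("addr1", "addr2", "addr3")):
        print(" or ".join(fields), "->", apply_filter(FRAMES, {AP}, fields))
```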
BTW: You should know that it destroys timestamps and removes the M3 and M4 eapol frames (AUTHORIZATION) and leaves M1 and M2 only (CHALLENGE). Example and wpaclean are taken from latest git head aircrack-ng:
we do a clean: And this happens:
M3 and M4 are removed. After the cleaning procedure the user doesn't know if it is a challenge or if the CLIENT is authorized to join the NETWORK.
yeah, don't worry. We know it's not very reliable and sometimes may cause problems in the .cap file. The user is always warned before using it
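An added illustration (not from the thread or from aircrack-ng) of the point above: the four EAPOL-Key messages are told apart by their Key Information flags, so a capture that keeps M3 or M4 proves the client was authorized, while one trimmed to M1/M2 only shows a challenge. The frame layout and flag bits follow the EAPOL-Key descriptor; the sample frames and the 0x008a/0x010a/0x13ca/0x030a flag values are constructed here as typical WPA2 values.

```python
import struct

# EAPOL-Key "Key Information" flag bits (descriptor version sits in bits 0-2, key type in bit 3).
KEY_INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8
KEY_SECURE = 1 << 9

def classify(key_info):
    """Map a Key Information field to M1..M4 of the 4-way handshake."""
    ack, mic = key_info & KEY_ACK, key_info & KEY_MIC
    if ack and not mic:
        return "M1"                       # AP -> STA: ANonce, optionally a PMKID in key data
    if ack and mic and key_info & KEY_INSTALL:
        return "M3"                       # AP -> STA: install PTK, GTK in encrypted key data
    if mic and not ack:
        return "M4" if key_info & KEY_SECURE else "M2"   # STA -> AP
    raise ValueError(f"unrecognised Key Information 0x{key_info:04x}")

def parse_eapol_key(frame):
    """Extract Key Information from an 802.1X EAPOL-Key frame (LLC/SNAP already stripped)."""
    version, ptype, length = struct.unpack_from(">BBH", frame, 0)
    if ptype != 3:
        raise ValueError("not an EAPOL-Key packet")
    descriptor, key_info = struct.unpack_from(">BH", frame, 4)
    return key_info

def build_eapol_key(key_info):
    """Constructed minimal EAPOL-Key frame: 802.1X v2, type Key (3), RSN descriptor (2)."""
    body = struct.pack(">BH", 2, key_info) + b"\x00" * 92   # key length .. key data length zeroed
    return struct.pack(">BBH", 2, 3, len(body)) + body

def handshake_state(messages):
    """Say what a set of captured EAPOL-Key messages actually proves about the client."""
    seen = {classify(parse_eapol_key(m)) for m in messages}
    if {"M3", "M4"} & seen:
        return "authorized (M3/M4 present)"
    if {"M1", "M2"} <= seen:
        return "challenge only (M1/M2): client may not have been authorized"
    return "incomplete"

CAPTURE = [build_eapol_key(k) for k in (0x008a, 0x010a, 0x13ca, 0x030a)]  # M1..M4
CLEANED = CAPTURE[:2]   # what is left after M3 and M4 are dropped

if __name__ == "__main__":
    print([classify(parse_eapol_key(m)) for m in CAPTURE], handshake_state(CAPTURE))
    print([classify(parse_eapol_key(m)) for m in CLEANED], handshake_state(CLEANED))
```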
just upgraded from a version from last year and whilst the new version works I do miss the old style --enable_status=XXX stuff as it was much easier to keep an eye on while doing other stuff