hcxdumptool
hcxdumptool Description
A small tool for capturing packets from wireless network devices and detecting weaknesses in Wi-Fi networks (for example, PreSharedKey or PlainMasterKey are transmitted unencrypted by the CLIENT).
The pcapng capture format is compatible with Wireshark and tshark.
hcxdumptool is for analysis. This means everything is requested/saved by default. Unwanted information must be filtered later, offline.
Program features:
- complete blocking of wlan traffic
- can capture PMKIDs from access points (requires only one PMKID from access point) (use hcxpcapngtool to convert them to a format understandable by hashcat and/or JtR)
- can capture handshakes from unconnected clients (requires only one single M2 from the client) (use hcxpcapngtool to convert them to a format understandable by hashcat and/or JtR)
- can capture handshakes from 5/6 GHz clients on 2.4 GHz (requires only one single M2 from client) (use hcxpcapngtool to format to hashcat or JtR hash)
- can capture passwords from wlan traffic (use hcxpcapngtool -E to save them to file along with network names)
- can query and capture extended EAPOL (RADIUS, GSM-SIM, WPS) (hcxpcapngtool will show you info about them)
- can collect IDs from wireless network traffic (for example: request IMSI numbers from mobile phones – use hcxpcapngtool -I to save them to a file)
- can capture usernames from wlan traffic (eg: server authentication username – use hcxpcapngtool -U to save them to a file)
Homepage: https://github.com/ZerBea/hcxdumptool
Author: ZeroBeat
License: MIT
hcxdumptool Help
Usage:
hcxdumptool <options>
Options:
short options: -i <interface> : interface (monitor mode will be enabled by hcxdumptool) it is mandatory that the driver support ioctl() system calls, monitor mode and full packet injection! -o <dump file> : output file in pcapng format, filename '-' outputs to stdout, '+' outputs to client including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -f <frames> : frames to save bitmask: 0: clear default values 1: MANAGEMENT frames (default) 2: EAP and EAPOL frames (default) 4: IPV4 frames 8: IPV6 frames 16: WEP encrypted frames 32: WPA encrypted frames 64: vendor defined frames (AWDL) to clear default values use -f 0 first, followed by desired frame type (e.g. -f 0 -f 4) -c <digit> : set frequency (2437,2462,5600,...) or channel (1,2,3, ...) default: auto frequency/auto band maximum entries: 255 0 - 1000 treated as channel > 1000 treated as frequency in MHz on 5GHz and 6Ghz it is recommended to use frequency instead of channel number because channel numbers are not longer unique standard 802.11 channels (depend on device, driver and world regulatory domain): https://en.wikipedia.org/wiki/List_of_WLAN_channels -s <digit> : set predefined scanlist 0 = auto frequency/auto band (default) 1 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (optimized 2.4GHz) 2 = 1,2,3,4,5,6,7,8,9,10,11,12,13 (standard 2.4 GHz) 3 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165 (standard 5GHz) 4 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165 (standard 2.4GHz/5GHz) -t <seconds> : stay time on frequency before hopping to the next channel default 4 seconds -m <interface> : set monitor mode by ioctl() system call and quit -I : show WLAN interfaces and quit -C : show available device channels and quit if no frequencies are available, interface is probably in use or doesn't support monitor mode if additional frequencies are available, firmware, driver and regulatory domain is probably patched -h : show this help -v : show version long options: --do_rcascan : show radio channel assignment (scan for target access points) this can be used to test that ioctl() calls and packet injection is working if you got no HIT, packet injection is possible not working also it can be used to get information about the target and to determine that the target is in range use this mode to collect data for the filter list run this mode at least for 2 minutes to save all received raw packets use option -o default scanlist: channel 1 ...13 --rcascan_max=digit> : show only n highest ranking lines default: 256 lines --rcascan_order=digit> : rcascan sorting order: 0 = sort by PROBERESPONSE count (default) 1 = sort by BEACON count 2 = sort by CHANNEL --do_targetscan=<MAC_AP> : same as do_rcascan - hide all networks, except target format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 --reason_code=<digit> : deauthentication reason code recommended codes: 1 WLAN_REASON_UNSPECIFIED 2 WLAN_REASON_PREV_AUTH_NOT_VALID 4 WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY 5 WLAN_REASON_DISASSOC_AP_BUSY 6 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA 7 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA (default) 9 WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH --disable_client_attacks : do not attack clients affected: ap-less (EAPOL 2/4 - M2) attack --stop_client_m2_attacks=<digit> : stop attacks against CLIENTS after 10 M2 frames received affected: ap-less (EAPOL 2/4 - M2) attack require hcxpcangtool --all option --disable_ap_attacks : do not attack access points affected: connected clients and client-less (PMKID) attack --stop_ap_attacks=<digit> : stop attacks against ACCESS POINTs if <n> BEACONs received default: stop after 600 BEACONs --resume_ap_attacks=<digit> : resume attacks against ACCESS POINTs after <n> BEACONs received default: 864000 BEACONs --disable_deauthentication : do not send deauthentication or disassociation frames affected: conntected clients --silent : do not transmit! hcxdumptool is acting like a passive dumper expect possible packet loss --eapoltimeout=<digit> : set EAPOL TIMEOUT (microseconds) default: 20000 usec --eapoleaptimeout=<digit> : set EAPOL EAP TIMEOUT (microseconds) over entire request sequence default: 2500000 usec --bpfc=<file> : input kernel space Berkeley Packet Filter (BPF) code affected: incoming and outgoing traffic - that include rca scan steps to create a BPF (it only has to be done once): set hcxdumptool monitormode $ hcxdumptool -m <interface> create BPF to protect a MAC $ tcpdump -i <interface> not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf recommended to protect own devices or create BPF to attack a MAC $ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 -ddd > attack.bpf it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req) see man pcap-filter for a list of all filter options to use the BPF code $ hcxdumptool -i <interface> --bpfc=attack.bpf ... notice: this is a protect/attack, a capture and a display filter --filtermode=<digit> : user space filter mode for filter list mandatory in combination with --filterlist_ap and/or --filterlist_client affected: only outgoing traffic notice: hcxdumptool act as passive dumper and it will capture the whole traffic on the channel 0: ignore filter list (default) 1: use filter list as protection list do not interact with ACCESS POINTs and CLIENTs from this list 2: use filter list as target list only interact with ACCESS POINTs and CLIENTs from this list not recommended, because some useful frames could be filtered out using a filter list doesn't have an affect on rca scan only for testing useful - devices to be protected should be added to BPF notice: this filter option will let hcxdumptool protect or attack a target - it is neither a capture nor a display filter --filterlist_ap=<file or MAC> : ACCESS POINT MAC or MAC filter list format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment maximum entries 256 run first --do_rcascan to retrieve information about the target --filterlist_ap_vendor=<file> : ACCESS POINT VENDOR filter list by VENDOR format: 112233, 11:22:33, 11-22-33 # comment maximum entries 256 run first --do_rcascan to retrieve information about the target --filterlist_client=<file or MAC> : CLIENT MAC or MAC filter list format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment maximum entries 256 due to MAC randomization of the CLIENT, it does not always work! --filterlist_client_VENDOR=<file> : CLIENT VENDOR filter list format: 112233, 11:22:33, 11-22-33 # comment maximum entries 256 due to MAC randomization of the CLIENT, it does not always work! --weakcandidate=<password> : use this pre shared key (8...63 characters) for weak candidate alert will be saved to pcapng to inform hcxpcaptool default: 12345678 --essidlist=<file> : transmit beacons from this ESSID list maximum total entries: 256 ESSIDs --essidlist_wpaent=<file> : transmit WPA-Enterprise-only beacons from this ESSID list maximum total entries: 256 ESSIDs --active_beacon : transmit beacon from collected ESSIDs and from essidlist once every 10000000 nsec affected: ap-less --flood_beacon : transmit beacon on every received beacon affected: ap-less --all_m2 : accept all connection attempts from a CLIENT affected: CLIENTs warning: that can prevent that a CLIENT can establish a connection to an assigned ACCESS POINT --infinity : prevent that a CLIENT can establish a connection to an assigned ACCESS POINT affected: ACCESS POINTs and CLIENTs --beaconparams=<TLVs> : update or add Information Elements in all reactive and essidlist beacons maximum 50 IEs as TLV hex string, tag id 0 (ESSID) will be ignored, tag id 3 (channel) overwritten multiple IEs with same tag id are added, default IE is overwritten by the first --wpaent : enable announcement of WPA-Enterprise in beacons and probe responses in addition to WPA-PSK --eapreq=[:] [: ],... send max. 20 subsequent EAP requests after initial EAP ID request, hex string starting with EAP Type mode prefix determines layer the request is exclusively send on: T: = only if any TLS tunnel is up, ignored otherwise response is terminated with: :F = EAP Failure :S = EAP Success :I = EAP ERP Initiate :F = EAP ERP Finish :D = Deauthentication :T = TLS shutdown :- = no packet default behavior is terminating all responses with a EAP Failure, after last one the client is deauthenticated --eapreq_follownak : jump to Auth Type requested by client in Legacy Nak response, if type available in remaining request sequence --eaptlstun : activate TLS tunnel negotiation and Phase 2 EAP requests when requesting PEAP using --eapreq requires --eap_server_cert and --eap_server_key --eap_server_cert=<server.pem> : EAP TLS tunnel Server cert PEM file --eap_server_key=<server.key> : EAP TLS tunnel Server private key file --use_gps_device=<device> : use GPS device /dev/ttyACM0, /dev/ttyUSB0, ... NMEA 0183 $GPGGA $GPGGA --use_gpsd : use GPSD device NMEA 0183 $GPGGA, $GPRMC --nmea=<file> : save track to file format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL to convert it to gpx, use GPSBabel: gpsbabel -i nmea -f hcxdumptool.nmea -o gpx -F file.gpx to display the track, open file.gpx with viking --gpio_button=<digit> : Raspberry Pi GPIO pin number of button (2...27) default = GPIO not in use --gpio_statusled=<digit> : Raspberry Pi GPIO number of status LED (2...27) default = GPIO not in use --gpio_statusled_intervall=<digit> : Raspberry Pi GPIO LED flash intervall default = flash every 5 seconds --tot=<digit> : enable timeout timer in minutes (minimum = 2 minutes) hcxdumptool will terminate if tot reached (EXIT code = 2) for a successful attack tot > 120 minutes recommended --error_max=<digit> : terminate hcxdumptool if error maximum reached default: 100 errors --reboot : once hcxdumptool terminated, reboot system --poweroff : once hcxdumptool terminated, power off system --enable_status=<digit> : enable real-time display (waterfall) only incoming traffic each message is displayed only once at the first occurrence to avoid spamming the real-time display bitmask: 0: no status (default) 1: EAPOL 2: ASSOCIATION and REASSOCIATION 4: AUTHENTICATION 8: BEACON and PROBERESPONSE 16: ROGUE AP 32: GPS (once a minute) 64: internal status (once a minute) 128: run as server 256: run as client 512: EAP 1024: EAP NAK characters < 0x20 && > 0x7e are replaced by . example: show everything but don't run as server or client (1+2+4+8+16 = 31) show only EAPOL and ASSOCIATION and REASSOCIATION (1+2 = 3) --ip=<IP address> : define IP address for server / client (default: 224.0.0.255) multicast, localhost or client unicast IP address on both sides --server_port=<digit> : define port for server status output (1...65535) : default IP: 224.0.0.255 : default port: 60123 --client_port=<digit> : define port for client status read (1...65535) default IP: 224.0.0.255 default port: 60123 --check_driver : run several tests to determine that driver support all(!) required ioctl() system calls the driver must support monitor mode and full packet injection otherwise hcxdumptool will not work as expected --check_injection : run antenna test and packet injection test to determine that driver support full packet injection packet injection will not work as expected if the Wireless Regulatory Domain is unset --force_interface : ignore all ioctl() warnings and error counter allow hcxdumptool to run on a virtual NETLINK monitor interface warning: packet injection and/or channel change may not work as expected you have been warned: do not report issues! --example : show abbreviations and example command lines --help : show this help --version : show version
Recommended usage guidelines
Do not use a logical interface and leave the physical interface in managed mode.
Do not use hcxdumptool in combination with aircrack-ng, reaver, bully or other tools which takes access to the interface.
Stop all services which takes access to the physical interface (NetworkManager, wpa_supplicant,…).
Do not use tools like macchanger, as they are useless, because hcxdumptool uses its own random mac address space.
Work flow
The sequence of using the tools is as follows: hcxdumptool → hcxpcapngtool → hcxhashtool (additional hcxpsktool/hcxeiutool) → hashcat or JtR
- hcxdumptool: attack and capture everything (depending on options)
- hcxpcapngtool: convert everything
- hcxhashtool: filter hashes
- hcxpsktool: get weak PSK candidates
- hcxeiutool: calculate wordlists from ESSID
- hashcat or JtR: get PSK from hash
Recommendations
- Make sure that the Wireless Regulatory Domain is not unset!
- Run
sudo hcxdumptool -i interface --do_rcascan
for at least 30 seconds, to get information about the target!
- Do not edit, merge or convert this pcapng files, because it will remove optional comment fields!
- It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this, as well as wpa-sec.stanev.org.
- If hcxdumptool captured your password from WiFi traffic, you should check all your devices immediately!
- If you use GPS, make sure GPS device is inserted and has a GPS FIX, before you start hcxdumptool!
- Recommended tools to show additional 802.11 fields or to decrypt WiFi traffic: Wireshark and/or tshark
- Recommended tool to convert hashes to formats that hashcat and JtR understand: hcxpcapngtool
- Recommended tool to get possible PSKs from pcapng file: hcxpcapngtool
- Important notice: Using filter options, could cause that some useful frames are filtered out! In that case hcxpcapngtool will show a warning that this frames are missing!
- Use SIGHUB with care, because it will impact pselect()
Abbreviations
- PMKIDROGUE = PMKID requested from ACCESS POINT by hcxdumptool
- M1M2ROGUE = M2 requested from CLIENT by hcxdumptool
- M1M2 = CHALLENGE MESSAGE PAIR
- M2M3 = AUTHORIZED MESSAGE PAIR
- M3M4 = AUTHORIZED MESSAGE PAIR
- M1M4ZEROED = M4 SNONCE is zeroed and cannot be used to calculate MESSAGE PAIR
- M3M4ZEROED = M4 SNONCE is zeroed and cannot be used to calculate MESSAGE PAIR
- KDV0 = Key Descriptor Version 0 = Authentication Management Key defined
- KDV1 = Key Descriptor Version 1 = WPA1 HMAC-MD5
- KDV2 = Key Descriptor Version 2 = WPA2 HMAC-SHA1
- KDV3 = Key Descriptor Version 3 = WPA2 AES-128-CMAC
hcxdumptool Usage Example
Use the wireless interface (-i wlp39s0f3u4u5), it will be automatically switched to monitor mode, save the captured frames to a pcapng file (-o output.pcapng), stay on each channel for 5 seconds (-t 5), show EAPOL messages and PROBEREQUEST/PROBERESPONSE (--enable_status=3):
sudo hcxdumptool -i wlp39s0f3u4u5 -o output.pcapng -t 5 --enable_status=3
Example output:
start capturing (stop with ctrl+c) NMEA 0183 SENTENCE........: N/A INTERFACE NAME............: wlp0s20f0u2 INTERFACE PROTOCOL........: IEEE 802.11 INTERFACE TX POWER........: 36 dBm (lowest value reported by the device) INTERFACE HARDWARE MAC....: 00c0ca96cfcb (not used for the attack) INTERFACE VIRTUAL MAC.....: 00c0ca96cfcb (not used for the attack) DRIVER....................: ath9k_htc DRIVER VERSION............: 5.16.8-arch1-1 DRIVER FIRMWARE VERSION...: 1.4 openSSL version...........: 1.1 ERRORMAX..................: 100 errors BPF code blocks...........: 0 FILTERLIST ACCESS POINT...: 0 entries FILTERLIST CLIENT.........: 0 entries FILTERMODE................: unused WEAK CANDIDATE............: 12345678 ESSID list................: 0 entries ACCESS POINT (ROGUE)......: 000e1726743a (BROADCAST HIDDEN used for the attack) ACCESS POINT (ROGUE)......: 000e1726743b (BROADCAST OPEN used for the attack) ACCESS POINT (ROGUE)......: 000e1726743c (used for the attack and incremented on every new client) CLIENT (ROGUE)............: b025aac62e0f EAPOLTIMEOUT..............: 20000 usec EAPOLEAPTIMEOUT...........: 2500000 usec REPLAYCOUNT...............: 62969 ANONCE....................: 5630c66168cdb3f4a93da3509541b808afd72bf2e848576f822b8ddd3e6a1006 SNONCE....................: 3f4872fcafb3165345aa603842c7f01039763994419cbd80ada5fa239f7673bf 10:28:24 2412/1 ffffffffffff c891f9c7eff6 RT-728005 [BEACON] 10:28:24 2412/1 ffffffffffff 142e5e5636f0 RT-WiFi-36EE [BEACON] 10:28:24 2412/1 ffffffffffff e4186b1abe4c 114 [BEACON] 10:28:24 2412/1 ffffffffffff e8377a94a520 Keenetic-1606 [BEACON] 10:28:25 2412/1 7aa0dc189b9b c891f9c7eff6 RT-728005 [PROBERESPONSE] 10:28:25 2412/1 7aa0dc189b9b e4186b1abe4c 114 [PROBERESPONSE] 10:28:25 2412/1 ffffffffffff 6466b3489a20 TP-LINK_489A20 [BEACON] 10:28:26 2412/1 ffffffffffff f0b4d29f8889 DIR-615-8888 [BEACON] 10:28:26 2412/1 ffffffffffff bc0f9a24a294 DIR-615-A293 [BEACON] 10:28:28 2412/1 ffffffffffff 78321b502db0 DIR-615 [BEACON] 10:28:28 2412/1 b025aac62e0f c891f9c7eff6 RT-728005 [PMKIDROGUE:7a611b478d7ad30d13f884033de72a6d KDV:2] 10:28:33 2412/1 daa119a3ce9b 6466b3489a20 TP-LINK_489A20 [PROBERESPONSE] 10:28:36 2412/1 d8a98ba2e8f8 f0b4d29f8889 DIR-615-8888 [PROBERESPONSE] 10:28:39 2412/1 304a261d7203 bc0f9a24a294 DIR-615-A293 [PROBERESPONSE] 10:28:48 2412/1 52983911000d e8377a94a520 Keenetic-1606 [PROBERESPONSE] 10:28:52 2412/1 ffffffffffff 24d3f2aa99a5 RT-WiFi_66 [BEACON] 10:29:25 2412/1 4c6371e0e52e 142e5e5636f0 RT-WiFi-36EE [PROBERESPONSE] 10:29:42 2412/1 d8c0a6b19e25 78321b503d48 DIR-615-3D47 [PROBERESPONSE] 10:30:00 2417/2 ffffffffffff d8af817653ce RT-WiFi-53CD [BEACON] 10:30:00 2417/2 ffffffffffff ec43f6dc7d68 Jenechka [BEACON] 10:30:00 2417/2 ffffffffffff 045ea4543b86 [HIDDEN BEACON] 10:30:02 2417/2 402f86f57436 ec43f6dc7d68 Jenechka [PROBERESPONSE] 10:30:08 2417/2 304a261d7203 d8af817653ce RT-WiFi-53CD [PROBERESPONSE] 10:30:11 2417/2 ffffffffffff c471544fbb30 TP-LINK_BB30 [BEACON] 10:30:26 2417/2 9444443388b6 000e1726743e Moto G (5S) Plus 110282 [AUTHENTICATION] 10:30:26 2417/2 9444443388b6 000e1726743e Moto G (5S) Plus 110282 [ASSOCIATION] 10:30:44 2417/2 9444443388b6 000e1726743e Moto G (5S) Plus 110282 [REASSOCIATION] 10:30:57 2417/2 ffffffffffff f8f082b2d0df trytek_76 [BEACON] 10:31:47 2417/2 008e7af12a6e 000e1726743f RT-104 [AUTHENTICATION] 10:31:47 2417/2 008e7af12a6e 000e1726743f RT-104 [ASSOCIATION] 10:31:47 2417/2 008e7af12a6e 000e1726743f RT-104 [EAPOL:M1M2ROGUE EAPOLTIME:169 RC:62969 KDV:2] 10:31:57 2417/2 586356f41838 c471544fbb30 TP-LINK_BB30 [PROBERESPONSE] 10:32:00 2422/3 ffffffffffff f81a67494462 Old'est_WEB [BEACON] 10:32:05 2422/3 daa119f66eb6 e865d48431c1 Tenda_8431C0 [PROBERESPONSE]
Modified Raspberry Pi, aggressive mode with deauthentication (default), mobile (fast switching between channels, this is the default), targets APs (default) and CLIENTS (--active_beacon):
sudo hcxdumptool --gpio_button=4 --gpio_statusled=17 -i wlan0 -o dump.pcapng --poweroff --stop_ap_attacks=6000 --resume_ap_attacks=12000 --bpfc=own.bpfc --essidlist=beaconlist --active_beacon
Modified Raspberry Pi, stationary (long switching between channels “-t 120”), targets CLIENTS (--disable_deauthentication --disable_ap_attacks --active_beacon):
sudo hcxdumptool --gpio_button=4 --gpio_statusled=17 -i wlan0 -o dump.pcapng --tot=1440 --bpfc=own.bpfc --disable_deauthentication --disable_ap_attacks --active_beacon -c 1,3,5,7,9,11,2,4,6,8,10 -t 120
Client-only EAP probing attack using tunneled PEAP sequence MS-CHAP-V2, EAP-MD5, GTC:
sudo hcxdumptool -i wlan0 -t 120 -o dump.pcapng --enable_status=1567 --disable_deauthentication --disable_ap_attacks --wpaent --eaptlstun --eap_server_cert=server.crt --eap_server_key=server.key --eapreq=1921:-,T:1a0104001610000102030405060708090a0b0c0d0e0f20:-,T:04010020:-,T:06:-
How to install hcxdumptool
Installation on Kali Linux
sudo apt install hcxdumptool
Installation on BlackArch
sudo pacman -S hcxdumptool
Installation on Debian, Linux Mint, Ubuntu and their derivatives
sudo apt install libssl1.1 libssl-dev git git clone https://github.com/ZerBea/hcxdumptool cd hcxdumptool/ make sudo make install
hcxdumptool Screenshots
hcxdumptool Tutorials
- Hacking Wi-Fi without users
- USB Wi-Fi Adapters with monitor mode and wireless injection (100% compatible with Kali Linux)
- Wi-Fi security audit improved: new tools, hash, and techniques
- Wi-Fi security audit with Hashcat and hcxdumptool
Related tools
- Airmon-ng (93.4%)
- WiFite (59%)
- Aircrack-ng (Tool) (59%)
- Router Scan (59%)
- Fern Wifi Cracker (59%)
- WiFi-autopwner (RANDOM - 56.3%)
Comments are Closed