
hcxdumptool

hcxdumptool Description

Small tool to capture packets from wlan devices.

Features:

  • hcxdumptool is able to prevent complete wlan traffic
  • hcxdumptool is able to capture PMKIDs from access points (only one single PMKID from an access point required)
  • hcxdumptool is able to capture handshakes from not connected clients (only one single M2 from the client is required)
  • hcxdumptool is able to capture handshakes from 5GHz clients on 2.4GHz (only one single M2 from the client is required)
  • hcxdumptool is able to capture extended EAPOL (RADIUS, GSM-SIM, WPS)
  • hcxdumptool is able to capture passwords from the wlan traffic
  • hcxdumptool is able to capture plainmasterkeys from the wlan traffic
  • hcxdumptool is able to capture usernames and identities from the wlan traffic

Homepage: https://github.com/ZerBea/hcxdumptool

Author: ZeroBeat

License: MIT

hcxdumptool Help

usage:

hcxdumptool <options>

options:

-i <interface> : interface (monitor mode will be enabled by hcxdumptool)
                 can also be done manually:
                 ip link set <interface> down
                 iw dev <interface> set type monitor
                 ip link set <interface> up
-o <dump file> : output file in pcapng format
                 management frames and EAP/EAPOL frames
                 including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-O <dump file> : output file in pcapng format
                 unencrypted IPv4 and IPv6 frames
                 including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-W <dump file> : output file in pcapng format
                 encrypted WEP frames
                 including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit>     : set scanlist  (1,2,3,...)
                 default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12
                 maximum entries: 127
                 allowed channels:
                 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
                 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 58, 60, 62, 64
                 100, 104, 108, 112, 116, 120, 124, 128, 132,
                 136, 140, 144, 147, 149, 151, 153, 155, 157
                 161, 165, 167, 169, 184, 188, 192, 196, 200, 204, 208, 212, 216
-t <seconds>   : stay time on channel before hopping to the next channel
                 default: 5 seconds
-E <digit>     : EAPOL timeout
                 default: 150000 = 1 second
                 value depends on channel assignment
-D <digit>     : deauthentication interval
                 default: 10 (every 10 beacons)
                 the target beacon interval is used as trigger
-A <digit>     : ap attack interval
                 default: 10 (every 10 beacons)
                 the target beacon interval is used as trigger
-I             : show wlan interfaces and quit
-h             : show this help
-v             : show version

--filterlist=<file>                : mac filter list
                                     format: 112233445566 + comment
                                     maximum line length 255, maximum entries 64
--filtermode=<digit>               : mode for filter list
                                     1: use filter list as protection list (default)
                                     2: use filter list as target list
--disable_active_scan              : do not transmit proberequests to BROADCAST using a BROADCAST ESSID
                                     do not transmit BROADCAST beacons
                                     affected: ap-less and client-less attacks
--disable_deauthentications        : disable transmitting deauthentications
                                     affected: connections between client and access point
                                     deauthentication attacks will not work against protected management frames
--give_up_deauthentications=<digit>: disable transmitting deauthentications after n tries
                                     default: 100 tries (minimum: 4)
                                     affected: connections between client and access point
                                     deauthentication attacks will not work against protected management frames
--disable_disassociations          : disable transmitting disassociations
                                     affected: retry (EAPOL 4/4 - M4) attack
--disable_ap_attacks               : disable attacks on single access points
                                     affected: client-less (PMKID) attack
--give_up_ap_attacks=<digit>       : disable transmitting directed proberequests after n tries
                                     default: 100 tries (minimum: 4)
                                     affected: client-less attack
                                     deauthentication attacks will not work against protected management frames
--disable_client_attacks           : disable attacks on single clients
                                     affected: ap-less (EAPOL 2/4 - M2) attack
--do_rcascan                       : show radio channel assignment (scan for target access points)
--station_vendor=<digit>           : use this VENDOR information for station
                                     0: transmit no VENDOR information (default)
                                     1: Broadcom
                                     2: Apple-Broadcom
                                     3: Sonos
                                     4: Netgear-Broadcom
                                     5: Wilibox Deliberant Group LLC
                                     6: Cisco Systems, Inc
                                     you should disable auto scrolling in your terminal settings
--use_gpsd                         : use GPSD to retrieve position
                                     add latitude, longitude and altitude to every pcapng frame
--save_rcascan=<file>              : output rca scan list to file when hcxdumptool terminated
--save_rcascan_raw=<file>          : output file in pcapng format
                                     unfiltered packets
                                     including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
--enable_status=<digit>            : enable status messages
                                     bitmask:
                                      1: EAPOL
                                      2: PROBEREQUEST/PROBERESPONSE
                                      4: AUTHENTICATION
                                      8: ASSOCIATION
                                     16: BEACON
--help                             : show this help
--version                          : show version
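The --filterlist option above takes a plain file of MAC addresses (12 hex digits, optional comment, at most 255 characters per line and 64 entries) that in the default --filtermode=1 acts as a protection list, so that the access points and clients you own are never targeted during an authorized assessment. The following validator and entry builder is an added example, not part of hcxdumptool itself; it assumes that the comment is separated from the MAC by whitespace, which the help text does not specify, and the sample list is constructed.

```python
import re
from typing import List, Tuple

# Constraints stated in the --filterlist help text above.
MAX_LINE_LEN = 255
MAX_ENTRIES = 64
# One entry per line: 12 hex digits (MAC without separators), then an optional comment.
# Assumption: the comment is separated from the MAC by whitespace.
_ENTRY_RE = re.compile(r"^([0-9a-fA-F]{12})(?:\s+(.*))?$")

def format_entry(mac: str, comment: str = "") -> str:
    """Turn 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff' into a filter-list line."""
    digits = re.sub(r"[:\-.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits} {comment}".rstrip()

def parse_filterlist(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (entries, problems): entries as (mac, comment) with lowercase hex,
    problems as messages an operator should fix before starting a capture."""
    entries: List[Tuple[str, str]] = []
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank line, no entry
        if len(line) > MAX_LINE_LEN:
            problems.append(f"line {lineno}: longer than {MAX_LINE_LEN} characters")
            continue
        m = _ENTRY_RE.match(line.strip())
        if m is None:
            problems.append(f"line {lineno}: expected 12 hex digits plus optional comment: {line!r}")
            continue
        entries.append((m.group(1).lower(), (m.group(2) or "").strip()))
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries, maximum is {MAX_ENTRIES}")
    return entries, problems

# Constructed sample: one protected lab AP with a comment, one bad line, one bare entry.
SAMPLE_FILTERLIST = "001122334455 lab AP, do not attack\nnot-a-mac\n\naabbccddeeff\n"
```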

Do not use a logical interface and leave the physical interface in managed mode.

Do not use hcxdumptool in combination with aircrack-ng, reaver, bully or other tools which take access to the interface.

Stop all services which take access to the physical interface (NetworkManager, wpa_supplicant, ...).

Do not use tools like macchanger; they are useless here, because hcxdumptool uses its own random MAC address space.

hcxdumptool Usage Example

Use the wireless interface wlp39s0f3u4u5 (-i wlp39s0f3u4u5); it is switched to monitor mode automatically. Save the captured frames to a pcapng file (-o output.pcapng), stay on each channel for 5 seconds (-t 5), and show EAPOL messages and PROBEREQUEST/PROBERESPONSE frames (--enable_status=3):

sudo hcxdumptool -i wlp39s0f3u4u5 -o output.pcapng -t 5 --enable_status=3

Example output:

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
FILTERLIST...............: 0 entries
MAC CLIENT...............: f0a225a8faa8
MAC ACCESS POINT.........: 00bb3a4250d5 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 61585
ANONCE...................: 765e00f3f9788ebf2df96c69ee9806b19df6105b2c39b389d76d4d85ee5f0f66

[10:37:11 - 001] 00156d9a26c0 -> f0a225a8faa8 Anan Apartment [PROBERESPONSE, SEQUENCE 2696, AP CHANNEL 1]
[10:37:12 - 001] 6c8dc120891f -> ffffffffffff Anan Apartment [PROBEREQUEST, SEQUENCE 2643]
[10:37:12 - 001] 00bb3a4250d6 -> 6c8dc120891f Anan Apartment [PROBERESPONSE, SEQUENCE 0, AP CHANNEL 1]
[10:37:12 - 001] 70778110c833 -> 00156d9a26c0  [PROBEREQUEST, SEQUENCE 256]
[10:37:32 - 009] 403decc272b8 -> 2c5bb8742b39 Paangoon_2G [PROBERESPONSE, SEQUENCE 1940, AP CHANNEL 9]
[10:37:36 - 011] ec1f72b8f3d1 -> f0a225a8faa8 Muay [PROBERESPONSE, SEQUENCE 2902, AP CHANNEL 11]
[10:37:38 - 011] 083e8eaa328b -> ffffffffffff Muay [PROBEREQUEST, SEQUENCE 9]
[10:37:38 - 011] 00bb3a4250d7 -> 083e8eaa328b Muay [PROBERESPONSE, SEQUENCE 9, AP CHANNEL 11]
[10:37:39 - 011] 083e8eaa328b -> ec1f72b8f3d1 [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 14306]
[10:37:39 - 011] ec1f72b8f3d1 -> 083e8eaa328b [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 7419]
[10:37:50 - 002] 4c189a2fb76e -> ffffffffffff Topline_Wifi [PROBEREQUEST, SEQUENCE 344]
[10:37:50 - 002] 00bb3a4250d8 -> 4c189a2fb76e Topline_Wifi [PROBERESPONSE, SEQUENCE 10, AP CHANNEL 2]
[10:38:01 - 008] b6b98a73aa05 -> f0a225a8faa8 Panmongkon [PROBERESPONSE, SEQUENCE 1433, AP CHANNEL 8]
[10:38:01 - 008] b6b98a73e88a -> f0a225a8faa8 Panmongkon [PROBERESPONSE, SEQUENCE 3790, AP CHANNEL 8]
[10:38:20 - 001] 74da38b04d5a -> ffffffffffff seasun [PROBEREQUEST, SEQUENCE 3235]
[10:38:20 - 001] 00bb3a4250d9 -> 74da38b04d5a seasun [PROBERESPONSE, SEQUENCE 25, AP CHANNEL 1]
INFO: cha=9, rx=13802, rx(dropped)=1073, tx=319, powned=2, err=0
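The status lines above have a fixed shape ([time - channel] src -> dst ESSID [EVENT, KEY VALUE, ...]) and the run ends with an INFO counter line, which makes them easy to turn into structured records, for example to see after a test which networks produced a FOUND event and how many frames were sent and received. The parser below is an added example, not code from hcxdumptool; the sample input is copied from the example output above.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Status line layout as printed with --enable_status (see the example output above):
#   [HH:MM:SS - CCC] <src mac> -> <dst mac> <ESSID, may be empty> [<EVENT>, <KEY VALUE>, ...]
_STATUS_RE = re.compile(
    r"^\[(?P<time>\d\d:\d\d:\d\d) - (?P<channel>\d{3})\] (?P<src>[0-9a-f]{12}) -> "
    r"(?P<dst>[0-9a-f]{12}) ?(?P<essid>.*?) ?\[(?P<detail>[^\]]*)\]$"
)
# Lines copied from the example output above, used here as sample input.
SAMPLE_OUTPUT = [
    "[10:37:11 - 001] 00156d9a26c0 -> f0a225a8faa8 Anan Apartment [PROBERESPONSE, SEQUENCE 2696, AP CHANNEL 1]",
    "[10:37:12 - 001] 70778110c833 -> 00156d9a26c0  [PROBEREQUEST, SEQUENCE 256]",
    "[10:37:39 - 011] 083e8eaa328b -> ec1f72b8f3d1 [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 14306]",
    "[10:37:39 - 011] ec1f72b8f3d1 -> 083e8eaa328b [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 7419]",
    "INFO: cha=9, rx=13802, rx(dropped)=1073, tx=319, powned=2, err=0",
]

def parse_status_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one bracketed status line into a dict; return None for any other line."""
    m = _STATUS_RE.match(line.strip())
    if m is None:
        return None
    fields = [f.strip() for f in m.group("detail").split(",")]
    rec: Dict[str, object] = {"time": m.group("time"), "channel": int(m.group("channel")),
                              "src": m.group("src"), "dst": m.group("dst"),
                              "essid": m.group("essid"), "event": fields[0]}
    for field in fields[1:]:  # "SEQUENCE 2696", "AP CHANNEL 1", "EAPOL TIMEOUT 14306", ...
        key, _, value = field.rpartition(" ")
        rec[key.lower().replace(" ", "_")] = int(value) if value.isdigit() else value
    return rec

def parse_info_line(line: str) -> Optional[Dict[str, int]]:
    # Closing counter line: "INFO: cha=9, rx=13802, rx(dropped)=1073, tx=319, powned=2, err=0"
    if not line.startswith("INFO: "):
        return None
    pairs = (item.strip().partition("=") for item in line[len("INFO: "):].split(","))
    return {k: int(v) for k, _, v in pairs}

def summarize(lines: List[str]) -> Dict[str, object]:
    events: Counter = Counter()            # how many lines of each event type
    found: List[Dict[str, object]] = []    # every FOUND event (a captured handshake)
    counters: Dict[str, int] = {}          # the final INFO counters
    for line in lines:
        rec = parse_status_line(line)
        if rec is not None:
            events[str(rec["event"])] += 1
            if str(rec["event"]).startswith("FOUND"):
                found.append(rec)
        else:
            counters = parse_info_line(line) or counters
    return {"events": dict(events), "found": found, "counters": counters}
```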

How to install hcxdumptool

Installation on Kali Linux

git clone https://github.com/ZerBea/hcxdumptool
cd hcxdumptool/
make
sudo make install

Installation on BlackArch

sudo pacman -S hcxdumptool
