Workflow: hcxdumptool/hcxlabtool -> hcxpcapngtool (and hcxeiutool to create wordlists) -> hcxhashtool -> hcxpsktool -> hashcat
A modern tool to capture packets from wlan devices and to detect weak points within your own WiFi networks.
hcxdumptool runs several tests to determine whether ACCESS POINTs or CLIENTs are vulnerable.
IMPORTANT!
It is mandatory that chipset and driver support monitor mode and full packet injection!
Do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng or iw.
Do not run hcxdumptool on virtual machines or emulators.
Do not run hcxdumptool in combination with tools (channel hoppers) that take access to the interface (exceptions: tshark, wireshark, tcpdump).
Do not use tools like macchanger, because hcxdumptool runs its own MAC space and will ignore these changes.
Stop all services (e.g. wpa_supplicant.service, NetworkManager.service) that take access to the interface.
1. Identify the interface and the processes that interfere with hcxdumptool
┌──(freeroute㉿Orion-Nebula)-[~]
└─$ hcxdumptool -I
wlan interfaces:
d85d4c9692a8 wlan0 (ath9k_htc) warning:spoofed MAC bea867f1a5f0 detected
Note: many network managers and macchanger use MAC randomization.
hcxdumptool detects and ignores these spoofed MACs because it uses its own MAC randomization.
2. Stop all services that are accessing the WLAN device (e.g.: NetworkManager.service and wpa_supplicant.service)
┌──(freeroute㉿Orion-Nebula)-[~]
└─$ sudo systemctl stop NetworkManager.service
[sudo] password for freeroute:
┌──(freeroute㉿Orion-Nebula)-[~]
└─$ sudo systemctl stop wpa_supplicant.service
3. Check driver
┌──(freeroute㉿Orion-Nebula)-[~]
└─$ sudo hcxdumptool -i wlan0 --check_driver 3 ⨯
initialization of hcxdumptool 6.2.5-15-gb715530...
starting driver test...
driver tests passed...
all required ioctl() system calls are supported by driver
terminating...
4. Check that packet injection is working (run it for at least 13 * 5 seconds)
IMPORTANT!
Run hcxdumptool -i wlan0 --do_rcascan for at least 30 seconds to get information about the target!
┌──(freeroute㉿Orion-Nebula)-[~]
└─$ sudo hcxdumptool -i wlan0 --do_rcascan
BSSID FREQ CH RSSI BEACON RESPONSE ESSID SCAN-FREQ: 2457 INJECTION-RATIO: 59% [14:46:01]
-----------------------------------------------------------------------------------------------------
c83a355d9118 2447 8 -108 23 25 Tenda_5D9238
a08cf86fea74 2447 8 -108 26 18 T-6FEA25
8416f9af58d8 2447 8 -108 25 14 bbikes
68ff7b73b352 2432 5 -123 18 13 freeroute_2G
50c7bfba53f7 2412 1 113 12 13 TP-LINK_57F8
04b0e7c77a20 2442 7 -113 23 12 T-C67A10
c88d83e78698 2452 9 -108 14 9 T-E5868B
2059a0b4a130 2412 1 118 6 9 a0b4B130
f417b87de15a 2412 1 113 5 5 Geza_halo2
c88d83e78424 2412 1 108 1 5 T-E68416
346b46797a46 2412 1 113 5 4 Telekom-baFsXr
9055de680f18 2432 5 -128 3 4 TEST_640f18
9055de09a558 2412 1 108 2 4 TEST_09b558
50c7bf2337ee 2452 9 -108 0 3 KB25
28d127f80d1e 2442 7 -113 13 2 T-C77B10_plus
2c56dc8a0200 2412 1 113 11 2 V_T
dc21e222891c 2427 4 123 1 2 TEST-dcsz
ac9e178e6328 2437 6 -123 1 1 Pista-NewLink
6eff7b73b352 2432 5 -123 14 0
f417b87de156 2437 6 -118 11 0 Geza_halo2
28b448211b0c 2432 5 -128 5 0 T-231AFC
9017ace923b4 2412 1 108 4 0 T-E523A4
dc21e2228a7c 2422 3 118 4 0 TEST-t42e
44adb1e4cf68 2422 3 118 3 0 Mesa 2,4 Ghz
6889c1e321d8 2452 9 -108 4 0 T-E321CA
9017ace94df0 2452 9 -108 3 0 T-E54DE0
f86eee0ad838 2412 1 108 2 0 T-0AF82B
9055de6c3ba0 2412 1 108 2 0 TEST_6d3ba0
74a78eef5566 2412 1 108 2 0 BU
6889c1e30cec 2412 1 108 2 0 T-E20CDF
1c5f2bdaec9c 2417 2 118 2 0 Andruj
1c5f2bf40697 2432 5 -128 2 0 Amazon2.4Ghz
9055de0929e8 2412 1 108 1 0 TEST_0925e8
b09575886c8f 2432 5 -128 1 0 Pachnet
10feedbede4e 2437 6 -123 1 0 szilveszter
^C
terminating...
2 driver errors encountered
3 radiotap errors encountered
If the RESPONSE values increase and APs are in range, start the attack; otherwise hcxdumptool will inform you that packet injection is not working as expected.
5. Check injection
┌──(freeroute㉿Orion-Nebula)-[~]
└─# hcxdumptool -i wlan0 --check_injection 127 ⨯
initialization of hcxdumptool 6.2.5-20-g08842f2...
starting antenna test and packet injection test (that can take up to two minutes)...
stage 2 of 2 probing frequency 2484/14 proberesponse 483
packet injection is working on 2.4GHz!
injection ratio: 36% (BEACON: 1312 PROBERESPONSE: 483)
your injection ratio is average, but there is still room for improvement
antenna ratio: 53% (NETWORK: 58 PROBERESPONSE: 31)
your antenna ratio is good
terminating...
6. Attack and capture everything
Show options
hcxdumptool -h
IMPORTANT!
Do not edit, merge or convert these pcapng files, because doing so removes the optional comment fields!
┌──(freeroute㉿Orion-Nebula)-[~/test/hcxdump]
└─$ sudo hcxdumptool -i wlan0 -o hcxdump_test.pcapng --enable_status=15 1 ⨯
initialization of hcxdumptool 6.2.5-15-gb715530...
start capturing (stop with ctrl+c)
NMEA 0183 SENTENCE........: N/A
INTERFACE NAME............: wlan0
INTERFACE PROTOCOL........: IEEE 802.11
INTERFACE TX POWER........: 20 dBm (lowest value reported by the device)
INTERFACE HARDWARE MAC....: d85d4c9692a8 (not used for the attack)
INTERFACE VIRTUAL MAC.....: d85d4c9692a8 (not used for the attack)
DRIVER....................: ath9k_htc
DRIVER VERSION............: 5.14.0-kali4-amd64
DRIVER FIRMWARE VERSION...: 1.4
openSSL version...........: 1.1
ERRORMAX..................: 100 errors
BPF code blocks...........: 0
FILTERLIST ACCESS POINT...: 0 entries
FILTERLIST CLIENT.........: 0 entries
FILTERMODE................: unused
WEAK CANDIDATE............: 12345678
ESSID list................: 0 entries
ACCESS POINT (ROGUE)......: 00234a3b3351 (BROADCAST HIDDEN used for the attack)
ACCESS POINT (ROGUE)......: 00234a3b3352 (BROADCAST OPEN used for the attack)
ACCESS POINT (ROGUE)......: 00234a3b3353 (used for the attack and incremented on every new client)
CLIENT (ROGUE)............: e00db9cbaf20
EAPOLTIMEOUT..............: 20000 usec
EAPOLEAPTIMEOUT...........: 2500000 usec
REPLAYCOUNT...............: 62528
ANONCE....................: fba08a6f31c094c8d8e296bb8b8006d24cf8d875dceb2308bd15fdd96194c1e9
SNONCE....................: 6476e59d74616c1788999305110b6802f2d6688ab5f0b57bea54d089d967e60f
TIME FREQ/CH MAC_DEST MAC_SOURCE ESSID [FRAME TYPE]
14:51:18 2412/1 ffffffffffff 9055de09a558 TEST_09a458 [BEACON]
14:51:18 2412/1 ffffffffffff 50c7bfba53f7 TP-LINK_23F8 [BEACON]
14:51:19 2412/1 ffffffffffff 2c56dc8a0200 V_T [BEACON]
14:51:19 2412/1 ffffffffffff 2059a0b4a130 a0b4s130 [BEACON]
14:51:19 2412/1 b0be760a67c1 f417b87de15a Geza_halo2 [PROBERESPONSE]
14:51:19 2412/1 ffffffffffff f417b87de15a Geza_halo2 [BEACON]
14:51:20 2417/2 ffffffffffff 9055de0929e8 TEST_0979e8 [BEACON]
14:51:20 2417/2 529a920ef8e5 2059a0b4a130 a0b3a130 [PROBERESPONSE]
Note for enable_status:
--enable_status=<digit> : enable real-time display (waterfall)
only incoming traffic
each message is displayed only once at the first occurrence to avoid spamming the real-time display
bitmask:
0: no status (default)
1: EAPOL
2: ASSOCIATION and REASSOCIATION
4: AUTHENTICATION
8: BEACON and PROBERESPONSE
16: ROGUE AP
32: GPS (once a minute)
64: internal status (once a minute)
128: run as server
256: run as client
512: EAP
1024: EAP NAK
characters < 0x20 && > 0x7e are replaced by .
example: show everything but don't run as server or client (1+2+4+8+16 = 31)
show only EAPOL and ASSOCIATION and REASSOCIATION (1+2 = 3)
Status messages
PMKIDROGUE = PMKID requested from ACCESS POINT by hcxdumptool
M1M2ROGUE = M2 requested from CLIENT by hcxdumptool
M1M2 = CHALLENGE MESSAGE PAIR
M2M3 = AUTHORIZED MESSAGE PAIR
M3M4 = AUTHORIZED MESSAGE PAIR
M1M4ZEROED = M4 SNONCE is zeroed and cannot be used to calculate MESSAGE PAIR
M3M4ZEROED = M4 SNONCE is zeroed and cannot be used to calculate MESSAGE PAIR
KDV0 = Key Descriptor Version 0 = Authentication Management Key defined
KDV1 = Key Descriptor Version 1 = WPA1 HMAC-MD5
KDV2 = Key Descriptor Version 2 = WPA2 HMAC-SHA1
KDV3 = Key Descriptor Version 3 = WPA2 AES-128-CMAC
7. When the attack has finished and hcxdumptool has terminated (press Ctrl+C), restart the services
┌──(freeroute㉿Orion-Nebula)-[~/test/hcxdump]
└─$ sudo systemctl start NetworkManager 1 ⨯
8. Restart wpa_supplicant as well
┌──(freeroute㉿Orion-Nebula)-[~/test/hcxdump]
└─$ sudo systemctl start wpa_supplicant
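A wrapper for steps 2 to 8 of the procedure above, added here as an example and not part of the original post or of the hcxdumptool project: it stops the interfering services, runs the driver check and the 30 s rcascan, captures with an --enable_status mask built from the names in the bitmask table, and restores the services on exit even after Ctrl+C. It assumes a systemd host, hcxdumptool 6.2.x in PATH with the option syntax shown on this page, GNU coreutils timeout, and root privileges; hcxwrap.sh is a placeholder name.

```shell
#!/bin/bash
# Added example wrapper (not the hcxdumptool project's code). Assumes systemd,
# hcxdumptool 6.2.x option syntax as on this page, GNU timeout, root.

# Bit values of --enable_status, taken from the help text on this page.
status_bit() {
  case "$1" in
    EAPOL) echo 1 ;;            ASSOCIATION) echo 2 ;;
    AUTHENTICATION) echo 4 ;;   BEACON) echo 8 ;;
    ROGUE) echo 16 ;;           GPS) echo 32 ;;
    INTERNAL) echo 64 ;;        SERVER) echo 128 ;;
    CLIENT) echo 256 ;;         EAP) echo 512 ;;
    EAPNAK) echo 1024 ;;
    *) echo "unknown status name: $1" >&2; return 1 ;;
  esac
}

# OR the bits of the given names: "EAPOL ASSOCIATION AUTHENTICATION BEACON" -> 15
status_mask() {
  local mask=0 bit name
  for name in "$@"; do
    bit=$(status_bit "$name") || return 1
    mask=$((mask | bit))
  done
  echo "$mask"
}

# Bring the services from steps 2 and 7/8 back, whichever way the capture ended.
restore_services() {
  systemctl start NetworkManager.service wpa_supplicant.service
}

run_capture() {
  local iface outfile mask
  iface=${1:?usage: run_capture <interface> [outfile]}
  outfile=${2:-hcxdump_test.pcapng}
  mask=$(status_mask EAPOL ASSOCIATION AUTHENTICATION BEACON) || return 1
  trap restore_services EXIT                      # armed before anything is stopped
  systemctl stop NetworkManager.service wpa_supplicant.service      # step 2
  hcxdumptool -i "$iface" --check_driver || return 1                # step 3
  timeout -s INT 30 hcxdumptool -i "$iface" --do_rcascan            # step 4, exit 124 expected
  hcxdumptool -i "$iface" -o "$outfile" --enable_status="$mask"     # step 6
}

# Only capture when explicitly asked, e.g.: sudo ./hcxwrap.sh run wlan0 test.pcapng
if [ "${1:-}" = "run" ]; then run_capture "$2" "$3"; fi
```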
If hcxdumptool is not able to set monitor mode, for example on this driver:
GitHub - aircrack-ng/rtl8188eus: RealTek RTL8188eus WiFi driver with monitor mode & frame injection support
run ip link and iw first, then run hcxdumptool:
$ sudo ip link set wlan0 down
$ sudo iw dev wlan0 set type monitor
$ sudo ip link set wlan0 up
$ sudo iw dev wlan0 info
Most (nearly all) occurring issues are related to the driver (driver doesn't support monitor mode and
full packet injection) and the system configuration (running services that take access to the interface).
The driver of the device must support both: monitor mode and full packet injection!
Otherwise hcxdumptool will fail!
Some of the issues are fixed:
bugzilla.kernel.org: 202241 – AMD RYZEN: IO_PAGE_FAULT when loading mt76x0u driver
Some of them are partly fixed (or somebody is working on them):
github.com: Injection not working in monitor mode · Issue #376 · aircrack-ng/rtl8812au
Some of them are not fixed, yet:
Unfortunately many, many drivers do not support monitor mode and full packet injection. Get more information here:
Github: https://github.com/ZerBea/hcxdumptool
Official wiki: https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Old (outdated) post: https://forum.hashkiller.io/index.php?threads/ap-less-attack-with-hcxtools.21036/page-4#post-237597