
hcxdumptool's Introduction

hcxdumptool

A tool to capture packets from WLAN devices and to discover potential weak points within your own WiFi networks by running layer 2 attacks against the WPA protocol.

Designed to run (mostly headless) on small systems like a Raspberry Pi Zero.

General Information

  • An overview of Hashcat mode 22000. - Hashcat Wiki

  • A set of tools by ZerBea intended for processing capture files. - hcxtools Repository

  • Old but still applicable write-up by atom of the Hashcat forums covering a new attack on WPA/WPA2 using PMKID. - Hashcat Forum Thread

  • Hashcat mode 22000 write-up by atom of the Hashcat forums. - Hashcat Forum Thread

  • A write-up by Ido Hoorvitch from CyberArk covering the statistics of WPA/WPA2 password cracking. - CyberArk Article

  • A section of this README that covers hcxdumptool's abilities and the responsibilities of using it. - Warning!

What Doesn't hcxdumptool Do?

  • It does not crack WPA PSK related hashes. (Use Hashcat or JtR to recover the PSK.)

  • It does not crack WEP. (Use the aircrack-ng suite instead.)

  • It does not crack WPS. (Use Reaver or Bully instead.)

  • It does not decrypt encrypted traffic. (Use tshark or Wireshark in parallel.)

  • It does not record all traffic captured on the WLAN device. (Use tshark or Wireshark in parallel.)

  • It does not perform Evil Twin attacks.

  • It does not provide a beautiful status display.

  • It is not a honey pot.

Unsupported: Windows OS, macOS, Android, emulators or wrappers!

Detailed Description

Tool            Description
hcxdumptool     Tool to run several tests against WPA PSK to determine if ACCESS POINTs or CLIENTs are vulnerable.
hcxpcapngtool   Tool to convert raw PCAPNG files to Hashcat and JtR readable formats. (hcxtools)
hcxhashtool     Tool to filter hashes from HC22000 files based on user input. (hcxtools)
hcxpsktool      Tool to get weak PSK candidates from HC22000 files. (hcxtools)
hcxeiutool      Tool to calculate wordlists based off ESSIDs gathered. (hcxtools)
Hashcat/JtR     Third party tools used to infer PSK from HC22000 hash files.

Work Flow

hcxdumptool -> hcxpcapngtool -> hcxhashtool (additional hcxpsktool/hcxeiutool) -> Hashcat or JtR

Requirements

  • Knowledge of radio technology.
  • Knowledge of electromagnetic-wave engineering.
  • Detailed knowledge of 802.11 protocol.
  • Detailed knowledge of key derivation functions.
  • Detailed knowledge of Linux.
  • Detailed knowledge of filter procedures. (Berkeley Packet Filter, capture filter, display filter, etc.)
  • Operating system: Linux (recommended: kernel >= 6.6, mandatory: kernel >= 5.15)
  • Recommended: Arch Linux (notebooks and desktop systems), OpenWRT (small systems like Raspberry Pi, WiFi router)
  • WLAN device chipset must be able to run in monitor mode. MediaTek chipsets are preferred due to active monitor mode capabilities.
  • WLAN device driver must support monitor and full frame injection mode.
  • gcc >= 13 recommended (deprecated versions are not supported: https://gcc.gnu.org/)
  • make
  • libpcap and libpcap-dev (If internal BPF compiler has been enabled.)
  • Raspberry Pi A, B, A+, B+, Zero (WH) (recommended: Zero (WH) or A+ because of their very low power consumption). Notebooks and desktops will work as well.
  • GPIO hardware mod recommended (push button and LED) on Raspberry Pi
  • To allow 5/6/7GHz packet injection, it is mandatory to uncomment a regulatory domain that supports this: /etc/conf.d/wireless-regdom

Install Guide

On most distributions, hcxdumptool and hcxtools are available through the package manager.

If you decide to compile the latest git head, make sure that your distribution is updated to its latest version and that all header files and dependencies have been installed!

Notice: The packages mentioned in the "Requirements" section sometimes come under different names in a package manager! Make sure to install the correct packages!

Clone Repository

git clone https://github.com/ZerBea/hcxdumptool.git
cd hcxdumptool

Compile & Install

make -j $(nproc)

Install to /usr/bin:

make install (as super user)

Or install to /usr/local/bin:

make install PREFIX=/usr/local (as super user)

For headless operation, remove -DSTATUSOUT from the Makefile before compiling! That way, the status display will not be compiled. This will save CPU cycles and prevent ERRORs from occurring.

It is theoretically possible to compile hcxdumptool for other systems (e.g. Android) and other distributions (e.g. KALI) and other operating systems (BSD) as well, but there is no support and feature requests will be rejected.

Adapters

  • Do not expect flawless drivers on brand new hardware!

  • Driver must support monitor mode and full packet injection!

  • No support for prism devices!

  • WIRELESS EXTENSIONS are deprecated and no longer supported!

Get information about VENDOR, model, chipset, and driver here: https://wikidevi.wi-cat.ru/

Manufacturers do change chipsets without changing model numbers. Sometimes they add a (v)ersion or (rev)ision.

Preferred chipsets come from MediaTek due to active monitor mode being very reliable. (Important notice: Massive problems with MT76 USB 3.0 devices if connected to some USB 3.0 ports!)

Some device and driver tests are here: #361

Always verify the actual chipset with 'lsusb' and/or 'lspci'!

No support for a third party driver which is not part of the official Linux kernel (https://www.kernel.org/). Report related issues to the site from which you downloaded the driver.

No support for a driver which doesn't support monitor mode and full frame injection natively. If you need these features, file a request at www.kernel.org

Recommended WiFi chipsets:

  • MediaTek (mt76)

  • Realtek (rtl8xxxu)

  • Ralink (rt2800usb)

Not recommended WiFi chipsets:

  • Broadcom (Neither monitor mode nor frame injection by official Linux kernel.)

  • Qualcomm (No frame injection by official Linux kernel.)

  • Intel (Monitor mode and frame injection problems.)

More information about possible issues or limitations:

https://bugzilla.kernel.org

https://wireless.wiki.kernel.org/en/users/Drivers/ath10k

morrownr/USB-WiFi#314

Antennas

The best high frequency amplifier is a good antenna!

It is much better to achieve gain using a good antenna instead of increasing transmission power.

VENDOR     MODEL            TYPE
LOGILINK   WL0097           Grid Parabolic
TP-LINK    TL-ANT2414 A/B   Panel
LevelOne   WAN-1112         Panel
DELOCK     88806            Panel
TP-LINK    TL-ANT2409 A     Panel

GPS devices (NMEA 0183 protocol)

VENDOR     MODEL                  TYPE
NAVILOCK   NL-701US               USB
JENTRO     BT-GPS-8 activepilot   BLUETOOTH

Useful Scripts

Script       Description
stopnm       Example script to start NetworkManager
startnm      Example script to stop NetworkManager
startnlmon   Example script to activate NETLINK monitor

Hardware Mod - See Docs gpiowait.png (hcxdumptool)

When using this hardware modification, the LED will flash every 10 seconds if everything is fine and signals are received correctly.

To terminate manually, press the push button for at least 10 seconds until LED turns on. (The LED will also turn on if hcxdumptool terminates.)

Afterwards, the Raspberry Pi can be turned off and disconnected from its power supply.

PCAPNG Option Codes (Section Header Block)

ENTERPRISE NUMBER: 0x2a, 0xce, 0x46, 0xa1

MAGIC NUMBER: 0x2a, 0xce, 0x46, 0xa1, 0x79, 0xa0, 0x72, 0x33, 0x83, 0x37, 0x27, 0xab, 0x59, 0x33, 0xb3, 0x62, 0x45, 0x37, 0x11, 0x47, 0xa7, 0xcf, 0x32, 0x7f, 0x8d, 0x69, 0x80, 0xc0, 0x89, 0x5e, 0x5e, 0x98

OPTIONCODE_MACMYORIG: 0xf29a (6 byte)

OPTIONCODE_MACMYAP: 0xf29b (6 byte)

OPTIONCODE_RC: 0xf29c (8 byte)

OPTIONCODE_ANONCE: 0xf29d (32 byte)

OPTIONCODE_MACMYSTA: 0xf29e (6 byte)

OPTIONCODE_SNONCE: 0xf29f (32 byte)

OPTIONCODE_WEAKCANDIDATE: 0xf2a0 (64 byte) == 63 characters + zero

OPTIONCODE_GPS: 0xf2a1 (max 128 byte)
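
The option codes above can be read back and length-checked with a small TLV walker. This is an added example, not code from hcxdumptool or hcxtools. It assumes that the custom option value starts with the 4-byte enterprise number and the 32-byte magic number, followed by little-endian pcapng-style options (16-bit code, 16-bit length, value padded to 4 bytes); the names (hcx_parse_custom, hcx_info, ...) and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* MAGIC NUMBER from the page; its first four bytes are the ENTERPRISE NUMBER. */
static const uint8_t HCX_MAGIC[32] = {
    0x2a, 0xce, 0x46, 0xa1, 0x79, 0xa0, 0x72, 0x33, 0x83, 0x37, 0x27, 0xab,
    0x59, 0x33, 0xb3, 0x62, 0x45, 0x37, 0x11, 0x47, 0xa7, 0xcf, 0x32, 0x7f,
    0x8d, 0x69, 0x80, 0xc0, 0x89, 0x5e, 0x5e, 0x98 };

/* Option codes from the page: 0xf29a .. 0xf2a1. */
enum { OPT_MACMYORIG = 0xf29a, OPT_MACMYAP, OPT_RC, OPT_ANONCE,
       OPT_MACMYSTA, OPT_SNONCE, OPT_WEAKCANDIDATE, OPT_GPS };

struct hcx_info {
    uint8_t  mac_orig[6], mac_ap[6], mac_sta[6];
    uint8_t  rc[8];              /* raw bytes; byte order is not stated on the page */
    uint8_t  anonce[32], snonce[32];
    char     weak[64];           /* 63 characters + terminating zero */
    uint8_t  gps[128];
    size_t   gps_len;
    unsigned seen;               /* bit n set when option 0xf29a + n was found */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Copy a fixed-size option; any other length is rejected. */
static int take(void *dst, size_t want, const uint8_t *v, size_t got)
{
    if (got != want) return -1;
    memcpy(dst, v, want);
    return 0;
}

/* Returns 0 on success, -1 bad magic, -2 truncated option, -3 length not as in the table. */
int hcx_parse_custom(const uint8_t *val, size_t len, struct hcx_info *out)
{
    size_t off = 36;                                  /* assumed: 4-byte PEN + 32-byte magic */
    memset(out, 0, sizeof *out);
    if (len < 36 || memcmp(val, HCX_MAGIC, 4) != 0 || memcmp(val + 4, HCX_MAGIC, 32) != 0)
        return -1;
    while (len - off >= 4) {
        uint16_t code = rd16le(val + off), olen = rd16le(val + off + 2);
        size_t padded = ((size_t)olen + 3u) & ~(size_t)3u;
        const uint8_t *v = val + off + 4;
        int bad = 0;
        off += 4;
        if (code == 0) break;                         /* end-of-options marker */
        if (padded > len - off) return -2;            /* value would run past the buffer */
        switch (code) {
        case OPT_MACMYORIG: bad = take(out->mac_orig, 6, v, olen); break;
        case OPT_MACMYAP:   bad = take(out->mac_ap, 6, v, olen); break;
        case OPT_RC:        bad = take(out->rc, 8, v, olen); break;
        case OPT_ANONCE:    bad = take(out->anonce, 32, v, olen); break;
        case OPT_MACMYSTA:  bad = take(out->mac_sta, 6, v, olen); break;
        case OPT_SNONCE:    bad = take(out->snonce, 32, v, olen); break;
        case OPT_WEAKCANDIDATE:
            bad = take(out->weak, 64, v, olen);
            if (!bad && out->weak[63] != '\0') bad = -1;   /* must be zero-terminated */
            break;
        case OPT_GPS:
            if (olen > 128) bad = -1;
            else { memcpy(out->gps, v, olen); out->gps_len = olen; }
            break;
        default:
            off += padded;                            /* unknown option: skip it */
            continue;
        }
        if (bad) return -3;
        out->seen |= 1u << (code - OPT_MACMYORIG);
        off += padded;
    }
    return 0;
}

static size_t put_opt(uint8_t *b, size_t off, uint16_t code, const void *v, uint16_t n)
{
    b[off] = (uint8_t)code;  b[off + 1] = (uint8_t)(code >> 8);
    b[off + 2] = (uint8_t)n; b[off + 3] = (uint8_t)(n >> 8);
    if (n) memcpy(b + off + 4, v, n);
    return off + 4 + (((size_t)n + 3u) & ~(size_t)3u);
}

/* Constructed sample (not from a real capture); b must hold at least 160 bytes. */
size_t hcx_build_sample(uint8_t *b)
{
    static const uint8_t ap[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
    uint8_t anonce[32];
    char weak[64] = "constructed-candidate";
    size_t off = 36;
    memset(b, 0, 160);
    memset(anonce, 0x11, sizeof anonce);
    memcpy(b, HCX_MAGIC, 4);
    memcpy(b + 4, HCX_MAGIC, 32);
    off = put_opt(b, off, OPT_MACMYAP, ap, 6);
    off = put_opt(b, off, OPT_ANONCE, anonce, 32);
    off = put_opt(b, off, OPT_WEAKCANDIDATE, weak, 64);
    return put_opt(b, off, 0, NULL, 0);
}

int main(void)
{
    uint8_t buf[160];
    struct hcx_info info;
    int rc = hcx_parse_custom(buf, hcx_build_sample(buf), &info);
    printf("rc=%d seen=0x%02x weak=%s\n", rc, info.seen, info.weak);
    return rc != 0;
}
```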

Warning!

You might expect me to recommend that everyone should be using hcxdumptool/hcxtools. But the fact of the matter is, hcxdumptool/hcxtools is NOT recommended to be used by inexperienced users or newbies.

If you are not familiar with Linux in general or you do not have at least a basic level of knowledge as mentioned in the "Requirements" section, hcxdumptool/hcxtools is probably not what you are looking for. However, if you have that knowledge hcxdumptool/hcxtools can do magic for you.

Misuse of hcxdumptool within a network, particularly without authorization, may cause irreparable damage and result in significant consequences. “Not understanding what you were doing” is not going to work as an excuse.

The entire toolkit (hcxdumptool and hcxtools) is designed to be an analysis toolkit.

It should only be used in a 100% controlled environment!

If you can't control the environment it is absolutely mandatory to set the BPF!

Everything is requested/stored by default and unwanted information must be filtered out by option/filter actively or offline.

Use hcxdumptool only on networks you have permission to test, and only if you know what you are doing, because:

  • hcxdumptool is able to prevent complete WLAN traffic transmission. (Depending on selected options.)

  • hcxdumptool is able to capture PMKIDs from access points. (Only one single PMKID from an access point is required. Use hcxpcapngtool to convert them to a format Hashcat or JtR understands.)

  • hcxdumptool is able to capture handshakes from non-connected clients. (Only one single M2 from the client is required. Use hcxpcapngtool to convert them to a format Hashcat or JtR understands.)

  • hcxdumptool is able to capture handshakes from 5/6GHz clients on 2.4GHz. (Only one single M2 from the client is required. Use hcxpcapngtool to convert them to a format Hashcat or JtR understands.)

  • hcxdumptool is able to capture passwords from the WLAN traffic. (Use hcxpcapngtool -R to save them to file, or together with networknames [-E].)

  • hcxdumptool is able to request and capture extended EAPOL (RADIUS, GSM-SIM, WPS. hcxpcapngtool will show you information about them.)

  • hcxdumptool is able to capture identities from the WLAN traffic. (Example: Request IMSI numbers from mobile phones - use hcxpcapngtool -I to save them to file.)

  • hcxdumptool is able to capture usernames from the WLAN traffic. (Example: User name of a server authentication - use hcxpcapngtool -U to save them to file.)

  • Do not use a logical interface and leave the physical interface in managed mode!

  • Do not use hcxdumptool in combination with the aircrack-ng suite, Reaver, Bully or other tools which take access to the interface!

  • Stop all services which take access to the physical interface! (NetworkManager, wpa_supplicant,...)

  • Do not use tools like macchanger as they are useless since hcxdumptool uses its own random MAC address space.

  • Do not merge PCAPNG dumpfiles because that will destroy custom block hash assignments!

  • Capture format PCAPNG is compatible with Wireshark and tshark.


hcxdumptool's Issues

Please put that in the Documentation.

Compiling the tools does require some packages to be installed (debian/ubuntu/kali...)

If you received these errors, this is what you should do.

hcxpcaptool.c:16:10: fatal error: openssl/sha.h: No such file or directory
#include <openssl/sha.h>

You need to install libssl-dev (sudo apt install libssl-dev)

In file included from hcxpcaptool.c:35:
include/gzops.c:1:10: fatal error: zlib.h: No such file or directory
#include <zlib.h>

You need to install zlib1g-dev (sudo apt install zlib1g-dev)

wlanhcx2cap.c:12:10: fatal error: pcap.h: No such file or directory
#include <pcap.h>

You need to install libpcap0.8-dev (sudo apt-get install libpcap0.8-dev)

wlanhcx2cap.c:19:10: fatal error: curl/curl.h: No such file or directory
#include <curl/curl.h>

You need to install libcurl4-openssl-dev (apt install libcurl4-openssl-dev)

summary
sudo apt install libcurl4-openssl-dev libpcap0.8-dev zlib1g-dev libssl-dev

failed to read packet: Network is down

I'm trying to capture using an Intel Wireless-AC 9260 (iwlwifi kmod)

06:00.0 Network controller: Intel Corporation Wireless-AC 9260 (rev 29)

and run into the following issue, without the tool finding anything usable.

$ sudo ./hcxdumptool/hcxdumptool -o test.pcapng -i wlp6s0 --enable_status 

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp6s0
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc23399c311 (client)
MAC ACCESS POINT.........: 11111141b95a (start NIC)
EAPOL TIMEOUT............: 1000000
DEAUTHENTICATIONINTERVALL: 20 beacons
GIVE UP DEAUTHENTICATIONS: 10 tries
REPLAYCOUNTER............: 61654
ANONCE...................: 43d3a6696159fbcca67531e333d7946b0e8c9a914ce90137613211cea69d43e9

INFO: cha=13, rx=0, rx(dropped)=0, tx=7, powned=0, err=0
failed to read packet: Network is down
INFO: cha=9, rx=0, rx(dropped)=0, tx=70, powned=0, err=1
failed to read packet: Network is down
INFO: cha=5, rx=0, rx(dropped)=0, tx=133, powned=0, err=2
failed to read packet: Network is down
INFO: cha=1, rx=0, rx(dropped)=0, tx=196, powned=0, err=3 
failed to read packet: Network is down
INFO: cha=10, rx=0, rx(dropped)=0, tx=259, powned=0, err=4
failed to read packet: Network is down
INFO: cha=6, rx=0, rx(dropped)=0, tx=322, powned=0, err=5
failed to read packet: Network is down
INFO: cha=2, rx=0, rx(dropped)=0, tx=385, powned=0, err=6 
failed to read packet: Network is down
INFO: cha=11, rx=0, rx(dropped)=0, tx=448, powned=0, err=7
failed to read packet: Network is down
INFO: cha=7, rx=0, rx(dropped)=0, tx=511, powned=0, err=8
failed to read packet: Network is down
INFO: cha=3, rx=0, rx(dropped)=0, tx=574, powned=0, err=9
failed to read packet: Network is down
INFO: cha=12, rx=0, rx(dropped)=0, tx=637, powned=0, err=10
failed to read packet: Network is down
INFO: cha=8, rx=0, rx(dropped)=0, tx=700, powned=0, err=11
failed to read packet: Network is down
INFO: cha=4, rx=0, rx(dropped)=0, tx=763, powned=0, err=12
failed to read packet: Network is down
INFO: cha=13, rx=0, rx(dropped)=0, tx=826, powned=0, err=13
failed to read packet: Network is down
INFO: cha=9, rx=0, rx(dropped)=0, tx=889, powned=0, err=14
failed to read packet: Network is down
INFO: cha=5, rx=0, rx(dropped)=0, tx=913, powned=0, err=15
[...]

I put the device into monitor mode beforehand:

$ iw dev
phy#0
	Unnamed/non-netdev interface
		wdev 0x4
		addr 30:24:32:**:**:**
		type P2P-device
		txpower 0.00 dBm
	Interface wlp6s0
		ifindex 2
		wdev 0x1
		addr 7e:0b:f7:**:**:**
		type monitor
		txpower 22.00 dBm

And made sure that the admin state is up.

2: wlp6s0: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state DORMANT group default qlen 1000
    link/ieee802.11/radiotap 7e:0b:f7:**:**:** brd ff:ff:ff:ff:ff:ff

What could be the issue?

respect common system variables

I know this is not a top priority but I need it before I can port the tool for Pentoo.

There are two important variables (at least) PREFIX and DESTDIR.
Could you please update the Makefile?

Edit: I have also fixed typo in the LDFLAGS

improvement to Debian package

Hi,
I'm packaging hcxdumptool to Debian.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924592

First of all, I like the hcx* tools! And I use them with wifite for pentests.

Some things could be done to improve compliance with Debian policies and make hcxdumptool even better.

The following is what Debian Lintian says about it.

P: hcxdumptool source: source-contains-empty-directory include/android-ifaddrs/

Having an empty directory in itself does not cause problems but ...
Keeping the empty directory in the source package can prevent others from contributing to the package when using tools like git-buildpackage. In this workflow the empty directory would be lost. Potentially causing errors if the installed binary package or its tests subsequently rely upon them.

I: hcxdumptool source: testsuite-autopkgtest-missing
Having a test suite aids with automated quality assurance of the archive outside of your package.

X: hcxdumptool source: debian-watch-does-not-check-gpg-signature

Of course, not all upstreams provide such signatures but you could
request them as a way of verifying that no third party has modified the
code after its release (projects such as phpmyadmin, unrealircd, and
proftpd have suffered from this kind of attack).

I found some typos:
02.fix.spellerros.txt

Thanks a lot.
Regards.
kretcheu

Trouble Installing

I'm quite new to Linux so it may be a simple fix but I just can't figure this out.

camer@user:~/hcxdumptool$ make
cc -O3 -Wall -Wextra -std=gnu99 -o hcxdumptool hcxdumptool.c -lpthread
/usr/bin/ld: cannot open output file hcxdumptool: Is a directory
collect2: error: ld returned 1 exit status
Makefile:29: recipe for target 'build' failed
make: *** [build] Error 1

Wireless Network Adapter Support Question

Atheros AR9271
Ralink MT7601U
Ralink RT2501
Ralink RT2573
Ralink RT2870
Ralink RT3070
Ralink RT3572
Ralink RT5370
Ralink RT5370N
Realtek RTL8187
Realtek RTL8187L
Realtek RTL8187B
Realtek RTL8812AU

Are all of these chipsets supported by hcxdumptool?
If not, which of these are supported?

And which one do you suggest to use?

Thanks!

(If there are some grammar mistakes, I apologize......)

about killing wpa_supplicant

When I ran this command:
sudo hcxdumptool -i wlan1 -o test.pcapng --enable_status=1 -c 6

I got this message:
initialization...
warning: wpa_supplicant is running with pid 349 333
interface may not be operational
failed to init socket
hcxdumptool need full (monitor mode and full packet injection running all packet types) and exclusive access to the adapter
that is not the case

Therefore, I killed 349 333,
but the ssh connection got killed and I can't connect to the server using the ssh command.

I have two wifi interfaces.
wlan0 for ssh connection

wlan1 for attacking.

How can I keep the connection and use wlan1 to attack?

hcxdumptool not filter right mac address

Here's what my capture looks like. The first two captures are from my router, the second two are not. Is this normal? Anyway, when I turn the PMKID into a hash and try to crack it, hashcat gives me the password from the wrong access point.
hcxdumptool -o hashingit -i wlan0 --filterlist=tvfp2filer.txt --filtermode=2 --enable_status=1

The MAC address that is supposed to be filtered is: 009fa9073914
The filter seems to work for a short period, then it starts grabbing from all access points in the area.
I still haven't been able to capture a PMKID from 009fa9073914.

The PMKID captured belongs to 2c56dc54e238, using an awus036nha. I have an awus036nh on the way to my house for testing.
capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
FILTERLIST...............: 1 entries
MAC CLIENT...............: fcc233dadfba
MAC ACCESS POINT.........: b025aa99a8f8 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63156
ANONCE...................: 1f963f900448da8c1182e40ba288928877f40543759cd5e6425deb3548407868
[16:26:17 - 001] 009fa9073914 -> 5c93a20b3897 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 2516]
[16:40:15 - 001] 009fa9073914 -> ccfb65942f7e [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 2651]
[17:19:39 - 001] b44bd20fd6ba -> 5c8fe0bf2984 [EAPOL 4/4 - M4 RETRY ATTACK]
[17:39:53 - 011] 2c56dc54e238 -> 5ccf7f48a404 [FOUND PMKID]
INFO: cha=11, rx=145350, rx(dropped)=3145, tx=2453, powned=3, err=0^C
terminated...

The filter is working somewhat at least, because I tried without the filter and got slammed with tons more.

installation problem

what's the problem?...

$ make
cc -O3 -Wall -Wextra -std=gnu99  -o hcxdumptool hcxdumptool.c
hcxdumptool.c:23:10: fatal error: 'include/android-ifaddrs/ifaddrs.h' file not found
#include "include/android-ifaddrs/ifaddrs.h"
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
make: *** [Makefile:29: build] Error 1
$ sudo make install
cc -O3 -Wall -Wextra -std=gnu99  -o hcxdumptool hcxdumptool.c
hcxdumptool.c:23:10: fatal error: 'include/android-ifaddrs/ifaddrs.h' file not found
#include "include/android-ifaddrs/ifaddrs.h"
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
make: *** [Makefile:29: build] Error 1

Issues installing HCXDUMPtools and hcxtools.

Hi all. I keep getting errors while installing hcxdumptool, hcxtools and hashcat.

The error I am getting for hcxdumptool is as below:

cc -O3 -Wall -Wextra -std=gnu99 -o hcxdumptool hcxdumptool.c
/usr/bin/ld: cannot open output file hcxdumptool: Is a directory
collect2: error: ld returned 1 exit status
make: *** [Makefile:29: build] Error 1

Can someone please specify, step by step, how to install the above tools?

thank you

No results

Hi there,

./hcxdumptool -i wlo1 --enable_status -c 11 -o test.pcapng

start capturing (stop with ctrl+c)
INTERFACE:...............: wlo1
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc23336aea3 (client)
MAC ACCESS POINT.........: 5c6b4f05fcf3 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 64221
ANONCE...................: 143c3b909c823a0bb81c45274616f0135532e35013d178698562a0d0fc75d712

Beyond this I receive no further results. Even if I don't specify what channel or try bitmasking, still no results come through.

If I try a specific enable status I get this:

./hcxdumptool -i wlo1 --enable_status=1 -c 11 -o test.pcapng

start capturing (stop with ctrl+c)
INTERFACE:...............: wlo1
FILTERLIST...............: 0 entries
MAC CLIENT...............: f0a2255ed74c (client)
MAC ACCESS POINT.........: 000101485130 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63472
ANONCE...................: 9d1fdf0518bd421217bce5866614ac2b334e5f581682c08a31b10ababf8fdfdd

INFO: cha=11, rx=10, rx(dropped)=10, tx=1, powned=0, err=0^C

(nothing else).

Start NIC??

Can anyone tell me why at MAC ACCESS POINT I am seeing "(incremented on every new client)" instead of "(start NIC)" ?? Is this why I am not receiving any PMKID's? Or is it even an issue that it's different? It runs fine, no errors, I'm just not getting any pmkid's, after it running for the guts of an hour.

nexmon support

Why can't I use nexmon patched firmware to dump?

nexmon: https://github.com/seemoo-lab/nexmon

 ⚡ root@samsung-jflte  ~  ip link set wlan0 down ; ip link set wlan0 up ; ./nexutil -m2 -d
 ⚡ root@samsung-jflte  ~  export LD_PRELOAD="./libfakeioctl.so"                                         
 ⚡ root@samsung-jflte  ~  strace -o strace.log ./hcxdumptool -i wlan0 -o hcx_fun          
initialization...
__nex_driver_io: error
failed to set monitor mode: No such device
failed to init socket
__nex_driver_io: error
 ✘ ⚡ root@samsung-jflte  ~  cat strace.log 
execve("./hcxdumptool", ["./hcxdumptool", "-i", "wlan0", "-o", "hcx_fun"], 0xbe849cd8 /* 25 vars */) = 0
set_tls(0xb6f78588)                     = 0
set_tid_address(0xb6f7852c)             = 4992
open("./libfakeioctl.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=13336, ...}) = 0
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\234\7\0\0004\0\0\0"..., 936) = 936
mmap2(NULL, 77824, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb6ee3000
mmap2(0xb6ef4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0xb6ef4000
close(3)                                = 0
mprotect(0xb6ef4000, 4096, PROT_READ)   = 0
mprotect(0xb6f9b000, 4096, PROT_READ)   = 0
getuid32()                              = 0
ioctl(1, TIOCGWINSZ, {ws_row=62, ws_col=271, ws_xpixel=0, ws_ypixel=0}) = 0
writev(1, [{iov_base="initialization...", iov_len=17}, {iov_base="\n", iov_len=1}], 2) = 18
pipe2([3, 4], O_CLOEXEC)                = 0
pipe2([5, 6], O_CLOEXEC)                = 0
rt_sigprocmask(SIG_BLOCK, ~[], [], 8)   = 0
clone(child_stack=0xbefd2af0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 4993
close(6)                                = 0
read(5, "", 4)                          = 0
close(5)                                = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
fcntl64(3, F_SETFD, 0)                  = 0
close(4)                                = 0
read(3, "", 1024)                       = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4993, si_uid=0, si_status=0, si_utime=0, si_stime=4} ---
close(3)                                = 0
wait4(4993, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4993
pipe2([3, 4], O_CLOEXEC)                = 0
pipe2([5, 6], O_CLOEXEC)                = 0
rt_sigprocmask(SIG_BLOCK, ~[], [], 8)   = 0
clone(child_stack=0xbefd2af0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 4994
close(6)                                = 0
read(5, "", 4)                          = 0
close(5)                                = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
fcntl64(3, F_SETFD, 0)                  = 0
close(4)                                = 0
read(3, "", 1024)                       = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4994, si_uid=0, si_status=0, si_utime=0, si_stime=3} ---
close(3)                                = 0
wait4(4994, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4994
socket(AF_PACKET, SOCK_RAW, 768)        = 3
ioctl(3, SIOCGIFFLAGS, {ifr_name="wlan0", ifr_flags=IFF_UP|IFF_BROADCAST|IFF_RUNNING|IFF_MULTICAST}) = 0
ioctl(3, SIOCGIWMODE, 0xb6fa01ec)       = 0
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
ioctl(4, SIOCDEVPRIVATE, 0xb6f76110)    = 0
close(4)                                = 0
ioctl(3, SIOCSIFFLAGS, {ifr_name="wlan0", ifr_flags=0}) = 0
ioctl(3, SIOCSIWMODE, 0xb6fa0e04)       = -1 EOPNOTSUPP (Not supported)
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
ioctl(4, SIOCDEVPRIVATE, 0xb6f76110)    = -1 ENODEV (No such device)
writev(1, [{iov_base="__nex_driver_io", iov_len=15}, {iov_base=": error\n", iov_len=8}], 2) = 23
close(4)                                = 0
writev(2, [{iov_base="", iov_len=0}, {iov_base="failed to set monitor mode", iov_len=26}], 2) = 26
writev(2, [{iov_base="", iov_len=0}, {iov_base=":", iov_len=1}], 2) = 1
writev(2, [{iov_base="", iov_len=0}, {iov_base=" ", iov_len=1}], 2) = 1
writev(2, [{iov_base="", iov_len=0}, {iov_base="No such device", iov_len=14}], 2) = 14
writev(2, [{iov_base="", iov_len=0}, {iov_base="\n", iov_len=1}], 2) = 1
writev(2, [{iov_base="", iov_len=0}, {iov_base="failed to init socket\n", iov_len=22}], 2) = 22
ioctl(3, SIOCSIFFLAGS, {ifr_name="wlan0", ifr_flags=0}) = 0
ioctl(3, SIOCSIWMODE, 0xb6fa01ec)       = -1 EOPNOTSUPP (Not supported)
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
ioctl(4, SIOCDEVPRIVATE, 0xb6f76110)    = -1 ENODEV (No such device)
writev(1, [{iov_base="__nex_driver_io", iov_len=15}, {iov_base=": error\n", iov_len=8}], 2) = 23
close(4)                                = 0
ioctl(3, SIOCSIFFLAGS, {ifr_name="wlan0", ifr_flags=IFF_UP|IFF_BROADCAST|IFF_RUNNING|IFF_MULTICAST}) = 0
close(3)                                = 0
exit_group(1)                           = ?
+++ exited with 1 +++

unable to use --filterlist

hello,

I try to use hcxdumptool through the following cmd 👍

hcxdumptool - o hash -i wlan0mon --filterlist=list.txt --filtermode=2 --enable_status

I get the following error 👍

hcxdumptool: option '--enable_status' require an argument
invalid argument specified.

Any idea about the argument waited by hcxdumptool?

thanks for help.

Error compiling: too many arguments for format

I tried running make today and ran up against:

cc -O3 -Wall -Wextra -std=gnu99  -o hcxdumptool hcxdumptool.c -lpthread 
hcxdumptool.c: In function ‘process80211probe_resp’:
hcxdumptool.c:1842:18: warning: too many arguments for format [-Wformat-extra-args]
  fprintf(stdout, " [PROBERESPONSE, SEQUENCE %d, AP CHANNEL %d]\n", c, macfrx->sequence >> 4, apchannel);
                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It looks like that line was touched today in 3c486c8. Is it possible that commit added a regression?

big endian problem

It does not recognize frames on big endian systems. Also accesses memory outside of the buffer (because length is not 0x30 but 0x3000)
Fixed it by changing
rth->it_len to le16toh(rth->it_len);
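
The fix described in this issue, as an added example that is not part of the original report or of hcxdumptool's source: radiotap fields are little-endian on the wire, so it_len is decoded byte by byte (the effect of le16toh) and checked against the captured length before it is used as an offset. The function names and the sample frame are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of a radiotap header: version(1) + pad(1) + it_len(2) + it_present(4). */
#define RTH_MIN_LEN 8u

/* What a big-endian host gets when it reads it_len without conversion. */
uint16_t rth_len_unconverted_be(const uint8_t *f)
{
    return (uint16_t)((f[2] << 8) | f[3]);
}

/* it_len decoded as little-endian, independent of the host byte order. */
uint16_t rth_len_le(const uint8_t *f)
{
    return (uint16_t)(f[2] | (f[3] << 8));
}

/*
 * Offset of the 802.11 frame behind the radiotap header, or -1 when the
 * header is malformed or it_len points outside the captured bytes.
 */
long rth_payload_offset(const uint8_t *f, size_t caplen, uint16_t it_len)
{
    if (caplen < RTH_MIN_LEN || f[0] != 0)           /* too short or unknown version */
        return -1;
    if (it_len < RTH_MIN_LEN || it_len > caplen)     /* header cannot fit the capture */
        return -1;
    return (long)it_len;
}

/* Constructed sample: 0x30-byte radiotap header followed by 10 bytes of frame data. */
size_t rth_build_sample(uint8_t *f)
{
    memset(f, 0, 58);
    f[2] = 0x30;            /* it_len low byte  */
    f[3] = 0x00;            /* it_len high byte */
    f[48] = 0x80;           /* first byte of the 802.11 frame */
    return 58;
}

int main(void)
{
    uint8_t frame[64];
    size_t caplen = rth_build_sample(frame);
    uint16_t good = rth_len_le(frame);
    uint16_t bad = rth_len_unconverted_be(frame);

    printf("converted:   it_len=0x%04x offset=%ld\n",
           good, rth_payload_offset(frame, caplen, good));
    printf("unconverted: it_len=0x%04x offset=%ld\n",
           bad, rth_payload_offset(frame, caplen, bad));
    return 0;
}
```

The length check matters independently of the byte-order fix: it also rejects a capture whose it_len field is simply wrong.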

Cant install tool

I downloaded the tool and tried make but I get this: make: Nothing to be done for `all'.

initialization hanging with rtl8192eu

Hi. I bought another adapter with chipset rtl8192eu. I installed mange's driver and am able to use airodump. It works ok to capture packages. But it hangs when I use hcxdumptools.

# lsusb
Bus 001 Device 002: ID 2357:0108 TP-Link TL-WN822N Version 4 RTL8192EU
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
# ip link set wlan0 down
# iw dev wlan0 set type monitor
# ip link set wlan0 up
# iw dev
phy#0
	Interface wlan0
		ifindex 3
		wdev 0x1
		addr 50:3e:aa:48:0b:48
		type monitor
		txpower 12.00 dBm

gpsd data invalid

How do you process gpsd data?
I have a problem where if I run hcxdumptool at a location where no fix is available, then even if I get to a location where GPS acquires a fix, the coordinates comment will stay on value 0 for all packets captured after the GPS acquired the fix.

The same is valid the other way around: if you start with GPS fixed and then lose the fix, all packets will continue to use the last fixed coordinate even if GPS acquired a fix again in the meantime.

enable_status option requires argument

I'm using this tool to test the latest WPA2 flaw (PMKID capturing). In many tutorials, the command is issued with the "--enable_status" option. However, it takes values 1,2,4,8. Whenever I use any of these options, if a PMKID is captured it's not logged in the terminal.

enable_status=1

sudo hcxdumptool -o test2.pcapng -i wlp2s0mon  --filterlist=f2-matrix.txt --filtermode=2 --enable_status=1      
[sudo] password for thor: 

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp2s0mon
FILTERLIST...............: 1 entries
MAC CLIENT...............: fcc233c3026a (client)
MAC ACCESS POINT.........: 1100aa7f0d1a (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 64933
ANONCE...................: 27eeea4b47739b815b2c536e46bac31215c891269ebb4633e41376aec13bd269

INFO: cha=3, rx=119, rx(dropped)=0, tx=2, powned=0, err=0^C

enable_status=2

sudo hcxdumptool -o test2.pcapng -i wlp2s0mon  --filterlist=f2-matrix.txt --filtermode=2 --enable_status=2

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp2s0mon
FILTERLIST...............: 1 entries
MAC CLIENT...............: fcc233703b20 (client)
MAC ACCESS POINT.........: 0418b60ad190 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 61990
ANONCE...................: 5fbd0055af0dcc03143a14bf3cddaa1acc31f9b755dc4900fd5bf0727f909bde

[15:03:34 - 003] b4e62a183a06 -> ffffffffffff matrix [PROBEREQUEST, SEQUENCE 2920]
[15:03:40 - 007] f4f26d25b268 -> fcc233703b20 matrix [PROBERESPONSE, SEQUENCE 1215, AP CHANNEL 8]
INFO: cha=7, rx=192, rx(dropped)=16, tx=14, powned=1, err=0^C

The same happens for option 4 and 8 as well.

BUT for some strange reason, if "--enable_status=1,2,4,8" is used, it's showing the status properly.

sudo hcxdumptool -o test2.pcapng -i wlp2s0mon  --filterlist=f2-matrix.txt --filtermode=2 --enable_status=1,2,4,8

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp2s0mon
FILTERLIST...............: 1 entries
MAC CLIENT...............: f0a225ee1382 (client)
MAC ACCESS POINT.........: acde482d1654 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63478
ANONCE...................: 75ec843719a0d17613de85ca32cb4cd8c02b56e41d68b39f0de285c384e794f9

[14:42:05 - 001] f4f26d25b268 -> f0a225ee1382 [FOUND PMKID CLIENT-LESS]
[14:42:06 - 001] f4f26d25b268 -> e8de27125d90 [FOUND PMKID]

Please fix this issue, Thanks

MT76x8 support

I am on GL.iNet GL-MT300N v2 with Openwrt. I can go into monitor mode:

# iw phy phy0 interface add mon0 type monitor
# ifconfig mon0 up
# hcxdumptool -i mon0 -o /tmp/wifi.pcapng --enable_status=1

But I have always timeouts:

initialization...
warning: mon0 is probably a monitor interface

start capturing (stop with ctrl+c)
...
...
[18:10:34 - 001] 00888888002a -> e8abfa960007 [FOUND AUTHORIZED HANDSHAKE, > [18:11:52 - 001] 54600930adc4 -> c4ea1d3d2a2f [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 2894]
INFO: cha=1, rx=6194, rx(dropped)=1460, tx=599, powned=3, err=0

I compiled hcxdumptool with adde88 Makefile without his patch.

What's wrong? How can I check if my device is (unofficially) supported? Is the patch useful?

Filter file usage causes segmentation fault

Hey there,

I see that you fixed a segfault bug recently but I'm running off master and I still have them.

./hcxdumptool -c 1 -o cap.pcapng -i <interface> --filterlist=filter.file --filtermode=<1 or 2>

filter.file:

112233445566 + comment

Installation problem

Can't install on Ubuntu. Please help.

mohsin@mohsin-HP-Pavilion-15-Notebook-PC:~/hcxdumptool-master$ make install
cc -O3 -Wall -Wextra -std=gnu99  -o hcxdumptool hcxdumptool.c -lpthread 
make: cc: Command not found
Makefile:29: recipe for target 'build' failed
make: *** [build] Error 127

PMKID not found on TP-Link / D-Link router

Hi to all.
I have a problem with this software. When I try to find the PMKID, it gives me only a Proberequest and a Handshake AP-LESS within 3-4 hours from a TP-LINK/D-LINK target! Signal strength was -67.

I use this Wifi Card: AWUS036H (RTL8187 Drivers) and +10dB gain antenna

I use this command: hcxdumptool -o test.pcapng -i wlan0 --filterlist=mac.txt --filtermode=3 -c 6 - --enable_status=3

Anyway, without the filter list the software found the PMKID of the nearest and farthest APs except my target! Why?

Thank you for answers.

GitHub releases

Would it be possible to tag releases such that GitHub can generate tarballs? This will help with making stable releases.

Gemini PDA

I have a Gemini PDA with Kali Linux on it running a very old kernel of 3.18.41 (that is all that is offered).

I know that airodump-ng works with the older kernel, but is there a way to get this tool to work? I tried to use the android ndk builds, but no luck.

The error I get is:

failed to save current interface mode: Operation not supported on transport endpoint
failed to init socket

Filterlist larger than 64 entries

In the help output of the tool I noticed that the maximum number of entries is 64. Is it possible to increase it to a larger number, or is there some technical limitation in the implementation?

Stuck!

Using a RT2080 USB card, my attack gets stuck in this state:
https://imgur.com/a/V6qyQER Also, can someone tell me how to properly install my network drivers for this card?
Thank you!

Will not work with USB wifi device based on RTL8192 chipset

I have tried many different guides to try and get this tool to work with the RTL8192 cu chipset, but no luck. I do have this dongle working with airmon and airgeddon no problem.

My setup is RPi 3 B7+
Linux Raspberry Pi 4.14.90-v

When I run sudo hcxdumptool -wlan0 -o ....... --enable_status=2 , I get:

initialization....
interface is not up
failed to init socket

Wrong timestamp

Hi,
I've tried on two different rpie's with raspbian images and they have same timestamp with weird values. Debian VM gives normal epoch time.
Date/time is set up correctly.

(This is opened with wireshark)

Frame 1: 226 bytes on wire (1808 bits), 226 bytes captured (1808 bits) on interface 0
    Interface id: 0 (wlan1)
    Encapsulation type: IEEE 802.11 plus radiotap radio header (23)
    Arrival Time: Jan  1, 1970 01:25:10.864502000 Romance Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1510.864502000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 226 bytes (1808 bits)
    Capture Length: 226 bytes (1808 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: radiotap:wlan_radio:wlan]

In bigger capture file I noticed that starting packets have epoch values 1000/2000 and then on frame 255 it jumps to (-) value, like seen below. Later packets switch back to 1000/2000 and to (-) value again. That was on approx. 1hr long capture file.

Frame 255: 106 bytes on wire (848 bits), 106 bytes captured (848 bits) on interface 0
    Interface id: 0 (wlan0)
    Encapsulation type: IEEE 802.11 plus radiotap radio header (23)
    Arrival Time: Not representable
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: -140464757.873059000 seconds
    [Time delta from previous captured frame: -140466901.308239000 seconds]
    [Time delta from previous displayed frame: -140466901.308239000 seconds]
    [Time since reference or first frame: -140466833.115197000 seconds]
    Frame Number: 255
    Frame Length: 106 bytes (848 bits)
    Capture Length: 106 bytes (848 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: radiotap:wlan_radio:wlan]

I don't quite understand the code and I'm not really sure what to check next.
Any ideas?
Thx

hostapd + wpa_supplicant

Hi, have you ever heard whether your approach/code works with hostapd + wpa_supplicant?

Congratulations for your work and thank you for sharing the code.

EAPOL timeout is low cannot convert after capture

Hi, I get this error with hcxdumptool when I capture the PMKID.

I capture the PMKID no problem, FOUND PMKID

but when I try to convert the capture file that I -o output in hcxdumptool

I get this error

EAPOL timout is to low

So I cannot convert the file for hashcat.

Any ideas why I'm getting this error, anyone?

Is it a common error with hcxdumptool?

Thanks for any advice...

I capture with this code.

hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

get results
[08:50:37 - 006] 002417bdb675 -> d8cf9c805f44 [FOUND PMKID]

The convert code I use is as follows after I capture the PMKID

hcxdumptool -E essidlist -I identitulist -U usernamelist -z capturedthis.16800 pmkid.pcapng

then I get the error

EAPOL timeout is low

git release tag for 5.1.1 missing

It looks like 5.1.1 was released but the git tag was not pushed?
At least so far, once the version.h was bumped it was always at the same time as a release tag.

cheers

Can not run it

Hi ZerBea,
I'm getting this "interface is not up" and "failed to init socket" error.
Above these two lines, there are warnings that NetworkManager is running with pid xxx.
But after I closed NetworkManager with "service network-manager stop" I still receive these two error lines.
The command I use is "hcxdumptool -o temp.pcapng -i wlan0 -t 5 --enable_status=3"
The wlan0 is my physical wireless interface, and the wireless card I'm using is TL-WN722N, and there is no error during make && make install. The system is Kali Linux.

Blacklist entire access point

Is there a way to blacklist an entire access point without having to specify all of the bssid+client+ssid pairs in the blacklist file? Something like a wildcard for any of the fields in the file?

Supported adapters

Are those listed the only ones supported? What do I have these I can do something?
Qualcomm Atheros AR928X Wireless Network Adapter (PCI-Express) (rev 01)
Atheros Communications, Inc. AR9271 802.11n 1

thank you

OSX

Would be great to get this working on osx.

Gets stuck with on "#include <netpacket/packet.h>" - doesn't exist on osx and not sure how to get it.

unable to set channel with rtl8188eu

I am using kali and was able to set the adapter to monitor mode using kimocoder driver (https://github.com/kimocoder/rtl8188eus). I can use airodump to receive packets but it is not working using hcxdumptool.
I only get this as a result:

# hcxdumptool -i wlan0 -o output.pcapng -c 1,6,11 --enable_status=1
initialization...
warning: unable to set channel 1 (removed this channel from scan list)
warning: unable to set channel 6 (removed this channel from scan list)
warning: unable to set channel 11 (removed this channel from scan list)
no available channel found in scan list

terminated...

Packet injection with aireplay is working, though:

# aireplay-ng -9 wlan0
15:37:11  Trying broadcast probe requests...
15:37:13  No Answer...
15:37:13  Found 2 APs

15:37:13  Trying directed probe requests...
15:37:13  XX:XX:XX:XX:XX:XX - channel: 11 - 'HOST1'
15:37:13  Ping (min/avg/max): 2.717ms/10.364ms/24.075ms Power: -41.67
15:37:13  30/30: 100%

15:37:13  Injection is working!

15:37:13  XX:XX:XX:XX:XX:XX - channel: 11 - 'HOST2'
15:37:13  Ping (min/avg/max): 2.921ms/9.882ms/22.017ms Power: -40.87
15:37:13  30/30: 100%

Here are the commands I've run:

# lsusb
Bus 001 Device 002: ID 2001:3310 D-Link Corp. 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
# ip link set wlan0 down
# iw dev wlan0 set type monitor
# ip link set wlan0 up
# iw dev
phy#0
	Interface wlan0
		ifindex 3
		wdev 0x1
		addr c2:67:84:6f:42:9c
		type monitor
		txpower 13.00 dBm
# hcxdumptool -I
wlan interfaces:
1062eb30659b wlan0 (rtl8188eu)
warning: NetworkManager is running with pid 441
warning: wpa_supplicant is running with pid 799
# kill 441 799
# hcxdumptool -I
wlan interfaces:
1062eb30659b wlan0 (rtl8188eu)

Make file build failing with `hcxdumptool.c:4775:16: error: 'ETH_ALEN' undeclared`

I'm on Ubuntu 18.04. Below are the logs of make:

/home/o_o/miniconda/bin/x86_64-conda_cos6-linux-gnu-cc -march=nocona -mtune=haswell -ftree-vectorize -fPIC -fstack-protector-strong -fno-plt -O2 -ffunction-sections -pipe -std=gnu99 -DNDEBUG -D_FORTIFY_SOURCE=2 -O2 -o hcxpioff hcxpioff.c -Wl,-O2 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,--disable-new-dtags -Wl,--gc-sections
/home/o_o/miniconda/bin/x86_64-conda_cos6-linux-gnu-cc -march=nocona -mtune=haswell -ftree-vectorize -fPIC -fstack-protector-strong -fno-plt -O2 -ffunction-sections -pipe -std=gnu99 -DNDEBUG -D_FORTIFY_SOURCE=2 -O2 -o hcxdumptool hcxdumptool.c -Wl,-O2 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,--disable-new-dtags -Wl,--gc-sections
In file included from /home/o_o/miniconda/x86_64-conda_cos6-linux-gnu/sysroot/usr/include/endian.h:61:0,
                 from /home/o_o/miniconda/x86_64-conda_cos6-linux-gnu/sysroot/usr/include/ctype.h:41,
                 from hcxdumptool.c:2:
hcxdumptool.c: In function 'opensocket':
hcxdumptool.c:4664:51: error: 'ETH_P_ALL' undeclared (first use in this function); did you mean 'ETH_TP_MDI'?
 if((fd_socket = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0)
                                                   ^
hcxdumptool.c:4664:51: note: each undeclared identifier is reported only once for each function it appears in
hcxdumptool.c:4775:16: error: 'ETH_ALEN' undeclared (first use in this function); did you mean 'ETH_P_ALL'?
 ll.sll_halen = ETH_ALEN;
                ^~~~~~~~
                ETH_P_ALL
Makefile:20: recipe for target 'build' failed
make: *** [build] Error 1

MT7601U Linux Driver

Hello,
Sorry for my English, I'm not a native speaker.
For using hcxdumptool I bought a new wireless adapter called Tenda W311MA, chipset is MT7601U, but the official driver is only for Linux kernel 2.6-2.8. I googled it and found some vendor driver, but it doesn't work.
Does anyone have a valid MT7601U driver for Kali Linux, or can anyone help me please!

root@kali:~# uname -a
Linux kali 4.15.0-kali2-amd64 #1 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux
root@kali:~# lsusb
...  
Bus 001 Device 002: ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter  
...  
root@kali:~# dmesg  
...  
[  118.049886] platform regulatory.0: firmware: failed to load regulatory.db (-2)
[  118.049890] firmware_class: See https://wiki.debian.org/Firmware for information about missing firmware
[  118.049892] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[  118.049895] cfg80211: failed to load regulatory.db
[  118.291535] usb 1-1: reset high-speed USB device number 2 using ehci-pci
[  118.471693] mt7601u 1-1:1.0: ASIC revision: 76010001 MAC revision: 76010500
[  118.525292] mt7601u 1-1:1.0: firmware: direct-loading firmware mt7601u.bin
[  118.525299] mt7601u 1-1:1.0: Firmware Version: 0.1.00 Build: 7640 Build time: 201302052146____
[  121.817616] mt7601u 1-1:1.0: Vendor request req:02 off:0a44 failed:-110
[  127.222926] mt7601u 1-1:1.0: Vendor request req:07 off:09a8 failed:-110
[  130.485039] mt7601u 1-1:1.0: Vendor request req:02 off:09a8 failed:-110
[  133.685535] mt7601u 1-1:1.0: Vendor request req:07 off:0734 failed:-110
[  136.913990] mt7601u 1-1:1.0: Vendor request req:42 off:0230 failed:-110
[  140.176270] mt7601u 1-1:1.0: Vendor request req:07 off:0080 failed:-110
[  143.438823] mt7601u 1-1:1.0: Vendor request req:02 off:0080 failed:-110
[  146.701059] mt7601u 1-1:1.0: Vendor request req:02 off:0080 failed:-110
[  146.701104] mt7601u: probe of 1-1:1.0 failed with error -110
[  146.701130] usbcore: registered new interface driver mt7601u
...  

Not get result even after more than half hour

I have "Ralink corp. RT3290 Wireless 802.11n 1T/1R PCIe" adapter which comes with my laptop.
I tried:
hcxdumptool -o test.pcapng -i wlo1mon --filterlist=aashik.txt --filtermode=2 --enable_status=4
And waited about half an hour but still don't get a PMKID.
