ZerBea commented on July 20, 2024

hcxdumptool does not have these options: "-o dumpfile.pcapng --active_beacon --enable_status=15"

All options can be listed by "-h" or "--help"

$ hcxdumptool -h
hcxdumptool 6.3.1-56-g89278de  (C) 2023 ZeroBeat
usage: hcxdumptool <options>
        first stop all services that take access to the interface, e.g.:
        $ sudo systemctl stop NetworkManager.service
        $ sudo systemctl stop wpa_supplicant.service
        then run hcxdumptool
        press ctrl+c to terminate
        press GPIO button to terminate
        hardware modification is necessary, read more:
        https://github.com/ZerBea/hcxdumptool/tree/master/docs
        stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
        do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
        do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
        do not use virtual machines or emulators
        do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
        do not use tools to change MAC (like macchanger)
        do not merge (pcapng) dump files, because this destroys assigned hash values!

short options:
-i <INTERFACE> : name of INTERFACE to be used
                  default: first suitable INTERFACE
                  warning: hcxdumptool changes the virtual MAC address of the INTERFACE
-w <outfile>   : write packets to a pcapng-format file named <outfile>
                  default outfile name: yyyyddmmhhmmss-interfacename.pcapng
                  get more information: https://pcapng.com/
-c <digit>     : set channel (1a,2a,36b...)
                  default: 1a,6a,11a
                  important notice: channel numbers are not unique
                  it is mandatory to add band information to the channel number (e.g. 12a)
                   band a: NL80211_BAND_2GHZ
                   band b: NL80211_BAND_5GHZ
                   band c: NL80211_BAND_6GHZ
                   band d: NL80211_BAND_60GHZ
                   band e: NL80211_BAND_S1GHZ (902 MHz)
                  to disable frequency management, set this option to a single frequency/channel
-f <digit>     : set frequency (2412,2417,5180,...)
-F             : use available frequencies from INTERFACE
-t <second>    : minimum stay time (will increase on new stations and/or authentications)
                  default 1 seconds
-m <INTERFACE> : set monitor mode and terminate
-p             : do not set monitor mode: active (do not ACK incoming frames addressed to the device MAC)
                 default monitor mode: active (ACK all incoming frames addressed to the device MAC)
-L             : show INTERFACE list
-l             : show INTERFACE list (tabulator separated and greppable)
-I <INTERFACE> : show detailed information about INTERFACE
-h             : show this help
-v             : show version

long options:
--bpf=<file>                   : input kernel space Berkeley Packet Filter (BPF) code
                                  steps to create a BPF (it only has to be done once):
                                  $ hcxdumptool -m <interface>
                                  create BPF to protect MACs
                                  $ tcpdump -i <INTERFACE> not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
                                  recommended to protect own devices
                                  create BPF to attack a MAC
                                  $ tcpdump -i <INTERFACE> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
                                  it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
                                  $ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
                                  see man pcap-filter for a list of all filter options
                                  add BPF code: 
                                  $ hcxdumptool -i <INTERFACE> --bpf=attack.bpf ...
--disable_beacon               : do not transmit BEACON frames
--disable_deauthentication     : do not transmit DEAUTHENTICATION/DISASSOCIATION frames
--disable_proberequest         : do not transmit PROBEREQUEST frames
--disable_association          : do not AUTHENTICATE/ASSOCIATE
--disable_reassociation        : do not REASSOCIATE a CLIENT
--beacontx=<digit>             : transmit BEACON of first n entries of ESSID list
                                  default: 10
--proberesponsetx=<digit>      : transmit PROBERESPONSEs of first n entries of ESSID list
                                 default: 10
--essidlist=<file>             : initialize ESSID list with these ESSIDs
--errormax=<digit>             : set maximum allowed ERRORs
                                  default: 100 ERRORs
--watchdogmax=<seconds>        : set maximum TIMEOUT when no packets received
                                  default: 600 seconds
--attemptclientmax=<digit>     : set maximum of attempts to request an EAPOL M2
                                  default: 10 attempts
                                  to disable CLIENT attacks set 0
--attemptapmax=<digit>         : set maximum of received BEACONs to request a PMKID or to get a 4-way handshake
                                  default: stop after 4 received BEACONs
                                  attemptapmax=0 include this options:
                                   disable_deauthentication: do not transmit DEAUTHENTICATION/DISASSOCIATION frames
                                   disable_proberequest    : do not transmit PROBEREQUEST frames
                                   disable_association     : do not AUTHENTICATE/ASSOCIATE
                                   disable_reassociation   : do not REASSOCIATE a CLIENT
--tot=<digit>                  : enable timeout timer in minutes
--exitoneapol=<type>           : exit on first EAPOL occurrence:
                                  bitmask:
                                   1 = PMKID
                                   2 = EAPOL M2
                                   4 = EAPOL M3
                                  target BPF filter is recommended
--onsigterm=<action>           : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--ongpiobutton=<action>        : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--ontot=<action>               : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--onwatchdog=<action>          : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--onerror=<action>             : action when the program has been terminated (poweroff, reboot)
                                  poweroff: power off system
                                  reboot:   reboot system
--gpio_button=<digit>          : Raspberry Pi GPIO pin number of button (2...27)
                                  push GPIO button (> 10 seconds) to terminate program
                                  default: 0 (GPIO not in use)
--gpio_statusled=<digit>       : Raspberry Pi GPIO number of status LED (2...27)
                                  default: 0 (GPIO not in use)
--nmea_dev=<NMEA device>       : open NMEA device (/dev/ttyACM0, /dev/tty/USB0, ...)
                                  baudrate = BD9600
--gpsd                         : use gpsd to get position
                                  gpsd will be switched to NMEA0183 mode
--nmea_out=<outfile>           : write GPS information to a nmea-format file named <outfile>
                                  default outfile name: yyyymmddhhmmss.nmea
                                  output: NMEA 0183 standard messages:
                                          $GPRMC: Position, velocity, time and date
                                          $GPGGA: Position, orthometric height, fix related data, time
                                          $GPWPL: Position and MAC AP
                                          $GPTXT: ESSID in HEX ASCII
                                  use gpsbabel to convert to other formats:
                                   gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file.gpx
                                   gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml
                                  get more information: https://en.wikipedia.org/wiki/NMEA_0183
--nmea_pcapng                  : write GPS information to pcapng dump file
--rcascan=<character>          : do (R)adio (C)hannel (A)ssignment scan
                                  default = passive scan
                                  a = active scan
                                  p = passive scan
--rds=<digit>                  : sort real time display
                                  default: sort by time (last seen on top)
                                  1 = sort by status (last PMKID/EAPOL on top)
--help                         : show this help
--version                      : show version

Legend
real time display:
 R = + AP display:     AP is in TX range or under attack
 S = + AP display:     AUTHENTICATION KEY MANAGEMENT PSK
 P = + AP display:     got PMKID hashcat / JtR can work on
 1 = + AP display:     got EAPOL M1 (CHALLENGE)
 3 = + AP display:     got EAPOL M1M2M3 (AUTHORIZATION) hashcat / JtR can work on
 E = + CLIENT display: got EAP-START MESSAGE
 2 = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE) hashcat / JtR can work on
Notice:
This is a penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
To store entire traffic, run <tshark -i <interface> -w allframes.pcapng> in parallel

The simplest command to run hcxdumptool is:
$ sudo hcxdumptool -F --rds1

For more information, read the help menu, the changelog (why options have been changed) and README.md

Closed, because this is not a bug.

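The help output above insists that the band letter after a channel number is mandatory (channel numbers alone are ambiguous across bands) and lists the frequencies that "-f" accepts. The following is an added example, not code from the issue or from hcxdumptool itself: a small Python parser for that "-c" syntax ("1a,6a,11a", "36b") that validates the band suffix and maps each entry to its centre frequency in MHz. The band letters and their NL80211 names come from the help text; the channel-to-frequency formulas are my own assumptions based on the IEEE 802.11 channel plans (the S1G band is deliberately not modelled).

```python
# Added example (not hcxdumptool's own code): parse the "-c <digit>" channel
# list syntax from the help output, e.g. "1a,6a,11a", into centre frequencies.
# Band letters follow the help text; the frequency formulas below are my
# assumptions from the 802.11 channel plans, not something the page states.

BANDS = {
    "a": "NL80211_BAND_2GHZ",
    "b": "NL80211_BAND_5GHZ",
    "c": "NL80211_BAND_6GHZ",
    "d": "NL80211_BAND_60GHZ",
    "e": "NL80211_BAND_S1GHZ",
}


def channel_to_mhz(channel, band):
    """Return the centre frequency (MHz) for a channel in the given band.

    Assumed formulas: 2.4 GHz is 2407 + 5*ch (ch 14 is the special 2484),
    5 GHz is 5000 + 5*ch, 6 GHz is 5950 + 5*ch, 60 GHz is 56160 + 2160*ch.
    Raises ValueError for channels outside the plan or the unmodelled S1G band.
    """
    if band == "a":
        if 1 <= channel <= 13:
            return 2407 + 5 * channel
        if channel == 14:
            return 2484
    elif band == "b":
        if 1 <= channel <= 200:
            return 5000 + 5 * channel
    elif band == "c":
        if 1 <= channel <= 233:
            return 5950 + 5 * channel
    elif band == "d":
        if 1 <= channel <= 6:
            return 56160 + 2160 * channel
    elif band == "e":
        raise ValueError("S1G (902 MHz) channel plan is not modelled here")
    raise ValueError(f"channel {channel} is not valid in band {band!r}")


def parse_channel_list(spec):
    """Parse a comma separated list like "1a,6a,11a" into
    (channel, nl80211_band_name, frequency_mhz) tuples.

    A token without a trailing band letter (e.g. "12") is rejected, because
    the help text says band information is mandatory.
    """
    entries = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        digits, band = token[:-1], token[-1]
        if band not in BANDS or not digits.isdigit():
            raise ValueError(
                f"{token!r}: expected <channel><band>, e.g. 12a "
                "(band letter is mandatory)"
            )
        channel = int(digits)
        entries.append((channel, BANDS[band], channel_to_mhz(channel, band)))
    return entries


if __name__ == "__main__":
    # Constructed inputs: the documented default plus a 5 GHz channel.
    for spec in ("1a,6a,11a", "36b", "12"):
        try:
            print(spec, "->", parse_channel_list(spec))
        except ValueError as err:
            print(spec, "-> rejected:", err)
```

Run it directly to see the default list resolve to 2412/2437/2462 MHz, "36b" to 5180 MHz (both matching the "-f" examples in the help text), and the bare "12" rejected. The rejection is the useful part when scripting a capture on a fixed channel: a bare number silently refers to a different frequency per band, so refusing it up front avoids capturing on the wrong one.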