Comments (16)

ZerBea avatar ZerBea commented on July 20, 2024 1

Some good news:
https://bugzilla.kernel.org/show_bug.cgi?id=218040#c7

from hcxdumptool.

ZerBea avatar ZerBea commented on July 20, 2024

Some information about the ERRORs and WARNINGs:

Warning: out of sequence timestamps!
This dump file contains frames with out sequence timestamps.
That is a bug of the capturing tool.

You're running an outdated version of hcxpcapngtool

$ hcxpcapngtool --version
hcxpcapngtool 6.2.7 (C) 2022 ZeroBeat

It can't handle the new time resolution of hcxdumptool > v6.3.0
It is mandatory to update to either v6.3.1 or latest git head.

Running into 101 errors during runtime error after <60sec of capturing handshakes, when trying to recapture again it will show the same error in <10 secs.

This is a driver problem. Packet injection is not working on this driver.

BTW:
Your report reminded me to add rtw_88xx chipsets/drivers (and in general all Realtek devices) to the list of not working (not working as expected) devices.

Please read more here (especially the Realtek section):
morrownr/USB-WiFi#314

from hcxdumptool.

ZerBea avatar ZerBea commented on July 20, 2024

A test on rtw_8821ce driver confirmed that packet injection is not working on this driver.
The R column of the status display remains empty.

$ uname -r
6.5.8-arch1-1

$ hcxdumptool -L

Requesting physical interface capabilities. This may take some time.
Please be patient...

available wlan devices:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0   3 70665594bd1f 70665594bd1f + wlp4s0           rtw_8821ce (NETLINK)

* active monitor mode available
+ monitor mode available
- no monitor mode available

bye-bye

There is nothing I can do. We have to wait for a driver fix.

from hcxdumptool.

ZerBea avatar ZerBea commented on July 20, 2024

A frame injection test running aireplay-ng confirmed that the driver is not working as expected:

$ sudo ./aireplay-ng --test  wlp4s0
10:51:43  Trying broadcast probe requests...
10:51:45  No Answer...
10:51:45  Found 0 APs

I think we can close this report, because the problem is related to the driver (no frame injection).

from hcxdumptool.

ZerBea avatar ZerBea commented on July 20, 2024

BTW:
hcxdumptool has a similar function to test packet injection:
$ sudo hcxdumptool -F --rcascan=active

Terminate it after a period of a few minutes.

If you get a message like this, frame injection is not working (driver bug):
Warning: no responses received (packet injection may not work)

from hcxdumptool.

ZerBea avatar ZerBea commented on July 20, 2024

I reported this to bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=218040

from hcxdumptool.

Newcool1230 avatar Newcool1230 commented on July 20, 2024

Even though this is not the news I was hoping to hear, thank you very much for testing, debugging and getting back to me so quickly!

from hcxdumptool.

ZerBea avatar ZerBea commented on July 20, 2024

Please notice:
Your kernel

$ uname -a
Linux Captain 5.19.0-kali2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.11-1kali2 (2022-10-10) x86_64 GNU/Linux

is outdated and no longer under maintenance:
https://www.kernel.org/

It will not get the fix.

from hcxdumptool.

Newcool1230 avatar Newcool1230 commented on July 20, 2024

Thank you for keeping me updated! I'll keep an eye out for the 6.6 kernel release.

from hcxdumptool.

ZerBea avatar ZerBea commented on July 20, 2024

Looks like kernel 6.6 will be a good one regarding rtw88 driver. The compiled custom kernel (6.6-RC7) is running fine.
This tested custom kernel is very close to Arch Linux:
https://wiki.archlinux.org/title/Kernel

I do something between the traditional way
https://wiki.archlinux.org/title/Kernel/Traditional_compilation
and the Arch Build system
https://wiki.archlinux.org/title/Kernel/Arch_Build_System
to configure and build this kernel.

from hcxdumptool.

Newcool1230 avatar Newcool1230 commented on July 20, 2024

Heyo, hope you are doing well, I'm back again!

I have since updated to kernel version 6.6.0 but am still getting the 101 errors during runtime error. I then updated to the new 6.6.4 release but am again still getting that error, which causes the dump to stop capturing after a certain time. The injection tests, however, were able to keep running until manually stopped. Let me know if you need any additional info to help debug this.

The injection tests:

$ sudo hcxdumptool -F --rcascan=active      

Requesting physical interface capabilities. This may take some time.
Please be patient...

interface information:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  0   2 7440bb49dc95 96de07abfd6a + wlan0            rtw_8822be (NETLINK)


available frequencies: frequency [channel] tx-power of Regulatory Domain: 00

  2412 [  1] 20.0 dBm     2417 [  2] 20.0 dBm     2422 [  3] 20.0 dBm     2427 [  4] 20.0 dBm
  2432 [  5] 20.0 dBm     2437 [  6] 20.0 dBm     2442 [  7] 20.0 dBm     2447 [  8] 20.0 dBm
  2452 [  9] 20.0 dBm     2457 [ 10] 20.0 dBm     2462 [ 11] 20.0 dBm     2467 [ 12] 20.0 dBm
  2472 [ 13] 20.0 dBm     2484 [ 14] 20.0 dBm     5180 [ 36] 20.0 dBm     5200 [ 40] 20.0 dBm
  5220 [ 44] 20.0 dBm     5240 [ 48] 20.0 dBm     5260 [ 52] 20.0 dBm     5280 [ 56] 20.0 dBm
  5300 [ 60] 20.0 dBm     5320 [ 64] 20.0 dBm     5500 [100] 20.0 dBm     5520 [104] 20.0 dBm
  5540 [108] 20.0 dBm     5560 [112] 20.0 dBm     5580 [116] 20.0 dBm     5600 [120] 20.0 dBm
  5620 [124] 20.0 dBm     5640 [128] 20.0 dBm     5660 [132] 20.0 dBm     5680 [136] 20.0 dBm
  5700 [140] 20.0 dBm     5720 [144] 20.0 dBm     5745 [149] 20.0 dBm     5765 [153] 20.0 dBm
  5785 [157] 20.0 dBm     5805 [161] 20.0 dBm     5825 [165] 20.0 dBm


scan frequencies: frequency [channel] of Regulatory Domain: 00

  2412 [  1]      2417 [  2]      2422 [  3]      2427 [  4]      2432 [  5]
  2437 [  6]      2442 [  7]      2447 [  8]      2452 [  9]      2457 [ 10]
  2462 [ 11]      2467 [ 12]      2472 [ 13]      2484 [ 14]      5180 [ 36]
  5200 [ 40]      5220 [ 44]      5240 [ 48]      5260 [ 52]      5280 [ 56]
  5300 [ 60]      5320 [ 64]      5500 [100]      5520 [104]      5540 [108]
  5560 [112]      5580 [116]      5600 [120]      5620 [124]      5640 [128]
  5660 [132]      5680 [136]      5700 [140]      5720 [144]      5745 [149]
  5765 [153]      5785 [157]      5805 [161]      5825 [165]

This is a highly experimental penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!

BPF is unset! Make sure hcxdumptool is running in a 100% controlled environment!

Initialize main scan loop...

 CHA  FREQ  BEACON  RESPONSE S    MAC-AP    ESSID  SCAN-FREQUENCY:   2432
--------------------------------------------------------------------------
   1  2412 14:01:29          + a8...52 {SSID}  [0]
   1  2412 14:01:28          + 4e...1b {SSID} [0]
   1  2412 14:01:28          + 72...1e  [0]
   1  2412 14:01:28          + bc...37 {SSID}  [0]
   1  2412 14:01:28          + 7e...ea {SSID}  [0]
   1  2412 14:01:28          + 8d...d9  [0]
   1  2412 14:01:28          + 9e...d2 {SSID} [0]
 161  5805 14:01:27          + ae...16 {SSID}  [0]
 157  5785 14:01:27          + ad...e8  [0]
 157  5785 14:01:27            bb...e8  [0]
 157  5785 14:01:27          + fb...8e {SSID}  [0]
 149  5745 14:01:26          + 8e...f6  [0]
   6  2437 14:01:15            e8...b1  [0]
   6  2437 14:01:15          + 5e...9f {SSID} [0]
   6  2437 14:01:14          + 40...43 {SSID}  [0]
^C
10 ERROR(s) during runtime
10542 Packet(s) captured by kernel
835 Packet(s) dropped by kernel
Warning: no PROBERESPONSES received (frame injection may not work as expected)
Possible reasons:
 no AP in range
 frames are filtered out by BPF
 driver is broken
 driver does not support frame injection

exit on sigterm
---

$ sudo aireplay-ng --test wlan0       
14:02:13  Trying broadcast probe requests...
14:02:15  No Answer...
14:02:15  Found 4 APs

14:02:15  Trying directed probe requests...
14:02:15  D6...85 - channel: 6 - {SSID}
14:02:21   0/30:   0%

14:02:21  5E...9D - channel: 6 - ''
14:02:22  Ping (min/avg/max): 1.039ms/38.736ms/170.404ms Power: -77.72
14:02:22  29/30:  96%

14:02:22  Injection is working!

14:02:22  5E...9F - channel: 6 - {SSID}
14:02:26  Ping (min/avg/max): 1.019ms/17.460ms/70.213ms Power: -78.00
14:02:26  18/30:  60%

14:02:26  9C...42 - channel: 6 - {SSID}
14:02:33   0/30:   0%

Dump error:

$ sudo hcxdumptool -i wlan0 -w dumpfile.pcapng

 CHA   LAST   R 1 3 P S    MAC-AP    ESSID (last seen on top)     SCAN-FREQUENCY:   2412
-----------------------------------------------------------------------------------------
   1 13:57:12         + 18...d3 {SSID}
   1 13:57:12         + ae...97 
   1 13:57:12           88...bb 
   1 13:57:12         + 88...47 
   1 13:57:12         + 88...46 {SSID}
   1 13:57:12         + 90...23 
   1 13:57:12           b6...d2 
   1 13:57:12         + ac...d2 {SSID}
   1 13:57:12         + 42...51 
   1 13:57:12         + a6...d2 
   1 13:57:12         + 9c...f2 {SSID}
   1 13:57:12         + 70...4d 
   1 13:57:12         + bc...97 {SSID}
   1 13:57:12         + a8...15 {SSID}
   1 13:57:12         + 70...4a {SSID}
   1 13:57:12         + 82...51 
   1 13:57:12           70...54 
   1 13:57:12         + 70...4b 
   1 13:57:12         + 88...49 
   1 13:57:12         + 18...d3 {SSID}


   LAST   E 2 MAC-AP-ROGUE   MAC-CLIENT   ESSID (last seen on top)
-----------------------------------------------------------------------------------------

103 ERROR(s) during runtime
1585 Packet(s) captured by kernel
837 Packet(s) dropped by kernel
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
55 EPB written to pcapng dumpfile

exit on error

New info:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2023.4
Codename:       kali-rolling

$ uname -a
Linux Captain 6.6.4 #2 SMP PREEMPT_DYNAMIC x86_64 GNU/Linux

$ hcxdumptool --version
hcxdumptool 6.3.2-73-gc32827d (C) 2023 ZeroBeat
running on Linux kernel 6.6.4
running GNU libc version 2.37
compiled by gcc 13.2.0
compiled with Linux API headers 6.5.6
compiled with GNU libc headers 2.37
enabled REALTIME DISPLAY
enabled GPS support
disabled BPF compiler

$ hcxpcapngtool --version
hcxpcapngtool 6.3.2-15-g80c151f (C) 2023 ZeroBeat

from hcxdumptool.

ZerBea avatar ZerBea commented on July 20, 2024

That is not a problem of hcxdumptool. It looks like the PCIe device has been deactivated by ASPM.
Please try this:
Add "rtw88_pci.disable_aspm=y" to the kernel command line on boot.
It will disable the Active-State Power Management of this device and hcxdumptool doesn't throw ERRORs any longer.

This is the status of my rtw_8821ce after ASPM has been disabled running kernel:
$ uname -r
6.6.4-arch1-1

$ sudo hcxdumptool --rcascan=active

0 ERROR(s) during runtime
145 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
42 PROBERESPONSE(s) captured

exit on sigterm

from hcxdumptool.
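
Added example (not part of the thread and not hcxdumptool code): a check that the `rtw88_pci.disable_aspm=y` setting named above actually reached the kernel command line and that the loaded driver reports it. The function names are made up for this example, and the sysfs path is an assumption based on the standard `/sys/module/<module>/parameters/` layout.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are arguments so the checks can
# also be run against saved copies of the files.

# Succeeds if the command line in $1 sets rtw88_pci.disable_aspm to y, Y or 1.
# The kernel treats '-' and '_' in parameter names as equivalent.
aspm_requested_on_cmdline() {
    cmdline_file=${1:-/proc/cmdline}
    [ -r "$cmdline_file" ] || return 2
    tr ' ' '\n' < "$cmdline_file" | sed 's/-/_/g' |
        grep -Eq '^rtw88_pci\.disable_aspm=(y|Y|1)$'
}

# Prints what the loaded driver reports: "disabled" (ASPM off), "enabled",
# or "not-loaded". Assumption: standard sysfs module parameter location.
aspm_module_state() {
    param_file=${1:-/sys/module/rtw88_pci/parameters/disable_aspm}
    if [ ! -r "$param_file" ]; then echo not-loaded; return 0; fi
    case $(cat "$param_file") in
        Y|y|1) echo disabled ;;
        *)     echo enabled ;;
    esac
}

# One-line report combining both views.
aspm_report() {
    if aspm_requested_on_cmdline "${1:-}"; then requested=yes; else requested=no; fi
    echo "cmdline=$requested module=$(aspm_module_state "${2:-}")"
}

aspm_report    # live system: /proc/cmdline and /sys/module/rtw88_pci
```

A result of `cmdline=yes module=enabled` or `cmdline=no` after a reboot means the bootloader entry that was edited is not the one that booted.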

ZerBea avatar ZerBea commented on July 20, 2024

BTW:
You shouldn't trust a test of short time duration.
This test may be successful, but it doesn't detect if the device goes to sleep later on.
hcxdumptool detects this and it throws ERRORs.

Some words about KALI.
It is mandatory to configure/customize KALI. With the default configuration it may not do what you expect.
If you decide to use a PCIe device as attack device it is mandatory to prevent that it goes to sleep. It looks like KALI doesn't do that.

from hcxdumptool.
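
Added example (not part of the thread and not hcxdumptool code): a parser for the exit summary hcxdumptool prints, so the counters can be checked at the end of a long run instead of relying on a short test. The function names and the FAIL rule (any runtime ERROR, or the "no PROBERESPONSES received" warning) are assumptions made for this example; the sample summaries are copied from the runs posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an hcxdumptool exit summary on
# stdin and prints a verdict line. FAIL rule (assumption for this example):
# any runtime ERROR, or the "no PROBERESPONSES received" warning.
hcx_summary_verdict() {
    awk '
        /ERROR\(s\) during runtime/      { errors = $1; seen = 1 }
        /Packet\(s\) captured by kernel/ { captured = $1 }
        /Packet\(s\) dropped by kernel/  { dropped = $1 }
        /PROBERESPONSE\(s\) captured/    { responses = $1 }
        /no PROBERESPONSES received/     { noresp = 1 }
        END {
            if (!seen) { print "UNKNOWN no summary found"; exit }
            if (noresp)               probe = "0"
            else if (responses == "") probe = "n/a"   # not an rcascan run
            else                      probe = responses
            verdict = (errors + 0 > 0 || noresp) ? "FAIL" : "OK"
            printf "%s errors=%d captured=%d dropped=%d proberesponses=%s\n",
                   verdict, errors, captured, dropped, probe
        }'
}

# Summaries copied from the runs posted in this thread.
sample_rcascan_before() {
    cat <<'EOF'
10 ERROR(s) during runtime
10542 Packet(s) captured by kernel
835 Packet(s) dropped by kernel
Warning: no PROBERESPONSES received (frame injection may not work as expected)
EOF
}

sample_rcascan_aspm_off() {
    cat <<'EOF'
0 ERROR(s) during runtime
145 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
42 PROBERESPONSE(s) captured
EOF
}

sample_rcascan_before   | hcx_summary_verdict
sample_rcascan_aspm_off | hcx_summary_verdict
```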

ZerBea avatar ZerBea commented on July 20, 2024

Please notice that there are still some open bugs:
https://bugzilla.kernel.org/show_bug.cgi?id=213195
https://bugzilla.kernel.org/show_bug.cgi?id=216386

Also please notice that it is in general not a good idea to use internal PCIe devices:
https://www.phoronix.com/news/AMD-WBRF-For-Linux-6.8

from hcxdumptool.

LLH-l avatar LLH-l commented on July 20, 2024

kali-linux-2023.4 and wifislax64-3.4-final
Use rt5572 rtl8812AU can capture to PMKID

CHA   LAST   R 1 3 P S    MAC-AP    ESSID (last seen on top)     SCAN-FREQUENCY:   5745
-----------------------------------------------------------------------------------------
149 17:36:30 + +   + + c43fffffffff CMCC-vKDZ

Test using 8812bu (Chipset: rtw_8822be) cannot capture to PMKID
But can capture handshake

run command . . .
sudo hcxdumptool -c 149b --bpf=attack.bpf

 CHA   LAST   R 1 3 P S    MAC-AP    ESSID (last seen on top)     SCAN-FREQUENCY:   5745
-----------------------------------------------------------------------------------------
 149 17:36:34         + c43fffffffff CMCC-vKDZ



   LAST   E 2 MAC-AP-ROGUE   MAC-CLIENT   ESSID (last seen on top)
-----------------------------------------------------------------------------------------
^C
0 ERROR(s) during runtime
92 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
1 EPB written to pcapng dumpfile

exit on sigterm

seems no error

from hcxdumptool.

ZerBea avatar ZerBea commented on July 20, 2024

8812bu is an out of tree kernel driver - it is not part of the Linux stock kernel:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/net/wireless/realtek?h=v6.7.5

There are several different drivers out in the wild. Some of them may support packet injection and some do not:
https://github.com/morrownr/88x2bu-20210702
https://github.com/fastoe/RTL8812BU

An overview is here:
morrownr/USB-WiFi#314

from hcxdumptool.
