Comments (16)
Some good news:
https://bugzilla.kernel.org/show_bug.cgi?id=218040#c7
from hcxdumptool.
Some information about the ERRORs and WARNINGs:
Warning: out of sequence timestamps!
This dump file contains frames with out of sequence timestamps.
That is a bug of the capturing tool.
You're running an outdated version of hcxpcapngtool
$ hcxpcapngtool --version
hcxpcapngtool 6.2.7 (C) 2022 ZeroBeat
It can't handle the new time resolution of hcxdumptool > v6.3.0
It is mandatory to update to either v6.3.1 or latest git head.
Running into 101 errors during runtime error after <60sec of capturing handshakes, when trying to recapture again it will show the same error in <10 secs.
This is a driver problem. Packet injection is not working on this driver.
BTW:
Your report reminded me to add rtw_88xx chipsets/drivers (and in general all Realtek devices) to the list of not working (not working as expected) devices.
Please read more here (especially the Realtek section):
morrownr/USB-WiFi#314
from hcxdumptool.
A test on rtw_8821ce driver confirmed that packet injection is not working on this driver.
The R column of the status display remains empty.
$ uname -r
6.5.8-arch1-1
$ hcxdumptool -L
Requesting physical interface capabilities. This may take some time.
Please be patient...
available wlan devices:
phy idx hw-mac virtual-mac m ifname driver (protocol)
---------------------------------------------------------------------------------------------
0 3 70665594bd1f 70665594bd1f + wlp4s0 rtw_8821ce (NETLINK)
* active monitor mode available
+ monitor mode available
- no monitor mode available
bye-bye
There is nothing I can do. We have to wait for a driver fix.
from hcxdumptool.
A frame injection test running aireplay-ng confirmed that the driver is not working as expected:
$ sudo ./aireplay-ng --test wlp4s0
10:51:43 Trying broadcast probe requests...
10:51:45 No Answer...
10:51:45 Found 0 APs
I think we can close this report, because the problem is related to the driver (no frame injection).
from hcxdumptool.
BTW:
hcxdumptool has a similar function to test packet injection:
$ sudo hcxdumptool -F --rcascan=active
Terminate it after a period of a few minutes.
If you got a message like this, frame injection is not working (driver bug):
Warning: no responses received (packet injection may not work)
from hcxdumptool.
I reported this to bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=218040
from hcxdumptool.
Even though this is not the news I was hoping to hear, thank you very much for testing, debugging and getting back to me so quickly!
from hcxdumptool.
Please notice:
Your kernel
$ uname -a
Linux Captain 5.19.0-kali2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.11-1kali2 (2022-10-10) x86_64 GNU/Linux
is outdated and no longer under maintenance:
https://www.kernel.org/
It will not get the fix.
from hcxdumptool.
Thank you for keeping me updated! I'll keep an eye out for the 6.6 kernel release.
from hcxdumptool.
Looks like kernel 6.6 will be a good one regarding rtw88 driver. The compiled custom kernel (6.6-RC7) is running fine.
This tested custom kernel is very close to Arch Linux:
https://wiki.archlinux.org/title/Kernel
I do something between the traditional way
https://wiki.archlinux.org/title/Kernel/Traditional_compilation
and the Arch Build system
https://wiki.archlinux.org/title/Kernel/Arch_Build_System
to configure and build this kernel.
from hcxdumptool.
Heyo, hope you are doing well, I'm back again!
I have since updated to kernel version 6.6.0 but am still getting the 101 errors during runtime error. I then updated to the new 6.6.4 release but am again still getting that error, which causes the dump to stop capturing after a certain time. The injection tests, however, were able to keep running until manually stopped. Let me know if you need any additional info to help debug this.
The injection tests:
$ sudo hcxdumptool -F --rcascan=active
Requesting physical interface capabilities. This may take some time.
Please be patient...
interface information:
phy idx hw-mac virtual-mac m ifname driver (protocol)
---------------------------------------------------------------------------------------------
0 2 7440bb49dc95 96de07abfd6a + wlan0 rtw_8822be (NETLINK)
available frequencies: frequency [channel] tx-power of Regulatory Domain: 00
2412 [ 1] 20.0 dBm 2417 [ 2] 20.0 dBm 2422 [ 3] 20.0 dBm 2427 [ 4] 20.0 dBm
2432 [ 5] 20.0 dBm 2437 [ 6] 20.0 dBm 2442 [ 7] 20.0 dBm 2447 [ 8] 20.0 dBm
2452 [ 9] 20.0 dBm 2457 [ 10] 20.0 dBm 2462 [ 11] 20.0 dBm 2467 [ 12] 20.0 dBm
2472 [ 13] 20.0 dBm 2484 [ 14] 20.0 dBm 5180 [ 36] 20.0 dBm 5200 [ 40] 20.0 dBm
5220 [ 44] 20.0 dBm 5240 [ 48] 20.0 dBm 5260 [ 52] 20.0 dBm 5280 [ 56] 20.0 dBm
5300 [ 60] 20.0 dBm 5320 [ 64] 20.0 dBm 5500 [100] 20.0 dBm 5520 [104] 20.0 dBm
5540 [108] 20.0 dBm 5560 [112] 20.0 dBm 5580 [116] 20.0 dBm 5600 [120] 20.0 dBm
5620 [124] 20.0 dBm 5640 [128] 20.0 dBm 5660 [132] 20.0 dBm 5680 [136] 20.0 dBm
5700 [140] 20.0 dBm 5720 [144] 20.0 dBm 5745 [149] 20.0 dBm 5765 [153] 20.0 dBm
5785 [157] 20.0 dBm 5805 [161] 20.0 dBm 5825 [165] 20.0 dBm
scan frequencies: frequency [channel] of Regulatory Domain: 00
2412 [ 1] 2417 [ 2] 2422 [ 3] 2427 [ 4] 2432 [ 5]
2437 [ 6] 2442 [ 7] 2447 [ 8] 2452 [ 9] 2457 [ 10]
2462 [ 11] 2467 [ 12] 2472 [ 13] 2484 [ 14] 5180 [ 36]
5200 [ 40] 5220 [ 44] 5240 [ 48] 5260 [ 52] 5280 [ 56]
5300 [ 60] 5320 [ 64] 5500 [100] 5520 [104] 5540 [108]
5560 [112] 5580 [116] 5600 [120] 5620 [124] 5640 [128]
5660 [132] 5680 [136] 5700 [140] 5720 [144] 5745 [149]
5765 [153] 5785 [157] 5805 [161] 5825 [165]
This is a highly experimental penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
BPF is unset! Make sure hcxdumptool is running in a 100% controlled environment!
Initialize main scan loop...
CHA FREQ BEACON RESPONSE S MAC-AP ESSID SCAN-FREQUENCY: 2432
--------------------------------------------------------------------------
1 2412 14:01:29 + a8...52 {SSID} [0]
1 2412 14:01:28 + 4e...1b {SSID} [0]
1 2412 14:01:28 + 72...1e [0]
1 2412 14:01:28 + bc...37 {SSID} [0]
1 2412 14:01:28 + 7e...ea {SSID} [0]
1 2412 14:01:28 + 8d...d9 [0]
1 2412 14:01:28 + 9e...d2 {SSID} [0]
161 5805 14:01:27 + ae...16 {SSID} [0]
157 5785 14:01:27 + ad...e8 [0]
157 5785 14:01:27 bb...e8 [0]
157 5785 14:01:27 + fb...8e {SSID} [0]
149 5745 14:01:26 + 8e...f6 [0]
6 2437 14:01:15 e8...b1 [0]
6 2437 14:01:15 + 5e...9f {SSID} [0]
6 2437 14:01:14 + 40...43 {SSID} [0]
^C
10 ERROR(s) during runtime
10542 Packet(s) captured by kernel
835 Packet(s) dropped by kernel
Warning: no PROBERESPONSES received (frame injection may not work as expected)
Possible reasons:
no AP in range
frames are filtered out by BPF
driver is broken
driver does not support frame injection
exit on sigterm
---
$ sudo aireplay-ng --test wlan0
14:02:13 Trying broadcast probe requests...
14:02:15 No Answer...
14:02:15 Found 4 APs
14:02:15 Trying directed probe requests...
14:02:15 D6...85 - channel: 6 - {SSID}
14:02:21 0/30: 0%
14:02:21 5E...9D - channel: 6 - ''
14:02:22 Ping (min/avg/max): 1.039ms/38.736ms/170.404ms Power: -77.72
14:02:22 29/30: 96%
14:02:22 Injection is working!
14:02:22 5E...9F - channel: 6 - {SSID}
14:02:26 Ping (min/avg/max): 1.019ms/17.460ms/70.213ms Power: -78.00
14:02:26 18/30: 60%
14:02:26 9C...42 - channel: 6 - {SSID}
14:02:33 0/30: 0%
Dump error:
$ sudo hcxdumptool -i wlan0 -w dumpfile.pcapng
CHA LAST R 1 3 P S MAC-AP ESSID (last seen on top) SCAN-FREQUENCY: 2412
-----------------------------------------------------------------------------------------
1 13:57:12 + 18...d3 {SSID}
1 13:57:12 + ae...97
1 13:57:12 88...bb
1 13:57:12 + 88...47
1 13:57:12 + 88...46 {SSID}
1 13:57:12 + 90...23
1 13:57:12 b6...d2
1 13:57:12 + ac...d2 {SSID}
1 13:57:12 + 42...51
1 13:57:12 + a6...d2
1 13:57:12 + 9c...f2 {SSID}
1 13:57:12 + 70...4d
1 13:57:12 + bc...97 {SSID}
1 13:57:12 + a8...15 {SSID}
1 13:57:12 + 70...4a {SSID}
1 13:57:12 + 82...51
1 13:57:12 70...54
1 13:57:12 + 70...4b
1 13:57:12 + 88...49
1 13:57:12 + 18...d3 {SSID}
LAST E 2 MAC-AP-ROGUE MAC-CLIENT ESSID (last seen on top)
-----------------------------------------------------------------------------------------
103 ERROR(s) during runtime
1585 Packet(s) captured by kernel
837 Packet(s) dropped by kernel
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
55 EPB written to pcapng dumpfile
exit on error
New info:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2023.4
Codename: kali-rolling
$ uname -a
Linux Captain 6.6.4 #2 SMP PREEMPT_DYNAMIC x86_64 GNU/Linux
$ hcxdumptool --version
hcxdumptool 6.3.2-73-gc32827d (C) 2023 ZeroBeat
running on Linux kernel 6.6.4
running GNU libc version 2.37
compiled by gcc 13.2.0
compiled with Linux API headers 6.5.6
compiled with GNU libc headers 2.37
enabled REALTIME DISPLAY
enabled GPS support
disabled BPF compiler
$ hcxpcapngtool --version
hcxpcapngtool 6.3.2-15-g80c151f (C) 2023 ZeroBeat
from hcxdumptool.
That is not a problem of hcxdumptool. It looks like the PCIe device has been deactivated by ASPM.
Please try this.
Add "rtw88_pci.disable_aspm=y" to the kernel command line on boot.
It will disable the Active-State Power Management of this device and hcxdumptool doesn't throw ERRORs any longer:
This is the status of my rtw_8821ce after ASPM has been disabled running kernel:
$ uname -r
6.6.4-arch1-1
$ sudo hcxdumptool --rcascan=active
0 ERROR(s) during runtime
145 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
42 PROBERESPONSE(s) captured
exit on sigterm
from hcxdumptool.
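One way to confirm that the `rtw88_pci.disable_aspm=y` setting suggested above actually took effect after a reboot (an added example, not part of the original thread or of hcxdumptool). The function names are hypothetical; the sysfs path is the standard location for module parameters and is assumed to be readable once the module is loaded.

```shell
#!/bin/sh
# Added example: check whether rtw88_pci.disable_aspm is set on the kernel
# command line and whether the loaded module reports the same value.

# aspm_cmdline_state CMDLINE
# Prints "disabled" (ASPM turned off by the parameter), "enabled" (parameter
# explicitly false), "invalid" (unparsable value) or "unset".
# The last occurrence on the command line wins.
aspm_cmdline_state() {
    state=unset
    set -f                                   # no glob expansion while splitting
    for tok in $1; do
        # The kernel treats '-' and '_' in parameter names as equivalent.
        name=$(printf '%s' "${tok%%=*}" | sed 's/-/_/g')
        [ "$name" = "rtw88_pci.disable_aspm" ] || continue
        case "$tok" in
            *=*) val=${tok#*=} ;;
            *)   val=1 ;;                    # a bare bool parameter means true
        esac
        case "$val" in
            [yYtT1]*|[oO][nN]*) state=disabled ;;
            [nNfF0]*|[oO][fF]*) state=enabled ;;
            *)                  state=invalid ;;
        esac
    done
    set +f
    printf '%s\n' "$state"
}

# aspm_live_state [SYSFS_FILE]
# Reads the value the loaded module is using (sysfs shows bools as Y or N).
aspm_live_state() {
    f=${1:-/sys/module/rtw88_pci/parameters/disable_aspm}
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            Y*) echo disabled ;;
            *)  echo enabled ;;
        esac
    else
        echo not-loaded                      # module absent or built differently
    fi
}

# Report for the running system.
if [ -r /proc/cmdline ]; then
    echo "cmdline: $(aspm_cmdline_state "$(cat /proc/cmdline)")"
    echo "module:  $(aspm_live_state)"
fi
```

If the command line reports `disabled` but the module reports `enabled`, the parameter was overridden after boot or the boot loader configuration was not regenerated.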
BTW:
You shouldn't trust a test of short time duration.
This test may be successful, but it doesn't detect if the device goes to sleep later on.
hcxdumptool detects this and it throws ERRORs.
Some words about KALI.
It is mandatory to configure/customize KALI. By default configuration it may not do what you expect.
If you decide to use a PCIe device as attack device it is mandatory to prevent it from going to sleep. It looks like KALI doesn't do that.
from hcxdumptool.
Please notice that there are still some open bugs:
https://bugzilla.kernel.org/show_bug.cgi?id=213195
https://bugzilla.kernel.org/show_bug.cgi?id=216386
Also please notice that it is in general not a good idea to use internal PCIe devices:
https://www.phoronix.com/news/AMD-WBRF-For-Linux-6.8
from hcxdumptool.
kali-linux-2023.4 and wifislax64-3.4-final
Use rt5572 rtl8812AU can capture to PMKID
CHA LAST R 1 3 P S MAC-AP ESSID (last seen on top) SCAN-FREQUENCY: 5745
-----------------------------------------------------------------------------------------
149 17:36:30 + + + + c43fffffffff CMCC-vKDZ
Test using 8812bu (Chipset: rtw_8822be) cannot capture to PMKID
But can capture handshake
run command . . .
sudo hcxdumptool -c 149b --bpf=attack.bpf
CHA LAST R 1 3 P S MAC-AP ESSID (last seen on top) SCAN-FREQUENCY: 5745
-----------------------------------------------------------------------------------------
149 17:36:34 + c43fffffffff CMCC-vKDZ
LAST E 2 MAC-AP-ROGUE MAC-CLIENT ESSID (last seen on top)
-----------------------------------------------------------------------------------------
^C
0 ERROR(s) during runtime
92 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
1 EPB written to pcapng dumpfile
exit on sigterm
seems no error
from hcxdumptool.
8812bu is an out of tree kernel driver - it is not part of the Linux stock kernel:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/net/wireless/realtek?h=v6.7.5
There are several different drivers out in the wild. Some of them may support packet injection and some not:
https://github.com/morrownr/88x2bu-20210702
https://github.com/fastoe/RTL8812BU
An overview is here:
morrownr/USB-WiFi#314
from hcxdumptool.