hcxdumptool
This tool is awesome for wifi shenanigans.
INFO
For now I'm just dumping notes I gathered from a recent engagement where I needed to use this tool to capture/extract/crack PMKIDs.
Install
git clone https://github.com/ZerBea/hcxdumptool.git ~/hcxdumptool
cd ~/hcxdumptool
sudo apt install build-essential git libpcap-dev -y
make -j $(noproc)Enumerate nearby wifi
sudo hcxdumptool -i wlan0mon -F --rcascan=activeAttack just specific channels
sudo hcxdumptool -i wlan0mon -F --rds=1 -c40b,44b -w dump.pcapngBasic run to start enumerating/attacking all the wifis
Taking these tips from this issue. This Cyberark blog was also very helpful.
sudo hcxdumptool -i INTERFACENAME -w dumpfile.pcapng --rds=1 -FTIP
Don't put in monitor mode first!
Build a filter list
Check out this issue for a good example. Also check out this discussion.
Capture away!
Capture with BPF
hcxdumptool -i NAME-OF-PHYSICAL-WIFI-INTERFACE --bpf=attack.bpf -w output.pcapng --rds=1 -FCapture with BPF and specific channels
hcxdumptool -i NAME-OF-PHYSICAL-WIFI-INTERFACE --bpf=attack.bpf -w output.pcapng --rds=1 -F -c 55,23As the scan runs you'll see a table with heading:
R 1 3 P S- R - AP in range or under attack
- 1 - got EAPOL M1 challenge
- 3 - got EAPOL M1M2M3 or EAPOL (hashcat/JTR can work with this)
- P - got PMKID (hashcat/JTR can work with this)
- S - authentication key management PSK
TIP
Better explanation from this thread
real time display:
R = + AP display: AP is in TX range or under attack
S = + AP display: AUTHENTICATION KEY MANAGEMENT PSK
P = + AP display: got PMKID
1 = + AP display: got EAPOL M1 (CHALLENGE)
3 = + AP display: got EAPOL M1M2M3 (AUTHORIZATION)
E = + CLIENT display: got EAP-START MESSAGE
2 = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE)WPA3 is attacked differently! Check the hcxlabtool page for more information.