15.03.2025
==========
hcxdumptool: added new option --rdt to disable TIOCGWINSZ
--rdt : disable TIOCGWINSZ for real time displays
03.03.2025
==========
hcxnmealog: removed WPS information - all tested APs use WPS 2.0!
03.03.2025
==========
hcxnmealog: changed option -c to -t because output is tabulator separated an not comma separated
02.03.2025
==========
replaced hcxdumptool by hcxlabtool
major changes:
removed split screen ACCESS POINT <-> CLIENT
improved attack modes
added RSSI to rcascan
moved entire GPS handling from hcxdumptool to new hcxnmealog (still work on progress)
hcxdumptool:
most common options:
--------------------
-i <INTERFACE> : name of INTERFACE to be used
default: first suitable INTERFACE
warning:
hcxlabtool changes the mode of the INTERFACE
hcxlabtool changes the virtual MAC address of the INTERFACE
hcxlabtool changes the channel of the INTERFACE
-w <outfile> : write packets to a pcapng-format file named <outfile>
default outfile name: yyyyddmmhhmmss-interfacename.pcapng
existing file will not be overwritten
get more information: https://pcapng.com/
-c <digit> : set channel (1a,2a,36b,...)
default: 1a,6a,11a
important notice: channel numbers are not unique
it is mandatory to add band information to the channel number (e.g. 12a)
band a: NL80211_BAND_2GHZ
band b: NL80211_BAND_5GHZ
band c: NL80211_BAND_6GHZ
band d: NL80211_BAND_60GHZ
band e: NL80211_BAND_S1GHZ (902 MHz)
to disable frequency management, set this option to a single frequency/channel
-f <digit> : set frequency (2412,2417,5180,...)
-F : use all available frequencies from INTERFACE
-t <second> : minimum stay time (will increase on new stations and/or authentications)
default 7 seconds
-A : ACK incoming frames
INTERFACE must support active monitor mode
-L : show PHYSICAL INTERFACE list and terminate
-l : show PHYSICAL INTERFACE list (tabulator separated and greppable) and terminate
-I <INTERFACE> : show detailed information about INTERFACE and terminate
--bpfc=<filter> : compile Berkeley Packet Filter (BPF) and exit
$ hcxlabtool --bpfc="wlan addr3 112233445566" > filter.bpf
see man pcap-filter
--bpfd=<mode> : set output mode for compiled Berkeley Packet Filter (BPF)
default = 0
0 = compile BPF code as decimal numbers (readable by --bpf)
1 = compile BPF code as decimal numbers preceded with a count (readable by --bpf)
2 = compile BPF code as a C program fragment (readable by --bpf)
3 = compile BPF code as a ASM program (tcpdump style)
4 = compile BPF code as as decimal numbers (bpf_debug style)
see man pcap-filter
--bpf=<file> : input Berkeley Packet Filter (BPF) code (maximum 4096 instructions) in tcpdump decimal numbers format
see --help for more information
--ftc : enable fake time clock
--rds=<digit> : enable real time display
attack mode:
0 = off(default)
1 = show APs on current channel, show CLIENTs (M1M2ROGUE)
2 = show all APs (M1M2, M1M2M3 or PMKID), show CLIENTs (M1M2ROGUE)
3 = show all APs, show CLIENTs (M1M2ROGUE)
columns:
E = encryption (e)ncrypted / (o)pen
A = AKM (p)re-shared key
1 = received M1
2 = received M1M2
3 = received M1M2M3
P = received PMKID
rcascan mode
0 = show APs on current channel sorted by BEACON timestamp
1 = show APs on current channel sorted by RESPONSE timestamp
2 = show APs on current channel sorted by RSSI
--rcascan=<mode> : radio channel assement scan
(a)ctive = activ scan (transmit undirected PROBEREQUEST frames)
no PROBERESPONSE, AP is out of RANGE, packet injection is broken
(p)assive = passive scan (listen only)
-h : show this help
-v : show version
less common options:
--------------------
-m <INTERFACE> : set monitor mode and terminate
--m2max=<digit> : set maximum of received M1M2ROGUE
default: 4 M1M2ROGUE
to reject CLIENTs set 0
--associationmax=<digit> : set maximum of attempts to associate with an AP
default: 100 attempts
to disable association with an AP set 0
--disable_disassociation : do not transmit DISASSOCIATION frames
--proberesponsetx=<digit> : transmit n PROBERESPONSEs from the ESSID ring buffer
default: 1023
--essidlist=<file> : initialize ESSID list with these ESSIDs
--errormax=<digit> : set maximum allowed ERRORs
default: 100 ERRORs
--watchdogmax=<seconds> : set maximum TIMEOUT when no packets received
default: 600 seconds
--tot=<digit> : enable timeout timer in minutes
--exitoneapol=<type> : exit on first EAPOL occurrence:
bitmask:
1 = PMKID (from AP)
2 = EAPOL M2M3 (authorized)
4 = EAPOL M1M2 (not authorized)
8 = EAPOL M1M2ROGUE (not authorized)
16 = EAPOL M1
target BPF filter is recommended
--onsigterm=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--ongpiobutton=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--ontot=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--onwatchdog=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--onerror=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--gpio_button=<digit> : Raspberry Pi GPIO pin number of button (2...27)
push GPIO button (> 10 seconds) to terminate program
default: 0 (GPIO not in use)
--gpio_statusled=<digit> : Raspberry Pi GPIO number of status LED (2...27)
default: 0 (GPIO not in use)
--help : show additional help (example and trouble shooting)
--version : show version
added new passive GPS logger hcxnmealog. It can run in parallel with hcxdumptool, tshark or Wireshark
data is logged to NMEA 0183 format (BSSID only - can be prosssed by gpsbabel) and CSV (tabulator separeted)
hcxnmealog:
-n <file> : output nmea 0183 track to file
track append to file: filename
use gpsbabel to convert to other formats:
gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file.gpx
gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml
time = UTC (in accordance with the NMEA 0183 standard)
-t <file> : output separated by tabulator (tsv)
clolumns:
LINUX EPOCH (seconds that have passed since the date January 1st, 1970)
use date -d @epoch_value to convert to human readable time
BSSID (MAC ACCESS POINT)
ESSID (network name)
COUNTRY CODE (ISO / IEC 3166 alpha2 country code)
ENCRYPTION (encrypted / open)
RSN INFORMATION ELEMENT (WPA2/WPA3)
bitmask (--help for more information)
WPA INFORMATION ELEMENT (WPA1)
bitmask (--help for more information)
FREQUENCY (interface frequency in MHz)
CHANNEL
RSSI (signal strength in dBm)
lATITUDE (decimal degrees)
LONGITUDE (decimal degrees)
ALTITUDE (decimal degrees)
SPEED (knots)
PDOP (position -3D- dilution of precision)
HDOP (horizontal dilution of precision)
VDOP (vertical dilution of precision)
VDOP (vertical dilution of precision)
-d <device> : GPS source
use gpsd: gpsd
use device: /dev/ttyACM0, /dev/tty/USBx, ...
get more information: https://en.wikipedia.org/wiki/NMEA_0183
depending on the device it can take a while to get a fix
-b <digit> : baudrate of GPS device
default: 9600
-i <INTERFACE> : name of INTERFACE to be used
-h : show this help
-v : show version
--bpf=<file> : input Berkeley Packet Filter (BPF) code (maximum 4096 instructions) in tcpdump decimal numbers format
see --help for more information
--help : show additional help
--version : show version
Additional information:
0x00000000 suite not in use
Cipher Suites (bitmask)
0x00000001 WEP
0x00000002 TKIP
0x00000004 RESERVED
0x00000008 CCMP-128
0x00000010 WEP-104
0x00000020 BIP-CMAC-128
0x00000040 Group Address Traffic Not Allowed
0x00000080 GCMP-128
0x00000100 GCMP-256
0x00000200 CCMP-256
0x00000400 BIP-GMAC-128
0x00000800 BIP-GMAC-256
0x00001000 BIP-CMAC-256
0x00008000 unknown
Authentication Management Suites (bitmask)
0x00010000 802.1X
0x00020000 PSK
0x00040000 FT + 802.1X
0x00080000 FT + PSK
0x00100000 802.1X SHA-256
0x00200000 PSK SHA-256
0x00400000 TDLS
0x00800000 SAE SHA-256
0x01000000 FT + SAE SHA-256
0x02000000 AP Peer Key Authentication
0x04000000 802.1X Suite B EAP SH-256
0x08000000 802.1X Suite B EAP SH-384
0x10000000 FT + 802.1X SHA-384
0x80000000 unknown
11.11.2024
==========
release v6.3.5
better compatibility with OpenWRT
several fixes
04.03.2024
==========
README.md: removed entire instructions how to compile hcxdumptool on different distributions
check the distribution's page how to update the ditribution, how to install missing dependencies and missing header files
25.02.2024
==========
release v6.3.4
release v6.3.3
internal BPFC compiler enabled by default
new dependency libpcap
04.02.2024
==========
hcxdumptool: changed bit mask order of exitoneapol
--exitoneapol=<type> : exit on first EAPOL occurrence:
bitmask:
1 = PMKID (from AP)
2 = EAPOL M2M3 (authorized)
4 = EAPOL M1M2/M1M2ROGUE (not authorized)
8 = EAPOL M1
06.01.2024
==========
hcxdumptool: changed option --beacon_off to --disable_beacon
04.12.2023
==========
hcxdumptool: allow to set monitor mode (-m) in combination with channel (-c) or frequency (-f)
28.12.2023
==========
hcxdumptool: do not spam channel with retries
changed SNAPLEN
22.12.2023
==========
hcxdumptool: added BE support
removed option beacontx
--beaconoff : disable internal BEACON (one BEACON/second to wildcard SSID)
08.12.2023
==========
Some drivers report incorrectly active monitor mode capability.
hcxdumptool: do not set active monitor mode by default if driver report that it is possible
removed option -p
added new option -A in case active monitor mode is working as expected
-A : ACK incoming frames
INTERFACE must support active monitor mode
28.11.2023
==========
hcxdumptool: added full featured BPF compiler
due to additional dependency (libpcap and libpcap-dev) this feature must be enabled in Makefile
added PROBEREQUEST counter to rcascan mode
added option to sort rcascan display by PROBEREQUEST counter
27.11.2023
==========
hcxdumptool: accept Berklev Packet filter code in tcpdump raw format and in tcpdump c style format
-bpf=<file> : input Berkeley Packet Filter (BPF) code (maximum 4096 instructions)
in tcpdump raw format:
example: tcpdump high level compiler:
$ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 11:22:33:44:55:66 -ddd > filter.bpf
see man pcap-filter
eample: bpf_asm low level compiler
$ bpf_asm filter.asm | tr ',' '\n' > filter.bpf
see https://www.kernel.org/doc/html/latest/networking/filter.html
example: bpfc low level compiler:
$ bpfc -f tcpdump -i filter.asm > filter.bpf
see man bpfc
in tcpdump c style format:
example: tcpdump high level compiler:
$ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 11:22:33:44:55:66 -dd > filter.bpf
see man pcap-filter
example: bpfc low level compiler:
$ bpfc -f C -i filter.asm > filter.bpf
see man bpfc
01.11.2023
==========
release v6.3.2
23.10.2023
==========
hcxdumptool: removed option "disable_beacon" because it is replaced by option beacontx=0
01.09.2023
==========
hcxdumptool: added new option to get shart and greppable interface list
26.07.2023
==========
hcxdumptool: added compile time information to version information
$ hcxdumptool -v
hcxdumptool 6.3.1-35-g1a0930e (C) 2023 ZeroBeat
compiled by gcc 13.1.1
Linux API headers 6.3.0
compiled with glibc 2.37
Under normal circumstances, the Linux kernel version could be
greater than the "Linux API headers" version, but never less.
24.07.2023
==========
hcxdumptool: added new option to EXIT on EAPOL
--exitoneapol=<type> : exit on first EAPOL occurrence:
bitmask:
1 = PMKID
2 = EAPOL M2
4 = EAPOL M3
target BPF filter is recommended
get more information here:
https://github.com/ZerBea/hcxdumptool/issues/333#issuecomment-1647684235
03.07.2023
==========
added -Wpedantic to compiler flags and fixed all warnings
30.06.2023
==========
release v6.3.1
09.05.2023
==========
hcxdumptool: added option to remove active monitor flag
-p : do not set monitor mode: active (do not ACK incoming frames addressed to the device MAC
default monitor mode: active (ACK all incoming frames addresed to the device MAC)
This is a workaround on mt7601u devices/drivers.
Running active monitor mode, only frames addressed to the MAC of the device
or addressed to BROADCAST MAC are received. This is a driver/firmware problem!
To verify if you are affected:
run hcxdumptool
run Wireshark in parallel and set filter option to "eapol"
if Wireshark only show EAPOL M1 frames it is mandatory to disable active monitor mode
by option "-p"
Problem is reported here:
https://bugzilla.kernel.org/show_bug.cgi?id=217465
06.05.2023
==========
hcxdumptool: added option to save GPS information to pcapng dumpfile
--nmea_pcapng : write GPS information to pcapng dump file
05.05.2023
==========
release v6.3.0
Since kernel 6.3 Kernel developer decided to print a dmesg warning if tools are detected that use deprecated WEXT:
[ 2770.939021] warning: `hcxdumptool' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211
hcxdumptool used ioctl(SIOCGIWNAME) to detect presence of WEXT. That was the last remnant of WEXT code.
To get rid of this dmesg warning, this detection has been removed by latest commit.
03.05.2023
==========
hcxdumptool: changed/added several options:
$ hcxdumptool --help
hcxdumptool 6.2.9-161-gf581815 (C) 2023 ZeroBeat
usage: hcxdumptool <options>
first stop all services that take access to the interface, e.g.:
$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service
then run hcxdumptool
press ctrl+c to terminate
press GPIO button to terminate
hardware modification is necessary, read more:
https://github.com/ZerBea/hcxdumptool/tree/master/docs
stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
do not use virtual machines or emulators
do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
do not use tools to change MAC (like macchanger)
do not merge (pcapng) dump files, because this destroys assigned hash values!
short options:
-i <INTERFACE> : name of INTERFACE to be used
default: first suitable INTERFACE
warning: hcxdumptool changes the virtual MAC address of the INTERFACE
-w <outfile> : write packets to a pcapng-format file named <outfile>
default outfile name: yyyyddmmhhmmss-interfacename.pcapng
get more information: https://pcapng.com/
-c <digit> : set channel (1a,2a,36b...)
default: 1a,6a,11a
important notice: channel numbers are not unique
it is mandatory to add band information to the channel number (e.g. 12a)
band a: NL80211_BAND_2GHZ
band b: NL80211_BAND_5GHZ
band c: NL80211_BAND_6GHZ
band d: NL80211_BAND_60GHZ
band e: NL80211_BAND_S1GHZ (902 MHz)
to disable frequency management, set this option to a single frequency/channel
-f <digit> : set frequency (2412,2417,5180,...)
-F : use available frequencies from INTERFACE
-t <second> : minimum stay time (will increase on new stations and/or authentications)
default 1 seconds
-m <INTERFACE> : set monitor mode and terminate
-L : show INTERFACE list
-I <INTERFACE> : show detailed information about INTERFACE
-h : show this help
-v : show version
long options:
--bpf=<file> : input kernel space Berkeley Packet Filter (BPF) code
steps to create a BPF (it only has to be done once):
$ hcxdumptool -m <interface>
create BPF to protect MACs
$ tcpdump -i <INTERFACE> not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
recommended to protect own devices
create BPF to attack a MAC
$ tcpdump -i <INTERFACE> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
see man pcap-filter for a list of all filter options
add BPF code:
$ hcxdumptool -i <INTERFACE> --bpf=attack.bpf ...
--disable_beacon : do not transmit BEACON frames
--disable_deauthentication : do not transmit DEAUTHENTICATION/DISASSOCIATION frames
--disable_proberequest : do not transmit PROBEREQUEST frames
--disable_association : do not AUTHENTICATE/ASSOCIATE
--disable_reassociation : do not REASSOCIATE a CLIENT
--beacontx=<digit> : transmit BEACON of first n entries of ESSID list
default: 10
--proberesponsetx=<digit> : transmit PROBERESPONSEs of first n entries of ESSID list
default: 10
--essidlist=<file> : initialize ESSID list with these ESSIDs
--errormax=<digit> : set maximum allowed ERRORs
default: 100 ERRORs
--watchdogmax=<seconds> : set maximum TIMEOUT when no packets received
default: 600 seconds
--attemptclientmax=<digit> : set maximum of attempts to request an EAPOL M2
default: 10 attempts
--attemptapmax=<digit> : set maximum of received BEACONs to request a PMKID or to get a 4-way handshake
default: stop after 4 received BEACONs
--tot=<digit> : enable timeout timer in minutes
--onsigterm=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--ongpiobutton=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--ontot=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--onwatchdog=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--onerror=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--gpio_button=<digit> : Raspberry Pi GPIO pin number of button (2...27)
push GPIO button (> 10 seconds) to terminate program
default: 0 (GPIO not in use)
--gpio_statusled=<digit> : Raspberry Pi GPIO number of status LED (2...27)
default: 0 (GPIO not in use)
--nmea_dev=<NMEA device> : open NMEA device (/dev/ttyACM0, /dev/tty/USB0, ...)
baudrate = BD9600
--gpsd : use gpsd to get position
gpsd will be switched to NMEA0183 mode
--nmea_out=<outfile> : write GPS information to a nmea-format file named <outfile>
default outfile name: yyyymmddhhmmss.nmea
output: NMEA 0183 standard messages:
$GPRMC: Position, velocity, time and date
$GPGGA: Position, orthometric height, fix related data, time
$GPWPL: Position and MAC AP
$GPTXT: ESSID in HEX ASCII
use gpsbabel to convert to other formats:
gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file.gpx
gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml
get more information: https://en.wikipedia.org/wiki/NMEA_0183
--rcascan=<character> : do (R)adio (C)hannel (A)ssignment scan
default = passive scan
a = active scan
p = passive scan
--rds=<digit> : sort real time display
default: sort by time (last seen on top)
1 = sort by status (last PMKID/EAPOL on top)
--help : show this help
--version : show version
Legend
real time display:
R = + AP display: AP is in TX range or under attack
S = + AP display: AUTHENTICATION KEY MANAGEMENT PSK
P = + AP display: got PMKID
1 = + AP display: got EAPOL M1 (CHALLENGE)
3 = + AP display: got EAPOL M1M2M3 (AUTHORIZATION)
E = + CLIENT display: got EAP-START MESSAGE
2 = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE)
Notice:
This is a penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
To store entire traffic, run <tshark -i <interface> -w allframes.pcapng> in parallel
19.04.2023
==========
hcxdumptool: changed rcascan
--rcascan=<character> : do (R)adio (C)hannel (A)ssignment scan
default = passive scan
a = active scan
p = passive scan
14.04.2023
==========
hcxdumptool: added new option to sort status display
--rds=<digit> : sort real time display
default: sort by time (last seen on top)
1 = sort by status (last PMKID/EAPOL on top)
07.04.2023
==========
removed obsolete hcxpioff
refactored hcxdumptool: replaced entire hcxdumptool code by hcxlabtool code
$ hcxdumptool --help
hcxdumptool 6.2.9-22-gace924f (C) 2023 ZeroBeat
usage: hcxdumptool <options>
first stop all services that take access to the interface , e.g.:
$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service
than run hcxdumptool
press ctrl+c to terminate
press GPIO button to terminate
hardware modification is necessary, read more:
https://github.com/ZerBea/hcxdumptool/tree/master/docs
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
do not use virtual machines or emulators
do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
do not use tools to change MAC (like macchanger)
stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
short options:
-i <INTERFACE> : name of INTERFACE to be used
default: first suitable INTERFACE
warning: hcxdumptool changes the virtual MAC address of the INTERFACE
-w <outfile> : write packets to a pcapng-format file named <outfile>
default outfile name: yyyyddmmhhmmss-interfacename.pcapng
get more information: https://pcapng.com/
-c <digit> : set channel (1a,2a,36b...)
default: 1a,6a,11a
important notice: channel numbers are not unique
it is mandatory to add band information to the channel number (e.g. 12a)
band a: NL80211_BAND_2GHZ
band b: NL80211_BAND_5GHZ
band c: NL80211_BAND_6GHZ
band d: NL80211_BAND_60GHZ
band e: NL80211_BAND_S1GHZ (902 MHz)
to disable frequency management, set this option to a single frequency/channel
-f <digit> : set frequency (2412,2417,5180,...)
-F : use available frequencies from INTERFACE
-t <second> : minimum stay time (will increase on new stations and/or authentications
default 1 seconds
-m <INTERFACE> : set monitor mode and terminate
-L : show INTERFACE list
-I <INTERFACE> : show detailed information about INTERFACE
-h : show this help
-v : show version
long options:
--bpf=<file> : input kernel space Berkeley Packet Filter (BPF) code
steps to create a BPF (it only has to be done once):
$ hcxdumptool -m <interface>
create BPF to protect MACs
$ tcpdump -i <INTERFACE> not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
recommended to protect own devices
create BPF to attack a MAC
$ tcpdump -i <INTERFACE> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
see man pcap-filter for a list of all filter options
add BPF code:
$ hcxdumptool -i <INTERFACE> --bpf=attack.bpf ...
--disable_beacon : do not transmit BEACON frames
--disable_deauthentication : do not transmit DEAUTHENTICATION/DISASSOCIATION frames
--disable_proberequest : do not transmit PROBEREQUEST frames
--disable_association : do not AUTHENTICATE/ASSOCIATE
--disable_reassociation : do not REASSOCIATE a CLIENT
--beacontx=<digit> : transmit BEACON of first n entries of ESSID list
default: 10
--proberesponsetx=<digit> : transmit PROBERESPONSEs of first n entries of ESSID list
default: 10
--essidlist=<file> : initialize ESSID list with this ESSIDs
--errormax=<digit> : set maximum allowed ERRORs
default: 100 ERRORs
--watchdog=<seconds> : set maximum TIMOUT when no packets received
default: 600 seconds
--attemptclientmax=<digit> : set maximum of attempts to request an EAPOL M2
default: 10 attempts
--attemptapmax=<digit> : set maximum of received BEACONs to request a PMKID or to get a 4-way handshake
default: stop after 4 received BEACONs
--tot=<digit> : enable timeout timer in minutes
--onsigterm=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--ongpiobutton=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--ongtot=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--onwatchdog=<action : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--onerror=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--gpio_button=<digit> : Raspberry Pi GPIO pin number of button (2...27)
push GIPO button (> 10 seconds) to terminate program
default: 0 (GPIO not in use)
--gpio_statusled=<digit> : Raspberry Pi GPIO number of status LED (2...27)
default: 0 (GPIO not in use)
--nmea_dev=<NMEA device> : open NMEA device (/dev/ttyACM0, /dev/tty/USB0, ...)
baudrate = BD9600
--gpsd : use gpsd to get position
gpsd will be switched to NMEA0183 mode
--nmea_out=<outfile> : write GPS information to a nmea-format file named <outfile>
default outfile name: yyyyddmmhhmmss.nmea
output: NMEA 0183 standard messages:
$GPRMC: Position, velocity, time and date
$GPGGA: Position, orthometric height, fix related data, time
$GPWPL: Position and MAC AP
$GPTXT: ESSID in HEX ASCII
use gpsbabel to convert to other formats:
gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file_gpx
gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml
get more information: https://en.wikipedia.org/wiki/NMEA_0183
--rcascan_passive : do passive (R)adio (C)hannel (A)ssignment scan
--help : show this help
--version : show version
Legend
real time display:
R = + AP is in TX range
P = + got PMKID
M = + AP display: got EAPOL M1M2M3 (AUTHORIZATION)
M = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE)
A = + AUTHENTICATION KEY MANAGEMENT PSK
Notice:
This is a penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
To store entire traffic, run <tshark -i <interface> -w allframes.pcapng> in parallel
06.04.2023
==========
release v6.2.9
several bug fixes
This is the last version:
that use WIRELESS EXTENSIONS
that use ETHTOOL to get/set virtual MAC address
that use old style status output
that use soft coded filter lists
that use msec timestamp
that use crypto stuff
that use server/client mode to display status
Next version will go back to the roots:
set focus on WPA PSK (WPA1, WPA2, WPA2 key version 3)
set bandwidth to 20MHz to increase range
set bitrate to lowest values to increase range
use active monitor mode
use NL80211 stack
use RTNETLINK
band a, b, c, d, e support
use NMEA messages:
$GPRMC: Position, velocity, time and date
$GPGGA: Position, orthometric height, fix related data, time
$GPWPL: Position and MAC AP
$GPTXT: ESSID in HEX ASCII
remove options that slow hcxdumptool down
10.03.2023
==========
release v6.2.8
move to OpenSSL 3.0 EVP API (from now on OPenSSL >= 3.0 is mandatory)
new options
several bug fixes
16.01.2023
==========
hcxdumptool: added option to reset an USB device without unplugging it
--reset_usb_device=<sysfs dev path>: reset USB device by BUS ID and device ID (/dev/bus/usb/bus_id/device_id
$ lsusb
Bus 005 Device 006: ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi
sysfs dev path = /dev/bus/usb/005/006
12.11.2022
==========
start moving to OpenSSL 3.0 EVP API
this is a huge step forward an will break backward compatibility
https://wiki.openssl.org/index.php/OpenSSL_3.0
07.08.2022
==========
release v6.2.7
several bug fixes
still using OpenSSL 1.1
02.06.2022
==========
hcxdumptool: added warning if a not recommended driver has been detected
31.05.2022
==========
hcxpcapngtool: added new option according to https://github.com/ZerBea/hcxdumptool/issues/220
--passive : channel management is completely disabled - initial channel must be set by a third party tool
hcxdumptool is acting like a passive dumper (silent mode)
expect possible heavy packet loss
22.04.2022
==========
release v6.2.6
several bug fixes
license update
still supporting OpenSSL 1.1
01.12.2021
==========
release v6.2.5
still supporting OpenSSL 1.1
08.11.2021
==========
hcxdumptool: replaced channel scan engine by frequency scan engine
this is high experimental
tested devices:
USB:
Bus 005 Device 060: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
Bus 005 Device 062: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter
Bus 005 Device 064: ID 148f:5572 Ralink Technology, Corp. RT5572 Wireless Adapter
Bus 005 Device 065: ID 0e8d:7612 MediaTek Inc. MT7612U 802.11a/b/g/n/ac Wireless Adapter
Bus 005 Device 066: ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n
Bus 005 Device 068: ID 0bda:8178 Realtek Semiconductor Corp. RTL8192CU 802.11n WLAN Adapter
Bus 005 Device 071: ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi
Bus 005 Device 073: ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
Bus 005 Device 075: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
Bus 005 Device 078: ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U]
Bus 005 Device 082: ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
PCI:
04:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe Wireless Network Adapter
That is neccessary because, since WiFi 6, channel numbers are no longer unique:
https://en.wikipedia.org/wiki/List_of_WLAN_channels
24.10.2021
==========
hcxdumptool: added new option to ignore ioctl() warnings
--force_interface : ignore all ioctl() warnings
do not report issues, if attacks or channel switch is not working as expected
23.10.2021
==========
added generic hcxdumptool.1 man page
22.10.2021
==========
moved install dir from usr/local/bin to /usr/bin
14.09.2021
==========
release v6.2.4
This is the last version, supporting OpenSSL 1.1
Next version 6.3.0 will need OpenSSL 3.0.0
01.09.2021
==========
hcxdumptool: added new option to the next EAP request entry contained in the sequence passed to
--eapreq with a type matching the Desired Auth Type requested in a client's Legacy NAK response
--eapreq_follownak : jump to Auth Type requested by client in Legacy Nak response, if type available in remaining request sequence
29.08.2021
==========
hcxdumptool: GPIO flash intervall not longer hardcoded
--gpio_statusled_intervall=<digit> : Raspberry Pi GPIO LED flash intervall
default = flash every 5 seconds
15.08.2021
==========
hcxdumptool: allow MAC instead of filter list
--filterlist_ap=<file or MAC> : ACCESS POINT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_client=<file or MAC> : CLIENT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
17.05.2021
==========
release v 6.1.6
get ready for gcc 11.1.0
18.03.2021
==========
hcxdumptool: added VENDOR filter
--filterlist_ap_vendor=<file> : ACCESS POINT MAC filter list by VENDOR
format: 112233, 11:22:33, 11-22-33 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_client_VENDOR=<file> : CLIENT MAC filter list
format: 112233, 11:22:33, 11-22-33 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
09.03.2021
==========
release v 6.1.6
get ready for OpenSSL 3.0
05.03.2021
==========
hcxdumptool: removed preamble option, because it is ignored by most wlan adapters
04.03.2021
==========
hcxdumptool: added new option to use short preamble
--short_preamble : use short preamble
default: use long preamble
that may not work on older devices!
23.02.2021
==========
hcxdumptool: allow output to stdout
-o <dump file> : output file in pcapng format, filename '-' outputs to stdout
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
14.02.2021
==========
sll_pkttype = PACKET_OUTGOING is completey ingnored in promiscuous mode
At least I found a way to detect outgoing packets.
Luckily IEEE80211_RADIOTAP_TX_FLAGS is set on outgoing packets. If we check this, we are able to ignore them.
That save us CPU time.
13.02.2021
==========
hcxdumptool: added WATCHDOG - we need that to determine if USB device died
Raspberry Pi LED will flash twice if now packet received turing the last past 600 seconds
print AGE of last received packet in status
09.02.2021
==========
started to prepare to use openssl 3.0
Many structures have been made opaque in OpenSSL 3.0 since OpenSSL 1.0.2
https://wiki.openssl.org/index.php/OpenSSL_3.0
it is recommended to upgrade to at least to OpenSSL 1.1
06.02.2021
==========
hcxdumptool: fixed handling of BE (according to hcxpcapngtool fixes)
18.01.2021
==========
hcxdumptool: added auto channel/auto band.
therefore default channel list and predefined channel lists changed!
-c <digit> : set channel (1,2,3, ...)
default: auto channel/auto band
maximum entries: 255
standard 802.11 channels (depends on device, driver and world regulatory domain):
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
36, 38, 40, 44, 48, 52, 56, 60, 64
100, 104, 108, 112, 116, 120, 124, 128
132, 136, 140, 144, 149, 153, 157, 161, 165
201, 205, 209, 213, 217, 221, 225, 229, 233
-s <digit> : set predefined scanlist
0 = auto channel/auto band (default)
1 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (optimized 2.4GHz)
2 = 1,2,3,4,5,6,7,8,9,10,11,12,13 (standard 2.4 GHz)
3 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 (standard 5GHz)
4 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 (standard 2.4GHz/5GHz)
5 = 201,205,209,213,217,221,225,229,233 (standard 6GHz)
16.01.2021
==========
hcxdumptool: added new option - rcascan ranking is no longer hard coded
--rcascan_order=digit> : rcascan sorting order:
0 = sort by HIT (PROBERESPONSE) (default)
1 = sort by COUNT (BEACON)
2 = sort by CHANNEL
14.01.2021
==========
release v 6.1.5
03.01.2021
==========
hcxdummptool: added new option to limit status of rcascan to n lines
--rcascan_max=digit> : show only n highest ranking lines
default: 256 lines
21.12.2020
==========
removed TP-LINK TL-WN722N v1 (ath9k driver) from list of working devices due to driver issue
hcxdumptool: moved from select() to pselect()
20.12.2020
==========
hcxdumptool: added tot (transmission timeout timer)
hcxdumptool will no longer freeze if driver died
this is a workaround on ath9k driver issue:
https://github.com/ZerBea/hcxdumptool/issues/80#issuecomment-748622644
not caused by hcxdumptool:
https://bugs.archlinux.org/task/68578
19.12.2020
==========
hcxdumptool: added support for 6GHz channels 201,205,209,213,217,221,225,229,233 on option -c and option -s
-s <digit> : set predefined scanlist
0 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (default)
1 = 1,2,3,4,5,6,7,8,9,10,11,12,13
2 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
3 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
4 = 201,205,209,213,217,221,225,229,233
10.12.2020
==========
Makefile: make use of pkg-config
02.12.2020
==========
release v 6.1.4
27.11.2020
==========
hcxdumptool: show openSSL version in status
24.10.2020
==========
hcxdumptool: Default channels are not longer hard coded.
Now hcxdumptool test if channel is available. That allow handling of channels
from a patched driver.
Some 2 GHz ath9k radios are actually tunable on 2312-2732 on 5 MHz steps
CHAN2G(2407, 14)
CHAN2G(2402, 15)
CHAN2G(2397, 16)
CHAN2G(2392, 17)
CHAN2G(2387, 18)
CHAN2G(2382, 19)
CHAN2G(2377, 20)
CHAN2G(2372, 21)
CHAN2G(2367, 22)
CHAN2G(2362, 23)
CHAN2G(2357, 24)
CHAN2G(2352, 25)
CHAN2G(2347, 26)
CHAN2G(2342, 27)
CHAN2G(2337, 28)
CHAN2G(2332, 29)
CHAN2G(2327, 30)
CHAN2G(2322, 31)
CHAN2G(2317, 32)
CHAN2G(2312, 33)
09.10.2020
==========
release v 6.1.3
fixed broken GPS handling
added better GPS error handling
03.10.2020
==========
hcxdumptool: added new option
--example : show some example command lines
30.09.2020
==========
hcxdumptool: added new options
--eapreq=<type><data>[:<term>],... : send max. 20 subsequent EAP requests after initial EAP ID request, hex string starting with EAP Type
response is terminated with:
:F = EAP Failure
:S = EAP Success
:I = EAP ERP Initiate
:F = EAP ERP Finish
:D = Deauthentication
:T = TLS shutdown
:- = no packet
default behavior is terminating all responses with a EAP Failure, after last one the client is deauthenticated
--eaptlstun : activate TLS tunnel negotiation and Phase 2 EAP requests when requesting PEAP using --eapreq
requires --eap_server_cert and --eap_server_key
--eap_server_cert=<server.pem> : EAP TLS tunnel Server cert PEM file
--eap_server_key=<server.key> : EAP TLS tunnel Server private key file
17.09.2020
==========
release v 6.1.2
15.09.2020
==========
hcxdumptool: added new option
--stop_client_m2_attacks=<digit> : stop attacks against CLIENTS after 10 M2 frames received
affected: ap-less (EAPOL 2/4 - M2) attack
require hcxpcangtool --all option
24.08.2020
==========
hcxdumptool: added new option
--eapreq=<type><data>[:<term>],... : send max. 20 subsequent EAP requests after initial EAP ID request, hex string starting with EAP Type
response is terminated with :F = EAP Failure, :S = EAP Success, :I = EAP ERP Initiate, :F = EAP ERP Finish,
:D = Deauthentication, :- = no packet
default behavior is terminating all responses with a Failure packet, after last one the client is deauthenticated
14.08.2020
==========
hcxdumptool: added new option --wpaent to announce WPA ENTERPRISE
06.08.2020
==========
release v 6.1.1
fixed handling of long opts
30.07.2020
==========
hcxdumptool: added new option --ip to allow to set IP for server / client mode
29.07.2020
==========
hcxdumptool: add new radiotap flag: IEEE80211_RADIOTAP_F_TX_NOSEQNO
https://patchwork.kernel.org/patch/11680527/
29.07.2020
==========
release v 6.1.0
19.07.2020
==========
hcxdumptool: new option
--beaconparams=<TLVs> : update or add Information Elements in all transmitted beacons
maximum 50 IEs as TLV hex string, tag id 0 (ESSID) will be ignored, tag id 3 (channel) overwritten
multiple IEs with same tag id are added, default IE is overwritten by the first
06.07.2020
==========
hcxdumptool: allow to set channel (-c) on --check_injection
fixed display channel if tags.channel is empty
added new option -s to set predefined scanlists
-s <digit> : set predefined scanlist
0 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (default)
1 = 1,2,3,4,5,6,7,8,9,10,11,12,13
2 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
3 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
15.06.2020
==========
release v 6.0.7
10.06.2020
==========
hcxdumptool: changed behavior of --essidlist and --active_beacon
according to https://github.com/ZerBea/hcxdumptool/issues/115
--essidlist - transmit beacons from this list only
--active_beacon - transmit beacons from collected ESSIDs and from essidlist
21.05.2020
==========
release v 6.0.6
18.05.2020
==========
hcxdumptool: added new option --do_targetscan
--do_targetscan=<MAC_AP> : same as do_rcascan - hide all networks, except target
17.05.2020
==========
hcxdumptool: fixed issue that caused hcxdumptool to respond on probereuest even if --silent is selcted
allow MAC format 11:22:33:44:55:66 and 11-22-33-44-55-66 in filterlists
01.05.2020
==========
hcxdumptool: added option mask to save vendor defined action frames
-f <frames> : frames to save
bitmask:
0: clear default values
1: MANAGEMENT frames (default)
2: EAP and EAPOL frames (default)
4: IPV4 frames
8: IPV6 frames
16: WEP encrypted frames
32: WPA encrypted frames
64: vendor defined frames (AWDL)
05.04.2020
==========
release v 6.0.5
Security fix: We do not want to disturb uninvolved users!
Increase error count and terminate hcxdumptool if channel was changed by a third party tool.
After transmitting a request, hcxdumptool expect an answer on the same channel.
If the channel was changed by a third party tool, hcxdumptool will never get this answer and transmit again, again and again. This will jam all channels, set by the third party tool.
https://forum.hashkiller.io/index.php?threads/ap-less-attack-with-hcxtools.21036/page-4#post-237403
04.04.2020
==========
release v 6.0.4
27.03.2020
==========
hcxdumptool: ERROR_MAX not longer hard coded
--error_max=<digit> : terminate hcxdumptool if error maximum reached
default: 100 errors
26.03.2020
==========
Some drivers / firmwares provide only limited monitor functions instead of full packet injection capabilities.
hcxdumptool: added packet injection test
--check_injection : run packet injection test to determine that driver support full packet injection\n"
18.03.2020
==========
release v 6.0.3
removed debug message "OS not supported" from Makefile
14.03.2020
==========
release v 6.0.2
complete rewrite from scratch
the Raspberry Pi is a little bit too slow, so we have to reduce status output. Most CLIENTs running randomized MACs. They are no longer displayed.
improved IE tag walk similar to hcxpcapngtool
improved attack vector
added new options to improve attack vector against hardened targets
added more information to help menu
added option to import Berkeley packet Filter code fom tcpdump as alternative to apfilterlist and clientfilterlist
make less noise on the the channel (receive more, transmit less)
WLAN REASON CODE (deauthentication) no longer hardcoded
moved to git versioning on non releases
$ hcxdumptool -h
hcxdumptool 6.0.2 (C) 2020 ZeroBeat
usage : hcxdumptool <options>
press the switch to terminate hcxdumptool
hardware modification is necessary, read more:
https://github.com/ZerBea/hcxdumptool/tree/master/docs
example: hcxdumptool -o output.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status=3
do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon)
do not use hcxdumptool in combination with other 3rd party tools, which take access to the interface
short options:
-i <interface> : interface (monitor mode will be enabled by hcxdumptool)
can also be done manually:
ip link set <interface> down
iw dev <interface> set type monitor
ip link set <interface> up
WARNING: iw use NETLINK (libnl) and hcxdumptool will not work on pure NETLINK interfaces
-o <dump file> : output file in pcapng format
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-f <frames> : frames to save
bitmask:
0: clear default values
1: MANAGEMENT frames (default)
2: EAP and EAPOL frames (default)
4: IPV4 frames
8: IPV6 frames
16: WEP encrypted frames
32: WPA encrypted frames
to clear default values use -f 0 first, followed by desired frame type (e.g. -f 0 -f 4)
-c <digit> : set scan list (1,2,3, ...)
default scan list: 1...13
maximum entries: 127
allowed channels (depends on the device):
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 68, 96
100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128
132, 134, 136, 138, 140, 142, 144, 149, 151, 153, 155, 157, 159
161, 165, 169, 173
-t <seconds> : stay time on channel before hopping to the next channel
default 4 seconds
-m <interface> : set monitor mode by ioctl() system call and quit
-I : show WLAN interfaces and quit
-C : show available channels and quit
if no channels are available, interface is probably in use or doesn't support monitor mode
long options:
--do_rcascan : show radio channel assignment (scan for target access points)
this can be used to test that ioctl() calls and packet injection is working
if you got no HIT, packet injection is possible not working
also it can be used to get information about the target
and to determine that the target is in range
use this mode to collect data for the filter list
run this mode at least for 2 minutes
to save all received raw packets use option -o
--reason_code=<digit> : deauthentication reason code
recommended codes:
1 WLAN_REASON_UNSPECIFIED
2 WLAN_REASON_PREV_AUTH_NOT_VALID
4 WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY
5 WLAN_REASON_DISASSOC_AP_BUSY
6 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA
7 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA (default)
9 WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH
--disable_client_attacks : do not attack clients
affected: ap-less (EAPOL 2/4 - M2) attack
--disable_ap_attacks : do not attack access points
affected: connected clients and client-less (PMKID) attack
--stop_ap_attacks=<digit> : stop attacks against ACCESS POINTs if <n> BEACONs received
default: stop after 600 BEACONs
--resume_ap_attacks=<digit> : resume attacks against ACCESS POINTs after <n> BEACONs received
default: 864000 BEACONs
--disable_deauthentication : do not send deauthentication or disassociation frames
affected: conntected clients
--silent : do not transmit!
hcxdumptool is acting like a passive dumper
expect possible packet loss
--eapoltimeout=<digit> : set EAPOL TIMEOUT (microseconds)
default: 20000 usec
--bpfc=<file> : input Berkeley Packet Filter (BPF) code
steps to create a BPF (it only has to be done once):
set hcxdumptool monitormode
$ hcxumptool -m <interface>
create BPF to protect a MAC
$ tcpdump -i <interface> not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
recommended to protect own devices
or create BPF to attack a MAC
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 -ddd > attack.bpf
not recommended, because important pre-authentication frames will be lost due to MAC randomization of the CLIENTs
use the BPF code
$ hcxumptool -i <interface> --bpfc=attack.bpf ...
see man pcap-filter for a list of all filter options
--filterlist_ap=<file> : ACCESS POINT MAC filter list
format: 112233445566 + comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_client=<file> : CLIENT MAC filter list
format: 112233445566 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
--filtermode=<digit> : mode for filter list
mandatory in combination with --filterlist_ap and/or --filterlist_client
0: ignore filter list (default)
1: use filter list as protection list
do not interact with ACCESS POINTs and CLIENTs from this list
2: use filter list as target list
only interact with ACCESS POINTs and CLIENTs from this list
not recommended, because important pre-authentication frames will be lost due to MAC randomization of the CLIENTs
--weakcandidate=<password> : use this pre shared key (8...63 characters) for weak candidate alert
will be saved to pcapng to inform hcxpcaptool
default:
--mac_ap : use this MAC as ACCESS POINT MAC instead of a randomized one
format: 112233445566
--mac_client : use this MAC as CLIENT MAC instead of a randomized one
format: 112233445566
--essidlist=<file> : transmit beacons from this ESSID list
maximum entries: 256 ESSIDs
--active_beacon : transmit beacon once every 200000 usec
affected: ap-less
--flood_beacon : transmit beacon on every received beacon
affected: ap-less
--infinity : prevent that a CLIENT can establish a connection to an assigned ACCESS POINT
affected: ACCESS POINTs and CLIENTs
--use_gps_device=<device> : use GPS device
/dev/ttyACM0, /dev/ttyUSB0, ...
NMEA 0183 $GPGGA $GPGGA
--use_gpsd : use GPSD device
NMEA 0183 $GPGGA, $GPRMC
--nmea=<file> : save track to file
format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL
to convert it to gpx, use GPSBabel:
gpsbabel -i nmea -f hcxdumptool.nmea -o gpx -F file.gpx
to display the track, open file.gpx with viking
--gpio_button=<digit> : Raspberry Pi GPIO pin number of button (2...27)
default = GPIO not in use
--gpio_statusled=<digit> : Raspberry Pi GPIO number of status LED (2...27)
default = GPIO not in use
--tot=<digit> : enable timeout timer in minutes (minimum = 2 minutes)
: hcxdumptool will terminate if tot reached (EXIT code = 2)
--reboot : once hcxdumptool terminated, reboot system
--poweroff : once hcxdumptool terminated, power off system
--enable_status=<digit> : enable real-time display (waterfall)
only incoming traffic
only once at the first occurrence due to MAC randomization of CLIENTs
bitmask:
0: no status (default)
1: EAP and EAPOL
2: ASSOCIATION and REASSOCIATION
4: AUTHENTICATION
8: BEACON and PROBERESPONSE
16: ROGUE AP
32: GPS (once a minute)
64: internal status (once a minute)
128: run as server
256: run as client
characters < 0x20 && > 0x7e are replaced by .
example: show everything but don't run as server or client (1+2+4+8+16 = 31)
show only EAP and EAPOL and ASSOCIATION and REASSOCIATION (1+2 = 3)
--server_port=<digit> : define port for server status output (1...65535)
: default IP: 224.0.0.255
: default port: 60123
--client_port=<digit> : define port for client status read (1...65535)
: default IP: 224.0.0.255
: default port: 60123
--check_driver : run several tests to determine that driver support all(!) required ioctl() system calls
--help : show this help
--version : show version
Run hcxdumptool -i interface --do_rcascan for at least 30 seconds, before you start an attack!
Do not edit, merge or convert this pcapng files, because it will remove optional comment fields!
It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this.
If hcxdumptool captured your password from WiFi traffic, you should check all your devices immediately!
If you use GPS, make sure GPS device is inserted and has a GPS FIX, before you start hcxdumptool!
06.03.2020
==========
complete rewrite from scratch
the Raspberry Pi is a little bit too slow, so we have to reduce status output. Most CLIENTs running randomized MACs. They are no longer displayed.
improved IE tag walk similar to hcxpcapngtool
improved attack vector
added new options to improve attack vector against hardened targets
added more information to help menu
added option to import Berkeley packet Filter code fom tcpdump as alternative to apfilterlist and clientfilterlist
make less noise on the the channel (receive more, transmit less)
WLAN REASON CODE (deauthentication) no longer hardcoded
moved to git versioning on non releases
29.01.2020
==========
moved to v6.0.1
removed options to set userdefined MAC_AP and/or MAC_CLIENT, because they make hcxdumptool's stealth capability ineffective
improved handling of association/reassociation frames
improved handling of null/powersave frames
added counter for PMKID/EAPOL frames
handle EAP request/response frames
improved IE tag walk similar to hcxpcapngtool
fixed cipher suite and AKM suite handling
handle wrong FCS
reduce pcapng size
fixed internal counters
allow mixed attack vector PSK/PSK256
handle PMKID in reassociationrequest
11.12.2019
==========
moved to v6.0.0
hcxdumptool: complete rewrite from scratch
filterlist splitted (APs, CLIENTs), entries increased upt to 256 each list:
--filterlist_ap
--filterlist_client
improved real time display:
driver information and firmware information (if available)
detailed information about PMKID and MESSAGE PAIR)
allow more than one option (--enable_status)
0: no status (default)
1: EAPOL
2: PROBE REQUEST/PROBE RESPONSE
4: AUTHENTICATON
8: ASSOCIATION/REASSOCIATION
16: BEACON
32: GPS (once a minute)
64: internal status
128: send status to client
choose pcapng frames to save (-f) using option -o
improved rca_scan:
0: no real time display
1: show only access points in range (default)
2: show only access points not range
3: show all access points
improved GPS handling:
read GPS information directly from device
--use_gps_device=<device>
or us GPSD
--use_gpsd
use full standard NMEA raw sentence $GPGGA, $GPRMC, $GPGWL
this version need hcxpcaptool v6.0.0 to convert GPS information or gpsbabel
gpsbabel -i nmea -f nmea.txt -o gpx -F test.gpx
then open test.gpx with viking (layer -> waypoint -> BSSID)
ignore M4 if SNONCE is zeroed
ignore PMKID if zeroed
improved handling of radiatapheader on ath9k_htc driver
new option codes:
ENTERPRISE NUMBER 0x2a, 0xce, 0x46, 0xa1
MAGIC NUMBER 0x2a, 0xce, 0x46, 0xa1, 0x79, 0xa0, 0x72, 0x33,
0x83, 0x37, 0x27, 0xab, 0x59, 0x33, 0xb3, 0x62,
0x45, 0x37, 0x11, 0x47, 0xa7, 0xcf, 0x32, 0x7f,
0x8d, 0x69, 0x80, 0xc0, 0x89, 0x5e, 0x5e, 0x98
OPTIONCODE_MACMYORIG 0xf29a (6 byte)
OPTIONCODE_MACMYAP 0xf29b (6 byte)
OPTIONCODE_RC 0xf29c (8 byte)
OPTIONCODE_ANONCE 0xf29d (32 byte)
OPTIONCODE_MACMYSTA 0xf29e (6 byte)
OPTIONCODE_SNONCE 0xf29f (32 byte)
OPTIONCODE_WEAKCANDIDATE 0xf2a0 (32 byte)
OPTIONCODE_GPS 0xf2a1 (max 128 byte)
removed weak candidate check, because it leads to many, many unauthorized MP:M1M2
hcxpioff: new options --tot, --poweroff, --reboot
--tot=<digit> : enable timeout timer in minutes (minimum = 2 minutes)
: hcxpioff will terminate if tot reached
--reboot : once hcxpioff terminated, reboot system
20.09.2019
==========
hcxdumptool: added pcapng custom block
we store all custom information inside this block
list of used pcapng option codes:
#define OPTIONCODE_MACMYORIG 0xf29a
#define OPTIONCODE_MACMYAP 0xf29b
#define OPTIONCODE_RC 0xf29c
#define OPTIONCODE_ANONCE 0xf29d
#define OPTIONCODE_MACMYSTA 0xf29e
#define OPTIONCODE_SNONCE 0xf29f
#define OPTIONCODE_WEAKCANDIDATE 0xf2a0
18.09.2019
==========
hcxdumptool: added new option --weak_candidate
added weak candidate detection on PMKID and WPA1
weak candidate is no longer "hard coded"
---weak_candidate=<password> : use this password (8...63 characters) for weak candidate alert
default: 00000000
affected: client-less attack
list of used pcapng option codes:
#define OPTIONCODE_MACMYAP 62107
#define OPTIONCODE_RC 62108
#define OPTIONCODE_ANONCE 62109
#define OPTIONCODE_MACMYSTA 62110
#define OPTIONCODE_SNONCE 62111
#define OPTIONCODE_WEAKCANDIDATE 62112
17.09.2019
==========
hcxdumptool: added weak password check
high experimental, only on WPA2 QOS
new dependency: lib crypto (openssl)
07.09.2019
==========
hcxdumptool: added new options
--reactive_beacon : send internal/external beacon on every received proberequest
affected: ap-less
--flood_beacon=<digit> : transmit internal/external beacon after every <x> received management packet
affected: ap-less
05.09.2019
==========
hcxdumptool: added new options (feature request: https://github.com/ZerBea/hcxdumptool/issues/70)
--disable_internal_beacons : do not transmit beacons using received ESSIDs
default: transmit this kind of beacon once on channel change or every five seconds
affected: ap-less and reactive_beacon, flood_beacon
--use_external_beaconlist=<file> : transmit beacons from this list
maximum ESSID length 32, maximum entries 4095
default: transmit this kind of beacon once on channel change or every five seconds
affected: ap-less and reactive_beacon, flood_beacon
28.08.2019
==========
moved to v5.2.2
02.09.2019
==========
hcxdumptool : added bind() ll.sll_pkttype = PACKET_OTHERHOST | PACKET_OUTGOING
added setsockopt() r.mr_type = PACKET_MR_PROMISC
now dmesg will show when device entered promiscuous mode
during hcxdumptool initialization:
[ 6313.657830] device wlp3s0f0u11u1 entered promiscuous mode
and when it left promiscuous mode when hcxdumptool terminated:
[ 6313.735833] device wlp3s0f0u11u1 left promiscuous mode
01.09.2019
==========
hcxdumptool : print additional information about interfering services
first_steps.txt : added quickstart guide to docs
28.08.2019
==========
moved to v5.2.1
25.08.2019
==========
hcxdumptool: removed option --ignore_warning (no longer needed)
hcxdumptool forces to set monitor mode running ioctl(SIOCGIWMODE) IW_MODE_MONITOR
if that doesn't work on first try, try it again and/or
do monitor mode manually:
ip link set <interface> down
iw dev <interface> set type monitor
ip link set <interface> up
warning: on some drivers rtlXXXX netlink will not notice that we use forced ioctl() system calls
in that case iw dev wlp3s0f0u11u4 will show you that the "netlink part" is still managed
Interface wlp3s0f0u11u4
ifindex 11
wdev 0x800000001
addr 70:f1:1c:27:ae:ec
type managed
wiphy 8
txpower 13.00 dBm
19.08.2019
==========
moved to v5.2.0
18.08.2019
==========
hcxdumptool: print ESSID on status 1
15.08.2019
==========
hcxdumptool: added server - client status output (only local networkes)
--server_port=<digit> : define port for server status output (1...65535)
: default IP: 224.0.0.255
--client_port=<digit> : define port for client status read (1...65535)
: default IP: 224.0.0.255
example:
on client machine run hcxdumptool with option --client_port=12345
$ hcxdumptool -i <interface> -o test.pcapng --enable_status=1 --client_port=12345
on caputure machine run hcxdumptool with option --server_port=12345
$ hcxdumptool -i <interface> -o test.pcapng --enable_status=1 --server_port=12345
13.08.2019
==========
hcxdumptool: added new option --check_driver
--check_driver : run several tests to determine that driver support all(!) required system calls
If everything is fine, result should look like this:
$ sudo hcxdumptool -i wlp3s0f0u10u4 --check_driver
driver tests passed - all required ioctl() system calls are supported by driver
If not, hcxdumptool will show which test failed:
$ sudo hcxdumptool -i wlp3s0f0u10u5 --check_driver
ioctl(SIOCGIFFLAGS) failed: No such device
ioctl(SIOCGIWMODE) failed: No such device
ioctl(SIOCSIFFLAGS) failed: No such device
ioctl(SIOCSIWMODE) - IW_MODE_MONITOR failed: No such device
ioctl(SIOCGIWMODE) failed: No such device
ioctl(SIOCGIWMODE) - IW_MODE_MONITOR failed
ioctl(SIOCSIFFLAGS) -IFF_UP failed: No such device
ioctl(SIOCGIFFLAGS) failed: No such device
ioctl(SIOCGIFFLAGS) - IFF_UP | IFF_RUNNING | IFF_BROADCAST failed
ioctl(SIOCGIFINDEX) failed: No such device
ioctl(SIOCETHTOOL) - ETHTOOL_GPERMADDR failed: No such device
ioctl(SIOCSIWFREQ) - IW_FREQ_FIXED failed: No such device
it looks like this interface/driver isn't suitable for hcxdumptool
possible reasons:
wrong interface selected
interface is blocked by another tool
driver doesn't support required ioctl() system calls
12.08.2019
==========
hcxdumptool: a crappy filter list is not longer a reason to terminate initialization
11.08.2019
==========
hcxdumptool: added new options --tot and --reboot
--tot=<digit> : enable timeout timer in minutes (minimum = 2 minutes)
: hcxdumptool will terminate if tot reached (EXIT code = 2)
--reboot : once hcxdumptool terminated, reboot system
hcxdumptool return values:
0 = every thing is fine
1 = error occured
2 = tot reached
23.07.2019
==========
hcxdumptool: moved from usleep() to nanosleep()
hcxpioff: moved from usleep() to nanosleep()
17.07.2019
==========
added some additional information which ioctl() command isn't supported by driver
added warning on option --do_rcascan if packet injection fails (driver doesn't support
full packet injection) after 20 seconds
Remarks:
nl80211/cfg80211/mac80211 doesn't use use ioctl() calls, they use netlink.
hcxdumptool use ioctl() calls and will not work on netlink.
That is the case, if ioctl(SIOCGIWMODE) or ioctl(SIOCSIWMODE) calls failed!
Read more here:
https://www.quora.com/What-are-the-differences-between-netlink-sockets-and-ioctl-calls
30.06.2019
==========
increased maximum filter list entries from 64 up to 255
this will have a price tag, because hcxdumptool's respond time increases.
25.06.2019
==========
detect Raspberry Pi 4
23.06.2019
==========
moved to v 5.1.7
hcxdumptool: improved help
fixed pcpng option header
12.06.2019
==========
hcxdumptool: ignore more warnings if --ignore_warning is selcted
do not report issues if you run this option!!!
29.05.2019
==========
hcxdumptool moved to v 5.1.5
19.05.2019
==========
hcxdumptool: activated option --ignore warning
--ignore_warning : ignore warnings
try this if you get some driver warnings
do not report issues
16.04.2019
==========
updated wiki device and README.md.
This adapters are working fine, running kernel 4.19, 4.20 and 5.0:
EDIMAX EW-7711UAN ID 7392:7710 Edimax Technology Co., Ltd
ALLNET ALL-WA0150N ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
TENDA W311U+ ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
LogiLink WL0151 ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
regardles of the xhci issue.
14.04.2019
==========
removed all device names from README.md, because VENDORS often change chipsets or driver errors occur:
v1 of a device is working fine, while v2 doesn't work
device A, running driver A is working fine, while device B running driver A doesn't work
driver doesn't support monitor mode
driver support monitor mode, but doesn't support packet injection
Examples here:
https://bugzilla.kernel.org/show_bug.cgi?id=202241
https://bugzilla.kernel.org/show_bug.cgi?id=202243
https://bugzilla.kernel.org/show_bug.cgi?id=202541
To find a working device, I recommend to read wikidevi:
https://wikidevi.com/
02.04.2019
==========
hcxdumptool now use this radiotap header:
static const uint8_t hdradiotap[] =
{
0x00, 0x00, // radiotap version + pad byte
0x0e, 0x00, // radiotap header length
0x06, 0x8c, 0x00, 0x00, // bitmap
0x00, // flags
0x02, // rate
0x14, // tx power
0x01, // antenna
0x08, 0x00 // tx flags
#define HDRRT_SIZE sizeof(hdradiotap)
};
read more about radiotap header here:
https://www.kernel.org/doc/Documentation/networking/mac80211-injection.txt
header is working with:
ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter
removed "USB ID 7392:a812 Edimax Technology Co., Ltd" from "known as working device list"
because this driver is not working with the radiotap header.
30.03.2019
==========
hcxdumptool: added new option --silent
--silent : do not transmit!
hcxdumptool is acting like a passive dumper
added RTL8187. Removed the wron devices from the list (only RT3070 ia affected)
* USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter (ALFA AWUS036H)
* USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter
29.03.2019
==========
added cflag DEBUG
if compiled with DEBUG, hcxdumptool show raw packets and raw GSP data, directly received from the device
removed ALFA AWUS036NH from the "known as workinging list", because the device doesn't work
any longer, running kernel 5.0.
28.03.2019
==========
removed devices from "known working" list:
* USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter (ALFA AWUS036H)
* USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter
because they are not working running kernel 5.0
27.03.2019
==========
removed wiringPi dependency
now we are running "bare metal" - complete GPIO stuff moved to hcxdumptool and hcxpioff
do not use wiringPi in combination with hcxdumptool and/or hcxpioff
Makefile: removed DOGPIOSUPPORT
hcxdumptool: changed options wiringPi options to GPIO options
--gpio_button=<digit> : Raspberry Pi GPIO pin number of button (2...27)
default = GPIO not in use
--gpio_statusled=<digit> : Raspberry Pi GPIO number of status LED (2...27)
default = GPIO not in use
hcxpioff: changed options wiringPi options to GPIO options
--gpio_button=<digit> : Raspberry Pi GPIO pin number of button (2...27)
default = GPIO not in use
--gpio_statusled=<digit> : Raspberry Pi GPIO number of status LED (2...27)
default = GPIO not in use
The GPIO is disabled on default. If you like to activate GPIO support you must do
the hardware modifactions as described here: doc/gpiowait.odg
and set the options according to your modification.
You can choose every GPIO pin, as long as you use a pull down resistor to ground.
Raspberry model should be detected by automatic and according to the revision we use:
GPIO mem 0x20000000 for A, B, A+, B+, and Zero, Zero W(H)
GPIO mem 0x3F000000 for 2B, 3B, 3A+, 3B+
compute modules (CMx) are not supported.
20.03.2019
==========
hcxdumptool: GPIO pins are no longer hard coded!
--wpi_button=<digit> : wiringPi number of of button (0...31, Raspberry Pi A and B: 0 .. 16)
default = 7
--wpi_statusled=<digit> : wiringPi number of status LED (0...31, Raspberry Pi A and B: 0 .. 16)
default = 0
19.03.2019
==========
hcxpioff: refactored - GPIO pins are no longer hard coded!
--wpi_button=<digit> : wiringPi number of of button (0...31, Raspberry Pi A and B: 0 .. 16)
default = 7
--wpi_statusled=<digit> : wiringPi number of status LED (0...31, Raspberry Pi A and B: 0 .. 16)
default = 0
--help : show this help
--version : show version
16.03.2019
==========
added man page hcxdumptool.1
removed device from list:
USB ID 7392:a812 Edimax Technology Co., Ltd (Edimax AC600 USB / Manufacturer: Realtek)
because the driver from here: https://github.com/aircrack-ng/rtl8812au
is no longer working on kernel 5.0
09.03.2019
==========
hcxdumptool moved to v 5.1.4
hcxdumptool: added new option:
--ignore_warning : hcxdumptool will not terminate if other services take access on the device
: warning: expect problems if hcxdumptool tries to change channels
From now on, hcxdumptool will not terminate during the initalization
if another service take access on the interface.
Expect problems and do not report issues related to this option!!!!
From now on, hcxdumptool will also show channel and frequency (when running option -C)
1 / 2412MHz (20 dBm)
2 / 2417MHz (20 dBm)
3 / 2422MHz (20 dBm)
4 / 2427MHz (20 dBm)
5 / 2432MHz (20 dBm)
6 / 2437MHz (20 dBm)
7 / 2442MHz (20 dBm)
8 / 2447MHz (20 dBm)
9 / 2452MHz (20 dBm)
10 / 2457MHz (20 dBm)
11 / 2462MHz (20 dBm)
12 / 2467MHz (20 dBm)
13 / 2472MHz (20 dBm)
09.03.2019
==========
hcxdumptool: added improved warning message
Now hcxdumptool print the error message received from the driver inside the brackets
$ hcxdumptool -i wlp3s0f0u1 -c 14
initialization...
warning: unable to set channel 14 (Invalid argument) - removed this channel from scan list
In this case the user tried to set channel 14. The driver doesn't support this
and responds with Invalid argument
07.03.2019
==========
hcxdumptool: added debug code in main packet loop [processpackets()]
to print raw GPS data, received from GPSD:
/*
printf("\ndebug: %s\n", gpsddata);
*/
uncomment this before you run make to retrieve this values.
06.03.2019
==========
hcxdumptool: added GPS date and GPS time to status and pcapng comment field.
$ sudo hcxdumptool -i wlp3s0f0u1 --use_gpsd -o test.pcapng
initialization...
connecting to GPSD...
waiting up to 5 seconds to retrieve first position
GPSD activated
start capturing (stop with ctrl+c)
GPS LATITUDE.............: 49.126403
GPS LONGITUDE............: 4.626175
GPS ALTITUDE.............: 129.500000
GPS DATE.................: 06.03.2019
GPS TIME.................: 21:52:41
INTERFACE................: wlp3s0f0u1
ERRORMAX.................: 100 errors
FILTERLIST...............: 0 entries
MAC CLIENT...............: f04f7c89dabb
MAC ACCESS POINT.........: 980ee432604d (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 61455
ANONCE...................: 182972399cd2e65deb7941601cca14b644681c092dcf6f704935c7f3d2eaceea
INFO: cha=11, rx=7080, rx(dropped)=1676, tx=408, powned=10, err=0, lat=49.126342, lon=4.626268, alt=129.500000, gpsdate=06.03.2019, gpstime=22:01:55^C
terminated...
$ tshark -r test.pcapng-0 -Y frame.comment -T fields -E header=y -e frame.number -e frame.time -e wlan.sa -e frame.comment
172 Mar 6, 2019 23:01:48.793212000 CET 1a:f8:7c:91:24:a3 lat:49.126337,lon:4.626268,alt:129.500000,date:06.03.2019,time:22:01:48
05.03.2019
==========
hcxdumptool: removed general info about tx-power - now we use iw style to show tx-power/channel
hcxdumptool -i <interface> -C
initialization...
available channels:
1 (20 dBm)
2 (20 dBm)
3 (20 dBm)
...
132 (26 dBm)
136 (26 dBm)
140 (26 dBm)
149 (13 dBm)
153 (13 dBm)
157 (13 dBm)
161 (13 dBm)
165 (13 dBm)
26.02.2019
==========
hcxdumptool moved to version 5.1.3 due several bug fixes and improved rcascan status output
18.02.2019
==========
release hcxdumptool v 5.1.2 due to serveral bugfixes
02.02.2019
==========
release hcxdumptool v 5.1.1
20.01.2019
==========
hcxdumptool:
added new MT76 device: "TP-LINK Archer Archer T2U"
working with kernel: 4.19, 4.20 (some issues), 5.0
read more here:
https://github.com/ZerBea/hcxdumptool/issues/42
https://bugzilla.kernel.org/show_bug.cgi?id=202241
https://bugzilla.kernel.org/show_bug.cgi?id=202243
11.01.2019
==========
hcxdudmptool:
From now on, we assume that a packet is outgoing, if
dBm Antenne Signal is absent.
08.01.2019
==========
hcxdudmptool and mac80211_hwsim
mac80211_hwsim is a Linux kernel module that can be used to simulate
arbitrary number of IEEE 802.11 radios for mac80211. It can be used to
test hcxdumptool:
load module:
$ sudo modprobe mac80211_hwsim
run hcxdumptool to retrieve informations about the interface:
$ hcxdumptool -I
wlan interfaces:
020000000000 wlan0 (mac80211_hwsim)
020000000100 wlan1 (mac80211_hwsim)
bring monitor interface up:
$ sudo sudo ip link set hwsim0 up
run hcxdumptool:
$ sudo hcxdumptool -i wlan0
initialization...
start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
ERRORMAX.................: 100 errors
FILTERLIST...............: 0 entries
MAC CLIENT...............: c8aacc9c01ec
MAC ACCESS POINT.........: 580943000000 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 62263
ANONCE...................: 513282ebb604e6e10c450d6c3eaa6428d118b54abeef4672be3ef700052305d5
INFO: cha=11, rx=0, rx(dropped)=0, tx=120, powned=0, err=0
run wireshark on wlan0 or hwsim0 to monitor hcxdumptool output.
do not forget to remove mac80211_hwsim if the module is not longer needed!
read more here:
https://www.kernel.org/doc/readme/Documentation-networking-mac80211_hwsim-README
04.01.2019
==========
hcxdumptool - changed flash time:
LED flashes every 5 seconds = everything is fine
LED stays on = no signal received during the last past five seconds
hcxdumptool - ignore double outgoing packets (rth->it_present == 0)
03.01.2019
==========
hcxdumptool: changed flash time (5 times longer on ERROR)
hcxpioff: changed flash time
20.12.2018
==========
improved detection of broken driver
from now on GPIO LED blinks twice every 5 seconds
- if a possbile driver issue is detected
- if no packets received during the last past 5 seconds
another indicator is that the incoming packetcounter (rx=xxxx)
doesn't increase
or dmesg show this error:
[65786.808078] ieee80211 phy2: rt2x00queue_flush_queue: Warning - Queue 14 failed to flush
[65824.174119] ieee80211 phy2: rt2x00queue_flush_queue: Warning - Queue 14 failed to flush
[67801.029527] ------------[ cut here ]------------
it seems to be a kernel issue that hcxdumptool isn't able to handle, automatically:
https://bbs.archlinux.org/viewtopic.php?id=237028
https://bugs.openwrt.org/index.php?do=details&task_id=929&opened=169&status%5B0%5D=
https://community.spiceworks.com/topic/2132263-ubuntu-16-04-wifi-disconnects-randomly
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1750226
https://www.raspberrypi.org/forums/viewtopic.php?t=206815
workaround:
1) get driver information
$ hcxdumptool -I
wlan interfaces:
7cdd90xxxxxx wlp3s0f0u2 (rt2800usb)
2) remove module
$ modprobe -r rt2800usb
3) load module
$ modprobe rt2800usb
18.12.2018
==========
added new option to set station MAC address
--station_mac=<mac_addr> : use this MAC address for station
format = 112233445566
format = 112233000000 (to set only OUI)
format = 445566 (to set only NIC)
added new option to set access point MAC address
--ap_mac=<mac_addr> : use this MAC address for access point as start MAC
format = 112233445566
format = 112233000000 (to set only OUI)
format = 445566 (to set only NIC)
warning: do not use a MAC of an existing access point in your range
improved detection of broken driver
set default ERRORMAX to 100
added option to set ERRORMAX
-T <digit> : set maximum ERRROR count (hcxdumptool terminates when the value is reached)
default: 100 errors
Remarks:
errorcount will increase by one, if send packet (tx=xxx) > 3*incoming packets (rx=xxx)
15.12.2018
==========
improved random generator (now seeded with and adapter mac address)
Raspberry Pi: improved handling of GPIO switch
07.12.2018
==========
restore interface settings after -C
improved help menu
-more informations about monitor mode
-more informations about packet injection
monitor mode and packet injection must be supported by the driver,
otherwise hcxdumptool will not work.
05.12.2018
==========
moved to v 5.1.0 (according to hashcat)
04.12.2018
==========
added new option:
-C : show available channels and quit
27.11.2018
==========
added new option:
--poweroff : once hcxdumptool finished, power off system
26.11.2018
==========
several big endian fixes
switched to version 5.0.1
07.10.2018
==========
added new option filter mode 3:
--filterlist=<file> : mac filter list
format: 112233445566 + comment
maximum line lenght 255, maximum entries 64
--filtermode=<digit> : mode for filter list
1: use filter list as protection list (default) in transmission branch
receive everything, interact with all APs and CLIENTs in range,
except(!) the ones from the filter list
2: use filter list as target list in transmission branch
receive everything, only interact with APs and CLIENTs in range,
from the filter list
3: use filter list as target list in receiving branch
only receive APs and CLIENTs in range,
from the filter list
30.10.2018
==========
moved to version 5.0.0
05.10.2018
==========
added more error messages
fixed small bug in error count on channel change failure
04.10.2018
==========
show GPS position (if activated) in status line (refresh every 5 seconds)
fixed broken status display on rcascan
increased speed of rcascan
fixed error handling if selected channels not supported by driver
if option -t is not set, skip empty channels after one second
improved scan list
fixed some static var
01.10.2018
==========
changed order of channels in default scan list:
1, 9, 6, 3, 11, 7, 1, 10, 6, 8, 11, 4, 1, 12, 6, 2, 11, 5, 13
27.09.2018
==========
added GPSD support (stored as comment in pcapng file)
--use_gpsd : use GPSD to retrieve position
add latitude, longitude and altitude to every pcapng frame
device must be supported by GPSD:
http://www.catb.org/gpsd/hardware.html
(tested using: AktivePilot JENTRO BT-GPS-8)
Retrieve GPS information with:
$ tshark -r filename.pcapng -Y frame.comment -T fields -E header=y -e frame.number -e frame.time -e wlan.sa -e frame.comment
write mac_ap to pcapng SHB
write mac_sta to pcapng SHB
SHB optioncodes:
#define OPTIONCODE_MACMYAP 62107
#define OPTIONCODE_RC 62108
#define OPTIONCODE_ANONCE 62109
#define OPTIONCODE_MACMYSTA 62110
16.09.2018
==========
show warning if NetworkManager and/or wpa_supplicant is running
15.09.2018
==========
added Cisco Systems, Inc VENDOR information
--station_vendor=<digit> : use this VENDOR information for station
0: transmit no VENDOR information (default)
1: Broadcom
2: Apple-Broadcom
3: Sonos
4: Netgear-Broadcom
5: Wilibox Deliberant Group LLC
6: Cisco Systems, Inc
11.09.2018
==========
You can “uncomment a line” in a configuration file
by removing the # at the start of the line.
Or, to “comment out” a line, add a # character
to the start of the line.
001122334455 myap
# aabbccddeeff ignore this mac
112233445566 second ap
# this is may comment
05.09.2018
==========
added Netgear Broadcom VENDOR information
added Wilibox Deliberant Group LLC VENDOR information
04.09.2018
==========
improved rcascan (show time and access points which hide their ESSID)
prepare detection of PMF
refactored access point handling
handle 4096 access points simultaneously
refactored client handling
handle 4096 clients simultaneously
speed up retrieving PMKIDs (< 1 minute)
attack access points which hide their ESSID
increased filter list line length
increased filter list maximum entries
added option to show beacons in status output:
--enable_status=<digit> : enable status messages
bitmask:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATON
8: ASSOCIATION
16: BEACON
added option to choose station VENDOR information:
--station_chipset=<digit> : use this VENDOR information for station
0: transmit no VENDOR information (default)
1: Broadcom
2: Apple-Broadcom
3: Sonos
30.08.2018
==========
iw/ip functionality added!
now hcxdumptool will set monitor mode and bring up interface!
previous interface settings will be restored, when hcxdumptool terminated
19.08.2018
==========
parse SAE authentication
19.08.2018
==========
added radio assignment scan
--do_rcascan : show radio channel assignment (scan for target access points)
--save_rcascan=<file> : output rca scan list to file when hcxdumptool terminated
--save_rcascan_raw=<file> : output file in pcapngformat
unfiltered packets
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
17.08.2018
==========
detect NETWORK EAP authentication system
transmit BROADCAST beacon
16.08.2018
==========
From now on we store open system authentications to pcapng
only if they have have a vendor specific field.
we are no longer interested in standard open system authentications (payload len = 6)
changed some default values:
-D <digit> : deauthentication interval
default: 10 (every 10 beacons)
the target beacon interval is used as trigger
-A <digit> : ap attack interval
default: 10 (every 10 beacons)
--give_up_deauthentications=<digit>: disable transmitting deauthentications after n tries
default: 100 tries (minimum: 4)
affected: connections between client an access point
deauthentication attacks will not work against protected management frames
--give_up_ap_attacks=<digit> : disable transmitting directed proberequests after n tries
default: 100 tries (minimum: 4)
affected: client-less attack
deauthentication attacks will not work against protected management frames
13.08.2018
==========
increased some attack values:
--give_up_deauthentications=<digit>: disable transmitting deauthentications after n tries
default: 100 tries (minimum: 4)
affected: connections between client an access point
deauthentication attacks will not work against protected management frames
--give_up_ap_attacks=<digit> : disable transmitting directed proberequests after n tries
default: 100 tries (minimum: 4)
07.08.2018
==========
moved to 4.2.1
added communication between hcxdumptool and hcxpcaptool via pcapng option fields:
62108 for REPLAYCOUNT uint64_t
62109 for ANONCE uint8_t[32]
enabled hardware handshake instead of software handshake
changed beavior auf status:
--enable_status=<digit> : enables status messages
bitmask:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATON
8: ASSOCIATION
Now we use a bitmask to deliver status messages.
06.08.2018
==========
write ISB (Interface Statistic Block) at the end of a cpature
04.08.2018
==========
addet new option (--disable-active_scan) to hcxdumptool
--disable_active_scan: do not transmit proberequests to BROADCAST using a BROADCAST ESSID
04.08.2018
==========
release hcxdumptool 4.2.0
complete refactored:
-various new options
-measurement of EAPOL timeout
-full support for hashcat hashmodes -m 16800 and 16801
-now default format is pcapng
$ ./hcxdumptool-bleeding --help
hcxdumptool 4.2.0 (C) 2018 ZeroBeat
usage : hcxdumptool <options>
example: hcxdumptool -o output.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status
options:
-i <interface> : interface (monitor mode must be enabled)
ip link set <interface> down
iw dev <interface> set type monitor
ip link set <interface> up
-o <dump file> : output file in pcapngformat
management frames and EAP/EAPOL frames
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-O <dump file> : output file in pcapngformat
unencrypted IPv4 and IPv6 frames
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-W <dump file> : output file in pcapngformat
encrypted WEP frames
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit> : set scanlist (1,2,3,...)
default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12
maximum entries: 127
allowed channels:
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 58, 60, 62, 64
100, 104, 108, 112, 116, 120, 124, 128, 132,
136, 140, 144, 147, 149, 151, 153, 155, 157
161, 165, 167, 169, 184, 188, 192, 196, 200, 204, 208, 212, 216
-t <seconds> : stay time on channel before hopping to the next channel
default: 5 seconds
-E <digit> : EAPOL timeout
default: 100000 = 1 second
value depends on channel assignment
-D <digit> : deauthentication interval
default: 20 (every 20 beacons)
the target beacon interval is used as trigger
-A <digit> : ap attack interval
default: 20 (every 20 beacons)
the target beacon interval is used as trigger
-I : show suitable wlan interfaces and quit
-h : show this help
-v : show version
--filterlist=<file> : mac filter list
format: 112233445566 + comment
maximum line lenght 128, maximum entries 32
--filtermode=<digit> : mode for filter list
1: use filter list as protection list (default)
2: use filter list as target list
--disable_deauthentications: disable transmitting deauthentications
affected: connections between client an access point
deauthentication attacks will not work against protected management frames
--give_up_deauthentications=<digit>: disable transmitting deauthentications after n tries
default: 10 tries (minimum: 4)
affected: connections between client an access point
deauthentication attacks will not work against protected management frames
--disable_disassociations : disable transmitting disassociations
affected: retry (EAPOL 4/4 - M4) attack
--disable_ap_attacks : disable attacks on single access points
affected: client-less (PMKID) attack
--give_up_ap_attacks=<digit> : disable transmitting directed proberequests after n tries
default: 10 tries (minimum: 4)
affected: client-less attack
deauthentication attacks will not work against protected management frames
--disable_client_attacks : disable attacks on single clients points
affected: ap-less (EAPOL 2/4 - M2) attack
--enable_status : enable status messages
--help : show this help
--version : show version
01.08.2018
==========
moved some stuff from hcxtools to hcxdumptool repository
prepare complete refactoring!
04.03.2018
==========
hcxdumptool: added new option -W
-W <dump file> : WEP encrypted packets output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
04.03.2018
==========
hcxdumptool again complete refactored:
02.03.2018
==========
hcxdumptool is complete refactored:
- improved scan engine
- improved authentication engine (incl. Radio Measurement, and NULL frame detection)
- dropped timer
- use threads for LED and channel switch
- use only one file descriptor for raw socket operations
- working on Intel Corporation Centrino Ultimate-N 6300 (rev 3e) WiFi adapter (kernel >= 4.15)
- working on Alfa AWUS036NH, Alfa AWUS036NHA
- working on Alfa AWUS036ACH (driver: https://github.com/kimocoder/rtl8812au)
- more channels allowed (depends on installed wireless regulatory domain)
- simple usage: hcxdumptool -i <interface> -o dumpfile.pcap -t 5
interface (real interface - no monX) must be in monitor - all services/programs with access to the interface must be stopped!
- new format of blacklist
- and more...
reported to run on Gentoo
https://github.com/ZerBea/hcxdumptool_bleeding_testing/issues/2#issuecomment-369256915
reported to run on OpenWRT/LEDE
https://github.com/ZerBea/hcxdumptool_bleeding_testing/issues/3#issuecomment-369756725
reported to run with Intel Corporation Centrino Ultimate-N 6300 (rev 3e)
https://github.com/ZerBea/hcxdumptool_bleeding_testing/issues/2#issuecomment-369259800
$ hcxdumptool -h
hcxdumptool 4.1.0 (C) 2018 ZeroBeat
usage:
hcxdumptool <options>
options:
-i <interface> : interface (monitor mode must be eanabled)
ip link set <interface> down
iw dev <interface> set type monitor
ip link set <interface> up
-o <dump file> : output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-O <dump file> : ip based traffic output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
-c <digit> : set scanlist (1,2,3,... / default = default scanlist)
default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12
allowed channels:
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
36, 40, 44, 48, 52, 56, 60, 64
100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 147, 151, 155, 167
-t <seconds> : stay time on channel before hopping to the next channel
default = 5 seconds
-T <maxerrors> : terminate after <x> maximal errors
: default: 1000000
-D : do not transmit deauthentications or disassociations
-R : do not transmit requests
-A : do not respond to requests from clients
-B <file> : blacklist (do not deauthenticate clients from this hosts)
format = mac_ap:mac_sta:ESSID
112233445566:aabbccddeeff:networkname (max. 32 chars)
-P : enable poweroff
-s : enable status messages
-I : show suitable wlan interfaces and quit
-h : show this help
-v : show version
27.02.2018
==========
Now recommendations since we are run into heavy problems with latest drivers and operating systems
* Operatingsystem: archlinux (strict), Kernel >= 4.14 (strict)
* Raspberry Pi A, B, A+, B+ (Recommended: A+ = very low power consumption or B+), but notebooks and desktops could work, too.
* GPIO hardware mod recommended
Supported adapters (strict)
* USB ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
* USB ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
* USB ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
* USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
* USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter
25.02.2018
==========
- initial start of this repository
- added hcxdumptool
- added hcxpioff