
hcxdumptool

This tool is awesome for wifi shenanigans.

info

For now I'm just dumping notes I gathered from a recent engagement where I needed to use this tool to capture/extract/crack PMKIDs.

Install

sudo apt install build-essential git libpcap-dev -y
git clone https://github.com/ZerBea/hcxdumptool.git ~/hcxdumptool
cd ~/hcxdumptool
make -j $(nproc)

Enumerate nearby wifi

sudo hcxdumptool -i wlan0mon -F --rcascan=active

Attack just specific channels

sudo hcxdumptool -i wlan0mon -F --rds=1 -c40b,44b -w dump.pcapng

Basic run to start enumerating/attacking all the wifis

Taking these tips from this issue. This Cyberark blog was also very helpful.

sudo hcxdumptool -i INTERFACENAME -w dumpfile.pcapng --rds=1 -F

tip

Don't put the interface in monitor mode first! hcxdumptool sets up monitor mode itself, so give it the physical interface name.

Build a filter list

Check out this issue for a good example. Also check out this discussion.

Capture away!

Capture with BPF

hcxdumptool -i NAME-OF-PHYSICAL-WIFI-INTERFACE --bpf=attack.bpf -w output.pcapng --rds=1 -F

Capture with BPF and specific channels

hcxdumptool -i NAME-OF-PHYSICAL-WIFI-INTERFACE --bpf=attack.bpf -w output.pcapng --rds=1 -F -c 55,23

As the scan runs you'll see a table with the heading:

R 1 3 P S

  • R - AP in range or under attack
  • 1 - got EAPOL M1 challenge
  • 3 - got EAPOL M1M2M3 or EAPOL (hashcat/JTR can work with this)
  • P - got PMKID (hashcat/JTR can work with this)
  • S - authentication key management PSK

tip

Better explanation from this thread:

real time display:
R = + AP display: AP is in TX range or under attack
S = + AP display: AUTHENTICATION KEY MANAGEMENT PSK
P = + AP display: got PMKID
1 = + AP display: got EAPOL M1 (CHALLENGE)
3 = + AP display: got EAPOL M1M2M3 (AUTHORIZATION)
E = + CLIENT display: got EAP-START MESSAGE
2 = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE)

warning

WPA3 is attacked differently! Check the hcxlabtool page for more information.