hcxdumptool's People

Contributors

anthraxx, blshkv, cyolos, czechball, danilonc, gemesa, jake-grafton, julianrunnels, juniorjpdj, kimocoder, kretcheu, lazerl0rd, n0w1re, neheb, philsmd, realender, secf00tprint, strasharo, tanmayagrawal, tristian, ukscone, zerbea

hcxdumptool's Issues

Error compiling: too many arguments for format

I tried running make today and ran up against:

cc -O3 -Wall -Wextra -std=gnu99  -o hcxdumptool hcxdumptool.c -lpthread 
hcxdumptool.c: In function ‘process80211probe_resp’:
hcxdumptool.c:1842:18: warning: too many arguments for format [-Wformat-extra-args]
  fprintf(stdout, " [PROBERESPONSE, SEQUENCE %d, AP CHANNEL %d]\n", c, macfrx->sequence >> 4, apchannel);
                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It looks like that line was touched today in 3c486c8. Is it possible that commit added a regression?

Wrong timestamp

Hi,
I've tried on two different RPis with Raspbian images and they have the same timestamp with weird values. A Debian VM gives a normal epoch time.
Date/time is set up correctly.

(This is opened with Wireshark)

Frame 1: 226 bytes on wire (1808 bits), 226 bytes captured (1808 bits) on interface 0
    Interface id: 0 (wlan1)
    Encapsulation type: IEEE 802.11 plus radiotap radio header (23)
    Arrival Time: Jan  1, 1970 01:25:10.864502000 Romance Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1510.864502000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 226 bytes (1808 bits)
    Capture Length: 226 bytes (1808 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: radiotap:wlan_radio:wlan]

In a bigger capture file I noticed that the starting packets have epoch values of 1000/2000 and then on frame 255 it jumps to a negative value, as seen below. Later packets switch back to 1000/2000 and to a negative value again. That was on an approx. 1 hr long capture file.

Frame 255: 106 bytes on wire (848 bits), 106 bytes captured (848 bits) on interface 0
    Interface id: 0 (wlan0)
    Encapsulation type: IEEE 802.11 plus radiotap radio header (23)
    Arrival Time: Not representable
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: -140464757.873059000 seconds
    [Time delta from previous captured frame: -140466901.308239000 seconds]
    [Time delta from previous displayed frame: -140466901.308239000 seconds]
    [Time since reference or first frame: -140466833.115197000 seconds]
    Frame Number: 255
    Frame Length: 106 bytes (848 bits)
    Capture Length: 106 bytes (848 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: radiotap:wlan_radio:wlan]

I don't quite understand the code and I'm not really sure what to check next.
Any ideas?
Thanks
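One explanation consistent with the values in this report is the 64-bit pcapng timestamp being assembled wrongly on the 32-bit board: 1510.864502 s is exactly what an Enhanced Packet Block decodes to when a seconds count of 1510864502 (a November 2017 date) lands in the low 32-bit word with the high word left zero. The following is an added example and not hcxdumptool's code: it shows how the two EPB timestamp words are produced with 64-bit arithmetic, how a reader recombines them, and a bounds-checked block reader. The block layout follows the pcapng specification, the default microsecond if_tsresol is assumed, and the four-byte sample frame is constructed.

```c
/* Added example, not hcxdumptool code: pcapng Enhanced Packet Block (EPB)
 * timestamps.  The EPB stores one 64-bit count of time units (default
 * resolution: microseconds) split into a high and a low 32-bit word.
 * Assembling that count in 32-bit arithmetic, or dropping tv_sec straight
 * into the low word, yields the kind of values seen in the capture above. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EPB_BLOCK_TYPE 0x00000006u
#define EPB_FIXED_LEN  32u  /* type, total len, if id, ts hi, ts lo, caplen, origlen, trailing total len */

/* Correct encoding: 64-bit multiply, then split into the two words. */
static void epb_timestamp_words(int64_t tv_sec, int64_t tv_usec, uint32_t *hi, uint32_t *lo)
{
    uint64_t units = (uint64_t)tv_sec * 1000000ULL + (uint64_t)tv_usec;
    *hi = (uint32_t)(units >> 32);
    *lo = (uint32_t)(units & 0xffffffffu);
}

/* Decoding, as a reader such as Wireshark does it (microsecond resolution). */
static uint64_t epb_timestamp_us(uint32_t hi, uint32_t lo)
{
    return ((uint64_t)hi << 32) | lo;
}

/* A pcapng file written by a little-endian host uses little-endian fields. */
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Write a minimal EPB (no options).  Returns the block length, or 0 if out is too small. */
static size_t epb_write(uint8_t *out, size_t outlen, uint32_t ifid,
                        int64_t tv_sec, int64_t tv_usec,
                        const uint8_t *packet, uint32_t caplen)
{
    uint32_t padded = (caplen + 3u) & ~3u;        /* packet data is padded to 32 bits */
    uint32_t total = EPB_FIXED_LEN + padded;
    uint32_t hi, lo;
    if (outlen < total) return 0;
    epb_timestamp_words(tv_sec, tv_usec, &hi, &lo);
    put_le32(out + 0, EPB_BLOCK_TYPE);
    put_le32(out + 4, total);
    put_le32(out + 8, ifid);
    put_le32(out + 12, hi);
    put_le32(out + 16, lo);
    put_le32(out + 20, caplen);
    put_le32(out + 24, caplen);                   /* original length == captured length here */
    memset(out + 28, 0, padded);
    memcpy(out + 28, packet, caplen);
    put_le32(out + 28 + padded, total);           /* trailing copy of the block length */
    return total;
}

/* Read the timestamp from an EPB.  Returns 1 and sets *us, or 0 for a malformed block. */
static int epb_read_timestamp_us(const uint8_t *blk, size_t len, uint64_t *us)
{
    uint32_t total;
    if (len < EPB_FIXED_LEN || get_le32(blk) != EPB_BLOCK_TYPE) return 0;
    total = get_le32(blk + 4);
    if (total < EPB_FIXED_LEN || total > len || (total & 3u) != 0) return 0;
    if (get_le32(blk + total - 4) != total) return 0;  /* leading and trailing lengths must agree */
    *us = epb_timestamp_us(get_le32(blk + 12), get_le32(blk + 16));
    return 1;
}

static void print_us(const char *what, uint64_t us)
{
    printf("%s: %llu.%06llu s\n", what,
           (unsigned long long)(us / 1000000u), (unsigned long long)(us % 1000000u));
}

int main(void)
{
    /* Constructed sample: a frame-control stub standing in for an 802.11 frame. */
    static const uint8_t frame[4] = { 0x80, 0x00, 0x00, 0x00 };
    uint8_t blk[64];
    uint64_t us;
    size_t n = epb_write(blk, sizeof blk, 0, 1510864502, 864502, frame, sizeof frame);
    if (n != 0 && epb_read_timestamp_us(blk, n, &us))
        print_us("correct 64-bit encoding decodes to", us);
    /* The broken case: seconds dropped into the low word, high word left zero. */
    print_us("tv_sec in the low word decodes to", epb_timestamp_us(0, 1510864502u));
    return 0;
}
```

When checking a suspect capture, compare the decoded value against the wall clock of the capture host: a correctly written 2017 timestamp needs a non-zero high word, so a high word of zero in every EPB points at the writer, not at the board's clock.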

respect common system variables

I know this is not a top priority but I need it before I can port the tool to Pentoo.

There are (at least) two important variables, PREFIX and DESTDIR.
Could you please update the Makefile?

Edit: I have also fixed a typo in the LDFLAGS.

Gemini PDA

I have a Gemini PDA with Kali Linux on it running a very old kernel, 3.18.41 (that is all that is offered).

I know that airodump-ng works with the older kernel, but is there a way to get this tool to work? I tried to use the Android NDK builds, but no luck.

The error I get is:

failed to save current interface mode: Operation not supported on transport endpoint
failed to init socket

failed to read packet: Network is down

I'm trying to capture using an Intel Wireless-AC 9260 (iwlwifi kmod)

06:00.0 Network controller: Intel Corporation Wireless-AC 9260 (rev 29)

and run into the following issue, without the tool finding anything usable.

$ sudo ./hcxdumptool/hcxdumptool -o test.pcapng -i wlp6s0 --enable_status 

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp6s0
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc23399c311 (client)
MAC ACCESS POINT.........: 11111141b95a (start NIC)
EAPOL TIMEOUT............: 1000000
DEAUTHENTICATIONINTERVALL: 20 beacons
GIVE UP DEAUTHENTICATIONS: 10 tries
REPLAYCOUNTER............: 61654
ANONCE...................: 43d3a6696159fbcca67531e333d7946b0e8c9a914ce90137613211cea69d43e9

INFO: cha=13, rx=0, rx(dropped)=0, tx=7, powned=0, err=0
failed to read packet: Network is down
INFO: cha=9, rx=0, rx(dropped)=0, tx=70, powned=0, err=1
failed to read packet: Network is down
INFO: cha=5, rx=0, rx(dropped)=0, tx=133, powned=0, err=2
failed to read packet: Network is down
INFO: cha=1, rx=0, rx(dropped)=0, tx=196, powned=0, err=3 
failed to read packet: Network is down
INFO: cha=10, rx=0, rx(dropped)=0, tx=259, powned=0, err=4
failed to read packet: Network is down
INFO: cha=6, rx=0, rx(dropped)=0, tx=322, powned=0, err=5
failed to read packet: Network is down
INFO: cha=2, rx=0, rx(dropped)=0, tx=385, powned=0, err=6 
failed to read packet: Network is down
INFO: cha=11, rx=0, rx(dropped)=0, tx=448, powned=0, err=7
failed to read packet: Network is down
INFO: cha=7, rx=0, rx(dropped)=0, tx=511, powned=0, err=8
failed to read packet: Network is down
INFO: cha=3, rx=0, rx(dropped)=0, tx=574, powned=0, err=9
failed to read packet: Network is down
INFO: cha=12, rx=0, rx(dropped)=0, tx=637, powned=0, err=10
failed to read packet: Network is down
INFO: cha=8, rx=0, rx(dropped)=0, tx=700, powned=0, err=11
failed to read packet: Network is down
INFO: cha=4, rx=0, rx(dropped)=0, tx=763, powned=0, err=12
failed to read packet: Network is down
INFO: cha=13, rx=0, rx(dropped)=0, tx=826, powned=0, err=13
failed to read packet: Network is down
INFO: cha=9, rx=0, rx(dropped)=0, tx=889, powned=0, err=14
failed to read packet: Network is down
INFO: cha=5, rx=0, rx(dropped)=0, tx=913, powned=0, err=15
[...]

I put the device into monitor mode beforehand:

$ iw dev
phy#0
	Unnamed/non-netdev interface
		wdev 0x4
		addr 30:24:32:**:**:**
		type P2P-device
		txpower 0.00 dBm
	Interface wlp6s0
		ifindex 2
		wdev 0x1
		addr 7e:0b:f7:**:**:**
		type monitor
		txpower 22.00 dBm

And made sure that the admin state is up.

2: wlp6s0: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state DORMANT group default qlen 1000
    link/ieee802.11/radiotap 7e:0b:f7:**:**:** brd ff:ff:ff:ff:ff:ff

What could be the issue?

Please put that in the documentation.

Compiling the tools requires some packages to be installed (Debian/Ubuntu/Kali...).

If you receive these errors, this is what you should do.

hcxpcaptool.c:16:10: fatal error: openssl/sha.h: No such file or directory
#include <openssl/sha.h>

You need to install libssl-dev (sudo apt install libssl-dev)

In file included from hcxpcaptool.c:35:
include/gzops.c:1:10: fatal error: zlib.h: No such file or directory
#include <zlib.h>

You need to install zlib1g-dev (sudo apt install zlib1g-dev)

wlanhcx2cap.c:12:10: fatal error: pcap.h: No such file or directory
#include <pcap.h>

You need to install libpcap0.8-dev (sudo apt-get install libpcap0.8-dev)

wlanhcx2cap.c:19:10: fatal error: curl/curl.h: No such file or directory
#include <curl/curl.h>

You need to install libcurl4-openssl-dev (apt install libcurl4-openssl-dev)

Summary:
sudo apt install libcurl4-openssl-dev libpcap0.8-dev zlib1g-dev libssl-dev

PMKID not found on TP-Link / D-Link router

Hi to all.
I have a problem with this software. When I try to find a PMKID it gives me only a PROBEREQUEST and a HANDSHAKE AP-LESS within 3-4 hours from a TP-LINK/D-LINK target! Signal strength was -67.

I use this Wifi card: AWUS036H (RTL8187 drivers) and a +10dB gain antenna.

I use this command: hcxdumptool -o test.pcapng -i wlan0 --filterlist=mac.txt --filtermode=3 -c 6 - --enable_status=3

Anyway, without the filter list the software found the PMKID of the nearest and farthest APs except my target! Why?

Thank you for answers.

EAPOL timeout is low cannot convert after capture

Hi, I get this error with hcxdumptool when I capture the PMKID.

I capture the PMKID no problem, FOUND PMKID

but when I try to convert the capture file that I output (-o) in hcxdumptool

I get this error

EAPOL timout is to low

So I cannot convert the file for hashcat.

Any ideas why I'm getting this error, anyone?

Is it a common error with hcxdumptool?

Thanks for any advice...

I capture with this command.

hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

get results
[08:50:37 - 006] 002417bdb675 -> d8cf9c805f44 [FOUND PMKID]

The convert command I use after I capture the PMKID is as follows

hcxdumptool -E essidlist -I identitulist -U usernamelist -z capturedthis.16800 pmkid.pcapng

then I get the error

EAPOL timeout is low

Blacklist entire access point

Is there a way to blacklist an entire access point without having to specify all of the bssid+client+ssid pairs in the blacklist file? Something like a wildcard for any of the fields in the file?

about killing wpa_supplicant

When I ran this command:
sudo hcxdumptool -i wlan1 -o test.pcapng --enable_status=1 -c 6

I got this message:
initialization...
warning: wpa_supplicant is running with pid 349 333
interface may not be operational
failed to init socket
hcxdumptool need full (monitor mode and full packet injection running all packet types) and exclusive access to the adapter
that is not the case

Therefore, I killed 349 and 333,
but the SSH connection got killed and I can't connect to the server using the ssh command.

I have two wifi interfaces.
wlan0 for the SSH connection

wlan1 for attacking.

How can I keep the connection and use wlan1 to attack?

No result even after more than half an hour

I have "Ralink corp. RT3290 Wireless 802.11n 1T/1R PCIe" adapter which comes with my laptop.
I tried:
hcxdumptool -o test.pcapng -i wlo1mon --filterlist=aashik.txt --filtermode=2 --enable_status=4
And waited about half an hour but still don't get a PMKID.

OSX

Would be great to get this working on OS X.

Gets stuck on "#include <netpacket/packet.h>" - it doesn't exist on OS X and I'm not sure how to get it.

No results

Hi there,

./hcxdumptool -i wlo1 --enable_status -c 11 -o test.pcapng

start capturing (stop with ctrl+c)
INTERFACE:...............: wlo1
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc23336aea3 (client)
MAC ACCESS POINT.........: 5c6b4f05fcf3 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 64221
ANONCE...................: 143c3b909c823a0bb81c45274616f0135532e35013d178698562a0d0fc75d712

Beyond this I receive no further results. Even if I don't specify what channel or try bitmasking, still no results come through.

If I try a specific enable status I get this:

./hcxdumptool -i wlo1 --enable_status=1 -c 11 -o test.pcapng

start capturing (stop with ctrl+c)
INTERFACE:...............: wlo1
FILTERLIST...............: 0 entries
MAC CLIENT...............: f0a2255ed74c (client)
MAC ACCESS POINT.........: 000101485130 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63472
ANONCE...................: 9d1fdf0518bd421217bce5866614ac2b334e5f581682c08a31b10ababf8fdfdd

INFO: cha=11, rx=10, rx(dropped)=10, tx=1, powned=0, err=0^C

(nothing else).

nexmon support

Why can't I use nexmon patched firmware to dump?

nexmon: https://github.com/seemoo-lab/nexmon

 ⚡ root@samsung-jflte  ~  ip link set wlan0 down ; ip link set wlan0 up ; ./nexutil -m2 -d
 ⚡ root@samsung-jflte  ~  export LD_PRELOAD="./libfakeioctl.so"                                         
 ⚡ root@samsung-jflte  ~  strace -o strace.log ./hcxdumptool -i wlan0 -o hcx_fun          
initialization...
__nex_driver_io: error
failed to set monitor mode: No such device
failed to init socket
__nex_driver_io: error
 ✘ ⚡ root@samsung-jflte  ~  cat strace.log 
execve("./hcxdumptool", ["./hcxdumptool", "-i", "wlan0", "-o", "hcx_fun"], 0xbe849cd8 /* 25 vars */) = 0
set_tls(0xb6f78588)                     = 0
set_tid_address(0xb6f7852c)             = 4992
open("./libfakeioctl.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=13336, ...}) = 0
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\234\7\0\0004\0\0\0"..., 936) = 936
mmap2(NULL, 77824, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb6ee3000
mmap2(0xb6ef4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0xb6ef4000
close(3)                                = 0
mprotect(0xb6ef4000, 4096, PROT_READ)   = 0
mprotect(0xb6f9b000, 4096, PROT_READ)   = 0
getuid32()                              = 0
ioctl(1, TIOCGWINSZ, {ws_row=62, ws_col=271, ws_xpixel=0, ws_ypixel=0}) = 0
writev(1, [{iov_base="initialization...", iov_len=17}, {iov_base="\n", iov_len=1}], 2) = 18
pipe2([3, 4], O_CLOEXEC)                = 0
pipe2([5, 6], O_CLOEXEC)                = 0
rt_sigprocmask(SIG_BLOCK, ~[], [], 8)   = 0
clone(child_stack=0xbefd2af0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 4993
close(6)                                = 0
read(5, "", 4)                          = 0
close(5)                                = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
fcntl64(3, F_SETFD, 0)                  = 0
close(4)                                = 0
read(3, "", 1024)                       = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4993, si_uid=0, si_status=0, si_utime=0, si_stime=4} ---
close(3)                                = 0
wait4(4993, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4993
pipe2([3, 4], O_CLOEXEC)                = 0
pipe2([5, 6], O_CLOEXEC)                = 0
rt_sigprocmask(SIG_BLOCK, ~[], [], 8)   = 0
clone(child_stack=0xbefd2af0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 4994
close(6)                                = 0
read(5, "", 4)                          = 0
close(5)                                = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
fcntl64(3, F_SETFD, 0)                  = 0
close(4)                                = 0
read(3, "", 1024)                       = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4994, si_uid=0, si_status=0, si_utime=0, si_stime=3} ---
close(3)                                = 0
wait4(4994, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4994
socket(AF_PACKET, SOCK_RAW, 768)        = 3
ioctl(3, SIOCGIFFLAGS, {ifr_name="wlan0", ifr_flags=IFF_UP|IFF_BROADCAST|IFF_RUNNING|IFF_MULTICAST}) = 0
ioctl(3, SIOCGIWMODE, 0xb6fa01ec)       = 0
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
ioctl(4, SIOCDEVPRIVATE, 0xb6f76110)    = 0
close(4)                                = 0
ioctl(3, SIOCSIFFLAGS, {ifr_name="wlan0", ifr_flags=0}) = 0
ioctl(3, SIOCSIWMODE, 0xb6fa0e04)       = -1 EOPNOTSUPP (Not supported)
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
ioctl(4, SIOCDEVPRIVATE, 0xb6f76110)    = -1 ENODEV (No such device)
writev(1, [{iov_base="__nex_driver_io", iov_len=15}, {iov_base=": error\n", iov_len=8}], 2) = 23
close(4)                                = 0
writev(2, [{iov_base="", iov_len=0}, {iov_base="failed to set monitor mode", iov_len=26}], 2) = 26
writev(2, [{iov_base="", iov_len=0}, {iov_base=":", iov_len=1}], 2) = 1
writev(2, [{iov_base="", iov_len=0}, {iov_base=" ", iov_len=1}], 2) = 1
writev(2, [{iov_base="", iov_len=0}, {iov_base="No such device", iov_len=14}], 2) = 14
writev(2, [{iov_base="", iov_len=0}, {iov_base="\n", iov_len=1}], 2) = 1
writev(2, [{iov_base="", iov_len=0}, {iov_base="failed to init socket\n", iov_len=22}], 2) = 22
ioctl(3, SIOCSIFFLAGS, {ifr_name="wlan0", ifr_flags=0}) = 0
ioctl(3, SIOCSIWMODE, 0xb6fa01ec)       = -1 EOPNOTSUPP (Not supported)
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
ioctl(4, SIOCDEVPRIVATE, 0xb6f76110)    = -1 ENODEV (No such device)
writev(1, [{iov_base="__nex_driver_io", iov_len=15}, {iov_base=": error\n", iov_len=8}], 2) = 23
close(4)                                = 0
ioctl(3, SIOCSIFFLAGS, {ifr_name="wlan0", ifr_flags=IFF_UP|IFF_BROADCAST|IFF_RUNNING|IFF_MULTICAST}) = 0
close(3)                                = 0
exit_group(1)                           = ?
+++ exited with 1 +++

installation problem

what's the problem?...

$ make
cc -O3 -Wall -Wextra -std=gnu99  -o hcxdumptool hcxdumptool.c
hcxdumptool.c:23:10: fatal error: 'include/android-ifaddrs/ifaddrs.h' file not found
#include "include/android-ifaddrs/ifaddrs.h"
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
make: *** [Makefile:29: build] Error 1
$ sudo make install
cc -O3 -Wall -Wextra -std=gnu99  -o hcxdumptool hcxdumptool.c
hcxdumptool.c:23:10: fatal error: 'include/android-ifaddrs/ifaddrs.h' file not found
#include "include/android-ifaddrs/ifaddrs.h"
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
make: *** [Makefile:29: build] Error 1

Will not work with USB wifi device based on RTL8192 chipset

I have tried many different guides to try and get this tool to work with the RTL8192CU chipset, but no luck. I do have this dongle working with airmon and airgeddon no problem.

My setup is RPi 3 B7+
Linux Raspberry Pi 4.14.90-v

When I run sudo hcxdumptool -wlan0 -o ....... --enable_status=2 , I get:

initialization....
interface is not up
failed to init socket

Issues installing hcxdumptool and hcxtools.

Hi all. I keep getting errors while installing hcxdumptool, hcxtools and hashcat.

The error I am getting for hcxdumptool is below:

cc -O3 -Wall -Wextra -std=gnu99 -o hcxdumptool hcxdumptool.c
/usr/bin/ld: cannot open output file hcxdumptool: Is a directory
collect2: error: ld returned 1 exit status
make: *** [Makefile:29: build] Error 1

Can someone please specify step by step how to install the above tools?

Thank you

gpsd data invalid

How do you process gpsd data?
I have a problem where if I run hcxdumptool in a location where no fix is available, then even if I get to a location where the GPS acquires a fix, the coordinates comment will stay at value 0 for all packets captured after the GPS acquired the fix.

The same is valid the other way around: if you start with a GPS fix and then lose the fix, all packets will continue to use the last fixed coordinates even if the GPS acquired a fix again in the meantime.

Wireless Network Adapter Support Question

Atheros AR9271
Ralink MT7601U
Ralink RT2501
Ralink RT2573
Ralink RT2870
Ralink RT3070
Ralink RT3572
Ralink RT5370
Ralink RT5370N
Realtek RTL8187
Realtek RTL8187L
Realtek RTL8187B
Realtek RTL8812AU

Are all of these chipsets supported by hcxdumptool?
If not, then which of these are supported?

And which one do you suggest using?

Thanks!

(If there are some grammar mistakes, I apologize......)

unable to set channel with rtl8188eu

I am using Kali and was able to set the adapter to monitor mode using kimocoder's driver (https://github.com/kimocoder/rtl8188eus). I can use airodump to receive packets but it is not working with hcxdumptool.
I only get this as a result:

# hcxdumptool -i wlan0 -o output.pcapng -c 1,6,11 --enable_status=1
initialization...
warning: unable to set channel 1 (removed this channel from scan list)
warning: unable to set channel 6 (removed this channel from scan list)
warning: unable to set channel 11 (removed this channel from scan list)
no available channel found in scan list

terminated...

Packet injection with aireplay is working, though:

# aireplay-ng -9 wlan0
15:37:11  Trying broadcast probe requests...
15:37:13  No Answer...
15:37:13  Found 2 APs

15:37:13  Trying directed probe requests...
15:37:13  XX:XX:XX:XX:XX:XX - channel: 11 - 'HOST1'
15:37:13  Ping (min/avg/max): 2.717ms/10.364ms/24.075ms Power: -41.67
15:37:13  30/30: 100%

15:37:13  Injection is working!

15:37:13  XX:XX:XX:XX:XX:XX - channel: 11 - 'HOST2'
15:37:13  Ping (min/avg/max): 2.921ms/9.882ms/22.017ms Power: -40.87
15:37:13  30/30: 100%

Here are the commands I've run:

# lsusb
Bus 001 Device 002: ID 2001:3310 D-Link Corp. 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
# ip link set wlan0 down
# iw dev wlan0 set type monitor
# ip link set wlan0 up
# iw dev
phy#0
	Interface wlan0
		ifindex 3
		wdev 0x1
		addr c2:67:84:6f:42:9c
		type monitor
		txpower 13.00 dBm
# hcxdumptool -I
wlan interfaces:
1062eb30659b wlan0 (rtl8188eu)
warning: NetworkManager is running with pid 441
warning: wpa_supplicant is running with pid 799
# kill 441 799
# hcxdumptool -I
wlan interfaces:
1062eb30659b wlan0 (rtl8188eu)

MT7601U Linux Driver

Hello,
Sorry for my English, I'm not a native speaker.
For using hcxdumptool I bought a new wireless adapter called Tenda W311MA; the chipset is MT7601U, but the official driver is only for Linux kernel 2.6-2.8. I googled it and found some vendor drivers, but they don't work.
Does anyone have a valid MT7601U driver for Kali Linux, or can anyone help me please!

root@kali:~# uname -a
Linux kali 4.15.0-kali2-amd64 #1 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux
root@kali:~# lsusb
...  
Bus 001 Device 002: ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter  
...  
root@kali:~# dmesg  
...  
[  118.049886] platform regulatory.0: firmware: failed to load regulatory.db (-2)
[  118.049890] firmware_class: See https://wiki.debian.org/Firmware for information about missing firmware
[  118.049892] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[  118.049895] cfg80211: failed to load regulatory.db
[  118.291535] usb 1-1: reset high-speed USB device number 2 using ehci-pci
[  118.471693] mt7601u 1-1:1.0: ASIC revision: 76010001 MAC revision: 76010500
[  118.525292] mt7601u 1-1:1.0: firmware: direct-loading firmware mt7601u.bin
[  118.525299] mt7601u 1-1:1.0: Firmware Version: 0.1.00 Build: 7640 Build time: 201302052146____
[  121.817616] mt7601u 1-1:1.0: Vendor request req:02 off:0a44 failed:-110
[  127.222926] mt7601u 1-1:1.0: Vendor request req:07 off:09a8 failed:-110
[  130.485039] mt7601u 1-1:1.0: Vendor request req:02 off:09a8 failed:-110
[  133.685535] mt7601u 1-1:1.0: Vendor request req:07 off:0734 failed:-110
[  136.913990] mt7601u 1-1:1.0: Vendor request req:42 off:0230 failed:-110
[  140.176270] mt7601u 1-1:1.0: Vendor request req:07 off:0080 failed:-110
[  143.438823] mt7601u 1-1:1.0: Vendor request req:02 off:0080 failed:-110
[  146.701059] mt7601u 1-1:1.0: Vendor request req:02 off:0080 failed:-110
[  146.701104] mt7601u: probe of 1-1:1.0 failed with error -110
[  146.701130] usbcore: registered new interface driver mt7601u
...  

unable to use --filterlist

hello,

I try to use hcxdumptool through the following command:

hcxdumptool - o hash -i wlan0mon --filterlist=list.txt --filtermode=2 --enable_status

I get the following error:

hcxdumptool: option '--enable_status' require an argument
invalid argument specified.

Any idea about the argument expected by hcxdumptool?

thanks for help.

Make file build failing with `hcxdumptool.c:4775:16: error: 'ETH_ALEN' undeclared`

I'm on Ubuntu 18.04. Below are the logs of make:

/home/o_o/miniconda/bin/x86_64-conda_cos6-linux-gnu-cc -march=nocona -mtune=haswell -ftree-vectorize -fPIC -fstack-protector-strong -fno-plt -O2 -ffunction-sections -pipe -std=gnu99 -DNDEBUG -D_FORTIFY_SOURCE=2 -O2 -o hcxpioff hcxpioff.c -Wl,-O2 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,--disable-new-dtags -Wl,--gc-sections
/home/o_o/miniconda/bin/x86_64-conda_cos6-linux-gnu-cc -march=nocona -mtune=haswell -ftree-vectorize -fPIC -fstack-protector-strong -fno-plt -O2 -ffunction-sections -pipe -std=gnu99 -DNDEBUG -D_FORTIFY_SOURCE=2 -O2 -o hcxdumptool hcxdumptool.c -Wl,-O2 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,--disable-new-dtags -Wl,--gc-sections
In file included from /home/o_o/miniconda/x86_64-conda_cos6-linux-gnu/sysroot/usr/include/endian.h:61:0,
                 from /home/o_o/miniconda/x86_64-conda_cos6-linux-gnu/sysroot/usr/include/ctype.h:41,
                 from hcxdumptool.c:2:
hcxdumptool.c: In function 'opensocket':
hcxdumptool.c:4664:51: error: 'ETH_P_ALL' undeclared (first use in this function); did you mean 'ETH_TP_MDI'?
 if((fd_socket = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0)
                                                   ^
hcxdumptool.c:4664:51: note: each undeclared identifier is reported only once for each function it appears in
hcxdumptool.c:4775:16: error: 'ETH_ALEN' undeclared (first use in this function); did you mean 'ETH_P_ALL'?
 ll.sll_halen = ETH_ALEN;
                ^~~~~~~~
                ETH_P_ALL
Makefile:20: recipe for target 'build' failed
make: *** [build] Error 1

Filter file usage causes segmentation fault

Hey there,

I see that you fixed a segfault bug recently but I'm running off master and I still have them.

./hcxdumptool -c 1 -o cap.pcapng -i <interface> --filterlist=filter.file --filtermode=<1 or 2>

filter.file:

112233445566 + comment
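A filter-list reader that cannot be crashed by its input is the check a practitioner wants after a report like this one. The following is an added example and not hcxdumptool's code: it parses a constructed buffer of lines in the shape shown above (12 hex digits, then optional whitespace and a free-form comment), never relies on a terminating NUL or on a maximum line length, counts malformed lines instead of faulting on them, and caps the table at 64 entries, the limit the help output is reported to state further down this page. The exact line grammar and the FILTERLIST_MAX constant are assumptions, not the project's documented format.

```c
/* Added example, not hcxdumptool code: a filter-list reader that cannot be
 * crashed by its input.  Assumed line grammar (not the project's documented
 * format): optional leading whitespace, 12 hex digits, then either end of
 * line or whitespace followed by a free-form comment.  Blank lines and lines
 * starting with '#' are ignored.  The table size is capped at FILTERLIST_MAX,
 * taken from the 64-entry limit reported elsewhere on this page. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define FILTERLIST_MAX 64
#define MAC_LEN 6

typedef struct {
    uint8_t mac[FILTERLIST_MAX][MAC_LEN];
    size_t count;     /* entries stored */
    size_t rejected;  /* lines that were not blank but did not parse */
    size_t overflow;  /* valid lines dropped because the table was full */
} filterlist_t;

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Exactly 12 hex digits at s (the caller guarantees 12 readable bytes). */
static int parse_mac12(const char *s, uint8_t mac[MAC_LEN])
{
    for (size_t i = 0; i < MAC_LEN; i++) {
        int h = hexval((unsigned char)s[2 * i]);
        int l = hexval((unsigned char)s[2 * i + 1]);
        if (h < 0 || l < 0) return 0;
        mac[i] = (uint8_t)((h << 4) | l);
    }
    return 1;
}

/* One line of `len` bytes, not NUL-terminated.  1 = entry, 0 = ignore, -1 = malformed. */
static int parse_filter_line(const char *line, size_t len, uint8_t mac[MAC_LEN])
{
    size_t i = 0;
    while (i < len && isspace((unsigned char)line[i])) i++;
    if (i == len || line[i] == '#') return 0;
    if (len - i < 12 || !parse_mac12(line + i, mac)) return -1;
    i += 12;
    /* "112233445566 + comment" is fine; "1122334455667" or "112233445566+x" is not */
    if (i < len && !isspace((unsigned char)line[i])) return -1;
    return 1;
}

/* Parse a whole buffer; it need not be NUL-terminated or end with a newline. */
static void filterlist_parse(filterlist_t *fl, const char *buf, size_t len)
{
    size_t start = 0;
    memset(fl, 0, sizeof *fl);
    for (size_t i = 0; i <= len; i++) {
        uint8_t mac[MAC_LEN];
        size_t llen;
        int r;
        if (i < len && buf[i] != '\n') continue;
        llen = i - start;
        if (llen > 0 && buf[start + llen - 1] == '\r') llen--;  /* tolerate CRLF files */
        r = parse_filter_line(buf + start, llen, mac);
        if (r < 0) fl->rejected++;
        else if (r > 0) {
            if (fl->count < FILTERLIST_MAX) memcpy(fl->mac[fl->count++], mac, MAC_LEN);
            else fl->overflow++;
        }
        start = i + 1;
    }
}

static int filterlist_match(const filterlist_t *fl, const uint8_t mac[MAC_LEN])
{
    for (size_t i = 0; i < fl->count; i++)
        if (memcmp(fl->mac[i], mac, MAC_LEN) == 0) return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample file: two good entries, one too short, one glued comment. */
    static const char sample[] =
        "112233445566 + comment\n"
        "# a comment line\n"
        "\n"
        "00112233445\n"
        "AABBCCDDEEFF\tlab AP\r\n"
        "112233445566+x\n";
    filterlist_t fl;
    filterlist_parse(&fl, sample, sizeof sample - 1);
    printf("entries=%zu rejected=%zu overflow=%zu\n", fl.count, fl.rejected, fl.overflow);
    return 0;
}
```

Reporting the rejected and overflow counts at start-up, instead of silently skipping, is what lets a user tell a typo in the list apart from a filter that is working as written.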

enable_status option requires argument

I'm using this tool to test the latest WPA2 flaw (PMKID capturing). In many tutorials, the command is issued with the "--enable_status" option; however, it takes the values 1, 2, 4, 8. Whenever I use any of these options, if a PMKID is captured it's not logged in the terminal.

enable_status=1

sudo hcxdumptool -o test2.pcapng -i wlp2s0mon  --filterlist=f2-matrix.txt --filtermode=2 --enable_status=1      
[sudo] password for thor: 

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp2s0mon
FILTERLIST...............: 1 entries
MAC CLIENT...............: fcc233c3026a (client)
MAC ACCESS POINT.........: 1100aa7f0d1a (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 64933
ANONCE...................: 27eeea4b47739b815b2c536e46bac31215c891269ebb4633e41376aec13bd269

INFO: cha=3, rx=119, rx(dropped)=0, tx=2, powned=0, err=0^C

enable_status=2

sudo hcxdumptool -o test2.pcapng -i wlp2s0mon  --filterlist=f2-matrix.txt --filtermode=2 --enable_status=2

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp2s0mon
FILTERLIST...............: 1 entries
MAC CLIENT...............: fcc233703b20 (client)
MAC ACCESS POINT.........: 0418b60ad190 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 61990
ANONCE...................: 5fbd0055af0dcc03143a14bf3cddaa1acc31f9b755dc4900fd5bf0727f909bde

[15:03:34 - 003] b4e62a183a06 -> ffffffffffff matrix [PROBEREQUEST, SEQUENCE 2920]
[15:03:40 - 007] f4f26d25b268 -> fcc233703b20 matrix [PROBERESPONSE, SEQUENCE 1215, AP CHANNEL 8]
INFO: cha=7, rx=192, rx(dropped)=16, tx=14, powned=1, err=0^C

The same happens for option 4 and 8 as well.

BUT for some strange reason if "--enable_status=1,2,4,8" its showing the status properly.

sudo hcxdumptool -o test2.pcapng -i wlp2s0mon  --filterlist=f2-matrix.txt --filtermode=2 --enable_status=1,2,4,8

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp2s0mon
FILTERLIST...............: 1 entries
MAC CLIENT...............: f0a225ee1382 (client)
MAC ACCESS POINT.........: acde482d1654 (start NIC)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63478
ANONCE...................: 75ec843719a0d17613de85ca32cb4cd8c02b56e41d68b39f0de285c384e794f9

[14:42:05 - 001] f4f26d25b268 -> f0a225ee1382 [FOUND PMKID CLIENT-LESS]
[14:42:06 - 001] f4f26d25b268 -> e8de27125d90 [FOUND PMKID]

Please fix this issue, Thanks

Installation problem

Can't install on Ubuntu. Please help.

mohsin@mohsin-HP-Pavilion-15-Notebook-PC:~/hcxdumptool-master$ make install
cc -O3 -Wall -Wextra -std=gnu99  -o hcxdumptool hcxdumptool.c -lpthread 
make: cc: Command not found
Makefile:29: recipe for target 'build' failed
make: *** [build] Error 127

Supported adapters

Are those listed the only ones supported? I have these; can I do something with them?
Qualcomm Atheros AR928X Wireless Network Adapter (PCI-Express) (rev 01)
Atheros Communications, Inc. AR9271 802.11n 1

thank you

Start NIC??

Can anyone tell me why at MAC ACCESS POINT I am seeing "(incremented on every new client)" instead of "(start NIC)" ?? Is this why I am not receiving any PMKID's? Or is it even an issue that it's different? It runs fine, no errors, I'm just not getting any pmkid's, after it running for the guts of an hour.

hcxdumptool not filter right mac address

Here's what my capture looks like. The first two captures are from my router, the second two are not. Is this normal? Anyway, when I turn the PMKID into a hash and try to crack it, hashcat gives me the password from the wrong access point.
hcxdumptool -o hashingit -i wlan0 --filterlist=tvfp2filer.txt --filtermode=2 --enable_status=1

The MAC address that is supposed to be filtered is: 009fa9073914
The filter seems to work for a short period, then starts grabbing from all access points in the area.
Still haven't been able to capture a PMKID from 009fa9073914.

The PMKID captured belongs to 2c56dc54e238, using an AWUS036NHA. I have an AWUS036NH on the way to my house for testing.
capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
FILTERLIST...............: 1 entries
MAC CLIENT...............: fcc233dadfba
MAC ACCESS POINT.........: b025aa99a8f8 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63156
ANONCE...................: 1f963f900448da8c1182e40ba288928877f40543759cd5e6425deb3548407868

[16:26:17 - 001] 009fa9073914 -> 5c93a20b3897 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 2516]
[16:40:15 - 001] 009fa9073914 -> ccfb65942f7e [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 2651]
[17:19:39 - 001] b44bd20fd6ba -> 5c8fe0bf2984 [EAPOL 4/4 - M4 RETRY ATTACK]
[17:39:53 - 011] 2c56dc54e238 -> 5ccf7f48a404 [FOUND PMKID]
INFO: cha=11, rx=145350, rx(dropped)=3145, tx=2453, powned=3, err=0^C
terminated...

The filter is working somewhat at least, because I tried without the filter and got slammed with tons more.

big endian problem

It does not recognize frames on big endian systems. It also accesses memory outside of the buffer (because the length is not 0x30 but 0x3000).
Fixed it by changing
rth->it_len to le16toh(rth->it_len);
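The fix above is the right one: radiotap fields are little-endian on the wire, so reading it_len through the host's native byte order on a big-endian machine turns 0x0030 into 0x3000 and walks about 12 KiB past the captured frame. The following is an added example and not hcxdumptool's code: a radiotap header parser that decodes the length and the present bitmaps byte-by-byte (correct on either endianness) and refuses any length that does not fit within caplen, together with a helper that shows what the naive read would have produced. The 72-byte sample packet is constructed.

```c
/* Added example, not hcxdumptool code: parse a radiotap header without
 * trusting it_len.  Radiotap fields are little-endian on the wire, so they
 * are decoded byte-by-byte here instead of through a struct cast, and every
 * derived length is checked against caplen before a pointer is advanced. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RADIOTAP_HDR_MIN 8u   /* it_version, it_pad, it_len, first it_present word */

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* What `rth->it_len` yields when read natively on a big-endian host. */
static uint16_t rd_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

typedef struct {
    uint16_t length;          /* it_len: header length incl. all present words */
    uint32_t present;         /* first it_present word */
    const uint8_t *payload;   /* start of the 802.11 frame */
    size_t payload_len;
} radiotap_view_t;

/* Returns 1 and fills *v if the header fits within caplen, else 0. */
static int radiotap_parse(const uint8_t *buf, size_t caplen, radiotap_view_t *v)
{
    uint16_t len;
    size_t off = 4;
    uint32_t word;
    if (caplen < RADIOTAP_HDR_MIN || buf[0] != 0) return 0;   /* only version 0 exists */
    len = rd_le16(buf + 2);
    if (len < RADIOTAP_HDR_MIN || len > caplen) return 0;       /* a byte-swapped 0x3000 fails here */
    /* Bit 31 of a present word means another present word follows. */
    word = rd_le32(buf + off);
    v->present = word;
    while (word & 0x80000000u) {
        off += 4;
        if (off + 4 > len) return 0;                           /* extended bitmap runs past it_len */
        word = rd_le32(buf + off);
    }
    v->length = len;
    v->payload = buf + len;
    v->payload_len = caplen - len;
    return 1;
}

int main(void)
{
    /* Constructed: a 0x30-byte radiotap header followed by a 24-byte beacon header. */
    uint8_t pkt[0x30 + 24];
    radiotap_view_t v;
    memset(pkt, 0, sizeof pkt);
    pkt[2] = 0x30; pkt[3] = 0x00;      /* it_len = 0x0030, little-endian */
    pkt[0x30] = 0x80;                   /* frame control: beacon */
    printf("naive big-endian read of it_len: 0x%04x\n", rd_be16(pkt + 2));
    if (radiotap_parse(pkt, sizeof pkt, &v))
        printf("radiotap len %u, 802.11 payload %zu bytes, fc=0x%02x\n",
               v.length, v.payload_len, v.payload[0]);
    return 0;
}
```

The same byte-wise decoding applies to every multi-byte field behind the present bitmap (TSFT, channel frequency and flags, and so on); the length check is what matters for memory safety, the endianness fix is what makes the frames recognisable on big-endian targets such as many routers.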

Cant install tool

I downloaded the tool and tried make but I get this: make: Nothing to be done for 'all'.

Stuck!

Using an RT2080 USB card, my attack gets stuck in this state:
https://imgur.com/a/V6qyQER
Also, can someone tell me how to properly install my network drivers for this card?
Thank you!

MT76x8 support

I am on GL.iNet GL-MT300N v2 with Openwrt. I can go into monitor mode:

# iw phy phy0 interface add mon0 type monitor
# ifconfig mon0 up
# hcxdumptool -i mon0 -o /tmp/wifi.pcapng --enable_status=1

But I always get timeouts:

initialization...
warning: mon0 is probably a monitor interface

start capturing (stop with ctrl+c)
...
...
[18:10:34 - 001] 00888888002a -> e8abfa960007 [FOUND AUTHORIZED HANDSHAKE,
[18:11:52 - 001] 54600930adc4 -> c4ea1d3d2a2f [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 2894]
INFO: cha=1, rx=6194, rx(dropped)=1460, tx=599, powned=3, err=0

I compiled hcxdumptool with adde88's Makefile, without his patch.

What's wrong? How can I check whether my device is (unofficially) supported? Is the patch useful?

Filterlist larger than 64 entries

In the help output of the tool I noticed that the maximum number of entries is 64. Is it possible to increase it to a larger number, or is there some technical limitation in the implementation?

initialization hanging with rtl8192eu

Hi. I bought another adapter with the rtl8192eu chipset. I installed mange's driver and am able to use airodump. It works OK for capturing packets. But it hangs when I use hcxdumptool.

# lsusb
Bus 001 Device 002: ID 2357:0108 TP-Link TL-WN822N Version 4 RTL8192EU
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
# ip link set wlan0 down
# iw dev wlan0 set type monitor
# ip link set wlan0 up
# iw dev
phy#0
	Interface wlan0
		ifindex 3
		wdev 0x1
		addr 50:3e:aa:48:0b:48
		type monitor
		txpower 12.00 dBm

improvement to Debian package

Hi,
I'm packaging hcxdumptool for Debian.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924592

First of all, I like the hcx* tools! And I use them with wifite for pentests.

Some things could be done to improve compliance with Debian policies and make hcxdumptool even better.

Following is what Debian Lintian says about it.

P: hcxdumptool source: source-contains-empty-directory include/android-ifaddrs/

Having an empty directory in itself does not cause problems but ...
Keeping the empty directory in the source package can prevent others from contributing to the package when using tools like git-buildpackage. In this workflow the empty directory would be lost. Potentially causing errors if the installed binary package or its tests subsequently rely upon them.

I: hcxdumptool source: testsuite-autopkgtest-missing
Having a test suite aids with automated quality assurance of the archive outside of your package.

X: hcxdumptool source: debian-watch-does-not-check-gpg-signature

Of course, not all upstreams provide such signatures but you could
request them as a way of verifying that no third party has modified the
code after its release (projects such as phpmyadmin, unrealircd, and
proftpd have suffered from this kind of attack).

I found some typos:
02.fix.spellerros.txt

Thanks a lot.
Regards.
kretcheu

Trouble Installing

I'm quite new to Linux so it may be a simple fix but I just can't figure this out.

camer@user:~/hcxdumptool$ make
cc -O3 -Wall -Wextra -std=gnu99 -o hcxdumptool hcxdumptool.c -lpthread
/usr/bin/ld: cannot open output file hcxdumptool: Is a directory
collect2: error: ld returned 1 exit status
Makefile:29: recipe for target 'build' failed
make: *** [build] Error 1

Can not run it

Hi ZerBea,
I'm getting these "interface is not up" and "failed to init socket" errors.
Above these two lines, there are warnings that NetworkManager is running with pid xxx.
But after I stopped NetworkManager with "service network-manager stop", I still get these two error lines.
The command I use is "hcxdumptool -o temp.pcapng -i wlan0 -t 5 --enable_status=3".
wlan0 is my physical wireless interface, the wireless card I'm using is a TL-WN722N, and there is no error during make && make install. The system is Kali Linux.

hostapd + wpa_supplicant

Hi, have you ever heard whether your approach/code works with hostapd + wpa_supplicant?

Congratulations for your work and thank you for sharing the code.

GitHub releases

Would it be possible to tag releases such that GitHub can generate tarballs? This will help with making stable releases.

git release tag for 5.1.1 missing

It looks like 5.1.1 was released but the git tag was not pushed?
At least so far, whenever version.h was bumped it was always at the same time as a release tag.

cheers
