.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.15.
.TH HCXDUMPTOOL "1" "May 2020" "hcxdumptool 6.0.5 (C) 2020 ZeroBeat" "User Commands"
.SH NAME
hcxdumptool \- hcx tools set-N
.SH DESCRIPTION
hcxdumptool 6.0.5 (C) 2020 ZeroBeat
.br
usage : hcxdumptool
.IP
press the switch to terminate hcxdumptool
.br
hardware modification is necessary, read more: https://github.com/ZerBea/hcxdumptool/tree/master/docs
.PP
example: hcxdumptool \fB\-o\fR output.pcapng \fB\-i\fR wlp39s0f3u4u5 \fB\-t\fR 5 \fB\-\-enable_status\fR=\fI\,3\/\fR
.IP
do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon)
.br
do not use hcxdumptool in combination with third-party tools that take access to the interface (except: tshark, wireshark, tcpdump)
.PP
short options:
.PP
\fB\-i\fR : interface (monitor mode will be enabled by hcxdumptool)
.IP
some Realtek interfaces require NETLINK to set monitor mode
.br
in this case try iw:
.br
ip link set down
.br
iw dev set type monitor
.br
ip link set up
.br
WARNING:
.IP
hcxdumptool may not work as expected on virtual NETLINK interfaces
.br
do not report issues related to iw
.PP
\fB\-o\fR : output file in pcapng format
.IP
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
.PP
\fB\-f\fR : frames to save
.IP
bitmask:
.IP
0: clear default values
.br
1: MANAGEMENT frames (default)
.br
2: EAP and EAPOL frames (default)
.br
4: IPV4 frames
.br
8: IPV6 frames
.IP
16: WEP encrypted frames
.br
32: WPA encrypted frames
.br
to clear default values use \fB\-f\fR 0 first, followed by the desired frame type (e.g. \fB\-f\fR 0 \fB\-f\fR 4)
.PP
\fB\-c\fR : set scan list (1,2,3, ...)
.IP
default scan list: 1...13
.br
maximum entries: 127
.br
allowed channels (depends on the device):
.br
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
.br
32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 68, 96
.br
100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128
.br
132, 134, 136, 138, 140, 142, 144, 149, 151, 153, 155, 157, 159
.br
161, 165, 169, 173
.PP
\fB\-t\fR : stay time on channel before hopping to the next channel
.IP
default 4 seconds
.PP
\fB\-m\fR : set monitor mode by ioctl() system call and quit
.br
\fB\-I\fR : show WLAN interfaces and quit
.br
\fB\-C\fR : show available channels and quit
.IP
if no channels are available, the interface is probably in use or doesn't support monitor mode
.PP
long options:
.PP
\fB\-\-do_rcascan\fR : show radio channel assignment (scan for target access points)
.TP
this can be used to test that ioctl() calls and packet injection are working
.br
if you got no HIT, packet injection is possibly not working
.br
it can also be used to get information about the target and to determine that the target is in range
.br
use this mode to collect data for the filter list
.br
run this mode for at least 2 minutes
.br
to save all received raw packets use option \fB\-o\fR
.PP
\fB\-\-reason_code=\fR : deauthentication reason code
.TP
recommended codes:
.br
1 WLAN_REASON_UNSPECIFIED
.br
2 WLAN_REASON_PREV_AUTH_NOT_VALID
.br
4 WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY
.br
5 WLAN_REASON_DISASSOC_AP_BUSY
.br
6 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA
.br
7 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA (default)
.br
9 WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH
.PP
\fB\-\-disable_client_attacks\fR : do not attack clients
.IP
affected: ap\-less (EAPOL 2/4 \- M2) attack
.PP
\fB\-\-disable_ap_attacks\fR : do not attack access points
.IP
affected: connected clients and client\-less (PMKID) attack
.PP
\fB\-\-stop_ap_attacks=\fR : stop attacks against ACCESS POINTs if BEACONs received
.IP
default: stop after 600 BEACONs
.PP
\fB\-\-resume_ap_attacks=\fR : resume attacks against ACCESS POINTs after BEACONs
received
.IP
default: 864000 BEACONs
.PP
\fB\-\-disable_deauthentication\fR : do not send deauthentication or disassociation frames
.IP
affected: connected clients
.PP
\fB\-\-silent\fR : do not transmit!
.TP
hcxdumptool is acting like a passive dumper
.br
expect possible packet loss
.PP
\fB\-\-eapoltimeout=\fR : set EAPOL TIMEOUT (microseconds)
.IP
default: 20000 usec
.PP
\fB\-\-bpfc=\fR : input Berkeley Packet Filter (BPF) code
.TP
steps to create a BPF (it only has to be done once):
.br
set hcxdumptool monitor mode
.IP
\f(CW$ hcxdumptool -m \fR
.TP
create BPF to protect a MAC
.br
$ tcpdump \fB\-i\fR not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 \fB\-ddd\fR > protect.bpf
.br
recommended to protect own devices
.TP
or create BPF to attack a MAC
.br
$ tcpdump \fB\-i\fR wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 \fB\-ddd\fR > attack.bpf
.br
not recommended, because important pre\-authentication frames will be lost due to MAC randomization of the CLIENTs
.TP
use the BPF code
.br
$ hcxdumptool \fB\-i\fR \fB\-\-bpfc\fR=\fI\,attack\/\fR.bpf ...
.IP
see man pcap\-filter for a list of all filter options
.PP
\fB\-\-filterlist_ap=\fR : ACCESS POINT MAC filter list
.TP
format: 112233445566 + comment
.br
maximum entries 256
.br
run \fB\-\-do_rcascan\fR first to retrieve information about the target
.PP
\fB\-\-filterlist_client=\fR : CLIENT MAC filter list
.TP
format: 112233445566 # comment
.br
maximum entries 256
.br
due to MAC randomization of the CLIENT, it does not always work!
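Reading a filter list in the format documented above and turning it into the pcap-filter expression of the "protect a MAC" recipe, generalised from one MAC to every MAC in the list, so a protection list of your own devices and the matching protect.bpf come from the same file. This is an added example and not part of hcxdumptool; the sample entries are constructed, and treating both "#" and "+" as comment markers, ignoring lines that do not start with 12 hex digits, and rejecting a list of more than 256 entries are assumptions about how the tool reads the file.

```python
import re
from typing import List

# Constructed sample in the man page's format: 12 hex digits, then an optional
# comment introduced by '#' (or '+'). Used as a protection list of own devices.
SAMPLE_FILTERLIST = """
# own devices, used as a protection list (constructed sample)
112233445566 # home access point
aabbccddeeff + laptop
AABBCCDDEEFF # same laptop, different case
1122334455   # too short, rejected
112233445566 # repeated entry, kept once
"""

MAX_ENTRIES = 256   # limit stated in the man page (assumption: excess is an error)
_ENTRY_RE = re.compile(r'^([0-9a-fA-F]{12})(?:[ \t]*[#+].*)?$')

def parse_filterlist(text: str, max_entries: int = MAX_ENTRIES) -> List[str]:
    """Return the unique MACs (lowercase, 12 hex digits) of a filter list."""
    macs: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                      # blank or comment-only line
        m = _ENTRY_RE.match(line)
        if not m:
            continue                      # not 12 hex digits: not a usable entry
        mac = m.group(1).lower()
        if mac in macs:
            continue                      # duplicate, compared case-insensitively
        if len(macs) == max_entries:
            raise ValueError(f"filter list exceeds {max_entries} entries")
        macs.append(mac)
    return macs

def colon_mac(mac: str) -> str:
    """112233445566 -> 11:22:33:44:55:66, the form pcap-filter expects."""
    return ':'.join(mac[i:i + 2] for i in range(0, 12, 2))

def protect_filter(macs: List[str]) -> str:
    """pcap-filter expression dropping every frame sent to (addr1) or from
    (addr2) one of the listed devices, i.e. the page's protect recipe for
    a whole list. Feed it to tcpdump -ddd on a monitor-mode interface."""
    terms = [f"not wlan addr1 {colon_mac(m)} and not wlan addr2 {colon_mac(m)}"
             for m in macs]
    return ' and '.join(terms)
```

The returned expression is what you would pass to tcpdump -i <interface> ... -ddd > protect.bpf on an interface already in monitor mode; compiling it is not done in this block.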
.PP
\fB\-\-filtermode=\fR : mode for filter list
.TP
mandatory in combination with \fB\-\-filterlist_ap\fR and/or \fB\-\-filterlist_client\fR
.IP
0: ignore filter list (default)
.IP
1: use filter list as protection list
.br
do not interact with ACCESS POINTs and CLIENTs from this list
.IP
2: use filter list as target list
.br
only interact with ACCESS POINTs and CLIENTs from this list
.br
not recommended, because important pre\-authentication frames will be lost due to MAC randomization of the CLIENTs
.PP
\fB\-\-weakcandidate=\fR : use this pre\-shared key (8...63 characters) for weak candidate alert
.TP
will be saved to pcapng to inform hcxpcaptool
.br
default:
.PP
\fB\-\-mac_ap\fR : use this MAC as ACCESS POINT MAC instead of a randomized one
.IP
format: 112233445566
.PP
\fB\-\-mac_client\fR : use this MAC as CLIENT MAC instead of a randomized one
.IP
format: 112233445566
.PP
\fB\-\-essidlist=\fR : transmit beacons from this ESSID list
.IP
maximum entries: 256 ESSIDs
.PP
\fB\-\-active_beacon\fR : transmit beacon once every 200000 usec
.IP
affected: ap\-less
.PP
\fB\-\-flood_beacon\fR : transmit beacon on every received beacon
.IP
affected: ap\-less
.PP
\fB\-\-infinity\fR : prevent a CLIENT from establishing a connection to an assigned ACCESS POINT
.IP
affected: ACCESS POINTs and CLIENTs
.PP
\fB\-\-use_gps_device=\fR : use GPS device
.TP
\fI\,/dev/ttyACM0\/\fP, \fI\,/dev/ttyUSB0\/\fP, ...
NMEA 0183 $GPGGA $GPGGA
.PP
\fB\-\-use_gpsd\fR : use GPSD device
.IP
NMEA 0183 $GPGGA, $GPRMC
.PP
\fB\-\-nmea=\fR : save track to file
.TP
format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL
.br
to convert it to gpx, use GPSBabel:
.br
gpsbabel \fB\-i\fR nmea \fB\-f\fR hcxdumptool.nmea \fB\-o\fR gpx \fB\-F\fR file.gpx
.br
to display the track, open file.gpx with viking
.PP
\fB\-\-gpio_button=\fR : Raspberry Pi GPIO pin number of button (2...27)
.IP
default = GPIO not in use
.PP
\fB\-\-gpio_statusled=\fR : Raspberry Pi GPIO number of status LED (2...27)
.IP
default = GPIO not in use
.PP
\fB\-\-tot=\fR : enable timeout timer in minutes (minimum = 2 minutes)
.IP
hcxdumptool will terminate if tot is reached (EXIT code = 2)
.PP
\fB\-\-error_max=\fR : terminate hcxdumptool if error maximum reached
.IP
default: 100 errors
.PP
\fB\-\-reboot\fR : once hcxdumptool terminated, reboot system
.br
\fB\-\-poweroff\fR : once hcxdumptool terminated, power off system
.br
\fB\-\-enable_status=\fR : enable real\-time display (waterfall)
.TP
only incoming traffic
.br
only once at the first occurrence due to MAC randomization of CLIENTs
.br
bitmask:
.TP
0: no status (default)
.br
1: EAP and EAPOL
.br
2: ASSOCIATION and REASSOCIATION
.br
4: AUTHENTICATION
.br
8: BEACON and PROBERESPONSE
.TP
16: ROGUE AP
.br
32: GPS (once a minute)
.br
64: internal status (once a minute)
.TP
128: run as server
.br
256: run as client
.TP
characters < 0x20 or > 0x7e are replaced by .
.br
example: show everything but don't run as server or client (1+2+4+8+16 = 31)
.IP
show only EAP and EAPOL and ASSOCIATION and REASSOCIATION (1+2 = 3)
.PP
\fB\-\-server_port=\fR : define port for server status output (1...65535)
.IP
default IP: 224.0.0.255
.br
default port: 60123
.PP
\fB\-\-client_port=\fR : define port for client status read (1...65535)
.IP
default IP: 224.0.0.255
.br
default port: 60123
.PP
\fB\-\-check_driver\fR : run several tests to determine that the driver supports all(!)
required ioctl() system calls
.br
\fB\-\-check_injection\fR : run packet injection test to determine that the driver supports full packet injection
.TP
the driver must support monitor mode and full packet injection
.br
otherwise hcxdumptool will not work as expected
.PP
\fB\-\-help\fR : show this help
.br
\fB\-\-version\fR : show version
.PP
Run hcxdumptool \fB\-i\fR interface \fB\-\-do_rcascan\fR for at least 30 seconds to get information about the target!
.br
Do not edit, merge or convert these pcapng files, because it will remove optional comment fields!
.br
It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this.
.br
If hcxdumptool captured your password from WiFi traffic, you should check all your devices immediately!
.br
If you use GPS, make sure the GPS device is inserted and has a GPS FIX before you start hcxdumptool!
.SH "SEE ALSO"
The full documentation for
.B hcxdumptool
is maintained as a Texinfo manual.  If the
.B info
and
.B hcxdumptool
programs are properly installed at your site, the command
.IP
.B info hcxdumptool
.PP
should give you access to the complete manual.