.TH HCXDUMPTOOL "1" "Dec 2021" "HCXDUMPTOOL 6.2.5" "tool to capture packets from wlan devices"
.\" Text automatically generated by txt2man
.RS
.SH NAME
\fBhcxdumptool \fP- tool to capture packets from wlan devices.
\fB
.SH SYNOPSIS
.nf
.fam C
\fBhcxdumptool\fP [\fIOPTIONS\fP]

.fam T
.fi
.fam T
.fi
.SH DESCRIPTION
Tool to capture wpa handshake from Wi-Fi networks and run several tests to
determine if Wi-Fi access points or clients are vulnerable to brute-force
atacks.
.SH OPTIONS
press ctrl+c to terminate \fBhcxdumptool\fP
press GPIO button to terminate \fBhcxdumptool\fP
hardware modification is necessary, read more:
https://github.com/ZerBea/\fBhcxdumptool\fP/tree/master/docs
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not run \fBhcxdumptool\fP on logical (NETLINK) interfaces (monx, wlanxmon, prismx, \.\.\.) created by airmon-ng and iw
do not run hcxdumtool on virtual machines or emulators
do not run \fBhcxdumptool\fP in combination with tools (channel hopper), that take access to the interface (except: tshark, wireshark, tcpdump)
do not use tools like machcanger, because \fBhcxdumptool\fP run its own MAC space and will ignore this changes
stop all this services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
.RE
.PP
short options:
\fB-i\fP <interface>: interface (monitor mode will be enabled by \fBhcxdumptool\fP)
it is mandatory that the driver support \fBioctl\fP() system calls, monitor mode and full packet injection!
.RS
.PP
\fB-o\fP <dump file>: output file in pcapng format, filename '-' outputs to stdout, '+' outputs to client
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
.PP
\fB-f\fP <frames>: frames to save
.PP
.nf
.fam C
  bitmask:

  0: clear default values

  1: MANAGEMENT frames (default)

  2: EAP and EAPOL frames (default)

  4: IPV4 frames

  8: IPV6 frames

  16: WEP encrypted frames

  32: WPA encrypted frames

  64: vendor defined frames (AWDL)
  to clear default values use -f 0 first, followed by desired frame type (e.g. -f 0 -f 4)

.fam T
.fi
\fB-c\fP <digit>: set frequency (2437,2462,5600,\.\.\.) or channel (1,2,3, \.\.\.)
default: auto frequency/auto band
maximum entries: 255
0 - 1000 treated as channel
> 1000 treated as frequency in MHz
on 5GHz and 6Ghz it is recommended to use frequency instead of channel number
because channel numbers are not longer unique
standard 802.11 channels (depend on device, driver and world regulatory domain):
https://en.wikipedia.org/wiki/List_of_WLAN_channels
.PP
\fB-s\fP <digit>: set predefined scanlist
0 = auto frequency/auto band (default)
.RS
.PP
1 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13
    (optimized 2.4GHz)
.PP
2 = 1,2,3,4,5,6,7,8,9,10,11,12,13
    (standard 2.4 GHz)
.PP
3 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,
    124,128,132,136,140,144,149,153,157,161,165
    (standard 5GHz)
.PP
4 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,
    64,100,104,108,112,116,120,124,128,132,136,140,144,
    149,153,157,161,165
    (standard 2.4GHz/5GHz)
.RE
.TP
.B
\fB-t\fP <seconds>
: stay time on frequency before hopping to the next channel
default 4 seconds
\fB-m\fP <interface> : set monitor mode by \fBioctl\fP() system call and quit
.TP
.B
\fB-I\fP
: show WLAN interfaces and quit
.TP
.B
\fB-C\fP
: show available device channels and quit
if no frequencies are available, interface is probably in use or doesn't support monitor mode
if additional frequencies are available, firmware, driver and regulatory domain is probably patched
.TP
.B
\fB-h\fP
: show this help
.TP
.B
\fB-v\fP
: show version
.IP \(bu 3
long options:
.TP
.B
\fB--do_rcascan\fP
: show radio channel assignment (scan for target access points)
this can be used to test that \fBioctl\fP() calls and packet injection is working
if you got no HIT, packet injection is possible not working
also it can be used to get information about the target
and to determine that the target is in range
use this mode to collect data for the filter list
run this mode at least for 2 minutes
to save all received raw packets use option \fB-o\fP
default scanlist: channel 1 \.\.\.13
.RS
.TP
.B
\fB--rcascan_max\fP=digit>
: show only n highest ranking lines
default: 256 lines
.TP
.B
\fB--rcascan_order\fP=digit>
: rcascan sorting order:
0 = sort by PROBERESPONSE count (default)
1 = sort by BEACON count
2 = sort by CHANNEL
.TP
.B
\fB--do_targetscan\fP=<MAC_AP>
: same as do_rcascan - hide all networks, except target
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66
.TP
.B
\fB--reason_code\fP=<digit>
: deauthentication reason code
recommended codes:
1 WLAN_REASON_UNSPECIFIED
2 WLAN_REASON_PREV_AUTH_NOT_VALID
4 WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY
5 WLAN_REASON_DISASSOC_AP_BUSY
6 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA
7 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA (default)
9 WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH
.TP
.B
\fB--disable_client_attacks\fP
: do not attack clients
affected: ap-less (EAPOL 2/4 - M2) attack
.TP
.B
\fB--stop_client_m2_attacks\fP=<digit>
: stop attacks against CLIENTS after 10 M2 frames received
affected: ap-less (EAPOL 2/4 - M2) attack
require hcxpcangtool \fB--all\fP option
.TP
.B
\fB--disable_ap_attacks\fP
: do not attack access points
affected: connected clients and client-less (PMKID) attack
.TP
.B
\fB--stop_ap_attacks\fP=<digit>
: stop attacks against ACCESS POINTs if <n> BEACONs received
default: stop after 600 BEACONs
.TP
.B
\fB--resume_ap_attacks\fP=<digit>
: resume attacks against ACCESS POINTs after <n> BEACONs received
default: 864000 BEACONs
.TP
.B
\fB--disable_deauthentication\fP
: do not send deauthentication or disassociation frames
affected: conntected clients
.TP
.B
\fB--silent\fP
: do not transmit!
\fBhcxdumptool\fP is acting like a passive dumper
expect possible packet loss
.TP
.B
\fB--eapoltimeout\fP=<digit>
: set EAPOL TIMEOUT (microseconds)
default: 20000 usec
.TP
.B
\fB--eapoleaptimeout\fP=<digit>
: set EAPOL EAP TIMEOUT (microseconds) over entire request sequence
default: 2500000 usec
.TP
.B
\fB--bpfc\fP=<file>
: input kernel space Berkeley Packet Filter (BPF) code
affected: incoming and outgoing traffic - that include rca scan
steps to create a BPF (it only has to be done once):
set \fBhcxdumptool\fP monitormode
$ \fBhcxdumptool\fP \fB-m\fP <interface>
create BPF to protect a MAC
$ tcpdump \fB-i\fP <interface> not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 \fB-ddd\fP > protect.bpf
recommended to protect own devices
or create BPF to attack a MAC
$ tcpdump \fB-i\fP <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 \fB-ddd\fP > attack.bpf
it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
see man pcap-filter for a list of all filter options
to use the BPF code
$ \fBhcxdumptool\fP \fB-i\fP <interface> \fB--bpfc\fP=attack.bpf \.\.\.
notice: this is a protect/attack, a capture and a display filter
.TP
.B
\fB--filtermode\fP=<digit>
: user space filter mode for filter list
mandatory in combination with \fB--filterlist_ap\fP and/or \fB--filterlist_client\fP
affected: only outgoing traffic
notice: \fBhcxdumptool\fP act as passive dumper and it will capture the whole traffic on the channel
0: ignore filter list (default)
1: use filter list as protection list
do not interact with ACCESS POINTs and CLIENTs from this list
2: use filter list as target list
only interact with ACCESS POINTs and CLIENTs from this list
not recommended, because some useful frames could be filtered out
using a filter list doesn't have an affect on rca scan
only for testing useful - devices to be protected should be added to BPF
notice: this filter option will let \fBhcxdumptool\fP protect or attack a target - it is neither a capture nor a display filter
.TP
.B
\fB--filterlist_ap\fP=<file or MAC>
: ACCESS POINT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
run first \fB--do_rcascan\fP to retrieve information about the target
.TP
.B
\fB--filterlist_ap_vendor\fP=<file>
: ACCESS POINT VENDOR  filter list by VENDOR
format: 112233, 11:22:33, 11-22-33 # comment
maximum entries 256
run first \fB--do_rcascan\fP to retrieve information about the target
.TP
.B
\fB--filterlist_client\fP=<file or MAC>
: CLIENT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
.TP
.B
\fB--filterlist_client_VENDOR\fP=<file>
: CLIENT VENDOR filter list
format: 112233, 11:22:33, 11-22-33 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
.TP
.B
\fB--weakcandidate\fP=<password>
: use this pre shared key (8\.\.\.63 characters) for weak candidate alert
will be saved to pcapng to inform hcxpcaptool
default: 12345678
.TP
.B
\fB--essidlist\fP=<file>
: transmit beacons from this ESSID list
maximum total entries: 256 ESSIDs
.TP
.B
\fB--essidlist_wpaent\fP=<file>
: transmit WPA-Enterprise-only beacons from this ESSID list
maximum total entries: 256 ESSIDs
.TP
.B
\fB--active_beacon\fP
: transmit beacon from collected ESSIDs and from essidlist once every 10000000 nsec
affected: ap-less
.TP
.B
\fB--flood_beacon\fP
: transmit beacon on every received beacon
affected: ap-less
.TP
.B
\fB--all_m2\fP
: accept all connection attempts from a CLIENT
affected: CLIENTs
warning: that can prevent that a CLIENT can establish a connection to an assigned ACCESS POINT
.TP
.B
\fB--infinity\fP
: prevent that a CLIENT can establish a connection to an assigned ACCESS POINT
affected: ACCESS POINTs and CLIENTs
.TP
.B
\fB--beaconparams\fP=<TLVs>
: update or add Information Elements in all reactive and essidlist beacons
maximum 50 IEs as TLV hex string, tag id 0 (ESSID) will be ignored, tag id 3 (channel) overwritten
multiple IEs with same tag id are added, default IE is overwritten by the first
.TP
.B
\fB--wpaent\fP
: enable announcement of WPA-Enterprise in beacons and probe responses in addition to WPA-PSK
.PP
\fB--eapreq\fP=[<mode>:]<type><data>[:<term>],\.\.\.
send max. 20 subsequent EAP requests after initial EAP ID request, hex string starting with EAP Type
mode prefix determines layer the request is exclusively send on:
T: = only if any TLS tunnel is up, ignored otherwise
response is terminated with:
:F = EAP Failure
:S = EAP Success
:I = EAP ERP Initiate
:F = EAP ERP Finish
:D = Deauthentication
:T = TLS shutdown
:- = no packet
default behavior is terminating all responses with a EAP Failure, after last one the client is deauthenticated
.TP
.B
\fB--eapreq_follownak\fP
: jump to Auth Type requested by client in Legacy Nak response, if type available in remaining request sequence
.TP
.B
\fB--eaptlstun\fP
: activate TLS tunnel negotiation and Phase 2 EAP requests when requesting PEAP using \fB--eapreq\fP
requires \fB--eap_server_cert\fP and \fB--eap_server_key\fP
.TP
.B
\fB--eap_server_cert\fP=<server.pem>
: EAP TLS tunnel Server cert PEM file
.TP
.B
\fB--eap_server_key\fP=<server.key>
: EAP TLS tunnel Server private key file
.TP
.B
\fB--use_gps_device\fP=<device>
: use GPS device
/dev/ttyACM0, /dev/ttyUSB0, \.\.\.
NMEA 0183 $GPGGA $GPGGA
.TP
.B
\fB--use_gpsd\fP
: use GPSD device
NMEA 0183 $GPGGA, $GPRMC
.TP
.B
\fB--nmea\fP=<file>
: save track to file
format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL
to convert it to gpx, use GPSBabel:
gpsbabel \fB-i\fP nmea \fB-f\fP hcxdumptool.nmea \fB-o\fP gpx \fB-F\fP file.gpx
to display the track, open file.gpx with viking
.TP
.B
\fB--gpio_button\fP=<digit>
: Raspberry Pi GPIO pin number of button (2\.\.\.27)
default = GPIO not in use
.TP
.B
\fB--gpio_statusled\fP=<digit>
: Raspberry Pi GPIO number of status LED (2\.\.\.27)
default = GPIO not in use
.PP
\fB--gpio_statusled_intervall\fP=<digit> : Raspberry Pi GPIO LED flash intervall
default = flash every 5 seconds
.TP
.B
\fB--tot\fP=<digit>
: enable timeout timer in minutes (minimum = 2 minutes)
\fBhcxdumptool\fP will terminate if tot reached (EXIT code = 2)
for a successful attack tot > 120 minutes recommended
.TP
.B
\fB--error_max\fP=<digit>
: terminate \fBhcxdumptool\fP if error maximum reached
default: 100 errors
.TP
.B
\fB--reboot\fP
: once \fBhcxdumptool\fP terminated, reboot system
.TP
.B
\fB--poweroff\fP
: once \fBhcxdumptool\fP terminated, power off system
.TP
.B
\fB--enable_status\fP=<digit>
: enable real-time display (waterfall)
only incoming traffic
each message is displayed only once at the first occurrence to avoid spamming the real-time display
bitmask:
0: no status (default)
1: EAPOL
2: ASSOCIATION and REASSOCIATION
4: AUTHENTICATION
8: BEACON and PROBERESPONSE
16: ROGUE AP
32: GPS (once a minute)
64: internal status (once a minute)
128: run as server
256: run as client
512: EAP
1024: EAP NAK
characters < 0x20 && > 0x7e are replaced by .
example: show everything but don't run as server or client (1+2+4+8+16 = 31)
show only EAPOL and ASSOCIATION and REASSOCIATION (1+2 = 3)
.TP
.B
\fB--ip\fP=<IP address>
: define IP address for server / client (default: 224.0.0.255)
multicast, localhost or client unicast IP address on both sides
.TP
.B
\fB--server_port\fP=<digit>
: define port for server status output (1\.\.\.65535)
: default IP: 224.0.0.255
: default port: 60123
.TP
.B
\fB--client_port\fP=<digit>
: define port for client status read (1\.\.\.65535)
default IP: 224.0.0.255
default port: 60123
.TP
.B
\fB--check_driver\fP
: run several tests to determine that driver support \fBall\fP(!) required \fBioctl\fP() system calls
the driver must support monitor mode and full packet injection
otherwise \fBhcxdumptool\fP will not work as expected
.TP
.B
\fB--check_injection\fP
: run antenna test and packet injection test to determine that driver support full packet injection
packet injection will not work as expected if the Wireless Regulatory Domain is unset
.RE
.TP
.B
\fB--force_interface\fP
: ignore all \fBioctl\fP() warnings and error counter
allow \fBhcxdumptool\fP to run on a virtual NETLINK monitor interface
warning: packet injection and/or channel change may not work as expected
you have been warned: do not report issues!
.RS
.TP
.B
\fB--example\fP
: show abbreviations and example command lines
.TP
.B
\fB--help\fP
: show this help
.TP
.B
\fB--version\fP
: show version
.RE
.PP
Make sure that the Wireless Regulatory Domain is not unset!
Run \fBhcxdumptool\fP \fB-i\fP interface \fB--do_rcascan\fP for at least 30 seconds, to get information about the target!
Do not edit, merge or convert this pcapng files, because it will remove optional comment fields!
It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this,
as well as wpa-sec.stanev.org.
If \fBhcxdumptool\fP captured your password from WiFi traffic, you should check all your devices immediately!
If you use GPS, make sure GPS device is inserted and has a GPS FIX, before you start \fBhcxdumptool\fP!
Recommended tools to show additional 802.11 fields or to decrypt WiFi traffic: Wireshark and/or tshark
Recommended tool to convert hashes to formats that hashcat and JtR understand: hcxpcapngtool
Recommended tool to get possible PSKs from pcapng file: hcxpcapngtool
Important notice:
Using filter options, could cause that some useful frames are filtered out!
In that case hcxpcapngtool will show a warning that this frames are missing!
Use SIGHUB with care, because it will impact \fBpselect\fP()
.SH AUTHOR
Written by ZeroBeat <zerobeat@gmx.de>.
.PP
This manual page was written by Paulo Roberto Alves de Oliveira (aka kretcheu)
<kretcheu@gmail.com> for the Debian project (but may be used by others).
.SH COPYRIGHT
Copyright 2000-2021 ZeroBeat.
.PP
License MIT.