-
Notifications
You must be signed in to change notification settings - Fork 401
/
changelog
2372 lines (1934 loc) · 94.5 KB
/
changelog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
11.11.2024
==========
release v6.3.5
better compatibility with OpenWRT
several fixes
04.03.2024
==========
README.md: removed entire instructions how to compile hcxdumptool on different distributions
check the distribution's page how to update the ditribution, how to install missing dependencies and missing header files
25.02.2024
==========
release v6.3.4
release v6.3.3
internal BPFC compiler enabled by default
new dependency libpcap
04.02.2024
==========
hcxdumptool: changed bit mask order of exitoneapol
--exitoneapol=<type> : exit on first EAPOL occurrence:
bitmask:
1 = PMKID (from AP)
2 = EAPOL M2M3 (authorized)
4 = EAPOL M1M2/M1M2ROGUE (not authorized)
8 = EAPOL M1
06.01.2024
==========
hcxdumptool: changed option --beacon_off to --disable_beacon
04.12.2023
==========
hcxdumptool: allow to set monitor mode (-m) in combination with channel (-c) or frequency (-f)
28.12.2023
==========
hcxdumptool: do not spam channel with retries
changed SNAPLEN
22.12.2023
==========
hcxdumptool: added BE support
removed option beacontx
--beaconoff : disable internal BEACON (one BEACON/second to wildcard SSID)
08.12.2023
==========
Some drivers report incorrectly active monitor mode capability.
hcxdumptool: do not set active monitor mode by default if driver report that it is possible
removed option -p
added new option -A in case active monitor mode is working as expected
-A : ACK incoming frames
INTERFACE must support active monitor mode
28.11.2023
==========
hcxdumptool: added full featured BPF compiler
due to additional dependency (libpcap and libpcap-dev) this feature must be enabled in Makefile
added PROBEREQUEST counter to rcascan mode
added option to sort rcascan display by PROBEREQUEST counter
27.11.2023
==========
hcxdumptool: accept Berklev Packet filter code in tcpdump raw format and in tcpdump c style format
-bpf=<file> : input Berkeley Packet Filter (BPF) code (maximum 4096 instructions)
in tcpdump raw format:
example: tcpdump high level compiler:
$ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 11:22:33:44:55:66 -ddd > filter.bpf
see man pcap-filter
eample: bpf_asm low level compiler
$ bpf_asm filter.asm | tr ',' '\n' > filter.bpf
see https://www.kernel.org/doc/html/latest/networking/filter.html
example: bpfc low level compiler:
$ bpfc -f tcpdump -i filter.asm > filter.bpf
see man bpfc
in tcpdump c style format:
example: tcpdump high level compiler:
$ tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 11:22:33:44:55:66 -dd > filter.bpf
see man pcap-filter
example: bpfc low level compiler:
$ bpfc -f C -i filter.asm > filter.bpf
see man bpfc
01.11.2023
==========
release v6.3.2
23.10.2023
==========
hcxdumptool: removed option "disable_beacon" because it is replaced by option beacontx=0
01.09.2023
==========
hcxdumptool: added new option to get shart and greppable interface list
26.07.2023
==========
hcxdumptool: added compile time information to version information
$ hcxdumptool -v
hcxdumptool 6.3.1-35-g1a0930e (C) 2023 ZeroBeat
compiled by gcc 13.1.1
Linux API headers 6.3.0
compiled with glibc 2.37
Under normal circumstances, the Linux kernel version could be
greater than the "Linux API headers" version, but never less.
24.07.2023
==========
hcxdumptool: added new option to EXIT on EAPOL
--exitoneapol=<type> : exit on first EAPOL occurrence:
bitmask:
1 = PMKID
2 = EAPOL M2
4 = EAPOL M3
target BPF filter is recommended
get more information here:
https://github.com/ZerBea/hcxdumptool/issues/333#issuecomment-1647684235
03.07.2023
==========
added -Wpedantic to compiler flags and fixed all warnings
30.06.2023
==========
release v6.3.1
09.05.2023
==========
hcxdumptool: added option to remove active monitor flag
-p : do not set monitor mode: active (do not ACK incoming frames addressed to the device MAC
default monitor mode: active (ACK all incoming frames addresed to the device MAC)
This is a workaround on mt7601u devices/drivers.
Running active monitor mode, only frames addressed to the MAC of the device
or addressed to BROADCAST MAC are received. This is a driver/firmware problem!
To verify if you are affected:
run hcxdumptool
run Wireshark in parallel and set filter option to "eapol"
if Wireshark only show EAPOL M1 frames it is mandatory to disable active monitor mode
by option "-p"
Problem is reported here:
https://bugzilla.kernel.org/show_bug.cgi?id=217465
06.05.2023
==========
hcxdumptool: added option to save GPS information to pcapng dumpfile
--nmea_pcapng : write GPS information to pcapng dump file
05.05.2023
==========
release v6.3.0
Since kernel 6.3 Kernel developer decided to print a dmesg warning if tools are detected that use deprecated WEXT:
[ 2770.939021] warning: `hcxdumptool' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211
hcxdumptool used ioctl(SIOCGIWNAME) to detect presence of WEXT. That was the last remnant of WEXT code.
To get rid of this dmesg warning, this detection has been removed by latest commit.
03.05.2023
==========
hcxdumptool: changed/added several options:
$ hcxdumptool --help
hcxdumptool 6.2.9-161-gf581815 (C) 2023 ZeroBeat
usage: hcxdumptool <options>
first stop all services that take access to the interface, e.g.:
$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service
then run hcxdumptool
press ctrl+c to terminate
press GPIO button to terminate
hardware modification is necessary, read more:
https://github.com/ZerBea/hcxdumptool/tree/master/docs
stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
do not use virtual machines or emulators
do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
do not use tools to change MAC (like macchanger)
do not merge (pcapng) dump files, because this destroys assigned hash values!
short options:
-i <INTERFACE> : name of INTERFACE to be used
default: first suitable INTERFACE
warning: hcxdumptool changes the virtual MAC address of the INTERFACE
-w <outfile> : write packets to a pcapng-format file named <outfile>
default outfile name: yyyyddmmhhmmss-interfacename.pcapng
get more information: https://pcapng.com/
-c <digit> : set channel (1a,2a,36b...)
default: 1a,6a,11a
important notice: channel numbers are not unique
it is mandatory to add band information to the channel number (e.g. 12a)
band a: NL80211_BAND_2GHZ
band b: NL80211_BAND_5GHZ
band c: NL80211_BAND_6GHZ
band d: NL80211_BAND_60GHZ
band e: NL80211_BAND_S1GHZ (902 MHz)
to disable frequency management, set this option to a single frequency/channel
-f <digit> : set frequency (2412,2417,5180,...)
-F : use available frequencies from INTERFACE
-t <second> : minimum stay time (will increase on new stations and/or authentications)
default 1 seconds
-m <INTERFACE> : set monitor mode and terminate
-L : show INTERFACE list
-I <INTERFACE> : show detailed information about INTERFACE
-h : show this help
-v : show version
long options:
--bpf=<file> : input kernel space Berkeley Packet Filter (BPF) code
steps to create a BPF (it only has to be done once):
$ hcxdumptool -m <interface>
create BPF to protect MACs
$ tcpdump -i <INTERFACE> not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
recommended to protect own devices
create BPF to attack a MAC
$ tcpdump -i <INTERFACE> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
see man pcap-filter for a list of all filter options
add BPF code:
$ hcxdumptool -i <INTERFACE> --bpf=attack.bpf ...
--disable_beacon : do not transmit BEACON frames
--disable_deauthentication : do not transmit DEAUTHENTICATION/DISASSOCIATION frames
--disable_proberequest : do not transmit PROBEREQUEST frames
--disable_association : do not AUTHENTICATE/ASSOCIATE
--disable_reassociation : do not REASSOCIATE a CLIENT
--beacontx=<digit> : transmit BEACON of first n entries of ESSID list
default: 10
--proberesponsetx=<digit> : transmit PROBERESPONSEs of first n entries of ESSID list
default: 10
--essidlist=<file> : initialize ESSID list with these ESSIDs
--errormax=<digit> : set maximum allowed ERRORs
default: 100 ERRORs
--watchdogmax=<seconds> : set maximum TIMEOUT when no packets received
default: 600 seconds
--attemptclientmax=<digit> : set maximum of attempts to request an EAPOL M2
default: 10 attempts
--attemptapmax=<digit> : set maximum of received BEACONs to request a PMKID or to get a 4-way handshake
default: stop after 4 received BEACONs
--tot=<digit> : enable timeout timer in minutes
--onsigterm=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--ongpiobutton=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--ontot=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--onwatchdog=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--onerror=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--gpio_button=<digit> : Raspberry Pi GPIO pin number of button (2...27)
push GPIO button (> 10 seconds) to terminate program
default: 0 (GPIO not in use)
--gpio_statusled=<digit> : Raspberry Pi GPIO number of status LED (2...27)
default: 0 (GPIO not in use)
--nmea_dev=<NMEA device> : open NMEA device (/dev/ttyACM0, /dev/tty/USB0, ...)
baudrate = BD9600
--gpsd : use gpsd to get position
gpsd will be switched to NMEA0183 mode
--nmea_out=<outfile> : write GPS information to a nmea-format file named <outfile>
default outfile name: yyyymmddhhmmss.nmea
output: NMEA 0183 standard messages:
$GPRMC: Position, velocity, time and date
$GPGGA: Position, orthometric height, fix related data, time
$GPWPL: Position and MAC AP
$GPTXT: ESSID in HEX ASCII
use gpsbabel to convert to other formats:
gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file.gpx
gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml
get more information: https://en.wikipedia.org/wiki/NMEA_0183
--rcascan=<character> : do (R)adio (C)hannel (A)ssignment scan
default = passive scan
a = active scan
p = passive scan
--rds=<digit> : sort real time display
default: sort by time (last seen on top)
1 = sort by status (last PMKID/EAPOL on top)
--help : show this help
--version : show version
Legend
real time display:
R = + AP display: AP is in TX range or under attack
S = + AP display: AUTHENTICATION KEY MANAGEMENT PSK
P = + AP display: got PMKID
1 = + AP display: got EAPOL M1 (CHALLENGE)
3 = + AP display: got EAPOL M1M2M3 (AUTHORIZATION)
E = + CLIENT display: got EAP-START MESSAGE
2 = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE)
Notice:
This is a penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
To store entire traffic, run <tshark -i <interface> -w allframes.pcapng> in parallel
19.04.2023
==========
hcxdumptool: changed rcascan
--rcascan=<character> : do (R)adio (C)hannel (A)ssignment scan
default = passive scan
a = active scan
p = passive scan
14.04.2023
==========
hcxdumptool: added new option to sort status display
--rds=<digit> : sort real time display
default: sort by time (last seen on top)
1 = sort by status (last PMKID/EAPOL on top)
07.04.2023
==========
removed obsolete hcxpioff
refactored hcxdumptool: replaced entire hcxdumptool code by hcxlabtool code
$ hcxdumptool --help
hcxdumptool 6.2.9-22-gace924f (C) 2023 ZeroBeat
usage: hcxdumptool <options>
first stop all services that take access to the interface , e.g.:
$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service
than run hcxdumptool
press ctrl+c to terminate
press GPIO button to terminate
hardware modification is necessary, read more:
https://github.com/ZerBea/hcxdumptool/tree/master/docs
do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)
do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw
do not use virtual machines or emulators
do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)
do not use tools to change MAC (like macchanger)
stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface
short options:
-i <INTERFACE> : name of INTERFACE to be used
default: first suitable INTERFACE
warning: hcxdumptool changes the virtual MAC address of the INTERFACE
-w <outfile> : write packets to a pcapng-format file named <outfile>
default outfile name: yyyyddmmhhmmss-interfacename.pcapng
get more information: https://pcapng.com/
-c <digit> : set channel (1a,2a,36b...)
default: 1a,6a,11a
important notice: channel numbers are not unique
it is mandatory to add band information to the channel number (e.g. 12a)
band a: NL80211_BAND_2GHZ
band b: NL80211_BAND_5GHZ
band c: NL80211_BAND_6GHZ
band d: NL80211_BAND_60GHZ
band e: NL80211_BAND_S1GHZ (902 MHz)
to disable frequency management, set this option to a single frequency/channel
-f <digit> : set frequency (2412,2417,5180,...)
-F : use available frequencies from INTERFACE
-t <second> : minimum stay time (will increase on new stations and/or authentications
default 1 seconds
-m <INTERFACE> : set monitor mode and terminate
-L : show INTERFACE list
-I <INTERFACE> : show detailed information about INTERFACE
-h : show this help
-v : show version
long options:
--bpf=<file> : input kernel space Berkeley Packet Filter (BPF) code
steps to create a BPF (it only has to be done once):
$ hcxdumptool -m <interface>
create BPF to protect MACs
$ tcpdump -i <INTERFACE> not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf
recommended to protect own devices
create BPF to attack a MAC
$ tcpdump -i <INTERFACE> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf
it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)
$ tcpdump -i <interface> wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf
see man pcap-filter for a list of all filter options
add BPF code:
$ hcxdumptool -i <INTERFACE> --bpf=attack.bpf ...
--disable_beacon : do not transmit BEACON frames
--disable_deauthentication : do not transmit DEAUTHENTICATION/DISASSOCIATION frames
--disable_proberequest : do not transmit PROBEREQUEST frames
--disable_association : do not AUTHENTICATE/ASSOCIATE
--disable_reassociation : do not REASSOCIATE a CLIENT
--beacontx=<digit> : transmit BEACON of first n entries of ESSID list
default: 10
--proberesponsetx=<digit> : transmit PROBERESPONSEs of first n entries of ESSID list
default: 10
--essidlist=<file> : initialize ESSID list with this ESSIDs
--errormax=<digit> : set maximum allowed ERRORs
default: 100 ERRORs
--watchdog=<seconds> : set maximum TIMOUT when no packets received
default: 600 seconds
--attemptclientmax=<digit> : set maximum of attempts to request an EAPOL M2
default: 10 attempts
--attemptapmax=<digit> : set maximum of received BEACONs to request a PMKID or to get a 4-way handshake
default: stop after 4 received BEACONs
--tot=<digit> : enable timeout timer in minutes
--onsigterm=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--ongpiobutton=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--ongtot=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--onwatchdog=<action : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--onerror=<action> : action when the program has been terminated (poweroff, reboot)
poweroff: power off system
reboot: reboot system
--gpio_button=<digit> : Raspberry Pi GPIO pin number of button (2...27)
push GIPO button (> 10 seconds) to terminate program
default: 0 (GPIO not in use)
--gpio_statusled=<digit> : Raspberry Pi GPIO number of status LED (2...27)
default: 0 (GPIO not in use)
--nmea_dev=<NMEA device> : open NMEA device (/dev/ttyACM0, /dev/tty/USB0, ...)
baudrate = BD9600
--gpsd : use gpsd to get position
gpsd will be switched to NMEA0183 mode
--nmea_out=<outfile> : write GPS information to a nmea-format file named <outfile>
default outfile name: yyyyddmmhhmmss.nmea
output: NMEA 0183 standard messages:
$GPRMC: Position, velocity, time and date
$GPGGA: Position, orthometric height, fix related data, time
$GPWPL: Position and MAC AP
$GPTXT: ESSID in HEX ASCII
use gpsbabel to convert to other formats:
gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file_gpx
gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml
get more information: https://en.wikipedia.org/wiki/NMEA_0183
--rcascan_passive : do passive (R)adio (C)hannel (A)ssignment scan
--help : show this help
--version : show version
Legend
real time display:
R = + AP is in TX range
P = + got PMKID
M = + AP display: got EAPOL M1M2M3 (AUTHORIZATION)
M = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE)
A = + AUTHENTICATION KEY MANAGEMENT PSK
Notice:
This is a penetration testing tool!
It is made to detect vulnerabilities in your NETWORK mercilessly!
To store entire traffic, run <tshark -i <interface> -w allframes.pcapng> in parallel
06.04.2023
==========
release v6.2.9
several bug fixes
This is the last version:
that use WIRELESS EXTENSIONS
that use ETHTOOL to get/set virtual MAC address
that use old style status output
that use soft coded filter lists
that use msec timestamp
that use crypto stuff
that use server/client mode to display status
Next version will go back to the roots:
set focus on WPA PSK (WPA1, WPA2, WPA2 key version 3)
set bandwidth to 20MHz to increase range
set bitrate to lowest values to increase range
use active monitor mode
use NL80211 stack
use RTNETLINK
band a, b, c, d, e support
use NMEA messages:
$GPRMC: Position, velocity, time and date
$GPGGA: Position, orthometric height, fix related data, time
$GPWPL: Position and MAC AP
$GPTXT: ESSID in HEX ASCII
remove options that slow hcxdumptool down
10.03.2023
==========
release v6.2.8
move to OpenSSL 3.0 EVP API (from now on OPenSSL >= 3.0 is mandatory)
new options
several bug fixes
16.01.2023
==========
hcxdumptool: added option to reset an USB device without unplugging it
--reset_usb_device=<sysfs dev path>: reset USB device by BUS ID and device ID (/dev/bus/usb/bus_id/device_id
$ lsusb
Bus 005 Device 006: ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi
sysfs dev path = /dev/bus/usb/005/006
12.11.2022
==========
start moving to OpenSSL 3.0 EVP API
this is a huge step forward an will break backward compatibility
https://wiki.openssl.org/index.php/OpenSSL_3.0
07.08.2022
==========
release v6.2.7
several bug fixes
still using OpenSSL 1.1
02.06.2022
==========
hcxdumptool: added warning if a not recommended driver has been detected
31.05.2022
==========
hcxpcapngtool: added new option according to https://github.com/ZerBea/hcxdumptool/issues/220
--passive : channel management is completely disabled - initial channel must be set by a third party tool
hcxdumptool is acting like a passive dumper (silent mode)
expect possible heavy packet loss
22.04.2022
==========
release v6.2.6
several bug fixes
license update
still supporting OpenSSL 1.1
01.12.2021
==========
release v6.2.5
still supporting OpenSSL 1.1
08.11.2021
==========
hcxdumptool: replaced channel scan engine by frequency scan engine
this is high experimental
tested devices:
USB:
Bus 005 Device 060: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
Bus 005 Device 062: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter
Bus 005 Device 064: ID 148f:5572 Ralink Technology, Corp. RT5572 Wireless Adapter
Bus 005 Device 065: ID 0e8d:7612 MediaTek Inc. MT7612U 802.11a/b/g/n/ac Wireless Adapter
Bus 005 Device 066: ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n
Bus 005 Device 068: ID 0bda:8178 Realtek Semiconductor Corp. RTL8192CU 802.11n WLAN Adapter
Bus 005 Device 071: ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi
Bus 005 Device 073: ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
Bus 005 Device 075: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
Bus 005 Device 078: ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U]
Bus 005 Device 082: ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
PCI:
04:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe Wireless Network Adapter
That is neccessary because, since WiFi 6, channel numbers are no longer unique:
https://en.wikipedia.org/wiki/List_of_WLAN_channels
24.10.2021
==========
hcxdumptool: added new option to ignore ioctl() warnings
--force_interface : ignore all ioctl() warnings
do not report issues, if attacks or channel switch is not working as expected
23.10.2021
==========
added generic hcxdumptool.1 man page
22.10.2021
==========
moved install dir from usr/local/bin to /usr/bin
14.09.2021
==========
release v6.2.4
This is the last version, supporting OpenSSL 1.1
Next version 6.3.0 will need OpenSSL 3.0.0
01.09.2021
==========
hcxdumptool: added new option to the next EAP request entry contained in the sequence passed to
--eapreq with a type matching the Desired Auth Type requested in a client's Legacy NAK response
--eapreq_follownak : jump to Auth Type requested by client in Legacy Nak response, if type available in remaining request sequence
29.08.2021
==========
hcxdumptool: GPIO flash intervall not longer hardcoded
--gpio_statusled_intervall=<digit> : Raspberry Pi GPIO LED flash intervall
default = flash every 5 seconds
15.08.2021
==========
hcxdumptool: allow MAC instead of filter list
--filterlist_ap=<file or MAC> : ACCESS POINT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_client=<file or MAC> : CLIENT MAC or MAC filter list
format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
17.05.2021
==========
release v 6.1.6
get ready for gcc 11.1.0
18.03.2021
==========
hcxdumptool: added VENDOR filter
--filterlist_ap_vendor=<file> : ACCESS POINT MAC filter list by VENDOR
format: 112233, 11:22:33, 11-22-33 # comment
maximum entries 256
run first --do_rcascan to retrieve information about the target
--filterlist_client_VENDOR=<file> : CLIENT MAC filter list
format: 112233, 11:22:33, 11-22-33 # comment
maximum entries 256
due to MAC randomization of the CLIENT, it does not always work!
09.03.2021
==========
release v 6.1.6
get ready for OpenSSL 3.0
05.03.2021
==========
hcxdumptool: removed preamble option, because it is ignored by most wlan adapters
04.03.2021
==========
hcxdumptool: added new option to use short preamble
--short_preamble : use short preamble
default: use long preamble
that may not work on older devices!
23.02.2021
==========
hcxdumptool: allow output to stdout
-o <dump file> : output file in pcapng format, filename '-' outputs to stdout
including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)
14.02.2021
==========
sll_pkttype = PACKET_OUTGOING is completey ingnored in promiscuous mode
At least I found a way to detect outgoing packets.
Luckily IEEE80211_RADIOTAP_TX_FLAGS is set on outgoing packets. If we check this, we are able to ignore them.
That save us CPU time.
13.02.2021
==========
hcxdumptool: added WATCHDOG - we need that to determine if USB device died
Raspberry Pi LED will flash twice if now packet received turing the last past 600 seconds
print AGE of last received packet in status
09.02.2021
==========
started to prepare to use openssl 3.0
Many structures have been made opaque in OpenSSL 3.0 since OpenSSL 1.0.2
https://wiki.openssl.org/index.php/OpenSSL_3.0
it is recommended to upgrade to at least to OpenSSL 1.1
06.02.2021
==========
hcxdumptool: fixed handling of BE (according to hcxpcapngtool fixes)
18.01.2021
==========
hcxdumptool: added auto channel/auto band.
therefore default channel list and predefined channel lists changed!
-c <digit> : set channel (1,2,3, ...)
default: auto channel/auto band
maximum entries: 255
standard 802.11 channels (depends on device, driver and world regulatory domain):
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
36, 38, 40, 44, 48, 52, 56, 60, 64
100, 104, 108, 112, 116, 120, 124, 128
132, 136, 140, 144, 149, 153, 157, 161, 165
201, 205, 209, 213, 217, 221, 225, 229, 233
-s <digit> : set predefined scanlist
0 = auto channel/auto band (default)
1 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (optimized 2.4GHz)
2 = 1,2,3,4,5,6,7,8,9,10,11,12,13 (standard 2.4 GHz)
3 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 (standard 5GHz)
4 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 (standard 2.4GHz/5GHz)
5 = 201,205,209,213,217,221,225,229,233 (standard 6GHz)
16.01.2021
==========
hcxdumptool: added new option - rcascan ranking is no longer hard coded
--rcascan_order=digit> : rcascan sorting order:
0 = sort by HIT (PROBERESPONSE) (default)
1 = sort by COUNT (BEACON)
2 = sort by CHANNEL
14.01.2021
==========
release v 6.1.5
03.01.2021
==========
hcxdummptool: added new option to limit status of rcascan to n lines
--rcascan_max=digit> : show only n highest ranking lines
default: 256 lines
21.12.2020
==========
removed TP-LINK TL-WN722N v1 (ath9k driver) from list of working devices due to driver issue
hcxdumptool: moved from select() to pselect()
20.12.2020
==========
hcxdumptool: added tot (transmission timeout timer)
hcxdumptool will no longer freeze if driver died
this is a workaround on ath9k driver issue:
https://github.com/ZerBea/hcxdumptool/issues/80#issuecomment-748622644
not caused by hcxdumptool:
https://bugs.archlinux.org/task/68578
19.12.2020
==========
hcxdumptool: added support for 6GHz channels 201,205,209,213,217,221,225,229,233 on option -c and option -s
-s <digit> : set predefined scanlist
0 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (default)
1 = 1,2,3,4,5,6,7,8,9,10,11,12,13
2 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
3 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
4 = 201,205,209,213,217,221,225,229,233
10.12.2020
==========
Makefile: make use of pkg-config
02.12.2020
==========
release v 6.1.4
27.11.2020
==========
hcxdumptool: show openSSL version in status
24.10.2020
==========
hcxdumptool: Default channels are not longer hard coded.
Now hcxdumptool test if channel is available. That allow handling of channels
from a patched driver.
Some 2 GHz ath9k radios are actually tunable on 2312-2732 on 5 MHz steps
CHAN2G(2407, 14)
CHAN2G(2402, 15)
CHAN2G(2397, 16)
CHAN2G(2392, 17)
CHAN2G(2387, 18)
CHAN2G(2382, 19)
CHAN2G(2377, 20)
CHAN2G(2372, 21)
CHAN2G(2367, 22)
CHAN2G(2362, 23)
CHAN2G(2357, 24)
CHAN2G(2352, 25)
CHAN2G(2347, 26)
CHAN2G(2342, 27)
CHAN2G(2337, 28)
CHAN2G(2332, 29)
CHAN2G(2327, 30)
CHAN2G(2322, 31)
CHAN2G(2317, 32)
CHAN2G(2312, 33)
09.10.2020
==========
release v 6.1.3
fixed broken GPS handling
added better GPS error handling
03.10.2020
==========
hcxdumptool: added new option
--example : show some example command lines
30.09.2020
==========
hcxdumptool: added new options
--eapreq=<type><data>[:<term>],... : send max. 20 subsequent EAP requests after initial EAP ID request, hex string starting with EAP Type
response is terminated with:
:F = EAP Failure
:S = EAP Success
:I = EAP ERP Initiate
:F = EAP ERP Finish
:D = Deauthentication
:T = TLS shutdown
:- = no packet
default behavior is terminating all responses with a EAP Failure, after last one the client is deauthenticated
--eaptlstun : activate TLS tunnel negotiation and Phase 2 EAP requests when requesting PEAP using --eapreq
requires --eap_server_cert and --eap_server_key
--eap_server_cert=<server.pem> : EAP TLS tunnel Server cert PEM file
--eap_server_key=<server.key> : EAP TLS tunnel Server private key file
17.09.2020
==========
release v 6.1.2
15.09.2020
==========
hcxdumptool: added new option
--stop_client_m2_attacks=<digit> : stop attacks against CLIENTS after 10 M2 frames received
affected: ap-less (EAPOL 2/4 - M2) attack
require hcxpcangtool --all option
24.08.2020
==========
hcxdumptool: added new option
--eapreq=<type><data>[:<term>],... : send max. 20 subsequent EAP requests after initial EAP ID request, hex string starting with EAP Type
response is terminated with :F = EAP Failure, :S = EAP Success, :I = EAP ERP Initiate, :F = EAP ERP Finish,
:D = Deauthentication, :- = no packet
default behavior is terminating all responses with a Failure packet, after last one the client is deauthenticated
14.08.2020
==========
hcxdumptool: added new option --wpaent to announce WPA ENTERPRISE
06.08.2020
==========
release v 6.1.1
fixed handling of long opts
30.07.2020
==========
hcxdumptool: added new option --ip to allow to set IP for server / client mode
29.07.2020
==========
hcxdumptool: add new radiotap flag: IEEE80211_RADIOTAP_F_TX_NOSEQNO
https://patchwork.kernel.org/patch/11680527/
29.07.2020
==========
release v 6.1.0
19.07.2020
==========
hcxdumptool: new option
--beaconparams=<TLVs> : update or add Information Elements in all transmitted beacons
maximum 50 IEs as TLV hex string, tag id 0 (ESSID) will be ignored, tag id 3 (channel) overwritten
multiple IEs with same tag id are added, default IE is overwritten by the first
06.07.2020
==========
hcxdumptool: allow to set channel (-c) on --check_injection
fixed display channel if tags.channel is empty
added new option -s to set predefined scanlists
-s <digit> : set predefined scanlist
0 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (default)
1 = 1,2,3,4,5,6,7,8,9,10,11,12,13
2 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
3 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165
15.06.2020
==========
release v 6.0.7
10.06.2020
==========
hcxdumptool: changed behavior of --essidlist and --active_beacon
according to https://github.com/ZerBea/hcxdumptool/issues/115
--essidlist - transmit beacons from this list only
--active_beacon - transmit beacons from collected ESSIDs and from essidlist
21.05.2020
==========
release v 6.0.6
18.05.2020
==========
hcxdumptool: added new option --do_targetscan
--do_targetscan=<MAC_AP> : same as do_rcascan - hide all networks, except target
17.05.2020
==========
hcxdumptool: fixed issue that caused hcxdumptool to respond on probereuest even if --silent is selcted
allow MAC format 11:22:33:44:55:66 and 11-22-33-44-55-66 in filterlists
01.05.2020
==========
hcxdumptool: added option mask to save vendor defined action frames
-f <frames> : frames to save
bitmask:
0: clear default values
1: MANAGEMENT frames (default)
2: EAP and EAPOL frames (default)
4: IPV4 frames
8: IPV6 frames
16: WEP encrypted frames
32: WPA encrypted frames
64: vendor defined frames (AWDL)
05.04.2020
==========
release v 6.0.5
Security fix: We do not want to disturb uninvolved users!
Increase error count and terminate hcxdumptool if channel was changed by a third party tool.
After transmitting a request, hcxdumptool expect an answer on the same channel.
If the channel was changed by a third party tool, hcxdumptool will never get this answer and transmit again, again and again. This will jam all channels, set by the third party tool.
https://forum.hashkiller.io/index.php?threads/ap-less-attack-with-hcxtools.21036/page-4#post-237403
04.04.2020
==========
release v 6.0.4
27.03.2020
==========
hcxdumptool: ERROR_MAX not longer hard coded
--error_max=<digit> : terminate hcxdumptool if error maximum reached
default: 100 errors
26.03.2020
==========