Introduction
In this lab, you will learn the complete workflow for capturing Wi-Fi handshake data using hcxdumptool and preparing it for use in the social engineering tool, Fluxion. hcxdumptool is a powerful tool designed to capture packets from wlan devices. It specializes in obtaining PMKIDs (Pairwise Master Key Identifiers) and handshakes without needing to wait for a user to connect or to rely on deauthentication attacks.
You will go through the following process:
- Install hcxdumptool from its source code.
- Run hcxdumptool to capture network data from a simulated wireless interface.
- Use the companion tool hcxpcaptool to convert the captured data into a standard .cap file format.
- Move the converted file into the appropriate directory for Fluxion to use.
- Understand how to import and utilize this handshake within the Fluxion framework.
By the end of this lab, you will have a practical understanding of a key technique used in Wi-Fi security auditing.
Install hcxdumptool on Kali Linux
In this step, you will install hcxdumptool. Since it's not always available in the default package repositories, the most reliable way to get the latest version is to compile it from the source code available on GitHub. The setup script has already installed the necessary dependencies for you.
First, clone the official hcxdumptool repository from GitHub. All your work should be done in the ~/project directory.
git clone https://github.com/ZerBea/hcxdumptool.git
You should see output indicating the repository is being cloned:
Cloning into 'hcxdumptool'...
remote: Enumerating objects: 8133, done.
remote: Counting objects: 100% (154/154), done.
remote: Compressing objects: 100% (88/88), done.
remote: Total 8133 (delta 81), reused 125 (delta 66), pack-reused 7979
Receiving objects: 100% (8133/8133), 2.21 MiB | 5.62 MiB/s, done.
Resolving deltas: 100% (6061/6061), done.
Next, navigate into the newly created hcxdumptool directory:
cd hcxdumptool
Now, compile the source code using the make command:
make
Finally, install the compiled binary onto the system so you can run it from anywhere:
sudo make install
To verify that hcxdumptool was installed correctly, you can check its help menu:
hcxdumptool -h
This command should display a long list of available options, confirming the tool is ready to use.
Run hcxdumptool to Capture PMKIDs and Handshakes
In this step, you will use hcxdumptool to start capturing network traffic. For this lab, a simulated wireless interface named wlan0 has been created for you.
First, navigate back to your main project directory:
cd ~/project
Now, run hcxdumptool to listen on the wlan0 interface and save any captured data to a file named dump.pcapng. We will also enable a status display to see what the tool is doing.
Execute the following command. Let it run for about 10-15 seconds, and then press Ctrl+C to stop the capture process.
sudo hcxdumptool -i wlan0 -o dump.pcapng --enable_status=1
While it's running, you will see a status screen that updates in real-time:
start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
FILTERLIST...............: 0 entries
MAC CLIENT...............: 000000000000
MAC ACCESS POINT.........: 000000000000
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 63468
ANONCE...................: a1a2a3a4a5a6a7a8a9b1b2b3b4b5b6b7b8b9c1c2c3c4c5c6c7c8c9d1d2d3d4d5
[22:12:30 - 001]
After you press Ctrl+C, the tool will stop and save the capture file. You can verify that the file dump.pcapng has been created by listing the files in your current directory:
ls -l
You should see dump.pcapng in the output list.
-rw-r--r-- 1 labex labex 24 Mar 20 22:12 dump.pcapng
drwxr-xr-x 8 labex labex 4096 Mar 20 22:10 fluxion
drwxr-xr-x 3 labex labex 4096 Mar 20 22:11 hcxdumptool
Convert the Output to a .cap File using hcxpcaptool
In this step, you will convert the raw dump.pcapng file into a format that is compatible with other tools like Fluxion or Hashcat. The hcxdumptool suite includes a tool called hcxpcaptool for this purpose. It extracts the valuable handshake and PMKID information from the raw capture.
Run the following hcxpcaptool command to process your dump.pcapng file. This command will create a new file named handshake.cap containing the cleaned-up data.
hcxpcaptool -o handshake.cap dump.pcapng
- -o handshake.cap: Specifies the name of the output file.
- dump.pcapng: The input file from the previous step.
The command will produce output summarizing the conversion process. Since we are in a simulated environment with no real traffic, it's normal for it to find 0 handshakes. The goal is to learn the command workflow.
summary:
--------
file name....................: dump.pcapng
file type....................: pcapng
file hardware information....: x86_64
file os information..........: Linux 5.15.0-101-generic
file application information.: hcxdumptool 6.2.7
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: 0
packets inside...............: 1
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 0
probe requests...............: 1
probe responses..............: 0
association requests.........: 0
association responses........: 0
reassociation requests.......: 0
reassociation responses......: 0
authentications (OPEN SYSTEM): 0
authentications (BROADCOM)...: 0
EAPOL packets................: 0
EAPOL PMKIDs.................: 0
EAPOL M1M2ROGUEs.............: 0
EAPOL M2s....................: 0
EAPOL M3s....................: 0
EAPOL M4s....................: 0
found handshakes.............: 0
Now, list the files in your directory again to confirm that handshake.cap was created:
ls -l
You should now see handshake.cap in the file list.
Copy the Converted .cap File to the Fluxion Handshakes Folder
In this step, you will copy the handshake.cap file to the specific directory where Fluxion looks for pre-captured handshakes. This allows you to use the captured data in a Fluxion attack without having to capture it again within the tool itself.
The Fluxion tool, which was cloned for you during setup, has a dedicated folder for this purpose located at fluxion/attacks/HandshakeSnooper/handshakes/.
Use the cp command to copy your handshake.cap file into that directory:
cp handshake.cap fluxion/attacks/HandshakeSnooper/handshakes/
To verify that the file was copied successfully, list the contents of the destination directory:
ls -l fluxion/attacks/HandshakeSnooper/handshakes/
You should see your handshake.cap file listed in the output, along with a .gitkeep file that is there by default.
total 4
-rw-r--r-- 1 labex labex 24 Mar 20 22:14 handshake.cap
-rw-r--r-- 1 labex labex 0 Mar 20 22:10 .gitkeep
Your handshake file is now in the correct location for Fluxion to use.
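The listing above shows handshake.cap at 24 bytes, which is exactly the size of a classic pcap global header with no packet records behind it. The following check is an added example, not part of the original lab or of the hcxdumptool project: it classifies a capture by its magic number and counts the records in a classic pcap, so an empty conversion is noticed before the file is reused. The name inspect_capture and the sample bytes are constructed for illustration.

```python
import struct

# Classic pcap magic as it appears on disk -> struct byte-order prefix.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type
GLOBAL_HDR_LEN = 24   # size of the classic pcap global header
RECORD_HDR_LEN = 16   # size of each per-packet record header

# Constructed sample: a header-only classic pcap, link type 127 (radiotap).
EMPTY_CAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)


def inspect_capture(data: bytes) -> dict:
    """Classify a capture file and count packet records in a classic pcap."""
    result = {"format": "unknown", "linktype": None, "packets": None, "truncated": False}
    if data[:4] == PCAPNG_MAGIC:
        result["format"] = "pcapng"  # block-based format; records are not counted here
        return result
    order = PCAP_MAGICS.get(data[:4])
    if order is None or len(data) < GLOBAL_HDR_LEN:
        return result
    network = struct.unpack(order + "I", data[20:24])[0]
    # The low 16 bits of the last header field carry the link type.
    result.update(format="pcap", linktype=network & 0xFFFF, packets=0)
    offset = GLOBAL_HDR_LEN
    while offset < len(data):
        header = data[offset:offset + RECORD_HDR_LEN]
        if len(header) < RECORD_HDR_LEN:
            result["truncated"] = True  # file ends inside a record header
            break
        incl_len = struct.unpack(order + "I", header[8:12])[0]
        end = offset + RECORD_HDR_LEN + incl_len
        if end > len(data):
            result["truncated"] = True  # file ends inside packet data
            break
        result["packets"] += 1
        offset = end
    return result


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else EMPTY_CAP
    print(inspect_capture(data))
```

Run it with a capture path as the only argument; a result of packets 0 means the file holds a header and nothing else.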
Import and Use the Handshake within Fluxion
In this final step, we will discuss how the prepared handshake file is used within Fluxion. Running the full interactive Fluxion tool is complex and outside the scope of this lab, but it's important to understand the process.
With the handshake.cap file placed in the fluxion/attacks/HandshakeSnooper/handshakes/ directory, you have successfully prepared it for use.
In a real-world scenario, you would run Fluxion with the following commands:
cd fluxion
sudo ./fluxion.sh
After launching, you would navigate its menu system. When you select an attack that requires a handshake, such as the "Captive Portal" attack, Fluxion will give you an option to either capture a new handshake or use a pre-existing one. By choosing to use an existing one, Fluxion will automatically detect and load your handshake.cap file. You could then proceed with the rest of the attack.
The primary goal of this lab—to capture a handshake with hcxdumptool and prepare it for Fluxion—is now complete. You have successfully bridged the gap between these two powerful tools.
To confirm one last time that everything is in place, you can run the ls command again on the target directory:
ls -l /home/labex/project/fluxion/attacks/HandshakeSnooper/handshakes/handshake.cap
This command should execute without error, showing the details of your file, confirming it's ready for a real attack.
Summary
In this lab, you successfully learned the end-to-end process of using hcxdumptool to prepare handshake files for the Fluxion framework. This is a fundamental and practical skill for modern Wi-Fi security auditing.
You have mastered the following key steps:
- Installed the hcxdumptool utility by compiling it from its source code.
- Used hcxdumptool to capture raw packet data from a simulated wireless interface into a .pcapng file.
- Converted the raw capture file into the standard .cap format using the hcxpcaptool utility.
- Copied the final .cap file into the correct directory for it to be automatically recognized and used by Fluxion.
You now understand the complete workflow, from initial capture to final preparation, for using externally captured handshakes in advanced security tools.
