__ _______________________ _________._________________________ \_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/ | __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_ | \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \ \___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ / \/ \/ \/ \/ \/ \/ \/

hcxdumptool Cheatsheet

← Back to cheatsheets

← Home

hcxdumptool is a WiFi handshake capture tool designed to capture WPA/WPA2 handshakes and PMKID hashes from wireless networks. It works with monitor mode interfaces and can extract handshakes even from APs without active clients.

Basic Usage

  • hcxdumptool -i <interface> -o <output> - Basic capture
  • hcxdumptool -i wlan0mon -o capture.pcapng - Capture to file
  • hcxdumptool -i <interface> --enable_status=1 -o <output> - With status output

Interface Options

  • -i <interface> - Monitor mode interface (required)
  • --filterlist_ap=<file> - Filter list of APs (maclist)
  • --filterlist_client=<file> - Filter list of clients
  • --filterlist_mac=<file> - Combined filter list
  • --filtermode=1 - Filter mode (0=disabled, 1=AP, 2=client, 3=both)

Target Selection

  • -c <channel> - Lock to specific channel
  • --do_rcascan - Perform channel scan
  • --rcascanlist=<channels> - Channels to scan (e.g., "1,6,11")
  • --bpf=<filter> - Berkeley Packet Filter

Capture Options

  • --enable_status=1 - Enable status output
  • --enable_status=2 - Verbose status output
  • --enable_status=3 - Very verbose output
  • --disable_client_attacks - Disable client attacks
  • --disable_ap_attacks - Disable AP attacks
  • --active_beacon - Send active beacons
  • --stop_ap_attacks=<num> - Stop after N AP attacks
  • --stop_client_attacks=<num> - Stop after N client attacks

Output Options

  • -o <file> - Output file (.pcapng format)
  • -w <file> - Write PMKID to file
  • --write_status=<file> - Write status to file
  • -k <file> - Read PMKID from file

PMKID Capture

  • --enable_status=1 - Enable PMKID capture
  • -w <file> - Save PMKID hashes
  • PMKID is captured in first EAPOL message
  • No client required for PMKID capture

Handshake Capture

  • Captures 4-way handshake automatically
  • Works when clients connect/disconnect
  • Can force deauthentication for handshake

Common Examples

Basic Capture

sudo hcxdumptool -i wlan0mon -o capture.pcapng

Capture with Status

sudo hcxdumptool -i wlan0mon --enable_status=1 -o capture.pcapng

Capture Specific Channel

sudo hcxdumptool -i wlan0mon -c 6 -o capture.pcapng

Filter Specific APs

sudo hcxdumptool -i wlan0mon --filterlist_ap=ap_list.txt --filtermode=1 -o capture.pcapng

Capture PMKID Only

sudo hcxdumptool -i wlan0mon -w pmkid.txt -o capture.pcapng

Scan Specific Channels

sudo hcxdumptool -i wlan0mon --do_rcascan --rcascanlist="1,6,11" -o capture.pcapng

Verbose Output

sudo hcxdumptool -i wlan0mon --enable_status=3 -o capture.pcapng

Disable Client Attacks

sudo hcxdumptool -i wlan0mon --disable_client_attacks -o capture.pcapng

Workflow

  1. Put interface in monitor mode: sudo airmon-ng start wlan0
  2. Start capture: sudo hcxdumptool -i wlan0mon -o capture.pcapng
  3. Let it run to capture handshakes/PMKIDs
  4. Convert with hcxpcapngtool for hashcat
  5. Crack with hashcat

Tips

  • Interface must be in monitor mode (use airmon-ng or iw)
  • Requires root/sudo privileges
  • PMKID capture doesn't require active clients
  • Handshake capture works best when clients connect/disconnect
  • Use --enable_status for real-time information
  • Filter lists help focus on specific targets
  • Use -c to lock to specific channel for better results
  • Output is in pcapng format (compatible with Wireshark)
  • Always test on authorized networks only
  • Convert pcapng to hashcat format with hcxpcapngtool

← Back to cheatsheets

← Home