Hcxpcaptool Footprint Question

[MtnDew]

Bit of a noob so please bear with me. I have been curious about the digital footprint hcxpcaptool leaves on AP's after reading up on the new PMKID exploit, in regards to the new exploit itself as well as how the tool generally operates.

If I understand the original notes by atom (the guy who discovered this) correctly only a single EOPOL frame is needed to recieve the response from the target(s) AP. Would the hcxpcaptool recognize when it has received a result and stop sending the EOPOL packet to the AP or would someone notice just a flood of them constantly being recieved if they were watching it with something like wireshark?

I also notice the tool can gather things like the normal 4 way handshakes as well which would involve spilling out alot of de-auth packets if the user didnt want to wait for a new device to connect.

I'm doing Google-foo in the background, this was just a specific topic I was curious about.

[whiteknight]

So the easy answer is there is no "footprint" both the pmkid and 4 way eapol attacks are based around "capturing" the bits in question. This means your radio must hear the communications and your software must record the information. The tools from the -ng suite are acceptable pieces of software for this type of attack. Your question of "footprint" is really a question of speed. here is how that breaks down.

The PMKID is contained within the 4 way eapol. So getting the EAPOL or the PMKID is entirely the same. A deauth attack is the noisy way to cause a reconnect to occur. However these packets do occur naturally when a device joins the network, thus it is possible to capture an EAPOL or PMKID without sending a single packet from your radio. Reconnects happen around a human schedule. Engaging a business? just listen between 1130 and 1400. Someone will head off campus for lunch. Engaged in a neighbourhood? Just listen between 1600 and 2000 to capture someone coming home from work. These reconnections will occur naturally and thus leave no "footprint" because you never sent a single electron.

Backtrack had a motto, "the quieter you are the more you will hear." Combine that with social engineering and you can capture your target packets.

[Zylla]

In normal situations the footprint is comparable with tools like airodump-ng or mdk3/mdk4, and can be lowered even more when disabling deauth attacks.
The PMKID can in some instances even be captured without the AP being present.

And yeah, simply capturing traffic when a client connects to the AP will capture the 4-way handshake.
If you let Kismet run for a day at home, you will find that a lot of handshakes have been captured while running.
It even allows downloading the handshakes in the browser. :)