- hcxtools
- List of hcxtools toolkit
- hcxtools Help
- hcxpcapngtool Help
- hcxpcapngtool usage examples
hcxtools
A set of tools for converting captured Wi-Fi frames. It is able to convert between different formats and hashes for use with the latest versions of Hashcat or John the Ripper.
The letters in the title mean:
- h = hash
- c = capture, convert and calculate candidates – now the capture function is divided into a separate program hcxdumptool.
- x = different hashtypes
These tools are 100% compatible with hashcat and John the Ripper and are recommended by the Hashcat author. New releases of hcxtools are kept closely synchronized with the latest versions of hashcat on Git (meaning: the latest hcxtools match the latest hashcat beta) and with the John the Ripper (“bleeding-jumbo”) Git branch.
The following hash modes are supported for hashcat: 4800, 5500, 2200x, 16100, 250x (deprecated), 1680x (deprecated)
The following hash modes are supported for John the Ripper: WPAPSK-PMK, PBKDF2-HMAC-SHA1, chap, netntlm, tacacs-plus.
It supports hashes (one file per archive) compressed in gzip (.gz) format.
List of hcxtools toolkit
Tool | Description |
---|---|
hcxpcapngtool | Converts captured wireless frames with handshakes and PMKIDs to hashes of the new hashcat 22000 format. |
hcxhashtool | Shows information about PMKID/EAPOL hashes and provides various filtering operations with new PMKID/EAPOL hashes. |
hcxpsktool | Generates password candidates for hashcat and john to brute force based on hcxpcapngtool output or command line input. |
hcxpmktool | Calculate and verify a PSK and/or a PMK |
hcxeiutool | Prepares dictionaries obtained from the output of the hcxpcapngtool command when using the -E, -I, and -U options for use in a hashcat + rule or JtR + rule. |
hcxwltool | Calculates candidates for hashcat and john based on mixed wordlists |
hcxhash2cap | Converts hash file (PMKID&EAPOL, PMKID, EAPOL-hccapx, EAPOL-hccap, WPAPSK-john) to cap |
wlancap2wpasec | Upload multiple (gzip compressed) pcapng, pcap and cap files to https://wpa-sec.stanev.org |
whoismac | Show vendor information and/or download oui reference list |
hcxtools Help
hcxtools is the common name for a set of tools; each performs only one specific function and has its own set of options.
hcxpcapngtool Help
Converts captured wireless frames with handshakes and PMKIDs to hashes of the new hashcat 22000 format.
```
hcxpcapngtool
hcxpcapngtool input.pcapng
hcxpcapngtool *.pcapng
hcxpcapngtool *.pcap
hcxpcapngtool *.cap
hcxpcapngtool *.*
```

```
short options:
-o : output WPA-PBKDF2-PMKID+EAPOL hash file (hashcat -m 22000)
     get full advantage of reuse of PBKDF2 on PMKID and EAPOL
-E : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker
     retrieved from every frame that contain an ESSID
-R : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker
     retrieved from PROBEREQUEST frames only
-I : output unsorted identity list to use as input wordlist for cracker
-U : output unsorted username list to use as input wordlist for cracker
-D : output device information list
     format MAC MANUFACTURER MODELNAME SERIALNUMBER DEVICENAME UUID
-h : show this help
-v : show version

long options:
--all                       : convert all possible hashes instead of only the best one
                              that can lead to much overhead hashes
                              use hcxhashtool to filter hashes
                              need hashcat --nonce-error-corrections >= 8
--eapoltimeout=             : set EAPOL TIMEOUT (milliseconds)
                            : default: 5000 ms
--nonce-error-corrections=  : set nonce error correction
                              warning: values > 0 can lead to uncrackable handshakes
                            : default: 0
--ignore-ie                 : do not use CIPHER and AKM information
                              this will convert all frames regadless of
                              CIPHER and/OR AKM information,
                              and can lead to uncrackable hashes
--max-essids=               : maximum allowed ESSIDs
                              default: 1 ESSID
                              disregard ESSID changes and take ESSID with highest ranking
--eapmd5=                   : output EAP MD5 CHALLENGE (hashcat -m 4800)
--eapmd5-john=              : output EAP MD5 CHALLENGE (john chap)
--eapleap=                  : output EAP LEAP and MSCHAPV2 CHALLENGE (hashcat -m 5500, john netntlm)
--tacacs-plus=              : output TACACS PLUS (hashcat -m 16100, john tacacs-plus)
--nmea=                     : output GPS data in NMEA format
                              format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL
                              to convert it to gpx, use GPSBabel:
                              gpsbabel -i nmea -f hcxdumptool.nmea -o gpx,gpxver=1.1 -F hcxdumptool.gpx
                              to display the track, open file.gpx with viking
--csv=                      : output ACCESS POINT information in CSV format
                              delimiter: tabulator (0x08)
                              columns:
                              YYYY-MM-DD HH:MM:SS MAC_AP ESSID ENC_TYPE CIPHER AKM COUNTRY_INFO CHANNEL RSSI GPS(DM.m) GPS(D.d) GPSFIX SATCOUNT HDOP ALTITUDE UNIT
                              to convert it to other formats, use bash tools or scripting languages
                              GPS FIX:
                              0 = fix not available or invalid
                              1 = fix valid (GPS SPS mode)
                              2 = fix valid (differential GPS SPS Mode)
                              3 = not supported
                              4 = not supported
                              5 = not supported
                              6 = fix valid (Dead Reckoning Mode)
--log=                      : output logfile
--raw-out=                  : output frames in HEX ASCII
                            : format: TIMESTAMP*LINKTYPE*FRAME*CHECKSUM
--raw-in=                   : input frames in HEX ASCII
                            : format: TIMESTAMP*LINKTYPE*FRAME*CHECKSUM
--pmkid=                    : output deprecated PMKID file (delimter *)
--hccapx=                   : output deprecated hccapx v4 file
--hccap=                    : output deprecated hccap file
--john=                     : output deprecated PMKID/EAPOL (JtR wpapsk-opencl/wpapsk-pmk-opencl)
--prefix=                   : convert everything to lists using this prefix (overrides single options):
                               -o            : output PMKID/EAPOL hash file
                               -E            : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker
                               -I            : output unsorted identity list to use as input wordlist for cracker
                               -U            : output unsorted username list to use as input wordlist for cracker
                              --eapmd5=      : output EAP MD5 CHALLENGE (hashcat -m 4800)
                              --eapleap=     : output EAP LEAP and MSCHAPV2 CHALLENGE (hashcat -m 5500, john netntlm)
                              --tacacs-plus= : output TACACS+ (hashcat -m 16100, john tacacs-plus)
                              --nmea=        : output GPS data in NMEA format
--help                      : show this help
--version                   : show version
```
Bitmask of message pair field:
```
2,1,0:
 000 = M1+M2, EAPOL from M2 (challenge)
 001 = M1+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
 010 = M2+M3, EAPOL from M2 (authorized)
 011 = M2+M3, EAPOL from M3 (authorized) - unused
 100 = M3+M4, EAPOL from M3 (authorized) - unused
 101 = M3+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
3: reserved
4: ap-less attack (set to 1) - nonce-error-corrections not required
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory
```
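When reviewing converted handshakes from an assessment, the message pair byte can be decoded mechanically. The following is an added example, not code from hcxtools or from this README: the function names are hypothetical, and it assumes the hashcat 22000 line layout, in which the message pair is the last of nine `*`-separated fields of a `WPA*02` line (that layout is not described on this page). The sample line is constructed.

```python
# Added example (not hcxtools code): decode the message pair byte per the table above.
PAIRS = {  # bits 2,1,0 -> (messages, EAPOL taken from, state, note)
    0b000: ("M1+M2", "M2", "challenge", ""),
    0b001: ("M1+M4", "M4", "authorized", "usable if NONCE_CLIENT is not zeroed"),
    0b010: ("M2+M3", "M2", "authorized", ""),
    0b011: ("M2+M3", "M3", "authorized", "unused"),
    0b100: ("M3+M4", "M3", "authorized", "unused"),
    0b101: ("M3+M4", "M4", "authorized", "usable if NONCE_CLIENT is not zeroed"),
}
FLAGS = {  # bit number -> (meaning, nonce-error-corrections remark from the table)
    4: ("ap-less attack", "not required"),
    5: ("LE router detected", "required only on LE"),
    6: ("BE router detected", "required only on BE"),
    7: ("replaycount not checked", "mandatory"),
}


def decode_message_pair(value: int) -> dict:
    """Split one message pair byte into the fields of the bitmask table."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"message pair must fit in one byte: {value!r}")
    pair = PAIRS.get(value & 0b111)
    if pair is None:  # 110 and 111 are not listed in the table
        raise ValueError(f"bits 2..0 = {value & 0b111:03b} are not defined")
    messages, eapol_from, state, note = pair
    return {
        "messages": messages, "eapol_from": eapol_from,
        "state": state, "note": note,
        "reserved_bit_set": bool(value & 0x08),
        "flags": {FLAGS[b][0]: FLAGS[b][1] for b in FLAGS if value & (1 << b)},
    }


def message_pair_of(hashline: str):
    """Return the decoded message pair of a WPA*02 (EAPOL) line, else None."""
    fields = hashline.strip().split("*")
    # Assumed layout: WPA*02*MIC*MAC_AP*MAC_CLIENT*ESSID*NONCE_AP*EAPOL*MESSAGEPAIR
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] != "02":
        return None  # PMKID (WPA*01) lines and unrecognised lines are skipped
    return decode_message_pair(int(fields[8], 16))


# Constructed sample line: every value is a placeholder, not a real capture.
SAMPLE = ("WPA*02*" + "0" * 32 + "*0011223344aa*0011223344bb*6c6162*"
          + "0" * 64 + "*0103*a2")

if __name__ == "__main__":
    print(message_pair_of(SAMPLE))
```

A `challenge` result (M1+M2) only shows that a client attempted to authenticate, while the `authorized` combinations come from a handshake the access point accepted.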
Do not edit, merge or convert pcapng files! This will remove optional comment fields!
Detection of bit errors does not work on cleaned dump files!
Do not use hcxpcapngtool in combination with third party cap/pcap/pcapng cleaning tools (except: tshark and/or Wireshark)! It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this.
Recommended tools to show additional 802.11 fields or to decrypt WiFi traffic: Wireshark and/or tshark
Recommended tool to filter converted hash by several options: hcxhashtool
Recommended tool to get default or standard PSKs: hcxpsktool
Recommended tool to calculate wordlists based on ESSID: hcxeiutool
Recommended tools to retrieve PSK from hash: hashcat, JtR
hcxpcapngtool usage examples
Convert captured wireless frames (dumpfile.pcapng file) to hashes (will be saved to hash.hc22000 file) with extraction of password candidates (will be saved to wordlist.txt file):
hcxpcapngtool -o hash.hc22000 -E wordlist.txt dumpfile.pcapng
warecrer/Hcxpcaptool
A small set of tools to convert packets from captures (h = hash, c = capture, convert and calculate candidates, x = different hashtypes) for use with the latest hashcat or John the Ripper. The tools are 100% compatible with hashcat and John the Ripper and recommended by hashcat. This branch is pretty closely synced to the hashcat git branch (that means: latest hcxtools matching on latest hashcat beta) and the John the Ripper git branch («bleeding-jumbo»).
Support for hashcat hash-modes: 2500, 2501, 4800, 5500, 12000, 16100, 16800, 16801
Support for John the Ripper hash-modes: WPAPSK-PMK, PBKDF2-HMAC-SHA1, chap, netntlm, tacacs-plus
After capturing, upload the «uncleaned» cap here (https://wpa-sec.stanev.org/?submit) to see if your AP or the client is vulnerable by using common wordlists. Convert the cap to hccapx and/or to a WPA-PMKID-PBKDF2 hashline (16800) and check if the wlan-key or plainmasterkey was transmitted unencrypted.
Multiple stand-alone binaries — designed to run on Arch Linux.
All of these utils are designed to execute only one specific function.
Read this post: hcxtools — solution for capturing wlan traffic and conversion to hashcat formats (https://hashcat.net/forum/thread-6661.html)
Tool | Description |
---|---|
hcxpcaptool | Shows info of pcap/pcapng file and convert it to other hashformats accepted by hashcat and John the Ripper |
hcxhashcattool | Calculate PMKs from hashcat -m 2500 potfile |
wlanhcx2cap | Converts hccapx to cap |
wlanhc2hcx | Converts hccap to hccapx |
wlanwkp2hcx | Converts wkp (Elcomsoft EWSA project file) to hccapx |
wlanhcx2essid | Merges hccapx containing the same ESSID |
wlanhcx2ssid | Strips BSSID, ESSID, OUI |
wlanhcxinfo | Shows detailed info from contents of hccapxfile |
wlanhcxmnc | Helps to calculate hashcat’s nonce-error-corrections value on byte number xx of an anonce |
wlanhashhcx | Generate hashlist from hccapx hashfile (md5_64 hash:mac_ap:mac_sta:essid) |
wlanhcxcat | Simple password recovery tool for WPA/WPA2/WPA2 SHA256 AES-128-CMAC (hash-modes 2500, 2501) |
wlanpmk2hcx | Converts plainmasterkey and ESSID for use with hashcat hash-mode 12000 or john PBKDF2-HMAC-SHA1 |
wlanjohn2hcx | Converts john wpapsk hashfiles for use with hashcat hash-modes 2500, 2501 |
wlancow2hcxpmk | Converts pre-computed cowpatty hashfiles for use with hashcat hash-mode 2501 |
wlanhcx2john | Converts hccapx to format expected by John the Ripper |
wlanhcx2psk | Calculates candidates for hashcat based on the hccapx file |
wlancap2wpasec | Upload multiple caps to https://wpa-sec.stanev.org |
whoismac | Show vendor information and/or download oui reference list |
```
make
make install (as super user)
```
- Linux (Arch Linux recommended; other distros should work too, but there is no support for other distributions)
- libopenssl and openssl-dev installed
- librt and librt-dev installed (should be installed by default)
- zlib and zlib-dev installed (for gzip compressed cap/pcap/pcapng files)
- libcurl and curl-dev installed (used by whoismac and wlancap2wpasec)
- libpthread and pthread-dev installed (used by hcxhashcattool)
To install the requirements on Kali, use the following: ‘apt-get install libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev’
Script | Description |
---|---|
piwritecard | Example script to restore SD-Card |
piwreadcard | Example script to backup SD-Card |
Most output files will be appended to existing files (with the exception of .cap files).
Bitmask message pair field (hcxpcaptool)
4: ap-less attack (set to 1) — no nonce-error-corrections necessary
5: LE router detected (set to 1) — nonce-error-corrections only for LE necessary
6: BE router detected (set to 1) — nonce-error-corrections only for BE necessary
7: not replaycount checked (set to 1) — replaycount not checked, nonce-error-corrections definitely necessary