hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - Printable Version

Thread: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (/thread-6661.html)

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 09-02-2023

From hcxdumptool changelog:

Code:
06.05.2023

There are standard and non-standard (e.g. Kismet GPS data) message formats. Nearly all GPS receivers output NMEA data. The NMEA standard is formatted in lines of data called sentences. Each sentence contains various bits of data organized in comma delimited format (i.e. data separated by commas).
https://en.wikipedia.org/wiki/NMEA_0183
https://www.tronico.fi/OH6NT/docs/NMEA0183.pdf

NMEA 0183 GPRMC, GPGGA and GPWPL sentences are directly stored to a PCAPNG CUSTOM BLOCK:
https://github.com/ZerBea/hcxdumptool/blob/db8af473686fd70c1d3b3d7571a2ed96dd7a9f01/hcxdumptool.c#L995C1-L995C30

hcxpcapngtool detects the presence of NMEA 0183 (recorded by hcxdumptool) and stores it either as NMEA 0183 or as CSV (both formats are very common and widely used):

Code:
--nmea=<file> : output GPS data in NMEA 0183 format

There is no plan to add an additional format, because the entire information is available in NMEA 0183 fields or CSV fields. Conversion to whatever you want can be done by simple bash commands or tools like gpsbabel
https://www.gpsbabel.org/
or online converters
https://duckduckgo.com/?q=nmea+0183+gps+converter&t=ffab&ia=web

Viking will show this, e.g. data converted by GPSBabel, on a map:
https://github.com/viking-gps/viking

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 09-02-2023

NMEA 0183 is well documented and there are various "how-tos" on the web, e.g.:
https://wiki.openstreetmap.org/wiki/Converting/NMEA_to_GPX

An example is here:
https://github.com/ZerBea/hcxdumptool/issues/157

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - dork4541 - 09-04-2023

Thanks! This should be enough to get started on some scripts to convert to the format I need.

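Added example, not part of the original thread and not hcxtools code: a minimal converter for the comma-delimited NMEA 0183 sentences described above, which validates the checksum, skips sentences without a valid fix, and writes decimal-degree CSV. It handles GPRMC and GPGGA only; the function names and the sample sentences are constructed for illustration.

```python
import csv
import io
from functools import reduce

def checksum(body: str) -> int:
    """NMEA 0183 checksum: XOR of every character between '$' and '*'."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)

def to_degrees(value: str, hemisphere: str) -> float:
    """Convert (d)ddmm.mmmm plus N/S/E/W into signed decimal degrees."""
    head = value.split(".")[0]
    deg = int(head[:-2]) + float(value[len(head) - 2:]) / 60
    return round(-deg if hemisphere in ("S", "W") else deg, 6)

def parse(line: str):
    """Return a dict for a valid GPRMC/GPGGA fix, otherwise None."""
    body, star, given = line.strip().lstrip("$").rpartition("*")
    try:
        if not star or int(given[:2], 16) != checksum(body):
            return None  # no checksum field, or corrupted sentence
        f = body.split(",")
        if f[0] == "GPRMC" and f[2] == "A":  # A = valid fix, V = warning
            return {"type": "RMC", "time": f[1], "date": f[9],
                    "lat": to_degrees(f[3], f[4]), "lon": to_degrees(f[5], f[6])}
        if f[0] == "GPGGA" and f[6] not in ("", "0"):  # quality 0 = no fix
            return {"type": "GGA", "time": f[1], "alt_m": float(f[9]),
                    "lat": to_degrees(f[2], f[3]), "lon": to_degrees(f[4], f[5])}
    except (ValueError, IndexError):
        pass  # truncated or malformed fields
    return None

def to_csv(text: str) -> str:
    """Convert the usable sentences of an NMEA log into CSV text."""
    out = io.StringIO()
    w = csv.DictWriter(out, ["type", "time", "date", "lat", "lon", "alt_m"], restval="")
    w.writeheader()
    w.writerows(r for r in map(parse, text.splitlines()) if r)
    return out.getvalue()

def sentence(body: str, corrupt: bool = False) -> str:
    """Build a constructed sample sentence; corrupt=True forces a wrong checksum."""
    return f"${body}*{checksum(body) ^ (0xFF if corrupt else 0):02X}"

SAMPLE = "\n".join([  # constructed input, not taken from a real capture
    sentence("GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W"),
    sentence("GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,"),
    sentence("GPGGA,123520,4807.100,S,01131.000,W,1,08,0.9,545.4,M,46.9,M,,", corrupt=True),
    sentence("GPRMC,123521,V,,,,,,,230394,,"),  # receiver reports no fix
])
```

Calling `to_csv()` on the text of a file written with `--nmea=<file>` returns the CSV as a string; here `to_csv(SAMPLE)` keeps two of the four constructed sentences.
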
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 09-04-2023

Glad to read this. Pre-processing data at runtime (to a non-standard format) takes a lot of CPU cycles. And there are a lot of them:
https://www.gpsbabel.org/capabilities.html

hcxdumptool uses and delivers these standard formats:
radiotap (interface information - taken from the interface) https://www.radiotap.org/
80211 MAC (frames - taken from the traffic) https://en.wikipedia.org/wiki/802.11_Frame_Types
NMEA 0183 (GPS - taken from the GPS receiver) https://en.wikipedia.org/wiki/NMEA_0183
pcapng (storage) https://pcapng.com
and hcxpcapngtool converts them to formats hashcat and JtR understand.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - v71221 - 10-13-2023

Hi, ZerBea! Could you kindly provide examples of launching hcxdumptool (ver6.3.1) for different attack vectors, particularly for the clients-only attack (ap-less)? I found previous examples, but in the newest hcxdumptool the options have been changed.
https://hashcat.net/forum/thread-9639-post-50750.html#pid50750
https://hashcat.net/forum/thread-6661-post-52103.html#pid52103

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-13-2023

Code:
$ sudo hcxdumptool -i INTERFACENAME --rds=1 --attemptapmax=0 -t 120

See hcxdumptool --help for more information.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - v71221 - 10-22-2023

Code:
sudo hcxdumptool -i wlan0 -w dump.pcapng --attemptapmax=0 --attemptclientmax=0

Sorry for the question, but will the above options run hcxdumptool (ver6.3.1) as a passive dumper? If not, please correct me. Yes, I read the help, but sometimes what is obvious to the Author isn't always obvious to others.

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 10-22-2023

No, because hcxdumptool still transmits its own BEACON.
This must be disabled, too:

Code:
$ sudo hcxdumptool -i wlan0 -w dump.pcapng --attemptapmax=0 --attemptclientmax=0 --disable_beacon

or on latest git head (>= 6.3.1-65-ge3c196e) additional option:

Code:
$ sudo hcxdumptool -i wlan0 -w dump.pcapng --attemptapmax=0 --attemptclientmax=0 --beacontx=0

To monitor outgoing packets run tshark in parallel on the same interface:

Code:
$ tshark -i wlan0 -Y "radiotap.present.dbm_antsignal == 0"

or run Wireshark in parallel on the same interface and apply display filter:

Code:
radiotap.present.dbm_antsignal == 0

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - oayz - 09-19-2025

Hi ZerBea,

Could you please check what's wrong with hcxhashtool converting HC22000 to JtR? Sometimes it doesn't output the "ssid:$WPAPSK$essid" part, and JtR's hash starts with PMKID:

HC22000 hash (nokopiallow.hc22000):
WPA*01*4b59ba28ed4cd75df672f5407a4204db*3c3786b931b5*b0ece1e0cb27*6e6f6b6f7069616c6c6f77***01

Running hcxhashtool.exe -i nokopiallow.hc22000 --info=nokopiallow.info:
SSID.......: nokopiallow
MAC_AP.....: 3c3786b931b5 (Unknown)
MAC_CLIENT.: b0ece1e0cb27 (Unknown)
PMKID......: 4b59ba28ed4cd75df672f5407a4204db
HASHLINE...: WPA*01*4b59ba28ed4cd75df672f5407a4204db*3c3786b931b5*b0ece1e0cb27*6e6f6b6f7069616c6c6f77***

Running hcxhashtool -i nokopiallow.hc22000 --john=nokopiallow.john:
4b59ba28ed4cd75df672f5407a4204db*3c3786b931b5*b0ece1e0cb27*6e6f6b6f7069616c6c6f77

Expected nokopiallow.john is:
$wpapsk$nokopiallow*4b59ba28ed4cd75df672f5407a4204db*3c3786b931b5*b0ece1e0cb27*6e6f6b6f7069616c6c6f77

There is also problem #2 - "normally" generated john hashes also seem to be wrong:
Tinni:$WPAPSK$Tinni#j7eCffK2b5M ...
instead of expected
$WPAPSK$Tinni*j7eCffK2b5M ...
And to keep you busy :-) trying to convert the same nokopiallow.hc22000 to cap and then to john:
hcxhash2cap.exe -c nokopiallow.cap --pmkid-eapol=nokopiallow.hc22000
wpapcap2john.exe nokopiallow.cap > nokopiallow.john

Results in another misformatted john hash:
nokopiallow:4b59ba28ed4cd75df672f5407a......c3786b931b5: MKID:nokopiallow.cap

Am I doing something wrong?

RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - ZerBea - 09-20-2025

Maybe you're running an outdated version of hcxtools or john. Please comment output of hcxhashtool -v and john.

By the way, it looks like you're running a clone of hcxtools. Where did you get hcxtools from? I ask because the latest official version from here
https://github.com/ZerBea/hcxtools
doesn't have any of the above described problems and there is absolutely no support for Microsoft products.

Running Linux and the latest version of the tools, everything is fine. The converted hash (mentioned in your post) is accepted by john

Code:
$ hcxhashtool -v

wpapcap2john produces a lot of unnecessary overhead. But both hash lines (the short one as mentioned above and the expanded one created by wpapcap2john) are accepted by john.

Where did you get john from? I ask because the latest official version from here
https://github.com/openwall/john
doesn't have any of the above described problems.

For more information about the new formats, please take a look at this:
https://github.com/openwall/john/issues/4183
https://github.com/hashcat/hashcat/issues/1816#issuecomment-566546059

To answer your question: "Am I doing something wrong?"
An update to the latest version of john and hcxtools should fix your problems.

Latest git head of the official versions:
https://github.com/openwall/john
https://github.com/hashcat/hashcat
https://github.com/ZerBea

Avoid downloading them from dubious sources!