hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
From hcxdumptool changelog:
Code:
06.05.2023
==========
hcxdumptool: added option to save GPS information to pcapng dumpfile
--nmea_pcapng                  : write GPS information to pcapng dump file

There are standard and non-standard (e.g. Kismet GPS data) message formats. Nearly all GPS receivers output NMEA data. The NMEA standard is formatted in lines of data called sentences. Each sentence contains various bits of data organized in comma delimited format (i.e. data separated by commas).
https://en.wikipedia.org/wiki/NMEA_0183
https://www.tronico.fi/OH6NT/docs/NMEA0183.pdf

NMEA 0183 GPRMC, GPGGA and GPWPL sentences are directly stored to a PCAPNG CUSTOM BLOCK:
https://github.com/ZerBea/hcxdumptool/bl...C1-L995C30

hcxpcapngtool detects the presence of NMEA 0183 (recorded by hcxdumptool) and stores it either as NMEA 0183 or as CSV (both formats are very common and widely used):
Code:
--nmea=<file>                      : output GPS data in NMEA 0183 format
                                     format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL
                                     to convert it to gpx, use GPSBabel:
                                     gpsbabel -i nmea -f hcxdumptool.nmea -o gpx,gpxver=1.1 -F hcxdumptool.gpx
                                     to display the track, open file.gpx with viking
--csv=<file>                       : output ACCESS POINT information in CSV format
                                     delimiter: tabulator (0x08)
                                     columns:
                                     YYYY-MM-DD HH:MM:SS MAC_AP ESSID ENC_TYPE CIPHER AKM COUNTRY_INFO CHANNEL RSSI GPS(DM.m) GPS(D.d) GPSFIX SATCOUNT HDOP ALTITUDE UNIT
                                     to convert it to other formats, use bash tools or scripting languages
                                     GPS FIX:
                                     0 = fix not available or invalid
                                     1 = fix valid (GPS SPS mode)
                                     2 = fix valid (differential GPS SPS Mode)
                                     3 = not supported
                                     4 = not supported
                                     5 = not supported
                                     6 = fix valid (Dead Reckoning Mode)

There is no plan to add an additional format, because the entire information is available in NMEA 0183 fields or CSV fields.
Conversion to whatever you want can be done by simple bash commands or tools like
gpsbabel
https://www.gpsbabel.org/
or online converters
https://duckduckgo.com/?q=nmea+0183+gps+...fab&ia=web

Viking will show, e.g., data converted by GPSBabel on a map:
https://github.com/viking-gps/viking
Reply
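To illustrate the NMEA 0183 handling described in the post above, here is an added example (not code from hcxtools or from the poster) that checks a sentence's checksum, drops sentences without a valid fix, and converts the DM.m position to D.d. The function names and the sample sentences are constructed for this illustration.

```python
from functools import reduce

def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two uppercase hex digits."""
    return f"{reduce(lambda acc, b: acc ^ b, body.encode('ascii'), 0):02X}"

def dm_to_decimal(value: str, hemisphere: str) -> float:
    """Convert NMEA (d)ddmm.mmm plus N/S/E/W to signed decimal degrees."""
    dot = value.index(".")
    degrees, minutes = int(value[:dot - 2]), float(value[dot - 2:])
    decimal = degrees + minutes / 60.0
    return -decimal if hemisphere in ("S", "W") else decimal

def parse_sentence(line: str):
    """Return a dict for a usable $GPGGA/$GPRMC sentence, else None."""
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        return None
    body, _, given = line[1:].rpartition("*")
    try:
        if nmea_checksum(body) != given.upper():
            return None                      # corrupted or truncated line
        f = body.split(",")
        if f[0] == "GPGGA" and f[6] != "0":  # 0 = fix not available or invalid
            return {"type": "GGA", "lat": dm_to_decimal(f[2], f[3]),
                    "lon": dm_to_decimal(f[4], f[5]), "fix": int(f[6]),
                    "sats": int(f[7]), "hdop": float(f[8]), "alt": float(f[9])}
        if f[0] == "GPRMC" and f[2] == "A":  # A = valid, V = receiver warning
            return {"type": "RMC", "lat": dm_to_decimal(f[3], f[4]),
                    "lon": dm_to_decimal(f[5], f[6]), "date": f[9]}
    except (IndexError, ValueError):
        return None                          # missing or non-numeric field
    return None

def build(body: str) -> str:
    """Helper for the constructed samples: append the correct checksum."""
    return f"${body}*{nmea_checksum(body)}"

# Constructed sample input, not taken from a real capture.
SAMPLES = [
    build("GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,"),
    build("GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W"),
    build("GPRMC,123520,V,,,,,,,230394,,"),         # void: no position yet
]
SAMPLES.append(SAMPLES[0].replace("4807", "4907"))  # altered after checksum

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_sentence(s))
```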
NMEA 0183 is well documented and there are various "how-to"s on the web, e.g.:
https://wiki.openstreetmap.org/wiki/Conv...MEA_to_GPX

An example is here:
https://github.com/ZerBea/hcxdumptool/issues/157
Reply
Thanks! This should be enough to get started on some scripts to convert to the format I need.
Reply
Glad to read this.

Pre-processing data at runtime (to a non-standard format) takes a lot of CPU cycles.

And there are a lot of them:
https://www.gpsbabel.org/capabilities.html

hcxdumptool uses and delivers these standard formats:

radiotap (interface information - taken from the interface)
https://www.radiotap.org/

80211 MAC (frames - taken from the traffic)
https://en.wikipedia.org/wiki/802.11_Frame_Types

NMEA 0183 (GPS - taken from the GPS receiver)
https://en.wikipedia.org/wiki/NMEA_0183

pcapng (storage)
https://pcapng.com

and hcxpcapngtool converts them to formats hashcat and JtR understand.
Reply
Hi, ZerBea! Could you kindly provide examples of launching the hcxdumptool (ver6.3.1) for different attack vectors, particularly for clients-only attack (ap-less).

I found previous examples, but in the newest hcxdumptool the options have been changed.
https://hashcat.net/forum/thread-9639-po...l#pid50750
https://hashcat.net/forum/thread-6661-po...l#pid52103
Reply
Code:
$ sudo hcxdumptool -i INTERFACENAME  --rds=1  --attemptapmax=0 -t 120

See hcxdumptool --help for more information.
Reply
Code:
sudo hcxdumptool -i wlan0 -w dump.pcapng --attemptapmax=0 --attemptclientmax=0

Sorry for the question, but will the above options run hcxdumptool (ver6.3.1) as a passive dumper?
If not, please correct me.
Yes, I read the help, but sometimes what is obvious to the Author isn't always obvious to others.
Reply
No, because hcxdumptool still transmits its own BEACON.

This must be disabled, too:
Code:
$ sudo hcxdumptool -i wlan0 -w dump.pcapng --attemptapmax=0 --attemptclientmax=0 --disable_beacon

or on latest git head (>= 6.3.1-65-ge3c196e) additional option:
Code:
$ sudo hcxdumptool -i wlan0 -w dump.pcapng --attemptapmax=0 --attemptclientmax=0 --beacontx=0

To monitor outgoing packets run tshark in parallel on the same interface:
Code:
$ tshark -i wlan0 -Y "radiotap.present.dbm_antsignal == 0"

or run WireShark in parallel on the same interface and apply display filter:
Code:
radiotap.present.dbm_antsignal == 0
Reply
Hi ZerBea,

Could you please check what's wrong with hcxhashtool converting HC22000 to JtR? Sometimes it doesn't output the "ssid:$WPAPSK$essid" part; JtR's hash starts with PMKID:

HC22000 hash (nokopiallow.hc22000):
WPA*01*4b59ba28ed4cd75df672f5407a4204db*3c3786b931b5*b0ece1e0cb27*6e6f6b6f7069616c6c6f77***01

Running hcxhashtool.exe -i nokopiallow.hc22000 --info=nokopiallow.info:
SSID.......: nokopiallow
MAC_AP.....: 3c3786b931b5 (Unknown)
MAC_CLIENT.: b0ece1e0cb27 (Unknown)
PMKID......: 4b59ba28ed4cd75df672f5407a4204db
HASHLINE...: WPA*01*4b59ba28ed4cd75df672f5407a4204db*3c3786b931b5*b0ece1e0cb27*6e6f6b6f7069616c6c6f77***

Running hcxhashtool -i nokopiallow.hc22000 --john=nokopiallow.john:
4b59ba28ed4cd75df672f5407a4204db*3c3786b931b5*b0ece1e0cb27*6e6f6b6f7069616c6c6f77

Expected nokopiallow.john is:
$wpapsk$nokopiallow*4b59ba28ed4cd75df672f5407a4204db*3c3786b931b5*b0ece1e0cb27*6e6f6b6f7069616c6c6f77

There is also problem #2 - "normally" generated john hashes also seem to be wrong:
Tinni:$WPAPSK$Tinni#j7eCffK2b5M ...
instead of expected
$WPAPSK$Tinni*j7eCffK2b5M ...

And to keep you busy :-) trying to convert the same nokopiallow.hc22000 to cap and then to john:
hcxhash2cap.exe -c nokopiallow.cap --pmkid-eapol=nokopiallow.hc22000
wpapcap2john.exe nokopiallow.cap  > nokopiallow.john

Results in another misformatted john hash:
nokopiallow:4b59ba28ed4cd75df672f5407a......c3786b931b5:PMKID:nokopiallow.cap

Am I doing something wrong?
Reply
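As a way to inspect a hash line like the one in the post above independently of any converter, here is an added example (not hcxtools code) that splits an hc22000 line into its fields and rejects malformed lines. The field layout follows the hashcat mode 22000 line format; the function names are hypothetical and the sample is the line quoted in the post.

```python
import re

_HEX = re.compile(r"[0-9a-fA-F]*")

def _hex(name: str, value: str, length=None) -> str:
    """Require a hex string, optionally of an exact length."""
    if not _HEX.fullmatch(value) or (length is not None and len(value) != length):
        raise ValueError(f"{name}: expected {length or 'only'} hex characters")
    return value.lower()

def parse_hc22000(line: str) -> dict:
    """Split one hc22000 line into named fields; raise ValueError if malformed."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA":
        raise ValueError("expected 9 '*'-separated fields starting with WPA")
    kind, digest, mac_ap, mac_client, essid, anonce, eapol, msgpair = f[1:]
    if kind not in ("01", "02"):
        raise ValueError("type must be 01 (PMKID) or 02 (EAPOL)")
    if len(essid) % 2 or len(essid) > 64:      # an SSID is at most 32 octets
        raise ValueError("ESSID: odd length or longer than 32 octets")
    if kind == "01" and (anonce or eapol):
        raise ValueError("PMKID line must leave ANONCE and EAPOL empty")
    if kind == "02":
        _hex("ANONCE", anonce, 64)
        if not eapol:
            raise ValueError("EAPOL line is missing the EAPOL frame")
        _hex("EAPOL", eapol)
    return {
        "type": "PMKID" if kind == "01" else "EAPOL",
        "digest": _hex("PMKID/MIC", digest, 32),
        "mac_ap": _hex("MAC_AP", mac_ap, 12),
        "mac_client": _hex("MAC_CLIENT", mac_client, 12),
        "essid": bytes.fromhex(_hex("ESSID", essid)).decode("utf-8", "replace"),
        "message_pair": msgpair,
    }

# Hash line quoted in the post above.
SAMPLE = ("WPA*01*4b59ba28ed4cd75df672f5407a4204db*3c3786b931b5*"
          "b0ece1e0cb27*6e6f6b6f7069616c6c6f77***01")

if __name__ == "__main__":
    for key, value in parse_hc22000(SAMPLE).items():
        print(f"{key:13}: {value}")
```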
Maybe you're running an outdated version of hcxtools or john. Please comment with the output of hcxhashtool -v and john.
By the way, it looks like you're running a clone of hcxtools. Where did you get hcxtools from?
I asked because the latest official version from here https://github.com/ZerBea/hcxtools doesn't have any of the above described problems and there is absolutely no support for Microsoft products.

Running Linux and the latest version of the tools, everything is fine. The converted hash (mentioned in your post) is accepted by john.
Code:
$ hcxhashtool -v
hcxhashtool 7.0.1-9-g19eda66 (C) 2025 ZeroBeat

$ john
John the Ripper 1.9.0-jumbo-1+bleeding-67fcf9fe5a 2025-09-04 23:50:10 +0200 MPI + OMP [linux-gnu 64-bit x86_64 AVX AC]
Copyright (c) 1996-2025 by Solar Designer and others
Homepage: https://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]

Use --help to list all available options.

$ john --no-log -w:hashmob.small --format=wpapsk-opencl test.john
Device 1@tux1: NVIDIA GeForce RTX 4080
Using default input encoding: UTF-8
Loaded 1 password hash (wpapsk-opencl, WPA/WPA2/PMF/PMKID PSK [PBKDF2-SHA1 HMAC-SHA256/AES-CMAC OpenCL])
Note: Passwords longer than 21 [worst case UTF-8] to 63 [ASCII] rejected
Note: Minimum length forced to 8 by format
LWS=256 GWS=2490368 (9728 blocks)
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Warning: Only 1461109 candidates buffered, minimum 2490368 needed for performance.
0g 0:00:00:01 DONE (2025-09-20 08:26) 0g/s 1293Kp/s 1293Kc/s 1293KC/s Dev#1:52°C 123456789..!1qazwsx
Session completed

wpapcap2john produces a lot of unnecessary overhead.
But both hash lines (the short one as mentioned above and the expanded one created by wpapcap2john) are accepted by john. Where did you get john from?
I asked because the latest official version from here https://github.com/openwall/john doesn't have any of the above described problems.

For more information about the new formats, please take a look at this:
https://github.com/openwall/john/issues/4183
https://github.com/hashcat/hashcat/issue...-566546059

To answer your question: "Am I doing something wrong?"
An update to latest version of john and hcxtools should fix your problems.

Latest git head of the official versions:
https://github.com/openwall/john
https://github.com/hashcat/hashcat
https://github.com/ZerBea

Avoid downloading them from dubious sources!
Reply