simple hccapx(2500) to 22000 converter python script
#1
https://gist.github.com/sleshep/eba78270...65705f647d

Code:
import sys
import os
import struct


def main():
    if len(sys.argv) != 2:
        print("Usage: python convert_hccapx_to_22000.py <input_hccapx_file>")
        sys.exit(1)

    input_file = sys.argv[1]

    if not os.path.isfile(input_file):
        print(f"Error: File '{input_file}' does not exist.")
        sys.exit(1)

    with open(input_file, "rb") as f:
        data = f.read()

    def get_data(fmt, data):
        result = struct.unpack(fmt, data)
        # unpack the (som,) to som
        if isinstance(result, tuple) and len(result) == 1:
            result = result[0]
        return result

    """
    Field name Offsets (hex) Offsets (dec) Field description
    signature 0x00 to 0x03 0 to 3 the signature (file magic) of .hccapx files, it is always the string HCPX
    version 0x04 to 0x07 4 to 7 the version number of the .hccapx file format
    message_pair 0x08 8 possible values range from 0 to 5 or 128 to 133 (see message_pair table below) 1
    essid_len 0x09 9 the length of the network name (ESSID)
    essid 0x0a to 0x29 10 to 41 the network name (ESSID)
    keyver 0x2a 42 set to 1 if WPA is used, other values (preferably 2) means WPA2
    keymic 0x2b to 0x3a 43 to 58 the actual hash value (MD5 for WPA, SHA1 for WPA2) truncated to 128 bit (16 bytes)
    mac_ap 0x3b to 0x40 59 to 64 the mac address of the access point (BSSID)
    nonce_ap 0x41 to 0x60 65 to 96 nonce (random salt) generated by the access point
    mac_sta 0x61 to 0x66 97 to 102 the mac address of the client connecting to the access point
    nonce_sta 0x67 to 0x86 103 to 134 nonce (random salt) generated by the client connecting to the access point
    eapol_len 0x87 to 0x88 135 to 136 the length of the EAPOL
    eapol 0x89 to 0x188 137 to 392 the EAPOL (max 256 bytes)
    """
    signature: str = get_data('4s', data[0:4])  # type:ignore
    if signature != b'HCPX':
        print(f"Error: Invalid hccapx file. Signature is {signature!r}")
        sys.exit(1)
    version: int = get_data('<I', data[4:8])  # little-endian, 4 bytes  # type:ignore
    message_pair: int = get_data('B', data[8:9])  # type:ignore
    essid_len: int = get_data('B', data[9:10])  # type:ignore
    essid: bytes = get_data(
        f'{essid_len}s', data[10:10+essid_len])  # type:ignore
    keyver: int = get_data('B', data[42:43])  # type:ignore
    keymic: bytes = get_data('16s', data[43:59])  # type:ignore
    mac_ap: bytes = get_data('6s', data[59:65])  # type:ignore
    nonce_ap: bytes = get_data('32s', data[65:97])  # type:ignore
    mac_sta: bytes = get_data('6s', data[97:103])  # type:ignore
    nonce_sta: bytes = get_data('32s', data[103:135])  # type:ignore
    eapol_len: int = get_data('<H', data[135:137])  # little-endian, 2 bytes  # type:ignore
    eapol: bytes = get_data(f'{eapol_len}s', data[137:137+eapol_len])  # type:ignore

    """
    For developers
    The new hash format 22000 in detail:
    Code:
    PROTOCOL*TYPE*PMKID/MIC*MACAP*MACCLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR
    PROTOCOL = Fixed string "WPA"
    TYPE = 01 for PMKID, 02 for EAPOL
    PMKID/MIC = PMKID if TYPE=01, MIC if TYPE=02
    MACAP = MAC of AP
    MACCLIENT = MAC of CLIENT
    ESSID = network name (ESSID) in HEX
    ANONCE = ANONCE
    EAPOL = EAPOL (SNONCE is in here)
    MESSAGEPAIR = Bitmask:
    0: MP info (https://hashcat.net/wiki/doku.php?id=hccapx)
    1: MP info (https://hashcat.net/wiki/doku.php?id=hccapx)
    2: MP info (https://hashcat.net/wiki/doku.php?id=hccapx)
    3: x (unused)
    4: ap-less attack (set to 1) - no nonce-error-corrections necessary
    5: LE router detected (set to 1) - nonce-error-corrections only for LE necessary
    6: BE router detected (set to 1) - nonce-error-corrections only for BE necessary
    7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections definitely necessary
    """

    # Construct hashcat 22000 format string
    protocol = "WPA"
    pmkid_mic = keymic.hex()
    hash_type = "02"  # 02 = EAPOL (hccapx always carries an EAPOL handshake, never a PMKID)
    if keyver == 1:
        # keyver 1 means WPA1 (MD5 MIC); this script only handles WPA2 records
        raise Exception("keyver 1 (WPA1) hccapx record not supported by this script")
    mac_ap_hex = mac_ap.hex()
    mac_client_hex = mac_sta.hex()
    essid_hex = essid.hex()
    nonce_ap_hex = nonce_ap.hex()
    eapol_hex = eapol.hex()
    message_pair_hex = f"{message_pair:02x}"
    print(f"{protocol}*{hash_type}*{pmkid_mic}*{mac_ap_hex}*{mac_client_hex}*{essid_hex}*{nonce_ap_hex}*{eapol_hex}*{message_pair_hex}")

if __name__ == "__main__":
    main()
Reply
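The gist above converts only the first 393-byte record, and hccapx files routinely contain many handshakes. The following is an added example (not the gist's code and not part of any hashcat or hcxtools project) that generalizes the same layout table into a `struct.Struct`, walks every record in the file, validates the signature and the untrusted length fields before slicing, emits one 22000 line per record, and decodes the MESSAGEPAIR bitmask described in the format notes. The two-record input is constructed inline from placeholder values (not captured traffic), and the function and field names are this example's own.

```python
import struct
from typing import Iterator, NamedTuple

# Record layout from the hccapx field table above: little-endian, no padding, 393 bytes.
HCCAPX_STRUCT = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")
HCCAPX_SIZE = HCCAPX_STRUCT.size  # 393
HCCAPX_MAGIC = b"HCPX"


class Hccapx(NamedTuple):
    message_pair: int
    essid: bytes
    keyver: int
    keymic: bytes
    mac_ap: bytes
    nonce_ap: bytes
    mac_sta: bytes
    nonce_sta: bytes
    eapol: bytes


def parse_hccapx(data: bytes) -> Iterator[Hccapx]:
    """Yield every record in an hccapx blob; a file may hold many handshakes."""
    if len(data) == 0 or len(data) % HCCAPX_SIZE:
        raise ValueError(f"size {len(data)} is not a multiple of {HCCAPX_SIZE}")
    for offset in range(0, len(data), HCCAPX_SIZE):
        (sig, _version, message_pair, essid_len, essid, keyver, keymic, mac_ap,
         nonce_ap, mac_sta, nonce_sta, eapol_len, eapol) = HCCAPX_STRUCT.unpack_from(data, offset)
        if sig != HCCAPX_MAGIC:
            raise ValueError(f"bad signature {sig!r} at offset {offset}")
        # Length fields come from the file and are untrusted: bound them before slicing.
        if essid_len > 32 or eapol_len > 256:
            raise ValueError(f"invalid length fields at offset {offset}")
        yield Hccapx(message_pair, essid[:essid_len], keyver, keymic, mac_ap,
                     nonce_ap, mac_sta, nonce_sta, eapol[:eapol_len])


def to_22000(rec: Hccapx) -> str:
    """Render one record as a hash-mode 22000 EAPOL line (TYPE 02)."""
    return "*".join([
        "WPA", "02", rec.keymic.hex(), rec.mac_ap.hex(), rec.mac_sta.hex(),
        rec.essid.hex(), rec.nonce_ap.hex(), rec.eapol.hex(), f"{rec.message_pair:02x}",
    ])


# Bits 4-7 of MESSAGEPAIR, as listed in the format description above.
MESSAGE_PAIR_FLAGS = {
    0x10: "ap-less attack, no nonce-error-corrections necessary",
    0x20: "LE router detected",
    0x40: "BE router detected",
    0x80: "replaycount not checked",
}


def describe_message_pair(message_pair: int) -> dict:
    """Split MESSAGEPAIR into the message-pair number (bits 0-2) and the set flag bits."""
    return {
        "pair": message_pair & 0x07,
        "flags": [name for bit, name in MESSAGE_PAIR_FLAGS.items() if message_pair & bit],
    }


def build_record(essid: bytes, message_pair: int, keymic: bytes, mac_ap: bytes,
                 mac_sta: bytes, nonce_ap: bytes, nonce_sta: bytes, eapol: bytes,
                 keyver: int = 2) -> bytes:
    """Pack a constructed hccapx record (test data only; struct pads 's' fields with NULs)."""
    return HCCAPX_STRUCT.pack(HCCAPX_MAGIC, 4, message_pair, len(essid), essid, keyver,
                              keymic, mac_ap, nonce_ap, mac_sta, nonce_sta, len(eapol), eapol)


# Constructed two-record file: every value is a placeholder, not captured traffic.
SAMPLE_FILE = build_record(
    b"TestNet", 0x82, bytes(range(16)), bytes.fromhex("001122334455"),
    bytes.fromhex("66778899aabb"), bytes(range(32)), bytes(range(32, 64)),
    b"\x01\x03" + bytes(10),
) + build_record(
    b"Other", 0x00, bytes(range(16, 32)), bytes.fromhex("aabbccddeeff"),
    bytes.fromhex("001122334455"), bytes(32), bytes(range(32)),
    b"\x02\x03" + bytes(20), keyver=1,
)


def convert(data: bytes) -> list:
    """Convert a whole hccapx blob to a list of 22000 lines, one per record."""
    return [to_22000(rec) for rec in parse_hccapx(data)]


if __name__ == "__main__":
    for line in convert(SAMPLE_FILE):
        print(line)
        print("   ", describe_message_pair(int(line.rsplit("*", 1)[1], 16)))
```

The `<` prefix on the struct format matters: without it, `struct` applies native alignment and would insert a padding byte before the `H` at offset 135, silently shifting every field after the client nonce. The keyver byte is kept on the record so a caller can decide how to treat WPA1 entries rather than having the parser discard them.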
#2
Works! ThX!
Reply
#3
Nice work.
With this portable tool, there is no longer a need to run hashcat on ancient binary hccapx files.
Reply
#4
(05-05-2023, 10:47 AM)ZerBea Wrote: Nice work.
With this portable tool, there is no longer a need to run hashcat on ancient binary hccapx files.

For me there is a need to run ancient binary files.

hashcat will not work on old hardware such as my ancient graphics card. Without hcx still being able to convert to .hccap I would be priced out. Sad

Thank you ZeroBeat for continuing to support .hccap and hccapx !
Reply
#5
Indeed, older hardware is a serious problem and it is becoming more and more difficult to support it.
A couple of hours ago I released hcxdumptool 6.3.0 (and hcxtools 6.3.0) according to the release of Linux kernel 6.3.0.
After I compiled kernel 6.3, I got this dmesg warning:
Code:
[ 2770.939021] warning: hcxdumptool uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211
Now, I finally realized that WIRELESS EXTENSIONS (WEXT) are dead and I have to move to NL80211 which has led to a complete redesign of hcxdumptool. This redesign may not be compatible with old hardware, old kernel and old gcc versions, but it was absolutely necessary.

I first noticed this when Arch Linux discontinued support for the ARMv5 and ARMv6 architectures in late 2022:
https://archlinuxarm.org/about
As I write this comment, Arch Linux is on
Code:
$ uname -r
6.3.1-arch1-1
and
Code:
$ gcc -v
gcc version 13.1.1 20230429 (GCC)
and it is nearly impossible for me to run all older kernels and gcc versions to make sure the new features are working on them.
Reply