hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
To understand my last post and to reproduce the different methods:
- hc22000 -> john (hcxhashtool)
- hc22000 -> cap -> john (hcxhash2cap, hcxpcapngtool)
- hc22000 -> cap -> john (wpapcap2john)

get the two example hashes (WPA 01 and WPA 02) from here:
https://hashcat.net/wiki/doku.php?id=example_hashes
and store the 22000 hashes to a hash file:
Code:
$ cat test.hc22000
WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***
WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*a2

convert them to a format john understands and run john against the converted file:
Code:
$ hcxhashtool -i test.hc22000 --john=test.john

OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entries...................: 36946
total lines read..............: 2
valid hash lines..............: 2
PMKID hash lines..............: 1
EAPOL hash lines..............: 1
PMKID written to john.........: 1
EAPOL written to john.........: 1

$ cat test.john
4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964
TP-LINK_HASHCAT_TEST:$WPAPSK$TP-LINK_HASHCAT_TEST#N4OnXgDw6ZvQGPSeGAsgmub/zO2kzmyvyozHg4DFeHYUgDTTJ8L9xsSlML2Esvsv.3dWbcbS06pe9xl6bPUup5ND9FVfbBsJF4uL9U21.5I0.Ec............/GAsgmub/zO2kzmyvyozHg4DFeHYUgDTTJ8L9xsSlML2.................................................................3X.I.E..1uk2.E..1uk2.E..1uk0U...................................................................................................................................................................................../t.....U....7.6bZG79zwdIIbP1RWO4w:22-5e-dc-49-b7-aa:64-66-b3-8e-c3-fc:6466b38ec3fc::WPA2:verified:converted by hcxhashtool

$ john --no-log -w:word.list --format=wpapsk-opencl test.john
Device 1@tux1: NVIDIA GeForce RTX 4080
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (wpapsk-opencl, WPA/WPA2/PMF/PMKID PSK [PBKDF2-SHA1 HMAC-SHA256/AES-CMAC OpenCL])
Note: Passwords longer than 21 [worst case UTF-8] to 63 [ASCII] rejected
Note: Minimum length forced to 8 by format
LWS=256 GWS=4980736 (19456 blocks)
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Warning: Only 745030 candidates buffered, minimum 4980736 needed for performance.
hashcat!         (TP-LINK_HASHCAT_TEST)    
hashcat!         (?)    
2g 0:00:00:01 DONE (2025-09-20 14:38) 1.626g/s 605715p/s 1211Kc/s 1211KC/s Dev#1:64°C         ..รหัสผ่าน
Use the "--show" option to display all of the cracked passwords reliably
Session completed

convert hashes back to cap, then to john (please note that this conversion is not lossless) and run john against them:
Code:
$ hcxhash2cap --pmkid-eapol=test.hc22000 -c test.cap
PMKIDs/EAPOL messages written to capfile(s): 2 (0 skipped)

$ ls
test.cap

$ hcxpcapngtool test.cap --john=test2.john
hcxpcapngtool 7.0.1-9-g19eda66 reading from test.cap...

summary capture file
--------------------
file name................................: test.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (timestamp)............: 20.09.2025 12:40:02 (1758372002)
timestamp maximum (timestamp)............: 20.09.2025 12:40:02 (1758372002)
duration of the dump tool (seconds)......: 0
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianness (capture system)..............: little endian
packets inside...........................: 5
ESSID (total unique).....................: 2
BEACON (total)...........................: 2
BEACON on 2.4 GHz channel (from IE_TAG)..: 8
BEACON (hcxhash2cap).....................: 2
EAPOL messages (total)...................: 3
EAPOL RSN messages.......................: 3
EAPOLTIME gap (measured maximum msec)....: 0
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 2
EAPOL M2 messages (total)................: 1
EAPOL pairs (total)......................: 1
EAPOL pairs (best).......................: 1
EAPOL pairs written to old format JtR....: 1 (RC checked)
EAPOL M12E2 (challenge - ANONCE from M1).: 1
RSN PMKID (total)........................: 1
RSN PMKID (best).........................: 1
RSN PMKID written to old format JtR......: 1

Information: limited dump file format detected!
This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead. The PCAP Next Generation dump file format is an attempt to overcome the limitations of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng

Information: radiotap header is missing!
Radiotap is a de facto standard for 802.11 frame injection and reception. The radiotap header format is a mechanism to supply additional information about frames, from the driver to userspace applications.
https://www.radiotap.org/

Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

Information: missing frames!
This dump file does not contain important frames like authentication, association or reassociation.
It always happens if the capture file was cleaned or it could happen if filter options are used during capturing. That makes it hard to recover the PSK.
Duration of the dump tool was a way too short to capture enough additional information.

Information: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
https://hashcat.net/forum/thread-6361.html
Duration of the dump tool was a way too short to capture enough additional information.

Information: missing EAPOL M3 frames!
This dump file does not contain EAPOL M3 frames (possible packet loss).
It strongly recommended to recapture the traffic or to use --all option to convert all possible EAPOL MESSAGE PAIRs.


session summary
---------------
processed cap files...................: 1

$ john --no-log -w:word.list --format=wpapsk-opencl test2.john
Device 1@tux1: NVIDIA GeForce RTX 4080
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (wpapsk-opencl, WPA/WPA2/PMF/PMKID PSK [PBKDF2-SHA1 HMAC-SHA256/AES-CMAC OpenCL])
Note: Passwords longer than 21 [worst case UTF-8] to 63 [ASCII] rejected
Note: Minimum length forced to 8 by format
LWS=256 GWS=155648 (608 blocks)
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
hashcat!         (TP-LINK_HASHCAT_TEST)    
hashcat!         (?)    
2g 0:00:00:01 DONE (2025-09-20 14:42) 1.143g/s 355766p/s 711533c/s 711533C/s Dev#1:66°C fancyraven434..plattenspieler
Use the "--show" option to display all of the cracked passwords reliably
Session completed

convert the hashes from the cap file using wpapcap2john and run john against them:
Code:
$ wpapcap2john test.cap > test3.john
File test.cap: raw 802.11
Dumping RSN IE PMKID at 0.000001 BSSID FC:69:0C:15:82:64 ESSID 'hashcat-essid' STA F4:74:7F:87:F9:F4
Dumping M1/M2 at 0.000004 BSSID 64:66:B3:8E:C3:FC ESSID 'TP-LINK_HASHCAT_TEST' STA 22:5E:DC:49:B7:AA

2 ESSIDS processed and 2 AP/STA pairs processed
1 handshakes written, 1 RSN IE PMKIDs

$ john --no-log -w:word.list --format=wpapsk-opencl test3.john
Device 1@tux1: NVIDIA GeForce RTX 4080
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (wpapsk-opencl, WPA/WPA2/PMF/PMKID PSK [PBKDF2-SHA1 HMAC-SHA256/AES-CMAC OpenCL])
Note: Passwords longer than 21 [worst case UTF-8] to 63 [ASCII] rejected
Note: Minimum length forced to 8 by format
LWS=256 GWS=155648 (608 blocks)
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
hashcat!         (TP-LINK_HASHCAT_TEST)    
hashcat!         (hashcat-essid)    
2g 0:00:00:01 DONE (2025-09-20 14:44) 1.081g/s 336536p/s 673072c/s 673072C/s Dev#1:65°C fancyraven434..plattenspieler
Use the "--show" option to display all of the cracked passwords reliably
Session completed

You may have noticed that in any case, john has successfully recovered the PSKs.

BTW:
If you have further questions, please use the example hashes. It is against the forum rules to post "real captured hashes" if they are not from your own network!
Reply
Hi ZerBea, thanks for the expanded reply. I'm sorry I omitted a few details, which probably caused the confusion:

1) I'm running on Windows, source code is compiled under CYGWIN. I provided EXEs a long time ago and can provide the latest version again

2) I fetched the latest source about a month ago; its "-v" output looks Frankenstein, the version is from 2021 but the year is correct:
    hcxpcapngtool 6.2.4-62-g4fe754d (C) 2025 ZeroBeat
    I think I use an old Make (seems like the year comes from it but the version is not from PRODUCTION_YEAR), but the code is OK

3) Just fetched the latest and I'm getting 7.0.1 but w/o hex (SHA?)
    hcxpcapngtool 7.0.1 (C) 2025 ZeroBeat
    Converting to JOHN - same result as previously reported

4) I haven't tried to run JOHN; I was just concerned that the generated hash looked different from my "normal" JOHN hashes.

I'm happy to know that JOHN can read various forms of the same WPA hashes, though, as a perfectionist and proponent of simplicity, I wonder what the purpose of this is?

BTW, by normal JOHN I assume the one generated by john's wpapcap2john.exe:
nokopiallow:4b59ba...5407a4204db*3c37...31b5*b0e...cb27*6e6...6c6f77:b0e..cb27:3c3..31b5:3c3..31b5::test.cap

Just in case, my JOHN:
John the Ripper 1.9.0-jumbo-1+bleeding-173b5629e8 2024-01-18 00:08:42 +0100 OMP [cygwin 64-bit x86_64 AVX AC]
Reply
As long as john can handle both (PMKID) formats, there is no need to add the long format to hcxtools. I recommend testing john with the (22000) example hashes. Everything is running fast and smooth.

cons:
Regarding WPA EAPOL MESSAGEs you should know that john is internally using the ancient hccap binary format. In combination with the conversion to an ASCII hash file format this produces unnecessary overhead and conversion time. Luckily that is on the todo list (feature request).
Unfortunately john is not able to do nonce-error-corrections (NC). So it is a good idea to use hcxpcapngtool --all to convert pcapng files to john's format.

pros:
Due to full reuse of PBKDF2 when running against a hash file that contains more than one hash with the same ESSID, john's single mode attack (--single or --single:all) is much faster (with the NC hints mentioned above) than hashcat's association attack (-a9). And it is easier to use, because it is not necessary to pre-process the hash file to get a MAC address list or an ESSID list hashcat can work on.
Reply
Got it, thanks. The pros/cons part is especially valuable - always something new to learn
Reply
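Added example (not part of any post in this thread, and not hcxtools or john code): a small Python parser for the 22000 lines shown in the first post. It shows that john's short PMKID line is the same four fields without the `WPA*01*` prefix, rechecks the PMKID against the PSK john printed in the thread (`hashcat!`), and reads the message pair bit that relates to the nonce-error-correction remark in the third post. The names `Hash22000`, `parse_hc22000`, `to_john_pmkid`, `pmkid_from_psk` and `nc_required` are made up for this example; the bit 7 meaning is taken from the hashcat wiki's description of the 22000 format.

```python
import hashlib
import hmac
from typing import NamedTuple

# The WPA*01 (PMKID) example line from test.hc22000 in the first post.
SAMPLE = ("WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*"
          "f4747f87f9f4*686173686361742d6573736964***")

class Hash22000(NamedTuple):
    kind: str       # "01" = PMKID line, "02" = EAPOL line
    key_id: bytes   # PMKID (01) or MIC (02), 16 bytes
    mac_ap: bytes
    mac_sta: bytes
    essid: bytes
    anonce: bytes   # empty on PMKID lines
    eapol: bytes    # empty on PMKID lines
    msgpair: bytes  # empty on PMKID lines

def parse_hc22000(line):
    """Split one 22000 line into fields and reject malformed input."""
    parts = line.strip().split("*")
    if len(parts) != 9 or parts[0] != "WPA" or parts[1] not in ("01", "02"):
        raise ValueError("not a WPA*01 / WPA*02 line")
    h = Hash22000(parts[1], *(bytes.fromhex(p) for p in parts[2:]))
    if len(h.key_id) != 16 or len(h.mac_ap) != 6 or len(h.mac_sta) != 6:
        raise ValueError("bad PMKID/MIC or MAC length")
    if not 0 < len(h.essid) <= 32:
        raise ValueError("bad ESSID length")
    if h.kind == "02" and (len(h.anonce) != 32 or not h.eapol or len(h.msgpair) != 1):
        raise ValueError("incomplete EAPOL line")
    return h

def to_john_pmkid(h):
    """john's short PMKID line: the same four fields, no WPA*01* prefix."""
    if h.kind != "01":
        raise ValueError("only PMKID lines have this short form")
    return "*".join(f.hex() for f in (h.key_id, h.mac_ap, h.mac_sta, h.essid))

def pmkid_from_psk(h, psk):
    """Recompute the PMKID from a known PSK (IEEE 802.11 definition)."""
    pmk = hashlib.pbkdf2_hmac("sha1", psk.encode(), h.essid, 4096, 32)
    data = b"PMK Name" + h.mac_ap + h.mac_sta
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]

def nc_required(h):
    """Bit 7 of the message pair: replay counter not checked (hashcat wiki)."""
    return h.kind == "02" and bool(h.msgpair[0] & 0x80)
```

Running `to_john_pmkid(parse_hc22000(SAMPLE))` reproduces the first line of `test.john` from the first post.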