You are here: Home » Wireless Attacks » hcxtools


hcxtools Description

Small set of tools convert packets from captures (h = hash, c = capture, convert and calculate candidates, x = different hashtypes) for the use with latest hashcat or John the Ripper. The tools are 100% compatible to hashcat and John the Ripper and recommended by hashcat. This branch is pretty closely synced to hashcat git branch (that means: latest hcxtools matching on latest hashcat beta) and John the Ripper git branch ("bleeding-jumbo").

Support for hashcat hash-modes: 2500, 2501, 4800, 5500, 12000, 16100, 16800, 16801

Support for John the Ripper hash-modes: WPAPSK-PMK, PBKDF2-HMAC-SHA1, chap, netntlm, tacacs-plus


Author: ZerBea

License: MIT

hcxtools Help

hcxtools is a common name of a set of tools, each executes only one specific function, and each has option set.

hcxpcaptool Help

hcxpcaptool shows info of pcap/pcapng file and convert it to other hashformats accepted by hashcat and John the Ripper.


hcxpcaptool <options>
hcxpcaptool <options> [input.pcap] [input.pcap] ...
hcxpcaptool <options> *.cap
hcxpcaptool <options> *.*


-o <file> : output hccapx file (hashcat -m 2500/2501)
-O <file> : output raw hccapx file (hashcat -m 2500/2501)
-x <file> : output hccap file (hashcat -m 2500)
-X <file> : output raw hccap file (hashcat -m 2500)
-z <file> : output PMKID file (hashcat hashmode -m 16800/16801)
-j <file> : output john WPAPSK-PMK file (john wpapsk-opencl)
-J <file> : output raw john WPAPSK-PMK file (john wpapsk-opencl)
-E <file> : output wordlist (autohex enabled) to use as input wordlist for cracker
-I <file> : output unsorted identity list
-U <file> : output unsorted username list
-P <file> : output possible WPA/WPA2 plainmasterkey list
-T <file> : output management traffic information list
          : european date : timestamp : mac_sta : mac_ap : essid
-g <file> : output GPS file
            format = GPX (accepted for example by Viking and GPSBabel)
-H <file> : output dump raw packets in hex
-V        : verbose (but slow) status output
-h        : show this help
-v        : show version

--time-error-corrections=<digit>  : maximum allowed time gap (default: 600s)
--nonce-error-corrections=<digit> : maximum allowed nonce gap (default: 8)
                                  : should be the same value as in hashcat
--netntlm-out=<file>              : output netNTLMv1 file (hashcat -m 5500, john netntlm)
--md5-out=<file>                  : output MD5 challenge file (hashcat -m 4800)
--md5-john-out=<file>             : output MD5 challenge file (john chap)
--tacacsplus-out=<file>           : output TACACS+ authentication file (hashcat -m 16100, john tacacs-plus)

bitmask for message pair field:

  • 0: MP info (
  • 1: MP info (
  • 2: MP info (
  • 3: x (unused)
  • 4: ap-less attack (set to 1) – no nonce-error-corrections neccessary
  • 5: LE router detected (set to 1) – nonce-error-corrections only for LE neccessary
  • 6: BE router detected (set to 1) – nonce-error-corrections only for BE neccessary
  • 7: not replaycount checked (set to 1) – replaycount not checked, nonce-error-corrections definitely neccessary

Do not use hcxpcaptool in combination with third party cap/pcap/pcapng cleaning tools!

hcxpsktool Help

hcxpsktool calculates candidates for hashcat based on commandline input, hccapx file and/or 16800 hash file (experimental).


hcxpsktool <options>


-i <file> : input EAPOL hash file (hccapx)
-z <file> : input PMKID hash file
-e <file> : input ESSID
-b <file> : input MAC access point
            format: 112233445566
-o <file> : output PSK file
            default: stdout
            output list must be sorted unique!

--weakpass: include weak password candidates
--eudate  : include complete european dates
--usdate  : include complete american dates

hcxhashcattool Help

hcxhashcattool calculate PMKs from hashcat -m 2500 potfile.


hcxhashcattool <options>


-p <file> : input hashcat potfile
            accepted potfiles: 2500 or 16800
-P <file> : output PMK file (PMK:ESSID:PSK)
-h        : show this help
-v        : show version

wlanhcx2cap Help

wlanhcx2cap converts hccapx to cap.


wlanhcx2cap <options>


-i <file>   : input hccapx file
-O <file>   : output all possible handshakes to a single cap file
-o <prefix> : output prefix cap file (mac_ap - mac_sta - messagepair or wf.cap is added to the prefix)
            : not all possible handshakes are written to a cap file - only one each messagepair
            : prefix - mac_ap - mac_sta - messagepair or wf (wlandumpforced handshake).cap
            : example: pfx-xxxxxxxxxxxx-xxxxxxxxxxxx-xx.cap
-h          : this help

wlanhc2hcx Help

wlanhc2hcx converts hccap to hccapx.


wlanhc2hcx <options> [input.hccap(x)] [input.hccap(x)] ...
       wlanhc2hcx <options> *.cap
       wlanhc2hcx <options> *.*


-o <file> : output hccapx file
-e <file> : output ESSID list

wlanwkp2hcx Help

wlanwkp2hcx converts wpk (ELMCOMSOFT EWSA projectfile) to hccapx.


wlanwkp2hcx <options> [input.wkp] [input.wkp] ...
       wlanwkp2hcx <options> *.wkp


-o <file> : output hccapx file
-e <file> : output essidlist

wlanhcx2essid Help

wlanhcx2essid merges hccapx containing the same ESSID.


wlanhcx2essid <options>


-i <file> : input hccapx file
-s <file> : input second hccapx file
-o <file> : output hccapx file (merged by essid)
-I        : show info about hccapx file

wlanhcx2ssid Help

wlanhcx2ssid strips BSSID, ESSID, OUI.


wlanhcx2ssid <options>


-i <file>     : input hccapx file
-p <path>     : change directory for outputfiles
-a            : output file by mac_ap's
-s            : output file by mac_sta's
-o            : output file by vendor's (oui)
-e            : output file by essid's
-E <essid>    : output file by part of essid name
-X <essid>    : output file by essid name (exactly)
-x <digit>    : output by essid len (0 <= 32)
-A <mac_ap>   : output file by single mac_ap
-S <mac_sta>  : output file by single mac_sta
-O <oui>      : output file by single vendor (oui)
-V <name>     : output file by single vendor name or part of vendor name
-L <mac_list> : input list containing mac_ap's (need -l)
              : format of mac_ap's each line: 112233445566
-l <file>     : output file (hccapx) by mac_list (need -L)
-w <file>     : write only forced from clients to hccapx file
-W <file>     : write only forced from access points to hccapx file
-r <file>     : write only replaycount checked to hccapx file
-R <file>     : write only not replaycount checked to hccapx file
-N <file>     : output stripped file (only one record each mac_ap, mac_sta, essid, message_pair combination)
-n <file>     : output stripped file (only one record each mac_sta, essid)
-g <file>     : write only handshakes with pairwise key flag set
-G <file>     : write only handshakes with groupkey flag set
-0 <file>     : write only MESSAGE_PAIR_M12E2 to hccapx file
-1 <file>     : write only MESSAGE_PAIR_M14E4 to hccapx file
-2 <file>     : write only MESSAGE_PAIR_M32E2 to hccapx file
-3 <file>     : write only MESSAGE_PAIR_M32E3 to hccapx file
-4 <file>     : write only MESSAGE_PAIR_M34E3 to hccapx file
-5 <file>     : write only MESSAGE_PAIR_M34E4 to hccapx file
-k <file>     : write keyversion based on key information field (use only basename)
              : output: basename.x.hccapx
              : WPA1 RC4 Cipher, HMAC-MD5..... basename.1.hccapx
              : WPA2 AES Cipher, HMAC-SHA1.... basename.2.hccapx
              : WPA2 AES Cipher, AES-128-CMAC2 basename.3.hccapx
              : all other are unknown
-F <file>     : remove bad records and write only flawless records to hccapx file
-D <file>     : remove duplicates from the same authentication sequence
              : you must use nonce-error-corrections on that file!
-h            : this help

wlanhcxinfo Help

wlanhcxinfo shows detailed info from contents of hccapxfile.


wlanhcxinfo <options>


-i <file> : input hccapx file
-j <file> : input john file (doesn't support all list options)
-o <file> : output info file (default stdout)
-a        : list access points
-A        : list anonce
-s        : list stations
-S        : list snonce
-M        : list key mic
-R        : list replay count
-w        : list wpa version
-P        : list key key number
-p        : list messagepair
-l        : list essid len
-e        : list essid
-h        : this help

wlanhcxmnc Help

wlanhcxmnc help to calculate hashcat's nonce-error-corrections value on byte number xx of an anonce.


wlanhcxmnc <options>


-i <file>   : input hccapx file
-o <file>   : input hccapx file
-a <xdigit> : mac_ap to correct
-b <digit>  : nonce byte to correct
-n <xdigit> : nonce hex value
-I          : show mac_ap and anonces
-h          : this help

wlanhashhcx Help

wlanhashhcx generate hashlist from hccapx hashfile (md5_64 hash:mac_ap:mac_sta:essid).


wlanhashhcx <options>


-i <file> : input hccapx file
-S <file> : output info for identified hccapx handshake to file
-h        : this help

wlanhcxcat Help

wlanhcxcat is a simple password recovery tool for WPA/WPA2/WPA2 SHA256 AES-128-CMAC (hash-modes 2500, 2501).


wlanhcxcat <options>


-i <file> : input hccapx file
-w <file> : input wordlist, plainmasterkeylist oder mixed word-/plainmasterkeylist
          : wordlist input is very slow
-e        : input ESSID
-p        : input password
-P        : input plainmasterkey
-o <file> : output recovered network data
-h        : this help

input option matrix

-e and -p
-e and -P
-e and -w

wlanpmk2hcx Help

wlanpmk2hcx converts plainmasterkey and ESSID for use with hashcat hash-mode 12000 or john PBKDF2-HMAC-SHA1.


wlanpmk2hcx <options>


-i <file>  : input combilist (pmk:essid)
-o <file>  : output hashcat hashfile (-m 12000)
-j <file>  : output john hashfile (pbkdf2-hmac-sha1)
-e <essid> : input single essid (networkname: 1 .. 32 characters)
-p <pmk>   : input plainmasterkey (64 xdigits)
-h         : this help

wlanjohn2hcx Help

wlanjohn2hcx converts john wpapsk hashfiles for use with hashcat hash-modes 2500, 2501.


wlanjohn2hcx <options> [input.john] [input.john] ...


-o <file> : output hccapx file
-e <file> : output ESSID list

wlancow2hcxpmk Help

wlancow2hcxpmk converts pre-computed cowpatty hashfiles for use with hashcat hash-mode 2501.


wlancow2hcxpmk <options>


-i <file> : input cowpatty hashfile
-w <file> : output passwordlist file
-W <file> : output pmk:password file
-p <file> : output pmk file
-s        : print pmk's to stdout
-h        : this help file

wlanhcx2john Help

wlanhcx2john converts hccapx to format expected by John the Ripper.


wlanhcx2john <options> [input.hccapx] [input.hccapx] ...


-o <file> : output john file

wlanhcx2psk Help

wlanhcx2psk calculates candidates for hashcat based on the hccapx file (deprecated: will be replaced by hcxpsktool, soon).


wlanhcx2psk <options>


-i <file> : input hccapx file
-o <file> : output plainkeys to file
-s        : output plainkeys to stdout (pipe to hashcat)
-w        : include generic weak passwords
-W        : include complete wps keys
-D        : include complete european dates
-d        : include complete american dates
-N        : include NETGEARxx weak candidates
-F        : include Fibertel weak candidates
-h        : this help
-v        : version

wlancap2wpasec Help

wlancap2wpasec uploads multiple caps to


wlancap2wpasec <options> [input.cap] [input.cap] ...
       wlancap2wpasec <options> *.cap
       wlancap2wpasec <options> *.*


-k <key>     : wpa-sec user key
-u <url>     : set user defined URL
               default =
-t <seconds> : set connection timeout
               default = 30 seconds
-R           : remove cap if upload was successful
-h           : this help

whoismac Help

whoismac shows vendor information and/or download oui reference list.


whoismac <options>


-d            : download
              : and save to ~/.hcxtools/oui.txt
              : internet connection required
-m <mac>      : mac (six bytes of mac addr) or 
              : oui (fist three bytes of mac addr)
-p <hashline> : input PMKID hashline
-P <hashline> : input EAPOL hashline from potfile
-v <vendor>   : vendor name
-h            : this help screen

hcxtools Usage Example

Show detailed description of hashcat hashfile (NPAAE.hccapx):

wlanhcxinfo -i NPAAE.hccapx

Example output:

total hashes read from file.......: 1
handshakes from clients...........: 0
little endian router detected.....: 0
big endian router detected........: 0
zeroed ESSID......................: 0
802.1x Version 2001...............: 1
802.1x Version 2004...............: 0
WPA1 RC4 Cipher, HMAC-MD5.........: 0
WPA2 AES Cipher, HMAC-SHA1........: 1
WPA2 AES Cipher, AES-128-CMAC.....: 0
group key flag set................: 0
message pair M12E2................: 1 (0 not replaycount checked)
message pair M14E4................: 0 (0 not replaycount checked)
message pair M32E2................: 0 (0 not replaycount checked)
message pair M32E3................: 0 (0 not replaycount checked)
message pair M34E3................: 0 (0 not replaycount checked)
message pair M34E4................: 0 (0 not replaycount checked)

Show the hash list (format md5_64 hash:mac_ap:mac_sta:essid) of a file (NPAAE.hccapx):

wlanhashhcx -i NPAAE.hccapx

Example output:


Read the file test.pcapng and create the test.16800 file of the PMKID hash for hacking into hashcat with hash mode -m 16800 (-z test.16800):

hcxpcaptool -z test.16800 test.pcapng

Example output:

start reading from test.pcapng
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.10-arch1-1-ARCH
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 4868
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 36
probe requests...............: 51
probe responses..............: 53
association requests.........: 821
association responses........: 1787
reassociation requests.......: 1
reassociation responses......: 2
authentications (OPEN SYSTEM): 1589
authentications (BROADCOM)...: 1589
EAPOL packets................: 526
EAPOL PMKIDs.................: 4
4 PMKID(s) written to test.16800

How to install hcxtools

Installation on Kali Linux

sudo apt install libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev
git clone
cd hcxtools/
sudo make install

Installation on BlackArch

sudo pacman -S hcxtools



Also recommended: