hcxtools
hcxtools Description
A set of tools for converting captured Wi-Fi frames. It is able to convert between different formats and hashes for use with the latest versions of Hashcat or John the Ripper.
The letters in the title mean:
- h = hash
- c = capture, convert and calculate candidates – the capture function has since been split off into a separate program, hcxdumptool.
- x = different hashtypes
These tools are 100% compatible with hashcat and John the Ripper and are recommended by the Hashcat author. New releases of hcxtools are closely synchronized with the latest versions of hashcat on Git (meaning: the latest hcxtools match the latest hashcat beta) and with the John the Ripper (“bleeding-jumbo”) Git branch.
The following hash modes are supported for hashcat: 4800, 5500, 2200x, 16100, 250x (deprecated), 1680x (deprecated)
The following hash modes are supported for John the Ripper: WPAPSK-PMK, PBKDF2-HMAC-SHA1, chap, netntlm, tacacs-plus.
It supports hashes (one file per archive) compressed in gzip (.gz) format.
Homepage: https://github.com/ZerBea/hcxtools
Author: ZerBea
License: MIT
List of hcxtools toolkit
Tool | Description |
---|---|
hcxpcapngtool | Converts captured wireless frames with handshakes and PMKIDs to hashes of the new hashcat 22000 format. |
hcxhashtool | Shows information about PMKID/EAPOL hashes and provides various filtering operations with new PMKID/EAPOL hashes. |
hcxpsktool | Generates password candidates for hashcat and john to brute force based on hcxpcapngtool output or command line input. |
hcxpmktool | Calculate and verify a PSK and/or a PMK |
hcxeiutool | Prepares dictionaries obtained from the output of the hcxpcapngtool command when using the -E, -I, and -U options for use in a hashcat + rule or JtR + rule. |
hcxwltool | Calculates candidates for hashcat and john based on mixed wordlists |
hcxhash2cap | Converts hash file (PMKID&EAPOL, PMKID, EAPOL-hccapx, EAPOL-hccap, WPAPSK-john) to cap |
wlancap2wpasec | Upload multiple (gzip compressed) pcapng, pcap and cap files to https://wpa-sec.stanev.org |
whoismac | Show vendor information and/or download oui reference list |
hcxtools Help
hcxtools is the common name for a set of tools; each performs only one specific function and has its own set of options.
hcxpcapngtool Help
Converts captured wireless frames with handshakes and PMKIDs to hashes of the new hashcat 22000 format.
Usage:
hcxpcapngtool <options>
hcxpcapngtool <options> input.pcapng
hcxpcapngtool <options> *.pcapng
hcxpcapngtool <options> *.pcap
hcxpcapngtool <options> *.cap
hcxpcapngtool <options> *.*
Options:
short options:
-o <file> : output WPA-PBKDF2-PMKID+EAPOL hash file (hashcat -m 22000)
    get full advantage of reuse of PBKDF2 on PMKID and EAPOL
-E <file> : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker
    retrieved from every frame that contain an ESSID
-R <file> : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker
    retrieved from PROBEREQUEST frames only
-I <file> : output unsorted identity list to use as input wordlist for cracker
-U <file> : output unsorted username list to use as input wordlist for cracker
-D <file> : output device information list
    format MAC MANUFACTURER MODELNAME SERIALNUMBER DEVICENAME UUID
-h : show this help
-v : show version

long options:
--all : convert all possible hashes instead of only the best one
    that can lead to much overhead hashes
    use hcxhashtool to filter hashes
    need hashcat --nonce-error-corrections >= 8
--eapoltimeout=<digit> : set EAPOL TIMEOUT (milliseconds)
    : default: 5000 ms
--nonce-error-corrections=<digit> : set nonce error correction
    warning: values > 0 can lead to uncrackable handshakes
    : default: 0
--ignore-ie : do not use CIPHER and AKM information
    this will convert all frames regadless of CIPHER and/OR AKM information,
    and can lead to uncrackable hashes
--max-essids=<digit> : maximum allowed ESSIDs
    default: 1 ESSID
    disregard ESSID changes and take ESSID with highest ranking
--eapmd5=<file> : output EAP MD5 CHALLENGE (hashcat -m 4800)
--eapmd5-john=<file> : output EAP MD5 CHALLENGE (john chap)
--eapleap=<file> : output EAP LEAP and MSCHAPV2 CHALLENGE (hashcat -m 5500, john netntlm)
--tacacs-plus=<file> : output TACACS PLUS (hashcat -m 16100, john tacacs-plus)
--nmea=<file> : output GPS data in NMEA format
    format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL
    to convert it to gpx, use GPSBabel:
    gpsbabel -i nmea -f hcxdumptool.nmea -o gpx,gpxver=1.1 -F hcxdumptool.gpx
    to display the track, open file.gpx with viking
--csv=<file> : output ACCESS POINT information in CSV format
    delimiter: tabulator (0x08)
    columns:
    YYYY-MM-DD HH:MM:SS MAC_AP ESSID ENC_TYPE CIPHER AKM COUNTRY_INFO CHANNEL RSSI GPS(DM.m) GPS(D.d) GPSFIX SATCOUNT HDOP ALTITUDE UNIT
    to convert it to other formats, use bash tools or scripting languages
    GPS FIX:
    0 = fix not available or invalid
    1 = fix valid (GPS SPS mode)
    2 = fix valid (differential GPS SPS Mode)
    3 = not supported
    4 = not supported
    5 = not supported
    6 = fix valid (Dead Reckoning Mode)
--log=<file> : output logfile
--raw-out=<file> : output frames in HEX ASCII
    : format: TIMESTAMP*LINKTYPE*FRAME*CHECKSUM
--raw-in=<file> : input frames in HEX ASCII
    : format: TIMESTAMP*LINKTYPE*FRAME*CHECKSUM
--pmkid=<file> : output deprecated PMKID file (delimter *)
--hccapx=<file> : output deprecated hccapx v4 file
--hccap=<file> : output deprecated hccap file
--john=<file> : output deprecated PMKID/EAPOL (JtR wpapsk-opencl/wpapsk-pmk-opencl)
--prefix=<file> : convert everything to lists using this prefix (overrides single options):
    -o <file.22000> : output PMKID/EAPOL hash file
    -E <file.essid> : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker
    -I <file.identitiy> : output unsorted identity list to use as input wordlist for cracker
    -U <file.username> : output unsorted username list to use as input wordlist for cracker
    --eapmd5=<file.4800> : output EAP MD5 CHALLENGE (hashcat -m 4800)
    --eapleap=<file.5500> : output EAP LEAP and MSCHAPV2 CHALLENGE (hashcat -m 5500, john netntlm)
    --tacacs-plus=<file.16100> : output TACACS+ (hashcat -m 16100, john tacacs-plus)
    --nmea=<file.nmea> : output GPS data in NMEA format
--help : show this help
--version : show version
Bitmask of message pair field:
2,1,0:
    000 = M1+M2, EAPOL from M2 (challenge)
    001 = M1+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
    010 = M2+M3, EAPOL from M2 (authorized)
    011 = M2+M3, EAPOL from M3 (authorized) - unused
    100 = M3+M4, EAPOL from M3 (authorized) - unused
    101 = M3+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
3: reserved
4: ap-less attack (set to 1) - nonce-error-corrections not required
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory
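The bitmask above can be decoded mechanically when reviewing converted hash files. The following is an added example, not code from hcxtools or from the original page; it assumes the message pair is the last of the nine `*`-separated fields of a `WPA*02` line in hashcat's 22000 format (a layout this page does not spell out), and the sample line is constructed.

```python
# Added example (not part of hcxtools): decode the message pair byte using the
# bitmask table above. SAMPLE_LINE is constructed, not taken from a capture.

# Bits 2..0: which handshake messages were paired and where the EAPOL came from.
PAIRS = {
    0b000: ("M1+M2", "M2", "challenge"),
    0b001: ("M1+M4", "M4", "authorized"),
    0b010: ("M2+M3", "M2", "authorized"),
    0b011: ("M2+M3", "M3", "authorized"),
    0b100: ("M3+M4", "M3", "authorized"),
    0b101: ("M3+M4", "M4", "authorized"),
}
# Bits 4..7: single-bit flags (bit 3 is reserved).
FLAGS = {
    0x10: "ap-less",
    0x20: "LE router detected",
    0x40: "BE router detected",
    0x80: "replaycount not checked",
}


def decode_message_pair(value):
    """Return a dict describing one message pair byte (0..255)."""
    if not 0 <= value <= 0xFF:
        raise ValueError("message pair must fit in one byte")
    low = value & 0x07
    if low not in PAIRS:
        raise ValueError(f"bits 2..0 = {low:03b} are not defined in the table")
    pair, eapol_from, status = PAIRS[low]
    return {
        "pair": pair,
        "eapol_from": eapol_from,
        "status": status,
        "reserved_bit_set": bool(value & 0x08),
        "flags": [name for bit, name in FLAGS.items() if value & bit],
    }


def message_pair_from_hashline(line):
    """Decode the last field of a WPA*02 (EAPOL) line; None for other types."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not a hashcat 22000 hash line")
    if fields[1] != "02":
        return None  # this decoder only handles EAPOL (type 02) lines
    return decode_message_pair(int(fields[8], 16))


# Constructed line: zeroed MIC and nonce, dummy MACs, ESSID "ak84" in hex,
# a two-byte stand-in for the EAPOL frame, message pair a2.
SAMPLE_LINE = "*".join([
    "WPA", "02", "00" * 16, "001122334455", "66778899aabb",
    "616b3834", "00" * 32, "0103", "a2",
])

if __name__ == "__main__":
    print(message_pair_from_hashline(SAMPLE_LINE))
```

A set "replaycount not checked" flag marks hashes for which the table says nonce-error-corrections is mandatory, which is a useful triage signal before spending time on a hash file.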
Do not edit, merge or convert pcapng files! This will remove optional comment fields!
Detection of bit errors does not work on cleaned dump files!
Do not use hcxpcapngtool in combination with third party cap/pcap/pcapng cleaning tools (except: tshark and/or Wireshark)! It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this.
Recommended tools to show additional 802.11 fields or to decrypt WiFi traffic: Wireshark and/or tshark
Recommended tool to filter converted hash by several options: hcxhashtool
Recommended tool to get default or standard PSKs: hcxpsktool
Recommended tool to calculate wordlists based on ESSID: hcxeiutool
Recommended tools to retrieve PSK from hash: hashcat, JtR
hcxpcapngtool usage examples
Convert captured wireless frames (the dumpfile.pcapng file) to hashes (saved to the hash.hc22000 file) and extract password candidates (saved to the wordlist.txt file):
hcxpcapngtool -o hash.hc22000 -E wordlist.txt dumpfile.pcapng
hcxhashtool Help
Shows information about PMKID/EAPOL hashes and provides various filtering operations with new PMKID/EAPOL hashes.
Usage:
hcxhashtool <options>
Options:
-i <file> : input PMKID/EAPOL hash file
-o <file> : output PMKID/EAPOL hash file
-E <file> : output ESSID list (autohex enabled)
-d : download http://standards-oui.ieee.org/oui.txt
    and save to ~/.hcxtools/oui.txt
    internet connection required
-h : show this help
-v : show version
--essid-group : convert to ESSID groups in working directory
    full advantage of reuse of PBKDF2
    not on old hash formats
--oui-group : convert to OUI groups in working directory
    not on old hash formats
--mac-group-ap : convert APs to MAC groups in working directory
    not on old hash formats
--mac-group-client : convert CLIENTs to MAC groups in working directory
    not on old hash formats
--type=<digit> : filter by hash type
    bitmask:
    1 = PMKID
    2 = EAPOL
    default PMKID and EAPOL (1+2=3)
--hcx-min=<digit> : disregard hashes with occurrence lower than hcx-min/ESSID
--hcx-max=<digit> : disregard hashes with occurrence higher than hcx-max/ESSID
--essid-len : filter by ESSID length
    default ESSID length: 0...32
--essid-min : filter by ESSID minimum length
    default ESSID minimum length: 0
--essid-max : filter by ESSID maximum length
    default ESSID maximum length: 32
--essid=<ESSID> : filter by ESSID
--essid-part=<part of ESSID> : filter by part of ESSID
--essid-list=<file> : filter by ESSID file
--mac-ap=<MAC> : filter AP by MAC
    format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--mac-client=<MAC> : filter CLIENT by MAC
    format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--mac-list=<file> : filter by MAC file
    format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--mac-skiplist=<file> : exclude MAC from file
    format: 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55 (hex)
--oui-ap=<OUI> : filter AP by OUI
    format: 001122, 00:11:22, 00-11-22 (hex)
--oui-client=<OUI> : filter CLIENT by OUI
    format: 001122, 00:11:22, 00-11-22 (hex)
--vendor=<VENDOR> : filter AP or CLIENT by (part of) VENDOR name
--vendor-ap=<VENDOR> : filter AP by (part of) VENDOR name
--vendor-client=<VENDOR> : filter CLIENT by (part of) VENDOR name
--authorized : filter EAPOL pairs by status authorized (M2M3, M3M4, M1M4)
--challenge : filter EAPOL pairs by status CHALLENGE (M1M2, M1M2ROGUE)
--rc : filter EAPOL pairs by replaycount status checked
--rc-not : filter EAPOL pairs by replaycount status not checked
--apless : filter EAPOL pairs by status M1M2ROGUE (M2 requested from CLIENT)
--info=<file> : output detailed information about content of hash file
    no filter options available
--info=stdout : stdout output detailed information about content of hash file
    no filter options available
--info-vendor=<file> : output detailed information about ACCESS POINT and CLIENT VENDORs
    no filter options available
--info-vendor-ap=<file> : output detailed information about ACCESS POINT VENDORs
    no filter options available
--info-vendor-client=<file> : output detailed information about ACCESS POINT VENDORs
    no filter options available
--info-vendor=stdout : stdout output detailed information about ACCESS POINT and CLIENT VENDORs
    no filter options available
--info-vendor-ap=stdout : stdout output detailed information about ACCESS POINT VENDORs
    no filter options available
--info-vendor-client=stdout : stdout output detailed information about ACCESS POINT VENDORs
    no filter options available
--psk=<PSK> : pre-shared key to test
    due to PBKDF2 calculation this is a very slow process
    no nonce error corrections
--pmk=<PMK> : plain master key to test
    no nonce error corrections
--hccapx=<file> : output to deprecated hccapx file
--hccap=<file> : output to ancient hccap file
--hccap-single : output to ancient hccap single files (MAC + count)
--john=<file> : output to deprecated john file
--vendorlist : stdout output complete OUI list sorted by OUI
--help : show this help
--version : show version
hcxhashtool usage examples
Viewing hash information:
hcxhashtool --info=stdout -i RT-728005.hc22000
Extracting the hash of the Access Point named ak84 from the hash.hc22000 hash file and saving a separate hash to the ak84.hc22000 file:
hcxhashtool -i hash.hc22000 --essid=ak84 -o ak84.hc22000
hcxpsktool Help
Generates password candidates for hashcat and john to brute force based on hcxpcapngtool output or command line input.
Usage:
hcxpsktool <options>
Options:
-c <file> : input PMKID/EAPOL hash file (hashcat -m 22000)
-i <file> : input EAPOL hash file (hashcat)
-j <file> : input EAPOL hash file (john)
-z <file> : input PMKID hash file (hashcat and john)
-e <char> : input ESSID
-b <xdigit> : input MAC access point
    format: 112233445566
-o <file> : output PSK file
    default: stdout
    output list must be sorted unique!
-h : show this help
-v : show version
--maconly : print only candidates based on ACCESS POINT MAC
--noessidcombination: exclude ESSID combinations
--netgear : include weak NETGEAR / ORBI / NTGR_VMB / ARLO_VMB candidates
--spectrum : include weak MySpectrumWiFi / SpectrumSetup / MyCharterWiFi candidates
    list will be > 1.7GB
--digit10 : include weak 10 digit candidates (INFINITUM, ALHN, INEA, VodafoneNet, VIVACOM)
    list will be > 1GB
--phome : include weak PEGATRON HOME candidates
--tenda : include weak TENDA candidates
--ee : include weak EE BrightBox candidates
    list will be > 3GB
--weakpass : include weak password candidates
--eudate : include complete european dates
--usdate : include complete american dates
--wpskeys : include complete WPS keys
--egn : include Bulgarian EGN
--help : show this help
--version : show version
If hcxpsktool recovered your password, you should change it immediately!
hcxpsktool usage examples
1.
The next command will generate passwords for the hash of one AP, located in the RT-728005.hash file, and save passwords to the RT-728005.pass file:
hcxpsktool -c RT-728005.hash -o RT-728005.pass
Launch a dictionary attack using the generated password list:
hashcat --hwmon-temp-abort=100 -a 0 -m 22000 -d 1 RT-728005.hash RT-728005.pass
2.
The command will generate password candidates based on several hashes from the hash.hc22000 file and save the generated passwords to the all.txt file:
hcxpsktool -c hash.hc22000 -o all.txt
Deleting duplicates:
cat all.txt | sort | uniq > all-cleaned.txt
Launch a dictionary attack using the generated password list:
hashcat --hwmon-temp-abort=100 -a 0 -m 22000 -d 1 hash.hc22000 all-cleaned.txt
hcxpmktool Help
Calculate and verify a PSK and/or a PMK
Usage:
hcxpmktool <options>
Options:
short options:
-i <hash line> : input hashcat hash line (-m 22000)
-e <ESSID> : input ESSID
-p <PSK> : input Pre Shared Key
-m <PMK> : input Plain Master KEY

long options:
--help : show this help
--version : show version
hcxeiutool Help
Prepares dictionaries obtained from the output of the hcxpcapngtool command when using the -E, -I, and -U options for use in a hashcat + rule or JtR + rule.
Usage:
hcxeiutool <options>
Options:
-i <file> : input wordlist
-d <file> : output digit wordlist
-x <file> : output xdigit wordlist
-c <file> : output character wordlist (A-Za-z - other characters removed)
-s <file> : output character wordlist (A-Za-z - other characters replaced by 0x0d)
    recommended option for processing with rules
-h : show this help
-v : show version
--help : show this help
--version : show version
hcxeiutool usage examples
hcxdumptool -i <interface> -o dump.pcapng --enable_status=31
hcxpcapngtool -o hash.22000 -E elist dump.pcapng
hcxeiutool -i elist -d digitlist -x xdigitlist -c charlist -s sclist
cat elist digitlist xdigitlist charlist sclist > wordlisttmp
hashcat --stdout -r <rule> charlist >> wordlisttmp
hashcat --stdout -r <rule> sclist >> wordlisttmp
cat wordlisttmp | sort | uniq > wordlist
hashcat -m 22000 hash.22000 wordlist
hcxwltool Help
Calculates candidates for hashcat and john based on mixed wordlists
Usage:
hcxwltool <options>
Options:
-i <file> : input wordlist
-o <file> : output wordlist to file
-h : show this help
-v : show version
--straight : output format untouched
--digit : output format only digits
--xdigit : output format only xdigits
--lower : output format only lower
--upper : output format only upper
--capital : output format only capital
--length=<digit> : password length (8...32)
--help : show this help
--version : show version
hcxwltool usage examples
hcxwltool -i wordlist --straight | sort | uniq | hashcat -m 22000 hashfile.hc22000
hcxwltool -i wordlist --digit --length=10 | sort | uniq | hashcat -m 22000 hashfile.hc22000
hcxwltool -i wordlist --digit | sort | uniq | hashcat -m 22000 hashfile.hc22000
hcxwltool -i wordlist --xdigit | sort | uniq | john --stdin --format=wpapsk-opencl john.hashfile
hcxhash2cap Help
Converts hash file (PMKID&EAPOL, PMKID, EAPOL-hccapx, EAPOL-hccap, WPAPSK-john) to cap.
Usage:
hcxhash2cap <options>
Options:
-c <file> : output cap file
    if no cap file is selected, output will be written to single cap files
    format: mac_sta.cap (mac_sta.cap_x)
-h : show this help
-v : show version
--pmkid-eapol=<file> : input PMKID EAPOL combi hash file
--pmkid=<file> : input PMKID hash file
--hccapx=<file> : input hashcat hccapx file
--hccap=<file> : input hashcat hccap file
--john=<file> : input John the Ripper WPAPSK hash file
--help : show this help
--version : show version
wlancap2wpasec Help
Upload multiple (gzip compressed) pcapng, pcap and cap files to https://wpa-sec.stanev.org
Usage:
wlancap2wpasec <options> [input.pcapng] [input.pcap] [input.cap] [input.pcapng.gz]...
wlancap2wpasec <options> *.pcapng
wlancap2wpasec <options> *.gz
wlancap2wpasec <options> *.*
Options:
-k <key> : wpa-sec user key
-u <url> : set user defined URL
    default = https://wpa-sec.stanev.org
-t <seconds> : set connection timeout
    default = 30 seconds
-e <email address> : set email address, if required
-R : remove cap if upload was successful
-h : this help
-h : show version
Do not merge different cap files to a single cap file.
This will lead to unexpected behavior on ESSID changes or different link layer types.
To remove unnecessary packets, run tshark:
tshark -r input.cap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcapng -w output.pcapng
To reduce the size of the cap file, compress it with gzip:
gzip capture.pcapng
whoismac Help
Show vendor information and/or download oui reference list.
Usage:
whoismac <options>
Options:
-d : download http://standards-oui.ieee.org/oui/oui.txt
    : and save to ~/.hcxtools/oui.txt
    : internet connection required
-m <mac> : mac (six bytes of mac addr) or
    : oui (fist three bytes of mac addr)
-p <hashline> : input PMKID and/or EAPOL hashline (hashmode 22000 or 16800)
-P <hashline> : input EAPOL hashline from potfile (hashcat <= 5.1.0)
-e <ESSID> : input ESSID
-x <xdigit> : input ESSID in hex
-e <ESSID> : input ESSID
-v <vendor> : vendor name
-h : this help screen
How to install hcxtools
Installation on Kali Linux
sudo apt install hcxtools
Installation on BlackArch
sudo pacman -S hcxtools
Installation on Debian, Linux Mint, Ubuntu and their derivatives
sudo apt install libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev libssl1.1 git
git clone https://github.com/ZerBea/hcxtools
cd hcxtools/
make
sudo make install
Tutorials
- Hacking Wi-Fi without users
- USB Wi-Fi Adapters with monitor mode and wireless injection (100% compatible with Kali Linux)
- Wi-Fi security audit improved: new tools, hash, and techniques
- Wi-Fi security audit with Hashcat and hcxdumptool