Other multicapconverter - all in one tool

hashC.co.uk

Active member
Cracker
Joined
Dec 30, 2019
Messages
1,392
Reaction score
51
Hi,
I'm (re)witting this thread just as the old one is no longer exists (due to the forum migration)

multicapconverter is a portable python tool that you can use to convert your capture file to any of the hashcat supported formats.
it was mainly based on the cap2hccapx tool, with more features added such as pcapng support and much more listed below

Python:
usage: multicapconverter.py --input capture.cap --export
                            {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}
                            [--output capture.hcwpax] [--all]
                            [--filter-by filter-by filter]
                            [--group-by {none,bssid,essid,handshake}]
                            [--do-not-clean] [--ignore-ie] [--ignore-ts]
                            [--quiet] [--version] [--help]

Convert a cap/pcap/pcapng capture file to a hashcat
hcwpax/hccapx/hccap/hcpmkid/hceapmd5/hceapleap file

required arguments:
  --input capture.cap, -i capture.cap
                        Input capture file
  --export {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}, -x {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}

optional arguments:
  --output capture.hcwpax, -o capture.hcwpax
                        Output file
  --all, -a             Export all handshakes even unauthenticated ones
  --filter-by filter-by filter, -f filter-by filter
                        --filter-by {bssid XX:XX:XX:XX:XX:XX, essid ESSID}
  --group-by {none,bssid,essid,handshake}, -g {none,bssid,essid,handshake}
  --do-not-clean        Do not clean output
  --ignore-ie           Ignore information element (AKM Check) (Not
                        Recommended)
  --ignore-ts           Ignore timestamps check (Not Recommended)
  --quiet, -q           Enable quiet mode (print only output files/data)
  --version, -v         show program's version number and exit
  --help, -h            show this help message and exit
Features
  • Supports cap/pcap/pcapng
  • Supports combined cap/pcap/pcapng files
  • Supports gz compressed cap/pcap/pcapng files
  • Export as hccap (hashcat mode = 2500 (legacy))
  • Export as hccapx (hashcat mode = 2500)
  • Export as hcpmkid (hashcat mode = 16800)
  • Export as hcwpax (hashcat mode = 22000)
  • Export as hceapmd5 (hashcat mode = 4800)
  • Export as hceapleap (hashcat mode = 5500)
  • Export only authenticated handshakes or all handshakes
  • Output files can be filtered/grouped
  • Supports hcxdumptool
Examples
We have a capture file 'capture.cap' which includes 4 handshakes:

#BSSIDESSIDAUTHENTICATED
100:00:00:00:AA:AAWifiN
200:00:00:00:AA:AAWifiY
300:00:00:00:BB:BBInternetY
400:00:00:00:CC:CCWifiY
By default the original c version write all the hccapx into one file no matter what. If you need a single separated handshake you will have to use a hex editor and take the required 393 bytes by yourself.. Well not anymore

Also the original c version export all the handshakes even if they are not authenticated, in this python version it's a bit different, as the default is to ignore unauthenticated handshakes but can be exported by using the --all flag

1) Extract each handshake into a separated file (Auth Only)
Code:
python3 multicapconverter.py -i capture.cap --group-by handshake -x hccapx
...
Output hccapx files:
00-00-00-00-AA-AA_0.hccapx // 2
00-00-00-00-BB-BB_0.hccapx // 3
00-00-00-00-CC-CC_0.hccapx // 4
2) Extract each handshake into a separated file (All)
Code:
python3 multicapconverter.py -i capture.cap --group-by handshake -x hccapx --all
...
Output hccapx files:
00-00-00-00-AA-AA_0.hccapx // 1
00-00-00-00-AA-AA_1.hccapx // 2
00-00-00-00-BB-BB_0.hccapx // 3
00-00-00-00-CC-CC_0.hccapx // 4
3) Extract all handshakes into one file (just like the old c version)
Code:
python3 multicapconverter.py -i capture.cap --group-by none -x hccapx --all
...
Output hccapx files:
capture.hccapx // 1, 2, 3 and 4
4) Extract handshakes based on BSSID
Code:
python3 multicapconverter.py -i capture.cap --group-by bssid -x hccapx --all
...
Output hccapx files:
00-00-00-00-AA-AA.hccapx // 1 and 2
00-00-00-00-BB-BB.hccapx // 3
00-00-00-00-CC-CC.hccapx // 4
5) Extract handshakes based on ESSID
Code:
python3 multicapconverter.py -i capture.cap --group-by essid -x hccapx --all
...
Output hccapx files:
Wifi.hccapx // 1, 2 and 4
Internet.hccapx // 3
6) Extract handshakes based on ESSID having a specific BSSID
Code:
python3 multicapconverter.py -i capture.cap --group-by essid --filter-by bssid 00:00:00:00:CC:CC -x hccapx --all
...
Output hccapx files:
Wifi.hccapx // 4

Notes
  • --group-by works only for hccap and hccapx output
  • --all works only for hccap, hccapx and hcwpax (WPA*02) output
  • by default, if a capture have both WPA*01 and WPA*02 (hcwpax format), WPA*02 will be ignored on the exportation process. If you want to export both, use --do-not-clean
  • by default, multicapconverter ignores packets with zeroed timestamps. If you want to process such packets, use --ignore-ts (Not Recommended)
  • by default, multicapconverter exports only pmkids that are PSK/PSK256 related (AKM check). If you want to ignore AKM check, use --ignore-ie (Not Recommended)

Extra
If you are using Linux and you want to use the tool from different places (instead from only the working directory), simply copy the python script to your bin path:
Bash:
sudo cp multicapconverter.py /usr/bin/
sudo chmod +x /usr/bin/multicapconverter.py
sudo ln -s /usr/bin/multicapconverter.py /usr/bin/multicapconverter
Now you can simply use multicapconverter, example: multicapconverter -i capture.pcapng -x hcwpax


Source Code
https://github.com/s77rt/multicapconverter/
 
Last edited:

WreckTangle

Member
Joined
Jan 24, 2020
Messages
11
Reaction score
0
This is brilliant thank you!

Could you possibly make it output hccap for those of us who do not have modern GPU's?

Outputting all to seperate .cap files by ESSID etc would also be useful.
 

hashC.co.uk

Active member
Cracker
Joined
Dec 30, 2019
Messages
1,392
Reaction score
51
Could you possibly make it output hccap for those of us who do not have modern GPU's?
hccap? hmm okay, i just need to find the old structure and some time

Outputting all to seperate .cap files by ESSID etc would also be useful.
do you mean to separate hccapx ? as this feature is already available --group-by essid
or you really meant cap files?
 

WreckTangle

Member
Joined
Jan 24, 2020
Messages
11
Reaction score
0
hccap? hmm okay, i just need to find the old structure and some time
Oh thank you very much!

do you mean to separate hccapx ? as this feature is already available --group-by essid
or you really meant cap files?
The naming feature request was for cap and hccap not just hccap(X) if that is possible. Actually maybe it is better to output AP_MAC rather than ESSID as there can be problems with some characters in the names. hcxtools uses auto hex but it is probably much simpler and just as useful for your tool to name outputted hccap or cap by AP_MAC.

I am learning all this stuff and being able to convert to anything from anything is very useful and interesting.

Thank you very much for your work on this tool and for sharing.
 

hashC.co.uk

Active member
Cracker
Joined
Dec 30, 2019
Messages
1,392
Reaction score
51
Oh thank you very much!



The naming feature request was for cap and hccap not just hccap(X) if that is possible. Actually maybe it is better to output AP_MAC rather than ESSID as there can be problems with some characters in the names. hcxtools uses auto hex but it is probably much simpler and just as useful for your tool to name outputted hccap or cap by AP_MAC.

I am learning all this stuff and being able to convert to anything from anything is very useful and interesting.

Thank you very much for your work on this tool and for sharing.
I have added the export option hccap (-x hccap) as requested

regarding the naming:
file name is ESSID if chosen option is to group by essid (the filename is being filtered so there is some cases where the filename is not exactly as the essid)
else the name is MAC
(see the examples above)

also the tool does not convert to cap.
it does convert from cap/pcap/pcapng (gzipped files are also accepted) to hcwpax/hccapx/hccap/hcpmkid format
 

WreckTangle

Member
Joined
Jan 24, 2020
Messages
11
Reaction score
0
Thank you very much hashC.co.uk. I sent you a PM the other day to say thanks but I am unsure if you recieved it. Didn't want you to think I wasn't grateful :)
 

hashC.co.uk

Active member
Cracker
Joined
Dec 30, 2019
Messages
1,392
Reaction score
51
Thank you very much hashC.co.uk. I sent you a PM the other day to say thanks but I am unsure if you recieved it. Didn't want you to think I wasn't grateful :)
I got your pm.
You are welcome ;)
In fact if you have any more ideas, i would be happy to implement ^^ thanks :)
 

hashC.co.uk

Active member
Cracker
Joined
Dec 30, 2019
Messages
1,392
Reaction score
51
Version 0.2.1 has been released :)

Added Option: --wordlist or -E :: Extract wordlist / AP-LESS possible passwords. (same as hcxpcapngtool -E)
Fixed: Timestamps calculations and nonce error correction values
(full changelog)

output example:
Code:
$ multicapconverter -i test1.pcapng -x hcwpax
[i] Networks detected: 1                                                    
[i] WPA: 1, EAP-MD5: 0, EAP-LEAP: 0

|*| BSSID=a0:f3:c1:50:3e:62 ESSID=hascat (Length: 6)
| | EAPOL-M1: 3, EAPOL-M2: 2, EAPOL-M3: 1, EAPOL-M4: 0
| | BEACON: 1, ASSOC: 1, REASSOC: 0, PROBE: 1
| > STA=b0:c0:90:46:7c:ab, Message Pair=0, Replay Counter=62483, Time Gap=6012, Authenticated=N [Skipped]
| > STA=b0:c0:90:46:7c:ab, Message Pair=0, Replay Counter=1, Time Gap=2503, Authenticated=N [Skipped]
| > STA=b0:c0:90:46:7c:ab, Message Pair=2, Replay Counter=1, Time Gap=3623, Authenticated=Y

hcWPAx:
WPA*02*f6b32d9fc030aa42a250f1e93785bc2d*a0f3c1503e62*b0c090467cab*686173636174*e2616837cfdc78cbb193040c5b6b4c91c0cf49e4a6266267c31b6638910560ef*0103007502010a00000000000000000001138433a9c7269ea16b1b99fa8370cf5f01c4a433493806c835f01fc1d6508a03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac028000*02
 

hashC.co.uk

Active member
Cracker
Joined
Dec 30, 2019
Messages
1,392
Reaction score
51
Version 1.0.0 is now available !
Two major features: (full changelog)
  • MAC VENDOR LOOKUP
  • MAC GEOLOCATION LOOKUP (--locate)
Regarding MAC GEOLOCATION LOOKUP an api is required, just pm me to get your private api (free 100 requests included)
Currently there is an active public api for free but temporarily, as it's gonna probably cost $0.01 per lookup (i shall post more info soon here)

Here how it looks:
Code:
$ multicapconverter -i ZTE1-01.cap -x hcwpax --locate
[i] Networks detected: 1                                                     

|*| BSSID=dc:02:8e:fe:17:94 ESSID=ZTE1 (zte corporation)
| | GEOLOCATION: Egypt (30.027778, 31.22566)
| | EAPOL-M1: 1, EAPOL-M2: 4, EAPOL-M3: 2, EAPOL-M4: 0
| | BEACON: 1, ASSOC: 2, REASSOC: 0, PROBE: 15
| ! WARNING! Not enough EAPOL-M1 frames. This makes it impossible to calculate nonce-error-correction values.
| > STA=2c:fd:ab:82:0b:42, Message Pair=0, Replay Counter=1, Time Gap=10750, Authenticated=N [Skipped]
| > STA=2c:fd:ab:82:0b:42, Message Pair=2, Replay Counter=1, Time Gap=13314, Authenticated=Y

hcWPAx:
WPA*02*cfee46947a82b76bdb9cf769f85b9bba*dc028efe1794*2cfdab820b42*5a544531*60e118f368c749ec9e881cb33f29d5ea9723948c3950a120d0582591e29be812*01030077fe01090020000000000000000165c4e599af0b242a4d01db81033b8ba390de79c93c6e7df25ccac014732278850000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*02
 
Top