Other multicapconverter - all in one tool

hashC.co.uk · Jan 28, 2020

Hi,
I'm (re)witting this thread just as the old one is no longer exists (due to the forum migration)

multicapconverter is a portable python tool that you can use to convert your capture file to any of the hashcat supported formats.
it was mainly based on the cap2hccapx tool, with more features added such as pcapng support and much more listed below

Python:

usage: multicapconverter.py --input capture.cap --export
                            {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}
                            [--output capture.hcwpax] [--all]
                            [--filter-by filter-by filter]
                            [--group-by {none,bssid,essid,handshake}]
                            [--do-not-clean] [--ignore-ie] [--ignore-ts]
                            [--quiet] [--version] [--help]

Convert a cap/pcap/pcapng capture file to a hashcat
hcwpax/hccapx/hccap/hcpmkid/hceapmd5/hceapleap file

required arguments:
  --input capture.cap, -i capture.cap
                        Input capture file
  --export {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}, -x {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}

optional arguments:
  --output capture.hcwpax, -o capture.hcwpax
                        Output file
  --all, -a             Export all handshakes even unauthenticated ones
  --filter-by filter-by filter, -f filter-by filter
                        --filter-by {bssid XX:XX:XX:XX:XX:XX, essid ESSID}
  --group-by {none,bssid,essid,handshake}, -g {none,bssid,essid,handshake}
  --do-not-clean        Do not clean output
  --ignore-ie           Ignore information element (AKM Check) (Not
                        Recommended)
  --ignore-ts           Ignore timestamps check (Not Recommended)
  --quiet, -q           Enable quiet mode (print only output files/data)
  --version, -v         show program's version number and exit
  --help, -h            show this help message and exit

Features

Supports cap/pcap/pcapng
Supports combined cap/pcap/pcapng files
Supports gz compressed cap/pcap/pcapng files
Export as hccap (hashcat mode = 2500 (legacy))
Export as hccapx (hashcat mode = 2500)
Export as hcpmkid (hashcat mode = 16800)
Export as hcwpax (hashcat mode = 22000)
Export as hceapmd5 (hashcat mode = 4800)
Export as hceapleap (hashcat mode = 5500)
Export only authenticated handshakes or all handshakes
Output files can be filtered/grouped
Supports hcxdumptool

Examples
We have a capture file 'capture.cap' which includes 4 handshakes:

#	BSSID	ESSID	AUTHENTICATED
1	00:00:00:00:AA:AA	Wifi	N
2	00:00:00:00:AA:AA	Wifi	Y
3	00:00:00:00:BB:BB	Internet	Y
4	00:00:00:00:CC:CC	Wifi	Y

By default the original c version write all the hccapx into one file no matter what. If you need a single separated handshake you will have to use a hex editor and take the required 393 bytes by yourself.. Well not anymore

Also the original c version export all the handshakes even if they are not authenticated, in this python version it's a bit different, as the default is to ignore unauthenticated handshakes but can be exported by using the --all flag

1) Extract each handshake into a separated file (Auth Only)

Code:

python3 multicapconverter.py -i capture.cap --group-by handshake -x hccapx
...
Output hccapx files:
00-00-00-00-AA-AA_0.hccapx // 2
00-00-00-00-BB-BB_0.hccapx // 3
00-00-00-00-CC-CC_0.hccapx // 4

2) Extract each handshake into a separated file (All)

Code:

python3 multicapconverter.py -i capture.cap --group-by handshake -x hccapx --all
...
Output hccapx files:
00-00-00-00-AA-AA_0.hccapx // 1
00-00-00-00-AA-AA_1.hccapx // 2
00-00-00-00-BB-BB_0.hccapx // 3
00-00-00-00-CC-CC_0.hccapx // 4

3) Extract all handshakes into one file (just like the old c version)

Code:

python3 multicapconverter.py -i capture.cap --group-by none -x hccapx --all
...
Output hccapx files:
capture.hccapx // 1, 2, 3 and 4

4) Extract handshakes based on BSSID

Code:

python3 multicapconverter.py -i capture.cap --group-by bssid -x hccapx --all
...
Output hccapx files:
00-00-00-00-AA-AA.hccapx // 1 and 2
00-00-00-00-BB-BB.hccapx // 3
00-00-00-00-CC-CC.hccapx // 4

5) Extract handshakes based on ESSID

Code:

python3 multicapconverter.py -i capture.cap --group-by essid -x hccapx --all
...
Output hccapx files:
Wifi.hccapx // 1, 2 and 4
Internet.hccapx // 3

6) Extract handshakes based on ESSID having a specific BSSID

Code:

python3 multicapconverter.py -i capture.cap --group-by essid --filter-by bssid 00:00:00:00:CC:CC -x hccapx --all
...
Output hccapx files:
Wifi.hccapx // 4

Notes

--group-by works only for hccap and hccapx output
--all works only for hccap, hccapx and hcwpax (WPA*02) output
by default, if a capture have both WPA*01 and WPA*02 (hcwpax format), WPA*02 will be ignored on the exportation process. If you want to export both, use --do-not-clean
by default, multicapconverter ignores packets with zeroed timestamps. If you want to process such packets, use --ignore-ts (Not Recommended)
by default, multicapconverter exports only pmkids that are PSK/PSK256 related (AKM check). If you want to ignore AKM check, use --ignore-ie (Not Recommended)

Extra
If you are using Linux and you want to use the tool from different places (instead from only the working directory), simply copy the python script to your bin path:

Bash:

sudo cp multicapconverter.py /usr/bin/
sudo chmod +x /usr/bin/multicapconverter.py
sudo ln -s /usr/bin/multicapconverter.py /usr/bin/multicapconverter

Now you can simply use multicapconverter, example: multicapconverter -i capture.pcapng -x hcwpax

Source Code
https://github.com/s77rt/multicapconverter/

WreckTangle · Jan 28, 2020

This is brilliant thank you!

Could you possibly make it output hccap for those of us who do not have modern GPU's?

Outputting all to seperate .cap files by ESSID etc would also be useful.

hashC.co.uk · Jan 28, 2020

WreckTangle said:
Could you possibly make it output hccap for those of us who do not have modern GPU's?

hccap? hmm okay, i just need to find the old structure and some time

WreckTangle said:
Outputting all to seperate .cap files by ESSID etc would also be useful.

do you mean to separate hccapx ? as this feature is already available --group-by essid
or you really meant cap files?

WreckTangle · Jan 29, 2020

hashC.co.uk said:
hccap? hmm okay, i just need to find the old structure and some time

Oh thank you very much!

hashC.co.uk said:
do you mean to separate hccapx ? as this feature is already available --group-by essid
or you really meant cap files?

The naming feature request was for cap and hccap not just hccap(X) if that is possible. Actually maybe it is better to output AP_MAC rather than ESSID as there can be problems with some characters in the names. hcxtools uses auto hex but it is probably much simpler and just as useful for your tool to name outputted hccap or cap by AP_MAC.

I am learning all this stuff and being able to convert to anything from anything is very useful and interesting.

Thank you very much for your work on this tool and for sharing.

hashC.co.uk · Jan 29, 2020

WreckTangle said:
Oh thank you very much!

The naming feature request was for cap and hccap not just hccap(X) if that is possible. Actually maybe it is better to output AP_MAC rather than ESSID as there can be problems with some characters in the names. hcxtools uses auto hex but it is probably much simpler and just as useful for your tool to name outputted hccap or cap by AP_MAC.

I am learning all this stuff and being able to convert to anything from anything is very useful and interesting.

Thank you very much for your work on this tool and for sharing.

I have added the export option hccap (-x hccap) as requested

regarding the naming:
file name is ESSID if chosen option is to group by essid (the filename is being filtered so there is some cases where the filename is not exactly as the essid)
else the name is MAC
(see the examples above)

also the tool does not convert to cap.
it does convert from cap/pcap/pcapng (gzipped files are also accepted) to hcwpax/hccapx/hccap/hcpmkid format

WreckTangle · Jan 31, 2020

Thank you very much hashC.co.uk. I sent you a PM the other day to say thanks but I am unsure if you recieved it. Didn't want you to think I wasn't grateful :)

hashC.co.uk · Jan 31, 2020

WreckTangle said:
Thank you very much hashC.co.uk. I sent you a PM the other day to say thanks but I am unsure if you recieved it. Didn't want you to think I wasn't grateful :)

I got your pm.
You are welcome ;)
In fact if you have any more ideas, i would be happy to implement ^^ thanks :)

laci1 · Feb 26, 2020

I give it a go! Thanks!

hashC.co.uk · Mar 17, 2020

Version 0.2.1 has been released :)

Added Option: --wordlist or -E :: Extract wordlist / AP-LESS possible passwords. (same as hcxpcapngtool -E)
Fixed: Timestamps calculations and nonce error correction values
(full changelog)

output example:

Code:

$ multicapconverter -i test1.pcapng -x hcwpax
[i] Networks detected: 1                                                    
[i] WPA: 1, EAP-MD5: 0, EAP-LEAP: 0

|*| BSSID=a0:f3:c1:50:3e:62 ESSID=hascat (Length: 6)
| | EAPOL-M1: 3, EAPOL-M2: 2, EAPOL-M3: 1, EAPOL-M4: 0
| | BEACON: 1, ASSOC: 1, REASSOC: 0, PROBE: 1
| > STA=b0:c0:90:46:7c:ab, Message Pair=0, Replay Counter=62483, Time Gap=6012, Authenticated=N [Skipped]
| > STA=b0:c0:90:46:7c:ab, Message Pair=0, Replay Counter=1, Time Gap=2503, Authenticated=N [Skipped]
| > STA=b0:c0:90:46:7c:ab, Message Pair=2, Replay Counter=1, Time Gap=3623, Authenticated=Y

hcWPAx:
WPA*02*f6b32d9fc030aa42a250f1e93785bc2d*a0f3c1503e62*b0c090467cab*686173636174*e2616837cfdc78cbb193040c5b6b4c91c0cf49e4a6266267c31b6638910560ef*0103007502010a00000000000000000001138433a9c7269ea16b1b99fa8370cf5f01c4a433493806c835f01fc1d6508a03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac028000*02

hashC.co.uk · Mar 24, 2020

Version 1.0.0 is now available !
Two major features: (full changelog)

MAC VENDOR LOOKUP
MAC GEOLOCATION LOOKUP (--locate)

Regarding MAC GEOLOCATION LOOKUP an api is required, just pm me to get your private api (free 100 requests included)
Currently there is an active public api for free but temporarily, as it's gonna probably cost $0.01 per lookup (i shall post more info soon here)

Here how it looks:

Code:

$ multicapconverter -i ZTE1-01.cap -x hcwpax --locate
[i] Networks detected: 1                                                     

|*| BSSID=dc:02:8e:fe:17:94 ESSID=ZTE1 (zte corporation)
| | GEOLOCATION: Egypt (30.027778, 31.22566)
| | EAPOL-M1: 1, EAPOL-M2: 4, EAPOL-M3: 2, EAPOL-M4: 0
| | BEACON: 1, ASSOC: 2, REASSOC: 0, PROBE: 15
| ! WARNING! Not enough EAPOL-M1 frames. This makes it impossible to calculate nonce-error-correction values.
| > STA=2c:fd:ab:82:0b:42, Message Pair=0, Replay Counter=1, Time Gap=10750, Authenticated=N [Skipped]
| > STA=2c:fd:ab:82:0b:42, Message Pair=2, Replay Counter=1, Time Gap=13314, Authenticated=Y

hcWPAx:
WPA*02*cfee46947a82b76bdb9cf769f85b9bba*dc028efe1794*2cfdab820b42*5a544531*60e118f368c749ec9e881cb33f29d5ea9723948c3950a120d0582591e29be812*01030077fe01090020000000000000000165c4e599af0b242a4d01db81033b8ba390de79c93c6e7df25ccac014732278850000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*02

Reconsniper · Thursday at 7:37 AM

Outstanding tool , Great work

Other multicapconverter - all in one tool

hashC.co.uk

Active member

WreckTangle

Member

hashC.co.uk

Active member

WreckTangle

Member

hashC.co.uk

Active member

WreckTangle

Member

hashC.co.uk

Active member

laci1

New member

hashC.co.uk

Active member

hashC.co.uk

Active member

Reconsniper

Active member