Other multicapconverter - all in one tool

HashRecovery

Hi,
I'm (re)writing this thread as the old one no longer exists (due to the forum migration).

multicapconverter is a portable Python tool that you can use to convert your capture file to any of the hashcat-supported formats.
It was mainly based on the cap2hccapx tool, with more features added, such as pcapng support and much more listed below.

Python:
usage: multicapconverter.py --input capture.cap --export
                            {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}
                            [--output capture.hcwpax] [--all]
                            [--filter-by filter-by filter]
                            [--group-by {none,bssid,essid,handshake}]
                            [--do-not-clean] [--ignore-ie] [--ignore-ts]
                            [--quiet] [--version] [--help]

Convert a cap/pcap/pcapng capture file to a hashcat
hcwpax/hccapx/hccap/hcpmkid/hceapmd5/hceapleap file

required arguments:
  --input capture.cap, -i capture.cap
                        Input capture file
  --export {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}, -x {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}

optional arguments:
  --output capture.hcwpax, -o capture.hcwpax
                        Output file
  --all, -a             Export all handshakes even unauthenticated ones
  --filter-by filter-by filter, -f filter-by filter
                        --filter-by {bssid XX:XX:XX:XX:XX:XX, essid ESSID}
  --group-by {none,bssid,essid,handshake}, -g {none,bssid,essid,handshake}
  --do-not-clean        Do not clean output
  --ignore-ie           Ignore information element (AKM Check) (Not
                        Recommended)
  --ignore-ts           Ignore timestamps check (Not Recommended)
  --quiet, -q           Enable quiet mode (print only output files/data)
  --version, -v         show program's version number and exit
  --help, -h            show this help message and exit

Features
  • Supports cap/pcap/pcapng
  • Supports combined cap/pcap/pcapng files
  • Supports gz compressed cap/pcap/pcapng files
  • Export as hccap (hashcat mode = 2500 (legacy))
  • Export as hccapx (hashcat mode = 2500)
  • Export as hcpmkid (hashcat mode = 16800)
  • Export as hcwpax (hashcat mode = 22000)
  • Export as hceapmd5 (hashcat mode = 4800)
  • Export as hceapleap (hashcat mode = 5500)
  • Export only authenticated handshakes or all handshakes
  • Output files can be filtered/grouped
  • Supports hcxdumptool

Examples
We have a capture file 'capture.cap' which includes 4 handshakes:

#  BSSID              ESSID     AUTHENTICATED
1  00:00:00:00:AA:AA  Wifi      N
2  00:00:00:00:AA:AA  Wifi      Y
3  00:00:00:00:BB:BB  Internet  Y
4  00:00:00:00:CC:CC  Wifi      Y

By default the original C version writes all the hccapx into one file no matter what. If you need a single separate handshake, you have to use a hex editor and take the required 393 bytes yourself. Well, not anymore.

Also, the original C version exports all the handshakes even if they are not authenticated. In this Python version it's a bit different: the default is to ignore unauthenticated handshakes, but they can be exported by using the --all flag.

1) Extract each handshake into a separate file (Auth Only)
Code:
python3 multicapconverter.py -i capture.cap --group-by handshake -x hccapx
...
Output hccapx files:
00-00-00-00-AA-AA_0.hccapx // 2
00-00-00-00-BB-BB_0.hccapx // 3
00-00-00-00-CC-CC_0.hccapx // 4

2) Extract each handshake into a separate file (All)
Code:
python3 multicapconverter.py -i capture.cap --group-by handshake -x hccapx --all
...
Output hccapx files:
00-00-00-00-AA-AA_0.hccapx // 1
00-00-00-00-AA-AA_1.hccapx // 2
00-00-00-00-BB-BB_0.hccapx // 3
00-00-00-00-CC-CC_0.hccapx // 4

3) Extract all handshakes into one file (just like the old c version)
Code:
python3 multicapconverter.py -i capture.cap --group-by none -x hccapx --all
...
Output hccapx files:
capture.hccapx // 1, 2, 3 and 4

4) Extract handshakes based on BSSID
Code:
python3 multicapconverter.py -i capture.cap --group-by bssid -x hccapx --all
...
Output hccapx files:
00-00-00-00-AA-AA.hccapx // 1 and 2
00-00-00-00-BB-BB.hccapx // 3
00-00-00-00-CC-CC.hccapx // 4

5) Extract handshakes based on ESSID
Code:
python3 multicapconverter.py -i capture.cap --group-by essid -x hccapx --all
...
Output hccapx files:
Wifi.hccapx // 1, 2 and 4
Internet.hccapx // 3

6) Extract handshakes based on ESSID having a specific BSSID
Code:
python3 multicapconverter.py -i capture.cap --group-by essid --filter-by bssid 00:00:00:00:CC:CC -x hccapx --all
...
Output hccapx files:
Wifi.hccapx // 4


Notes
  • --group-by works only for hccap and hccapx output
  • --all works only for hccap, hccapx and hcwpax (WPA*02) output
  • By default, if a capture has both WPA*01 and WPA*02 (hcwpax format), WPA*02 will be ignored in the export process. If you want to export both, use --do-not-clean
  • By default, multicapconverter ignores packets with zeroed timestamps. If you want to process such packets, use --ignore-ts (Not Recommended)
  • By default, multicapconverter exports only PMKIDs that are PSK/PSK256 related (AKM check). If you want to ignore the AKM check, use --ignore-ie (Not Recommended)

Extra
If you are using Linux and you want to use the tool from different places (instead of only from the working directory), simply copy the Python script to your bin path:
Bash:
sudo cp multicapconverter.py /usr/bin/
sudo chmod +x /usr/bin/multicapconverter.py
sudo ln -s /usr/bin/multicapconverter.py /usr/bin/multicapconverter
Now you can simply use multicapconverter, for example: multicapconverter -i capture.pcapng -x hcwpax


Source Code
https://github.com/s77rt/multicapconverter/
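
Added example (not from the original post or the tool's source): splitting an hccapx file into its 393-byte records, dropping structurally broken ones and grouping the rest by BSSID, using four constructed records that mirror the table above. The function names are hypothetical, and treating message pair 0 as the unauthenticated case is an assumption based on the tool output shown later in this thread.

```python
import struct
from collections import defaultdict

# hccapx record, packed little-endian, 393 bytes: signature, version,
# message_pair, essid_len, essid, keyver, keymic, mac_ap, nonce_ap,
# mac_sta, nonce_sta, eapol_len, eapol
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")

def problems(rec):
    """Return the structural problems found in one unpacked record."""
    sig, _, _, elen, _, keyver, mic, _, anonce, _, snonce, eapol_len, _ = rec
    found = []
    if sig != b"HCPX":
        found.append("bad signature")
    if not 0 < elen <= 32:
        found.append("essid_len out of range")
    if keyver not in (1, 2, 3):
        found.append("unknown keyver")
    if not 0 < eapol_len <= 256:
        found.append("eapol_len out of range")
    if not (any(mic) and any(anonce) and any(snonce)):
        found.append("zeroed MIC or nonce")
    return found

def split_by_bssid(blob, include_unauth=False):
    """Group sound records into {"00-00-...-AA.hccapx": bytes} by AP MAC."""
    if len(blob) % HCCAPX.size:
        raise ValueError("length is not a multiple of 393 bytes")
    out = defaultdict(bytes)
    for off in range(0, len(blob), HCCAPX.size):
        rec = HCCAPX.unpack_from(blob, off)
        # Assumption: message pair 0 (low 3 bits) is the unauthenticated case,
        # as in the tool output later in this thread (pair 0 -> N, pair 2 -> Y).
        authenticated = (rec[2] & 0x07) != 0
        if problems(rec) or not (authenticated or include_unauth):
            continue
        name = "-".join(f"{b:02X}" for b in rec[7]) + ".hccapx"
        out[name] += blob[off:off + HCCAPX.size]
    return dict(out)

def sample_record(bssid, essid, pair):
    """Constructed record with filler MIC, nonces and EAPOL (not a real capture)."""
    return HCCAPX.pack(b"HCPX", 4, pair, len(essid), essid, 2, b"\x11" * 16,
                       bytes.fromhex(bssid), b"\x22" * 32, b"\x02" * 6,
                       b"\x33" * 32, 121, b"\x01" * 121)

# The four handshakes from the table above: (BSSID, ESSID, message pair).
CAPTURE = b"".join(sample_record(*row) for row in [
    ("00000000AAAA", b"Wifi", 0), ("00000000AAAA", b"Wifi", 2),
    ("00000000BBBB", b"Internet", 2), ("00000000CCCC", b"Wifi", 2)])

if __name__ == "__main__":
    for name, data in split_by_bssid(CAPTURE, include_unauth=True).items():
        print(name, len(data) // HCCAPX.size, "record(s)")
```

These checks are structural only; they do not prove that a record contains a usable handshake.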
 

WreckTangle

This is brilliant, thank you!

Could you possibly make it output hccap for those of us who do not have modern GPUs?

Outputting all to separate .cap files by ESSID etc would also be useful.
 

HashRecovery

> Could you possibly make it output hccap for those of us who do not have modern GPUs?

hccap? Hmm, okay, I just need to find the old structure and some time.

> Outputting all to separate .cap files by ESSID etc would also be useful.

Do you mean to separate hccapx? This feature is already available: --group-by essid
Or did you really mean cap files?
 

WreckTangle

> hccap? Hmm, okay, I just need to find the old structure and some time.

Oh thank you very much!

> Do you mean to separate hccapx? This feature is already available: --group-by essid
> Or did you really mean cap files?

The naming feature request was for cap and hccap not just hccap(X) if that is possible. Actually maybe it is better to output AP_MAC rather than ESSID as there can be problems with some characters in the names. hcxtools uses auto hex but it is probably much simpler and just as useful for your tool to name outputted hccap or cap by AP_MAC.

I am learning all this stuff and being able to convert to anything from anything is very useful and interesting.

Thank you very much for your work on this tool and for sharing.
 

HashRecovery

> Oh thank you very much!
>
> The naming feature request was for cap and hccap not just hccap(X) if that is possible. Actually maybe it is better to output AP_MAC rather than ESSID as there can be problems with some characters in the names. hcxtools uses auto hex but it is probably much simpler and just as useful for your tool to name outputted hccap or cap by AP_MAC.
>
> I am learning all this stuff and being able to convert to anything from anything is very useful and interesting.
>
> Thank you very much for your work on this tool and for sharing.

I have added the export option hccap (-x hccap) as requested.

Regarding the naming:
The file name is the ESSID if the chosen option is to group by essid (the filename is filtered, so there are some cases where the filename is not exactly the same as the essid);
otherwise the name is the MAC
(see the examples above).

Also, the tool does not convert to cap.
It converts from cap/pcap/pcapng (gzipped files are also accepted) to hcwpax/hccapx/hccap/hcpmkid format.
 

WreckTangle

Thank you very much hashC.co.uk. I sent you a PM the other day to say thanks but I am unsure if you received it. Didn't want you to think I wasn't grateful :)
 

HashRecovery

> Thank you very much hashC.co.uk. I sent you a PM the other day to say thanks but I am unsure if you received it. Didn't want you to think I wasn't grateful :)

I got your PM.
You are welcome ;)
In fact, if you have any more ideas, I would be happy to implement them ^^ thanks :)
 

HashRecovery

Version 0.2.1 has been released :)

Added Option: --wordlist or -E :: Extract wordlist / AP-LESS possible passwords. (same as hcxpcapngtool -E)
Fixed: Timestamps calculations and nonce error correction values
(full changelog)

output example:
Code:
$ multicapconverter -i test1.pcapng -x hcwpax
[i] Networks detected: 1                                                    
[i] WPA: 1, EAP-MD5: 0, EAP-LEAP: 0

|*| BSSID=a0:f3:c1:50:3e:62 ESSID=hascat (Length: 6)
| | EAPOL-M1: 3, EAPOL-M2: 2, EAPOL-M3: 1, EAPOL-M4: 0
| | BEACON: 1, ASSOC: 1, REASSOC: 0, PROBE: 1
| > STA=b0:c0:90:46:7c:ab, Message Pair=0, Replay Counter=62483, Time Gap=6012, Authenticated=N [Skipped]
| > STA=b0:c0:90:46:7c:ab, Message Pair=0, Replay Counter=1, Time Gap=2503, Authenticated=N [Skipped]
| > STA=b0:c0:90:46:7c:ab, Message Pair=2, Replay Counter=1, Time Gap=3623, Authenticated=Y

hcWPAx:
WPA*02*f6b32d9fc030aa42a250f1e93785bc2d*a0f3c1503e62*b0c090467cab*686173636174*e2616837cfdc78cbb193040c5b6b4c91c0cf49e4a6266267c31b6638910560ef*0103007502010a00000000000000000001138433a9c7269ea16b1b99fa8370cf5f01c4a433493806c835f01fc1d6508a03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac028000*02
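
Added example (not part of the original post or the project's code): a parser for the WPA*01/WPA*02 line format shown in the output above, which decodes the EAPOL-Key frame embedded in a WPA*02 line and cross-checks it against the message pair. The sample line is constructed from the BSSID, STA and ESSID in that output with filler MIC and nonce values; the function names are hypothetical and the message-type test assumes WPA2 key-information conventions.

```python
import struct

# Which handshake message the EAPOL field comes from, per hashcat's
# message_pair table (low 3 bits; the higher bits are flags).
EAPOL_SOURCE = {0: "M2", 1: "M4", 2: "M2", 3: "M3", 4: "M3", 5: "M4"}

def parse_eapol_key(frame):
    """Decode the fixed part of an 802.1X EAPOL-Key frame."""
    if len(frame) < 99:
        raise ValueError("EAPOL-Key frame shorter than its fixed header")
    _ver, ptype, length = struct.unpack_from(">BBH", frame, 0)
    _desc, info, _klen, replay = struct.unpack_from(">BHHQ", frame, 4)
    (data_len,) = struct.unpack_from(">H", frame, 97)
    if ptype != 3 or length + 4 > len(frame) or 95 + data_len > length:
        raise ValueError("inconsistent EAPOL length fields")
    ack, mic, secure = info & 0x80, info & 0x100, info & 0x200
    if ack:                      # sent by the AP
        msg = "M3" if mic else "M1"
    elif mic:                    # sent by the station (assumes WPA2 bit usage)
        msg = "M4" if secure else "M2"
    else:
        raise ValueError("not a 4-way handshake message")
    return {"msg": msg, "keyver": info & 0x7, "replay": replay,
            "nonce": frame[17:49], "mic_zeroed": not any(frame[81:97])}

def parse_hcwpax(line):
    """Parse and sanity-check one WPA*01/WPA*02 (mode 22000) line."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a WPA*01 / WPA*02 line")
    key, ap, sta, essid = (bytes.fromhex(x) for x in f[2:6])
    if (len(key), len(ap), len(sta)) != (16, 6, 6) or not 0 < len(essid) <= 32:
        raise ValueError("bad PMKID/MIC, MAC or ESSID length")
    rec = {"type": f[1], "bssid": ap.hex(":"), "sta": sta.hex(":"), "essid": essid}
    if f[1] == "02":
        pair = int(f[8], 16) & 0x07
        rec.update(parse_eapol_key(bytes.fromhex(f[7])), pair=pair)
        if len(bytes.fromhex(f[6])) != 32 or EAPOL_SOURCE.get(pair) != rec["msg"]:
            raise ValueError("ANonce length or message pair does not match frame")
    return rec

def sample_line(pair="02"):
    """Constructed line: BSSID/STA/ESSID as in the output above, filler MIC/nonces."""
    rsn = bytes.fromhex("30140100000fac020100000fac040100000fac028000")
    body = (struct.pack(">BHHQ", 2, 0x010A, 0, 1) + b"\x5a" * 32  # M2, replay=1
            + bytes(48) + struct.pack(">H", len(rsn)) + rsn)      # IV/RSC/ID/MIC zero
    frame = struct.pack(">BBH", 1, 3, len(body)) + body
    return "*".join(["WPA", "02", "11" * 16, "a0f3c1503e62", "b0c090467cab",
                     b"hascat".hex(), "a5" * 32, frame.hex(), pair])

if __name__ == "__main__":
    print(parse_hcwpax(sample_line()))
```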
 

HashRecovery

Version 1.0.0 is now available!
Two major features: (full changelog)
  • MAC VENDOR LOOKUP
  • MAC GEOLOCATION LOOKUP (--locate)
Regarding MAC GEOLOCATION LOOKUP, an API is required; just PM me to get your private API (free 100 requests included).
Currently there is an active public API for free, but only temporarily, as it's probably gonna cost $0.01 per lookup (I shall post more info here soon).

Here is how it looks:
Code:
$ multicapconverter -i ZTE1-01.cap -x hcwpax --locate
[i] Networks detected: 1                                                     

|*| BSSID=dc:02:8e:fe:17:94 ESSID=ZTE1 (zte corporation)
| | GEOLOCATION: Egypt (30.027778, 31.22566)
| | EAPOL-M1: 1, EAPOL-M2: 4, EAPOL-M3: 2, EAPOL-M4: 0
| | BEACON: 1, ASSOC: 2, REASSOC: 0, PROBE: 15
| ! WARNING! Not enough EAPOL-M1 frames. This makes it impossible to calculate nonce-error-correction values.
| > STA=2c:fd:ab:82:0b:42, Message Pair=0, Replay Counter=1, Time Gap=10750, Authenticated=N [Skipped]
| > STA=2c:fd:ab:82:0b:42, Message Pair=2, Replay Counter=1, Time Gap=13314, Authenticated=Y

hcWPAx:
WPA*02*cfee46947a82b76bdb9cf769f85b9bba*dc028efe1794*2cfdab820b42*5a544531*60e118f368c749ec9e881cb33f29d5ea9723948c3950a120d0582591e29be812*01030077fe01090020000000000000000165c4e599af0b242a4d01db81033b8ba390de79c93c6e7df25ccac014732278850000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*02
 

kevi

Can this tool verify handshakes in an HCCAPX file like gpuhash and give stats?
 

Attachments: gp.png

HashRecovery

kevi
multicapconverter is designed to handle cap files, not hccapx.

If you have the cap file, then you can use multicapconverter to convert your cap file to a valid hccapx file with valid handshakes only, as follows:
python3 multicapconverter.py -i your_cap_file.cap -x hccapx -g essid
or
python3 multicapconverter.py -i your_cap_file.cap -x hccapx -g handshake

Also note that hccapx will be deprecated; it's better to switch to hcwpax (hashcat mode = 22000)
python3 multicapconverter.py -i your_cap_file.cap -x hcwpax
or you can use the capJS online tool https://s77rt.github.io/capJS/
 

kevi

> kevi
> multicapconverter is designed to handle cap files, not hccapx.
>
> If you have the cap file, then you can use multicapconverter to convert your cap file to a valid hccapx file with valid handshakes only, as follows:
> python3 multicapconverter.py -i your_cap_file.cap -x hccapx -g essid
> or
> python3 multicapconverter.py -i your_cap_file.cap -x hccapx -g handshake
>
> Also note that hccapx will be deprecated; it's better to switch to hcwpax (hashcat mode = 22000)
> python3 multicapconverter.py -i your_cap_file.cap -x hcwpax
> or you can use the capJS online tool https://s77rt.github.io/capJS/

I don't have the cap files; after converting to hccapx I deleted them.
Now I need to re-verify them for handshakes, since some of the hccapx files do not have handshakes, like in the image above.
Just asking if this tool has the capability to verify them, just like the gpuhash.me site, which verifies hccapx.
 

Reconsniper

Or use this, hccapx2cap: place it in /bin/ on Linux,
then type in a terminal: hccapx2cap your.cap my_new.cap
It will be in your Home folder. Enjoy :)
 

Attachments: hccapx2cap.zip

HashRecovery

Version 1.1.0 has been released.

[1.1.0] - 22/10/2020
Fixed: HCXDUMPTOOL Custom Block identification
Changed: OUI_DB_FILE set to an absolute path
 
