Other multicapconverter - all in one tool

[HashRecovery]

Hi,
I'm (re)witting this thread just as the old one is no longer exists (due to the forum migration)

multicapconverter is a portable python tool that you can use to convert your capture file to any of the hashcat supported formats.
it was mainly based on the cap2hccapx tool, with more features added such as pcapng support and much more listed below

usage: multicapconverter.py --input capture.cap --export
                            {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}
                            [--output capture.hcwpax] [--all]
                            [--filter-by filter-by filter]
                            [--group-by {none,bssid,essid,handshake}]
                            [--do-not-clean] [--ignore-ie] [--ignore-ts]
                            [--quiet] [--version] [--help]

Convert a cap/pcap/pcapng capture file to a hashcat
hcwpax/hccapx/hccap/hcpmkid/hceapmd5/hceapleap file

required arguments:
  --input capture.cap, -i capture.cap
                        Input capture file
  --export {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}, -x {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}

optional arguments:
  --output capture.hcwpax, -o capture.hcwpax
                        Output file
  --all, -a             Export all handshakes even unauthenticated ones
  --filter-by filter-by filter, -f filter-by filter
                        --filter-by {bssid XX:XX:XX:XX:XX:XX, essid ESSID}
  --group-by {none,bssid,essid,handshake}, -g {none,bssid,essid,handshake}
  --do-not-clean        Do not clean output
  --ignore-ie           Ignore information element (AKM Check) (Not
                        Recommended)
  --ignore-ts           Ignore timestamps check (Not Recommended)
  --quiet, -q           Enable quiet mode (print only output files/data)
  --version, -v         show program's version number and exit
  --help, -h            show this help message and exit

Features

• Supports cap/pcap/pcapng
• Supports combined cap/pcap/pcapng files
• Supports gz compressed cap/pcap/pcapng files
• Export as hccap (hashcat mode = 2500 (legacy))
• Export as hccapx (hashcat mode = 2500)
• Export as hcpmkid (hashcat mode = 16800)
• Export as hcwpax (hashcat mode = 22000)
• Export as hceapmd5 (hashcat mode = 4800)
• Export as hceapleap (hashcat mode = 5500)
• Export only authenticated handshakes or all handshakes
• Output files can be filtered/grouped
• Supports hcxdumptool

Examples
We have a capture file 'capture.cap' which includes 4 handshakes:

#	BSSID	ESSID	AUTHENTICATED
1	00:00:00:00:AA:AA	Wifi	N
2	00:00:00:00:AA:AA	Wifi	Y
3	00:00:00:00:BB:BB	Internet	Y
4	00:00:00:00:CC:CC	Wifi	Y

By default the original c version write all the hccapx into one file no matter what. If you need a single separated handshake you will have to use a hex editor and take the required 393 bytes by yourself.. Well not anymore

Also the original c version export all the handshakes even if they are not authenticated, in this python version it's a bit different, as the default is to ignore unauthenticated handshakes but can be exported by using the --all flag

1) Extract each handshake into a separated file (Auth Only)

python3 multicapconverter.py -i capture.cap --group-by handshake -x hccapx
...
Output hccapx files:
00-00-00-00-AA-AA_0.hccapx // 2
00-00-00-00-BB-BB_0.hccapx // 3
00-00-00-00-CC-CC_0.hccapx // 4

2) Extract each handshake into a separated file (All)

python3 multicapconverter.py -i capture.cap --group-by handshake -x hccapx --all
...
Output hccapx files:
00-00-00-00-AA-AA_0.hccapx // 1
00-00-00-00-AA-AA_1.hccapx // 2
00-00-00-00-BB-BB_0.hccapx // 3
00-00-00-00-CC-CC_0.hccapx // 4

3) Extract all handshakes into one file (just like the old c version)

python3 multicapconverter.py -i capture.cap --group-by none -x hccapx --all
...
Output hccapx files:
capture.hccapx // 1, 2, 3 and 4

4) Extract handshakes based on BSSID

python3 multicapconverter.py -i capture.cap --group-by bssid -x hccapx --all
...
Output hccapx files:
00-00-00-00-AA-AA.hccapx // 1 and 2
00-00-00-00-BB-BB.hccapx // 3
00-00-00-00-CC-CC.hccapx // 4

5) Extract handshakes based on ESSID

python3 multicapconverter.py -i capture.cap --group-by essid -x hccapx --all
...
Output hccapx files:
Wifi.hccapx // 1, 2 and 4
Internet.hccapx // 3

6) Extract handshakes based on ESSID having a specific BSSID

python3 multicapconverter.py -i capture.cap --group-by essid --filter-by bssid 00:00:00:00:CC:CC -x hccapx --all
...
Output hccapx files:
Wifi.hccapx // 4

Notes

• --group-by works only for hccap and hccapx output
• --all works only for hccap, hccapx and hcwpax (WPA*02) output
• by default, if a capture have both WPA*01 and WPA*02 (hcwpax format), WPA*02 will be ignored on the exportation process. If you want to export both, use --do-not-clean
• by default, multicapconverter ignores packets with zeroed timestamps. If you want to process such packets, use --ignore-ts (Not Recommended)
• by default, multicapconverter exports only pmkids that are PSK/PSK256 related (AKM check). If you want to ignore AKM check, use --ignore-ie (Not Recommended)

Extra
If you are using Linux and you want to use the tool from different places (instead from only the working directory), simply copy the python script to your bin path:

sudo cp multicapconverter.py /usr/bin/
sudo chmod +x /usr/bin/multicapconverter.py
sudo ln -s /usr/bin/multicapconverter.py /usr/bin/multicapconverter

Now you can simply use multicapconverter, example: multicapconverter -i capture.pcapng -x hcwpax


Source Code
https://github.com/s77rt/multicapconverter/

 

[WreckTangle]

This is brilliant thank you!

Could you possibly make it output hccap for those of us who do not have modern GPU's?

Outputting all to seperate .cap files by ESSID etc would also be useful.

 

[HashRecovery]

Could you possibly make it output hccap for those of us who do not have modern GPU's?

hccap? hmm okay, i just need to find the old structure and some time

Outputting all to seperate .cap files by ESSID etc would also be useful.

do you mean to separate hccapx ? as this feature is already available --group-by essid
or you really meant cap files?

 

[WreckTangle]

hccap? hmm okay, i just need to find the old structure and some time

Oh thank you very much!

do you mean to separate hccapx ? as this feature is already available --group-by essid
or you really meant cap files?

The naming feature request was for cap and hccap not just hccap(X) if that is possible. Actually maybe it is better to output AP_MAC rather than ESSID as there can be problems with some characters in the names. hcxtools uses auto hex but it is probably much simpler and just as useful for your tool to name outputted hccap or cap by AP_MAC.

I am learning all this stuff and being able to convert to anything from anything is very useful and interesting.

Thank you very much for your work on this tool and for sharing.

 

[HashRecovery]

Oh thank you very much!



The naming feature request was for cap and hccap not just hccap(X) if that is possible. Actually maybe it is better to output AP_MAC rather than ESSID as there can be problems with some characters in the names. hcxtools uses auto hex but it is probably much simpler and just as useful for your tool to name outputted hccap or cap by AP_MAC.

I am learning all this stuff and being able to convert to anything from anything is very useful and interesting.

Thank you very much for your work on this tool and for sharing.

I have added the export option hccap (-x hccap) as requested

regarding the naming:
file name is ESSID if chosen option is to group by essid (the filename is being filtered so there is some cases where the filename is not exactly as the essid)
else the name is MAC
(see the examples above)

also the tool does not convert to cap.
it does convert from cap/pcap/pcapng (gzipped files are also accepted) to hcwpax/hccapx/hccap/hcpmkid format

 

[WreckTangle]

Thank you very much hashC.co.uk. I sent you a PM the other day to say thanks but I am unsure if you recieved it. Didn't want you to think I wasn't grateful :)

 

[HashRecovery]

Thank you very much hashC.co.uk. I sent you a PM the other day to say thanks but I am unsure if you recieved it. Didn't want you to think I wasn't grateful :)

I got your pm.
You are welcome ;)
In fact if you have any more ideas, i would be happy to implement ^^ thanks :)

 

[laci1]

I give it a go! Thanks!

 

[HashRecovery]

Version 0.2.1 has been released :)

Added Option: --wordlist or -E :: Extract wordlist / AP-LESS possible passwords. (same as hcxpcapngtool -E)
Fixed: Timestamps calculations and nonce error correction values
(full changelog)

output example:

$ multicapconverter -i test1.pcapng -x hcwpax
[i] Networks detected: 1                                                    
[i] WPA: 1, EAP-MD5: 0, EAP-LEAP: 0

|*| BSSID=a0:f3:c1:50:3e:62 ESSID=hascat (Length: 6)
| | EAPOL-M1: 3, EAPOL-M2: 2, EAPOL-M3: 1, EAPOL-M4: 0
| | BEACON: 1, ASSOC: 1, REASSOC: 0, PROBE: 1
| > STA=b0:c0:90:46:7c:ab, Message Pair=0, Replay Counter=62483, Time Gap=6012, Authenticated=N [Skipped]
| > STA=b0:c0:90:46:7c:ab, Message Pair=0, Replay Counter=1, Time Gap=2503, Authenticated=N [Skipped]
| > STA=b0:c0:90:46:7c:ab, Message Pair=2, Replay Counter=1, Time Gap=3623, Authenticated=Y

hcWPAx:
WPA*02*f6b32d9fc030aa42a250f1e93785bc2d*a0f3c1503e62*b0c090467cab*686173636174*e2616837cfdc78cbb193040c5b6b4c91c0cf49e4a6266267c31b6638910560ef*0103007502010a00000000000000000001138433a9c7269ea16b1b99fa8370cf5f01c4a433493806c835f01fc1d6508a03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac028000*02

 

[HashRecovery]

Version 1.0.0 is now available !
Two major features: (full changelog)

• MAC VENDOR LOOKUP
• MAC GEOLOCATION LOOKUP (--locate)

Regarding MAC GEOLOCATION LOOKUP an api is required, just pm me to get your private api (free 100 requests included)
Currently there is an active public api for free but temporarily, as it's gonna probably cost $0.01 per lookup (i shall post more info soon here)

Here how it looks:

$ multicapconverter -i ZTE1-01.cap -x hcwpax --locate
[i] Networks detected: 1                                                     

|*| BSSID=dc:02:8e:fe:17:94 ESSID=ZTE1 (zte corporation)
| | GEOLOCATION: Egypt (30.027778, 31.22566)
| | EAPOL-M1: 1, EAPOL-M2: 4, EAPOL-M3: 2, EAPOL-M4: 0
| | BEACON: 1, ASSOC: 2, REASSOC: 0, PROBE: 15
| ! WARNING! Not enough EAPOL-M1 frames. This makes it impossible to calculate nonce-error-correction values.
| > STA=2c:fd:ab:82:0b:42, Message Pair=0, Replay Counter=1, Time Gap=10750, Authenticated=N [Skipped]
| > STA=2c:fd:ab:82:0b:42, Message Pair=2, Replay Counter=1, Time Gap=13314, Authenticated=Y

hcWPAx:
WPA*02*cfee46947a82b76bdb9cf769f85b9bba*dc028efe1794*2cfdab820b42*5a544531*60e118f368c749ec9e881cb33f29d5ea9723948c3950a120d0582591e29be812*01030077fe01090020000000000000000165c4e599af0b242a4d01db81033b8ba390de79c93c6e7df25ccac014732278850000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018dd160050f20101000050f20201000050f20201000050f202*02

 

[Reconsniper]

Outstanding tool , Great work

 

[kevi]

Hi,
I'm (re)witting this thread just as the old one is no longer exists (due to the forum migration)

multicapconverter is a portable python tool that you can use to convert your capture file to any of the hashcat supported formats.
it was mainly based on the cap2hccapx tool, with more features added such as pcapng support and much more listed below

usage: multicapconverter.py --input capture.cap --export
                            {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}
                            [--output capture.hcwpax] [--all]
                            [--filter-by filter-by filter]
                            [--group-by {none,bssid,essid,handshake}]
                            [--do-not-clean] [--ignore-ie] [--ignore-ts]
                            [--quiet] [--version] [--help]

Convert a cap/pcap/pcapng capture file to a hashcat
hcwpax/hccapx/hccap/hcpmkid/hceapmd5/hceapleap file

required arguments:
  --input capture.cap, -i capture.cap
                        Input capture file
  --export {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}, -x {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}

optional arguments:
  --output capture.hcwpax, -o capture.hcwpax
                        Output file
  --all, -a             Export all handshakes even unauthenticated ones
  --filter-by filter-by filter, -f filter-by filter
                        --filter-by {bssid XX:XX:XX:XX:XX:XX, essid ESSID}
  --group-by {none,bssid,essid,handshake}, -g {none,bssid,essid,handshake}
  --do-not-clean        Do not clean output
  --ignore-ie           Ignore information element (AKM Check) (Not
                        Recommended)
  --ignore-ts           Ignore timestamps check (Not Recommended)
  --quiet, -q           Enable quiet mode (print only output files/data)
  --version, -v         show program's version number and exit
  --help, -h            show this help message and exit

Features

• Supports cap/pcap/pcapng
• Supports combined cap/pcap/pcapng files
• Supports gz compressed cap/pcap/pcapng files
• Export as hccap (hashcat mode = 2500 (legacy))
• Export as hccapx (hashcat mode = 2500)
• Export as hcpmkid (hashcat mode = 16800)
• Export as hcwpax (hashcat mode = 22000)
• Export as hceapmd5 (hashcat mode = 4800)
• Export as hceapleap (hashcat mode = 5500)
• Export only authenticated handshakes or all handshakes
• Output files can be filtered/grouped
• Supports hcxdumptool

Examples
We have a capture file 'capture.cap' which includes 4 handshakes:

#	BSSID	ESSID	AUTHENTICATED
1	00:00:00:00:AA:AA	Wifi	N
2	00:00:00:00:AA:AA	Wifi	Y
3	00:00:00:00:BB:BB	Internet	Y
4	00:00:00:00:CC:CC	Wifi	Y

By default the original c version write all the hccapx into one file no matter what. If you need a single separated handshake you will have to use a hex editor and take the required 393 bytes by yourself.. Well not anymore

Also the original c version export all the handshakes even if they are not authenticated, in this python version it's a bit different, as the default is to ignore unauthenticated handshakes but can be exported by using the --all flag

1) Extract each handshake into a separated file (Auth Only)

python3 multicapconverter.py -i capture.cap --group-by handshake -x hccapx
...
Output hccapx files:
00-00-00-00-AA-AA_0.hccapx // 2
00-00-00-00-BB-BB_0.hccapx // 3
00-00-00-00-CC-CC_0.hccapx // 4

2) Extract each handshake into a separated file (All)

python3 multicapconverter.py -i capture.cap --group-by handshake -x hccapx --all
...
Output hccapx files:
00-00-00-00-AA-AA_0.hccapx // 1
00-00-00-00-AA-AA_1.hccapx // 2
00-00-00-00-BB-BB_0.hccapx // 3
00-00-00-00-CC-CC_0.hccapx // 4

3) Extract all handshakes into one file (just like the old c version)

python3 multicapconverter.py -i capture.cap --group-by none -x hccapx --all
...
Output hccapx files:
capture.hccapx // 1, 2, 3 and 4

4) Extract handshakes based on BSSID

python3 multicapconverter.py -i capture.cap --group-by bssid -x hccapx --all
...
Output hccapx files:
00-00-00-00-AA-AA.hccapx // 1 and 2
00-00-00-00-BB-BB.hccapx // 3
00-00-00-00-CC-CC.hccapx // 4

5) Extract handshakes based on ESSID

python3 multicapconverter.py -i capture.cap --group-by essid -x hccapx --all
...
Output hccapx files:
Wifi.hccapx // 1, 2 and 4
Internet.hccapx // 3

6) Extract handshakes based on ESSID having a specific BSSID

python3 multicapconverter.py -i capture.cap --group-by essid --filter-by bssid 00:00:00:00:CC:CC -x hccapx --all
...
Output hccapx files:
Wifi.hccapx // 4

Notes

• --group-by works only for hccap and hccapx output
• --all works only for hccap, hccapx and hcwpax (WPA*02) output
• by default, if a capture have both WPA*01 and WPA*02 (hcwpax format), WPA*02 will be ignored on the exportation process. If you want to export both, use --do-not-clean
• by default, multicapconverter ignores packets with zeroed timestamps. If you want to process such packets, use --ignore-ts (Not Recommended)
• by default, multicapconverter exports only pmkids that are PSK/PSK256 related (AKM check). If you want to ignore AKM check, use --ignore-ie (Not Recommended)

Extra
If you are using Linux and you want to use the tool from different places (instead from only the working directory), simply copy the python script to your bin path:

sudo cp multicapconverter.py /usr/bin/
sudo chmod +x /usr/bin/multicapconverter.py
sudo ln -s /usr/bin/multicapconverter.py /usr/bin/multicapconverter

Now you can simply use multicapconverter, example: multicapconverter -i capture.pcapng -x hcwpax


Source Code
https://github.com/s77rt/multicapconverter/

Can this tool verify handshake in HCCAPX file like gpuhash and give stats

 

[HashRecovery]

kevi
multicapconverter is desinged to handle cap files not hccapx.

If you have the cap file then you can use multicapconverter to convert your cap file to a valid hccapx file with valid handshakes only as follow:
python3 multicapconverter.py -i your_cap_file.cap -x hccapx -g essid
or
python3 multicapconverter.py -i your_cap_file.cap -x hccapx -g handshake

Also note that hccapx will be deprecated, it's better to switch to hcwpax (hashcat mode = 22000)
python3 multicapconverter.py -i your_cap_file.cap -x hcwpax
or you can use capJS online tool https://s77rt.github.io/capJS/

 

[kevi]

kevi
multicapconverter is desinged to handle cap files not hccapx.

If you have the cap file then you can use multicapconverter to convert your cap file to a valid hccapx file with valid handshakes only as follow:
python3 multicapconverter.py -i your_cap_file.cap -x hccapx -g essid
or
python3 multicapconverter.py -i your_cap_file.cap -x hccapx -g handshake

Also note that hccapx will be deprecated, it's better to switch to hcwpax (hashcat mode = 22000)
python3 multicapconverter.py -i your_cap_file.cap -x hcwpax
or you can use capJS online tool https://s77rt.github.io/capJS/

I don't have cap files after converting to hccapx deleted them
Now I need to reverify them for handshakes since some of hccapx doesnot have handshakes like the above in image
Just asking that if this tool had that capability to verift just like gpuhash.me site which verifies hccapx

 

[HashRecovery]

I don't have cap files after converting to hccapx deleted them

In that case, use https://github.com/s77rt/hccapxsplitter

$ python3 hccapxsplitter.py -i your_hccapx.hccapx -g essid --auth

Handshakes: 14 (6 authenticated)

Output hccapx files:
my_network.hccapx

Written 6 WPA Handshakes to 1 files

 

[kevi]

In that case, use https://github.com/s77rt/hccapxsplitter

$ python3 hccapxsplitter.py -i your_hccapx.hccapx -g essid --auth

Handshakes: 14 (6 authenticated)

Output hccapx files:
my_network.hccapx

Written 6 WPA Handshakes to 1 files

this is what I wanted thank you

 

[Reconsniper]

Or use this, hccapx2cap, place it in the /bin/ on linux
type in terminal: hccapx2cap your.cap my_new.cap
It will be in your Home folder. Enjoy :)

 

[HashRecovery]

Version 1.1.0 has been released.

[1.1.0] - 22/10/2020
Fixed: HCXDUMPTOOL Custom Block identification
Changed: OUI_DB_FILE set to an absolute path

 

[HashRecovery]

New version available. v1.2.0

- Added an option to overwrite ESSID tags (useful for cloaked ESSID)
- Set default export option to hcwpax
- Removed mac geolocation lookup

GitHub - s77rt/multicapconverter: Tool used to Convert a cap/pcap/pcapng capture file to a hashcat hcwpax/hccapx/hccap/hcpmkid/hceapmd5/hceapleap file

Tool used to Convert a cap/pcap/pcapng capture file to a hashcat hcwpax/hccapx/hccap/hcpmkid/hceapmd5/hceapleap file - s77rt/multicapconverter

github.com