Wireless Attacks: wifi, wpa, pmkid, eapol, hashcat, john, capture, conversion

hcxtools

Tools for converting wireless captures to hashcat or John the Ripper formats. Portable solution for capturing WLAN traffic and conversion to hashcat (recommended) and John the Ripper formats.

Description

hcxtools provides a suite of utilities for processing WLAN captures, extracting PMKID and EAPOL handshakes, and converting them into crackable hash formats for tools like hashcat (-m 22000) and John the Ripper. It supports various input formats including pcapng, pcap, and cap files, enabling security researchers and penetration testers to analyze WiFi authentication data.

Key use cases include converting captures from hcxdumptool to hash files, generating wordlists from ESSIDs and probe requests, filtering hashes by ESSID, MAC, or vendor, and testing PSKs or PMKs. Tools like hcxpcapngtool extract hashes and metadata, while hcxhashtool offers advanced filtering and grouping for optimized cracking workflows.

The package emphasizes lossless conversion where possible, but notes limitations such as no nonce error corrections and problems with edited or merged capture files. Captures can be viewed in Wireshark/tshark, and the recommended practice is to compress dumps with gzip.

How It Works

hcxtools processes 802.11 frames from pcapng/pcap/cap files to extract the PMKID (from the RSN IE) and EAPOL message pairs (M1-M4), and writes them as WPA-PBKDF2-PMKID+EAPOL hashes (hashcat -m 22000). It records which message pair was used as a bitmask (e.g., 000=M1+M2, 101=M3+M4 authorized) and applies filters on ESSID length, MAC, OUI, vendor, and replaycount status. Outputs include autohex-enabled wordlists from ESSIDs/probes, GPS NMEA data, and CSV AP info. hcxeiutool generates candidate lists from ESSIDs, and hcxpsktool generates default PSKs. The tools perform no nonce error corrections and rely on hashcat for that.
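
The -m 22000 lines and message-pair bitmask described above can be read back with a short parser, for example to summarise which ESSIDs in an audit capture of your own network expose PMKID or EAPOL material. This is an added example, not hcxtools code: it assumes the hashcat 22000 field order WPA*TYPE*PMKID/MIC*MAC_AP*MAC_STA*ESSID*ANONCE*EAPOL*MESSAGEPAIR, the function names are hypothetical, and the sample lines are constructed filler.

```python
from collections import defaultdict

# Low three bits of the message-pair field (bitmask table in the hcxtools README).
PAIRS = {0: "M1+M2 (challenge)", 1: "M1+M4 (authorized)", 2: "M2+M3 (authorized)",
         3: "M2+M3 (authorized)", 4: "M3+M4 (authorized)", 5: "M3+M4 (authorized)"}

def parse_22000(line):
    """Split one hashcat -m 22000 line into its metadata fields."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a -m 22000 hash line")
    rec = {
        "type": "PMKID" if f[1] == "01" else "EAPOL",
        "mac_ap": f[3].lower(),
        "mac_sta": f[4].lower(),
        # The ESSID is stored hex-encoded; undecodable bytes are replaced.
        "essid": bytes.fromhex(f[5]).decode("utf-8", "replace"),
    }
    if rec["type"] == "EAPOL":
        mp = int(f[8], 16)
        rec["pair"] = PAIRS.get(mp & 0x07, "reserved")
        # Bit 7 set means the replaycount was not checked during conversion.
        rec["replaycount_checked"] = not (mp & 0x80)
    return rec

def exposure_by_essid(lines):
    """Map each ESSID to the sorted hash types (PMKID/EAPOL) found for it."""
    seen = defaultdict(set)
    for line in lines:
        if line.strip():
            r = parse_22000(line)
            seen[r["essid"]].add(r["type"])
    return {k: sorted(v) for k, v in seen.items()}

# Constructed sample lines: the field layout is real, every hex value is filler.
SAMPLE = [
    "WPA*01*" + "11" * 16 + "*aabbccddeeff*001122334455*" + b"LabNet".hex() + "***",
    "WPA*02*" + "22" * 16 + "*aabbccddeeff*001122334455*" + b"LabNet".hex()
    + "*" + "33" * 32 + "*" + "44" * 99 + "*00",
    "WPA*02*" + "55" * 16 + "*a0b1c2d3e4f5*66778899aabb*" + b"Guest".hex()
    + "*" + "66" * 32 + "*" + "77" * 99 + "*85",
]

if __name__ == "__main__":
    for essid, kinds in exposure_by_essid(SAMPLE).items():
        print(essid, kinds)
```

An ESSID that shows up with type PMKID means the access point handed out a PMKID without any client handshake being completed, which is worth noting in an audit report for that network.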

Installation

sudo apt install hcxtools

Flags

-i <file>  input wordlist (hcxeiutool)
-d <file>  output digit wordlist (hcxeiutool)
-x <file>  output xdigit wordlist (hcxeiutool)
-c <file>  output character wordlist (A-Za-z, other characters removed) (hcxeiutool)
-s <file>  output character wordlist (A-Za-z, other characters replaced by 0x0a); recommended for rules (hcxeiutool)
-c <file>  output cap file; if no cap file is selected, output to single cap files mac_sta.cap (hcxhash2cap)
--pmkid-eapol=<file>  input PMKID EAPOL 22000 combi hash file (hcxhash2cap)
-i <file>  input PMKID/EAPOL hash file (hcxhashtool)
-o <file>  output PMKID/EAPOL hash file (hcxhashtool)
-E <file>  output ESSID list, autohex enabled, or stdout (hcxhashtool)
-o <file>  output WPA-PBKDF2-PMKID+EAPOL hash file, hashcat -m 22000 (hcxpcapngtool)
-E <file>  output wordlist (autohex enabled on non-ASCII) from every frame containing an ESSID (hcxpcapngtool)
-R <file>  output wordlist (autohex enabled) from PROBEREQUEST frames only (hcxpcapngtool)
--all  convert all possible hashes instead of only the best one (hcxpcapngtool)
-l <hash line>  input hashcat hash line, -m 22000 (hcxpmktool)
--hcpotin=<file>  input potfile in hashcat pot file format PMK*ESSID:PSK (hcxpottool)

Examples

Generate digit, xdigit, character, and special character wordlists from input elist for rule processing
hcxeiutool -i elist -d digitlist -x xdigitlist -c charlist -s sclist
Convert pcapng dump to hashcat -m 22000 hash file and ESSID wordlist
hcxpcapngtool -o hash.22000 -E elist dump.pcapng
Filter PMKID/EAPOL hash file by specific ESSID and output filtered hash
hcxhashtool -i hashfile -o filtered.hc22000 --essid=TargetSSID
Combine generated wordlists into temporary wordlist for cracking
cat elist digitlist xdigitlist charlist sclist > wordlisttmp
Append rule-generated candidates from charlist to wordlist
hashcat --stdout -r <rule> charlist >> wordlisttmp
Sort and de-duplicate the combined wordlist for hashcat
cat wordlisttmp | sort | uniq > wordlist
Crack WPA hashes using generated wordlist
hashcat -m 22000 hash.22000 wordlist
Generate default/weak PSK candidates from hash file
hcxpsktool -c hash.22000 -o psk_candidates.txt
Updated 2026-04-16. Source: kali.org