/multicapconverter

Tool used to Convert a cap/pcap/pcapng capture file to a hashcat hcwpax/hccapx/hccap/hcpmkid/hceapmd5/hceapleap file

Primary LanguagePythonMIT LicenseMIT

multicapconverter.py

Tool used to Convert a cap/pcap/pcapng capture file to a hashcat hcwpax/hccapx/hccap/hcpmkid/hceapmd5/hceapleap file (re)written in Python (based on c version)

usage: multicapconverter.py --input capture.cap --export
                            {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}
                            [--output capture.hcwpax] [--all]
                            [--filter-by filter-by filter]
                            [--group-by {none,bssid,essid,handshake}]
                            [--wordlist wordlist.txt] [--do-not-clean]
                            [--ignore-ie] [--ignore-ts] [--quiet]
                            [--update-oui] [--locate] [--version] [--help]

Convert a cap/pcap/pcapng capture file to a hashcat
hcwpax/hccapx/hccap/hcpmkid/hceapmd5/hceapleap file

required arguments:
  --input capture.cap, -i capture.cap
                        Input capture file
  --export {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}, -x {hcwpax,hccapx,hccap,hcpmkid,hceapmd5,hceapleap}

optional arguments:
  --output capture.hcwpax, -o capture.hcwpax
                        Output file
  --all, -a             Export all handshakes even unauthenticated ones
  --filter-by filter-by filter, -f filter-by filter
                        --filter-by {bssid XX:XX:XX:XX:XX:XX, essid ESSID}
  --group-by {none,bssid,essid,handshake}, -g {none,bssid,essid,handshake}
  --wordlist wordlist.txt, -E wordlist.txt
                        Extract wordlist / AP-LESS possible passwords (autohex
                        enabled on non ASCII characters)
  --do-not-clean        Do not clean output
  --ignore-ie           Ignore information element (AKM Check) (Not
                        Recommended)
  --ignore-ts           Ignore timestamps check (Not Recommended)
  --quiet, -q           Enable quiet mode (print only output files/data)
  --update-oui          Update OUI Database
  --locate              Locate networks geolocations
  --version, -v         show program's version number and exit
  --help, -h            show this help message and exit

Features

  • Supports cap/pcap/pcapng
  • Supports combined cap/pcap/pcapng files
  • Supports gz compressed cap/pcap/pcapng files
  • Supports hcxdumptool
  • Export as hccap (hashcat mode = 2500 (legacy))
  • Export as hccapx (hashcat mode = 2500)
  • Export as hcpmkid (hashcat mode = 16800)
  • Export as hcwpax (hashcat mode = 22000)
  • Export as hceapmd5 (hashcat mode = 4800)
  • Export as hceapleap (hashcat mode = 5500)
  • Export only authenticated handshakes or all handshakes
  • Output files can be filtered/grouped
  • Extract wordlist / AP-LESS possible passwords
  • MAC VENDOR LOOKUP
  • MAC GEOLOCATION LOOKUP (requires hashC API)

Configuration

Setting hashC_APIKEY

(only required for MAC GEOLOCATION LOOKUP)
After getting your api key from hashC (via website or email) Open your command prompt / terminal and execute:

For Linux

export hashC_APIKEY=YOUR_APIKEY_HERE

For Mac

export hashC_APIKEY=YOUR_APIKEY_HERE

For Windows

set hashC_APIKEY=YOUR_APIKEY_HERE

Usage Examples

We have a capture file 'capture.cap' which includes 4 handshakes:

# BSSID ESSID AUTHENTICATED
1 00:00:00:00:AA:AA Wifi N
2 00:00:00:00:AA:AA Wifi Y
3 00:00:00:00:BB:BB Internet Y
4 00:00:00:00:CC:CC Wifi Y

By default the original c version write all the hccapx into one file no matter what. If you need a single separated handshake you will have to use a hex editor and take the required 393 bytes by yourself.. Well not anymore

Also the original c version export all the handshakes even if they are not authenticated, in this python version it's a bit different, as the default is to ignore unauthenticated handshakes but can be exported by using the --all flag

1) Extract each handshake into a separated file (Auth Only)

python3 multicapconverter.py -i capture.cap --group-by handshake -x hccapx
...
Output hccapx files:
00-00-00-00-AA-AA_0.hccapx // 2
00-00-00-00-BB-BB_0.hccapx // 3
00-00-00-00-CC-CC_0.hccapx // 4

2) Extract each handshake into a separated file (All)

python3 multicapconverter.py -i capture.cap --group-by handshake -x hccapx --all
...
Output hccapx files:
00-00-00-00-AA-AA_0.hccapx // 1
00-00-00-00-AA-AA_1.hccapx // 2
00-00-00-00-BB-BB_0.hccapx // 3
00-00-00-00-CC-CC_0.hccapx // 4

3) Extract all handshakes into one file (just like the old c version)

python3 multicapconverter.py -i capture.cap --group-by none -x hccapx --all
...
Output hccapx files:
capture.hccapx // 1, 2, 3 and 4

4) Extract handshakes based on BSSID

python3 multicapconverter.py -i capture.cap --group-by bssid -x hccapx --all
...
Output hccapx files:
00-00-00-00-AA-AA.hccapx // 1 and 2
00-00-00-00-BB-BB.hccapx // 3
00-00-00-00-CC-CC.hccapx // 4

5) Extract handshakes based on ESSID

python3 multicapconverter.py -i capture.cap --group-by essid -x hccapx --all
...
Output hccapx files:
Wifi.hccapx // 1, 2 and 4
Internet.hccapx // 3

6) Extract handshakes based on ESSID having a specific BSSID

python3 multicapconverter.py -i capture.cap --group-by essid --filter-by bssid 00:00:00:00:CC:CC -x hccapx --all
...
Output hccapx files:
Wifi.hccapx // 4

Miscellaneous

  • Extract wordlist --wordlist wordlist.txt
  • Update OUI Database --update-oui
  • Locate networks locations --locate

Notes

  • Time Gap is in microseconds
  • --group-by works only for hccap and hccapx output
  • --all works only for hccap, hccapx and hcwpax (WPA*02) output
  • --locate and --update-oui works only if -q/--quiet is not set
  • by default, if a capture have both WPA*01 and WPA*02 (hcwpax format), WPA*02 will be ignored on the exportation process. If you want to export both, use --do-not-clean
  • by default, multicapconverter ignores packets with zeroed timestamps. If you want to process such packets, use --ignore-ts (Not Recommended)
  • by default, multicapconverter exports only pmkids that are PSK/PSK256 related (AKM check). If you want to ignore AKM check, use --ignore-ie (Not Recommended)

TIPS

  • use --quiet for better performance