HCXPCAPNGTOOL(1) User Commands HCXPCAPNGTOOL(1)

hcxpcapngtool - hcx tools set

hcxpcapngtool 6.2.7 (C) 2022 ZeroBeat
convert pcapng, pcap and cap files to hash formats that hashcat and JtR use

usage:
hcxpcapngtool <options>
hcxpcapngtool <options> input.pcapng
hcxpcapngtool <options> *.pcapng
hcxpcapngtool <options> *.pcap
hcxpcapngtool <options> *.cap
hcxpcapngtool <options> *.*

short options:
-o <file> : output WPA-PBKDF2-PMKID+EAPOL hash file (hashcat -m 22000)
            get full advantage of reuse of PBKDF2 on PMKID and EAPOL
-E <file> : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker
            retrieved from every frame that contains an ESSID
-R <file> : output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker
            retrieved from PROBEREQUEST frames only
-I <file> : output unsorted identity list to use as input wordlist for cracker
-U <file> : output unsorted username list to use as input wordlist for cracker
-D <file> : output device information list
            format MAC MANUFACTURER MODELNAME SERIALNUMBER DEVICENAME UUID
-h        : show this help
-v        : show version

long options:
--all : convert all possible hashes instead of only the best one
        use hcxhashtool to filter hashes
        need hashcat --nonce-error-corrections >= 8
--eapoltimeout=<digit> : set EAPOL TIMEOUT (milliseconds)
                       : default: 5000 ms
--nonce-error-corrections=<digit> : set nonce error correction
                                  : default: 0
--ignore-ie : do not use CIPHER and AKM information
              CIPHER and/OR AKM information, and can lead to uncrackable hashes
--max-essids=<digit> : maximum allowed ESSIDs
                       disregard ESSID changes and take ESSID with highest ranking
--eapmd5=<file> : output EAP MD5 CHALLENGE (hashcat -m 4800)
--eapmd5-john=<file> : output EAP MD5 CHALLENGE (john chap)
--eapleap=<file> : output EAP LEAP and MSCHAPV2 CHALLENGE (hashcat -m 5500, john netntlm)
--tacacs-plus=<file> : output TACACS PLUS (hashcat -m 16100, john tacacs-plus)
--nmea=<file> : output GPS data in NMEA format
                to convert it to gpx, use GPSBabel:
                gpsbabel -i nmea -f hcxdumptool.nmea -o gpx,gpxver=1.1 -F hcxdumptool.gpx
                to display the track, open file.gpx with viking
--csv=<file> : output ACCESS POINT information in CSV format
               columns:
               YYYY-MM-DD HH:MM:SS MAC_AP ESSID ENC_TYPE CIPHER AKM COUNTRY_INFO CHANNEL RSSI GPS(DM.m) GPS(D.d) GPSFIX SATCOUNT HDOP ALTITUDE UNIT
               to convert it to other formats, use bash tools or scripting languages
               GPS FIX:
               0 = fix not available or invalid
               1 = fix valid (GPS SPS mode)
               2 = fix valid (differential GPS SPS Mode)
               3 = not supported
               4 = not supported
               5 = not supported
               6 = fix valid (Dead Reckoning Mode)
--log=<file> : output logfile
--raw-out=<file> : output frames in HEX ASCII
                 : format: TIMESTAMP*LINKTYPE*FRAME*CHECKSUM
--raw-in=<file> : input frames in HEX ASCII
                : format: TIMESTAMP*LINKTYPE*FRAME*CHECKSUM
--pmkid=<file> : output deprecated PMKID file (delimiter *)
--hccapx=<file> : output deprecated hccapx v4 file
--hccap=<file> : output deprecated hccap file
--john=<file> : output deprecated PMKID/EAPOL (JtR wpapsk-opencl/wpapsk-pmk-opencl)
--prefix=<file> : convert everything to lists using this prefix (overrides single options):

: output PMKID/EAPOL hash file
: output wordlist (autohex enabled on non ASCII characters) to use as input wordlist for cracker
: output unsorted identity list to use as input wordlist for cracker
: output unsorted username list to use as input wordlist for cracker
: output EAP MD5 CHALLENGE (hashcat -m 4800)
: output EAP LEAP and MSCHAPV2 CHALLENGE (hashcat -m 5500, john netntlm)
--nmea=<file.nmea> : output GPS data in NMEA format

--help    : show this help
--version : show version

bitmask of message pair field:
2,1,0:
 000 = M1+M2, EAPOL from M2 (challenge)
 001 = M1+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
 010 = M2+M3, EAPOL from M2 (authorized)
 011 = M2+M3, EAPOL from M3 (authorized) - unused
 100 = M3+M4, EAPOL from M3 (authorized) - unused
 101 = M3+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
3: reserved
4: ap-less attack (set to 1) - nonce-error-corrections not required
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory
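The bitmask above decoded in Python, as an added example that is not part of hcxtools or of this man page. The function names and the sample byte values are constructed for illustration, and the precedence applied when several flag bits are set is this example's assumption.

```python
# Bits 2..0 select the handshake message combination (table from the man page).
PAIRS = {
    0b000: ("M1+M2", "M2", "challenge"),
    0b001: ("M1+M4", "M4", "authorized"),
    0b010: ("M2+M3", "M2", "authorized"),
    0b011: ("M2+M3", "M3", "authorized"),
    0b100: ("M3+M4", "M3", "authorized"),
    0b101: ("M3+M4", "M4", "authorized"),
}
NEEDS_CLIENT_NONCE = {0b001, 0b101}  # "usable if NONCE_CLIENT is not zeroed"
UNUSED = {0b011, 0b100}              # marked "unused" in the man page

def decode_message_pair(value):
    """Split one message pair byte into the fields the man page lists."""
    if not 0 <= value <= 0xFF:
        raise ValueError("message pair is a single byte")
    low = value & 0b111
    if low not in PAIRS:  # 110 and 111 are not defined by the man page
        raise ValueError(f"undefined message pair bits {low:03b}")
    messages, eapol_from, state = PAIRS[low]
    return {
        "messages": messages, "eapol_from": eapol_from, "state": state,
        "needs_nonzero_client_nonce": low in NEEDS_CLIENT_NONCE,
        "unused": low in UNUSED,
        "reserved_bit_set": bool(value & 0x08),
        "ap_less": bool(value & 0x10),
        "le_router": bool(value & 0x20),
        "be_router": bool(value & 0x40),
        "replaycount_checked": not (value & 0x80),
    }

def nonce_error_corrections_hint(value):
    """Map the flag bits to the man page's nonce-error-corrections remarks.
    The precedence between flags is this example's assumption."""
    info = decode_message_pair(value)
    if not info["replaycount_checked"]:
        return "mandatory"
    if info["ap_less"]:
        return "not required"
    if info["le_router"]:
        return "required only on LE"
    if info["be_router"]:
        return "required only on BE"
    return "not stated"

if __name__ == "__main__":
    for sample in (0x00, 0x02, 0x10, 0x21, 0x82):  # constructed sample bytes
        print(f"{sample:#04x}", decode_message_pair(sample)["messages"],
              nonce_error_corrections_hint(sample))
```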

Do not edit, merge or convert pcapng files! This will remove optional comment fields!
Detection of bit errors does not work on cleaned dump files!
Do not use hcxpcapngtool in combination with third party cap/pcap/pcapng cleaning tools (except: tshark and/or Wireshark)!
It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this.
Recommended tools to show additional 802.11 fields or to decrypt WiFi traffic: Wireshark and/or tshark
Recommended tool to filter converted hash by several options: hcxhashtool
Recommended tool to get default or standard PSKs: hcxpsktool
Recommended tool to calculate wordlists based on ESSID: hcxeiutool
Recommended tools to retrieve PSK from hash: hashcat, JtR

October 2022 hcxpcapngtool 6.2.7 (C) 2022 ZeroBeat