Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
During a recent engagement, I found that combining hccapx files would make my life a little easier. Unfortunately, I couldn’t find an easy way to do that directly from cap files.
As you can see from my ls output, I had a lot of capture files from various days and locations.
```
Rays-MacBook-Pro:Captures doyler$ ls
corp_target-01.cap    target_main_2017_Nov_07-16:16:29-01.csv    target_main_2017_Nov_07-17:32:16-01.kismet.csv    target_main_2017_Nov_08-07:35:15-01.kismet.csv
target_Nov7.tar.gz    target_main_2017_Nov_07-16:16:29-01.kismet.csv    target_main_2017_Nov_07-17:32:16-01.kismet.netxml    target_main_2017_Nov_08-07:35:15-01.kismet.netxml
...
target_main_2017_Nov_07-16:16:29-01.cap    target_main_2017_Nov_07-17:32:16-01.csv    target_main_2017_Nov_08-07:35:15-01.csv
```
Initially, I just converted the few main .cap files into .hccapx files and attempted to crack them. Unfortunately, I wasn’t able to get any hits on the quick runs on my laptop.
In this case, I wanted to send over the captures to our password cracking rig, and have them run on that. I could have just converted each file to a hccapx file and then concatenated them, but it seemed like a cleaner solution was possible.
Finally, I decided to throw together a quick bash script to loop through the files, convert them using cap2hccapx, concatenate the output files, and remove the original .hccapx files.
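```bash
#!/bin/bash
# Convert every .cap in the current directory to .hccapx once per target
# ESSID, then merge the per-capture results into combined.hccapx.

NETWORKS="NETWORK1 NETWORK2 GUESTNETWORK"

for network in $NETWORKS
do
    #echo "$network"
    for f in ./*.cap
    do
        #echo "$f"
        # Put the ESSID in the temp name: cap2hccapx rewrites its output file,
        # so a shared name would keep only the last network's handshakes.
        ~/tools/hashcat-utils/src/cap2hccapx.bin "$f" "$f-$network-temp.hccapx" "$network"
    done
done

# Match only the temp files so an existing combined.hccapx is never
# appended to itself and then deleted.
for i in ./*-temp.hccapx
do
    cat "$i" >> combined.hccapx
    rm "$i"
done
```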
Once I finished the script, I ran it through my directory to make sure it worked.
```
Rays-MacBook-Pro:Captures doyler$ ./convert_combine.sh
Networks detected: 1
[*] BSSID=a4:6c:xx:xx:xx:xx ESSID=NETWORK01 (Length: 9)
 --> STA=28:16:xx:xx:xx:xx, Message Pair=2, Replay Counter=0
Written 1 WPA Handshakes to: ./corp_target-01.cap-TEST.hccapx
Networks detected: 52
...
[*] BSSID=78:ba:xx:xx:xx:xx ESSID=COMPANYNET002 (Length: 13)
Written 0 WPA Handshakes to: ./target_site3_2017_Nov_08-16:09:12-01-FIXED.cap-TEST.hccapx
```
As you can see, my script combined the files, and the only .hccapx file left in the directory was the combined one.
```
Rays-MacBook-Pro:Captures doyler$ cat combined.hccapx
NETWORK1??????
...
????50????
Rays-MacBook-Pro:Captures doyler$ ls -al *.hccapx
-rw-r--r-- 1 doyler doyler 2751 Dec 6 12:49 combined.hccapx
```
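Concatenation works because hccapx is a sequence of fixed 393-byte records, so the 2751-byte file above holds exactly 7 of them. The following is an added example, not part of the original post or the author's repository: it parses that record layout (as documented on the hashcat wiki) and counts handshake records per ESSID, which is a more telling check than `cat`. The sample records, MAC addresses and helper names are constructed for illustration.

```python
import struct
from collections import Counter

# hccapx v4 record layout as documented on the hashcat wiki (packed, little-endian):
# signature, version, message_pair, essid_len, essid, keyver, keymic,
# mac_ap, nonce_ap, mac_sta, nonce_sta, eapol_len, eapol
HCCAPX = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")  # 393 bytes per record


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_hccapx(blob):
    """Return one dict per record; raise ValueError if the file is malformed."""
    if len(blob) % HCCAPX.size:
        raise ValueError(f"{len(blob)} bytes is not a multiple of {HCCAPX.size}")
    records = []
    for n, f in enumerate(HCCAPX.iter_unpack(blob)):
        if f[0] != b"HCPX" or f[3] > 32:
            raise ValueError(f"record {n}: bad signature or ESSID length")
        records.append({"essid": f[4][:f[3]].decode("utf-8", "replace"),
                        "message_pair": f[2], "ap": mac(f[7]), "sta": mac(f[9])})
    return records


def essid_counts(blob):
    """Handshake records per ESSID, e.g. to confirm every target network made it in."""
    return Counter(r["essid"] for r in parse_hccapx(blob))


def make_record(essid, ap, sta, msg_pair=2):
    """Constructed sample record with zeroed key material (not from a real capture)."""
    e = essid.encode()
    return HCCAPX.pack(b"HCPX", 4, msg_pair, len(e), e, 2, bytes(16),
                       bytes.fromhex(ap), bytes(32), bytes.fromhex(sta),
                       bytes(32), 0, bytes(256))


# Constructed stand-ins for two per-capture outputs, merged the way `cat >>` does.
FILE_A = make_record("NETWORK1", "a46c00000001", "281600000001")
FILE_B = (make_record("NETWORK1", "a46c00000001", "281600000002")
          + make_record("GUESTNETWORK", "78ba00000001", "281600000003"))
COMBINED = FILE_A + FILE_B

if __name__ == "__main__":
    for essid, n in essid_counts(COMBINED).items():
        print(f"{essid}: {n} handshake record(s)")
```

To check a real file, pass `open("combined.hccapx", "rb").read()` to `essid_counts`.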
While the script isn’t my best work, it is definitely something that I could see myself using in future engagements.
Normally you would be fine with multiple .hccapx files, but if you are sending them off to someone/something else, then this can make life a little easier.
Other than that, if you have any suggestions for the script or my methodology, then let me know.
Finally, you can find the code and updates in my GitHub repository.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
Any Windows version?
Yea, the hashcat-utils will also run under Windows!
https://hashcat.net/wiki/doku.php?id=hashcat_utils