Combining Hccapx Files for Simpler Hashcat Cracking

During a recent engagement, I found that combining hccapx files would make my life a little easier. Unfortunately, I couldn't find an easy way to do that directly from cap files.

Combining Hccapx Files - Introduction

As you can see from my ls output, I had a lot of capture files from various days and locations.

Rays-MacBook-Pro:Captures doyler$ ls
corp_target-01.cap                    target_main_2017_Nov_07-16:16:29-01.csv           target_main_2017_Nov_07-17:32:16-01.kismet.csv        target_main_2017_Nov_08-07:35:15-01.kismet.csv
target_Nov7.tar.gz                    target_main_2017_Nov_07-16:16:29-01.kismet.csv        target_main_2017_Nov_07-17:32:16-01.kismet.netxml     target_main_2017_Nov_08-07:35:15-01.kismet.netxml
target_main_2017_Nov_07-16:16:29-01.cap           target_main_2017_Nov_07-17:32:16-01.csv           target_main_2017_Nov_08-07:35:15-01.csv

Initially, I just converted the few main .cap files into .hccapx files and attempted to crack them. Unfortunately, I wasn't able to get any hits on the quick runs on my laptop.

In this case, I wanted to send the captures over to our password cracking rig and run them there. I could have just converted each file to an .hccapx file and then concatenated them, but it seemed like a cleaner solution was possible.

Scripting the Convert and Combining

Finally, I decided to throw together a quick bash script to loop through the files, convert them using cap2hccapx, concatenate the output files, and remove the original .hccapx files.

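# Assumed values; the post does not show how these variables were set.
NETWORKS="NETWORK01 COMPANYNET002"
FILES=./*.cap
for network in $NETWORKS; do
  #echo $network
  for f in $FILES; do
    #echo $f
    # Per-ESSID temp name so a second network does not overwrite the first.
    ~/tools/hashcat-utils/src/cap2hccapx.bin "$f" "$f-$network-temp.hccapx" "$network"
  done
done
HCCAPX=./*-temp.hccapx
for i in $HCCAPX; do
  cat "$i" >> combined.hccapx
  rm "$i"
done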

Running the Script

Once I finished the script, I ran it through my directory to make sure it worked.

Rays-MacBook-Pro:Captures doyler$ ./
Networks detected: 1
[*] BSSID=a4:6c:xx:xx:xx:xx ESSID=NETWORK01 (Length: 9)
 --> STA=28:16:xx:xx:xx:xx, Message Pair=2, Replay Counter=0
Written 1 WPA Handshakes to: ./corp_target-01.cap-TEST.hccapx
Networks detected: 52
[*] BSSID=78:ba:xx:xx:xx:xx ESSID=COMPANYNET002 (Length: 13)
Written 0 WPA Handshakes to: ./target_site3_2017_Nov_08-16:09:12-01-FIXED.cap-TEST.hccapx

As you can see, my script combined the files, and the only .hccapx file left in the directory was the combined one.

Rays-MacBook-Pro:Captures doyler$ cat combined.hccapx
Rays-MacBook-Pro:Captures doyler$ ls -al *.hccapx
-rw-r--r--  1 doyler  doyler  2751 Dec  6 12:49 combined.hccapx
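
Plain concatenation works because an .hccapx file is a sequence of fixed-size 393-byte records, each starting with the HCPX signature (the 2751-byte combined.hccapx above is 7 × 393). The check below is an added example, not part of the original script: it validates a combined file and counts handshakes per ESSID. The field layout follows hashcat's published hccapx structure; the function names and the sample records are constructed for illustration.

```python
import struct
import sys
from collections import Counter

# One hccapx record (packed, little-endian): signature, version, message_pair,
# essid_len, essid, keyver, keymic, mac_ap, nonce_ap, mac_sta, nonce_sta,
# eapol_len, eapol. Total size is 393 bytes.
RECORD = struct.Struct("<4sIBB32sB16s6s32s6s32sH256s")

def parse_hccapx(data):
    """Return [(essid, ap_mac, sta_mac, message_pair), ...] or raise ValueError."""
    if len(data) % RECORD.size:
        raise ValueError(f"{len(data)} bytes is not a multiple of {RECORD.size}")
    records = []
    for off in range(0, len(data), RECORD.size):
        (sig, _ver, pair, elen, essid, _keyver, _mic, ap, _anonce,
         sta, _snonce, eapol_len, _eapol) = RECORD.unpack_from(data, off)
        if sig != b"HCPX":
            raise ValueError(f"bad signature at offset {off}")
        if elen > 32 or eapol_len > 256:
            raise ValueError(f"bad length field at offset {off}")
        name = essid[:elen].decode("utf-8", "replace")
        records.append((name, ap.hex(":"), sta.hex(":"), pair))
    return records

def handshakes_per_essid(data):
    """Count records per ESSID, e.g. to confirm nothing was lost when combining."""
    return Counter(rec[0] for rec in parse_hccapx(data))

def sample_record(essid, ap, sta):
    """Constructed record with zeroed nonces/MIC/EAPOL, for offline testing only."""
    e = essid.encode()
    return RECORD.pack(b"HCPX", 4, 2, len(e), e, 2, bytes(16),
                       ap, bytes(32), sta, bytes(32), 121, bytes(256))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # e.g. combined.hccapx
            blob = fh.read()
    else:
        # Constructed sample: two single-record files concatenated, as cat does.
        blob = (sample_record("NETWORK01", bytes.fromhex("020000000001"),
                              bytes.fromhex("020000000101"))
                + sample_record("COMPANYNET002", bytes.fromhex("020000000002"),
                                bytes.fromhex("020000000102")))
    for essid, count in handshakes_per_essid(blob).items():
        print(f"{essid}: {count} handshake(s)")
```

Run it with the path to a combined file as the only argument; a size or signature error means one of the appended files was truncated or was not an .hccapx file.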

Combining Hccapx Files - Conclusion

While the script isn't my best work, it is definitely something that I could see myself using in future engagements.

Normally you would be fine with multiple .hccapx files, but if you are sending them off to someone/something else, then this can make life a little easier.

Other than that, if you have any suggestions for the script or my methodology, then let me know.

Finally, you can find the code and updates in my GitHub repository.

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
