During a recent engagement, I found that combining hccapx files would make my life a little easier. Unfortunately, I couldn’t find an easy way to do that directly from cap files.
Combining Hccapx Files – Introduction
As you can see from my ls output, I had a lot of capture files from various days and locations.
Rays-MacBook-Pro:Captures doyler$ ls corp_target-01.cap target_main_2017_Nov_07-16:16:29-01.csv target_main_2017_Nov_07-17:32:16-01.kismet.csv target_main_2017_Nov_08-07:35:15-01.kismet.csv target_Nov7.tar.gz target_main_2017_Nov_07-16:16:29-01.kismet.csv target_main_2017_Nov_07-17:32:16-01.kismet.netxml target_main_2017_Nov_08-07:35:15-01.kismet.netxml ... target_main_2017_Nov_07-16:16:29-01.cap target_main_2017_Nov_07-17:32:16-01.csv target_main_2017_Nov_08-07:35:15-01.csv
Initially, I just converted the few main .cap files into .hccapx files and attempted to crack them. Unfortunately, I wasn’t able to get any hits on the quick runs on my laptop.
In this case, I wanted to send over the captures to our password cracking rig, and have them run on that. I could have just converted each file to a hccapx file and then concatenated them, but it seemed like a cleaner solution was possible.
Scripting the Convert and Combining
Finally, I decided to throw together a quick bash script to loop through the files, convert them using cap2hccapx, concatenate the output files, and remove the original .hccapx files.
#!/bin/bash FILES=./*.cap NETWORKS="NETWORK1 NETWORK2 GUESTNETWORK" for network in $NETWORKS do #echo $network for f in $FILES do #echo $f ~/tools/hashcat-utils/src/cap2hccapx.bin $f $f-temp.hccapx $network done done HCCAPX=./*.hccapx for i in $HCCAPX do cat "$i" >> combined.hccapx rm "$i" done
Running the Script
Once I finished the script, I ran it through my directory to make sure it worked.
Rays-MacBook-Pro:Captures doyler$ ./convert_combine.sh Networks detected: 1 [*] BSSID=a4:6c:xx:xx:xx:xx ESSID=NETWORK01 (Length: 9) --> STA=28:16:xx:xx:xx:xx, Message Pair=2, Replay Counter=0 Written 1 WPA Handshakes to: ./corp_target-01.cap-TEST.hccapx Networks detected: 52 ... [*] BSSID=78:ba:xx:xx:xx:xx ESSID=COMPANYNET002 (Length: 13) Written 0 WPA Handshakes to: ./target_site3_2017_Nov_08-16:09:12-01-FIXED.cap-TEST.hccapx
As you can see, my script combined the files and the only .hccapx left in the directory was the one.
Rays-MacBook-Pro:Captures doyler$ cat combined.hccapx NETWORK1?????? ... ????50???? Rays-MacBook-Pro:Captures doyler$ ls -al *.hccapx -rw-r--r-- 1 doyler doyler 2751 Dec 6 12:49 combined.hccapx
Combining Hccapx Files – Conclusion
While the script isn’t my best work, it is definitely something that I could see myself using in future engagements.
Normally you would be fine with multiple .hccapx files, but if you are sending them off to someone/something else, then this can make life a little easier.
Other than that, if you have any suggestions for the script or my methodology, then let me know.
Finally, you can find the code and updates in my GitHub repository.