
hcxpcapngtool Cheatsheet


hcxpcapngtool converts and analyzes WiFi captures. It extracts WPA/WPA2 handshakes, PMKID hashes, and converts pcapng files to formats compatible with hashcat and other password cracking tools.


Basic Usage

  • hcxpcapngtool -o <output> <input> - Convert to hashcat format
  • hcxpcapngtool -o hash.hc22000 capture.pcapng - Convert to hc22000 (PMKID)
  • hcxpcapngtool -o hash.hc22000 -z capture.pcapng - Convert with EAPOL (handshake)

Input/Output Options

  • -o <file> - Output file
  • -k <file> - Output PMKID to file
  • -E <file> - Output ESSID wordlist
  • -I <file> - Output identity wordlist
  • -P <file> - Output passwords
  • -Z <file> - Output weak passphrases
  • -z <file> - Output EAPOL hashes (handshake)

Analysis Options

  • --info - Show capture information
  • --timeline - Show timeline of captures
  • --list - List all captured networks
  • --filter=<bssid> - Filter by BSSID
  • --filter-ap=<bssid> - Filter AP by BSSID
  • --filter-client=<mac> - Filter client by MAC
  • --psk - Show PSK (if known)

Hash Format Conversion

  • -o <file>.hc22000 - Output in hc22000 format (PMKID + EAPOL)
  • -o <file>.16800 - Output in 16800 format (PMKID)
  • -o <file>.2500 - Output in 2500 format (WPA/WPA2 handshake)
  • -o <file>.hccapx - Output in hccapx format (legacy)

PMKID Extraction

  • hcxpcapngtool -o pmkid.hc22000 capture.pcapng - Extract PMKID
  • PMKID captured in first EAPOL message from AP
  • No client needed for PMKID capture
  • Format: PMKID*MAC_AP*MAC_CLIENT*ESSID*PSK

Handshake Extraction

  • hcxpcapngtool -o handshake.hc22000 -z capture.pcapng - Extract handshake
  • Requires complete 4-way handshake
  • Combined with PMKID in hc22000 format

Common Examples

Basic Conversion

hcxpcapngtool -o hash.hc22000 capture.pcapng

Convert with Handshake

hcxpcapngtool -o hash.hc22000 -z capture.pcapng

Show Capture Info

hcxpcapngtool --info capture.pcapng

List Networks

hcxpcapngtool --list capture.pcapng

Extract PMKID Only

hcxpcapngtool -o pmkid.hc22000 -k pmkid.txt capture.pcapng

Extract ESSID Wordlist

hcxpcapngtool -E essid_list.txt capture.pcapng

Filter by BSSID

hcxpcapngtool --filter-ap=AA:BB:CC:DD:EE:FF -o hash.hc22000 capture.pcapng

Convert Multiple Files

hcxpcapngtool -o combined.hc22000 capture1.pcapng capture2.pcapng

Legacy Format

hcxpcapngtool -o hash.hccapx capture.pcapng

Hashcat Integration

PMKID Attack

hashcat -m 22000 hash.hc22000 wordlist.txt

Handshake Attack

hashcat -m 22000 hash.hc22000 wordlist.txt

hc22000 format supports both PMKID and handshakes


File Formats

  • hc22000 - Modern format (PMKID + EAPOL handshake), hashcat mode 22000
  • 16800 - PMKID only, hashcat mode 16800
  • 2500 - WPA/WPA2 handshake, hashcat mode 2500
  • hccapx - Legacy format, hashcat mode 2500
  • pcapng - Original capture format (Wireshark compatible)
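
After an authorized audit, the converted hc22000 file can be summarized per network to show which access points exposed a PMKID, an EAPOL handshake, or both. This is an added example, not part of the original cheatsheet or the hcxtools project. It assumes the hc22000 line layout documented for hashcat mode 22000 (`WPA*01*...` for PMKID, `WPA*02*...` for EAPOL, ESSID hex-encoded), and the sample lines are constructed.

```python
from collections import defaultdict

# Assumed hc22000 layout (hashcat mode 22000):
#   WPA*TYPE*PMKID_or_MIC*MAC_AP*MAC_CLIENT*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID record, TYPE 02 = EAPOL handshake record.
TYPES = {"01": "PMKID", "02": "EAPOL"}

def parse_line(line):
    """Return (kind, bssid, essid) for one hc22000 line, or None if malformed."""
    parts = line.strip().split("*")
    if len(parts) != 9 or parts[0] != "WPA" or parts[1] not in TYPES:
        return None
    try:
        mac = bytes.fromhex(parts[3])
        # ESSIDs are arbitrary bytes; show undecodable ones with replacements.
        essid = bytes.fromhex(parts[5]).decode("utf-8", errors="replace")
    except ValueError:
        return None
    if len(mac) != 6:
        return None
    return TYPES[parts[1]], ":".join(f"{b:02x}" for b in mac), essid

def summarize(lines):
    """Map (bssid, essid) -> set of exposed record kinds, plus a reject count."""
    exposure, rejected = defaultdict(set), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected += 1  # keep count so a truncated file is noticed
            continue
        kind, bssid, essid = rec
        exposure[(bssid, essid)].add(kind)
    return dict(exposure), rejected

# Constructed sample records (locally administered MACs, dummy hash material).
SAMPLE = [
    "WPA*01*" + "aa" * 16 + "*02aabbccddee*021122334455*436f72704e6574***",
    "WPA*02*" + "bb" * 16 + "*02aabbccddee*021122334455*436f72704e6574*"
    + "cc" * 32 + "*0103*02",
    "WPA*01*" + "dd" * 16 + "*02aabbccdd01*021122334466*4775657374***",
    "not a hash line",
]

if __name__ == "__main__":
    found, bad = summarize(SAMPLE)
    for (bssid, essid), kinds in sorted(found.items()):
        print(f"{bssid}  {essid:<12} {'+'.join(sorted(kinds))}")
    print(f"rejected lines: {bad}")
```
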

Workflow

  1. Capture with hcxdumptool: hcxdumptool -i wlan0mon -o capture.pcapng
  2. Convert with hcxpcapngtool: hcxpcapngtool -o hash.hc22000 capture.pcapng
  3. Crack with hashcat: hashcat -m 22000 hash.hc22000 wordlist.txt

Tips

  • hc22000 format is preferred (supports both PMKID and handshakes)
  • Use --info to verify capture quality before converting
  • PMKID doesn't require complete handshake (faster capture)
  • Use -z flag to include EAPOL handshake hashes
  • Filter by BSSID to extract specific networks
  • Combine multiple captures into single hash file
  • Use --list to see what networks were captured
  • Extract ESSID wordlist for targeted attacks
  • Always test on authorized networks only
  • hc22000 format works with hashcat mode 22000
