When input is UTF-8, cutting on character count - even when it is not aligned with byte count - would be useful. This could be added to cutb as a flag, or could be a separate utility.

This script produces some of the desired behavior:

$ cat multicutb
#!/bin/bash

if [ -z "$1" -o -z "$2" ]; then
    echo "Usage: $0 [offset] [length]"
    echo "(similar to cutb from hashcat utils)"
    exit 1
fi
offset=$1
length=$2

grep -Po "^.{$offset}\K.{$length}"

$ echo Τηεοδ29 | multicutb 1 3
ηεο

(but doesn't cover the negative-offset functionality)

Replace "tbd" in the Description section with a link to the wiki: https://hashcat.net/wiki/doku.php?id=hashcat_utils

I have a pcap containing only handshakes (using Wireshark's eapol display filter). When run with this file as input, cap2hccapx prints "Networks detected: 0" and writes nothing. When run with the exact same capture session but no filter (all the packets captured during the session, no eapol filter) it works as expected. What packets other than the handshake does cap2hccapx require to detect networks? And, if you happen to know, what Wireshark filter will include these?

When using large cap files for translating into the hccapx format I get errors:

$ cap2hccapx test.cap test.hccapx
test.cap: Value too large for defined data type

test.cap is around 3.3 GB. The binary was compiled from latest source.

Can you add a tool to get the "total hashes" displayed in Progress in hashcat ?
Because I distribute work with -s -l parameters and I would like to verify server-side if work has been done correctly.

So the tool could work like this, you give attack type (here bruteforce), current mask (so current length), skip parameters and limit parameter and it could display the first hash and the last hash number.

Command: "progress -m 0 -a 3 -s 5000 -l 1000000 ?a?a?a?a?a?a?a?a"
Output: "481863613928816/482539223750000"

For exemple.
Thank you.

When I try to convert some .pcap files, I am unable to get any WPA handshakes I obtained using Pwnagotchi. For some networks it does, but for most of them it says 0 WPA handshakes. Is it because they're not using the WPA standard and I am using the wrong utility. I have been using the cap2hccapx.exe command.

Per chick3nman's request for me to submit this; the cleanup-rules is missing newer rule functions and could use an update.

Apparently it's missing the new(er) rule 3 option and may need other updates as well

https://hashcat.net/wiki/doku.php?id=hashcat_utils#cleanup-rules

Expected behavior: cleanup-rules should validate rules as expected and allow for all rules the current version of hashcat supports

hashcat has a great new function: --nonce-error-corrections
cap2hccapx doesn't support this new function fully, as the tool checks the replaycount and only strips that packets containing the right value.
Please add option to ignore replaycount check to take advantage of this new great hashcat features.
Best regrads
ZerBea

This trac ticket #649 was transferred from trac to github:

date: 2015-08-04
reporter: minga
ticket body:
" Cleanup-rules is filtering out some rules oclhashcat thinks are valid.

For example:
$0 $0 $0 $0 $0 $0 $0 (length 20)

It is rejected because it is too long - but in reality, it shrinks to:
$0$0$0$0$0$0$0 which is 14 chars - and DOES work.

some other examples:

$ $0 $3 (append SPACE 0 3)

Notice there are TWO spaces after the first dollar sign. I think this is the
root cause of all the rules that were rejected, but are still valid.

More double spaces:

o8 ]
o8 *01
o8 } *10
o8 *23
o8 $4
o8 ,4 -9
o8 ,5
o8 +6
o8 ] o1e
o8 o6n
o8 o72 Z1
o8 r x32
o8 srR
o8 Y2
o8 y3
o8 Z1 o72

+0 +0 +0 +0 +0 +0 +0 +0 (too long)
$1 $2 $3 $4 $! $@ $# $$ (too long)

Someone's rule generate space-seperates all rules - which is causing the problem."

This ticket was accepted by "atom" on the trac ticketing system.

I think there must be a bug that counts even each and every space (instead of just the rules).
Thx

I was recently using fuzz to conduct security testing on hashset, and found a stack overflow error in cap2hccapx.bin. The specific information is as follows:

./cap2hccapx.bin poc  /dev/null

=================================================================
==32351==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffe18f at pc 0x0000004d1324 bp 0x7ffffffedab0 sp 0x7ffffffedaa8
READ of size 2 at 0x7fffffffe18f thread T0
    #0 0x4d1323 in process_packet /work/autofz/github/hashcat-utils/src/cap2hccapx.c:741:50
    #1 0x4d1323 in main /work/autofz/github/hashcat-utils/src/cap2hccapx.c:1118:5
    #2 0x7ffff6ee583f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #3 0x41c068 in _start (/work/autofz/github/hashcat-utils/src/cap2hccapx.bin+0x41c068)

Address 0x7fffffffe18f is located in stack of thread T0 at offset 66511 in frame
    #0 0x4c874f in main /work/autofz/github/hashcat-utils/src/cap2hccapx.c:875

  This frame has 10 object(s):
    [32, 64) 'zero.i.i' (line 593)
    [96, 195) 'auth_packet_orig.i.i' (line 612)
    [240, 290) 'essid.i' (line 747)
    [336, 675) 'excpkt.i' (line 855)
    [752, 758) 'bssid.i' (line 675)
    [784, 834) 'essid' (line 902)
    [880, 904) 'pcap_file_header' (line 924)
    [944, 960) 'header' (line 987)
    [976, 66511) 'packet' (line 1017) <== Memory access at offset 66511 overflows this variable
    [66768, 67161) 'hccapx' (line 1288)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /work/autofz/github/hashcat-utils/src/cap2hccapx.c:741:50 in process_packet
Shadow bytes around the buggy address:
  0x10007fff7be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7c30: 00[07]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10007fff7c40: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10007fff7c50: f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10007fff7c60: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10007fff7c70: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10007fff7c80: f8 f8 f8 f8 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==32351==ABORTING

The poc that triggers the error is as follows：https://github.com/Sunzyuu/seed/blob/main/hashset_cap2hccapx_poc
I hope my report will be of some help to hashset, thank you！

Hi, I am getting this error message when trying to covnert .pcap file into .hccapx captured by bettercap (v2.26.1) and I did not found any solution.

• MacOS 10.15.1
• hashcat-utils at f2a86c7

If I git clone https://github.com/hashcat/hashcat-utils.git && cd hashcat-utils/src/ && make on my mac, it appears the default Makefile setup does not correctly move the *.bin files to the ./bin folder. I've tried editing the Makefile to fix this on a fork I made of this repo, and it was successful for me. I edited Makefile line7 from
all: clean
to
all: clean native
mv *.bin ../bin
cp -a *.pl ../bin
This worked for me. But I'm only just a learner in these matters, and I expect that my edits are probably not the best solution. If what I've done is a solution, should I submit a pull request for this? Otherwise, could you please advise how to correct this behavior on macs?

Ideally, I'd like to see this repo in homebrew. But I've had a very, very difficult time creating my own formula for this, and I suspect it's because the Makefile behavior here is not working. So, first things first.

src badmonstr$ sudo make -v
Password:
GNU Make 3.81
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.

This program built for i386-apple-darwin11.3.0

When I run make it just removes all the files in bin and stops. I tried just compiling cap2haccapx.c manually but it's still not working.

(I'm fairly new to linux)

macOs how to run?

Make combinator accepts arbitrary number (n) of files

Could we possibly get a warning message printed to STDERR when the LEN_MAX is exceeded per line 161 in combinator? There has been an issue where this limit is exceeded and combinations are not printing out, but also no warning message is displayed. This could also be implemented into combinatorX where it looks like there is a 64 character limit by default.

Thanks so much for the hard work the hashcat team has put into these tools.

Error:

Failed to execute process 'cap2hccapx.exe'. Reason:
exec: Exec format error
The file 'cap2hccapx.exe' is marked as an executable but could not be run.

A recent fix in oclHashcat changed the number of accepted gpu rules to 15 (see hashcat/hashcat@f230ed7 , it was incorrectly limited to 14), furthermore from the types.h file in oclHashcat (https://github.com/hashcat/oclHashcat/blob/master/include/types.h#L664) we can see that the value for cpu rules is currently limited to 256 -1.

I will provide a fix soon.
Thx

Hi,

I made three wordlists: 12345 (885 lines/words), qaz (16 lines), wsx (16 lines).

First I combine qaz with wsx (result: qazwsx)

Combining 12345 with qazwsx is giving me wordlist with 226560 lines (correct)

Also using combinator3 combining 12345 with qaz and with wsx is giving me wordlist with 226560 lines (correct)

But when I first combine 12345 with qaz (result 12345qaz (14160 lines, correct))

And then combine 12345qaz with wsx I got wordlist with only 226048 lines (512 lines missing).

Can someone explain me why I'm getting two different results (they should be exactly the same)

Is there any restriction in single password length? I noticed that Combiner is dropping passwords when they are longer than 36 signs.

I've attached the three base wordlist.

12345.txt
missing lines.txt
qaz.txt
wsx.txt

cap2hccapx evaluates the beacon and the proberesponse to get the essid and essid_len. That's not enough:
On hidden ssid's, mailformed packets, and/or packet loss of proberesponse cap2hccapx fails to get the necessary essid.
It's a better way to get essid and essid_len from reassociationrequest or associationrequest which are sent immediately before the eapol sequence.
cap2hccapx should use the following priority (from high to low) te get essid and essid_len:

1. re-associationrequest
2. associationrequest
3. proberesponse
4. directed proberequest (proberequest to mac_ap - not to BROADCAST)
5. beacon

Best regards
ZerBea

This feature request was originally reported on the (now obsolete and offline) trac ticketing system of hashcat.net.

Tested on a big endian MIPS router. cap2hccapx succeeds in finding the handshake on x86 but not on MIPS. Guessing due to different endianness.

All other tools have an executable, combinatorX does not. Is it intended?

As brought up in this thread: https://hashcat.net/forum/thread-7437.html

Keyspace program from hashcat-utils gives different results than hashcat itself.
Tested on hashcat 3.6.0, I expect it to be even worse in newer versions of hashcat.

Example:

hashcat64.exe -m 13600 ?l?l?l?l?l?l?l?d?d --keyspace -a 3
30891577600

keyspace.exe -m 13600 ?l?l?l?l?l?l?l?d?d
45697600

Just a friendly reminder that the @ rule (RULE_OP_MANGLE_PURGECHAR) needs to be implemented in utils.

I captured a pcap using Wireshark and feeding it into cap2hccapx resulted in "Unsupported linktype detected".

$ cap2hccapx.bin input.pcap output.hccapx <bssid>
input.pcap: Unsupported linktype detected

According to source

Hexdump of the pcap header shows linktype = C0000000 (decimal 192, little endian)

D4C3B2A1 02000400 00000000 00000000 00000400 C0000000
                                             LINKTYPE

http://www.tcpdump.org/linktypes.html shows linktype 192 is DLT_PPI (Per-Packet Information information). I have no idea what this is, but is this a bug or truly unsupported scenario?

Currently the compilation fails in CentOS 6.9 64bit with the following error:

[user@CUDA src]$ make
rm -f ../bin/*
rm -f *.bin *.exe
cc -Wall -W -pipe -O2 -std=c99  -o cap2hccapx.bin cap2hccapx.c
cap2hccapx.c: In function ‘handle_auth’:
cap2hccapx.c:430: warning: implicit declaration of function ‘__builtin_bswap16’
/tmp/ccmTwrAB.o: In function `main':
cap2hccapx.c:(.text+0x325): undefined reference to `__builtin_bswap16'
cap2hccapx.c:(.text+0x33c): undefined reference to `__builtin_bswap16'
cap2hccapx.c:(.text+0x89c): undefined reference to `__builtin_bswap16'
cap2hccapx.c:(.text+0x8b4): undefined reference to `__builtin_bswap16'
cap2hccapx.c:(.text+0x8cb): undefined reference to `__builtin_bswap16'
collect2: ld returned 1 exit status
make: *** [native] Error 1
[user@CUDA src]$ gcc --version
gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-18)
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

[user@CUDA src]$ 

Obviously a nice-to-have, but it would be somewhat useful to say

len 32

... as shorthand for:

len 32 32

I think this would be intuitive for many users.

redacted

💥🖥💥 Ⓟ➃ⓌⓃ🅟❶ is the name of a network in my area. I was curious to see how the special characters affected these tools. I get this message
tricky-02.cap: Oversized packet detected Networks detected: 0
when doing
cap2hccapx.exe tricky-02.cap tricky-02.hccapx
on a cap file without a handshake.

I tried the 1.9 version on a file where I am certain there was a handshake and simply got this:
Networks detected: 0
I know that airodump captured the handshake. Could this be an issue with the odd characters of the ssid or am I missing something?

example:

handshake file:

https://mega.nz/#!mhEUEIrK!LiPayFYpMMZHIF5EQ5SKHWR3AnWQ0lZaTFAFRTmMW2Q
wpa/wpa2 pass: 01418504041

working the handshake converted with aircrack option -J (.hccap) and hashcat-3.20
but dont work using cap2hccapx.bin and latest hashcat v3.30-319-g5ec763f

Plese do not write this message_pairs into hccapx:
MESSAGE_PAIR_M32E3 3
MESSAGE_PAIR_M32E3 131
MESSAGE_PAIR_M34E3 4
MESSAGE_PAIR_M34E3 132
because it's not possible to convert them back to a cap.

Please use instead:
MESSAGE_PAIR_M32E2 2
MESSAGE_PAIR_M32E2 130
MESSAGE_PAIR_M34E4 5
MESSAGE_PAIR_M34E4 133

Cheers
ZerBea

Some cleaning tools set the timestamp to zero. cap2hccapx should be able to detect this and give a warning. correct timestamp information is needed to determine the "EAPOL-Key Timeout".
Best regards
ZerBea

Hello.

cap2hccapx does not manipulate qos packets properly if it contains not only 3 address but 4 address.
I corrected this by changing this portion of code (line=804) :

else if ((frame_control & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA)
  {
    // process header: ieee80211

    //int set = 0;

    //if (frame_control & IEEE80211_FCTL_TODS)   set++;
    //if (frame_control & IEEE80211_FCTL_FROMDS) set++;

    //if (set != 1) return;

    // find offset to llc/snap header

    int llc_offset;

    if ((frame_control & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_QOS_DATA)
    {
      llc_offset = sizeof (ieee80211_qos_hdr_t);
      u16 tmp = IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS;
      if ((frame_control & tmp) == tmp) llc_offset += 6;
    }
    else
    {
      llc_offset = sizeof (ieee80211_hdr_3addr_t);
    }

    // process header: the llc/snap header

tested and works properly.
Thanks

Work only if set essid but not with bssid !!!
cap2hccapx.exe from hashcat-utils-1.9.7z

For the EAPOL-Key Timeout value, the default is 1 second or 1000 milliseconds.
The available values in in version 6.0 are between 200 and 5000 milliseconds, while codes prior to 6.0 allow for values between 1 and 5 seconds.
What this means is when it comes time to exchange the EAPOL keys between the AP and client, the AP will send the key and wait up to 1 second by default for the client to respond.
Best regards
ZerBea

cpa2hccapx is limited to a maximum of 1000 essid's.
"State of the art" capturing tools are able to capture more than 1000 nets / essid's in a very short time.
Please increase DB_ESSID_MAX up to 50000 (should be a good value).

Best regards
ZerBea

Hey 😄

would be awesome if you could consider tagging a new release, not too many stuff was implemented in the meanwhile but a release containing the segfault fix would not hurt 🐱

while answering this HC-forum-thread
https://hashcat.net/forum/thread-10577-post-54501.html
and looking at the wiki for combipow
https://hashcat.net/wiki/doku.php?id=hashcat_utils
i noticed, that combipow is missing some uniq combinations, for the given example in the wiki it misses combinations like

XYZa123
XYZb123
XYZc123
XYZab123
...

and so on, seems it missing some kind of recursiv loop or something similar