Hashcat capture old format: format specification

Native format of the Hashcat password "recovery" utility. A sample file for testing can be downloaded from https://web.archive.org/web/20150220013635if_/http://hashcat.net:80/misc/example_hashes/hashcat.hccap

Application

Hashcat, aircrack-ng

File extension

hccap

KS implementation details

License: Unlicense

This page hosts a formal specification of the Hashcat capture old format using Kaitai Struct. This specification can be automatically translated into a variety of programming languages to get a parsing library.

Format specification in Kaitai Struct YAML

meta:
  id: hccap
  title: Hashcat capture old format
  license: Unlicense
  file-extension: hccap
  application:
    - Hashcat
    - aircrack-ng
  endian: le
  encoding: utf-8
doc: |
  Native format of the Hashcat password "recovery" utility.
  A sample file for testing can be downloaded from https://web.archive.org/web/20150220013635if_/http://hashcat.net:80/misc/example_hashes/hashcat.hccap
doc-ref: https://hashcat.net/wiki/doku.php?id=hccap
seq:
  - id: records
    type: hccap
    repeat: eos
types:
  hccap:
    seq:
      - id: essid
        type: strz
        size: 36
        
      - id: ap_mac
        size: 6
        doc: The BSSID (MAC address) of the access point

      - id: stantion_mac
        size: 6
        doc: The MAC address of a client connecting to the access point
        
      - id: stantion_nonce
        size: 0x20
      
      - id: ap_nonce
        size: 0x20
        
      - id: eapol
        size: 256
        type: eapol_frame
        
      - id: eapol_size
        type: u4
        doc: Size of the EAPOL frame in bytes

      - id: keyver
        type: u4
        doc: Flag used to distinguish WPA from WPA2 ciphers. A value of 1 means WPA; any other value means WPA2.
      
      - id: keymic
        size: 16
        doc: The final hash value. MD5 for WPA and SHA-1 for WPA2 (truncated to 128 bits)

  eapol_frame:
    instances:
      body:
        pos: 0
        size: _parent.eapol_size
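
A hand-written Python parser for the record layout above, added here as an example; it is not the code Kaitai Struct generates and not part of the original specification. The names `HccapRecord`, `parse_hccap` and `make_sample` are hypothetical, and the input-length check and the `eapol_size` bound are assumptions this example adds so that a file-controlled length is validated before it is used to slice the 256-byte buffer.

```python
import struct
from typing import NamedTuple

# Layout from the spec: little-endian, fixed 392-byte records.
RECORD = struct.Struct("<36s6s6s32s32s256sII16s")

class HccapRecord(NamedTuple):
    essid: str
    ap_mac: bytes
    station_mac: bytes    # "stantion_mac" in the spec
    station_nonce: bytes  # "stantion_nonce" in the spec
    ap_nonce: bytes
    eapol: bytes          # already trimmed to eapol_size
    keyver: int
    keymic: bytes

    @property
    def cipher(self) -> str:
        # keyver: 1 means WPA, any other value WPA2 (per the spec).
        return "WPA" if self.keyver == 1 else "WPA2"

def parse_hccap(data: bytes) -> list:
    """Parse all records; raise ValueError on input the spec cannot describe."""
    if len(data) % RECORD.size:
        raise ValueError(f"{len(data)} bytes is not a multiple of {RECORD.size}")
    records = []
    for off in range(0, len(data), RECORD.size):
        essid, ap, sta, snonce, anonce, eapol, size, keyver, mic = \
            RECORD.unpack_from(data, off)
        # eapol_size is file-controlled; it must fit the 256-byte field.
        if size > len(eapol):
            raise ValueError(f"record at offset {off}: eapol_size {size} > 256")
        # strz: the ESSID ends at the first NUL. Invalid UTF-8 is replaced
        # rather than rejected (a choice made here, not part of the spec).
        name = essid.split(b"\x00", 1)[0].decode("utf-8", errors="replace")
        records.append(HccapRecord(name, ap, sta, snonce, anonce,
                                   eapol[:size], keyver, mic))
    return records

def make_sample(eapol_size: int = 121) -> bytes:
    """Constructed record with placeholder values, not a real capture."""
    return RECORD.pack(b"example-net", bytes.fromhex("020000000001"),
                       bytes.fromhex("020000000002"), b"\x11" * 32, b"\x22" * 32,
                       b"\x01\x03\x00\x75" + b"\x00" * 117, eapol_size, 2,
                       b"\x33" * 16)

if __name__ == "__main__":
    for rec in parse_hccap(make_sample() * 2):
        print(rec.essid, rec.ap_mac.hex(":"), rec.cipher, len(rec.eapol))
```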