Hashcat capture file (old version): PHP parsing library

Native format of Hashcat password "recovery" utility.

A sample of file for testing can be downloaded from https://web.archive.org/web/20150220013635if_/http://hashcat.net:80/misc/example_hashes/hashcat.hccap

Application

["Hashcat", "aircrack-ng"]

File extension

hccap

KS implementation details

License: Unlicense

This page hosts a formal specification of Hashcat capture file (old version) using Kaitai Struct. This specification can be automatically translated into a variety of programming languages to get a parsing library.

PHP source code to parse Hashcat capture file (old version)

Hccap.php

<?php
// This is a generated file! Please edit source .ksy file and use kaitai-struct-compiler to rebuild

/**
 * Native format of Hashcat password "recovery" utility.
 * 
 * A sample of file for testing can be downloaded from https://web.archive.org/web/20150220013635if_/http://hashcat.net:80/misc/example_hashes/hashcat.hccap
 */

class Hccap extends \Kaitai\Struct\Struct {
    public function __construct(\Kaitai\Struct\Stream $_io, \Kaitai\Struct\Struct $_parent = null, \Hccap $_root = null) {
        parent::__construct($_io, $_parent, $_root);
        $this->_read();
    }

    private function _read() {
        $this->_m_records = [];
        $i = 0;
        while (!$this->_io->isEof()) {
            $this->_m_records[] = new \Hccap\HccapRecord($this->_io, $this, $this->_root);
            $i++;
        }
    }
    protected $_m_records;
    public function records() { return $this->_m_records; }
}

namespace \Hccap;

class HccapRecord extends \Kaitai\Struct\Struct {
    public function __construct(\Kaitai\Struct\Stream $_io, \Hccap $_parent = null, \Hccap $_root = null) {
        parent::__construct($_io, $_parent, $_root);
        $this->_read();
    }

    private function _read() {
        $this->_m_essid = $this->_io->readBytes(36);
        $this->_m_macAp = $this->_io->readBytes(6);
        $this->_m_macStation = $this->_io->readBytes(6);
        $this->_m_nonceStation = $this->_io->readBytes(32);
        $this->_m_nonceAp = $this->_io->readBytes(32);
        $this->_m__raw_eapolBuffer = $this->_io->readBytes(256);
        $io = new \Kaitai\Struct\Stream($this->_m__raw_eapolBuffer);
        $this->_m_eapolBuffer = new \Hccap\EapolDummy($io, $this, $this->_root);
        $this->_m_lenEapol = $this->_io->readU4le();
        $this->_m_keyver = $this->_io->readU4le();
        $this->_m_keymic = $this->_io->readBytes(16);
    }
    protected $_m_eapol;
    public function eapol() {
        if ($this->_m_eapol !== null)
            return $this->_m_eapol;
        $io = $this->eapolBuffer()->_io();
        $_pos = $io->pos();
        $io->seek(0);
        $this->_m_eapol = $io->readBytes($this->lenEapol());
        $io->seek($_pos);
        return $this->_m_eapol;
    }
    protected $_m_essid;
    protected $_m_macAp;
    protected $_m_macStation;
    protected $_m_nonceStation;
    protected $_m_nonceAp;
    protected $_m_eapolBuffer;
    protected $_m_lenEapol;
    protected $_m_keyver;
    protected $_m_keymic;
    protected $_m__raw_eapolBuffer;
    public function essid() { return $this->_m_essid; }

    /**
     * The BSSID (MAC address) of the access point
     */
    public function macAp() { return $this->_m_macAp; }

    /**
     * The MAC address of a client connecting to the access point
     */
    public function macStation() { return $this->_m_macStation; }

    /**
     * Nonce (random salt) generated by the client connecting to the access point.
     */
    public function nonceStation() { return $this->_m_nonceStation; }

    /**
     * Nonce (random salt) generated by the access point.
     */
    public function nonceAp() { return $this->_m_nonceAp; }

    /**
     * Buffer for EAPOL data, only first `len_eapol` bytes are used
     */
    public function eapolBuffer() { return $this->_m_eapolBuffer; }

    /**
     * Size of EAPOL data
     */
    public function lenEapol() { return $this->_m_lenEapol; }

    /**
     * The flag used to distinguish WPA from WPA2 ciphers. Value of
     * 1 means WPA, other - WPA2.
     */
    public function keyver() { return $this->_m_keyver; }

    /**
     * The final hash value. MD5 for WPA and SHA-1 for WPA2
     * (truncated to 128 bit).
     */
    public function keymic() { return $this->_m_keymic; }
    public function _raw_eapolBuffer() { return $this->_m__raw_eapolBuffer; }
}

namespace \Hccap;

class EapolDummy extends \Kaitai\Struct\Struct {
    public function __construct(\Kaitai\Struct\Stream $_io, \Hccap\HccapRecord $_parent = null, \Hccap $_root = null) {
        parent::__construct($_io, $_parent, $_root);
        $this->_read();
    }

    private function _read() {
    }
}