Hashcat capture file: C++/STL parsing library

Native format of Hashcat password "recovery" utility


["Hashcat", "aircrack-ng"]

File extension


KS implementation details

License: Unlicense

This page hosts a formal specification of Hashcat capture file using Kaitai Struct. This specification can be automatically translated into a variety of programming languages to get a parsing library.


Using Kaitai Struct in C++/STL usually consists of 3 steps.

  1. We need to create an STL input stream (std::istream). One can open local file for that, or use existing std::string or char* buffer.
    #include <fstream>
    std::ifstream is("path/to/local/file.hccapx", std::ifstream::binary);
    #include <sstream>
    std::istringstream is(str);
    #include <sstream>
    const char buf[] = { ... };
    std::string str(buf, sizeof buf);
    std::istringstream is(str);
  2. We need to wrap our input stream into Kaitai stream:
    #include <kaitai/kaitaistream.h>
    kaitai::kstream ks(&is);
  3. And finally, we can invoke the parsing:
    hccapx_t data(&ks);

After that, one can get various attributes from the structure by invoking getter methods like:

data.records() // => get records

C++/STL source code to parse Hashcat capture file


#ifndef HCCAPX_H_
#define HCCAPX_H_

// This is a generated file! Please edit source .ksy file and use kaitai-struct-compiler to rebuild

#include "kaitai/kaitaistruct.h"

#include <stdint.h>
#include <vector>

#error "Incompatible Kaitai Struct C++/STL API: version 0.7 or later is required"

 * Native format of Hashcat password "recovery" utility
 * \sa Source

class hccapx_t : public kaitai::kstruct {

    class hccapx_record_t;

    hccapx_t(kaitai::kstream* p__io, kaitai::kstruct* p__parent = 0, hccapx_t* p__root = 0);

    void _read();


    class hccapx_record_t : public kaitai::kstruct {


        hccapx_record_t(kaitai::kstream* p__io, hccapx_t* p__parent = 0, hccapx_t* p__root = 0);

        void _read();


        std::string m_magic;
        uint32_t m_version;
        bool m_ignore_replay_counter;
        uint64_t m_message_pair;
        uint8_t m_len_essid;
        std::string m_essid;
        std::string m_padding1;
        uint8_t m_keyver;
        std::string m_keymic;
        std::string m_mac_ap;
        std::string m_nonce_ap;
        std::string m_mac_station;
        std::string m_nonce_station;
        uint16_t m_len_eapol;
        std::string m_eapol;
        std::string m_padding2;
        hccapx_t* m__root;
        hccapx_t* m__parent;

        std::string magic() const { return m_magic; }

         * The version number of the .hccapx file format.
        uint32_t version() const { return m_version; }

         * Indicates if the message pair matching was done based on
         * replay counter or not.
         * Whenever it was set to 1 it means that the replay counter
         * was ignored (i.e. it was not considered at all by the
         * matching algorithm).
         * Hashcat currently does not perform any particular action
         * based on this bit, but nonetheless this information could be
         * crucial for some 3th party tools and for
         * analysis/statistics. There could be some opportunity to
         * implement some further logic based on this particular
         * information also within hashcat (in the future).
        bool ignore_replay_counter() const { return m_ignore_replay_counter; }

         * The message_pair value describes which messages of the 4-way
         * handshake were combined to form the .hccapx structure. It is
         * always a pair of 2 messages: 1 from the AP (access point)
         * and 1 from the STA (client).
         * Furthermore, the message_pair value also gives a hint from
         * which of the 2 messages the EAPOL origins. This is
         * interesting data, but not necessarily needed for hashcat to
         * be able to crack the hash.
         * On the other hand, it could be very important to know if
         * “only” message 1 and message 2 were captured or if for
         * instance message 3 and/or message 4 were captured too. If
         * message 3 and/or message 4 were captured it should be a hard
         * evidence that the connection was established and that the
         * password the client used was the correct one.
        uint64_t message_pair() const { return m_message_pair; }
        uint8_t len_essid() const { return m_len_essid; }
        std::string essid() const { return m_essid; }
        std::string padding1() const { return m_padding1; }

         * The flag used to distinguish WPA from WPA2 ciphers. Value of
         * 1 means WPA, other - WPA2.
        uint8_t keyver() const { return m_keyver; }

         * The final hash value. MD5 for WPA and SHA-1 for WPA2
         * (truncated to 128 bit).
        std::string keymic() const { return m_keymic; }

         * The BSSID (MAC address) of the access point.
        std::string mac_ap() const { return m_mac_ap; }

         * Nonce (random salt) generated by the access point.
        std::string nonce_ap() const { return m_nonce_ap; }

         * The MAC address of the client connecting to the access point.
        std::string mac_station() const { return m_mac_station; }

         * Nonce (random salt) generated by the client connecting to the access point.
        std::string nonce_station() const { return m_nonce_station; }

         * The length of the EAPOL data.
        uint16_t len_eapol() const { return m_len_eapol; }
        std::string eapol() const { return m_eapol; }
        std::string padding2() const { return m_padding2; }
        hccapx_t* _root() const { return m__root; }
        hccapx_t* _parent() const { return m__parent; }

    std::vector<hccapx_record_t*>* m_records;
    hccapx_t* m__root;
    kaitai::kstruct* m__parent;

    std::vector<hccapx_record_t*>* records() const { return m_records; }
    hccapx_t* _root() const { return m__root; }
    kaitai::kstruct* _parent() const { return m__parent; }

#endif  // HCCAPX_H_


// This is a generated file! Please edit source .ksy file and use kaitai-struct-compiler to rebuild

#include "hccapx.h"

hccapx_t::hccapx_t(kaitai::kstream* p__io, kaitai::kstruct* p__parent, hccapx_t* p__root) : kaitai::kstruct(p__io) {
    m__parent = p__parent;
    m__root = this;

void hccapx_t::_read() {
    m_records = new std::vector<hccapx_record_t*>();
        int i = 0;
        while (!m__io->is_eof()) {
            m_records->push_back(new hccapx_record_t(m__io, this, m__root));

hccapx_t::~hccapx_t() {
    for (std::vector<hccapx_record_t*>::iterator it = m_records->begin(); it != m_records->end(); ++it) {
        delete *it;
    delete m_records;

hccapx_t::hccapx_record_t::hccapx_record_t(kaitai::kstream* p__io, hccapx_t* p__parent, hccapx_t* p__root) : kaitai::kstruct(p__io) {
    m__parent = p__parent;
    m__root = p__root;

void hccapx_t::hccapx_record_t::_read() {
    m_magic = m__io->ensure_fixed_contents(std::string("\x48\x43\x50\x58", 4));
    m_version = m__io->read_u4le();
    m_ignore_replay_counter = m__io->read_bits_int(1);
    m_message_pair = m__io->read_bits_int(7);
    m_len_essid = m__io->read_u1();
    m_essid = m__io->read_bytes(len_essid());
    m_padding1 = m__io->read_bytes((32 - len_essid()));
    m_keyver = m__io->read_u1();
    m_keymic = m__io->read_bytes(16);
    m_mac_ap = m__io->read_bytes(6);
    m_nonce_ap = m__io->read_bytes(32);
    m_mac_station = m__io->read_bytes(6);
    m_nonce_station = m__io->read_bytes(32);
    m_len_eapol = m__io->read_u2le();
    m_eapol = m__io->read_bytes(len_eapol());
    m_padding2 = m__io->read_bytes((256 - len_eapol()));

hccapx_t::hccapx_record_t::~hccapx_record_t() {