Hashcat capture file: Python parsing library

Native format of Hashcat password "recovery" utility

Application

["Hashcat", "aircrack-ng"]

File extension

hccapx

KS implementation details

License: Unlicense

This page hosts a formal specification of Hashcat capture file using Kaitai Struct. This specification can be automatically translated into a variety of programming languages to get a parsing library.

Usage

Parse a local file and get structure in memory:

data = Hccapx.from_file("path/to/local/file.hccapx")

Or parse structure from a bytes:

from kaitaistruct import KaitaiStream, BytesIO

raw = b"\x00\x01\x02..."
data = Hccapx(KaitaiStream(BytesIO(raw)))

After that, one can get various attributes from the structure by invoking getter methods like:

data.records # => get records

Python source code to parse Hashcat capture file

hccapx.py

# This is a generated file! Please edit source .ksy file and use kaitai-struct-compiler to rebuild

from pkg_resources import parse_version
from kaitaistruct import __version__ as ks_version, KaitaiStruct, KaitaiStream, BytesIO


if parse_version(ks_version) < parse_version('0.7'):
    raise Exception("Incompatible Kaitai Struct Python API: 0.7 or later is required, but you have %s" % (ks_version))

class Hccapx(KaitaiStruct):
    """Native format of Hashcat password "recovery" utility
    
    .. seealso::
       Source - https://hashcat.net/wiki/doku.php?id=hccapx
    """
    def __init__(self, _io, _parent=None, _root=None):
        self._io = _io
        self._parent = _parent
        self._root = _root if _root else self
        self._read()

    def _read(self):
        self.records = []
        i = 0
        while not self._io.is_eof():
            self.records.append(self._root.HccapxRecord(self._io, self, self._root))
            i += 1


    class HccapxRecord(KaitaiStruct):
        def __init__(self, _io, _parent=None, _root=None):
            self._io = _io
            self._parent = _parent
            self._root = _root if _root else self
            self._read()

        def _read(self):
            self.magic = self._io.ensure_fixed_contents(b"\x48\x43\x50\x58")
            self.version = self._io.read_u4le()
            self.ignore_replay_counter = self._io.read_bits_int(1) != 0
            self.message_pair = self._io.read_bits_int(7)
            self._io.align_to_byte()
            self.len_essid = self._io.read_u1()
            self.essid = self._io.read_bytes(self.len_essid)
            self.padding1 = self._io.read_bytes((32 - self.len_essid))
            self.keyver = self._io.read_u1()
            self.keymic = self._io.read_bytes(16)
            self.mac_ap = self._io.read_bytes(6)
            self.nonce_ap = self._io.read_bytes(32)
            self.mac_station = self._io.read_bytes(6)
            self.nonce_station = self._io.read_bytes(32)
            self.len_eapol = self._io.read_u2le()
            self.eapol = self._io.read_bytes(self.len_eapol)
            self.padding2 = self._io.read_bytes((256 - self.len_eapol))