Automic VaultAutomic Vault

brew

Install hcxtools with Homebrew, apt, dnf, Nix, pacman

Utils for conversion of cap/pcap/pcapng WiFi dump files. Version 7.1.2 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install hcxtools

local Homebrew formula metadata

Linux

Debian aptverified · 92%
sudo apt install hcxtools

Debian stable package indexes · hcxtools · source: deb.debian.org

Fedora dnfverified · 92%
sudo dnf install hcxtools

Fedora Rawhide package metadata · hcxtools · source: dl.fedoraproject.org

Nixverified · 92%
nix profile install nixpkgs#hcxtools

nixpkgs package indexes · pkgs/by-name/hc/hcxtools/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S hcxtools

Arch Linux sync databases · hcxtools · source: geo.mirror.pkgbuild.com

overview

Package summary

Utils for conversion of cap/pcap/pcapng WiFi dump files

Commands and aliases

  • hcxeiutool
  • hcxhash2cap
  • hcxhashtool
  • hcxpcapngtool
  • hcxpmktool
  • hcxpottool
  • hcxpsktool
  • hcxwltool
  • whoismac
  • wlancap2wpasec

history

Project history and usage

hcxtools is a Linux-focused suite for converting Wi-Fi capture files into hash formats consumed by Hashcat and John the Ripper. The upstream description frames it as an analysis toolkit for finding weak points in one's own wireless networks rather than as a password-cracking engine.

Project history

The GitHub repository was created in April 2017. Its scope settled around the conversion and post-processing side of WPA/WPA2 auditing: hcxpcapngtool converts capture files, hcxhashtool filters hash files, hcxpmktool verifies PSKs or PMKs, hcxpottool handles pot files, and related tools handle wordlist candidates, vendor lookup, and upload workflows.

The toolkit is closely paired with ZerBea's hcxdumptool, which performs packet capture and layer-2 WPA protocol tests. The documented workflow is hcxdumptool to hcxpcapngtool to hcxhashtool, optionally to hcxpsktool or hcxeiutool, and then to Hashcat or John the Ripper.

hcxtools evolved with Hashcat's WPA formats. The README emphasizes Hashcat mode 22000/22001 over older 2500/2501 and 16800/16801 formats, while the changelog records later work on FT-PSK PMKID and EAPOL conversion for mode 37100 and ongoing handling of EAPOL length limits.

Adoption history

The package spread through security-oriented Linux distributions and general package managers because it solves a specific interoperability problem: turning packet captures into forms that established cracking and auditing tools can read. The batch input records Homebrew, Debian, Fedora, Nix, Arch, and Ubuntu packaging, but upstream itself warns that operating systems outside its Linux target are unsupported.

Its audience is narrower than a general network utility. Upstream expects knowledge of radio technology, 802.11 protocol behavior, key derivation, Linux drivers, capture filters, and related tooling. That technical bar shaped adoption among wireless-security practitioners and package users who already know the Hashcat/JtR workflow.

How it is used

hcxtools does not capture traffic, crack hashes, attack WEP or WPS, or decrypt encrypted traffic. Instead, it converts, filters, verifies, and prepares artifacts: pcapng/pcap/cap input, PMKID and EAPOL hash lines, pot files, ESSID-derived candidate lists, vendor OUI lookups, and wpa-sec upload workflows.

The upstream README is explicit that output files may be appended to, that dump files should not be merged in ways that destroy custom block hash assignments, and that nonce-error correction is not performed by the tools. These details are why package users often care about exact upstream versions matching hcxdumptool and Hashcat behavior.

Why package nerds care

hcxtools is package-nerd significant because it sits at a brittle boundary between kernel Wi-Fi capture behavior, pcapng file semantics, WPA handshake interpretation, and Hashcat/JtR hash formats. Small changes in any layer can make a packaged version too old for a user's capture workflow.

The suite is also notable as a source-built C toolkit with many small executables rather than one command. Packaging therefore exposes a toolbox: hcxpcapngtool for conversion, hcxhashtool for filtering, hcxhash2cap for reverse conversion, hcxpottool for pot files, whoismac for OUI data, and more.

Timeline

  • 2017: hcxtools repository created.
  • 2019: 5.x releases published through GitHub releases.
  • 2020: 6.0.0 and 6.1.x releases published.
  • 2021: 6.2.x releases published.
  • 2024: README simplified distribution-specific compile instructions and pointed users back to their distribution dependency names.
  • 2025: 7.0.0 added support for relayed EAPOL messages.
  • 2026: changelog recorded FT-PSK PMKID and EAPOL conversion work for Hashcat mode 37100.

Related projects

  • hcxdumptool captures the wireless packets that hcxtools converts and filters.
  • Hashcat consumes the WPA/WPA2 hash formats that hcxtools prepares.
  • John the Ripper is the other major password-auditing tool named in the README.
  • wpa-sec is an upload target documented by the toolkit for testing captured material against common weak-key data.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 1 runtime dependencies.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
hcxeiutoolcliglobal executable
hcxhash2capcliglobal executable
hcxhashtoolcliglobal executable
hcxpcapngtoolcliglobal executable
hcxpmktoolcliglobal executable
hcxpottoolcliglobal executable
hcxpsktoolcliglobal executable
hcxwltoolcliglobal executable
whoismaccliglobal executable
wlancap2wpaseccliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version7.1.2
manager updated
local dataok
upstreamcurrent
latest detected7.1.2

https://github.com/ZerBea/hcxtools

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:hcxtools
Version7.1.2
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/hcxtools
Homepagehttps://github.com/ZerBea/hcxtools
Repositoryhttps://github.com/ZerBea/hcxtools
Upstream docshttps://github.com/ZerBea/hcxtools#readme
LicenseMIT
Source archivehttps://github.com/ZerBea/hcxtools/archive/refs/tags/7.1.2.tar.gz
Dependenciesopenssl@3
Build dependenciespkgconf
Uses from macOScurl
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namehcxtools
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

hcxtools 6.3.5-1

Tools for converting captures to use with hashcat or John the Ripper

https://github.com/ZerBea/hcxtools

sudo apt install hcxtools
  • Section: net
  • Architecture: amd64
  • 5 dependencies
  • 1 optional deps
  • normalized package name match
  • Matched by: Hcxtools
Debian stable package indexes · deb.debian.org · Debian stable package indexes: hcxtools from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Nix95%

hcxtools

nix profile install nixpkgs#hcxtools
  • normalized package name match
  • Matched by: Hcxtools
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/hc/hcxtools/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
Ubuntu apt95%

hcxtools 6.2.7-2build3

Tools for converting captures to use with hashcat or John the Ripper

https://github.com/ZerBea/hcxtools

sudo apt install hcxtools
  • Section: universe/net
  • Architecture: amd64
  • 5 dependencies
  • 1 optional deps
  • normalized package name match
  • Matched by: Hcxtools
Ubuntu 24.04 LTS package indexes · archive.ubuntu.com · Ubuntu 24.04 LTS package indexes: hcxtools from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz
dnf95%

hcxtools 7.1.2-1.fc45

Set of tools to convert packets from capture files to hash files

https://github.com/ZerBea/hcxtools

sudo dnf install hcxtools
  • License: MIT
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: hcxtools
  • 6 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Hcxtools
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: hcxtools from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
pacman95%

hcxtools 7.1.2-1

Portable solution for capturing wlan traffic and conversion to hashcat and John the Ripper formats

https://github.com/ZerBea/hcxtools

sudo pacman -S hcxtools
  • License: MIT
  • Architecture: x86_64
  • 5 dependencies
  • normalized package name match
  • Matched by: Hcxtools
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: hcxtools from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment