Since version 6.0.0, hashcat accepts the new hash mode 22000:
22000 | WPA-PBKDF2-PMKID+EAPOL 22001 | WPA-PMK-PMKID+EAPOL
Benefits of hash mode 22000:
Difference between hash mode 22000 and hash mode 22001:
In order to be able to use the hash mode 22000 to the full extent, you need the following tools:
Optionally there is hcxlabtool, which you can use as an experienced user or in headless operation instead of hcxdumptool: https://github.com/ZerBea/wifi_laboratory
For users who don't want to struggle with compiling hcxtools from sources there is an online converter: https://hashcat.net/cap2hashcat/
If you choose the online converter, you may need to remove some data from your dump file if the file size is too large. Most of the time, this happens when data traffic is also being recorded.
You can reduce the size with tshark:
tshark -r dumpfile.cap/pcap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcapng -w stripped.pcapng
Do not clean up the cap / pcap file (e.g. with wpaclean), as this will remove useful and important frames from the dump file. Do not use filtering options while collecting WiFi traffic.
Do not merge (pcapng) dump files files, as this destroy useful information.
The hcxdumptool / hcxlabtool offers several attack modes that other tools do not.
This includes the PMKID attack, which is described here: https://hashcat.net/forum/thread-7717.html
It also includes AP-less client attacks and a lot more.
The traffic is saved in pcapng format. This format is used by Wireshark / tshark as the standard format. Additional information (NONCE, REPLAYCOUNT, MAC, hash values calculated during the session) are stored in pcapng option fields. The hcxpcapngtool uses these option fields to calculate the best hash values in order to avoid unbreakable hashes at best.
In addition, Hashcat is told how to handle the hash via the message pair field. When hcxdumptool is connected to a GPS device, it also saves the GPS coordinates of the frames.
Examples of the target and how traffic is captured:
1.Stop all services that are accessing the WLAN device (e.g .: NetworManager and wpa_supplicant.service)
$ sudo systemctl stop NetworkManager.service $ sudo systemctl stop wpa_supplicant.service
2. Start the attack and wait for you to receive PMKIDs and / or EAPOL message pairs, then exit hcxdumptool
Do not set monitor mode by third party tools.
Do not run hcxdumptool on a virtual interface.
Do not run hcxdudmptool at the same time in combination with tools that take access to the interface (except Wireshark, tshark).
$ hcxdumptool -i INTERFACE_NAME -w dumpfile.pcapng --rds=1 -F
3. Restart stopped services to reactivate your network connection
$ sudo systemctl start wpa_supplicant.service $ sudo systemctl start NetworkManager.service
4. Convert the traffic to hash format 22000
$ hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng
Make sure you are in the correct working directory (pwd will show you the working directory and ls the content of it).
5. Run Hashcat on the list of words obtained from WPA traffic
$ hashcat -m 22000 hash.hc22000 wordlist.txt
Make sure you are in the correct working directory (pwd will show you the working directory and ls the content of it).
For more options, see the tools help menu (-h or –help) or this thread.
Get more examples from here.
Run Hashcat on an excellent WPA word list or check out their free online service:
Code: $ wget https://wpa-sec.stanev.org/dict/cracked.txt.gz $ hashcat -m 22000 test.hc22000 cracked.txt.gz
Get more examples from here: https://github.com/hashcat/hashcat/issues/2923
Explanation of the hc22000 hash line
WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID***MESSAGEPAIR WPA*02*MIC*MAC_AP*MAC_CLIENT*ESSID*NONCE_AP*EAPOL_CLIENT*MESSAGEPAIR
Explanation of the MESSAGEPAIR fields
bitmask of message pair field PMKID (WPA*01): 0: reserved 1: PMKID taken from AP 2: reserved 4: PMKID taken from CLIENT (wlan.da: possible MESH or REPEATER) 5: reserved 6: reserved 7: reserved bitmask of message pair field EAPOL (WPA*02): 2,1,0: 000 = M1+M2, EAPOL from M2 (challenge) 001 = M1+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed 010 = M2+M3, EAPOL from M2 (authorized) 011 = M2+M3, EAPOL from M3 (authorized) - unused 100 = M3+M4, EAPOL from M3 (authorized) - unused 101 = M3+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed 3: reserved 4: ap-less attack (set to 1) - nonce-error-corrections not required 5: LE router detected (set to 1) - nonce-error-corrections required only on LE 6: BE router detected (set to 1) - nonce-error-corrections required only on BE 7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory
Examples to work on hc22000 hash files:
Filter hash file by PMKID
$ grep 'WPA\*01' hash.hc22000 > pmkid.hc22000 or $ hcxhashtool -i hash.hc22000 --type=1 -o pmkid.hc22000
Filter hash file by EAPOL
$ grep 'WPA\*02' hash.hc22000 > eapol.hc22000 or $ hcxhashtool -i hash.hc22000 --type=2 -o eapol.hc22000
Filter by authorized EAPOL MESSAGEPAIR
$ grep '2$' hash.hc22000 or $ hcxhashtool -i hash.hc22000 --authorized -o authorized.hc22000
Filter by challenge EAPOL MESSAGEPAIR
$ grep '0$' hash.hc22000 or $ hcxhashtool -i hash.hc22000 --challenge -o challenge.hc22000
Filter by MAC
$ grep '\*112233445566\*' hash.hc22000 > mac.hc22000 or $ hcxhashtool -i hash.hc22000 --mac-ap=112233445566 -o macap.hc22000 or $ hcxhashtool -i hash.hc22000 --mac-client=112233445566 -o macclient.hc22000
Use of the original .cap and .hccapx formats is no longer supported. Files in .cap format can be converted for modern use; .hccapx cannot.
hashcat is very flexible, so I'll cover three most common and basic scenarios:
$ hashcat -m 22000 hash.hc22000 cracked.txt.gz on Windows add: $ pause
Execute the attack using the batch file, which should be changed to suit your needs.
$ hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d on Windows add: $ pause
This will pipe digits-only strings of length 8 to hashcat. Replace the ?d as needed.
It would be wise to first estimate the time it would take to process using a calculator.
TBD: add some example timeframes for common masks / common speed
This is similar to a Dictionary attack, but the commands look a bit different:
$ hashcat -m 22000 hash.hc22000 -r rules/best64.rule cracked.txt.gz on Windows add: $ pause
This will mutate the wordlist with best 64 rules, which come with the hashcat distribution.
Change as necessary and remember, the time it will take the attack to finish will increase proportionally with the amount of rules.
This page was partially adapted from this forum post, which also includes some details for developers.