Trouble Capturing PMKID on TP-Link Archer A5: Hashcat Works Only with Handshake - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Trouble Capturing PMKID on TP-Link Archer A5: Hashcat Works Only with Handshake (/thread-12510.html)
Trouble Capturing PMKID on TP-Link Archer A5: Hashcat Works Only with Handshake - stass99 - 02-17-2025

Hello everyone,

I'm having trouble performing a PMKID attack on my TP-Link Archer A5 router (WPA2 encryption). When clients are connected to the network, everything works fine: I capture a full handshake, and Hashcat successfully finds the password using a dictionary. However, when I try to perform the attack without any clients connected, I can't seem to capture the PMKID properly. Here's what I'm doing step by step:
My question is: How can I perform a PMKID attack without any clients connected?

I noticed that in the Hashcat documentation, there are modes specifically for PMKID:

Code:
16800 | WPA-PMKID-PBKDF2
16801 | WPA-PMKID-PMK

However, when I try to use these modes, Hashcat throws an error and insists on using -m 22000. I've spent half a day trying to figure this out, but I'm stuck. Am I missing something?

Here's my Hashcat version:

Code:
(rz17㉿balu)-[~]
└─$ hashcat -V
v6.2.6

Any help or advice would be greatly appreciated! Thank you in advance.

RE: Trouble Capturing PMKID on TP-Link Archer A5: Hashcat Works Only with Handshake - ZerBea - 02-17-2025

Not every router is configured to use PMKIDs. Your TP-Link Archer A5 is among them.

iwconfig is deprecated and should not be used any longer. It has been replaced by iw!

There is no need to run third party tools to set monitor mode because hcxdumptool/hcxlabtool do this. Just stop all services that take access to the device. That is mentioned in --help:

Important recommendation: Use hcxhashtool to filter authorized handshakes only (as mentioned in --help):

Code:
--authorized : filter EAPOL pairs by status authorized (M2M3, M3M4, M1M4)

More information about filtering is here: https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

If you know the operating channel of the target (e.g. from --rcascan) it doesn't make sense to scan the entire frequency range by option -F. The attack is faster if you set the operating channel/band by option -c

More information is here: https://github.com/ZerBea/hcxdumptool/discussions/492
and here: https://github.com/ZerBea/hcxdumptool/discussions/485

Run tshark (on hcxdumptool's pcapng file) to show PMKIDs:

Code:
$ tshark -r dumpfile.pcapng -Y "wlan.rsn.ie.pmkid" -T fields -E header=y -e wlan.bssid -e wlan.rsn.ie.pmkid | sort -u

Or run tshark in parallel (second terminal) with hcxdumptool to show PMKIDs on the fly:

Code:
$ tshark -i INTERFACENAME -f "wlan type data" -T fields -E header=y -e wlan.bssid -e wlan.rsn.ie.pmkid

https://github.com/ZerBea/hcxdumptool/discussions/495
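Added example (not code from the thread, hashcat or hcxtools): a small Python parser for the hashcat 22000 line format, which carries both PMKID entries (TYPE 01) and EAPOL entries (TYPE 02) in one hash file, so a converted capture can be checked for whether a PMKID was actually recorded and whether each EAPOL entry is one of the authorized pairs the --authorized filter above keeps. The sample lines are constructed with placeholder hex values, not taken from a real capture.

```python
from dataclasses import dataclass

# Low three bits of MESSAGEPAIR: pair 0 (M1+M2) is a challenge only; pairs 1-5
# are the authorized pairs (M1M4, M2M3, M3M4) that hcxhashtool --authorized keeps.
MESSAGE_PAIRS = {0: ("M1+M2", False), 1: ("M1+M4", True), 2: ("M2+M3", True),
                 3: ("M2+M3", True), 4: ("M3+M4", True), 5: ("M3+M4", True)}

@dataclass
class HashLine:
    kind: str                  # "PMKID" (TYPE 01) or "EAPOL" (TYPE 02)
    mac_ap: str
    mac_client: str
    essid: str
    pair: "str | None"         # e.g. "M2+M3" for EAPOL lines, None for PMKID
    authorized: "bool | None"  # None for PMKID lines

def parse_22000_line(line: str) -> HashLine:
    """Parse one hashcat 22000 line (a PMKID line, TYPE 01, leaves the last 3 empty):
    WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR"""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError(f"not a 22000 line: {line!r}")
    _, htype, _, mac_ap, mac_client, essid_hex, _anonce, _eapol, mp_hex = fields
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    if htype == "01":
        return HashLine("PMKID", mac_ap, mac_client, essid, None, None)
    if htype == "02":
        name, auth = MESSAGE_PAIRS.get(int(mp_hex, 16) & 0x07, ("unknown", False))
        return HashLine("EAPOL", mac_ap, mac_client, essid, name, auth)
    raise ValueError(f"unknown 22000 type {htype!r}")

def summarize(lines):
    # Count PMKID lines, EAPOL lines, and EAPOL lines with an authorized pair.
    counts = {"PMKID": 0, "EAPOL": 0, "EAPOL_authorized": 0}
    for line in filter(str.strip, lines):   # skip blank lines
        h = parse_22000_line(line)
        counts[h.kind] += 1
        counts["EAPOL_authorized"] += int(h.kind == "EAPOL" and bool(h.authorized))
    return counts

# Constructed sample with placeholder hex (not a real capture): one PMKID line,
# one authorized EAPOL pair (M2+M3, messagepair 02) and one M1+M2 challenge (00).
ESSID = "constructed-ssid".encode().hex()
SAMPLE = [
    f"WPA*01*{'11' * 16}*aabbccddeeff*001122334455*{ESSID}***",
    f"WPA*02*{'22' * 16}*aabbccddeeff*001122334455*{ESSID}*{'33' * 32}*{'44' * 8}*02",
    f"WPA*02*{'55' * 16}*aabbccddeeff*001122334455*{ESSID}*{'33' * 32}*{'44' * 8}*00",
]

print(summarize(SAMPLE))  # {'PMKID': 1, 'EAPOL': 2, 'EAPOL_authorized': 1}
```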