Batch ESSID Processing using wlangenpmkocl ?

Batch ESSID Processing using wlangenpmkocl ? - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat-utils, maskprocessor, statsprocessor, md5stress, wikistrip (https://hashcat.net/forum/forum-28.html)
+--- Thread: Batch ESSID Processing using wlangenpmkocl ? (/thread-13183.html)

Batch ESSID Processing using wlangenpmkocl ? - mr.isodoro - 05-30-2025

Hi All,

I'm using ZerBea's wlangenpmkocl tool to generate a pmk file.

And this works great for a single ESSID using:
wlangenpmkocl -e ESSID_NAME -i MY_WORDLIST.txt -a OUTPUT.pmk

And then running Hashcat with it:
hashcat -m 22000 ESSID.hash OUTPUT.pmk

But I'm looking to batch the process of pmk output for multiple ESSID's and wondering if it's possible with this tool?

If not what tool you would recommend for this? Or a better process for multiple ESSID's.....

I've tried airolib-ng but the generation time is too long with --batch as it doesn't appear to use GPU.

[Edit] Thinking about I may have just answered my own question: Script it in Bash...

Cheers,
Izzy

RE: Batch ESSID Processing using wlangenpmkocl ? - mr.isodoro - 05-30-2025

Just for anyone else learning/investigating this avenue, I was misguided!

Whilst I did cobble together a scripted workflow process based on thinking I could 'speed up' the overall process - this was not the case.

Generating an 8 digit only PMK file (NVidia 2060) took approx. 9mins for a specific ESSID.
Running Hashcat using this generated PMK file took a few seconds.

Running Hashcat brute-force however (with equivalent mask as the PMK) direct took 7mins.

Only thing I couldn't work out was extracting the password as it only showed as the PMK hashed value in Hashcat.

Live and learn...

RE: Batch ESSID Processing using wlangenpmkocl ? - ZerBea - 06-06-2025

Hashcat's hash mode 22001 is designed to verify an existing(!) PMK. Either you know it or you have calculated a list of PMKs for a certain ESSID (like you did it).

Once the PMKD has been confirmed by hashcat, just do a grep 12....PMK_FOUND_BY_HASHCAT....FF on the list calculated by wlangenpmkocl:

Example
Get hash from examples hashes:

Code:
22000     WPA-PBKDF2-PMKID+EAPOL 1 WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***

Get ESSID name:

Code:
$ hcxpmktool -l WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***

HASH FORMAT.: PMKID (WPA*01)

ESSID.......: hashcat-essid

MAC_AP......: fc690c158264

MAC_CLIENT..: f4747f87f9f4

PMKID.......: 4d4fe7aac3a2cecab195321ceb99a7d0 (not confirmed)

get a word list (e.g. from wpa-sec) and decompress it:

Code:
$ wget https://wpa-sec.stanev.org/dict/cracked.txt.gz

$ gunzip cracked.txt.gz

calculate some PMKs from wpa-sec word list:

Code:
$ wlangenpmkocl -e hashcat-essid -A pmk_psklist -a pmklist -i cracked.txt

using: NVIDIA GeForce RTX 4080

674409 plainmasterkeys generated, 31 password(s) skipped

run hashcat on the hash and the pmklist :

Code:
$ hashcat -m 22001 WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964*** pmklist

hashcat (v6.2.6-851-g6716447df) starting

...

4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747f87f9f4:hashcat-essid:88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc

Session..........: hashcat

Status...........: Cracked

Hash.Mode........: 22001 (WPA-PMK-PMKID+EAPOL)

Hash.Target......: 4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747...-essid

Time.Started.....: Fri Jun  6 11:00:49 2025 (1 sec)

Time.Estimated...: Fri Jun  6 11:00:50 2025 (0 secs)

Kernel.Feature...: Pure Kernel

Guess.Base.......: File (pmklist)

Guess.Queue......: 1/1 (100.00%)

Speed.#1.........: 70845.7 kH/s (0.00ms) @ Accel:128 Loops:1024 Thr:512 Vec:1

Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)

Progress.........: 337205/674409 (50.00%)

Rejected.........: 0/337205 (0.00%)

Restore.Point....: 0/674409 (0.00%)

Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1

Candidate.Engine.: Device Generator

Candidates.#1....: aa3b97899f9b12cfcbe40de1f5889b80848d35b0a66d7a6c03d0f83e0fba45a1 -> 8e97a93742aa92241cc79f8dda7001bb9be09f3877ed292f4e3fb647d4901e4d

Hardware.Mon.#1..: Temp: 36c Fan: 30% Util:  4% Core:2505MHz Mem:10801MHz Bus:16

Started: Fri Jun  6 11:00:49 2025

Stopped: Fri Jun  6 11:00:50 2025

get the PMK & PSK from the pmk_psklist:

Code:
$ cat pmk_psklist | grep 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc

88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc:hashcat!

get the PSK only from the pmk_psklist:

Code:
$ cat pmk_psklist | grep 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc | awk 'BEGIN { FS = ":" } ; { print $NF }' 

hashcat!