The simplest hashcat commands are:
by wordlist:
$ hashcat -m 22000 hashfile.22000 wordlist
by pattern (e.g. 8-digit PSK):
$ hashcat -m 22000 hashfile.22000 -a 3 ?d?d?d?d?d?d?d?d
by pattern, if you know a part (e.g. name and date) of the PSK:
$ hashcat -m 22000 hashfile.22000 -a 3 Agneta?d?d?d?d
by wordlist (e.g. prenames) + rule (e.g. dates):
$ hashcat -m 22000 hashfile.22000 prenamelist -r date.rule
I recommend doing some investigation into the ROUTER (default PSK, default PSK keyspace, possible default PSK pattern) and into the CLIENTs which belong to the NETWORK (does a CLIENT transmit the PSK in the clear?).
Are you able to confuse a CLIENT, so that you can retrieve the PSK from him?
Does the administrator use the default ESSID or does he use a user-defined one?
Is wpa-sec able to recover the PSK, by testing some common wordlists?
https://wpa-sec.stanev.org/?nets
Please also read this comment:
https://hashcat.net/forum/thread-10151-p...l#pid52834
BTW:
hashcat is a tool to recover a password from a hash file.
It is not a tool to attack a NETWORK directly.
The attack vector and the conversion to a hash file (e.g. 22000) are an important part. If one of them or both fail, hashcat will not be able to recover the PSK.
I'm interested in how you performed the attack on the air interface.
Which tool have you used to attack the NETWORK?
Which tool have you used to convert the EAPOL MESSAGE PAIR to hccapx?
Which WiFi adapter have you used?
Have you attacked the AP or the CLIENTs or both?
Does the AP transmit a PMKID?
I asked because I talked with Atom about hash modes 250x and 1680x. We both wonder why so many users still run these deprecated modes.