What happens after hcxdumptool has been started:
it requests the regulatory domain settings (to figure out what is allowed)
it requests the capabilities of the attack device
it sets monitor mode (active monitor mode if possible)
it sets lowest bit rate and smallest bandwidth (to increase range)
it scans for the target(s)
upper display:
if a target is in range and under attack, a + appears in the R column
it requests the PMKID from the target - a + appears in the 1 column
if the target supports PMKID caching, a + appears in the P column
it reconnects to the CLIENTs connected to the target (if that fails, it tries to disconnect them)
if it got a 4-way handshake, a + appears in the 3 column
a plus in the S column shows that the AP uses a WPA-PSK mode
lower display:
if the CLIENT responds to an EAP request, a + appears in the E column
if the CLIENT connects to hcxdumptool a + appears in the 2 column
If you got a plus in the P, 3 or 2 column you can stop hcxdumptool and convert the pcapng file to hashcat's hc22000 format.
Either you can use hashcat's online converter (that runs hcxpcapngtool):
https://hashcat.net/cap2hashcat/
or you can use hcxpcapngtool
https://github.com/ZerBea/hcxtools
Code:
$ hcxpcapngtool -o test.hc22000 dumpfile.pcapng
Now you can start your offline attacks running hashcat's different attack modes as described here:
https://hashcat.net/wiki/
e.g. word list attack:
Code:
$ hashcat -m 22000 test.hc22000 wordlist
An up to date word list (c-nets) is here:
https://wpa-sec.stanev.org/?dicts
or here
https://hashmob.net/resources/hashmob
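Before feeding the converted file to hashcat it is worth checking what hcxpcapngtool actually wrote: whether each line is a PMKID (type 01) or an EAPOL 4-way handshake (type 02), for which ESSID, and whether any line is malformed. The following is an added example, not code from hcxtools or hashcat; the function names and the sample hash lines are constructed for illustration, and the field layout follows hashcat's documented 22000 format.

```python
import re
from collections import Counter

# One hash per line: WPA*TYPE*PMKID_OR_MIC*MAC_AP*MAC_CLIENT*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID (three trailing fields empty), TYPE 02 = EAPOL 4-way handshake.
HEX = re.compile(r"^[0-9a-f]*$")

def fmt_mac(hexmac):  # 'aabbccddeeff' -> 'aa:bb:cc:dd:ee:ff'
    return ":".join(hexmac[i:i + 2] for i in range(0, 12, 2))

def parse_hc22000_line(line):
    """Return a dict for one hash line, or raise ValueError if it is malformed."""
    fields = line.strip().lower().split("*")
    if len(fields) != 9 or fields[0] != "wpa" or fields[1] not in ("01", "02"):
        raise ValueError("not a 22000 hash line")
    kind, key, mac_ap, mac_client, essid_hex, anonce, eapol, msgpair = fields[1:]
    if not all(HEX.match(f) for f in fields[2:]):
        raise ValueError("non-hex field")
    if len(key) != 32 or len(mac_ap) != 12 or len(mac_client) != 12:
        raise ValueError("bad PMKID/MIC or MAC length")
    if kind == "01" and (anonce or eapol or msgpair):
        raise ValueError("PMKID line must have empty EAPOL fields")
    if kind == "02" and (len(anonce) != 64 or not eapol or len(msgpair) != 2):
        raise ValueError("EAPOL line needs anonce, EAPOL frame and message pair")
    return {"type": "PMKID" if kind == "01" else "EAPOL",
            "ap": fmt_mac(mac_ap), "client": fmt_mac(mac_client),
            "essid": bytes.fromhex(essid_hex).decode("utf-8", "replace")}

def summarize(lines):
    """Count PMKID and EAPOL hashes per ESSID; malformed lines are counted, not parsed."""
    result = {"malformed": 0, "networks": {}}
    for line in lines:
        if not line.strip():
            continue
        try:
            h = parse_hc22000_line(line)
        except ValueError:
            result["malformed"] += 1
            continue
        result["networks"].setdefault(h["essid"], Counter())[h["type"]] += 1
    return result

# Constructed sample lines (not from a real capture); ESSID hex 4c61624e6574 = "LabNet".
SAMPLE_LINES = [
    "WPA*01*0123456789abcdef0123456789abcdef*aabbccddeeff*001122334455*4c61624e6574***",
    "WPA*02*fedcba9876543210fedcba9876543210*aabbccddeeff*001122334455*4c61624e6574*"
    + "11" * 32 + "*0103007502010a00*02",
    "WPA*01*deadbeef*aabbccddeeff*001122334455*4c61624e6574***",  # PMKID too short
]
```

Run `summarize(open("test.hc22000").read().splitlines())` on a real output file to see, per network, how many PMKID and handshake hashes you have before choosing an attack mode.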