Trouble Capturing PMKID on TP-Link Archer A5: Hashcat Works Only with Handshake
#1
Hello everyone,
I’m having trouble performing a PMKID attack on my TP-Link Archer A5 router (WPA2 encryption). When clients are connected to the network, everything works fine: I capture a full handshake, and Hashcat successfully finds the password using a dictionary. However, when I try to perform the attack without any clients connected, I can’t seem to capture the PMKID properly.
Here’s what I’m doing step by step:
  1. Check available interfaces:
    iwconfig
  2. Enable monitor mode on wlan1:
    sudo airmon-ng start wlan1
  3. Stop services that might interfere:
    sudo systemctl stop NetworkManager.service
    sudo systemctl stop wpa_supplicant.service
  4. Start listening to the network:
    sudo hcxdumptool -i wlan1mon -w test.pcapng --rds=1 -F
  5. To force the router to send a PMKID, I connect a phone and enter an incorrect password.
  6. Convert the captured file (test.pcapng) to a Hashcat-compatible format:
    hcxpcapngtool -o test.hc22000 test.pcapng
  7. Run a dictionary attack using Hashcat:
    hashcat --hwmon-temp-abort=80 -a 0 -m 22000 -d 1 test.hc22000 65.txt
The issue is that Hashcat finds the incorrect password I entered on the phone, even though the correct password is present in the dictionary. This makes me think that the attack is being performed using a full handshake rather than just the PMKID.
My question is: How can I perform a PMKID attack without any clients connected?
I noticed that in the Hashcat documentation, there are modes specifically for PMKID:

16800 | WPA-PMKID-PBKDF2 
16801 | WPA-PMKID-PMK
However, when I try to use these modes, Hashcat throws an error and insists on using -m 22000. I’ve spent half a day trying to figure this out, but I’m stuck. Am I missing something?
Here’s my Hashcat version:

(rz17㉿balu)-[~] 
└─$ hashcat -V 
v6.2.6
Any help or advice would be greatly appreciated! Thank you in advance.
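For reference, an added example (not part of the original post, and not code from hashcat or hcxtools): a small Python parser that reports which record types a .hc22000 file contains. It relies on the hc22000 layout, in which `WPA*01*` lines are PMKID records and `WPA*02*` lines are EAPOL records whose last field encodes the message pair; an M1+M2 pair carries the MIC computed by the client and was never confirmed by the AP. The function names and sample records are constructed for illustration.

```python
# Added example: classify the records in an hc22000 file (hcxpcapngtool output).
from collections import Counter

# Low three bits of the MESSAGEPAIR field -> (messages used, AP confirmed the PSK?)
PAIRS = {0: ("M1+M2", False), 1: ("M1+M4", True), 2: ("M2+M3", True),
         3: ("M2+M3", True), 4: ("M3+M4", True), 5: ("M3+M4", True)}

def parse_record(line):
    """Describe one WPA*01* / WPA*02* line; return None if it is malformed."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        return None
    try:
        essid = bytes.fromhex(f[5]).decode("utf-8", "replace")  # ESSID is hex-encoded
        pair = int(f[8], 16) if f[1] == "02" else None
    except ValueError:
        return None
    rec = {"ap": f[3], "client": f[4], "essid": essid}
    if pair is None:
        # PMKID records come from the AP alone; no client MIC is involved.
        rec.update(kind="PMKID", confirmed=None)
    else:
        name, confirmed = PAIRS.get(pair & 0x07, ("unknown", False))
        rec.update(kind="EAPOL " + name, confirmed=confirmed)
    return rec

def summarize(lines):
    """Return (count per record kind, parsed records) for the valid lines."""
    recs = [r for r in map(parse_record, lines) if r]
    return Counter(r["kind"] for r in recs), recs

# Constructed sample records (filler hex, not a real capture).
ESSID = b"HomeLab".hex()
SAMPLE = [
    f"WPA*02*{'aa'*16}*001122334455*66778899aabb*{ESSID}*{'bb'*32}*{'01'*8}*00",
    f"WPA*02*{'dd'*16}*001122334455*66778899aabb*{ESSID}*{'ee'*32}*{'01'*8}*02",
    f"WPA*01*{'cc'*16}*001122334455*66778899aabb*{ESSID}***",
]

if __name__ == "__main__":
    counts, recs = summarize(SAMPLE)
    for r in recs:
        print(r["kind"], r["essid"], "confirmed by AP:", r["confirmed"])
    print(dict(counts))
```

To check a real conversion, pass the lines of the .hc22000 file to `summarize` instead of `SAMPLE`; a file with no `PMKID` entry in the counts contains only EAPOL records.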


Messages In This Thread
Trouble Capturing PMKID on TP-Link Archer A5: Hashcat Works Only with Handshake - by stass99 - 02-17-2025, 04:29 PM