Default format on hash mode 22000 is not(!) hccapx (wpa_handshake-01-tplink5g.hccapx is outdated hccapx binary format to be used on hashmode 2500)
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Please notice that your PSK is already recovered by hashcat an stored to hashcat potfile. Hashcat told you this:
Recovered........: 1/1 (100.00%) Digests
To get benefit of the new hash format, use hcxpcapngtool or online converter
https://hashcat.net/cap2hashcat/
to convert the content of the dump file to hc22000 format.
Code:
$ hcxpcapngtool -o test.22000 wpa_handshake-01.cap
hcxpcapngtool 6.2.5-9-ga5fb5be reading from wpa_handshake-01.cap...
summary capture file
--------------------
file name.................................: wpa_handshake-01.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 15.12.2021 16:03:10
timestamp maximum (GMT)..................: 15.12.2021 16:03:40
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianess (capture system)...............: little endian
packets inside...........................: 7619
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON (detected on 5/6 GHz channel).....: 48
ACTION (total)...........................: 49
PROBERESPONSE (total)....................: 20
DEAUTHENTICATION (total).................: 2560
AUTHENTICATION (total)...................: 72
AUTHENTICATION (OPEN SYSTEM).............: 72
REASSOCIATIONREQUEST (total).............: 15
REASSOCIATIONREQUEST (PSK)...............: 15
WPA encrypted............................: 35
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
EAPOLTIME gap (measured maximum usec)....: 1440
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL pairs written to combi hash file....: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1
Warning: too many deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER,
renew ANONCE and set PMKID to zero.
This could prevent to calculate a valid EAPOL MESSAGE PAIR
or to get a valid PMKID.
Warning: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.
Warning: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
session summary
---------------
processed cap files...................: 1
Your hashcat version (6.1.1) is outdated.
Please update to latest version and everything will be fine:
Code:
$ hashcat -m 22000 test.22000 wordlist2.txt
hashcat (v6.2.5-27-gacc592e96) starting
...
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: test.22000
Time.Started.....: Thu Dec 16 15:42:42 2021 (2 secs)
Time.Estimated...: Thu Dec 16 15:42:44 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (wordlist2.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 130.0 kH/s (11.25ms) @ Accel:16 Loops:128 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 274733/468750 (58.61%)
Rejected.........: 78125/274733 (28.44%)
Restore.Point....: 209197/468750 (44.63%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 35385484 -> 44484834
Hardware.Mon.#1..: Temp: 33c Util: 63% Core:1560MHz Mem:3500MHz Bus:8
Started: Thu Dec 16 15:42:41 2021
Stopped: Thu Dec 16 15:42:45 2021
As expected hashcat has successfully recovered the PSK:
Recovered........: 1/1 (100.00%) Digests
To confirm the converted hc22000 and PSK is really correct, run hcxhashtool:
Code:
$ hcxhashtool -i test.22000 --psk=38432583
BTW:
Aircrack-ng is a complete suite of tools to assess WiFi network security.
Aircrack-ng suite should be the first choice, if you are new to WiFi stuff, because the suite is easy to use (e.g script to set monitor mode). You will learn much about WiFi.
Because all tools of the suite work perfectly together and complement each other, it should be the first choice, if one decide to stay inside this suite:
airodump-ng (dump to simple cap format) -> aireplay-ng (simple attack) -> aircrack-ng (recover the PSK)
But if you decide "to leave the suite" (dump/attack/convert using aircrack-ng suite tools -> recover the PSK by hashcat), you should consider to use hcxtools instead. This tools are designed to work perfectly as WiFi-preprocessor on hashcat/JtR:
hcxdumptool (intelligent attack and dump to advanced pcapng format) -> hcxpcapngtool (convert to new hc22000 format) -> hashcat (recover the PSK from PMKID and/or EAPOL MESSAGE PAIR)
Please notice that we use special comment fields in pcapng dump files (by hcxdumptool) and a MESSAGE PAIR field in hc22000 hash files (by hcxpcapngtool) to share important information between the tools and hashcat. Aircrack-ng suite doesn't support this and this information will get lost when moving data from aircrack-ng suite to hashcat.
Please take a closer look at this warning:
Code:
Warning: too many deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER,
renew ANONCE and set PMKID to zero.
This could prevent to calculate a valid EAPOL MESSAGE PAIR
or to get a valid PMKID.
You're injecting to many DEAUTHENTICATION frames (this always happens on stupid DEAUTHENTICATION tools which do not take care about incoming frames, e.g. PMKID or EAPOL MESSAGE already received, and proceed injecting DEAUTHENTICATION frames).