Trouble Capturing PMKID on TP-Link Archer A5: Hashcat Works Only with Handshake
#1
Hello everyone,
I’m having trouble performing a PMKID attack on my TP-Link Archer A5 router (WPA2 encryption). When clients are connected to the network, everything works fine: I capture a full handshake, and Hashcat successfully finds the password using a dictionary. However, when I try to perform the attack without any clients connected, I can’t seem to capture the PMKID properly.
Here’s what I’m doing step by step:
  1. Check available interfaces:
     iwconfig
  2. Enable monitor mode on wlan1:
     sudo airmon-ng start wlan1
  3. Stop services that might interfere:
     sudo systemctl stop NetworkManager.service
     sudo systemctl stop wpa_supplicant.service
  4. Start listening to the network:
     sudo hcxdumptool -i wlan1mon -w test.pcapng --rds=1 -F
  5. To force the router to send a PMKID, I connect a phone and enter an incorrect password.
  6. Convert the captured file (test.pcapng) to a Hashcat-compatible format:
     hcxpcapngtool -o test.hc22000 test.pcapng
  7. Run a dictionary attack using Hashcat:
     hashcat --hwmon-temp-abort=80 -a 0 -m 22000 -d 1 test.hc22000 65.txt
The issue is that Hashcat finds the incorrect password I entered on the phone, even though the correct password is present in the dictionary. This makes me think that the attack is being performed using a full handshake rather than just the PMKID.
My question is: How can I perform a PMKID attack without any clients connected?
I noticed that in the Hashcat documentation, there are modes specifically for PMKID:
16800 | WPA-PMKID-PBKDF2 
16801 | WPA-PMKID-PMK
However, when I try to use these modes, Hashcat throws an error and insists on using -m 22000. I’ve spent half a day trying to figure this out, but I’m stuck. Am I missing something?
Here’s my Hashcat version:
(rz17㉿balu)-[~] 
└─$ hashcat -V 
v6.2.6
Any help or advice would be greatly appreciated! Thank you in advance.
#2
Not every router is configured to use PMKIDs. Your TP-Link Archer A5 is among them.

iwconfig is deprecated and should not be used any longer. It has been replaced by iw!

There is no need to run third party tools to set monitor mode because hcxdumptool/hcxlabtool do this. Just stop all services that take access to the device. That is mentioned in --help:
Code:
Important recommendation:
-------------------------
Do not set monitor mode by third party tools or third party scripts!
Do not use virtual interfaces (monx, wlanxmon, prismx, ...)!
Do not use virtual machines or emulators!
Do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)!
Do not use tools to change the virtual MAC (like macchanger)!
Do not merge (pcapng) dump files, because this destroys assigned hash values!

Use hcxhashtool to filter authorized handshakes only (as mentioned in --help):
Code:
--authorized                 : filter EAPOL pairs by status authorized (M2M3, M3M4, M1M4)
That prevents hashcat from running on challenges (possible wrong PSK by CLIENT).

More information about filtering is here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

If you know the operating channel of the target (e.g. from --rcascan), it doesn't make sense to scan the entire frequency range with option -F.
The attack is faster if you set the operating channel/band with option -c.

More information is here:
https://github.com/ZerBea/hcxdumptool/discussions/492
and here:
https://github.com/ZerBea/hcxdumptool/discussions/485


Run tshark (on hcxdumptool's pcapng file) to show PMKIDs:
Code:
$ tshark -r dumpfile.pcapng -Y "wlan.rsn.ie.pmkid" -T fields -E header=y -e wlan.bssid -e wlan.rsn.ie.pmkid | sort -u

Or run tshark in parallel (second terminal) with hcxdumptool to show PMKIDs on the fly:
Code:
$ tshark -i INTERFACENAME -f "wlan type data" -T fields -E header=y -e wlan.bssid -e wlan.rsn.ie.pmkid
More information is here:
https://github.com/ZerBea/hcxdumptool/discussions/495
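The filtering described in the reply above, and the confusion in the question about PMKID versus handshake, as an added example that is not part of this thread, of hashcat or of the hcx tools: a small Python parser for hashcat 22000 lines that separates PMKID entries (type 01) from EAPOL pairs (type 02) and keeps only the EAPOL pairs whose MESSAGEPAIR status is authorized, which is the job hcxhashtool --authorized does on a real capture. The sample hashes are constructed for the example (synthetic MAC addresses, ESSID "TestNet", placeholder MIC/nonce/EAPOL hex). Only the low three bits of MESSAGEPAIR are interpreted (0 = M1+M2 challenge, 1 = M1+M4, 2/3 = M2+M3, 4/5 = M3+M4, as documented for hashcat's hccapx/22000 format); the higher bits are capture flags and are masked off without being interpreted. Keeping the type 01 (PMKID) lines is the example's own choice: the PMKID in M1 is computed by the AP from its PMK, so a wrong password typed on the phone cannot influence it, whereas the MIC of an M1+M2 pair is computed by the client from whatever it typed.

```python
"""Classify hashcat mode-22000 lines: PMKID vs EAPOL, authorized vs challenge.

Added example; not code from the hcx tools or hashcat. The sample hashes
below are constructed (synthetic MACs, placeholder MIC/nonce/EAPOL hex).
"""
from dataclasses import dataclass
from typing import Optional

# Low three bits of the MESSAGEPAIR field (hashcat hccapx/22000 convention).
# Pair 0 is M1+M2: the MIC was computed by the CLIENT, so a wrong PSK typed
# on a phone still "cracks" (the challenge case from the reply). Pairs 1..5
# contain an M3 or M4, which the AP only sends/accepts if the client's PSK
# matched its own, so they are authorized.
MESSAGE_PAIRS = {
    0: ("M1M2", False),
    1: ("M1M4", True),
    2: ("M2M3", True),
    3: ("M2M3", True),
    4: ("M3M4", True),
    5: ("M3M4", True),
}


@dataclass
class Hash22000:
    kind: str                    # "PMKID" or "EAPOL"
    ap: str                      # BSSID, hex without separators
    client: str                  # client MAC, hex without separators
    essid: str
    message_pair: Optional[str]  # None for PMKID lines
    keep: bool                   # usable for cracking the AP's PSK
    raw: str


def parse_line(line: str) -> Hash22000:
    """Parse one line of a .hc22000 file (9 '*'-separated fields)."""
    raw = line.strip()
    fields = raw.split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError(f"not a 22000 hash line: {raw!r}")
    kind_code, ap, client = fields[1], fields[3], fields[4]
    essid = bytes.fromhex(fields[5]).decode("utf-8", errors="replace")
    if kind_code == "01":
        # PMKID: derived by the AP from its own PMK; the client's input is irrelevant.
        return Hash22000("PMKID", ap, client, essid, None, True, raw)
    if kind_code == "02":
        # Higher bits of MESSAGEPAIR are capture flags (not interpreted here);
        # only the low three bits select the message pair.
        pair_code = int(fields[8], 16) & 0x07
        name, authorized = MESSAGE_PAIRS.get(pair_code, (f"unknown({pair_code})", False))
        return Hash22000("EAPOL", ap, client, essid, name, authorized, raw)
    raise ValueError(f"unknown hash type {kind_code!r} in {raw!r}")


def filter_authorized(lines):
    """Return the entries worth feeding to hashcat, dropping M1M2 challenges."""
    return [e for e in map(parse_line, (l for l in lines if l.strip())) if e.keep]


def summarize(lines):
    """Count entries per (kind, message pair, kept/dropped) to eyeball a capture."""
    counts = {}
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        key = (e.kind, e.message_pair or "-", "kept" if e.keep else "dropped")
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: one PMKID from the AP, one M1M2 challenge (the phone's
# wrong password), and one M2M3 authorized pair whose MESSAGEPAIR byte also
# carries flag bits (0x83) to show the masking.
SAMPLE_HC22000 = [
    "WPA*01*0123456789abcdef0123456789abcdef*a0b1c2d3e4f5*112233445566*546573744e6574***",
    "WPA*02*" + "f" * 32 + "*a0b1c2d3e4f5*112233445566*546573744e6574*"
    + "ab" * 32 + "*0103007502010a00000000000000000001" + "00" * 16 + "*00",
    "WPA*02*" + "e" * 32 + "*a0b1c2d3e4f5*112233445566*546573744e6574*"
    + "cd" * 32 + "*0103007502010a00000000000000000001" + "00" * 16 + "*83",
]

if __name__ == "__main__":
    # Usage: python classify22000.py > filtered.hc22000 (summary goes to stderr).
    import sys
    for key, n in sorted(summarize(SAMPLE_HC22000).items()):
        print(key, n, file=sys.stderr)
    for entry in filter_authorized(SAMPLE_HC22000):
        print(entry.raw)
```

Run on your own test.hc22000 by replacing SAMPLE_HC22000 with the file's lines; the summary shows immediately whether the file contains any PMKID lines at all (the question's real problem) and how many EAPOL pairs are M1M2 challenges that would let hashcat "find" the wrong password.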