Hashcat's hash mode 22001 is designed to verify an existing(!) PMK. Either you know it or you have calculated a list of PMKs for a certain ESSID (like you did it).
Once the PMKD has been confirmed by hashcat, just do a grep 12....PMK_FOUND_BY_HASHCAT....FF on the list calculated by wlangenpmkocl:
Example
Get hash from examples hashes:
Code:
22000 WPA-PBKDF2-PMKID+EAPOL 1 WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***
Get ESSID name:
Code:
$ hcxpmktool -l WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***
HASH FORMAT.: PMKID (WPA*01)
ESSID.......: hashcat-essid
MAC_AP......: fc690c158264
MAC_CLIENT..: f4747f87f9f4
PMKID.......: 4d4fe7aac3a2cecab195321ceb99a7d0 (not confirmed)
get a word list (e.g. from wpa-sec) and decompress it:
Code:
$ wget https://wpa-sec.stanev.org/dict/cracked.txt.gz
$ gunzip cracked.txt.gz
calculate some PMKs from wpa-sec word list:
Code:
$ wlangenpmkocl -e hashcat-essid -A pmk_psklist -a pmklist -i cracked.txt
using: NVIDIA GeForce RTX 4080
674409 plainmasterkeys generated, 31 password(s) skipped
run hashcat on the hash and the pmklist :
Code:
$ hashcat -m 22001 WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964*** pmklist
hashcat (v6.2.6-851-g6716447df) starting
...
4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747f87f9f4:hashcat-essid:88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22001 (WPA-PMK-PMKID+EAPOL)
Hash.Target......: 4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747...-essid
Time.Started.....: Fri Jun 6 11:00:49 2025 (1 sec)
Time.Estimated...: Fri Jun 6 11:00:50 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 70845.7 kH/s (0.00ms) @ Accel:128 Loops:1024 Thr:512 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 337205/674409 (50.00%)
Rejected.........: 0/337205 (0.00%)
Restore.Point....: 0/674409 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: aa3b97899f9b12cfcbe40de1f5889b80848d35b0a66d7a6c03d0f83e0fba45a1 -> 8e97a93742aa92241cc79f8dda7001bb9be09f3877ed292f4e3fb647d4901e4d
Hardware.Mon.#1..: Temp: 36c Fan: 30% Util: 4% Core:2505MHz Mem:10801MHz Bus:16
Started: Fri Jun 6 11:00:49 2025
Stopped: Fri Jun 6 11:00:50 2025
get the PMK & PSK from the pmk_psklist:
Code:
$ cat pmk_psklist | grep 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc:hashcat!
get the PSK only from the pmk_psklist:
Code:
$ cat pmk_psklist | grep 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc | awk 'BEGIN { FS = ":" } ; { print $NF }'
hashcat!