Batch ESSID Processing using wlangenpmkocl ?
#1
Hi All,

I'm using ZerBea's wlangenpmkocl tool to generate a pmk file.

And this works great for a single ESSID using:
wlangenpmkocl -e ESSID_NAME -i MY_WORDLIST.txt -a OUTPUT.pmk

And then running Hashcat with it:
hashcat -m 22000 ESSID.hash OUTPUT.pmk

But I'm looking to batch the process of pmk output for multiple ESSID's and wondering if it's possible with this tool?

If not what tool you would recommend for this? Or a better process for multiple ESSID's.....

I've tried airolib-ng but the generation time is too long with --batch as it doesn't appear to use GPU.

[Edit] Thinking about I may have just answered my own question: Script it in Bash...

Cheers,
Izzy
Reply
#2
Just for anyone else learning/investigating this avenue, I was misguided!

Whilst I did cobble together a scripted workflow process based on thinking I could 'speed up' the overall process - this was not the case.

Generating an 8 digit only PMK file (NVidia 2060) took approx. 9mins for a specific ESSID.
Running Hashcat using this generated PMK file took a few seconds.

Running Hashcat brute-force however (with equivalent mask as the PMK) direct took 7mins.

Only thing I couldn't work out was extracting the password as it only showed as the PMK hashed value in Hashcat.

Live and learn...
Reply
#3
Hashcat's hash mode 22001 is designed to verify an existing(!) PMK. Either you know it or you have calculated a list of PMKs for a certain ESSID (like you did it).

Once the PMKD has been confirmed by hashcat, just do a grep 12....PMK_FOUND_BY_HASHCAT....FF on the list calculated by wlangenpmkocl:

Example
Get hash from examples hashes:
Code:
22000     WPA-PBKDF2-PMKID+EAPOL 1 WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***

Get ESSID name:
Code:
$ hcxpmktool -l WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***

HASH FORMAT.: PMKID (WPA*01)
ESSID.......: hashcat-essid
MAC_AP......: fc690c158264
MAC_CLIENT..: f4747f87f9f4
PMKID.......: 4d4fe7aac3a2cecab195321ceb99a7d0 (not confirmed)


get a word list (e.g. from wpa-sec) and decompress it:
Code:
$ wget https://wpa-sec.stanev.org/dict/cracked.txt.gz
$ gunzip cracked.txt.gz

calculate some PMKs from wpa-sec word list:
Code:
$ wlangenpmkocl -e hashcat-essid -A pmk_psklist -a pmklist -i cracked.txt
using: NVIDIA GeForce RTX 4080
674409 plainmasterkeys generated, 31 password(s) skipped

run hashcat on the hash and the pmklist :
Code:
$ hashcat -m 22001 WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964*** pmklist
hashcat (v6.2.6-851-g6716447df) starting
...
4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747f87f9f4:hashcat-essid:88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22001 (WPA-PMK-PMKID+EAPOL)
Hash.Target......: 4d4fe7aac3a2cecab195321ceb99a7d0:fc690c158264:f4747...-essid
Time.Started.....: Fri Jun  6 11:00:49 2025 (1 sec)
Time.Estimated...: Fri Jun  6 11:00:50 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (pmklist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 70845.7 kH/s (0.00ms) @ Accel:128 Loops:1024 Thr:512 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 337205/674409 (50.00%)
Rejected.........: 0/337205 (0.00%)
Restore.Point....: 0/674409 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: aa3b97899f9b12cfcbe40de1f5889b80848d35b0a66d7a6c03d0f83e0fba45a1 -> 8e97a93742aa92241cc79f8dda7001bb9be09f3877ed292f4e3fb647d4901e4d
Hardware.Mon.#1..: Temp: 36c Fan: 30% Util:  4% Core:2505MHz Mem:10801MHz Bus:16

Started: Fri Jun  6 11:00:49 2025
Stopped: Fri Jun  6 11:00:50 2025

get the PMK & PSK from the pmk_psklist:
Code:
$ cat pmk_psklist | grep 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc:hashcat!

get the PSK only from the pmk_psklist:
Code:
$ cat pmk_psklist | grep 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc | awk 'BEGIN { FS = ":" } ; { print $NF }'
hashcat!
Reply