2 hours ago
I'm looking into developing an attack for WPA2 hashes, and would love to get some pointers or suggestions for things I may have missed.
My thinking is this so far, to use a small wordlist (hashmob-small) ~20MB, combined with a local to my country dictionary ~3MB with the "one rule to rule them all" rule set.
However, in testing I noticed a slight issue. Let's say the password we are trying to recover is "timmy666", and I have "timmy" in my wordlist. The ruleset will generate "timmy666", but the dictionary attack will skip over "timmy" as it is shorter than 8 characters, the minimum for WPA2.
With this example we can see that a wordlist with one word (timmy) in it generates 51995 guesses with the ruleset, but 100% are rejected:
today (master) λ cat wordlist.txt
timmy
today (master) λ hashcat -a 0 -m 22000 -r rules.rule hash.txt wordlist.txt
hashcat (v7.1.2) starting
OpenCL API (OpenCL 3.0 PoCL 7.1 Linux, Release, RELOC, LLVM 20.1.8, SLEEF, DISTRO, CUDA, POCL_DEBUG) - Platform #1 [The pocl project]
======================================================================================================================================
* Device #01: cpu-haswell-Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 5794/11588 MB (5794 MB allocatable), 8MCU
Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 51995
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
Watchdog: Temperature abort trigger set to 90c
Host memory allocated for this attack: 514 MB (10083 MB free)
Dictionary cache built:
* Filename..: wordlist.txt
* Passwords.: 1
* Bytes.....: 6
* Keyspace..: 51995
* Runtime...: 0 secs
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: hash.txt
Time.Started.....: Fri Feb 20 01:54:34 2026 (0 secs)
Time.Estimated...: Fri Feb 20 01:54:34 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 8-63 bytes)
Guess.Base.......: File (wordlist.txt)
Guess.Mod........: Rules (rules.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 0 H/s (0.00ms) @ Accel:72 Loops:1024 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 51995/51995 (100.00%)
Rejected.........: 51995/51995 (100.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-0 Iteration:0-1024
Candidate.Engine.: Device Generator
Candidates.#01...: [Copying]
Hardware.Mon.#01.: Temp: 67c Util: 21%
I believe this is due to the word being less than 8 characters long and the mode being WPA2, as when I do the same thing with an MD5 hash I get 0% rejected.
I did think of two workarounds. One would be to generate the dictionary file prior to running, but I don't know how large it would be, and storage is expensive and large dictionaries are a pain to deal with.
The other would be to generate them and process in a pipe like so:
hashcat --stdout -r OneRule.rule combined.txt | grep -E '^.{8,}$' | uniq | hashcat -a 0 -m 22000 -w 4 hash.txt
But that seems slow and doesn't scale well. I'm hoping there is a better solution.
Also if this is the wrong way to go about attacking WPA2 please do let me know!
Thanks!
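An added illustration, not part of the original post: a toy model of a few hashcat rule functions that compares a length check on the base word (what the -a 0 run above shows, with every candidate rejected) against a length check after the rules have run (what the --stdout pipe does). The rule subset, the sample rules and the base word are constructed for this example and do not come from hashcat or the poster.

```python
# Added example, not from the original post: a model of the rejection shown in
# the hashcat output above, using a small subset of hashcat rule syntax.

WPA2_MIN, WPA2_MAX = 8, 63  # limits reported by the 22000 kernel

def apply_rule(word, rule):
    """Apply one hashcat-style rule string to a base word.
    Supported: ':' no-op, 'c' capitalise, 'u' upper, '$X' append, '^X' prepend."""
    out, i = word, 0
    while i < len(rule):
        fn = rule[i]
        if fn == ":":
            pass
        elif fn == "c":
            out = out[:1].upper() + out[1:].lower()
        elif fn == "u":
            out = out.upper()
        elif fn in "$^":
            i += 1  # the next character is the function's argument
            out = out + rule[i] if fn == "$" else rule[i] + out
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
        i += 1
    return out

def in_wpa2_range(candidate):
    return WPA2_MIN <= len(candidate) <= WPA2_MAX

def on_device_rules(words, rules):
    """-a 0 with -r in mode 22000, as the output above shows: the base word is
    length-checked before any rule runs, so a short word loses all its mutations."""
    return [apply_rule(w, r) for w in words if in_wpa2_range(w) for r in rules]

def stdout_pipe(words, rules):
    """'hashcat --stdout -r ... | grep -E ^.{8,}$ | uniq': rules run first, then
    each finished candidate is length-checked and deduplicated."""
    seen, out = set(), []
    for w in words:
        for r in rules:
            c = apply_rule(w, r)
            if in_wpa2_range(c) and c not in seen:
                seen.add(c)
                out.append(c)
    return out

if __name__ == "__main__":
    # constructed input: one short base word and a handful of typical rules
    rules = [":", "c", "$6$6$6", "c$6$6$6", "$1$2$3", "^1$2", "u$!"]
    print(on_device_rules(["timmy"], rules))  # []
    print(stdout_pipe(["timmy"], rules))  # ['timmy666', 'Timmy666', 'timmy123']
```

The same base word yields nothing under the first ordering and three usable candidates under the second, which is the gap the post describes.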
