Table of Contents

Cracking WPA/WPA2 with hashcat

Expected file format

Since version 6.0.0, hashcat accepts the new hash mode 22000:

 22000 | WPA-PBKDF2-PMKID+EAPOL
 22001 | WPA-PMK-PMKID+EAPOL

Benefits of hash mode 22000:

Difference between hash mode 22000 and hash mode 22001:

In order to be able to use the hash mode 22000 to the full extent, you need the following tools:

Optionally there is hcxlabtool, which you can use as an experienced user or in headless operation instead of hcxdumptool: https://github.com/ZerBea/wifi_laboratory

For users who don't want to struggle with compiling hcxtools from sources there is an online converter: https://hashcat.net/cap2hashcat/

If you choose the online converter, you may need to remove some data from your dump file if the file size is too large. Most of the time, this happens when data traffic is also being recorded.

You can reduce the size with tshark:

tshark -r dumpfile.cap/pcap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcapng -w stripped.pcapng

Do not clean up the cap / pcap file (e.g. with wpaclean), as this will remove useful and important frames from the dump file. Do not use filtering options while collecting WiFi traffic.

Do not merge (pcapng) dump files files, as this destroy useful information.

The hcxdumptool / hcxlabtool offers several attack modes that other tools do not.

This includes the PMKID attack, which is described here: https://hashcat.net/forum/thread-7717.html

It also includes AP-less client attacks and a lot more.

The traffic is saved in pcapng format. This format is used by Wireshark / tshark as the standard format. Additional information (NONCE, REPLAYCOUNT, MAC, hash values calculated during the session) are stored in pcapng option fields. The hcxpcapngtool uses these option fields to calculate the best hash values in order to avoid unbreakable hashes at best.

In addition, Hashcat is told how to handle the hash via the message pair field. When hcxdumptool is connected to a GPS device, it also saves the GPS coordinates of the frames.

Capture example

Examples of the target and how traffic is captured:

1.Stop all services that are accessing the WLAN device (e.g .: NetworManager and wpa_supplicant.service)

$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service

2. Start the attack and wait for you to receive PMKIDs and / or EAPOL message pairs, then exit hcxdumptool

Do not set monitor mode by third party tools.

Do not run hcxdumptool on a virtual interface.

Do not run hcxdudmptool at the same time in combination with tools that take access to the interface (except Wireshark, tshark).

$ hcxdumptool -i INTERFACE_NAME -w dumpfile.pcapng --rds=1 -F

3. Restart stopped services to reactivate your network connection

$ sudo systemctl start wpa_supplicant.service
$ sudo systemctl start NetworkManager.service

4. Convert the traffic to hash format 22000

$ hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng

Make sure you are in the correct working directory (pwd will show you the working directory and ls the content of it).

5. Run Hashcat on the list of words obtained from WPA traffic

$ hashcat -m 22000 hash.hc22000 wordlist.txt

Make sure you are in the correct working directory (pwd will show you the working directory and ls the content of it).

For more options, see the tools help menu (-h or –help) or this thread.

Get more examples from here.

Run Hashcat on an excellent WPA word list or check out their free online service:

Code: $ wget https://wpa-sec.stanev.org/dict/cracked.txt.gz $ hashcat -m 22000 test.hc22000 cracked.txt.gz

Get more examples from here: https://github.com/hashcat/hashcat/issues/2923

Working with hash files

Explanation of the hc22000 hash line

WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID***MESSAGEPAIR
WPA*02*MIC*MAC_AP*MAC_CLIENT*ESSID*NONCE_AP*EAPOL_CLIENT*MESSAGEPAIR

Explanation of the MESSAGEPAIR fields

bitmask of message pair field PMKID (WPA*01):
0: reserved
1: PMKID taken from AP
2: reserved
4: PMKID taken from CLIENT (wlan.da: possible MESH or REPEATER)
5: reserved
6: reserved
7: reserved


bitmask of message pair field EAPOL (WPA*02):
2,1,0:
 000 = M1+M2, EAPOL from M2 (challenge)
 001 = M1+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed 
 010 = M2+M3, EAPOL from M2 (authorized)
 011 = M2+M3, EAPOL from M3 (authorized) - unused
 100 = M3+M4, EAPOL from M3 (authorized) - unused
 101 = M3+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
3: reserved
4: ap-less attack (set to 1) - nonce-error-corrections not required
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory

Examples to work on hc22000 hash files:

Filter hash file by PMKID

$ grep 'WPA\*01' hash.hc22000 > pmkid.hc22000
or
$ hcxhashtool -i hash.hc22000 --type=1 -o pmkid.hc22000

Filter hash file by EAPOL

$ grep 'WPA\*02' hash.hc22000 > eapol.hc22000
or
$ hcxhashtool -i hash.hc22000 --type=2 -o eapol.hc22000

Filter by authorized EAPOL MESSAGEPAIR

$ grep '2$' hash.hc22000
or
$ hcxhashtool -i hash.hc22000 --authorized -o authorized.hc22000

Filter by challenge EAPOL MESSAGEPAIR

$ grep '0$' hash.hc22000
or
$ hcxhashtool -i hash.hc22000 --challenge -o challenge.hc22000

Filter by MAC

$ grep '\*112233445566\*'  hash.hc22000 > mac.hc22000
or
$ hcxhashtool -i hash.hc22000 --mac-ap=112233445566 -o macap.hc22000
or
$ hcxhashtool -i hash.hc22000 --mac-client=112233445566 -o macclient.hc22000

The .cap and .hccapx

Use of the original .cap and .hccapx formats is no longer supported. Files in .cap format can be converted for modern use; .hccapx cannot.

Attack examples

hashcat is very flexible, so I'll cover three most common and basic scenarios:

Dictionary attack

$ hashcat -m 22000 hash.hc22000 cracked.txt.gz
on Windows add:
$ pause

Execute the attack using the batch file, which should be changed to suit your needs.

Brute-Force attack

$ hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d
on Windows add:
$ pause

This will pipe digits-only strings of length 8 to hashcat. Replace the ?d as needed.

It would be wise to first estimate the time it would take to process using a calculator.

TBD: add some example timeframes for common masks / common speed

Rule-based attack

This is similar to a Dictionary attack, but the commands look a bit different:

$ hashcat -m 22000 hash.hc22000 -r rules/best64.rule cracked.txt.gz
on Windows add:
$ pause

This will mutate the wordlist with best 64 rules, which come with the hashcat distribution.

Change as necessary and remember, the time it will take the attack to finish will increase proportionally with the amount of rules.

What are rules?

Other references

This page was partially adapted from this forum post, which also includes some details for developers.