Cracking WPA/WPA2 with hashcat

Expected file format

Since version 6.0.0, hashcat accepts the new hash mode 22000:

 22000 | WPA-PBKDF2-PMKID+EAPOL
 22001 | WPA-PMK-PMKID+EAPOL

Benefits of hash mode 22000:

  • The hash line combines PMKIDs and EAPOL MESSAGE PAIRs in a single file
  • Having all the different handshake types in a single file allows for efficient reuse of PBKDF2 to save GPU cycles
  • It is no longer a binary format that allows various standard tools to be used to filter or process the hashes
  • It is no longer a binary format which makes it easier to copy / paste anywhere as it is just text
  • The best tools for capturing and filtering WPA handshake output in hash mode 22000 format (see tools below)

Difference between hash mode 22000 and hash mode 22001:

  • Use hash mode 22000 to recover a Pre-Shared-Key (PSK). Length of a PSK can be 8 up to 63 characters
  • Use hash mode 22001 to verify an existing (pre-calculated) Plain Master Key (PMK). Length of a PMK is always 64 xdigits

In order to be able to use the hash mode 22000 to the full extent, you need the following tools:

Optionally there is hcxlabtool, which you can use as an experienced user or in headless operation instead of hcxdumptool: https://github.com/ZerBea/wifi_laboratory

For users who don't want to struggle with compiling hcxtools from sources there is an online converter: https://hashcat.net/cap2hashcat/

If you choose the online converter, you may need to remove some data from your dump file if the file size is too large. Most of the time, this happens when data traffic is also being recorded.

You can reduce the size with tshark:

tshark -r dumpfile.cap/pcap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcapng -w stripped.pcapng

Do not clean up the cap / pcap file (e.g. with wpaclean), as this will remove useful and important frames from the dump file. Do not use filtering options while collecting WiFi traffic.

The hcxdumptool / hcxlabtool offers several attack modes that other tools do not.

This includes the PMKID attack, which is described here: https://hashcat.net/forum/thread-7717.html

It also includes AP-less client attacks and a lot more.

The traffic is saved in pcapng format. This format is used by Wireshark / tshark as the standard format. Additional information (NONCE, REPLAYCOUNT, MAC, hash values calculated during the session) are stored in pcapng option fields. The hcxpcapngtool uses these option fields to calculate the best hash values in order to avoid unbreakable hashes at best.

In addition, Hashcat is told how to handle the hash via the message pair field. When hcxdumptool is connected to a GPS device, it also saves the GPS coordinates of the frames.

Capture example

Examples of the target and how traffic is captured:

1.Stop all services that are accessing the WLAN device (e.g .: NetworManager and wpa_supplicant.service)

$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service

2. Start the attack and wait for you to receive PMKIDs and / or EAPOL message pairs, then exit hcxdumptool

Do not set monitor mode by third party tools.

Do not run hcxdumptool on a virtual interface.

Do not run hcxdudmptool at the same time in combination with tools that take access to the interface (except Wireshark, tshark).

$ hcxdumptool -i interface -o dumpfile.pcapng --active_beacon --enable_status=15

3. Restart stopped services to reactivate your network connection

$ sudo systemctl start wpa_supplicant.service
$ sudo systemctl start NetworkManager.service

4. Convert the traffic to hash format 22000

$ hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng

5. Run Hashcat on the list of words obtained from WPA traffic

$ hashcat -m 22000 hash.hc22000 wordlist.txt

For more options, see the tools help menu (-h or –help) or this thread.

Get more examples from here.

Run Hashcat on an excellent WPA word list or check out their free online service:

Code: $ wget https://wpa-sec.stanev.org/dict/cracked.txt.gz $ hashcat -m 22000 test.hc22000 cracked.txt.gz

Get more examples from here: https://github.com/hashcat/hashcat/issues/2923

Working with hash files

Explanation of the hc22000 hash line

WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID***
WPA*02*MIC*MAC_AP*MAC_CLIENT*ESSID*NONCE_AP*EAPOL_CLIENT*MESSAGEPAIR

Explanation of the MESSAGEPAIR field

bitmask of message pair field:
2,1,0:
 000 = M1+M2, EAPOL from M2 (challenge)
 001 = M1+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed 
 010 = M2+M3, EAPOL from M2 (authorized)
 011 = M2+M3, EAPOL from M3 (authorized) - unused
 100 = M3+M4, EAPOL from M3 (authorized) - unused
 101 = M3+M4, EAPOL from M4 (authorized) - usable if NONCE_CLIENT is not zeroed
3: reserved
4: ap-less attack (set to 1) - nonce-error-corrections not required
5: LE router detected (set to 1) - nonce-error-corrections required only on LE
6: BE router detected (set to 1) - nonce-error-corrections required only on BE
7: not replaycount checked (set to 1) - replaycount not checked, nonce-error-corrections mandatory

Examples to work on hc22000 hash files:

Filter hash file by PMKID

$ grep 'WPA\*01' hash.hc22000 > pmkid.hc22000
or
$ hcxhashtool -i hash.hc22000 --type=1 -o pmkid.hc22000

Filter hash file by EAPOL

$ grep 'WPA\*02' hash.hc22000 > eapol.hc22000
or
$ hcxhashtool -i hash.hc22000 --type=2 -o eapol.hc22000

Filter by authorized EAPOL MESSAGEPAIR

$ grep '2$' hash.hc22000
or
$ hcxhashtool -i hash.hc22000 --authorized -o authorized.hc22000

Filter by challenge EAPOL MESSAGEPAIR

$ grep '0$' hash.hc22000
or
$ hcxhashtool -i hash.hc22000 --challenge -o challenge.hc22000

Filter by MAC

$ grep '\*112233445566\*'  hash.hc22000 > mac.hc22000
or
$ hcxhashtool -i hash.hc22000 --mac-ap=112233445566 -o macap.hc22000
or
$ hcxhashtool -i hash.hc22000 --mac-client=112233445566 -o macclient.hc22000

The .cap and .hccapx

Use of the original .cap and .hccapx formats is discouraged.

Attack examples

hashcat is very flexible, so I'll cover three most common and basic scenarios:

Dictionary attack

  • Grab a wordlist, like C-nets from wpa-sec.stanev.org.
  • Put it into the hashcat folder.
  • On Windows, create a batch file “attack.bat”, open it with a text editor, and paste the following:
$ hashcat -m 22000 hash.hc22000 cracked.txt.gz
on Windows add:
$ pause

Execute the attack using the batch file, which should be changed to suit your needs.

Brute-Force attack

  • Create a batch file “attack.bat”, open it with a text editor, and paste the following:
$ hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d
on Windows add:
$ pause

This will pipe digits-only strings of length 8 to hashcat. Replace the ?d as needed.

It would be wise to first estimate the time it would take to process using a calculator.

TBD: add some example timeframes for common masks / common speed

Rule-based attack

This is similar to a Dictionary attack, but the commands look a bit different:

$ hashcat -m 22000 hash.hc22000 -r rules/best64.rule cracked.txt.gz
on Windows add:
$ pause

This will mutate the wordlist with best 64 rules, which come with the hashcat distribution.

Change as necessary and remember, the time it will take the attack to finish will increase proportionally with the amount of rules.

What are rules?

Other references

This page was partially adapted from this forum post, which also includes some details for developers.

Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain