Hashcat - kdaisho/Blog GitHub Wiki
This assumes you have a `.cap` file from the aircrack-ng suite. Hashcat won't understand the `.cap` file format, so convert it first:
hcxpcapngtool -o your_captured.22000 your_captured.cap
If you want only WPA-PBKDF2 (not PMKID), add `--enable_status=1` to see details.
There are two ways to run Hashcat:
- Using wordlist
- Using mask
hashcat -m 22000 -a 0 your_captured.22000 your_wordlist.txt
- `-a 0` can be omitted (default value)
hashcat -m 22000 -a 3 your_captured.22000 ?d?d?d?d?d-?d?d?d?d?d
- `?d` = digit placeholder
- Dash `-` is literal, so it will be included as-is
- This tells Hashcat: Try every combination where the first 5 chars are digits, then a dash, then 5 more digits.
- No huge wordlist files needed
- Faster and more flexible--you can tweak masks easily
- Can combine with rules or hybrid attacks for more coverage
- To see the cracked password:
hashcat --show your_captured.22000
# WPA*02*1122deafb...:mypasswordrocks
The results are saved in `~/.local/share/hashcat/hashcat.potfile` (Debian). If you want to rerun Hashcat against the same file, delete the corresponding line in `hashcat.potfile`.
hashcat -b -m 22000
5c5484ca...:ea63daa4....:74c246...:<network_name>:<password>
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: apt***-01.22000
Time.Started.....: Sun Jun 8 15:49:37 2025 (4 hours, 39 mins)
Time.Estimated...: Sun Jun 8 20:29:04 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: ?d?d?d?d?d-?d?d?d?d?d [11]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 370.4 kH/s (9.09ms)
...
Progress.........: 6_210_011_136/10_000_000_000 (62.09%)
...
Started: Sun Jun 8 15:49:35 2025
Stopped: Sun Jun 8 20:29:06 2025
- `kH/s` = 1,000 hashes per second
- `370.4 kH/s` = 370,400 hashes per second
- Higher numbers are better--it means your system is faster at trying passwords
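
The mask keyspace and the measured speed above combine into a worst-case exhaustion time, which is the figure to use when judging whether a passphrase format is adequate. The script below is an added example, not part of the original wiki: the function names are my own, the charset sizes are those of hashcat's built-in placeholders (custom `?1`-`?4` charsets are not handled), and the rate is the 370.4 kH/s from the status output above.

```python
# Added example: candidate count and exhaustion time for a hashcat mask.
# Sizes of hashcat's built-in charsets; custom ?1-?4 are not handled here.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16,
                 "s": 33, "a": 95, "b": 256}

PAGE_MASK = "?d?d?d?d?d-?d?d?d?d?d"   # mask from the page
PAGE_SPEED = 370_400                   # 370.4 kH/s from the page's status output


def mask_keyspace(mask: str) -> int:
    """Return how many candidates a mask expands to."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # literal character: exactly one choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        token = mask[i + 1]
        if token == "?":
            pass                        # '??' is a literal question mark
        elif token in CHARSET_SIZES:
            total *= CHARSET_SIZES[token]
        else:
            raise ValueError(f"unsupported placeholder ?{token}")
        i += 2
    return total


def seconds_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return mask_keyspace(mask) / hashes_per_second


def human(seconds: float) -> str:
    """Format a duration using the largest fitting unit."""
    units = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed comparison masks: same rate, different passphrase shapes.
    for mask in (PAGE_MASK, "?l" * 8, "?a" * 12):
        secs = seconds_to_exhaust(mask, PAGE_SPEED)
        print(f"{mask_keyspace(mask):>26,d} candidates  {human(secs):>22}  {mask}")
```

The 10,000,000,000 candidates match the total in the `Progress` line above. At this rate the digit-only pattern is exhausted within hours, while 12 random printable characters take tens of billions of years.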