This is a walkthrough for capturing wireless handshakes and PMKIDs with Aircrack-ng and cracking them with Hashcat.


This is for educational purposes and is only to be performed on networks you have permission to test.


My notes on Wireless in general can be found here.

My notes on Hashcat can be found here.

This will require a WiFi adapter that supports monitor mode (needed to capture frames) and packet injection (needed to send deauthentication frames).

I myself have and recommend these adapters:

Aircrack-ng

Handshake

First we must find our adapter's interface name (for example with iw dev) and enable monitor mode on it.

sudo airmon-ng start (interface name)

airmon-ng usually renames the interface when it enters monitor mode (for example wlan0 becomes wlan0mon); use the new name in the commands that follow.

Now we start scanning for networks

sudo airodump-ng (interface name)

Once we have found our target, we press CTRL+C to stop the scan.

Now we focus our scan onto our target

sudo airodump-ng -c (channel) -w (SSID.cap) --bssid (bssid) (interface)

The -w value is an output file prefix, so we can name the capture whatever we want; airodump-ng appends a sequence number and extension to it (e.g. -01.cap). I typically just use the target's SSID.

At the bottom of the airodump-ng output there is a second table with BSSID, STATION, PWR, Rate, Lost, etc. A row there indicates a device (station) associated with that network. It will not always show every connected device, but it is helpful to keep an eye on.

At this point we can simply wait for a device to connect to the network to obtain the handshake, or we can send deauthentication packets to force a connected device to reconnect, which produces the handshake. We can do this in various ways.

In a second terminal:

sudo aireplay-ng -0 10 -a (bssid) (interface) will send 10 deauthentication packets to the network and then stop.

sudo aireplay-ng -0 0 -a (bssid) (interface) will continuously send deauthentication packets to the network until you stop it with CTRL+C.

We can also deauthenticate a specific device that is connected to the network with sudo aireplay-ng -0 1 -a (bssid) -c (client station MAC) (interface).

Once we have obtained the handshake, our airodump-ng terminal will change: it shows WPA handshake: (BSSID) in the top right.

Note: a PMKID can also be captured with this method.

The handshake is saved into the .cap file we specified when we focused our airodump-ng scan on the target.

Hash Cracking

Now that we have our handshake in .cap format, we can crack it to recover the password.

Aircrack

We'll start with aircrack-ng, as that is what we originally captured our handshake with. When we chose the -w output with the SSID name (or whatever name you chose), the files are saved in whatever directory you ran the airodump-ng command from. You may have multiple files in there with that SSID name, e.g. Pixel.cap-01.cap, Pixel.cap-02.cap, Pixel.cap-03.cap, etc. The handshake SHOULD be in the most recent one, the one with the highest number. So let's run aircrack-ng against that .cap file. When it opens the file it lists each network found and how many handshakes it contains, which is a quick check that the capture is usable.

sudo aircrack-ng -w (wordlist) (.cap file)

Depending on the password and the dictionary you chose, this may take some time. I chose to attack my phone's hotspot, as I am allowed to attack my own devices, and made the password simple enough that the basic rockyou.txt file could crack it with ease. Once it has found the password the cracking stops and the password is displayed.

Hashcat

If we have our capture (handshake or PMKID) in .pcapng or .cap format, we can use hashcat to crack it. First we must convert it with the hcxpcapngtool utility from hcxtools, which writes hashcat's 22000 format (this one hash format covers both 4-way handshakes and PMKIDs):

hcxpcapngtool -o CrackMe (.pcapng file)

Dictionary

If we want to use a dictionary attack, for example with rockyou.txt:

hashcat -a 0 -w 3 -m 22000 (hash file) (wordlist)

Depending on your hardware, the dictionary you chose, and the password, this may take some time. You can press S for a status update, which shows the estimated time to finish as well as the updated "Recovered.Total" count of recovered keys.

We can run the same command again with --show appended to the end to see our cracked passwords (hashcat keeps cracked hashes in its potfile, so this prints them without re-running the attack).

Brute Force

If we want to run a brute force (mask) attack rather than a dictionary attack, the command is similar:

hashcat -a 3 -w 3 -m 22000 (hash file) '?l?l?l?l?l?l?l'

Replace the ?l placeholders with whichever charsets fit; each ?x stands for one character position drawn from the built-in charset x:

* ?l = a-z
* ?u = A-Z
* ?d = 0-9
* ?h = 0-9a-f
* ?H = 0-9A-F
* ?s = space and !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
* ?a = ?l?u?d?s
* ?b = 0x00 - 0xff
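As an added example that is not part of the original post, the Python helper below parses a hashcat mask, computes its keyspace (how many candidates hashcat will try) and estimates the worst-case time at a given hash rate, which is a handy way to judge how much a longer or mixed-charset passphrase actually buys. It also handles hashcat's custom charsets (?1 to ?4), which the post does not cover; the 500 kH/s rate in the demo is an assumed figure for illustration only.

```python
"""Hashcat mask keyspace estimator (added example, not from the original post)."""
import math, re, string

# hashcat's built-in charsets; ?s is 33 symbols and includes the space.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": string.digits + "abcdef",
    "H": string.digits + "ABCDEF",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "b": "".join(chr(i) for i in range(256)),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]
TOKEN = re.compile(r"\?(.)|(.)", re.S)  # '?x' selector or a single literal char

def expand(mask, custom=None):
    """Return one charset string per mask position.
    '?x' is a built-in charset, '?1'..'?4' a custom charset taken from `custom`
    (itself in mask syntax, e.g. {"1": "?l?d"}), '??' a literal '?', and any
    other character a fixed literal."""
    custom, out = custom or {}, []
    for sel, lit in TOKEN.findall(mask):
        if lit == "?":
            raise ValueError("dangling '?' at end of mask")
        if lit or sel == "?":
            out.append(lit or "?")          # fixed literal: one choice
        elif sel in BUILTIN:
            out.append(BUILTIN[sel])
        elif sel in custom:                 # union of the charsets it is built from
            out.append("".join(set("".join(expand(custom[sel])))))
        else:
            raise ValueError(f"unknown charset ?{sel}")
    return out

def keyspace(mask, custom=None):
    """Number of candidates the mask generates: product of the charset sizes."""
    return math.prod(len(set(cs)) for cs in expand(mask, custom))

def exhaust_seconds(mask, hashes_per_second, custom=None):
    """Worst-case seconds to try every candidate at the given hash rate."""
    return keyspace(mask, custom) / hashes_per_second

if __name__ == "__main__":
    rate = 500_000.0  # assumed -m 22000 rate for a single GPU, illustration only
    for m in ("?l?l?l?l?l?l?l", "?d?d?d?d?d?d?d?d", "?a?a?a?a?a?a?a?a"):
        print(f"{m:18s} {keyspace(m):>20,d} candidates  "
              f"{exhaust_seconds(m, rate) / 86400:>12,.1f} days")
```

Comparing the seven-lowercase mask from the post with an eight-character ?a mask shows why charset and length, not just length, decide whether a mask attack is practical.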

This covers the basics of hash cracking with hashcat, but it can get SO much more advanced, especially when using rules like OneRuleToRuleThemAllStill and modern wordlists like rockyou2021.txt.