Crack a PMKID Hash using Hashcat

Beginner

Introduction

In this lab, you will learn the fundamentals of cracking a WPA/WPA2 PMKID (Pairwise Master Key Identifier) hash using Hashcat, a powerful and versatile password recovery tool. The PMKID is a value that many access points include in the first message of the WPA/WPA2 4-way handshake, so it can often be captured directly from the access point without waiting for a client to connect or deauthenticating one. Note that the cracking work itself is no cheaper than for a full handshake: every candidate passphrase still has to go through 4096 rounds of PBKDF2-HMAC-SHA1 with the SSID as salt before it can be checked. The advantage of the PMKID attack is in the capture, which is quicker, quieter and needs only a single frame.

You will walk through the entire process, from preparing a hash file to executing a dictionary attack with Hashcat. This hands-on experience will provide you with a practical understanding of how password cracking works in a controlled, educational environment. All activities in this lab are for educational purposes only.

Convert the PMKID Capture to a Hashcat-compatible Format

In this step, you will learn about the format required for Hashcat to crack PMKID hashes. Typically, PMKIDs are extracted from raw network capture files (e.g., .pcapng files). A tool like hcxpcapngtool is used to convert the capture into a plain text hash format that Hashcat can process. Be aware that current versions of hcxpcapngtool write the newer hashcat 22000 format (PMKID lines start with WPA*01*), which you would crack with -m 22000; the four-field PMKID format used in this lab is the older one that mode 16800 expects, and was produced by the tool's predecessor, hcxpcaptool -z.

The command to do this would look like: hcxpcapngtool -o <output_hash_file> <input_capture_file.pcapng>

For this lab, to ensure a smooth process, we have already performed this conversion for you. The resulting hash is saved in a file named pmkid.hash in your current directory (~/project).

Let's examine the contents of this file to understand its structure. Use the cat command to display the file's content.

cat pmkid.hash

You will see the following output, which is a single line representing the PMKID hash:

d5b6c18645897310626525389ebb3461*a0b1c2d3e4f5*f9e8d7c6b5a4*4d795377656574486f6d65

This format is PMKID*MAC_AP*MAC_STA*SSID_HEX: the 16-byte PMKID, the access point's MAC address, the client's MAC address, and the network name (SSID) as hex, each separated by an asterisk. The SSID is hex-encoded so that names containing spaces or non-printable bytes cannot break the line format; here 4d795377656574486f6d65 decodes to MySweetHome. Together these fields give Hashcat everything it needs: the SSID is the PBKDF2 salt used to derive the PMK from a candidate passphrase, and the two MAC addresses are inputs to the HMAC that turns the PMK into the PMKID being compared.

Select the Correct Hashcat Mode for WPA-PMKID which is -m 16800

In this step, you will identify the correct mode for cracking PMKID hashes in Hashcat. Hashcat supports hundreds of different hash algorithms, and each one is assigned a unique mode number. Providing the correct mode is essential for Hashcat to work correctly.

You can find the list of all supported hash types and their corresponding modes by using the --help option with the hashcat command. To narrow down the list, you can pipe the output to grep and search for a specific keyword like "PMKID".

Run the following command to find the mode for WPA-PMKID:

hashcat --help | grep "WPA-PMKID"

The output will show two related modes. 16800 takes the passphrase as the guess and derives the PMK with PBKDF2; 16801 takes an already-derived 32-byte PMK as the guess and is not used here:

  16800 | WPA-PMKID-PBKDF2                                     | Network Protocols
  16801 | WPA-PMKID-PMK                                        | Network Protocols

As you can see from the output, the mode number for WPA-PMKID-PBKDF2 is 16800. You will use this mode number with the -m option in your Hashcat command.

Construct the Hashcat Command with the Hash File

In this step, you will begin constructing the hashcat command. The basic syntax for a dictionary attack is hashcat [options] <hash_file> <wordlist_file>.

So far, you have identified two key components:

  1. The hash mode: -m 16800
  2. The hash file: pmkid.hash

Let's put these together. We also need to specify an attack mode using the -a option. A dictionary attack is mode 0, so we will use -a 0. This is the default attack mode, but it's good practice to specify it explicitly.

Let's try running the command with just the hash mode and the hash file. This will fail, but it's a good way to confirm our syntax and see what Hashcat expects next.

hashcat -m 16800 pmkid.hash

Hashcat will start and then exit with a usage message, because a dictionary attack needs a wordlist (or a directory of wordlists) and none was given.

hashcat (v6.2.6) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
...
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

Try --help for more help.

The error indicates that for the default attack mode (dictionary), a wordlist or directory is required. This confirms our command structure is correct so far and leads us directly to the next step: providing a wordlist.

Specify a Wordlist for the Dictionary Attack

In this step, you will complete the Hashcat command by adding a wordlist. A dictionary attack works by taking each word from a given file (the "wordlist" or "dictionary") and testing it as a potential password against the hash.

For this lab, a small wordlist file named wordlist.txt has been created for you in the ~/project directory. Let's inspect its contents.

cat wordlist.txt

You will see a short list of potential passwords:

secret
123456
password123
qwertyuiop
labex

One of these words is the correct password for our hash. Note that WPA/WPA2 passphrases must be 8 to 63 characters long, and Hashcat enforces this for mode 16800: secret, 123456 and labex are shorter than 8 characters, so they are rejected before any PBKDF2 work is done (the status output counts them under Rejected), and only password123 and qwertyuiop are actually tested. Now you can build the full command by appending the wordlist file name to the command from the previous step.

The complete command is: hashcat -m 16800 -a 0 pmkid.hash wordlist.txt

  • -m 16800: Specifies the WPA-PMKID hash type.
  • -a 0: Specifies the dictionary attack mode.
  • pmkid.hash: The file containing the hash to crack.
  • wordlist.txt: The dictionary file containing password candidates.

In the final step, you will execute this command to crack the hash.

Run Hashcat and Analyze the Cracking Results

In this step, you will execute the complete Hashcat command and analyze the output to find the cracked password. It's time to put everything together and start the cracking process.

Run the full command in your terminal:

hashcat -m 16800 -a 0 pmkid.hash wordlist.txt

Hashcat will initialize, display session information, and begin testing the passwords from wordlist.txt. Since the wordlist is very small, the process will be almost instantaneous. Once the correct password is found, Hashcat will display it and report the status as "Cracked".

The output will look similar to this:

...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PMKID-PBKDF2
Hash.Target......: d5b6c18645897310626525389ebb3461*a0b1c2d3e4f5*...
Time.Started.....: ...
Time.Estimated...: 0 secs
Guess.Base.......: File (wordlist.txt)
...
Recovered........: 1/1 (100.00%) Digests
...

d5b6c18645897310626525389ebb3461*a0b1c2d3e4f5*f9e8d7c6b5a4*4d795377656574486f6d65:password123

All hashes have been recovered.
...

The most important line is d5b6c18645897310626525389ebb3461*...:password123, which shows the original hash followed by a colon and the recovered password: password123.
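To make the format and the attack concrete, here is an added example, not part of the original lab, that does in plain Python what Hashcat does in mode 16800: it parses a PMKID line, derives the PMK from each candidate with PBKDF2-HMAC-SHA1, computes HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA) and compares it with the captured PMKID. It also accepts the WPA*01* PMKID line that hcxpcapngtool writes for mode 22000. The sample hash is constructed inside the block from the SSID and MAC addresses decoded from the lab's hash line and the lab's answer password123; the PMKID value is computed rather than copied from the page, so the hex will not necessarily match the lab's line. Function names are this example's own.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Constructed sample parameters: SSID and MACs decoded from the lab's hash line,
# passphrase is the lab's answer. The PMKID is computed below, not copied.
SAMPLE_ESSID = b"MySweetHome"                 # hex 4d795377656574486f6d65
SAMPLE_MAC_AP = bytes.fromhex("a0b1c2d3e4f5")
SAMPLE_MAC_STA = bytes.fromhex("f9e8d7c6b5a4")
SAMPLE_PASSPHRASE = "password123"
SAMPLE_WORDLIST = ["secret", "123456", "password123", "qwertyuiop", "labex"]


def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the expensive step and is the same for PMKID and 4-way-handshake cracking."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): first 16 bytes of the HMAC."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_pmkid_line(line: str) -> Dict[str, bytes]:
    """Parse a PMKID line in the -m 16800 format (PMKID*MAC_AP*MAC_STA*ESSID_HEX)
    or the -m 22000 PMKID format from hcxpcapngtool (WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_HEX***)."""
    fields = line.strip().split("*")
    if len(fields) == 4:
        pmkid_hex, ap_hex, sta_hex, essid_hex = fields
    elif len(fields) == 9 and fields[0] == "WPA" and fields[1] == "01":
        pmkid_hex, ap_hex, sta_hex, essid_hex = fields[2:6]
    else:
        raise ValueError("not a 16800 or 22000 PMKID line: %r" % line)
    if len(pmkid_hex) != 32 or len(ap_hex) != 12 or len(sta_hex) != 12 or not essid_hex:
        raise ValueError("field length mismatch in: %r" % line)
    return {
        "pmkid": bytes.fromhex(pmkid_hex),
        "mac_ap": bytes.fromhex(ap_hex),
        "mac_sta": bytes.fromhex(sta_hex),
        "essid": bytes.fromhex(essid_hex),
    }


def make_16800_line(passphrase: str, essid: bytes, mac_ap: bytes, mac_sta: bytes) -> str:
    """Build a -m 16800 line for a known passphrase (handy for testing a cracker)."""
    pmkid = compute_pmkid(derive_pmk(passphrase, essid), mac_ap, mac_sta)
    return "%s*%s*%s*%s" % (pmkid.hex(), mac_ap.hex(), mac_sta.hex(), essid.hex())


def crack_pmkid(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate whose PMKID matches, else None.
    Candidates outside the 8..63 byte WPA passphrase range are skipped without
    doing any PBKDF2 work, which is what hashcat does for this mode as well."""
    target = parse_pmkid_line(line)
    for candidate in candidates:
        candidate = candidate.rstrip("\r\n")
        if not 8 <= len(candidate.encode("utf-8")) <= 63:
            continue
        pmk = derive_pmk(candidate, target["essid"])
        guess = compute_pmkid(pmk, target["mac_ap"], target["mac_sta"])
        if hmac.compare_digest(guess, target["pmkid"]):
            return candidate
    return None


if __name__ == "__main__":
    sample = make_16800_line(SAMPLE_PASSPHRASE, SAMPLE_ESSID, SAMPLE_MAC_AP, SAMPLE_MAC_STA)
    print("hash line:", sample)
    print("cracked  :", crack_pmkid(sample, SAMPLE_WORDLIST))
```

To run it against the lab's own files, call crack_pmkid(open("pmkid.hash").read(), open("wordlist.txt")) from the ~/project directory. The loop is single-threaded CPU Python and only illustrates the math; hashcat runs the same PBKDF2 on the GPU, many candidates in parallel, which is the entire reason it exists.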

Hashcat appends every cracked hash:password pair to its potfile (hashcat.potfile in its data directory, typically ~/.local/share/hashcat/ or ~/.hashcat/). Re-running the same attack on an already-cracked hash therefore does no new work; Hashcat reports that all hashes were found in the potfile and tells you to use --show. To view previously cracked hashes without running the attack again, use the --show option.

hashcat -m 16800 pmkid.hash --show

This command will instantly display the cracked hash and password pair:

d5b6c18645897310626525389ebb3461*a0b1c2d3e4f5*f9e8d7c6b5a4*4d795377656574486f6d65:password123

Summary

Congratulations on successfully cracking a PMKID hash! In this lab, you gained hands-on experience with Hashcat and learned the essential steps involved in a dictionary attack.

You have learned how to:

  • Recognize the Hashcat-compatible format for PMKID hashes.
  • Identify the correct Hashcat mode for a specific hash type (-m 16800 for WPA-PMKID).
  • Construct a full Hashcat command for a dictionary attack (-a 0).
  • Execute the attack using a hash file and a wordlist.
  • Analyze the output and view cracked passwords using the --show option.

While this lab used a small, simple example, the same principles apply to real-world scenarios, which would involve much larger wordlists, rule- or mask-based candidate generation, and GPU hardware. Because the only thing slowing an attacker down is the PBKDF2 cost per guess, the practical defence is a long, non-dictionary passphrase (or WPA3-SAE, which does not expose an offline-crackable value at all). The skills you've learned provide a solid foundation for understanding password security and ethical hacking practices.