Wi-Fi security audit improved: new tools, hash, and techniques

What's New in Wi-Fi Security Auditing

The article “Hacking Wi-Fi without users” showed a new type of attack on Wi-Fi that does not require users to be deauthenticated or even present in order to capture the data needed to decrypt the wireless network password. This attack is described by atom, the author of Hashcat, the attack is added to Hashcat, and tools written by ZeroBeat are required to implement it.

Currently, Hashcat has stopped supporting plugins (hash modes) 2500/2501 and 16800/16801, which were used to brute-force a Wi-Fi password. They were replaced by a new hash mode (its number is 22000), a new hash format, new and heavily revised tools.

New tools and a new hash type to improve the efficiency of Wi-Fi penetration testing

Programmer ZeroBeat has created and is actively developing a collection of tools designed to analyze wireless traffic, attack APs and CLIENTS, capture data for password cracking, convert captured data into a hash, filter hashes according to various criteria, and perform some other actions one way or another related to security audit of WiFi networks. But with the transition to hash mode 22000 and the new hash format, no new types of attacks are presented. You might think that all this is done for some selfish purposes of ZeroBeat?

In fact, if you carefully understand the changes that are taking place, it turns out that they all have their own reasons and logic, and that ZeroBeat does a lot of really useful things to update and increase the effectiveness of attacks on Wi-Fi

Hashcat: plugins 2500/2501 and 16800/16801 are deprecated

A typical offline brute-force attack of a Wi-Fi password using a dictionary looked like this:

hashcat --force --hwmon-temp-abort=100 -D 1,2 -a 0 -m 2500 wifi.hccapx /home/mial/bin/WiFi-autopwner/dict/rockyou_cleaned.txt

And this is how the mask attack looked like:

hashcat --force --hwmon-temp-abort=100 -D 1,2 -a 3 -m 2500 wifi.hccapx ?d?d?d?d?d?d?d?d

Now any of these commands produces an error message:

The plugin 2500 is deprecated and was replaced with plugin 22000. For more details, please read: https://hashcat.net/forum/thread-10253.html

Since version 6.0.0, hashcat has offered a new hash mode 22000:


The goal is to replace the existing 2500 and 16800 hash modes (.hccap and .hccapx file formats) with the new 22000 hash mode:

  2501 | WPA-EAPOL-PMK

  16800 | WPA-PMKID-PBKDF2
  16801 | WPA-PMKID-PMK

Difference between hash mode 22000 and hash mode 22001:

You might not have noticed the new mode when hashcat 6.0.0 was released, especially since the hashcat authors didn't talk about it in detail. But since version v6.2.4 plugins 2500/2501 and 16800/16801 are outdated and stopped working.

Simply changing the mode from 2500 to 22000 on the command line won't work, you'll get an error like:

Hashfile 'wifi.hccapx' on line 1 (HCPX): Separator unmatched
Hashfile 'wifi.hccapx' on line 2 (): Separator unmatched
Hashfile 'wifi.hccapx' on line 3 (): Separator unmatched
Hashfile 'wifi.hccapx' on line 4 (): Separator unmatched
No hashes loaded.

That is, the hash has an incorrect format and cannot be used. For modes 22000/22001, a new type of hashes has been developed.

New type of Wi-Fi hash for brute-force in Hashcat

A few years ago, Hashcat introduced a new hash format, hccapx. This format has now been deprecated and has been replaced by the 22000 mode hash.

The advantages of the 22000 mode hash are as follows:

  • The hash needed for hash mode 22000 combines PMKIDs and EAPOL MESSAGE PAIR into a single file. Having all the different types of handshakes in one file allows PBKDF2 to be effectively reused to save GPU cycles.
  • It is no longer a binary format, it allows you to use various standard tools to filter or process hashes. Hashes with various characteristics (PMKID or EAPOL, with or without authorization, etc.) can be filtered with utilities like grep.
  • Since now the hash (unlike all previous types) consists of printed characters (letters, numbers, etc.), it can be copied and transferred as a simple string. This makes it easy to copy/paste anywhere since it's just text.
  • Best tools to capture and filter WPA handshake output in 22000 hash mode format.

hcxdumptool and hcxtools

You could get acquainted with the hcxdumptool tool in the article “Hacking Wi-Fi without users”. Since then, the tool has been constantly developed. In addition to attacking PMKIDs (client-less), the tool can attack CLIENTS without APs (ap-less). It can be used to attack 5 and 6 GHz Access Points with a 2.4 GHz Wi-Fi adapter. It can perform automated handshake and PMKID capture by combining them with both active attacks and client deauthentication, as well as passive listening, without emitting anything on the air.

The hcxdumptool tool has changed the approach to the Deauthentication attack and subsequent capture of handshakes. Now attacks have become “smart”, frames for client deauthentication are sent only when they are needed, without unnecessary flooding. Captured handshakes are evaluated for suitability for password cracking – now you won't waste time brute-forcing an invalid hash.

There is a mechanism for restoring handshakes, which under other conditions would be invalid.

The essence of the attack itself Deauthentication and handshake capture have not changed, but in hcxdumptool they have received a more modern implementation.

The hcxtools toolkit has undergone significant changes: many new tools, new options, some tools have been deprecated.


This is the introductory part. In the next part, we will look at the practice of attacking Wi-Fi with updated tools and a new type of hash.

The next part: Wi-Fi security audit with Hashcat and hcxdumptool

Recommended for you:

Leave a Reply

Your email address will not be published.