Skip to content

hashcat Quick Reference

Cracking

# Wordlist attack
hashcat -m 22000 hashes.22000 wordlist.txt

# Wordlist + rules
hashcat -m 22000 hashes.22000 wordlist.txt -r rules/best64.rule

# Brute-force 8-digit numeric
hashcat -m 22000 hashes.22000 -a 3 '?d?d?d?d?d?d?d?d'

# Pre-computed PMK (skips PBKDF2, 100-1000x faster)
hashcat -m 22001 hashes.22000 pmk_table.txt

# FT-PSK (requires hashcat PR #4645)
hashcat -m 37100 hashes.37100 wordlist.txt

# EAP-MD5
hashcat -m 4800 eapmd5.hashes wordlist.txt

# MSCHAPv2 / LEAP
hashcat -m 5500 mschapv2.hashes wordlist.txt

Results

# Show cracked passwords
hashcat -m 22000 hashes.22000 --show

# Output format: hash:password

WiFi Modes

Mode Name Input Speed
22000 WPA-PBKDF2 Passphrase Slow (PBKDF2 4096 iter)
22001 WPA-PMK Raw 64-hex PMK 100-1000x faster
37100 FT-PSK Passphrase Same as 22000
4800 EAP-MD5 Passphrase Fast
5500 MSCHAPv2 Passphrase Fast (DES)

Mask Placeholders

Placeholder Character set
?d Digits (0-9)
?l Lowercase (a-z)
?u Uppercase (A-Z)
?s Special (!@#$...)
?a All printable

Hash Filtering

# Split by type
grep 'WPA\*01' hashes.22000 > pmkid_only.22000
grep 'WPA\*02' hashes.22000 > eapol_only.22000

# Filter by authorization status
hcxhashtool -i hashes.22000 --authorized -o authorized.22000
hcxhashtool -i hashes.22000 --challenge -o challenge.22000

# Filter by AP MAC
hcxhashtool -i hashes.22000 --mac-ap=112233445566 -o target_ap.22000

# Hash info summary
hcxhashtool -i hashes.22000 --info

Deduplication

# Correct dedup (fields 3-8, ignoring message_pair byte)
awk -F'*' '!seen[$3,$4,$5,$6,$7,$8]++' raw.22000 > unique.22000

# Naive sort -u overcounts by ~27% — don't use it

ESSID Wordlist from Captures

# Extract SSIDs with WPAWolf
wpawolf --22000-out /dev/null -E essids.txt -W wordlist.txt captures/

# Or with tshark
tshark -r capture.pcapng -Y "wlan.ssid" \
    -T fields -e wlan.ssid 2>/dev/null | sort -u > essids.txt

Full hashcat reference