hashcat Forum
Crack WPA2 (.hc22000 file) with list not completing - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Crack WPA2 (.hc22000 file) with list not completing (/thread-10496.html)

Pages: 1 2

Crack WPA2 (.hc22000 file) with list not completing - Joe_Baker - 12-02-2021

I have a WPA2 hash file .hc22000 (so mode 22000) but when I try to find the password located in a small list of 5 words it just keeps running but doesn't complete it. I let the command run for an hour before closing it, it kept loading on "Initializing backend runtime for device #1. Please be patient...". I'm using the command:
"hashcat -a 0 -m 22000 hashfile.hc22000 wordlist.txt". Does someone have experience with these .hc22000 files or maybe something wrong with my command?

The hash looks like following:
"WPA*02*<bunch of letters and numbers with a * from time to time>*02"

Text file looks like following:
"
RandomWord
anotherRandomWord
password
notMyPassword
another
"

The command is running when I'm in the folder of hashcat (hashcat-6.2.5) and the files used are located in this folder as well. I get no error codes except  "nvmlDeviceGetFanSpeed(): Not Supported" but this shouldn't be an issue from what I've read.

I'm using a i7-9750h and RTX2060 so you would expect that it wouldn't take that long to get a hash from a 5 word long list (let alone a huge list like rockyou).

P.S. I'm new to hashcat so it's possible I'm missing some obvious steps.

RE: Crack WPA2 (.hc22000 file) with list not completing - v71221 - 12-08-2021

Try to play with -D option.
At first, to show info about detected backend devices, run
Code:
hashcat.exe -I

Then choose your device.
In my case
-D 1  means use CPU, works!
-D 2  means use GPU, doesn't work, Device #2: Not enough allocatable device memory for this attack.

For simplicity, you can enter the hash and password directly into the command line.
Code:
hashcat.exe  -D 1  -a 3  -m 22000  "WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964***"  "hashcat!"

It takes about 16 minutes in my case and it works. Status: Cracked
This is an example hash you can find here:
https://hashcat.net/wiki/doku.php?id=example_hashes
or just
Code:
hashcat.exe  -m 22000  --example-hashes

By the way, I'm also new to hashcat.
I'm using Windows and a 10-year-old laptop with an Intel Celeron CPU and an Intel GPU.
I was not able to use hashcat on Linux. Every time I got an "illegal hardware instruction" error.

Now the fun part.
pmkid-hash (format .hc22000) from real dump (captured by hcxdumptool) is not cracked. Status: Exhausted
eapol-hash (format .hc22000) from the same real dump is cracked. Status: Cracked

So far I have not been able to crack pmkid.
I tried wordlist attack, brute-force attack, different dumpfiles, however result is the same. Status: Exhausted
I can crack eapol-hash, but something wrong with pmkid-hash. May be the main reason is my weak hardware.
Please answer what status you saw when you ran the commands below on your hardware. Cracked or Exhausted ?


Code:
hashcat.exe  -D 1  -a 3  -m 22000  "WPA*01*f8dc238fb156874627b5ff251b8ab53c*020000000001*020000000020*61703031***"  "12345678"

hashcat.exe  -D 1  -a 3  -m 22000  "WPA*02*6ec572e97e2ede5a6099bf964fa880fd*020000000001*020000000020*61703031*013ebd2420f2dedcfb7ad5cf967c902c5f40031574352a492e809b58b0e74e4a*0103007502010a00000000000000000000f97e365fcdcfcf2ccb91fa35c25c345eaf34b638c15926eb43a1cc78876d7c86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac023c00*02"  "12345678"


Explanation of the hc22000 hash line you can find here
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

Please read this post as an example of troubleshooting of dictionary attack.
https://hashcat.net/forum/thread-8602.html

RE: Crack WPA2 (.hc22000 file) with list not completing - ZerBea - 12-08-2021

Now the fun part.
pmkid-hash (format .hc22000) from real dump (captured by hcxdumptool) is not cracked. Status: Exhausted
eapol-hash (format .hc22000) from the same real dump is cracked. Status: Cracked

Indeed funny, but related to 802.11 attack mode and conversion mode:
PMKID retrieved from ACCESS POINT.
EAPOL MESSAGE PAIR retrieved from CLIENT M2.
It the CLIENT is authorized, the PSK should be the same on both. If not, you'll get two different PSKs. The same will happen if the PSK is changed during capturing time.
(BTW: both MACs look very synthetic - which let me assume that you're running a test environment)
By default hcxdumptool/hcxlabtool attack both (AP and CLIENT) and hcxpcapngtool convert everything.
All tools are analysis tools and it is mandatory that you know what you are doing (choosing the attack vector, converting the hash, selecting the desired hash to feed hashcat). Otherwise the result will be completely unexpected.

RE: Crack WPA2 (.hc22000 file) with list not completing - v71221 - 12-08-2021

@ZerBea
Thank you for your prompt reply. Yes, I am a newcomer, diligently studying hcxdumptool/hcxtools and using a test environment. Three notebooks with wifi-adapters, 1st with Linux and hcxdumptool/hcxtools, 2nd with Windows as wifi access point, and 3rd with Windows as client. For clarity and readability I changed MACs on AP and CLIENT.

AP is created by these commands on Windows 7

Code:
netsh wlan set hostednetwork mode=allow ssid=ap01 key=12345678 keyUsage=temporary
netsh wlan start hostednetwork

I ran this command to capture AP-CLIENT session.

Code:
$ sudo hcxdumptool  -i wlan0  -o dump.pcapng  --silent  --enable_status=127  -c 1

I used silent "passive" mode because client hung if I ran hcxdumptool in "active" mode.
Could you kindly provide me with "proper" syntax of hcxdumptool options if I'm targeting PMKID only.

By the way, I noticed that
hcxhash2cap with option "--pmkid=" gives an error "reading hash line 1 failed".
hcxhash2cap with option "--pmkid-eapol=" works fine.
Input file in both cases is the same one-line-file pmkid.22000


Code:
$ hcxhash2cap --pmkid=pmkid.22000 -c test.cap
reading hash line 1 failed: WPA*01*f8dc238fb156874627b5ff251b8ab53c*020000000001*020000000020*61703031***

$ hcxhash2cap --pmkid-eapol=pmkid.22000 -c test2.cap
PMKIDs/EAPOL messages written to capfile(s): 1 (0 skipped)


RE: Crack WPA2 (.hc22000 file) with list not completing - ZerBea - 12-08-2021

--pmkid option is for old 16800 hash lines. It will give an ERROR on hc22000 files.
By latest commit:
https://github.com/ZerBea/hcxtools/commit/9e118e11672cd8c3933d2fb194372f342a6f71ad
I added an additional information to --help:

Redgifs Old Ui Full ((install))

Users seeking to restore "Old UI" functionality to RedGifs, including native fullscreen controls, are utilizing third-party browser scripts, such as the Greasy Fork HTML5 layout, to bypass V3 interface restrictions. Other methods include using uBlock Origin to remove overlay blockers or leveraging external Reddit clients to display content

. Explore user-driven solutions on Reddit to regain full-screen functionality, such as this discussion thread [Link:

To access the "old UI" or a layout similar to the classic RedGifs experience, you can typically use the "Legacy" or "Mobile Classic" versions of the site. While the platform has undergone several updates, many users prefer the denser, grid-based layout of the previous version. Ways to Access the Old UI

Legacy Domain: Check if ://redgifs.com is active; RedGifs occasionally maintains this subdomain during major transition periods to allow users to use the previous interface.

Search Filters: On the main site, look for the "Layout" toggle (often found in the settings gear or sidebar). Switching from "Grid" to "List" or "Classic" can often replicate the older look.

User Scripts: Many "solid pieces" of advice for this specific issue involve using browser extensions like Tampermonkey. You can find scripts on sites like GreasyFork that force the old UI or remove new features like the "Infinite Scroll" or the "Auto-play" behavior that replaced the old click-to-play style. redgifs old ui full

Browser Extensions: "RedGifs Old UI" extensions are sometimes available on the Chrome Web Store or Firefox Add-ons gallery, which automatically reformat the page to the 2019-2021 era design. Key Differences to Look For

Navigation: The old UI featured a prominent top bar with direct links to "Recent," "Top," and "Verified" without the heavy sidebar navigation of the current build.

Grid Density: The classic UI allowed for much smaller thumbnails, showing more content on the screen at once compared to the "Modern" responsive design.

Redgifs — A Look Back at Its Classic User Interface

Published: April 2026
Author: Tech & Culture Desk Users seeking to restore "Old UI" functionality to

5. Lessons Learned From the Classic Design

  1. Performance Trumps Fancy Features
    The old UI’s lean codebase demonstrated that speed directly influences user satisfaction, especially for media‑heavy platforms.

  2. Consistency Is Key
    Sticking to a unified color scheme and layout across pages built a strong visual identity, making the site instantly recognisable.

  3. Community Features Can Be Subtle Yet Powerful
    By embedding hearts, reposts, and comment overlays directly into the thumbnail hover state, Redgifs kept interaction frictionless.

  4. Minimalism Doesn’t Mean “Empty”
    The classic UI proved that a minimalist design can still feel rich when it leverages animation (hover previews) and micro‑interactions (neon glow on hover).

5. Summary of "Old UI" URL hacks

If you want to avoid the "TikTok-style" modern video player on RedGifs and want the classic video player: Performance Trumps Fancy Features The old UI’s lean

  1. Avoid v3.redgifs.com links. If a link sends you here, try manually editing the URL in the address bar to www.redgifs.com.
  2. Direct Video Links: If you want to download or view the raw video without the UI comments/sidebar:
    • You can often use tools like "RedGifs Downloader" browser extensions.
    • Or, on the Desktop UI, right-click the video -> "Open video in new tab." This strips away the UI entirely, leaving just the full-screen video file.

6. What the Future Might Hold

Given the mixed reactions to the 2023 overhaul, Redgifs has hinted at a “Hybrid UI” roadmap:

  • Optional Dark Mode – Letting users toggle between the beloved classic palette and the newer light theme.
  • Modular Navigation – A customizable top‑bar where users can pin their favorite tabs.
  • Performance‑First Updates – Refactoring the player and feed to re‑introduce lazy‑load techniques without sacrificing new features.

If the platform can blend the speed and aesthetic of the old UI with the accessibility improvements of the new design, it may recapture the best of both worlds.

Why Users Are Desperate for It

The new UI is optimized for vertical, TikTok-style consumption. For desktop users with a 27-inch monitor, the new UI feels wasteful. There is too much white space, forced cropping of horizontal videos, and an algorithm that pushes "suggested" content into your main feed. The "old UI full" was honest: it showed you exactly what you searched for, in the highest density possible.

1. Key characteristics of the old UI

  • Clean, minimal layout emphasizing media thumbnails and concise metadata.
  • Grid-based browsing with consistent thumbnail sizing allowing quick visual scanning.
  • Lightweight pages optimized for fast load times on low-bandwidth connections.
  • Inline playback controls (hover-to-play, mute/unmute) with minimal overlays.
  • Simple progress indicators and quick GIF looping without heavy buffering.
  • Straightforward navigation: categories, tags, user uploads, and trending lists visible on main pages.
  • Fewer intrusive ads and modal dialogs compared to later iterations.
  • Compact uploader and content-management tools for creators.

7. Ethical and policy considerations

  • Respect terms of service when using extensions or archived snapshots.
  • Avoid circumventing content protections for unauthorized downloads.
  • Keep community guidelines in mind when reposting or repurposing media.

C. The "Gfycat" Redirect Loop

Many Old Reddit posts still link to gfycat.com URLs. Since Gfycat is dead, these links should redirect to RedGifs.

  • If they don't load: The specific Gfycat ID was not migrated to RedGifs servers during the acquisition. The content is permanently lost.
  • If they load but look weird: You are seeing a RedGifs re-encode.

If you use --silent, hcxdumptool will become a simple dump tool like tshark, Wireshark, tcpdump. PMKIDs are not requested and a possible packet loss has to be expected.
To request PMKIDs only:
$ sudo hcxdumptool -i INTERFACE -o dump.pcapng --disable_client_attacks --disable_deauthentication --enable_status=95

For sure, some attack modes are extreme aggressive (as hell). They prevent that a CLIENT is able to connect to a NETWORK or they will let a CLIENT crash completely.

BTW:
I'm interested in a dump file from netsh hostednetwork. Can you please add a pcapng file from:
netsh wlan set hostednetwork mode=allow ssid=ap01 key=12345678 keyUsage=temporary

Usually the PMKID and the MIC should be calculated using the same PMK. It looks like this is not the case on netsh, which could be a bug inside of this tool.

From what I read here:
https://stackoverflow.com/questions/23168152/use-netsh-wlan-set-hostednetwork-to-create-a-wifi-hotspot-and-the-authenti
only this types are supported by netsh:
Radio types supported : 802.11n 802.11g 802.11b
By default, PMKID caching is not activated.

RE: Crack WPA2 (.hc22000 file) with list not completing - ZerBea - 12-08-2021

Great. The dump files are very appreciated.
I'll take a look at them.
Thanks.

RE: Crack WPA2 (.hc22000 file) with list not completing - ZerBea - 12-08-2021

I have finished the analysis.
The PMKID calculated by netsh is wrong!
Looks like Windows has a problem with PMKIDs (not only on WPA2 Enterprise) since Windows 7:
https://social.technet.microsoft.com/Forums/windows/en-US/c200b4c0-91af-42e9-863b-2b77451a5613/windows-7-not-sending-the-correct-pmkid

Calculated PMKID by netsh (in WPA KEY DATA field packet 29 file 1, packet 27 file 2):
f8dc238fb156874627b5ff251b8ab53c

Calculated PMKID by function:
ca5396d611cf330aebefd48ebbfb0e63
Code:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

Corrected hash line to reproduce that hashcat will not fail:
Code:
WPA*01*ca5396d611cf330aebefd48ebbfb0e63*020000000001*020000000020*61703031***

To answer your questions:
1. It doesn't matter if you capture PMKIDROGUE or PMKID. Both are suitable for PMKID-attacks.
correct
PMKIDROGUE = PMKID requested by hcxdumptool
PMKID = PMKID captured after CLIENT request

2. In my case, pmkid-hash was not cracked (Status: Exhausted), probably due to a bug.
correct, because netsh calculated a wrong PMKID!!!


Now I have to find a way to detect this garbage.

RE: Crack WPA2 (.hc22000 file) with list not completing - v71221 - 12-09-2021

@ZerBea
I think we should start another thread called "PMKID Attack, Best Practices, Miscellaneous".
In the meantime, could you advise something to the author of the current thread (Joe_Baker) based on your experience?

For educational purposes, it is desirable to calculate PMK and PMKID manually.
I found this link http://jorisvr.nl/wpapsk.html
Could you please share your method. Perhaps you have written your own utility.
Such a utility along with the source code would be a great help for newbies like me.

RE: Crack WPA2 (.hc22000 file) with list not completing - ZerBea - 12-09-2021

"In the meantime, could you advise something to the author of the current thread (Joe_Baker) based on your experience?"
To gain the necessary basic knowledge, hashcat FAQ are very helpful:
https://hashcat.net/wiki/doku.php?id=fre...s#overview
I couldn't explain it better than what is described in this general guide.
BTW:
It makes it very difficult to give an advice, because of missing information about the OS, version of NVIDA driver and version of CUDA SDK.

There is no need to open a new thread, because nearly everything is already explained.
Since Atom persuaded me to publish hcxtools (nearly the same time when hashcat went open source) I started a thread:
https://hashcat.net/forum/thread-6661.html
It describe how to use hcxtools and how to build a WiFi analysis environment.

Another thread followed after we (again thanks to Atom and RealEnder) discovered the PMKID attack:
https://hashcat.net/forum/thread-7717.html

A WPA1/2 basic tutorial is here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

Inside this threads are several links to get more background information about the functions "behind the scenes".

My advice is to read this basics and to play around with the examples mentioned above and here:
https://hashcat.net/wiki/doku.php?id=example_hashes

My second advice is to learn and understand Linux step by step:
https://wiki.archlinux.org/title/Installation_guide
BTW:
A successful installation of K A L I by graphical installer is far away from learning and understanding Linux.

That include openssl crypto:
https://www.openssl.org/docs/man3.0/man7/crypto.html
because it provide all functions to calculate and verify PMKs and PMKIDs.

"Perhaps you have written your own utility."
To find out how a PMK is calculated, please take a look at the source code of wlangenpmk (CPU based):
https://github.com/ZerBea/hcxkeys
Code:
$ wlangenpmk -e ap01 -p 12345678

essid (networkname)....: ap01
password...............: 12345678
plainmasterkey (SHA1)..: 5577866bc5e9778a3ca3d8730e97f258e2a9ae2afd95bbd63c4f383275c8ba93

or wlangenpmkocl (OpenCL based):
Code:
$ wlangenpmkocl -e ap01 -p 12345678
using: NVIDIA GeForce GTX 1080 Ti

essid (networkname)....: ap01
password...............: 12345678
plainmasterkey (SHA1)..: 5577866bc5e9778a3ca3d8730e97f258e2a9ae2afd95bbd63c4f383275c8ba93

There are similar functions (CPU based) in hcxpcapngtool, hcxhashtool and hcxpmkidtool as well as in hcxdumptool.

RE: Crack WPA2 (.hc22000 file) with list not completing - v71221 - 12-11-2021

@ZerBea
Great! Thanks!
In the meantime, I discovered that the freshly installed Windows 11 Enterprise no longer sends PMKID (in contrast to Windows 7 Enterprise). At least by default. Please see the attachment. If you need dumps, please let me know.

Could you please explain what "2412/1" means in the log of hcxdumptool (v6.2.5).
For example, line like this

Code:
22:09:57 2412/1  0015999e54c4 000bf4ad5332 TEST_AP [ROGUE PROBERESPONSE]

What's the point of specifying [ROGUE PROBERESPONSE] in the log if hcxdumptool works with the --silent option
From my newcomer point of view, it makes more sense to specify [PROBEREQUEST] instead.