WPA2-PSK PMKID Attack with Kali Live + Alfa AC1200


This short post goes over the workflow I use for the PMKID attack using an Alfa AC1200 (AWUS036ACH) card with a bootable Kali USB and bettercap + hcxdumptool. I have noticed more results using hcxdumptool compared to wifi.assoc all in bettercap, but I still prefer to view and log the output in bettercap, so this workflow helps make the most of both tools.

There's plenty out there about this attack (see resources at bottom), so nothing particularly novel here.

As always, you must only execute this workflow on networks where you have permission.


  1. Laptop
  2. Kali Live USB
  3. Alfa AC1200 (AWUS036ACH)


  1. Boot into Kali.
  2. Connect to a network with Internet access to download packages.
  3. Execute install.sh script.
  4. Ensure that the card is connected when prompted.
  5. Confirm that card is running in monitor mode with iwconfig.

Capturing Hashes

  1. Execute capture.sh script.
  2. When complete, enter wifi.show; wifi.recon off; q in bettercap.
  3. When script is finished, it will list all APs where PMKIDs were captured.
  4. Hashes will be found in the *.pmkid.txt files.
  5. Session logs will be found in the *-session_{TOOL}.log files.

Cracking Hashes

  1. Use hashcat with mode 16800, e.g. hashcat -m16800 hashes.txt wordlist.txt --show --force.


Past posts

  1. CVE-2019-9730: LPE in Synaptics Sound Device Driver
  2. CVE-2019-8372: Local Privilege Elevation in LG Kernel Driver
  3. Understanding the Current Era of Binary Exploitation
  4. How-To Assess System Images: Overview
  5. Using Symbolic Execution to Recover IOCTLs in HEVD
  6. CVE-2017-11907 WPAD.dat Generator for Responder
  7. High-Level Approaches for Finding Vulnerabilities
  8. Resources for Learning Reverse Engineering
  9. CVE-2016-5563/4/5: RCE and Cardholder Data Exfiltration in Oracle OPERA
  10. java.lang.Runtime.exec() Payload Workarounds
  11. A Diagram for Sabotaging Cryptosystems
  12. PoliCTF 2015 Android Reversing Writeup