hashcat accepts WPA/WPA2 hashes in hashcat's own “hccapx” file format. Assuming that you have already captured a 4-way handshake using hcxdumptool (hcxdumptool), airodump-ng (aircrack-ng), besside-ng (aircrack-ng), Wireshark or tcpdump. It is recommended to use hcxdumptool to capture traffic.
The next step will be to convert the .cap file to the hccapx format that hashcat can understand. The easiest way to do this is to use this web interface provided by the hashcat team:
Just upload your .cap, and it will be converted to a .hccapx file.
Of course, you may not want to upload sensitive data to a web site that you do not control. If you don't mind, go for it. Otherwise, you can download the cap2hccapx utility and execute it locally, using the following steps:
or
A technical overview of the hccapx file format is also available.
The cap2hccapx utility and hcxdumptool/hcxtools are still new. At this writing, Kali has not yet updated from hccap to hccapx.
hashcat, hashcat-utils, hcxdumptool, hcxtools and hcxkeys are available via default package manager (pacman).
hashcat is very flexible, so I'll cover three most common and basic scenarios:
hashcat.exe -m 2500 capture.hccapx rockyou.txt pause
Execute the attack using the batch file, which should be changed to suit your needs.
hashcat.exe -m 2500 -a3 capture.hccapx ?d?d?d?d?d?d?d?d pause
This will pipe digits-only strings of length 8 to hashcat. Replace the ?d as needed.
It would be wise to first estimate the time it would take to process using a calculator.
TBD: add some example timeframes for common masks / common speed
This is similar to a Dictionary attack, but the commands look a bit different:
hashcat.exe -m 2500 -r rules/best64.rule capture.hccapx rockyou.txt pause
This will mutate the RockYou wordlist with best 64 rules, which come with the hashcat distribution.
Change as necessary and remember, the time it will take the attack to finish will increase proportionally with the amount of rules.