hc22000_content

"/home/yossef/notes/personal/hacking/hc22000_content.md"

path: personal/hacking/hc22000_content.md

- **fileName**: hc22000_content
- **Created on**: 2025-08-11 01:08:18

Understanding the .hc22000 WPA/WPA2 Handshake Format

Below is the structure of an HC22000 WPA/WPA2 hash (used by Hashcat).
Each line represents a handshake in a specific format:

WPA025af5a44cc769017c862af13c7977673c807d141a11ccd68cb662faf06d6f7a65c0c29f185a7dbdd28a13cdeff1360418858ef2ac2f4531d073c039917188306c0103007502010a00000000000000000001e824b5376e1a19b967a4c07d286bd929019645a550876507c8be3dc81d4f5aac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000c2
Part Example Value Explanation
Protocol WPA Identifies that this is a WPA/WPA2 handshake hash.
Key Version 02 Indicates the handshake type:
01 = WPA (TKIP)
02 = WPA2 (CCMP/AES).
PMKID / MIC 5af5a44cc769017c862af13c7977673c The Message Integrity Code (MIC) calculated during the handshake — used to verify correctness of the password guess.
AP MAC (BSSID) 807d141a11cc The MAC address of the Wi-Fi Access Point.
Client MAC d68cb662faf0 The MAC address of the client (station) that connected to the AP.
SSID (hex) 6d6f7a65 The Wi-Fi network name in hexadecimal. Decoding gives "moze".
EAPOL MIC c0c29f185a7dbdd28a13cdeff1360418858ef2ac2f4531d073c039917188306c The MIC from the EAPOL (Extensible Authentication Protocol over LAN) frame, used for verification.
EAPOL Payload 01030075... Full raw EAPOL handshake data (everything after MIC, including nonces and key data).
Replay Counter / Flags c2 Indicates handshake replay counter or additional flags used by the protocol.

How .hc22000 is Generated

# this the content for the file
WPA*<version>*<PMKID/MIC>*<AP_MAC>*<Client_MAC>*<SSID_hex>*<EAPOL_MIC>*<EAPOL_payload>*<flags>

continue:./hashcatch.md
before:./jwt_hack.md