How to Hack a Clientless Wi-Fi (WPA/WPA2)

How to Hack a Clientless Wi-Fi (WPA/WPA2)


There are numerous attacks on Wi-Fi. The most widespread attack is the attack on WPA/WPA2 technology since it is used in the huge majority of wireless access points. When a Client connects to a WPA/WPA2-enabled Access Point, EAPOL, security protocol, is used during which step-by-step data exchange is carried out between an Access Point and a Client that intends to connect.



  • No more consistent users needed – because the attacker unswervingly communicates with the aka “client-less” attack – AP
  • No more waiting for a comprehensive 4-way handshake between the regular user and the AP
  • No more ultimate retransmissions of Extensible Authentication Protocol (EAP) over LAN (EAPoL) frames which can lead to uncrackable results
  • No more ultimate inacceptable passwords sent by the consistent user
  • No more lost EAPOL frames when the regular user or the “client-less” attack – AP is too distant from the cyber attacker
  • No more fixing of nonce and replay counter values needed (resulting in slightly higher speeds)
  • No more special output format (hccapx, pcap, etc.) – final data will appear as regular hex encoded string

We all know that traditional and old method of WPA2 attacks rely on capturing handshakes is still the most feasible to guarantee results. Nevertheless, the method of capturing PMKID’s is easier if you are not within client’s range – particularly with extremely directional antennas like Parabolic, Yagi, etc.


STEP 1: Turn into Monitor Mode

Kali Linux:

airmon-ng check kill

airmon-ng start wlan0

STEP 2:  Use HCXDumpTool to capture PMKIDs

By default, the following syntax we can use with HCXDumpTool syntax will work:


Now, we require only one target to carry out the attack. Consequently, I will note the target AP Mac Address.

image 1

Now we will carry out the attack with HCXDumpTool

Note: validate the filter list does not have blank or empty lines in it and also remove “:” from mac address.

image 2

We now run HCXDumpTool again, using the following switches and waiting for a PMKID.
The switches are:

–filterlist= To postulate file comprises the Mac Addresses
–filtermode=2 To postulate Mac Addresses in –filter list are our targets, ignore everything else:

image 3

STEP 3: Extract the PMKID hash value from capture

To do this, we use HCXTools OR you can upload your packet capture file to the following link.


The instance below is using HCXTools:

image 4

STEP 4 – Crack the hash with Hashcat

Presuming you have a wordlist called Bestpassword.txt, your Hashcat command would look like this:

image 5

If you are fortunate enough to have password plaintext in wordlist then you can find the plaintext in hascat.potfile.

Even though the attack scenario is fast. Cracking password success still rely on password complexity.

You can follow us on InstagramLinkedinTwitter & Reddit for daily Cybersecurity, Hacking news, and Hacking Tips & tricks updates


Your Information and data is 100% secure and private