PMK pre-computed

WPA PMKID-Only — Hashcat Mode 22001

TL;DR — Mode 22001 is a specialised variant of mode 22000 for workflows where the Pairwise Master Key (PMK) has been pre-computed and you want to test it against PMKID hashes without re-running PBKDF2. Used in research and multi-network attack contexts; rarely the right choice for owner recovery.

What mode 22001 does differently

Standard WPA recovery (mode 22000) takes a candidate password, runs PBKDF2-HMAC-SHA1 (4096 iterations) with the SSID as salt to derive the PMK, then uses the PMK to verify against PMKID or EAPOL.

Mode 22001 skips the PBKDF2 step — input is PMK directly. This is useful when you've pre-computed PMKs from a wordlist for many SSIDs and want to test them against captured PMKIDs in a separate fast pass.

For typical owner recovery where you have one network and one captured handshake, mode 22000 is the correct choice. Mode 22001 is research/multi-target territory.

When mode 22001 makes sense

Multi-target rainbow-table-style workflows: pre-compute PMKs for top-1M passwords across common SSIDs, then test against any captured PMKID near-instantly. Used by penetration testers and security researchers studying password reuse patterns.

Not relevant for single-network owner recovery. Mode 22000 is simpler and equally effective for that case.

Frequently Asked Questions

Is mode 22001 useful for owner recovery?

Usually no. It's for advanced multi-network workflows. For your own network, mode 22000 is the right choice.

What's the throughput difference?

Mode 22001 skips PBKDF2 (the expensive step), so it's many orders of magnitude faster per candidate. But you've already paid the PBKDF2 cost when computing the PMKs.

Related references

m22000Modern unified format m2500Deprecated — use 22000

Have a handshake to recover?

Upload your .hc22000 (or .pcap/.cap/.hccapx and we'll convert) for a free analysis. Pay only if recovery succeeds.

Run a free WPA analysis