WPA-PSK

Create a custom wordlist to recover the cleartext passphrase from a captured WPA handshake or PMKID.

Base wordlist

Create a small wordlist with a few simple words such as:

Info

Only use uppercase when it makes sense (e.g. EvilCorp); the next step handles capitalizing the first character.

Example:

evil
corp
evilcorp
EvilCorp
EC
washington
DC

In addition, add the following generic words to the custom wordlist:

wifi
wireless
mobile
mob
internet
network
net
password
pass
pwd
key
welcome

Amplify

Use hashcat to amplify the wordlist with capitalized words:

cat <base.lst> >> <amplified.lst>
hashcat -a 0 <base.lst> -j 'c' --stdout >> <amplified.lst>

See the hashcat rule-based attack documentation for additional functions.

Combine

cat <amplified.lst> >> <combined.lst>

Without separator - princeprocessor

Use princeprocessor to combine words together and create a larger wordlist:

princeprocessor --elem-cnt-min=[MIN WORD] --elem-cnt-max=[MAX WORD] -o <combined.lst> <amplified.lst>

Example: ECwifi, EvilCorpInternet, …

With separator - hashcat

Use hashcat to combine words together with commonly used separators:

hashcat -a 1 <amplified.lst> <amplified.lst> -j '$@' --stdout >> <combined.lst>
hashcat -a 1 <amplified.lst> <amplified.lst> -j '$4' --stdout >> <combined.lst>
hashcat -a 1 <amplified.lst> <amplified.lst> -j '$-' --stdout >> <combined.lst>
hashcat -a 1 <amplified.lst> <amplified.lst> -j '$_' --stdout >> <combined.lst>

Example: Wifi4EvilCorp, Internet@EC, …
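To audit a PSK against this approach, the following added Python example (not part of the original page) checks whether a passphrase falls inside the candidate space produced by the amplify and combine steps above. It assumes combinations of at most two words (`max_elems=2` is an assumed value, since the page leaves the princeprocessor element counts open), does not model the rule step, and uses hypothetical function names.

```python
# Added audit example (not from the original page). Models amplify + combine only.
BASE = ["evil", "corp", "evilcorp", "EvilCorp", "EC", "washington", "DC",
        "wifi", "wireless", "mobile", "mob", "internet", "network", "net",
        "password", "pass", "pwd", "key", "welcome"]  # word lists from the page
SEPARATORS = "@4-_"  # separators used in the combinator commands on the page


def amplify(words):
    """Each word plus its hashcat 'c' form (first char upper, rest lower)."""
    out = []
    for w in words:
        for v in (w, w[:1].upper() + w[1:].lower()):
            if v not in out:
                out.append(v)
    return out


def decompose(candidate, words, max_elems):
    """Split candidate into at most max_elems list words, or return None."""
    if candidate == "":
        return []
    if max_elems == 0:
        return None
    for w in words:
        if candidate.startswith(w):
            rest = decompose(candidate[len(w):], words, max_elems - 1)
            if rest is not None:
                return [w] + rest
    return None


def audit_psk(psk, base_words=BASE, max_elems=2):
    """Return (method, parts) if the PSK is in the modelled space, else None."""
    if not 8 <= len(psk) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    words = amplify(base_words)
    parts = decompose(psk, words, max_elems)
    if parts:
        return ("concatenation", parts)
    for i, ch in enumerate(psk):
        if ch in SEPARATORS and psk[:i] in words and psk[i + 1:] in words:
            return ("separator " + ch, [psk[:i], psk[i + 1:]])
    return None


if __name__ == "__main__":
    for psk in ("Wifi4EvilCorp", "EvilCorpInternet", "T7#qv9!mLx2p"):  # constructed
        print(psk, "->", audit_psk(psk))
```

A `None` result only means the passphrase is outside this two-word model; the rule step that follows widens the space further.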

Rules

Finally, use hashcat to apply derivation rules:

hashcat -a 0 <combined.lst> -r <hashcat.rule> --stdout >> <rule.lst>

Recommendations: