How to decrypt my first captured eapol / pmkid handshake?


Hi. I’m pretty new to security and penetration testing. The other day, I managed to capture my first EAPOLs / PMKIDs, and I’ve been trying to decrypt these hashes. (Don’t worry, they’re my own networks)

WPA0181d7469c75a2c36f5fc3d59c4c61ba6150ebf63320a06688122631f0486f765f546b32**
WPA01df843d324e65f098e5c8b4d32b9858d050ebf63320a07a257f0af780486f765f546b32**
WPA02b5871fbffae38005e8fb9f84d851830850ebf63320a07a257f0af780486f765f546b324c11897fd13d0491d175e935130a8825c5c4687366ca2cdb337727726d336fe6*0203007502010a001000000000000000000581bae9282afd9e68b1d5f196e30099791907192964ab9463f010>

I don’t really know what I’m looking at, or why there are several hashes in each WPA.
My thinking is that one of the hashes could be the salt, and the other is the password?

I’ve been trying to crack them in hashcat, using dictionary attacks, brute-force and some masks. No matter what configuration I try to run, hashcat gives me an ETA of years.
My question is: from looking at these hashes, is there a more effective way of decrypting these passwords? What would the next steps of a security specialist be in trying to crack these passwords?
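Added here as an example (not code from the thread, from hashcat or from aircrack-ng): a small Python parser for hashcat "WPA*01*…" / "WPA*02*…" (22000-mode) lines that labels each field, so a pasted line reads as a PMKID (type 01) or EAPOL MIC (type 02) plus AP MAC, client MAC and ESSID rather than as a salt and a password. The sample lines are constructed; it is assumed that the lines pasted above lost their "*" separators when the forum rendered them as emphasis, so real input should come straight from the capture tool's output file.

```python
import binascii
from dataclasses import dataclass
from typing import Optional, List

HEX = "0123456789abcdef"

@dataclass
class Wpa22000:
    kind: str                   # "PMKID" (type 01) or "EAPOL" (type 02)
    digest: bytes               # PMKID, or the MIC of the EAPOL frame (both 16 bytes)
    mac_ap: str                 # access point MAC, e.g. "aa:bb:cc:dd:ee:ff"
    mac_client: str             # client (station) MAC
    essid: str                  # network name, decoded from its hex encoding
    anonce: Optional[bytes]     # AP nonce, only present for type 02
    eapol: Optional[bytes]      # raw EAPOL frame, only present for type 02
    message_pair: Optional[int] # which handshake messages the MIC came from

def _hex(field: str, nbytes: int, name: str) -> bytes:
    if len(field) != 2 * nbytes or any(c not in HEX for c in field.lower()):
        raise ValueError(f"{name}: expected {nbytes} bytes of hex, got {field!r}")
    return binascii.unhexlify(field)

def _mac(field: str, name: str) -> str:
    return ":".join(f"{b:02x}" for b in _hex(field, 6, name))

def parse_22000(line: str) -> Wpa22000:
    parts = line.strip().split("*")
    if len(parts) != 9 or parts[0] != "WPA" or parts[1] not in ("01", "02"):
        raise ValueError("not a hashcat 22000 line (need 9 '*'-separated fields)")
    kind = "PMKID" if parts[1] == "01" else "EAPOL"
    essid = binascii.unhexlify(parts[5]).decode("utf-8", errors="replace")
    if kind == "PMKID":
        if any(parts[6:]):  # type 01 lines end in "***": no nonce, frame or pair
            raise ValueError("type 01 lines carry no nonce/EAPOL/message-pair fields")
        return Wpa22000(kind, _hex(parts[2], 16, "pmkid"), _mac(parts[3], "mac_ap"),
                        _mac(parts[4], "mac_client"), essid, None, None, None)
    return Wpa22000(kind, _hex(parts[2], 16, "mic"), _mac(parts[3], "mac_ap"),
                    _mac(parts[4], "mac_client"), essid, _hex(parts[6], 32, "anonce"),
                    binascii.unhexlify(parts[7]), int(parts[8], 16))

# Constructed sample lines (not the poster's capture): one PMKID, one 4-way-handshake MIC.
SAMPLE_LINES = [
    "WPA*01*0123456789abcdef0123456789abcdef*aabbccddeeff*112233445566*546573744e6574***",
    "WPA*02*fedcba9876543210fedcba9876543210*aabbccddeeff*112233445566*546573744e6574*"
    + "11" * 32 + "*0203005f02008a000000000000000000*02",
]

def summarize(lines: List[str]) -> dict:
    """Count PMKID vs EAPOL lines per (AP MAC, ESSID): several lines, one network."""
    out: dict = {}
    for ln in lines:
        h = parse_22000(ln)
        out.setdefault((h.mac_ap, h.essid), {"PMKID": 0, "EAPOL": 0})[h.kind] += 1
    return out
```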

https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

So you could try a dictionary or password-list attack, but you could also use other aircrack-ng suite tools or even pipe things through John the Ripper.

If it is a really common password, you could find it fast, but actually brute-forcing above, let's say, 10 characters of full ASCII is going to take longer than your own life expectancy without a Chinese crypto farm, so not the best way to gain access.

Then again, by using wordlists and being a bit more creative with bruting and making rules, trying obvious combinations of years and words etc. But when they are longer, randomly generated passwords, this way is mostly useless. If you have tons of disk space you could go for immense rainbow tables, but that will also take some time.

When it is fully randomly generated, 16 chars or more, you might as well wait till they actually give you the pass; that will be sooner than decrypting it this way.

You could go look at network-specific configurations and see if there are other options like session hijacking and reusing auth, but those become much more network- and outdated-hardware-specific problems.

and so on…

ok, thanks :slight_smile: