Jump to content
Nytro

Cracking WPA WPA2 with Hashcat on Kali Linux

Recommended Posts

Cracking WPA WPA2 with Hashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords)

This entry was posted in Cracking How to Kali Linux Linux and tagged Cracking Hashcat How to Wifi on March 27, 2014 by blackMORE Ops.

Cracking-WPA-WPA2-with-oclHashcat-cudaHashcat-or-Hashcat-on-Kali-Linux-BruteForce-MASK-based-attack-blackMORE-Ops-6.jpg

Cracking WPA WPA2 with Hashcat oclHashcat or cudaHashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords)

cudaHashcat or oclHashcat or Hashcat on Kali Linux got built-in capabilities to attack and decrypt or crack WPA WPA2 handshake .cap files. Only constraint is, you need to convert a .cap file to a .hccap file format. This is rather easy.

Contents

My Setup

I have a NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will use rockyou dictionary for most of the exercise. In this post, I will show How to crack WPA/WPA2 handshake file (.cap files) with cudaHashcat or oclHashcat or Hashcat on Kali Linux.

I will use cudahashcat command because I am using a NVIDIA GPU. If you’re using AMD GPU, then I guess you’ll be using oclHashcat. Let me know if this assumptions is incorrect.

To enable GPU Cracking, you need to install either CUDA for NVIDIA or AMDAPPSDK for AMD graphics cards. I’ve covered those in in my previous posts.

NVIDIA Users:

  1. Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver
  2. Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda

AMD Users:

  1. Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6
  2. Install AMD APP SDK in Kali Linux
  3. Install Pyrit in Kali Linux
  4. Install CAL++ in Kali Linux

Why use Hashcat to crack WPA/WPA2 handshake file?

Pyrit is the fastest when it comes to cracking WPA/WPA2 handshake files. So why are we using Hashcat to crack WPA/WPA2 handshake files?

  1. Because we can?
  2. Because Hashcat allows us to use customized attacks with predefined rules and Masks.

Now this doesn’t explain much and reading HASHCAT Wiki will take forever to explain on how to do it. I’ll just give some examples to clear it up.

Hashcat allows you to use the following built-in charsets to attack a WPA/WPA2 handshake file.

Built-in charsets

?l = abcdefghijklmnopqrstuvwxyz

?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ

?d = 0123456789

?s = !”#$%&'()*+,-./:;??@[\]^_`{|}~

?a = ?l?u?d?s

Numbered passwords

So lets say you password is 12345678. You can use a custom MASK like ?d?d?d?d?d?d?d?d

What it means is that you’re trying to break a 8 digit number password like 12345678 or 23456789 or 01567891.. You get the idea.

Letter passwords – All uppercase

If your password is all letters in CAPS such as: ABCFEFGH or LKHJHIOP or ZBTGYHQS ..etc. then you can use the following MASK:

?u?u?u?u?u?u?u?u

It will crack all 8 Letter passwords in CAPS.

Letter passwords – All lowercase

If your password is all letters in lowercase such as: abcdefgh or dfghpoiu or bnmiopty..etc. then you can use the following MASK:

?l?l?l?l?l?l?l?l

It will crack all 8 Letter passwords in lowercase. I hope you now know where I am getting at.

Passwords – Lowercase letters and numbers

If you know your password is similar to this: a1b2c3d4 or p9o8i7u6 or n4j2k5l6 …etc. then you can use the following MASK:

?l?d?l?d?l?d?l?d

Passwords – Uppercase letters and numbers

If you know your password is similar to this: A1B2C3D4 or P9O8I7U6 or N4J2K5L6 …etc. then you can use the following MASK:

?u?d?u?d?u?d?u?d

Passwords – Mixed matched with uppercase, lowercase, number and special characters.

If you password is all random, then you can just use a MASK like the following:

?a?a?a?a?a?a?a?a Note: ?a represents anything …. I hope you’re getting the idea.

If you are absolutely not sure, you can just use any of the predefined MASKs file and leave it running. But yeah, come back to check in a million years for a really long password …. Using a dictionary attack might have more success in that scenario.

Passwords – when you know a few characters

If you somehow know the few characters in the password, this will make things a lot faster. For every known letter, you save immense amount of computing time. MASK’s allows you to combine this. Let’s say your 8 character password starts with abc, doesn’t contain any special characters. Then you can create a MASK rule file to contain the following:

abc?l?l?l?l?l

abc?u?u?u?u?u

abc?d?d?d?d?d

abc?l?u??d??d?l

abc?d?d?l?u?l

There will be 125 combinations in this case. But it will surely break it in time. This is the true power of using cudaHashcat or oclHashcat or Hashcat on Kali Linux to break WPA/WPA2 passwords.

You can even up your system if you know how a person combines a password. Some people always uses UPPERCASE as the first character in their passwords, few lowercase letters and finishes with numbers.

Example: Abcde123

Your mask will be:

?u?l?l?l?l?d?d?d This will make cracking significantly faster. Social engineering is the key here.

That’s enough with MASK’s. Now let’s capture some WPA/WPA2 handshake files. Following WiFite section was taken from a previous guide Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux which was one of the best guides about cracking Wifi passwords out there.

Capture handshake with WiFite

Why WiFite instead of other guides that uses Aircrack-ng? Because we don’t have to type in commands..

Type in the following command in your Kali Linux terminal:

wifite –wpa You could also type in

wifite wpa2

If you want to see everything, (wep, wpa or wpa2, just type the following command. It doesn’t make any differences except few more minutes

wifite Once you type in following is what you’ll see.

1-Wifite-Cracking-Wifi-WPAWPA2-passwords-using-pyrit-and-cowpatty-blackMORE-Ops.jpg

So, we can see bunch of Access Points (AP in short). Always try to go for the ones with CLIENTS because it’s just much faster. You can choose all or pick by numbers. See screenshot below

2-Wifite-Screen-Cracking-Wifi-WPAWPA2-passwords-using-pyrit-and-cowpatty-blackMORE-Ops.jpg

Awesome, we’ve got few with clients attached. I will pick 1 and 2 cause they have the best signal strength. Try picking the ones with good signal strength. If you pick one with poor signal, you might be waiting a LONG time before you capture anything .. if anything at all.

So I’ve picked 1 and 2. Press Enter to let WiFite do it’s magic.

3-WiFite-Choice-Cracking-Wifi-WPAWPA2-passwords-using-pyrit-and-cowpatty-blackMORE-Ops.jpg

Once you press ENTER, following is what you will see. I got impatient as the number 1 choice wasn’t doing anything for a LONG time. So I pressed CTRL+C to quit out of it.

This is actually a great feature of WIfite. It now asks me,

What do you want to do?

  1. [c]ontinue attacking targets
  2. [e]xit completely.

I can type in c to continue or e to exit. This is the feature I was talking about. I typed c to continue. What it does, it skips choice 1 and starts attacking choice 2. This is a great feature cause not all routers or AP’s or targets will respond to an attack the similar way. You could of course wait and eventually get a respond, but if you’re just after ANY AP’s, it just saves time.

4-WiFite-continue-Cracking-Wifi-WPAWPA2-passwords-using-pyrit-and-cowpatty-blackMORE-Ops.jpg

And voila, took it only few seconds to capture a handshake. This AP had lots of clients and I managed to capture a handshake.

This handshake was saved in /root/hs/BigPond_58-98-35-E9-2B-8D.cap file.

Once the capture is complete and there’s no more AP’s to attack, Wifite will just quit and you get your prompt back.

5-WiFite-captured-handshake-Cracking-Wifi-WPAWPA2-passwords-using-pyrit-and-cowpatty-blackMORE-Ops.jpg

Now that we have a capture file with handshake on it, we can do a few things.

Cleanup your cap file using wpaclean

Next step will be converting the .cap file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux will understand.

Here’s how to do it:

To convert your .cap files manually in Kali Linux, use the following command

wpaclean <out.cap> <in.cap> Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion.

In my case, the command is as follows:

wpaclean hs/out.cap hs/BigPond_58-98-35-E9-2B-8D.cap

Convert .cap file to .hccap format

We need to convert this file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux can understand.

To convert it to .hccap format with “aircrack-ng” we need to use the -J option

aircrack-ng <out.cap> -J <out.hccap> Note the -J is a capitol J not lower case j.

In my case, the command is as follows:

aircrack-ng hs/out.cap -J hs/out

Cracking-WPAWPA2-with-oclHashcat-cudaHashcat-or-Hashcat-on-Kali-Linux-BruteForce-MASK-based-attack-blackMORE-Ops-1.jpg

Cracking WPA/WPA2 handshake with Hashcat

cudaHashcat or oclHashcat or Hashcat on Kali Linux is very flexible, so I’ll cover two most common and basic scenarios:

  1. Dictionary attack
  2. Mask attack

Dictionary attack

Grab some Wordlists, like Rockyou.

Read this guide Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux for detailed instructions on how to get this dictionary file and sorting/cleaning etc.

First we need to find out which mode to use for WPA/WPA2 handshake file. I’ve covered this in great length in Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux guide. Here’s a short rundown:

cudahashcat --help | grep WPA So it’s 2500.

Now use the following command to start the cracking process:

cudahashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt

Cracking-WPAWPA2-with-oclHashcat-cudaHashcat-or-Hashcat-on-Kali-Linux-BruteForce-MASK-based-attack-blackMORE-Ops-2.jpg

Bingo, I used a common password for this Wireless AP. Took me few seconds to crack it. Depending on your dictionary size, it might take a while.

You should remember, if you’re going to use Dictionary attack, Pyrit would be much much much faster than cudaHashcat or oclHashcat or Hashcat. Why we are showing this here? Cause we can. icon_smile.gif

Another guide explains how this whole Dictionary attack works. I am not going to explain the same thing twice here. Read Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux for dictionary related attacks in full length.

Brute-Force Attack

Now this is the main part of this guide. Using Brute Force MASK attack.

To crack WPA WPA2 handshake file using cudaHashcat or oclHashcat or Hashcat, use the following command:

Sample:

cudahashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d Where -m = 2500 means we are attacking a WPA/WPA2 handshake file.

-a = 3 means we are using Brute Force Attack mode (this is compatible with MASK attack).

capture.hccap = This is your converted .cap file. We generated it using wpaclean and aircrack-ng.

?d?d?d?d?d?d?d?d = This is your MASK where d = digit. That means this password is all in numbers. i.e. 7896435 or 12345678 etc.

I’ve created a special MASK file to make things faster. You should create your own MASK file in similar way I explained earlier. I’ve saved my file in the following directory as blackmoreops-1.hcmask.

/usr/share/oclhashcat/masks/blackmoreops-1.hcmask Do the following to see all available default MASK files provided by cudaHashcat or oclHashcat or Hashcat:

ls /usr/share/oclhashcat/masks/

In my case, the command is as follows:

cudahashcat -m 2500 -a 3 /root/hs/out.hccap /usr/share/oclhashcat/masks/blackmoreops-1.hcmask

Cracking-WPAWPA2-with-oclHashcat-cudaHashcat-or-Hashcat-on-Kali-Linux-BruteForce-MASK-based-attack-blackMORE-Ops-3.jpg

Sample .hcmask file

You can check the content of a sample .hcmask file using the following command:

tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask

Cracking-WPAWPA2-with-oclHashcat-cudaHashcat-or-Hashcat-on-Kali-Linux-BruteForce-MASK-based-attack-blackMORE-Ops-4.jpg

Edit this file to match your requirement, run Hashcat or cudaHashcat and let it rip.

Location of Cracked passwords

Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory you’ve ran Hashcat or cudaHashcat or oclHashcat. In my case, I’ve ran all command from my home directory which is /root directory.

cat hashcat.pot

Cracking-WPAWPA2-with-oclHashcat-cudaHashcat-or-Hashcat-on-Kali-Linux-BruteForce-MASK-based-attack-blackMORE-Ops-5.jpg

Conclusion

This guide explains a lot. But you should read read Wiki and Manuals from www.hashcat.net to get a better understanding of MASK and Rule based attacks because that’s the biggest strength of Hashcat.

Thanks for reading. Feel free to share this article.

Sursa: Cracking WPA WPA2 with Hashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) | blackMORE Ops

Edited by Nytro
Link to post
Share on other sites

Facut-am o masinuta (modesta) de rontait cu ocl-hashcat. Problema delicata (in sensul mai mult art? decat ?tiin??) este sa define?ti masca. Nici prea "voluptoas?" ca atunci diferentele fa?? de bruteforcing nu mai sunt sesizabile (gen cu BF in 1000 de ani, cu masca in 413 ani, thanks a lot), nici prea "anorexica" pentru c? atunci stai o saptamana, nu pici pe solutie si te oftici ca puteai sa minezi un sfert de Bitcoin in aceeasi perioada.

Una peste alta cred c? asta este unul dintre cele mai bune exemple in care social engineering + technical skills = love.

Link to post
Share on other sites
a reusit cineva? prin metoda MASK... sau exista dictionar cat de cat complex pentru retele din Romania?

Am impresia ca deja sunt cu duiumul cei care au reusit :D

Cuda sau oclhascat...nu neaparat in Kali - doar masochistii se chinuie sa scrie comenzile astea multe in konsola :))

Exista si dictionare adecvate parolelor din RO...merge treaba acceptabil !

Un exemplu cu dictionar :

hk1.png

Link to post
Share on other sites
Pentru a utiliza aceasta metoda ai nevoie de un stick...modem sau ceva de genul? la backtrack stiam ca cere asa ceva...

Pentru a utiliza aceasta metoda , exista o singura conditie fara de care nu se poate ! :))

Trebuie sa ai un computer care e dotat cu o placa grafica dedicata , Nvidia sau ATI Radeon, care accepta ultimele drivere...

Deci e o problema numai de hardware .Nici macar sistemul operativ nu e un impediment.

Un handshake , un dictionar sau o sintaxa ,... oricand le poti obtine .

Link to post
Share on other sites

@sorelian conditia se aplica doar daca nu vrei sa stai 10000000 de ani ... poti folosi hashcat si doar cu procesorul din dotare ! daca ai placa dedicata asta nu inseamna ca are cuda sau ocl si daca nu detii asa ceva sansele ca sa spargi o parola cu mask sau direct bruteforce sunt extrem de mici (dar nu e imposibil ... daca ai un passlist decent)

"doar masochistii se chinuie sa scrie comenzile astea multe in konsola" ... we love pain ... we love struggle ... cuz what doesn`t kill you makes you stronger !!

Link to post
Share on other sites

Mda...dar, daca ai numai procesorul simplu , folosesti aircrack-ng sau crunchscript .Eventual pyrit...Ehhh .

"doar masochistii se chinuie sa scrie comenzile astea multe in konsola" ... we love pain ... we love struggle ... cuz what doesn`t kill you makes you stronger !!

aplausos-2.gifhi.gifhi.gifhi.gif

Link to post
Share on other sites
deci sa inteleg ca numai este nevoie de o antenuta cu un anume chipset ci doar de o anume placa video. nu?

Nu , sa nu intelegi asa . Esti intro mica confuzie....

Ai nevoie in continuare de antenuta cu un anume chipset :P

Abia dupa ce antenuta isi face treaba , adica dupa ce ai obtinut un handshake ,ai posibilitatea sa folosesti asa numitul

atack de dictionar cu aircrack-ng , sau....

daca ai placa grafica performanta, folosesti Hashcat , o metoda ce iti mareste in mod ametitor viteza de calcul .

Despre aceasta metoda de utilizare a GPU e vorba in acest subiect .

Link to post
Share on other sites

@coffee: Ai fi surprins ... majoritatea routerelor de la romtelecom de exemplu vin cu parole standard pe wpa/2 , cu un passlist/mask in 16 ore cu cudahashcat si GeForce GTX 660M 2bg am prin 3 parole ... intradevar putea dura mult mai mult si am avut noroc mare dar se mai intampla !

Edited by co4ie
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...