Cracking WPA2 WPA with Hashcat in Kali Linux (BruteForce MASK based attack on Wifi passwords)

cudaHashcat or oclHashcat or Hashcat on Kali Linux got built-in capabilities to attack and decrypt or Cracking WPA2 WPA with Hashcat – handshake .cap files. Only constraint is, you need to convert a .cap file to a .hccap file format. This is rather easy.  Cracking WPA2 WPA with Hashcat in Kali Linux (BruteForce MASK based attack on Wifi passwords) -blackMORE Ops - 6

Hashcat

Hashcat is the self-proclaimed world’s fastest CPU-based password recovery tool. It is available free of charge, although it has a proprietary codebase. Versions are available for Linux, OSX, and Windows and can come in CPU-based or GPU-based variants. Hashcat currently supports a large range of hashing algorithms, including: Microsoft LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, Cisco PIX, and many others.

Hashcat has made its way into the news many times for the optimizations and flaws discovered by its creator, which become exploited in subsequent hashcat releases. (For example, the flaw in 1Password’s hashing scheme.)

Attack types

Hashcat offers multiple attack modes for obtaining effective and complex coverage over a hash’s keyspace. These modes are:

  • Brute-Force attack
  • Combinator attack
  • Dictionary attack
  • Fingerprint attack
  • Hybrid attack
  • Mask attack
  • Permutation attack
  • Rule-based attack
  • Table-Lookup attack
  • Toggle-Case attack

The traditional bruteforce attack is considered outdated, and the Hashcat core team recommends the Mask-Attack as a full replacement.

Variants

Hashcat comes in two main variants:

  • Hashcat – A CPU-based password recovery tool
  • oclHashcat – A GPU-accelerated tool

Many of the algorithms supported by Hashcat can be cracked in a shorter time by using the well-documented GPU-acceleration leveraged in oclHashcat (such as MD5, SHA1, and others). However, not all algorithms can be accelerated by leveraging GPUs. Bcrypt is a good example of this. Due to factors such as data dependant branching, serialization, and Memory (to name just a few), oclHashcat is not a catchall replacement for Hashcat.

Hashcat is available for Linux, OSX and Windows. oclHashcat is only available for Linux and Windows due to improper implementations in OpenCL on OSX

Important Note: Many users try to capture with network cards that are not supported. You should purchase a card that supports Kali Linux including injection and monitor mode etc. A list can be found in 802.11 Recommended USB Wireless Cards for Kali Linux. It is very important that you have a supported card, otherwise you’ll be just wasting time and effort on something that just won’t do the job.

 

My Setup

I have a NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will use rockyou dictionary for most of the exercise. In this post, I will show step on Cracking WPA2 WPA with Hashcat (handshake files) (.cap files) with cudaHashcat or oclHashcat or Hashcat on Kali Linux.

I will use cudahashcat command because I am using a NVIDIA GPU. If you’re using AMD GPU, then I guess you’ll be using oclHashcat. Let me know if this assumptions is incorrect.

To enable GPU Cracking, you need to install either CUDA for NVIDIA or AMDAPPSDK for AMD graphics cards. I’ve covered those in in my previous posts.

NVIDIA Users:

  1. Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver
  2. Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda

AMD Users:

  1. Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6
  2. Install AMD APP SDK in Kali Linux
  3. Install Pyrit in Kali Linux
  4. Install CAL++ in Kali Linux

 

Why use Hashcat for cracking WPA WPA2 handshake file?

Pyrit is the fastest when it comes to cracking WPA2 WPA handshake files. So why are we using Hashcat to crack WPA2 WPA handshake files?

  1. Because we can?
  2. Because Hashcat allows us to use customized attacks with predefined rules and Masks.

Now this doesn’t explain much and reading HASHCAT Wiki will take forever to explain on how to do it. I’ll just give some examples to clear it up.

Hashcat allows you to use the following built-in charsets to attack a WPA2 WPA handshake file.

Built-in charsets

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !”#$%&'()*+,-./:;⇔?@[\]^_`{|}~

?a = ?l?u?d?s

Numbered passwords

So lets say you password is 12345678. You can use a custom MASK like ?d?d?d?d?d?d?d?d

What it means is that you’re trying to break a 8 digit number password like 12345678 or 23456789 or 01567891.. You get the idea.

Letter passwords – All uppercase

If your password is all letters in CAPS such as: ABCFEFGH or LKHJHIOP or ZBTGYHQS ..etc. then you can use the following MASK:

?u?u?u?u?u?u?u?u

It will crack all 8 Letter passwords in CAPS.

Letter passwords – All lowercase

If your password is all letters in lowercase such as: abcdefgh or dfghpoiu or bnmiopty..etc. then you can use the following MASK:

?l?l?l?l?l?l?l?l

It will crack all 8 Letter passwords in lowercase. I hope you now know where I am getting at.

Passwords – Lowercase letters and numbers

If you know your password is similar to this: a1b2c3d4 or p9o8i7u6 or n4j2k5l6 …etc. then you can use the following MASK:

?l?d?l?d?l?d?l?d

Passwords – Uppercase letters and numbers

If you know your password is similar to this: A1B2C3D4 or P9O8I7U6 or N4J2K5L6 …etc. then you can use the following MASK:

?u?d?u?d?u?d?u?d

Passwords – Mixed matched with uppercase, lowercase, number and special characters.

If you password is all random, then you can just use a MASK like the following:

?a?a?a?a?a?a?a?a

Note: ?a represents anything …. I hope you’re getting the idea.

If you are absolutely not sure, you can just use any of the predefined MASKs file and leave it running. But yeah, come back to check in a million years for a really long password …. Using a dictionary attack might have more success in that scenario.

Passwords – when you know a few characters

If you somehow know the few characters in the password, this will make things a lot faster. For every known letter, you save immense amount of computing time. MASK’s allows you to combine this. Let’s say your 8 character password starts with abc, doesn’t contain any special characters. Then you can create a MASK rule file to contain the following:

abc?l?l?l?l?l
abc?u?u?u?u?u
abc?d?d?d?d?d
abc?l?u??d??d?l
abc?d?d?l?u?l

There will be 125 combinations in this case. But it will surely break it in time. This is the true power of using cudaHashcat or oclHashcat or Hashcat on Kali Linux to break WPA2 WPA passwords.

You can even up your system if you know how a person combines a password. Some people always uses UPPERCASE as the first character in their passwords, few lowercase letters and finishes with numbers.

Example: Abcde123

Your mask will be:

?u?l?l?l?l?d?d?d

This will make cracking significantly faster. Social engineering is the key here.

That’s enough with MASK’s. Now let’s capture some WPA2 WPA handshake files. Following WiFite section was taken from a previous guide Cracking Wifi WPA2 WPA passwords using pyrit cowpatty in Kali Linux which was one of the best guides about cracking Wifi passwords out there.

Check Also

Steganography in Kali Linux - Hiding data in image - blackMORE Ops

Steganography in Kali Linux – Hiding data in image

Steganography is the practice of concealing a file, message, image, or video within another file, …

Cracking password using John the Ripper in Kali Linux - blackMORE Ops

Cracking password in Kali Linux using John the Ripper

John the Ripper is a free password cracking software tool. Initially developed for the Unix …

31 comments

  1. what if the password is: ‘abc123efgh’ what mask is best to crack it.? Will ?l?d?l?d?l?d?l? be able to crack it??

  2. :~/Desktop# oclhashcat -m 2500 /root/Desktop/12AC7F.hccap /root/Desktop/newrockyou.txt
    oclHashcat v1.30 starting…
    Device #1: Tahiti, 2904MB, 1100Mhz, 32MCU
    STOP! Unsupported or incorrect installed GPU driver detected!
    You are STRONGLY encouraged to use the official supported GPU driver for good reasons
    See oclHashcat’s homepage for official supported GPU drivers
    You can use –force to override this but do not post error reports if you do so

    RADEON R9 280X gigabyte with installed drivers for pyrit.

    any idea what is missing ?

  3. You’ll never crack awpa password you dumb

  4. What ?a missing is space character. Most passphrase contains space characters. Therefore, ?a will never be able to crack a very common passphrase which has a space character.

  5. when i try this commnad:- cudahashcat –help | grep WPA
    Output will be …
    bash: cudahashcat: command not found
    help me!

  6. Hello everybody!

    I would like to capture encrypted frames, but I can’t. Help me, please.
    Used the commands:

    ifconfig wlan0 down
    iwconfig wlan0 mode monitor
    ifconfig wlan0 up

    airodump-ng –bssid 9c:d6:43:a8:9d:60 -c 4 -w test2015 wlan0

    My pcap file show only control frames: Clear-to-send, ack; and beacon frames.

    I would like capture a bit stream encrypted 1001110110101001 by data frames…. How can I do it?

    Thank you very much.

  7. Your explanation is way better than the shit they gave back in wiki.Thanks for your patience.Appreciate it.

  8. Can anyone help me eith issue with hashcat and cudahashcat64 i have all drivers installed correctly but hashcat is 1000 time faster than cudahashcat. to crack 8 letter including upercase and digits passwords takes 10 years in cudahashcat but when piped to pyrit using hahscat 1hr 12 Minutes the VGA driver is gtx760 and works with no errors.
    Also running hashcat displays 42million words per second when crunching
    But in cudahashcat it shows around 40,000 pks .
    Hardware intel i7 4820k 16 Gb ram Nvidia gtx 760 1gb ram

  9. Is this possible without an Nvidia or Amd graphic card ? because i am using an standard intel videocard hope ro hear you soon

  10. When running the conversion from .cap to .hccap, I get a “Failed to create Hashcat capture file” error :(

    Any help?

  11. This video leads me here, just posting so you know that the tutorial works

  12. Amazing tutorial! Thank you so much!

    Is there any disadvantage using just hashcat instead of oclhashcat or cudahashcat ?

  13. Hi first of all many thanks for taking the time for this tutorial.

    I am currently stuck in that I try to use the cudahashcat command but the parameters set up for a brute force attack, but i get “bash: cudahashcat: command not found”.

    I have followed the previous instructions and have my graphics card showing as a CUDA device when i use the pyrit list_cores command and also when running a benchmark.

    My card is a GTX 970 and I am running on Kali 4.4.0 amd-64

    Using “hashcat” works fine but I assume that it is not using my GPU.

    Any help would be appreciated!

    Thanks

  14. Any device running a WN823N chip is confirmed on mon and injection.

  15. With the command aircrack-ng I will always get this:
    Opening hs/haha.cap
    Read 0 packets.

    No networks found, exiting.

    Any sugestions what’s going on here?

    • By the way I’ve used wifite -wpa -cowpatty to got my Handshakes. This worked instandly. Maybe is this the failure, I don’t know.

  16. I’m amazed, I must say. Seldom do I come across a blog that’s both educative and amusing, and without
    a doubt, you’ve hit the nail on the head. The problem is an issue that too
    few men and women are speaking intelligently about. I’m very happy
    I stumbled across this in my search for something concerning this.

  17. hey ho%**

    i got hashcat running nicely. i have a converted handshake file i want sorted but i want to know
    how much faster is cudahashct? than regular hashcat?

    salutation and supplications

  18. Am getting this error as hashcat is starting

    ERROR: clGetDeviceIDs () : -1 : CL_DEVICE_NOT_FOUND

    Where could i have gone wrong? What is it exactly am I missing?
    Thank in advance

  19. i got this question, how fast, in keys per sec, is cudahashcat quicker than usual cpu hashcat?

    many thanks and cranks

  20. Hello,
    I have same gpu gtx210. But i get this error: hashcat: this device local mem size is too small.

Leave a Reply. (Anonymous comments allowed). Use WP, Twitter, FaceBook or Google+ for faster responses.