Home / Cracking / Cracking WPA2 WPA with Hashcat in Kali Linux (BruteForce MASK based attack on Wifi passwords)

Cracking WPA2 WPA with Hashcat in Kali Linux (BruteForce MASK based attack on Wifi passwords)

Cracking WPA2 WPA handshake with Hashcat

cudaHashcat or oclHashcat or Hashcat on Kali Linux is very flexible, so I’ll cover two most common and basic scenarios:

  1. Dictionary attack
  2. Mask attack

Dictionary attack

Grab some Wordlists, like Rockyou.

Read this guide Cracking Wifi WPA2 WPA passwords using pyrit cowpatty in Kali Linux for detailed instructions on how to get this dictionary file and sorting/cleaning etc.

First we need to find out which mode to use for WPA2 WPA handshake file. I’ve covered this in great length in Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux guide. Here’s a short rundown:

cudahashcat --help | grep WPA

So it’s 2500.

Now use the following command to start the cracking process:

cudahashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt

cracking-wpawpa2-with-oclhashcat-cudahashcat-or-hashcat-on-kali-linux-bruteforce-mask-based-attack-blackmore-ops-2

Bingo, I used a common password for this Wireless AP. Took me few seconds to crack it. Depending on your dictionary size, it might take a while.

You should remember, if you’re going to use Dictionary attack, Pyrit would be much much much faster than cudaHashcat or oclHashcat or Hashcat. Why we are showing this here? Cause we can. :)

Another guide explains how this whole Dictionary attack works. I am not going to explain the same thing twice here. Read Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux for dictionary related attacks in full length.

Brute-Force Attack

Now this is the main part of this guide. Using Brute Force MASK attack.

To crack WPA WPA2 handshake file using cudaHashcat or oclHashcat or Hashcat, use the following command:

Sample:

cudahashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d

Where -m = 2500 means we are attacking a WPA2 WPA handshake file.

-a = 3 means we are using Brute Force Attack mode (this is compatible with MASK attack).

capture.hccap = This is your converted .cap file. We generated it using wpaclean and aircrack-ng.

?d?d?d?d?d?d?d?d = This is your MASK where d = digit. That means this password is all in numbers. i.e. 7896435 or 12345678 etc.

I’ve created a special MASK file to make things faster. You should create your own MASK file in similar way I explained earlier. I’ve saved my file in the following directory as blackmoreops-1.hcmask.

/usr/share/oclhashcat/masks/blackmoreops-1.hcmask

Do the following to see all available default MASK files provided by cudaHashcat or oclHashcat or Hashcat:

ls /usr/share/oclhashcat/masks/

In my case, the command is as follows:

cudahashcat -m 2500 -a 3 /root/hs/out.hccap  /usr/share/oclhashcat/masks/blackmoreops-1.hcmask

cracking-wpawpa2-with-oclhashcat-cudahashcat-or-hashcat-on-kali-linux-bruteforce-mask-based-attack-blackmore-ops-3

Sample .hcmask file

You can check the content of a sample .hcmask file using the following command:

tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask

cracking-wpawpa2-with-oclhashcat-cudahashcat-or-hashcat-on-kali-linux-bruteforce-mask-based-attack-blackmore-ops-4

Edit this file to match your requirement, run Hashcat or cudaHashcat and let it rip.

Location of Cracked passwords

Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory you’ve ran Hashcat or cudaHashcat or oclHashcat. In my case, I’ve ran all command from my home directory which is /root directory.

cat hashcat.pot

cracking-wpawpa2-with-oclhashcat-cudahashcat-or-hashcat-on-kali-linux-bruteforce-mask-based-attack-blackmore-ops-5

Conclusion

This guide explains a lot. But you should read read Wiki and Manuals from www.hashcat.net to get a better understanding of MASK and Rule based attacks because that’s the biggest strength of Hashcat.

Thanks for reading. Feel free to share this article. More on similar series:

 

Cracking Wifi WPA/WPA2 passwords

 

Check Also

Steganography in Kali Linux - Hiding data in image - blackMORE Ops

Steganography in Kali Linux – Hiding data in image

Steganography is the practice of concealing a file, message, image, or video within another file, …

Cracking password using John the Ripper in Kali Linux - blackMORE Ops

Cracking password in Kali Linux using John the Ripper

John the Ripper is a free password cracking software tool. Initially developed for the Unix …

36 comments

  1. what if the password is: ‘abc123efgh’ what mask is best to crack it.? Will ?l?d?l?d?l?d?l? be able to crack it??

  2. :~/Desktop# oclhashcat -m 2500 /root/Desktop/12AC7F.hccap /root/Desktop/newrockyou.txt
    oclHashcat v1.30 starting…
    Device #1: Tahiti, 2904MB, 1100Mhz, 32MCU
    STOP! Unsupported or incorrect installed GPU driver detected!
    You are STRONGLY encouraged to use the official supported GPU driver for good reasons
    See oclHashcat’s homepage for official supported GPU drivers
    You can use –force to override this but do not post error reports if you do so

    RADEON R9 280X gigabyte with installed drivers for pyrit.

    any idea what is missing ?

  3. You’ll never crack awpa password you dumb

  4. What ?a missing is space character. Most passphrase contains space characters. Therefore, ?a will never be able to crack a very common passphrase which has a space character.

  5. when i try this commnad:- cudahashcat –help | grep WPA
    Output will be …
    bash: cudahashcat: command not found
    help me!

  6. Hello everybody!

    I would like to capture encrypted frames, but I can’t. Help me, please.
    Used the commands:

    ifconfig wlan0 down
    iwconfig wlan0 mode monitor
    ifconfig wlan0 up

    airodump-ng –bssid 9c:d6:43:a8:9d:60 -c 4 -w test2015 wlan0

    My pcap file show only control frames: Clear-to-send, ack; and beacon frames.

    I would like capture a bit stream encrypted 1001110110101001 by data frames…. How can I do it?

    Thank you very much.

  7. Your explanation is way better than the shit they gave back in wiki.Thanks for your patience.Appreciate it.

    • Problem with Wiki is you get more than you ask for! I gave a very simple but working explanation. Once someone is used to that, they can start making complex ones.
      Thanks for your compliment. Cheers,
      -BMO

  8. Can anyone help me eith issue with hashcat and cudahashcat64 i have all drivers installed correctly but hashcat is 1000 time faster than cudahashcat. to crack 8 letter including upercase and digits passwords takes 10 years in cudahashcat but when piped to pyrit using hahscat 1hr 12 Minutes the VGA driver is gtx760 and works with no errors.
    Also running hashcat displays 42million words per second when crunching
    But in cudahashcat it shows around 40,000 pks .
    Hardware intel i7 4820k 16 Gb ram Nvidia gtx 760 1gb ram

  9. Is this possible without an Nvidia or Amd graphic card ? because i am using an standard intel videocard hope ro hear you soon

  10. When running the conversion from .cap to .hccap, I get a “Failed to create Hashcat capture file” error :(

    Any help?

  11. This video leads me here, just posting so you know that the tutorial works

  12. Amazing tutorial! Thank you so much!

    Is there any disadvantage using just hashcat instead of oclhashcat or cudahashcat ?

  13. Hi first of all many thanks for taking the time for this tutorial.

    I am currently stuck in that I try to use the cudahashcat command but the parameters set up for a brute force attack, but i get “bash: cudahashcat: command not found”.

    I have followed the previous instructions and have my graphics card showing as a CUDA device when i use the pyrit list_cores command and also when running a benchmark.

    My card is a GTX 970 and I am running on Kali 4.4.0 amd-64

    Using “hashcat” works fine but I assume that it is not using my GPU.

    Any help would be appreciated!

    Thanks

  14. Any device running a WN823N chip is confirmed on mon and injection.

  15. With the command aircrack-ng I will always get this:
    Opening hs/haha.cap
    Read 0 packets.

    No networks found, exiting.

    Any sugestions what’s going on here?

    • By the way I’ve used wifite -wpa -cowpatty to got my Handshakes. This worked instandly. Maybe is this the failure, I don’t know.

  16. hey ho%**

    i got hashcat running nicely. i have a converted handshake file i want sorted but i want to know
    how much faster is cudahashct? than regular hashcat?

    salutation and supplications

  17. Am getting this error as hashcat is starting

    ERROR: clGetDeviceIDs () : -1 : CL_DEVICE_NOT_FOUND

    Where could i have gone wrong? What is it exactly am I missing?
    Thank in advance

  18. i got this question, how fast, in keys per sec, is cudahashcat quicker than usual cpu hashcat?

    many thanks and cranks

  19. Hello,
    I have same gpu gtx210. But i get this error: hashcat: this device local mem size is too small.

  20. Sir …. I have intel HD Graphic cars what should I install???? Plzzzzz

  21. windows.alert(“wdwe”)

  22. “>alert();

Use WordPress.com, Twitter, Facebook, or Google+ accounts to comment (anonymous comments allowed)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Privacy Policy on Cookies Usage

Some services used in this site uses cookies to tailor user experience or to show ads.

%d bloggers like this: