Cracking WPA2 WPA handshake with Hashcat
cudaHashcat or oclHashcat or Hashcat on Kali Linux is very flexible, so I’ll cover two most common and basic scenarios:
- Dictionary attack
- Mask attack
Grab some Wordlists, like
Read this guide Cracking Wifi WPA2 WPA passwords using pyrit cowpatty in Kali Linux for detailed instructions on how to get this dictionary file and sorting/cleaning etc.
First we need to find out which mode to use for WPA2 WPA handshake file. I’ve covered this in great length in Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux guide. Here’s a short rundown:
cudahashcat --help | grep WPA
So it’s 2500.
Now use the following command to start the cracking process:
cudahashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt
Bingo, I used a common password for this Wireless AP. Took me few seconds to crack it. Depending on your dictionary size, it might take a while.
You should remember, if you’re going to use Dictionary attack, Pyrit would be much much much faster than cudaHashcat or oclHashcat or Hashcat. Why we are showing this here? Cause we can. :)
Another guide explains how this whole Dictionary attack works. I am not going to explain the same thing twice here. Read Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux for dictionary related attacks in full length.
Now this is the main part of this guide. Using Brute Force MASK attack.
To crack WPA WPA2 handshake file using cudaHashcat or oclHashcat or Hashcat, use the following command:
cudahashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d
-m = 2500 means we are attacking a WPA2 WPA handshake file.
-a = 3 means we are using
Brute Force Attack mode (this is compatible with MASK attack).
capture.hccap = This is your
converted .cap file. We generated it using
?d?d?d?d?d?d?d?d = This is your MASK where
d = digit. That means this password is all in numbers. i.e.
I’ve created a special MASK file to make things faster. You should create your own MASK file in similar way I explained earlier. I’ve saved my file in the following directory as
Do the following to see all available default MASK files provided by cudaHashcat or oclHashcat or Hashcat:
In my case, the command is as follows:
cudahashcat -m 2500 -a 3 /root/hs/out.hccap /usr/share/oclhashcat/masks/blackmoreops-1.hcmask
Sample .hcmask file
You can check the content of a sample
.hcmask file using the following command:
tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask
Edit this file to match your requirement, run Hashcat or cudaHashcat and let it rip.
Location of Cracked passwords
Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory you’ve ran Hashcat or cudaHashcat or oclHashcat. In my case, I’ve ran all command from my home directory which is
This guide explains a lot. But you should read read Wiki and Manuals from www.hashcat.net to get a better understanding of MASK and Rule based attacks because that’s the biggest strength of Hashcat.
Thanks for reading. Feel free to share this article. More on similar series:
Cracking Wifi WPA/WPA2 passwords
- Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty
- Cracking Wireless WPA2 WPA passwords with Hashcat
- Cracking Wifi WPA/WPA2 passwords using Reaver-WPS