encryption or protocols a great deal. In short, WPA and WPA2-Personal both use a
256-bit pre-shared key (PSK) derived from a passphrase of 8 to 63 printable ASCII
characters (or the key itself given as 64 hex digits). The derivation is
PBKDF2-HMAC-SHA1 with 4096 iterations, salted with the SSID. The 4-way handshake
never transmits the PSK; the client proves it holds the key by computing a MIC over
a handshake message, so anyone who captures the handshake can test candidate
passphrases offline by repeating that derivation for each one. It is the 4096
iterations per candidate, not the key size, that makes WPA cracking slow.
Before starting with oclHashcat, I would suggest testing for WPS (Wi-Fi Protected
Setup) using Reaver, and more recently the Pixie Dust method, because brute-forcing
the WPS PIN takes at most about 11,000 attempts (the PIN is verified in two halves,
10,000 for the first and 1,000 for the second) and hands you the WPA pre-shared key
far faster than cracking a complex WPA/WPA2 passphrase. If WPS is disabled, locked,
or not vulnerable, move on to the WPA/WPA2 method below or to the Evil Twin method,
which clones the AP.
The tool Hashcat has been around for some time and is CPU based; oclHashcat makes
use of modern GPUs, whose massively parallel compute lets it crack most modern
user/password hashes far faster. (Since hashcat 3.0 the two have been merged into a
single hashcat binary; the switches used below are the same.)
Method 1 - I use Kali Linux 2.1 myself, so I will be listing the Linux commands. First
up is to capture a WPA/WPA2 4-way handshake in a .cap file: start monitor mode with
airmon-ng, then sniff the air waves with airodump-ng. The handshake is only sent when
a client (re)associates, so either wait for one or deauthenticate a connected client
with aireplay-ng and capture the reconnect.
Method 2 - I'll list a few options here, as the GUI tools are very simple. There are
aircrack-based GUI tools such as wifite and Fern; I prefer Method 1. For Windows users,
you can set up Linux in a virtual machine within Windows, or there is an Android app
called 'Wi-Fi PCAP Capture' that uses an Alfa RTL8187L wifi adapter. Either way you
would then need to convert the .cap file into .hccap via the oclHashcat conversion
page, which returns the .hccap file as a download.
# wifite -wpa
or
# fern-wifi-cracker
or
# gerix-wifi-cracker-ng
Next is to convert the capture file containing the WPA/WPA2 handshake to .hccap
format so oclHashcat/hashcat can work with it. On Linux, aircrack-ng can write it
directly (aircrack-ng -J handshake capture.cap produces handshake.hccap). If you are
on Windows and captured the handshake with the Android app and the Alfa RTL8187L
adapter, the oclHashcat site has a page where you can upload WPA .cap files of up to
5 MB and download the result back as a .hccap. Note that later hashcat releases no
longer read .hccap: they switched to .hccapx (made with cap2hccapx from
hashcat-utils) and, from hashcat 6.0, to the 22000 hash-line format (made with
hcxpcapngtool), which is cracked with -m 22000 instead of -m 2500.
In these next steps we will make use of oclHashcat/hashcat to crack the WPA/WPA2
handshake.hccap.
The -m switch selects the hash type; for WPA/WPA2 it is -m 2500 (PBKDF2-SHA1 over
the EAPOL handshake). The hash-mode table in the oclHashcat help output (--help)
gives the number for other hashes, MD5 etc., the same way.
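What -m 2500 actually has to compute for every candidate, as an added Python example (standard library only; this is not hashcat's code or the page's). The PSK derivation is checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"). The handshake is constructed for a known passphrase rather than captured: the MAC addresses and nonces are made up, and the EAPOL key data field is left empty.

```python
"""Added example (not hashcat's code): what -m 2500 does per candidate passphrase."""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

# Offset of the 16-byte Key MIC inside an EAPOL-Key frame:
# EAPOL hdr(4) + descriptor type(1) + key info(2) + key length(2) + replay counter(8)
# + nonce(32) + IV(16) + RSC(8) + ID(8) = 81
MIC_OFFSET = 81


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK/PSK per IEEE 802.11i: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 256 bits.
    32 bytes need two 20-byte SHA-1 blocks, so each candidate costs 2 x 4096 = 8192
    HMAC-SHA1 calls before the handshake is even looked at; this is the slow part."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_prf512(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b"".join(
        hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)
    )
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes, keyver: int) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.
    Descriptor version 1 (TKIP): HMAC-MD5; version 2 (CCMP): HMAC-SHA1 truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if keyver == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def check_candidate(passphrase: str, hs: dict) -> bool:
    """One -m 2500 'attempt': derive PMK -> PTK -> KCK (first 16 bytes) and compare the MIC."""
    pmk = wpa_psk(passphrase, hs["ssid"])
    kck = ptk_prf512(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["keyver"]), hs["mic"])


def crack(hs: dict, candidates: Iterable[str]) -> Optional[str]:
    """Straight (wordlist) attack: first candidate whose MIC matches, or None."""
    for cand in candidates:
        if check_candidate(cand, hs):
            return cand
    return None


def make_handshake(passphrase: str, ssid: str, keyver: int = 2) -> dict:
    """Constructed message 2 of the 4-way handshake for a known passphrase.
    Test data only: MACs and nonces are made up and the key data field is empty."""
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    key_info = 0x0108 | keyver           # MIC bit (0x100) + pairwise bit (0x008) + descriptor version
    key_len = 16 if keyver == 2 else 32  # CCMP / TKIP
    body = (struct.pack(">BHHQ", 2, key_info, key_len, 1)    # RSN descriptor, key info, key len, replay ctr
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, IV, RSC, ID
            + b"\x00" * 16 + struct.pack(">H", 0))             # MIC placeholder, key data length 0
    frame = struct.pack(">BBH", 1, 3, len(body)) + body         # EAPOL v1, type 3 = EAPOL-Key
    kck = ptk_prf512(wpa_psk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame, keyver)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": frame, "mic": mic, "keyver": keyver}


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector for the PSK derivation.
    assert wpa_psk("password", "IEEE").hex().startswith("f42c6fc52df0ebef")
    hs = make_handshake("correcthorse", "TestNet")            # constructed capture
    wordlist = ["12345678", "password", "letmein1", "correcthorse"]  # constructed wordlist
    print("recovered passphrase:", crack(hs, wordlist))
```

Everything oclHashcat gets from the .hccap is in the dictionary returned by make_handshake: SSID, both MACs, both nonces, the EAPOL frame and its MIC. The GPU only parallelises the loop in crack; the per-candidate cost in wpa_psk is what the "4-way handshake slowing it down" remark in the summary really refers to.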
STEP 4 - Here we make use of oclHashcat/hashcat. It is a versatile tool set and can
be used with or without a wordlist: in mask (brute-force) mode it generates candidates
on the GPU as it goes, without slowing down and without storing massive dictionary
files.
There are many wordlists to be found on the web, but why store them in files when
oclHashcat can create the candidates on the fly. Another thing to keep in mind about
wordlists: not all wordlists you find online are suitable for WPA/WPA2, because a WPA
passphrase must be 8 to 63 characters long. Anything shorter than 8 characters is
wasted space; hashcat rejects such candidates for -m 2500 rather than testing them.
Note - A modern GPU such as the R9 290X at full speed can munch through about 180,000
WPA attempts per second. This can vary a small amount depending on the drivers at
the time. Speed can be tuned with the workload switches: -u (--gpu-loops) sets the
kernel's inner loop count and -n (--gpu-accel) the outer one. -u takes a loop count,
not the amount of RAM on the GPU, so a value such as 4096 is not a memory size.
For me my AMD R9 is 4096mb. Leave the workload switches at their defaults unless you
are actually tuning.
# oclhashcat -m 2500 /root/Hccap/filename.hccap /root/Numeric8-10char.txt
With a wordlist the results will vary depending on the strength of your GPU and on
whether the password is in your list at all. It flies through small lists. You can
also combine several wordlists of the same kind into one list.txt, or pipe candidates
into the command on stdin (hashcat reads from stdin when no wordlist file is given).
or
I prefer not to clog up HDD space with massive wordlists. Below is a table of the
built-in character sets for oclHashcat. There are various mask options to run
through your preferred charsets without writing them out to .txt files; I won't go
into all of them now, but the mask options work well.
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = <space>!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?l?l?l?l?l?l?l?l = a-z, 8 characters in length (26^8, about 2.1 x 10^11 candidates,
roughly 13 days at 180,000 attempts per second).
Let's just say your password is 12345678. You can use the mask ?d?d?d?d?d?d?d?d
(10^8 candidates, which at 180,000 attempts per second is under 10 minutes).
Note - For mask/brute-force attacks you need the -a 3 switch. Custom charsets are
defined with -1 to -4 (for example -1 ?l?d for lowercase plus digits, then ?1 in the
mask).
The hybrid modes gel well too: they combine a wordlist with a mask, appending (-a 6)
or prepending (-a 7) the mask's characters to each word.
Attack modes:
0 = Straight
1 = Combination
3 = Brute-force
6 = Hybrid dict + mask
7 = Hybrid mask + dict
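The charset table, the masks and the attack modes above, worked through in Python as an added example (this is not hashcat's code or the page's): it expands a hashcat-style mask including ?? escapes and -1..-4 custom charsets, computes the keyspace and the worst-case time at a given rate, enumerates candidates, rejects masks outside the WPA 8..63 length, and shows hybrid modes 6 and 7 by gluing a mask onto a word. The 180,000/s figure and the masks come from the text; the wordlist and rate are constructed inputs.

```python
"""Added example (not hashcat's code): hashcat-style mask handling and keyspace sizing."""
import itertools
import string
from typing import Dict, Iterable, Iterator, List, Optional

# Built-in charsets as hashcat defines them; ?s is space plus all printable punctuation.
BUILTIN: Dict[str, str] = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def parse_mask(mask: str, custom: Optional[Dict[str, str]] = None) -> List[str]:
    """Turn a mask like '?l?l?d?d' into one charset string per position.
    custom maps '1'..'4' to charsets, the way -1 .. -4 do on the command line.
    '??' stands for a literal question mark; any other character is literal."""
    custom = custom or {}
    sets: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            sets.append(mask[i])
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a bare '?'")
        sel = mask[i + 1]
        if sel == "?":
            sets.append("?")
        elif sel in BUILTIN:
            sets.append(BUILTIN[sel])
        elif sel in custom:
            sets.append(custom[sel])
        else:
            raise ValueError(f"unknown charset ?{sel}")
        i += 2
    return sets


def keyspace(mask: str, custom: Optional[Dict[str, str]] = None) -> int:
    """Number of candidates the mask produces (product of the per-position set sizes)."""
    n = 1
    for s in parse_mask(mask, custom):
        n *= len(s)
    return n


def seconds_at(mask: str, rate: float, custom: Optional[Dict[str, str]] = None) -> float:
    """Worst-case run time for the whole keyspace at `rate` candidates per second."""
    return keyspace(mask, custom) / rate


def wpa_mask_ok(mask: str, custom: Optional[Dict[str, str]] = None) -> bool:
    """WPA/WPA2 passphrases are 8..63 characters; masks outside that are wasted work."""
    return 8 <= len(parse_mask(mask, custom)) <= 63


def candidates(mask: str, custom: Optional[Dict[str, str]] = None) -> Iterator[str]:
    """Enumerate the mask in plain lexicographic order (last position varies fastest).
    hashcat itself orders candidates by its Markov statistics unless --markov-disable is given."""
    for tup in itertools.product(*parse_mask(mask, custom)):
        yield "".join(tup)


def hybrid_candidates(words: Iterable[str], mask: str, mode: int,
                      custom: Optional[Dict[str, str]] = None) -> Iterator[str]:
    """-a 6 appends the mask to each word, -a 7 prepends it."""
    if mode not in (6, 7):
        raise ValueError("hybrid mode must be 6 or 7")
    tail = list(candidates(mask, custom))
    for w in words:
        for t in tail:
            yield w + t if mode == 6 else t + w


if __name__ == "__main__":
    rate = 180_000  # WPA attempts/second quoted in the text for an R9 290X
    for m in ("?d?d?d?d?d?d?d?d", "?l?l?l?l?l?l?l?l", "?d?d?d?d"):
        print(f"{m}: {keyspace(m):,} candidates, {seconds_at(m, rate) / 86400:.2f} days, "
              f"WPA-valid={wpa_mask_ok(m)}")
    lower_digit = {"1": BUILTIN["l"] + BUILTIN["d"]}  # same as -1 ?l?d
    print("?1 x 8 with -1 ?l?d:", f"{keyspace('?1?1?1?1?1?1?1?1', lower_digit):,}")
    print("first digit candidates:", list(itertools.islice(candidates("?d?d?d?d?d?d?d?d"), 3)))
    print("hybrid -a 6:", list(itertools.islice(hybrid_candidates(["summer"], "?d?d", 6), 3)))
```

The keyspace and seconds_at figures are what to check before starting a run: ?d x 8 is under ten minutes at 180,000/s, ?l x 8 is about two weeks, and ?a x 8 is far beyond practical, which is why a well-chosen wordlist or a hybrid attack is usually tried before a full mask.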
Summary
This tool does its slowest work when put up against WPA/WPA2, because every candidate
has to go through the 4096-iteration PBKDF2 derivation and the handshake MIC check
before it can be rejected. It does extremely well with other hash types, which need
only a single cheap hash per candidate: for example MD5 is cracked at 10 million
attempts per second or more, and NTLM is a bit faster than MD5 (the exact rate
depends on the card). The oclHashcat website has more in-depth info.