[Cracking WPA2 2/2] Cracking the Handshake

[shockli]

Hello r4p3 members. This post will show you how to crack a captured key. You can learn how to capture the key from my previous post.

Software Required:
Windows & Linux:
oclHashcat for ATI cards OR CUDAHashcat for Nvidia Cards. Both are available for download at http://hashcat.net/hashcat/. You need to have the appropriate drivers installeda.

Hardware Required:
Nvidia GTX650TI or above. The more graphics cards the better. ATI graphics cards work much better (and are cheaper). The machine I have access to is running two 980’s.

Step One: Getting the Handshake
Get the handshake. You can get this by following my previous post.

Step Two: Converting the Captured File
You need to convert the captured file so that hashcat can use it. You can do this either in hashcat or with this nice link: https://hashcat.net/cap2hccap/

Step Three: Choosing the Best Attack Type:
In my opinion a Hybrid attack works the best. A rule-based attack works very well aswell, but you need to know what you are doing. I recommend reading around a bit and choosing one that will work best for your situation (Is the person stupid, will they keep the default password, or will they have a minimum letter random-generated password?)

You will need to get a wordlist, I like the 10 Million Passwords: https://github.com/danielmiessler/SecLists/tree/master/Passwords one a lot. You can also google for a local one, I’ve found one in my local language and have had much more success with it.

Step Four: Putting Your GPU(s) to Work
Once you have chosen your method, you must now run it. I will show you how to use my favorite, the hybrid attack:

./cudahashcat.sh -m 2500 r4p3isAw3s0m3.hccap -a 7 ?d?d?d?d 10millionpasswords.dict ?d?d?d?d

(You might need to remove the ./ in Windows)

Step Five: Wait or Give Up:
You will now need to wait for it. It will take from minutes to weeks, depending on your GPU. If it doesn’t crack it in a week you can consider the owner of the WiFi network’s password to be secure (not really many of those), and might as well give up.

Extra Activity: Show off your specs (or cry about them), give us benchmark results!

./cudaHashcat -b

 

[ehthe]

Speed.GPU.#1...: 50707 H/s

god it's slow xD

 

[kingston]

Are you seriously getting 50k hashes/s? What card is that? I'm on 650Ti.

Also, learning all day long, i would like to note the possibility of using masks for bruteforcing. Never did it in practice yet but it seems cool.

Oh. Just noticed that you are in fact using a mask in your example

 

[shockli]

Are you seriously getting 50k hashes/s? What card is that? I'm on 650Ti.

Also, learning all day long, i would like to note the possibility of using masks for bruteforcing. Never did it in practice yet but it seems cool.

50k isn't very fast.. my laptop does 180

 

[ehthe]

Yeah I was trying "only mask" if I remember correctly. I got a GTX 670.

 

[kingston]

Just realized what's possible after reading this: http://ht4u.net/reviews/2013/nvidia_geforce_gtx_650_ti_boost_review/index40.php

 

[kingston]

About cracking time... if we take 26 lower case characters, 26 upper case ones, 10 digits and 10 basic special characters... that's 72 characters. Now if the password was 3 characters long it would take 373k possible passwords. But for 5 characters long pass it means 1934917632 possibilities. And 6 chars = 139314069504.

8 characters? A whooping 722204136308736 passwords = 8358 days @ 1mln/s

Let's have some fun and calculate how much would it cost to build a reasonable GPU cluster able to go for at least 300mln/s.

 

[shockli]

About cracking time... if we take 26 lower case characters, 26 upper case ones, 10 digits and 10 basic special characters... that's 72 characters. Now if the password was 3 characters long it would take 373k possible passwords. But for 5 characters long pass it means 1934917632 possibilities. And 6 chars = 139314069504.

8 characters? A whooping 722204136308736 passwords

that's why we have wordlists

 

[kingston]

that's why we have wordlists

And distributed password crackers

 

[kingston]

My shiny, new dongle just arrived today. It isn't Alfa sadly, as that will take more time and i'm yet to decide if i want 9dBi antenna with it at once. But i chose a quality dongle that uses the very same chip as one of the Alfas (Atheros) and can do both monitoring and packet injection of course. Not sure about the power though but i read up that decent TX power takes more than just standard USB port so there is more to it than it seems. All in all i held my horses a bit and will try with cheaper and easier solutions first. If all goes fine and i notice any improvement in the works - i will let you know soon

I'm hoping to see even more networks than yesterday. And i'm also hoping to find at least one, poor password. There were rumors e.g. about some UPC routers using passwords based on MACs or maybe i'm even lucky enough to own some WPS

I also have several cameras around. Would love to be able to get there. Anyone with such experiences?

Another interesting subject: city touchscreens or whatever is that called. There is one of those near me and it serves maps, ads and other crap to people. As far as i know the machine hidden inside runs Windows. I believe it could also have some wi-fi for remote administration and such.

 

[ehthe]

I hope you won't have to hit your head against a wall, like me, to make your card's driver accept higher power ;(

 

[kingston]

Some interesting reading here: https://befinitiv.wordpress.com/201...-and-patching-its-kernel-driver-and-firmware/

Especially the injection rate test has blown me away

 

[shockli]

My shiny, new dongle just arrived today. It isn't Alfa sadly, as that will take more time and i'm yet to decide if i want 9dBi antenna with it at once. But i chose a quality dongle that uses the very same chip as one of the Alfas (Atheros) and can do both monitoring and packet injection of course. Not sure about the power though but i read up that decent TX power takes more than just standard USB port so there is more to it than it seems. All in all i held my horses a bit and will try with cheaper and easier solutions first. If all goes fine and i notice any improvement in the works - i will let you know soon

I'm hoping to see even more networks than yesterday. And i'm also hoping to find at least one, poor password. There were rumors e.g. about some UPC routers using passwords based on MACs or maybe i'm even lucky enough to own some WPS

I also have several cameras around. Would love to be able to get there. Anyone with such experiences?

Another interesting subject: city touchscreens or whatever is that called. There is one of those near me and it serves maps, ads and other crap to people. As far as i know the machine hidden inside runs Windows. I believe it could also have some wi-fi for remote administration and such.

I love M$ integrated win12 systems, TV remotes work on them, was very entertaining when I was able to shut down a whole restaurant (order system, tv's, payment systems) with the touch of a button on an app on my phone.

 

[kingston]

So happy with this stuff that i have just started converting my old X41T into dedicated kali machine

 

[kingston]

A very nice target successfully pixied in less than a minute Can't believe how easy that was. Still not sure what to do next... gotta do some more reading now

I also tried to capture handshakes and this is a piece of cake too and, when you have a quite active station there, deauthing takes literally seconds. But after all i never decided to crack those dumps yet and went for WPS as i can see at least 10 targets of which most are v1.0 and i just succeeded with one of them.

And few hours later... all done connected with raw PSK and pulled the IP. Needed to adjust the MAC though as the target tried to be smart This is real fun but i have to say that i was quite lucky to hit that WPS exactly on first try as i tried several others and no go or perhaps i need to learn and practice some more. I can see that there is a popular TP-LINK router around (841N if i recall correctly) in few cases where pixie just can't do anything about. Unless that's because i used -K 1 switch.

Now i plan to work on building a soft AP. I guess this would take another wi-fi dongle and some bridging? Or could be possibly done in a way so the wlan0 could serve as an AP while being connected to the target at the same time?

 

[swarmdeco]

On my past experience, using Rainbow tables (take a look at [1]) it's way better. If they are using a standard/default SSID church-compatible, the cracking is matter of minutes.

[1] https://www.renderlab.net/projects/WPA-tables/

 

[kingston]

That sounds great. Many thanks. I will dig into this yet today. Yummy stuff... this will also take my fun to the next level as with tables measured in many GB i will probably move from live off an old/slow pendrive to the real meat and fire in an old SSD

 

[swarmdeco]

SSID Church compatible list:

 

[kingston]

This looks like it is compatible with nearly everything What a fun. Not with TP-LINK though.

 

[Qraktzyl]

I read somewhere a couple of years ago that ATI cards were not only faster than nvdia, BUT SIGNIFICANTLY faster lol. If I remember the performance were at least doubled.
I actually cracked all the wifi networks near my house. The hardest password I have found on WPA took me 2 days and it was "spirou75". LOL

I have a GTX980ti AMP EXTREME, it would be fun if you could provide a cap file and actually make a contest on who finds the pass first !