RWSPS: WPA/2 Cracking Using HashCat [ch5pt2]

Hello reader and welcome to part 2 from chapter 5 of the WiFi Security and Pentesting Series.
If you remember in the previous part, we learned Speeding up WPA/2 Cracking Using Pre-generated PMKs. Which certainly uses CPU as the primary part for the calculations of the PMKs. It surely gives us speed for cracking as while using PMKs for cracking we are not performing actual calculations in real-time.
This brings us to some drawbacks of using PMKs, as follows:

• SSID Specific. You cannot use PMKs generated for SSID, say “rootsh3ll” for another SSID like “Belkin“.
• Case-Sensitive. Cannot be used even a single letter is up/lower case. Ex: Won’t work for “Rootsh3ll“ if PMKs are created for “rootsh3ll“.
• Time used is the same. As processing power of CPU is same in both cases, the time required for creating PMKs are equal even if you crack using Aircrack or creating PMKs(with GenPMK).
• Huge HD Space required. As we are pre-calculating the PMKs and storing them on HD, it requires a lot of space on your HD and that too for a specific SSID. Which is not an option all the time.
• Less helpful in today’s scenario. Nowadays routers are being shipped with unique SSID. Ex: Belkin_04A2 for preventing routers from these kind of attacks or atleast delay the cracking duration.

You might be thinking now that If this is so, then why would I even consider PMKs for cracking ?
Well, as I said above this is Less helpful, that means in some cases.
Cases like:

• Simple SSIDs. Ex: MTNL, Airtel, Linksys etc
• Before trying any complex task to crack the PSK, if you have PMKs already stored. Give them a shot
• Mobile numbers are still very common passwords.

Still, even if this gives us speed this method is a bit slow. You don’t always have a friend ready to give you a pre-generated PMK file for a specific SSID just when you have captured the handshake, right ? yeah, it’s very rare!
Here is when you need to stop using your CPU and test the processing power of you GPU.
If you are not aware of using GPUs for cracking purposes let me tell you, Yes GPUs can be used for cracking password hashes and are being used now from a while.
There are plenty of tools which uses GPU to boost the cracking speed and lets you crack in way much lesser time that your CPU would have the job finished.
Tools like:

• Pyrit
• BarsWF
• HashCat
• igHashGPU

How ? Simple! Your CPU has 2,4,8 cores, means parallel computing units where GPUs have them in thousands, if not hundreds.

NOTE: My GeForce GT 525M have 296 cores, and it is pretty old Graphics card, Speed: ~6000 PMK/s. NVidia Titan X is the Best single graphics card with cracking speed up to 2,096,000 hashes/sec.

Using GPU for Cracking WPA/2 Passwords

Being in the scope of the series we will stick to WPA/2 cracking with GPU in this chapter. For learning difference between CPU and GPU cracking you can visit the following post I’d previously written on FromDev.com.
CPU vs. GPU Password Hash Cracking – FromDev.com
Tools described above are used for cracking various kinds of passwords.
There are 2 tools used for Cracking WPA/2-PSK using GPU from the above list

• Pyrit
• HashCat

As the post title suggests we will go with HashCat.

What is HashCat ?

Hashcat is a self-proclaimed command line based world’s fastest password cracker.
It is the world’s first and only GPGPU based rule engine and available for Linux, OSX, and Windows free-of-cost. It comes in 2 variants

• CPU Based
• GPU Based

There is no difference when passing commands to Hashcat because it automatically uses the best method to crack passwords, either CPU or GPU depending on the Graphics driver you have installed or not.
Hashcat is fast and extremely flexible- to writer made it in such a way that allows distributed cracking. There are multiple version of HashCat, each optimized and suited for different methods of cracking (dictionary, single hash, distributed etc). I highly recommend Hashcat  over Pyrit for its flexibility.

Why use HashCat at first place ?

As already told above, because of it’s flexibility and vast support of algorithms.
But why Hashcat when I just want to crack WPA/2 most of the times ?
If you have used or haven’t used Pyrit yet, let me tell you one thing. Pyrit is perhaps the fastest WPA/2 cracker available on the internet but it uses dictionary or wordlist to crack the passwords even if you use PMKs or directly run the cracker you need to have a large amount of dictionaries to test the validity of the hash.
For storing hashes you need a lot of disk space. As you can see in the image below, there is a few wordlists that almost take >25 GB on the disk(Extracted), and it take more than 2-3 days to run through them all even with GPU.

You can download some useful wordlists here.
But most of the times there are some pattern(default passwords) we like to test for validity. Patterns like:

• Mobile number
• Date of Birth
• Default password patterns like “56324FHe“
• 10 digit default password by ISP
• and so on

Here is when We have to leave Pyrit with it’s dictionaries and get our hands-on with HashCat.
HashCat have a brilliant feature called mask-attack, which allows us to create user-defined patterns to test for password validity and you know what the best thing is ? It requires 0 Bytes on your hard drive.
How ?
Before we go through this we need to understand that in some cases we need Wordlists. Its only when we are 100% certain that it has some kind of pattern we can use this type of attack. So of you know a certain ISP has 10 random numbers and only a few letters, you could do it to save space on your HD.
WPA/2 cracking is a tedious task and uses maximum power of the system when we use Hashcat for the purpose and sometimes it needs to take down the load from the system to switch tasks. hashcat stands best here for it’s remarkable feature.

• It supports pause/resume while cracking
• Supports sessions and restore

We will see this feature in this tutorial. Keep reading.

Supported Attack types

• Dictionary based attack
• Brute-force/Mask attack
• Hybrid dict + mask
• Hybrid mask + dict
• Permutation attack
• Rule-based attack
• Toggle-case attack

These are too name a few. Hashcat supports way too many algorithms to get your hash cracked.

NOTE: Traditional Brute-force attack is outdated and is replaced by Mask attack in Hashcat. Wee will see later in this post in details about this.

Variants

As told above Hashcat comes in 2 vaiants:

1. Hashcat -A CPU based password cracker
2. Oclhashcat/CudaHashcat – GPU accelerated tool

Setting up the Lab

Installing Graphics driver

You have basically 2 choices

1. Install graphics driver in Kali Linux directly, i.e your Pentesting distro.
2. Install graphics driver in Windows or OSX.

I have Kali Sana installed in my Virtual machine and unfortunately no virtual machine supports using graphics card or GPU acceleration inside the virtual OS. So I’ll be sticking with Hashcat on windows. You can still do the same task with exact same commands on Kali Linux(or any Linux OS) or OSX with properly installed proprietary drivers.
I haven’t written any article on how to install graphics drier in Kali Linux as BlackmoreOps already have a great article on same. so you can follow the links and try installing the same on your version of Kali.
NVidia Users:

• Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver
• Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda

AMD Users:

• Install AMD ATI proprietary fglrx driver in Kali Linux 1.x/2.x
• Install AMD APP SDK in Kali Linux
• Install CAL++ in Kali Linux

Download HashCat

You can download Hashcat from it’s official website: http://hashcat.net/
File is highly compressed using 7z compression. So make sure you have atleast 1 GB before extracting the downloaded file.
You can use 7zip extractor to decompress the .7z file. Download it here: http://www.7-zip.org/download.html
P.S: It is free of use and better than WinRAR.

Cleanup your cap file using wpaclean

Next step will be converting the .cap file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux will understand.
Here’s how to do it:
To convert your .cap files manually in Kali Linux, use the following command

wpaclean <out.cap> <in.cap>

1	wpaclean <out.cap> <in.cap>

Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion.

Convert .cap file to .hccap file

Now assuming that you have installed appropriate graphics driver for the selected OS, moving on to the nest step. We need to convert the previously captured handshake i.e .cap file to a format that hashcat could understand and it is .hccap file format.
Nothing difficult or time taking. Command to convert .cap to .hccap goes like this

• aircrack-ng -J <output.hccap> <path/to/.cap file>

Here output.hccap is the output filename with .hccap file format and input.cap is the handshake originally captured.
Log in to Kali Linux, open Terminal and type:
aircrack-ng -J “rootsh3ll-01.hccap”  “rootsh3ll-01.cap”

Note: rootsh3ll-01.cap is located on Desktop. Check location of your .cap file.

Now we have .hccap file, installed graphics driver and downloaded hashcat. Let’s begin the cracking.

Cracking WPA/2 Passwords using Hashcat

We will cover the following topics:

• WPA/2 Cracking with Dictionary attack using Hashcat.
• WPA/2 Cracking with Mask attack using Hashcat.
• WPA/2 Cracking with Hybrid attack using Hashcat.
• WPA/2 Cracking Pause/resume in Hashcat (One of the best features)
• WPA/2 Cracking save sessions and restore.

WPA/2 dictionary attack using Hashcat

Open cmd and direct it to Hashcat directory, copy .hccap file and wordlists and simply type in cmd

• cudaHashcat64.exe -m 2500 rootsh3ll-01.hccap  wordlist.txt wordlist2.txt

Here I have NVidia’s graphics card so I use CudaHashcat command followed by 64, as I am using Windows 10 64-bit version. yours will depend on graphics card you are using and Windows version(32/64).
cudaHashcat64.exe – The program, In the same folder theres a cudaHashcat32.exe for 32 bit OS and cudaHashcat32.bin / cudaHashcat64.bin for Linux. oclHashcat*.exe for AMD graphics card.
-m 2500 = The specific hashtype. 2500 means WPA/WPA2.

In case you forget the WPA2 code for Hashcat.
Windows CMD: cudaHashcat64.exe –help | find “WPA”
Linux Terminal:cudaHashcat64.bin –help | grep “WPA”
It will show you the line containing “WPA” and corresponding code.

Handshake-01.hccap = The converted *.cap file.
wordlist.txt wordlist2.txt= The wordlists, you can add as many wordlists as you want. To simplify it a bit, every wordlist you make should be saved in the CudaHashcat folder.
After executing the command you should see a similar output:

Wait for Hashcat to finish the task. You can pass multiple wordlists at once so that Hashcat will keep on testing next wordlist until the password is matched.

WPA/2 Mask attack using Hashcat

As told earlier, Mask attack is a replacement of the traditional Brute-force attack in Hashcat for better and faster results.
let’s have a look at what Mask attack really is.
In Terminal/cmd type:

• cudaHashcat64.exe -m 2500 <rootsh3ll-01.hccap> -a 3 ?d?l?u?d?d?d?u?d?s?a

-a 3 is the Attack mode, custom-character set (Mask attack)
?d?l?u?d?d?d?u?d?s?a  is the character-set we passed to Hashcat. Let’s understand it in a bit of detail that

• What is a character set in Hashcat ?
• Why it is useful ?

What is a character set in Hashcat ?

?d ?l ?u ?d ?d ?d ?u ?d ?s ?a = 10 letters and digits long WPA key. Can be 8-63 char long.
The above text string is called the “Mask”. Every pair we used in the above examples will translate into the corresponding character that can be an Alphabet/Digit/Special character.
For remembering, just see the character used to describe the charset
?d: For digits
?s: For Special characters
?u: For Uppercase alphabets
?l: For Lowercase alphabets
?a: all of the above.
Simple! isn’t it ?
Here is the actual character set which tells exactly about what characters are included in the list:

?l = abcdefghijklmnopqrstuvwxyz ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ ?d = 0123456789 ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ?a = ?l?u?d?s

1 2 3 4 5

?l = abcdefghijklmnopqrstuvwxyz ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ ?d = 0123456789 ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ?a = ?l?u?d?s

Here are a few examples of how the PSK would look like when passed a specific Mask.
PSK = ?d?l?u?d?d?d?u?d?s?a
0aC575G2/@
9zG432H0*K
8sA111W1$4
3wD001Q5+z
So now you should have a good understanding of the mask attack, right ?
Let’s dig a bit deeper now.

Mixing Mask attack with Custom characters.

Let’s say, we somehow came to know a part of the password. So, it would be better if we put that part in the attack and randomize the remaining part in Hashcat, isn’t it ?
Sure! it is very simple. Just put the desired characters in the place and rest with the Mask.

He ?d ?l 123 ?d ?d ?u ?d C is the custom Mask attack we have used. Here assuming that I know the first 2 characters of the original password then setting the 2nd and third character as digit and lowercase letter followed by “123” and then “?d ?d ?u ?d” and finally ending with “C” as I knew already.
What we have actually done is that we have simply placed the characters in the exact position we knew and Masked the unknown characters, hence leaving it on to Hashcat to test further.
Here is one more example for the same:
Let’s say password is “Hi123World” and I just know the “Hi123” part of the password, and remaining are lowercase letters. Assuming length of password to be 10.
So I would simply use the command below

cudaHashcat64.exe -m 2500 <handshake.hccap> -a 3 Hi123?u?u?u?u?u

1	cudaHashcat64.exe -m 2500 <handshake.hccap> -a 3 Hi123?u?u?u?u?u

Where ?u will be replaced by lowercase letters, one by one till the password is matched or the possibilities are exhausted.
Moving on even further with Mask attack i.r the Hybrid attack.
In hybrid attack what we actually do is we don’t pass any specific string to hashcat manually, but automate it by passing a wordlist to Hashcat.
Hashcat picks up words one by one and test them to the every password possible by the Mask defined.
Example:

• cudaHashcat64.exe -m 2500 handshake.hccap -a 1 password.txt ?d?l?d?l

-a 1 : The hybrid attack
password.txt : wordlist
?d?l?d?l = Mask  (4 letters and numbers)
The wordlist contains 4 words.

carlos bigfoot guest onion

1 2 3 4

carlos bigfoot guest onion

Now it will use the words and combine it with the defined Mask and output should be this:
carlos2e1c
bigfoot0h1d
guest5p4a
onion1h1h
It is cool that you can even reverse the order of the mask, means you can simply put the mask before the text file. Hashcat will bruteforce the passwords like this:
7a2ecarlos
8j3abigfoot
0t3wguest
6a5jonion
You getting the idea now, right ?
Using so many dictionary at one, using long Masks or Hybrid+Masks takes a long time for the task to complete. It is not possible for everyone every time to keep the system on and not use for personal work and the Hashcat developers understands this problem very well. So, they came up with a brilliant solution which no other password recovery tool offers built-in at this moment. That is the Pause/Resume feature

WPA/2 Cracking Pause/resume in Hashcat (One of the best features)

This feature can be used anywhere in Hashcat. It isn’t just limited to WPA/2 cracking. Even if you are cracking md5, SHA1, OSX, wordpress hashes. As soon as the process is in running state you can pause/resume the process at any moment.
Just press [p] to pause the execution and continue your work.
To resume press [r]. All the commands are just at the end of the output while task execution. See image below

You might sometimes feel this feature as a limitation as you still have to keep the system awake, so that the process doesn’t gets cleared away from the memory.
And we have a solution for that too. Create session!

WPA/2 Cracking save Sessions and Restore.

Creating and restoring sessions with hashcat is Extremely Easy.
Just ass –session at the end of the command you want to run followed by the session name.
Example:

• cudaHashcat64.exe -m 2500 rootsh3ll-01.hccap -a 3 Hello?d?l?d?u123?l?l?u –session=blabla

Here I named the session “blabla”. You can see in the image below that Hashcat has saved the session with the same name i.e blabla and running.

Now you can simply press [q] close cmd, ShutDown System, comeback after a holiday and turn on the system and resume the session. That easy!

NOTE: Once execution is completed session will be deleted.

How to restore ?
Above command – “–restore”. Here it goes:

• cudaHashcat64.exe -m 2500 rootsh3ll-01.hccap -a 3 Hello?d?l?d?u123?l?l?u –session=blabla –restore

Hashcat will now check in its working directory for any session previously created and simply resume the Cracking process.
Simple enough ? Yes it is.
This is all for Hashcat. Hope you understand it well and performed it along. No need to be sad if you don’t have enough money to purchase those expensive Graphics cards for this purpose you can still try cracking the passwords at high speeds using the clouds. You just have to pay accordingly.

Cloud for Cracking WPA/2-PSK

You can even leverage cloud for the same purpose. You just have to pay for the service you use as it requires a lot of money, electricity to keep the system up and running and keeping it fast at the same time.
A Website that provide the similar service is http://cloudcracker.com/.
They charge $17 for 300 Million words in 20 minutes. Which means 250,000 PMK/Second. Sounds nice! isnt it ?
Well this is a service so they surely have their part of profit. If you are at a shortage of money you can try even cheaper service.
Don’t worry this cheap is actually better than the expensive if you are able to do it accordingly.
That is Amazon Elastic Computing 2(EC2) or AWS (Amazon Web Services). Here you need to do all the things manually after logging into the remote host that yo0u have purchased.
You have to install the tools and dependencies accordingly and give commands to the master server to perform the cracking. You can aso create upto 1000 instances to distribute the load and increase the cracking speed. Price will change accordingly.
But in short let me tell you if you are willing to do this Super Interesting stuff, it will cost you maximum of $1 an hour for even greater speeds than cloudcracker.
Here is a video to help you understand better the concept of load distribution and command the master server. Hope you are getting the concept.


Here is one more for you to see the cracking process running on Amazon EC2, It’s an old video but worth watch and understand the concept.

Forgot to tell you one good news. Amazon EC2 is FREE for first month. It will just ask you for the credit/debit card info as a validation proof. But don’t worry no extra penny will be deducted until you extend to new plan.
So I would encourage you to do some research on this specific topic after getting over of Hashcat. It is the real Fun believe me!
If you love all this crazy stuff You will love that too.
Hope this was helpful enough!
Keep Learning. See you in the next chapter with the Aircrack Boost Script!

Useful Links:

Router:
TP-LINK TL-MR3420 300 MB/s Wireless Router 2x 5dBi antennas
Network Adapters:
Alfa AWUSO36NH High Gain B/G/N USB / Alfa AWUS036NHA B/G/N USB
High Gain Antenna:
Alfa 9dBi WiFi Omni-Directional High-Gain Antenna
USB Drive (32 GB):
SanDisk Ultra Fit  USB 3.0  32GB Pen Drive
Graphics Card

NVidia: GeForce GTX TITAN X 12GB (BEST single GPU for Cracking)

AMD: Radeon HD 6990 830M 4 GB (3X HD6990 equivalent to 1x-Titan X) [Cheap]

Fuente: http://www.rootsh3ll.com/2015/10/rwsps-wpa2-cracking-using-hashcat-cloud-ch5pt2/