The WPA/WPA2 4-way authentication handshake between AP (authenticator) and client (supplicant) is used to generate encryption keys. These keys are then used to encrypt data sent over wireless medium.
In the previous tutorial, we installed the aircrack-ng suite to capture and crack the 4-way authentication handshake to obtain passphrase needed to access a wireless network. More specifically, we accelerated the process of generating handshake messages using aireplay-ng tool and captured the handshake using airodump-ng. As a final step, we performed dictionary attack with aircrack-ng command to find a passphrase. Finally, we found the passphrase 'submarine' which is listed in a well-known dictionary - rockyyou.txt.
Cracking the passphrase with aircarck-ng is performed entirely by CPU. Our WPA cracking speed is 4212 keys per seconds with the CPU Intel I7(TM)-4600U @2.10GHz (Picture 1).
> aircarck-ng -S
-S : WPA cracking speed test
Picture 1 - Checking WPA Cracking Speed Performed by CPU
Let's say that our passphrase consists of lower-case letters ([a-z], 26 characters total) and the total passphrase length is 8 letters. They are 26*26*26*26*26*26*26*26 = (26^8) total combinations or 208827064576. With the speed of 4212 keys per seconds, it would take more than one and 1/2 year to find the key.
time_for_8_letters_passphrase = 208827064576 / 4212 / 3600 / 24 / 365 = 1.57 [years]
Moreover, if the passphrase contains upper-case letters and digits as well, the S parameter is then 62 instead of 26. The cracking the 8 letters passphrase would take 1643 years.
Brute-forcing our passphrase 'submarine' (9 lower-case letters) would take 40 years. In addition, if we do not know the exact length of the passphrase, the overall cracking time will rise. It consist of the sum of time intervals needed to test each passphrase length:
overall_cracking time = time_for_1_letter_passphrase + time_for_2_letters_passphrase + time_for_2_letters_passphrase ... + time_for_9_letters_passphrase
Obviously, my CPU Intel I7(TM)-4600U @2.10GHz cannot perform a brute force attack against an 8-letter passphrase (minimum WPA / WPA2 passphrase length) in a feasible time. As a possible workaround, we can use a dictionary attack hoping that the passphrase is listed in the dictionary. However, the process of cracking passphrase can be accelerated by using GPU (graphic card). The chips on a GPU can perform specific types of operations much faster, and in a much more parallel way.
The speed test of WPA2 cracking for GPU AMD Radeon 8750M (Device 1, ) and Intel integrated GPU Intel(R) HD Graphics 4400 (Device 3) with hashcat is shown on the Picture 2.
> hashcat.exe -m 2500 -b -w 4
- b : run benchmark of selected hash-modes
- m 2500 : hash mode - WPA-EAPOL-PBKDF2
- w 4 : workload profile 4 (nightmare)
Picture 2 - Hashcat Speed Test for WPA Cracking
The ATI GPU gives us 18213 hashes per second while Intel GPU 3980. The overall WPA2 cracking speed computed by hashcat installed on Windows 10 is 22 193 h/s.
Important! The plugins 2500/2501 and 16800/16801 are supported up to Hashcat 6.2.3. If you are using Hashcat version 6.2.4 or later, please note that the plugins 2500/2501 and 16800/16801 are outdated and no longer functional. As a result, you cannot use the hash mode 2500 or the hashes in hccapx format. Therefore, if your Hashcat version is 6.2.4 or later, replace the 2500 plugin with 22000 in all hashcat examples.
Furthermore, you need to convert the handshake in the output_file-01.7z file to the hash format supported by Hashcat 6.0.0 and later. Therefore, skip section 1 of this guide and follow the instructions in section 3.2 of the WPA2 Cracking On NVIDIA with CUDA guide. Or just replace output_file-01.hccapx from the section 1 with the file output_file-01.hc22000.zip. The file output_file-01.hc22000.zip contains the hash supported by Hashcat 6.0.0 and later which we created from Handshake message captured in the output_file-01.7z file.
1. Converting cap with Handshake to Hashacat hccapx Format
First of all, we need to run Hashcat against 4-way handshake that we have already captured with airodump-ng ((aircrack-ng). I explained the steps behind capturing the handshake in a the tutorial - Cracking WPA/WP2 Pre-shared Key.
Note: Captured 4-way handshake is within archive file - output_file-01.7z.
Hashcat up to version 6.2.3 accepts WPA/WPA2 hashes in hashcat's own "hccapx" file format. Therefore, we need to compile cap2hccapx from Hashcat-utils. This suite contains a set of small utilities that are useful in advanced password cracking.
The next steps apply to the Linux operating system.
$ sudo apt install git gcc
$ git clone https://github.com/hashcat/hashcat-utils.git
$ cd hashcat-utils/src/
$ gcc cap2hccapx.c -o cap2hccapx.bin
Now, we have our cap2hccapx.bin utility ready so we can convert captured handshake file from cap to hccapx format (Picture 3).
$ ./cap2hccapx.bin output_file-01.cap output_file-01.hccapx
Picture 3 - Converting cap File to hccapx
Note: Here can download the file output_file-01.hccapx. The passphrase is a dictionary word - submarine.
2. WPA/WPA2 Handshake Cracking with Dictionary
Firstly, download the dictionary rrockyyout.txt and hashcat. Extract hashcat and run it against captured 4-way WPA/WPA2 authentication handshake (Picture 4):
> hashcat.exe -m 2500 output_file-01.hccapx rockyou.txt
Picture 4 - Cracking WPA2 Passphrase Using Dictionary
It took 15 seconds to find passphrase 'submarine' from all 14344384 passwords. The passphrase is stored in the file: hashcat.potfile. The file is created when passphrase is found (Picture 5).
Picture 5 - Checking Cracked Passphrase in hashcat.potfile File
Note: You can also show a cracked passphrase by adding the --show switch to the original command:
> hashcat.exe -m 2500 output_file-01.hccapx rockyou.txt --show
3. Brute Forcing WPA/WPA2 Handshake
The length of pre-shared key is from 8 to 63 characters. In your case, it is 9 lower-case letters. Below are variables starting with ? letter followed by one of the built-in charset (l, u, d, s, a).
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
The custom charsets are 1, 2, 3, 4. So the custom variable 1 is defined as $1. 2 as $2 etc.
Thie command below will start cracking WPA/WPA passphrase (- m 2500) that is exactly 9 nine lower-case letters.
> hashcat.exe -m 2500 -a 3 output_file-01.hccapx ?l?l?l?l?l?l?l?l?l
-a 3: attack mode 3 - brute-force
-m 2500: hash mode WPA-EAPOL-PBKDF2
?l?l?l?l?l?l?l?l?l - nine lower-case letters
Note: Char | in mask ?l?l?l?l?l?l?l?l?l is a small letter L and not pipe (vertical bar).
The statement above can be written as:
> hashcat.exe -m 2500 -a 3 --increment --increment-min 9 --increment-max 9 output_file-01.hccapx --custom-charset1 ?l ?1?1?1?1?1?1?1?1?1
-a 3: attack mode 3 - brute-force
-m 2500: hash mode WPA-EAPOL-PBKDF2
-- increment - number of letter will increment
--increment-min 9 - hashcat starts with minimum length 9
--increment-max 9 - maximum password length is 9 characters
--custom-charset1 - defines lower case letters only (?l)
Note: You can omit the keyword --increment-max 9, it is redudant.
Let's say that our passphrase is between 8 and 12 characters and it contains lower-case, upper-case letters and digits as well. The following syntax tell hashcat to use all possible combinations from the custom charset 1 that we have specified and increment its length up until the length of our mask ?1?1?1?1?1?1?1?1?1?1?1?1.
> hashcat.exe -m 2500 -a 3 --increment --increment-min 8 --increment-max 12 output_file-01.hccapx --custom-charset1 ?l?d?u ?1?1?1?1?1?1?1?1?1?1?1?1
Note: You can replace keyword --custom-charset1 with its shorter version -1.
It would take more than 8 years to crack WPA2 passphrase which is 9 lower-case letters with the hash speed about 22000 h/s (Picture 6).
Picture 6 - Estimated Time for Cracking Passphrase with 8 Lower-case Letters
The estimated cracking time can be reduced to 118 days when we know that part of the passphrase, e.g we know the passphrase starts with the letter 's'.
> hashcat.exe -m 2500 -a 3 output_file-01.hccapx --increment --increment-min 9 --custom-charset1 ?l s?1?1?1?1?1?1?1?1
or shorter version:
> hashcat.exe -m 2500 -a 3 output_file-01.hccapx s?l?l?l?l?l?l?l?l
In this case, it would take 108 days to find the passphrase. However, hashcat can find passphrase in less than 30 seconds (Picture 7).
Picture 7 - WPA2 Passphrase Found in 30 Seconds
End.