Let me start by inserting the classic Ethical Hacker disclaimer:
“Please do not use these methods illegally. If you do not own the network and/or have appropriate permission to do this, dont! I am not responsible for any of your actions!!” Easy enough right? blah blah blah, okay now on to the good stuff.”
I will point out there is at least a few dozen ways, if not more, to accomplish this task. Maybe I will show alternative methods in the future, who knows. The way that I’m going to show you today is the way I know best. BTW- This is all free software guys… sick, I know. Keep in mind your wireless card will need to support packet injection and monitoring mode. That in itself will require some research on your own by following this link:
OS: Kali GNU/Linux Rolling x64
Hashcat version 3.4
Aircrack-ng Suite 1.2 rc4
Step 1: Sniffing
Find the name of your wifi interface by opening up a terminal and typing ifconfig. You should see your interfaces listed. Most likely your wireless interface is called wlan0 or something similar. In this tutorial “wlan0” or “wlan0mon”(once in monitoring mode) will represent the wireless interface. Make sure to substitute yours in if it differs.
Open up a terminal and then use airmon-ng to put your wireless card into monitoring mode:
airmon-ng start wlan0
Monitoring mode allows you to capture packets without being connected to an access point/WiFi router. Also keep in mind the name of your interface will probably change when you turn monitoring mode on. You can confirm this by using ifconfig again. My interface changes to “wlan0mon”.
The next thing you want to do is “listen” with airodump-ng, and note a few pieces of information.
After running this command you will see a dynamic table of access points/routers. The top of the table should look something like this.
You will want to find the WiFi network you wish to target under the “ESSID” column. Once you see it you can hit the “ctrl” and “C” keys together on your keyboard to stop listening and freeze what is currently on the screen. The things you want to note from the row that corresponds to your target would be the following:
- BSSID– This is the MAC address of the AP/Router. Copy/paste/write down this elsewhere for now.
- PWR– If you are too far away from the AP/router you may have a tough time in the next step which is the most important step of all. If PWR = -1 you will have to do some research as to the issues you may come upon. Otherwise -2 through -80ish should be ok. Keep in mind that -2 would mean you have a much better signal than -80. The closer you are to the target AP/router the better chance you have of capturing the 4-way handshake in the next steps. Your options for getting better signal strength would be physically getting closer, or finding a wifi adapter or card that supports longer distances.
- #Data– This isn’t super important but I like to pay attention to it. If you see the number under data growing, it’s a good indicator that you will be able to capture the handshake more easily as there are connected clients passing traffic.
- CH– This is the channel of the network. Copy/paste this elsewhere for now.
- ENC– For this tutorial you should be testing against a network with “WPA2” listed.
Okay, now you have the proper bits of information so you can run airodump again, but this time have it only listen to the network you specify for a 4-way handshake. The 4-way handshake contains the data needed to reverse-engineer the encrypted password. You also tell airodump what to name the output from the captured data. Replace 00:00:00:00:00:00 with the BSSID you collected in the last step. Replace 11 with CH you collected in the last step. After -w type the path to where you want the handshake capture saved, as well as the name of it (/folder/desired_filename). The “-o pcap” just tells airodump to give us the file in the .cap format which we can use in later steps.
airodump-ng ––bssid 00:00:00:00:00:00 ––channel 11 -w /root/handshakefile -o pcap wlan0mon
Now you will see a similar table to the one you saw in the last step, but this time you should notice a few differences. The first difference is that only your target network should show up now. You may also notice an additional table underneath that. It will look similar to this.
This lower table shows client devices that are connected to your target AP/Router. Ideally you will have a few options to choose from. From this table you want to note a couple of things. Be sure to keep this running for now.
- PWR– If you have options, you want to go with the client that has a better signal (-35 being much better than -80).
- Frames– A client with a high frame count is another good option. The higher frame count is usually an indication that wireless traffic is flowing pretty good from the client.
- STATION – This is the MAC address of the client device. Note this down, in the next step we are going to trick the client into re-negotiating it’s connection with the access point.
If the network you are listening to is very busy you may not need to do this next step at all. Essentially at this point as mentioned before we are waiting to snag a copy of the 4-way handshake which happens when a client authenticates to an AP/router. Sometimes this will be captured simply by listening for long enough. On a very busy network, this may happen within a few minutes or faster. If you get a handshake before completing the next step with “aireplay” you can skip it and move on to “Step 2: Prep the .cap for Hashcat”.
For this example let’s say you are on a network that’s not very busy, and devices typically stay connected to the wireless network for days at a time or longer. Instead of waiting for an undetermined amount of time for a connection to happen so we can capture it, we can force it to happen (usually). So let’s go ahead and do that. We are going to “DEAUTH” the client we noted in the last step (STATION) using aireplay.
Keep the airodump window running in the background and open a new terminal. Type the following. Replace 00:00:00:00:00:00 with the BSSID and replace 11:11:11:11:11:11 with the MAC address you collected from STATION in the last step.
aireplay-ng -a 00:00:00:00:00:00 -c 11:11:11:11:11:11 ––deauth 1 wlan0mon
What you want to do now is watch for 2 things.
- In the aireplay window you will get some responses from your command. The information you want to see from the response is the ACK’s. You want the number in front of the “|” to be higher than 0. This will indicate the client received your deauth packets. If you get 0, try sending the command again.
- Not Good-
- In the airodump window you are looking for confirmation that a handshake was captured. You will most likely see the STATION disappear after you send the deauth. When it shows back up, odds are a handshake will be captured. It should show up on the top line furthest to the right when you do capture it.
Other things you can try are deauth a different client/STATION or keep waiting for a new connection to happen. I’ve had situations where the handshake was captured in seconds, and other times where it took closer to an hour of waiting for STATIONS to show up while I sent deauths, and/or waited for a handshake to come in….. hypothetically that is…. =)
Once you ensure you have the .cap file where you told airdump to put it (directory and filename you configured with the “-w” option) you can close airodump and aireplay.
Step 2: Prep the .cap for Hashcat
The cool thing about being past “Step 1: Sniffing” and having the handshake captured is that you can go anywhere now and continue your work. You no longer have to be anywhere near the AP/Router to crack the password.
Lets start by cleaning the .cap file up. It will have all sorts of useless information in it. We really only need the few packets where the handshake took place. If you want to first take a peak at what was actually captured while sniffing you can open the .cap in wireshark and view the contents. This is not required however may be interesting to some people!
Lets now use WPAClean to strip the .cap of everything besides the handshake. Replace “handshakeclean” with whatever you want the name of the cleaned up .cap to be. Replace “/root/handshakefile.cap” with the path/filename of your .cap file from airodump (again, this is what you setup with the “-w” option in airodump).
wpaclean handshakeclean /root/handshakefile.cap
You will now need to feed this “clean” handshake capture to a Hashcat tool so it can be put in the proper “hccapx” format used by newer versions of Hashcat. You can find the tool used to do this and download/compile/install from source. It is called cap2hccapx and it is part of hashcat-utils. However for simplicity sake we will use their web converter. I do not know if Hashcat keeps your uploads or records any of the data you provide them. I have felt safe using this tool personally but use at your own risk. Also note that Hashcat 3.40-rc4 or higher is needed to work with hccapx files. I believe versions before this required you convert your cap to an hccap file. If you cannot get the newest version of Hashcat you may need to research converting .cap to .hccap. I recommend using aircrack to do this with the -j option. But again, that is for you to research more if you do not have a hccapx compatible version of Hashcat. The steps (besides the conversion) should be pretty much the same if you have to use .hccap, so don’t get discouraged!
- Go to https://hashcat.net/cap2hccapx/
- upload your “clean” .cap file.
- Enter the ESSID (wifi name) – It says this is optional but I always do it since it only takes an extra 2 seconds.
- You will be prompted to download your new .hccapx file. Make sure to save it where you can find it. You will want to rename it too as it will have a random string for the file name upon downloading.
You now have a clean and compatible version of the handshake data needed to crack the password with Hashcat! Are you excited!? This very next step is where the magic happens. It is also where patience is required.
Step 3: Dictionary Attack + Rules
Before we go any further let me point out that there is still a chance you will not crack this password. If the password is very complex, very long, doesn’t exist in your dictionary file, or any combination generated from the rules applied to your dictionary file, you may wait around for days/weeks just to find your efforts “Exhausted” as Hashcat words it. “Meaning better luck next time!”
However for as long as you keep your hccapx file, you will have the ability to keep trying! So lets start. We are going to craft a hashcat command and then go over what exactly we are asking it to do. Once we kick it off, you may have plenty of time to kill anyways 🙂
Open a terminal and type the following:
hashcat -a 0 -m 2500 ––weak-hash-threshold 0 ––session WPA2session1 -o /root/cracked.txt -r best64.rule /root/handshake.hccapx /usr/share/wordlists/rockyou.txt
Lets break down what you just put together and why.
-a 0 – This is telling Hashcat the attack mode, 0 is selected for “straight”. This basically means to try all words in a list
-m 2500 – This tells Hashcat what type of hash we are trying to break, 2500 means WPA/WPA2
––weak-hash-threshold 0 – There is much to be explained here if you want to know the reasoning behind it. But just know for this tutorial we are disabling it by entering 0
––session WPA2session1 – This gives your “session” a name in the event you want to pause and come back to where you left off. More about that in a little bit.
-o /root/cracked.txt – This tells Hashcat the folder and file name where the final data will be written to for later viewing.
-r best64.rule – This applies a rule called best64. There are a number of rules that can be used, but I find this to be one of the more effective ones. What rules do are add entries to your word-list (for the current session, not permanently) based on modifications to the existing words in the list you provide (also referred to as the dictionary). Different rules apply different modifications. If you want to see all the modifications best64 makes you should be able to Google it. In a nutshell it will do things like add “01” to the end of each word, remove the first letter of each word, replaces “a” with “@”, etc.. As you can imagine this makes your word-list grow quite a bit and therefore can mean waiting longer for a successful crack.
-/root/handshake.hccapx – This is the path to the hccapx file that you downloaded from the converter.
-/usr/share/wordlists/rockyou.txt– This is the path to your word-list/dictionary file. Kali comes pre-loaded with the path and file I used in this tutorial, along with a few other word-lists in that same directory. You do not have to use rockyou.txt but it does seem to cover a good enough range of words when combined with some rules to usually be successful for simple to moderate passwords. Rockyou.txt after all is a list of real passwords that were hacked and leaked years ago. If you want some huge word-lists I recommend the BIG-WPA-LIST series. There are 3 of them which can be found freely on the web. Keep in mind bigger isn’t always better when it comes to world-lists. Although more words may seem ideal, you will most likely be adding tons of time to how long you may wait to crack (or not crack) the hashed password as Hashcat will need to compute a salted hash for every word in the dictionary and compare it to the handshake for a match.
*Tip- In a real pentest you may not have weeks to wait around for a password to be cracked. Instead what often happens is the “attacking” party will create a targeted word-list using Crunch or similar tools. But we can do a tutorial on that another time.
Once you hit the “enter” key you have officially kicked off a dictionary attack. If this is your first time, I understand the excitement if you have made it this far. You will see a few things happen and then the progress window appear. It will not update automatically so you will need to hit the “S” key to update it.
This is where patience becomes critical. You can see that if my password isn’t guessed, it can potentially take over 8 days for Hashcat to exhaust the list. Trust me when I say there may be a time where you wait for something like this and the password isn’t cracked still.
Other things you see in the window include the dictionary you are using, the rules you are using, about how fast the program is running through hashes (Speed), and progress as far as how many of the total words have been tried so far.
Earlier I mentioned naming your session. In this example the session is called WPA2session1. There has been a few times my laptop in it’s best efforts to compute hashes as fast as possible has actually shut off due to excessive heat. The last thing you want to do is start over again, especially if you were 4 days into a cracking attempt. If for any reason you simply want to pause the program you can just hit the “P” key, and then “R” to resume. But if you need to reboot, your machine turns off, you accidentally close the terminal, etc… you can start your session back up where it left off. Open a terminal and enter the following. If you named your session something different, swap that with “WPA2session1”
hashcat ––restore ––session WPA2session1
If you happen to be successful in cracking the hashed password, eventually you will see something along these lines…
…and there you have it. You should see the SSID (name of WiFi) and the password above your summary information.
Remember, there are some trade-offs to make when cracking WPA2 passwords –
bigger list = more words, better chances, longer potential waiting period
shorter list = possibly more time friendly, target needs to be researched to create targeted word-list to be most effective.
using rules = again, better chance of success but adding to potential waiting time.
not using rules = the exact password needs to exist in your word-list in order to crack, but faster than using rules.
Thanks for reading guys, let me know if you have questions and I will do my best to answer them. On the contrary if there is something I could have done or explained better let me know! There was plenty more that could have been explained here but some of the topics could have been entire articles or discussions on their own. I have plenty more exciting “How To’s” and other information to post about so stay tuned!