by hash3liZer, 18 November 2018
In this tutorial, we will automate the wireless cracking process using WiFite. Cracking wireless networks can be tricky when the process has to be automated across multiple Access Points. A device like a Raspberry Pi can be compact and helpful in such cases: consider a device that can be carried anywhere, with a bundled script on it, to check for default or weak wireless passphrases.
WiFite
WiFite is an automated WiFi cracking tool written in Python. It is essentially a wrapper around well-known pentest tools such as airmon, aircrack and reaver. It is widely used for cracking WEP and WPA (WPS) wireless networks. WiFite version 2 has been released and is likely to be installed already if you are running the Kali or Parrot Linux distributions.
However, since I want this tutorial to be usable by Raspberry Pi and Ubuntu users as well, we will start by installing WiFite.
STEP 1
WiFite Installation
The project is available on github: https://github.com/derv82/wifite2
Clone the repository using git:
Now, install some prerequisites required for the PMKID attack:
Some tools are required for WiFite to run properly and others are optional; you can find the list at the link given above. The utilities iwconfig and ifconfig are most likely already installed. However, if the aircrack-ng suite is missing, it can be installed easily with the apt package manager:
Now, to install WiFite:
This will install WiFite as a normal Linux command by creating a symlink in the /usr/bin/ directory. You can verify it by printing the manual:
STEP 2
Monitor mode
You need your wireless card to be operating in monitor mode, which can be done with airmon-ng:
STEP 3
WPA/WPA2 Cracking using handshake
The standard method used by most scripts is to capture a handshake and then brute force the actual key offline against it. More recently, a new method was discovered that uses the PMKID to accomplish the same task. To brute force WPA/WPA2 networks using the handshake, run the command below:
Arguments:
- -i: Monitor mode interface to use.
- --random-mac: Randomize the Wireless Adapter MAC address.
- --clients-only: Target only networks that have connected stations (clients).
- --wpa: Target WPA/WPA2 networks only. WPS included.
- --dict: Wordlist to use for cracking MIC hash.
STEP 4
WPS Cracking
The WPS protocol was developed to make it easy for users to connect to Access Points. However, the protocol itself is vulnerable on a variety of misconfigured routers. WiFite uses the Pixie Dust and WPS PIN attacks against WPS networks. To target only WPS networks:
Arguments:
- --nodeauths: Do not send deauthentication packets.
- --wps: Only target WPS networks.
- --wps-only: Only use the PIN brute force and Pixie Dust attacks.
STEP 5
WPA/WPA2 cracking using PMKID
Recently, a new method for cracking WPA/WPA2 was discovered by Jens Steube. The difference between the handshake and PMKID approaches is that the handshake method requires the whole 4-way handshake in order to compute the key to be brute forced. With this new technique, the attacker instead makes the Access Point send the first EAPOL message, which contains the PMKID value that is then brute forced. The PMKID attack requires two more tools. Install hcxtools:
Then install hcxdumptool:
To crack WiFi networks using the PMKID attack:
Arguments:
- --pmkid: Only use PMKID to crack wireless networks.
- --pmkid-timeout: How long to wait for the first message to arrive.
- --dict: Wordlist with passwords to brute force.
STEP 6
Cracking Networks
To see which networks are cracked, just execute this command:
Conclusion
WiFite is an excellent wireless cracking tool that automates the cracking process on top of other pentest utilities. It can easily be integrated with a compact device like a Raspberry Pi and can be a very useful tool for a number of reasons.
How To Crack WPA/WPA2 With HashCat
The tutorial will illustrate how to install and configure HashCat on a Windows client and crack the captured PMKID or .hccap files using a wordlist dictionary attack.
“Hashcat is the self-proclaimed world’s fastest password recovery tool. It had a proprietary code base until 2015, but is now released as free software. Versions are available for Linux, OS X, and Windows and can come in CPU-based or GPU-based variants.”
The WPA2 handshake can be captured on a Linux-compatible client such as Kali Linux with a supported WiFi card running in VirtualBox. The capture is then converted to the right format, depending on the capture method, and moved over to the Windows client to be cracked.
Use the guides Capturing WPA2 and Capturing WPA2 PMKID to capture the WPA2 handshake. For this test we will use the famous “Rockyou” wordlist.
DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.
Step 1: Download HashCat
Hashcat does not require installation; it is a portable program, so you only need to unpack the downloaded archive.
- First you need to download Hashcat binaries from https://hashcat.net/hashcat/
- Navigate to the location where you saved the downloaded file, and unzip the file
Step 2: Download Wordlist
There are numerous wordlists available on the web; for this test we are going to use the famous “rockyou” list.
- Open the hashcat folder on your harddrive and create a new folder called “wordlist”
- Download the rockyou.txt wordlist from this link.
- Save the downloaded file in the new folder “wordlist”.
Step 3: Prepare Your Captured WPA2 Handshake
Depending on the method you used to capture the handshake, you must convert either the .cap file to hashcat's 2500 hash mode or the PMKID capture to hashcat's 16800 hash mode.
For how to format the files please see the guides Capturing WPA2 and Capturing WPA2 PMKID.
In this lab we are using a captured PMKID and a pcap handshake, both converted to hashcat-readable formats: “HonnyP01.hccapx” and “HonnyP02.16800”.
I’m using two different home routers from D-Link and Technicolor for this experiment; both WiFi routers are owned by me.
- The “HonnyP01.hccapx” file is captured from the D-Link router.
- The “HonnyP02.16800” file is captured from the Technicolor router.
Step 4: Start Hashcat
You need to run hashcat in CMD or PowerShell. In this example we will use CMD to execute our commands and crack the handshake.
Open CMD and navigate to the hashcat folder.
Type hashcat64 -h to display all options.
Step 5: Crack WPA2
In the first example we will illustrate how to get the password from a converted pcap file (“.hccapx”).
Copy your converted file to the hashcat folder; in this example I am copying the file HonnyP01.hccapx to my hashcat folder.
Next we will start hashcat and use the wordlist rockyou, type in the parameters below in CMD.
- hashcat64 the binary
- -m 2500 the format type
- -w 3 workload-profile 3
- HonnyP01.hccapx the formatted file
- “wordlist\rockyou.txt” the path to the wordlist (the rockyou.txt file saved in the “wordlist” folder created in Step 2)
Hashcat will start processing the file; if the attack is successful, the terminal will display the hash and the password.
Here we can see that hashcat was able to match the hash to a password in the wordlist; in this lab the password for the D-Link WiFi is “password”. You can choose to let the application run through the whole wordlist or press “q” to quit.
You can display the cracked password with the “--show” option or by running the same command again; all cracked hashes are stored in the “hashcat.potfile” file in the hashcat folder.
To display the cracked password in CMD, type the command below.
In the next example we will run the same command, except that we now use the 16800 mode to run the dictionary attack against the formatted PMKID file captured from the Technicolor router.
- hashcat64 the binary
- -m 16800 the format type
- -w 3 workload-profile 3
- HonnyP02.16800 the formatted file
- “wordlist\rockyou.txt” the path to the wordlist
Here we can see that the cracked password is “adsladsl” for the Technicolor router.
Extra: Brute Force Attack and Rule-Based Attack
You can let hashcat brute force the file with the command below.
Or use a rule-based attack.
Conclusion
Your home or office WiFi can be hacked if you are using a weak password. As always, a strong and complex password is still the best defense against an attacker.
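The conclusion's point can be turned into a quick self-check a network owner runs before setting a passphrase. This is an added example, not code from either tutorial: it assumes a constructed stand-in wordlist (SAMPLE_WORDLIST) and an assumed guess rate (ASSUMED_GUESSES_PER_SEC), and instead of generating candidates it undoes common mangling rules (leetspeak, appended digits) to see whether a passphrase is reachable from a wordlist entry, which is what the dictionary and rule-based runs described above exploit.

```python
import re

# Constructed stand-in for rockyou.txt (a handful of entries, not the real list).
SAMPLE_WORDLIST = {"123456", "password", "qwerty", "adsladsl", "letmein", "dragon"}

# Every WPA2 guess costs a PBKDF2-HMAC-SHA1 derivation (4096 iterations), so WPA2
# throughput is far below plain hash modes. ASSUMED figure, used for the estimate only.
ASSUMED_GUESSES_PER_SEC = 400_000

# Leetspeak swaps and appended/prepended digits or symbols: the kind of rules a
# rule-based run applies to wordlist entries. Here they are undone, not applied.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t"})
TRIM = re.compile(r"^[\d!?._-]+|[\d!?._-]+$")
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))


def base_words(passphrase):
    """Base words a rule engine could have mangled into this passphrase, most literal first."""
    low = passphrase.lower()
    stripped = TRIM.sub("", low)
    seen = []
    for w in (passphrase, low, stripped, low.translate(LEET), stripped.translate(LEET)):
        if w and w not in seen:
            seen.append(w)
    return seen


def brute_force_seconds(passphrase, rate=ASSUMED_GUESSES_PER_SEC):
    """Worst-case time for a mask attack over the character classes the passphrase uses."""
    alphabet = sum(n for pattern, n in CLASSES if re.search(pattern, passphrase))
    return alphabet ** len(passphrase) / rate


def audit(passphrase, wordlist=SAMPLE_WORDLIST):
    """Return (verdict, detail) for a candidate WPA2 passphrase."""
    if not 8 <= len(passphrase) <= 63:
        return "invalid-length", "WPA2 passphrases must be 8 to 63 characters"
    if passphrase in wordlist:
        return "dictionary", passphrase            # falls to a straight wordlist run
    for word in base_words(passphrase)[1:]:
        if word in wordlist:
            return "rule", word                    # falls to a rule-based run
    days = brute_force_seconds(passphrase) / 86400
    if days < 365:
        return "brute-force", f"{days:.1f} days"   # exhaustible within a year at the assumed rate
    return "ok", f"{days:.3g} days"


if __name__ == "__main__":
    for p in ("password", "adsladsl", "P@ssword1", "abcdefgh", "Xq7!mZ2p-Lk"):
        print(p, audit(p))
```

The two lab passphrases from this page are flagged immediately, while a mixed-class 11-character passphrase is only reachable by exhaustive search far beyond the assumed rate.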