Hashcat Cracking On Linux
Part 1 - Wireless Penetration Testing
Part 2 - Cracking Wireless Networks With Kali
Let us now quickly go through the basics of the tool that makes all this possible. Hashcat is insanely powerful tool that supports cracking a vast number of different types of hashes, and WPA is just one of them. Beside plain direct cracking, hashcat also contains smartly developed rules which can be used to maximally utilize the hardware and optimize the cracking process, as well as a number of powerful tools which can for example perform smart permutations of the words contained in the wordlist, or combine different wordlists to create two or three words passwords and so on. People often tend to choose more than one word, like appending the kids birthday to their surname or some other word, etc, and these abilities make Hashcat invaluable tool in the hands of a creative person.
Beside Hashcat itself, you should also have hashcat-tools collection, which you’ll use all the time, for example whenever you need to convert airodump’s capture files to the format that’s readable to hashcat. First, we will pull the hashcat-tools from Git with a simple:
git clone https://github.com/hashcat/hashcat-utils.git
Then, enter it’s src directory and run make:
cd hashcat-utils/src make
We just armed ourselves with the needed applications, and it’s time for some practice! Hopefully you still remember what we’ve done with that airodump, right? Convert your capture files (those that end with .cap) to .hccapx format, with this simple command:
./cap2hccapx.bin /path-to/capture.cap /path-to/capture.hccapx
If everything went well, you will see that converter created new files:
./cap2hccapx.bin /path-to/capture.cap /path-to/capture.hccapx Networks detected: 1 [*] BSSID=0c:9a:54:0b:b2:e5 ESSID=ad1b70 (Length: 15) --> STA=0c:ff:8a:23:b7:0f, Message Pair=0, Replay Counter=0 --> STA=0c:ff:8a:23:b7:0f, Message Pair=2, Replay Counter=0 Written 2 WPA Handshakes to: /path-to/capture.hccapx
Incredibly, but here we are, finally, we have the handshakes, in hashcat’s format, and we can begin cracking networks.
Fire up the terminal, and issue:
hashcat -o cracked.txt -a 0 -m 2500 capture.hccapx wordlist.txt
This command will start the hashcat and:
- -o, tell it to write results to a file called cracked.txt
- -a 0, tell it that we are doing a direct attack
- -m 2500, tell it we are cracking a WPA2 capture file
- start cracking capture.hccapx with passwords from wordlist.txt file
If everything is alright, after devices listing, optimizers, dictionary cache stuff etc, you will be presented with a simple line, saying:
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
● As you can imagine, pressing S will give you a status of current cracking, list you time when you started, estimation how long will it take for the whole wordlist to be processed, current speed of cracking, progress in percents, etc
● Pressing P will off course pause the cracking, so that you can use your full computer resources elsewhere temporarily. Pressing R again will resume the process, continue where you left off...
● When your attack is comprised of more than one wordlist or more than one mask, pressing B will bypass current attack and switch to the next one.
● Checkpoint is a feature that enables you to continue where you left off, which is an awesome feature, knowing how long the cracking process can take. You can freely shut down your computer, and you’ll be able to restore the process later on without losing anything. You can even continue on another machine, as long as you have all the files with you. Hashcat intelligently creates files which enable it to continue where it stopped. In order to resume the process, you need to use --session and --resume functions.
Let us now examine the images above more closely. In the second image, you can see we used the following command:
./hashcat.bin -o gotcha.txt -a 0 --hwmon-temp-abort=90 -D 1 -w 4 -m 16800 ad1b70.16800 20.txt
Let us see what this actually does:
-o gotcha.txt tells Hashcat to write the results in a file named gotcha.txt.
-a 0 tells Hashcat to use a direct dictionary attack, using words from the dictionary provided against the capture, without any recombinations, permutations and so on
--hwmon-temp-abort=90 clearly tells Hashcat to abort the cracking process if the temperature of the device used rises above 90 degrees celsius.
-D 1 tells Hashcat to use the device with ID 1, which can be any of the detected GPU’s or CPU’s. In our example seen on the second image, we used the detected Xeon CPU for the cracking process
-w 4 tells Hashcat how much system resources it can use for the cracking. Beginning with 1, with which you will not even notice that something goes on in the background, going up to 4 which should make the system noticeably slower
-m 16800 tells Hashcat to use PMKID cracking mode. Hashcat has many builtin cracking modes, 2500 signifies cracking .hccxap WPA2 handshake file, 16800 signifies cracking PMKID capture and so on. For the full list of modes, issue the command: hashcat --help, this will provide you with more than enough details to start
Now, at this point I'm sure you’re wondering why you ventured into this in the first place, is there an end to this, light at the end of the tunnel and so on?!?
Sorry mate, there is no end.
The whole field evolves with time. As soon as new security measures are invented, so are the ways to bypass them.
And this is all great!
These are toys for us grown-up kids, more the merrier! :-)
See you very soon in the next part, when we will talk about cracking networks with PMKID, without having to capture the handshake first, and more.
Stay tuned! :-)