by hash3liZer . 09 September 2019
WPA/WPA2 cracking has been a focus point in the community since many years. And we have tools to aim that focus like aircrack and hashcat. Some new advancements have been made to aid that focus in the past couple of years.
- 2 comments for 'Linset 0.10 - WPA / 2 Brute Force Hack without' Balas. January 13, 2016 at 7:09 AM. Download WPA/WEP/WPA2 Wordlist Dictionary For Easy Crack. Dumpper Dumpper v.70.1 For Windows. Crack WPA/WPA2 with Wifite. WPA 100% Decrypted.
- WPA2-PSK BRUTE FORCE. Find target's WIFI's password using brute force attack. I wanted to create this project to raise the awareness about security. I found that it's easy for a newbie programmer can crack for wifi password so you should protect yourself from internet. Now this project can only run on Windows.
- In this method we will be using both crunch and aircrack-ng inside Kali Linux to brute-force WPA2 passwords. But before we proceed let me quickly introduce you to our tools: crunch - is a wordlist generator from a character set. Aircrack-ng - a 802.11 WEP / WPA-PSK key cracker.
Brute force, unless you know a lot about the password and it's incredibly stupid (i.e. You know for certain it's an 8 character set of numbers) is going to be a non-starter. Don't forget, strictly speaking there 'shouldn't' be a way to break the password, so if none of these options seem viable, it just means you've got decent security.
So, Cracking WPA/WPA2 has been quite a topic now. In this tutorial, we are going to cover one of the infamous tools 'hashcat' for cracking WPA/WPA2.
Hashcat which is primarily built for brute forcing different kind of hashes using different kind of attack vectors, supports cracking for two of badly known WPA/WPA2 attacks. Well, for the list of available hashes, you can check the hash modes section in the manual:
In previous, you might have seen or even worked with aircrack to crack WPA/WPA2 by capturing a 4-way handshake. But that was not anywhere close to how perfect could this tool be for the purpose. Besides, hashcat is a GPU + CPU maintained tool which makes it a lot more faster.
In short, if you own a GPU, always go for hashcat or else you could use an online service or buy out some GPU based server on Internet.
We will cover up with two famous WPA/WPA attacks, precisely the cracking of MIC (4-way handshake) and PMKID (1st packet/handshake). So, let's begin.
Installation
Hashcat is built to work on Windows, Linux and as well as on Mac. You can go to hashcat.net and download the binaries and follow the instruction for your operating system. What we are going to do here is clone a fresh copy of hashcat from github and manually install it on a debain based linux.
Preferably, you should use Kali Or Parrot but a similar distro like Ubuntu will work as well.
Update Your Repo's and install the following dependencies:
Clone hashcat from github and move to directory:
Finally, compile the binaries and we are all set with hashcat.
You may try printing the help manual for hashcat to check whether you have it installed perfectly or not.
Hcxtools:
Now, let's clone and compile hcxtools from github. It is basically a set of various files to convert and generate another version of the supplied input. We will use it to convert the captured traffic into a format understandable by hashcat.
First, clone the repo and move the hcxtools directory:
And finally, run the make command to compile binaries and make necessary changes in path.
After having the requirements installed, we move to the cracking part. Below this, i am dividing the tutorial into two parts, first we will crack the WPA/WPA2 using MIC aka 4-way handshake. While in second, i'll do cracking using PMKID.
PART A
Let's clear how the MIC cracking actually works. So, in this case, we need a valid 4-way handshake. The handshake consists of many keys that are interchanged during the authentication between the client and access point.
These independent keys are used to generate a common key named 'Message Integrity Code (MIC)'. This generated MIC is used to validate the given password by cracker.
The algorithm to compute MIC is quite long and tricky and i've have covered that up in another tutorial here. So, let the cracking begin.
STEP 1
Conversion to hccapx format
Supposing you already have a captured 4-way handshake using some tool like airodump, but you still need the proper format to supply it to hashcat. To convert it to a proper format (hccapx), you need another tool.
There are already some online services that you may use: https://hashcat.net/cap2hccapx/
But still in case you are wondering to do it locally, clone the hashcat-utils repo from github:
Finally, compile the binaries. After compiling, you will have the binaries under same directory. The binary file that we need is cap2hccapx.bin. To make sure, you have it correctly compiled, try to execute the file, it will throw you back the syntax:
So, after having it installed, use the below given syntax to convert the .cap file to .hccapx hashcat capture format.
So, this will generate a file by the name 'hashfile.hccapx', which is what we are going to use with hashcat. Now, you may move to whatever directory you want, since will be cracking the final format now.
STEP 2
Cracking WPA/WPA2 (handshake) with hashcat
With hashcat, there is a possibily of various attack vectors. We could do a straight dictionary attack, brute-force attack, combinator attack or even masks attack, i.e. making rules to find various possibilities of trying different characters at different positions.
Anyhow, let's study the actual cracking of WPA/WPA2 handshake with hashcat.
Dictionary Attack:
As named, you need a wordlist for it to work. Considering you have solid list of possible wifi passphrases, or if not, you can download the famous ones: https://www.wirelesshack.org/wpa-wpa2-word-list-dictionaries.html
Launch the following command for dictionary attack:
- -a: specifies cracking mode. In our case it's dictionary mode and '/path/to/dict.txt' is complete path to the wordlist.
- -m: hash mode. Specifies what type of hash we are dealing with.
In Case You Receive issues regarding Intel CPU or 'No devices found/left', use --force argument to force the usage of your device.
Brute-Force Attack:
The Brute-force is different than the dictionary attack. Here, we try to replace every character at every possible position in a specified length from a given charset. For example, in a string of length 8, we can try every character from A-Z at every postion in this string.
That's how brute-forcing works and hence very time-consuming. Launch the following command to start your first attempt for brute-forcing:
- -a: specifies the cracking mode and here the value 3 indicates, we are running a brute-force attack.
- ?d?d?d?d?d?d?d?d: is the brute-forcing rule here. It specifies what kind of values to check, where to replace and also assumes how much time could it take to crack the key.
The above mask i.e. '?d?d?d?d?d?d?d?d' states to check a string of length 8 with a digit at every position. You can study about mask attack here: Hashcat Mask Attack.
PART B
Part A was about the handshake cracking. Whilst now, we are going to crack PMKID with hashcat. The PMKID is located in the 1st packet of 4-way handshake and hence it's kind of more useful because we don't need a complete handshake.
The algorithm to compute PMKID is given which is quite easier than that of MIC.
Let the cracking begin for PMKID.
STEP 1
Getting the PMKID hash
The first thing to proceed with PMKID cracking is the pmkid hash. To generate it we need the first packet of the 4-way handshake. Considering you already have that, we will extract the hash from the captured file.
If you are not aware of how to capture the first packet of 4-way handshake, follow this tutorial.
Let's do the conversion. Execute the below command
This will generate a file by the name pmkid.hash that we will use with hashcat to do the cracking.
STEP 2
Cracking WPA/WPA2 (PMKID) with hashcat
Just like previous part, we will apply the same rules here except for the hash mode argument. The hash mode value for PMKID cracking is 16800.
Dictionary Attack:
As per syntax we have back in the PART A section for dictionary attack, we will use that very same syntax except for the -m argument which defines what kind of hash we want to crack. We will be cracking pmkid (16800) this time.
While this would crack the key by looping through each line given in the wordlist.
Brute-Force Attack:
We will do same here as last section i.e. providing a mask to crack the hash. This time, just to show how powerful these masks could be, i'll use a different one. So, execute the command for brute-force attack:
The above mask will create combinations of string of length 8 with every alphabet at every possible position. And this sounds like a huge combination that may take a lot of time to complete. To make the attack more faster, we can use the GPU.
CPU/GPU
Now, getting into CPU/GPU thing, we just need to know that GPU is a lot more faster than CPU and hashcat have the ability to do cracking on your GPU. Hashcat has following three device modes which can be changed via -d argument:
- 1: CPU which is by default, selected.
- 2: GPU
- 3: DSP, Co-processor.
You can use one of these devices according to what's more suitable for you. For example,
To accomplish PMKID attack on GPU. That's it, i.e. cracking WPA/WPA2 via hashcat.
Conclusion
The conclusion that can be drawn out of all above is that hashcat is not just limited for a number of hashes, infact it's applicable to a wide range of hashes and other possibilities including mixes and concatenated strings. We learned to crack WPA/WPA2 using hashcat.
Besides, hashcat is known of it's power, stability and speed by operating on GPU. It also gives us the possibility of mask attack which let us play with possibilities of testing thousand of thousands strings against the hash.
For Any Questions, Queries, mistakes, you can comment down.
Last year, I wrote an article covering popular wireless hacking tools to crack or recover password of wireless network. We added 13 tools in that article which were popular and work great. Now I am updating that post to add few more in that list.
I will not explain about wireless security and WPA/WEP. You can read the existing article on wireless hacking tools to learn about them. In this post, I am updating the existing list to add few more powerful tools. I am adding seven new tools in the existing list to give you a single list of the most used wireless cracking tools.
1. Aircrack
Aircrack is the most popular and widely-known wireless password cracking tool. It is used as 802.11 WEP and WPA-PSK keys cracking tool around the globe. It first captures packets of the network and then try to recover password of the network by analyzing packets. It also implements standard FMS attacks with some optimizations to recover or crack password of the network. optimizations include KoreK attacks and PTW attack to make the attack much faster than other WEP password cracking tools. This tool is powerful and used most widely across the world. This is the reason I am adding it at the top of the list.
It offers console interface. If you find this tool hard to use, you can try the available online tutorials. Company behind this tool also offers online tutorial to let you learn by yourself.
Download: http://www.aircrack-ng.org/
2. AirSnort
AirSnort is another popular wireless LAN password cracking tool. It can crack WEP keys of Wi-Fi802.11b network. This tool basically operates by passively monitoring transmissions and then computing the encryption key when enough packets have been gathered. This tool is freely available for Linux and Windows platform. It is also simple to use. The tool has not been updated for around three years, but it seems that company behind this tool is now interested in further development. This tool is also directly involved in WEP cracking and hence used widely.
Download AirSnort: http://sourceforge.net/projects/airsnort/
3. Kismet
Kismet is another Wi-Fi 802.11 a/b/g/n layer 2 wireless network sniffer and intrusion detection system. This tool is basically used in Wi-Fi troubleshooting. It works fine with any Wi-Fi card supporting rfmon mode. It is available for Windows, Linux, OS X and BSD platforms. This tool passively collects packets to identify standard network and also detects the hidden networks. Built on a client server modular architecture, this tool can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. It is an open source tool and supports recent faster wireless standards.
Download Kismet: http://www.kismetwireless.net/download.shtml
4. Cain & Able
Cain & Able is another popular tool used for cracking wireless network passwords. This tool was developed to intercept the network traffic and then use the brute forcing to discover the passwords. This is why this tool helps a lot while finding the password of wireless network by analyzing the routing protocols. This tool can also be used to crack other kind of passwords. It is one of the most popular password cracking tools.
This tool is not just for WEP cracking but various other features are also there. It is basically used for Windows password cracking. This is the reason this tool is so popular among users.
Download Cain & Able: http://www.oxid.it/cain.html
5. WireShark
WireShark is a very popular tool in networking. It is the network protocol analyzer tool which lets you check different things in your office or home network. You can live capture packets and analyze packets to find various things related to network by checking the data at the micro-level. This tool is available for Windows, Linux, OS X, Solaris, FreeBSD and other platforms.
If you are thinking to try this tool, I recommend you to first read about networking and protocols. WireShark requires good knowledge of network protocols to analyze the data obtained with the tool. If you do not have good knowledge of that, you may not find this tool interesting. So, try only if you are sure about your protocol knowledge.
Wireshark does is one of the most popular tool in networking and this is why it was included in this list in higher position.
Download Wireshark: https://www.wireshark.org/
6. Fern WiFi Wireless Cracker
Fern WiFi Wireless Cracker is another nice tool which helps with network security. It lets you see real-time network traffic and identify hosts. Basically this tool was developed to find flaws in computer networks and fixes the detected flaws. It is available for Apple, Windows and Linux platforms.
it is able to crack and recover WEP/WPA/WPS keys easily. It can also run other network based attacks on wireless or Ethernet based networks. For cracking WPA/WPA2, it uses WPS based on dictionary based attacks. For WEP cracking, it uses Fragmentation, Chop-Chop, Caffe-Latte, Hirte, ARP Request Replay or WPS attack.
This tool is in active development. SO, you can expect timely update with new features. Pro version of the tool is also available which offers much features.
Download Fern WiFi Wireless cracker: http://www.fern-pro.com/downloads.php
7. CoWPAtty
CoWPAtty is another nice wireless password cracking tool. It is an automated dictionary attack tool for WPA-PSK to crack the passwords. It runs on Linux OS and offers a less interesting command line interface to work with. It runs on a word-list containing thousands of password to use in the attack. If the password is in the password’s word-list, this tool will surely crack the password. But this tool is slow and speed depends on the word list and password’s strength. Another reason for slow process is that the hash uses SHA1 with a seed of SSID. It means the same password will have a different SSIM. So, you cannot simply use the rainbow table against all access points. So, the tool uses the password dictionary and generates the hash for each word contained in the dictionary by using the SSID. This tool is simple to use with available commands.
With the newer version of the tool CoWPAtty tried to improve the speed by using a pre-computed hash file to avoid the computation at the time of cracking. This pre-computed file contains around 172000 dictionary file for around 1000 most popular SSIDs. But for successful attack, your SSID must be in that list. If your SSID is not in those 1000, you are unlucky. Still, you can try this tool to see how it works.
Download CoWPAtty: http://sourceforge.net/projects/cowpatty/
8. Airjack
Crack Wpa2 Brute Force Vodafone Download Windows 10
Airjack is a Wi-Fi 802.11 packet injection tool. It is used to perform DOS attack and MIM attack. This wireless cracking tool is very useful in injecting forged packets and making a network down by denial of service attack. This tool can also be used for a man in the middle attack in the network. This tool is popular and powerful both.
Download AirJack: http://sourceforge.net/projects/airjack/
9. WepAttack
WepAttack is another working open source Linux tool for breaking 802.11 WEP keys. Like few other tools in the list, this tool also performs an active dictionary attack. It tests millions of words from its dictionary to find the working key for the network. Only a working WLAN card is required to work with WepAttack to perform the attack. Limited usability but works awesome on supported WLAN cards.
Download WepAttack: http://wepattack.sourceforge.net/
10. NetStumbler
NetStumbler is another wireless password cracking tool available only for Windows platform. It helps in finding open wireless access points. This tool is freely available. Basically NetStumbler is used for wardriving, verifying network configurations, finding locations with a poor network, detecting unauthorized access points, and more.
This tool is not very effective now. Main reason is that last stable release of the tool was back in April 2004 around 11 years ago. So, it does not work with 64-bit Windows OS. It can also be easily detected with most of the wireless intrusion detection systems available. So, you can use this tool for learning purpose on home network to see how it works.
A trimmed down version dubbed as ‘MiniStumbler’ of the tool is also available. This tool is too old but it still works fine on supported systems. So, I included it in this list.
Download NetStumbler: http://www.stumbler.net/
11. inSSIDer
inSSIDer is one of the most popular Wi-Fi scanner for Microsoft Windows and OS X platforms. This tool was released under open source license and also awarded as “Best Open Source Software in Networking”. Later it became premium tool and now costs $19.99. The inSSIDer Wi-Fi scanner can do various tasks, including finding open Wi-Fi access points, tracking signal strength, and saving logs with GPS records. Basically this tool is used by network administrators to find the issues in the wireless networks
Download inSSIDer: http://www.inssider.com/
12. Wifiphisher
Wifiphisher is another nice hacking tool to get password of a wireless network. This tool can execute fast automated phishing attack against a Wi-Fi wireless network to steal passwords. This tool comes pre-installed on Kali Linux. It is free to use and is available for Windows, MAC and Linux.
Download and read more about WiFiphisher:
https://github.com/sophron/wifiphisher
https://github.com/sophron/wifiphisher
13. KisMac
KisMac is tool very much similar to Kismet, we added in the list above. It offers features similar to Kismet and is used as wireless network discovery hacking tool. As the name suggests, this tool is only available for Mac. It scans for networks passively only on supported wireless cards and then try to crack WEP and WPA keys by using brute force or exploiting any flaw.
Download KisMac:
http://kismac-ng.org/
http://kismac-ng.org/
14. Reaver
Reaver is an open-source tool for performing brute force attack against WPS to recover WPA/WPA2 pass keys. This tool is hosted on Google Code and may disappear soon if developer has not migrated it to another platform. It was last updated around 4 years ago. Similar to other tools, this tool can be a good alternate to other tools in the list which use same attack method.
Download Reaver:
https://code.google.com/p/reaver-wps/downloads/list
https://code.google.com/p/reaver-wps/downloads/list
15. Wifite
Crack Wpa2 Brute Force Vodafone Download Apk
Wifite is also a nice tool which supports cracking WPS encrypted networks via reaver. It works on Linux based operating systems. It offers various nice features related to password cracking.
Download Wifite: https://github.com/derv82/wifite
We have a complete article on Wifite. Read wifite walkthrough.
16. WepDecrypt
WepDecrypt is another wireless LAN tool written in C language. This tool can guess the WEP keys by performing dictionary attack, distributed network attack, key generator and some other methods. This tool needs few libraries to work. You can read more details on the download page. Tool is not so popular but it is good for beginners to see how dictionary attack works.
Download and read more about WepDecrypt:
http://wepdecrypt.sourceforge.net/wepdecrypt-manual.html
http://wepdecrypt.sourceforge.net/wepdecrypt-manual.html
17. OmniPeek
OmniPeek is a packet sniffer and network packets analyzer tool. This tool is only available for Windows platform and is available for commercial use only. It also requires you to have good knowledge of network protocols and understanding of network packets. It works with most of the network interface cards available in market. With available plugins, this tool can become more powerful. Around 40 plugins are already available to extend the functions of this tool.
Download OmniPeek: http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer
18. CloudCracker
CloudCracker is an online password cracking tool to crack WPA keys of Wireless network. This tool can also be used to crack various other kind of password hashes. You only need to upload the handshake file and enter the network name to start the attack. With 3000 million words long dictionary, this tool is most likely to crack the password. This tool is also used for MD5, SHA and few other cracking. It is also an effective tool and worth to mention if we talk about wireless cracking tools.
See CloudCracker: https://crack.sh/
19. CommonView for Wi-Fi
CommonView for Wi-Fi is also a popular wireless network monitor and packer analyzer tool. It comes with easy to understand and use GUI to work with. This tool is basically for Wi-Fi network admins and security professionals who want to monitor and troubleshoot network related problems. It works fine with Wi-Fi 802.11 a/b/g/n/ac networks. It captures every single packet and lets you see useful information of the network. You can also get useful information like protocol distribution, access points, signal strength and more. This tool offers key information about a network and has a good value for network admins.
Download CommonView: http://www.tamos.com/products/commwifi/
20. Pyrit
Pyrit is also a very good tool which lets you perform attack on IEEE 802.11 WPA/WPA2-PSK authentication. This tool is available for free and is hosted on Google Code. SO, it could be disappearing in coming months. It works on range of platforms including FreeBSD, MacOS X and Linux.
It performs brute-force attack to crack the WPA/WPA-2 passwords. It is very effective and I recommend you to try it once. Due to its effectiveness, it was necessary to mention this tool in this list.
Download Pyrit:
https://code.google.com/p/pyrit/
https://code.google.com/p/pyrit/
Final words
In this post, I added twenty working wireless cracking tools available for free or in open source licenses. You can try these tools to get access to a wireless network without knowing its password. Most of the tools are capable of cracking wireless network passwords but password cracking time may vary depending on the password’s complexity and length. Few tools cannot be directly used in cracking wireless passwords but packet analysis helps in guessing password.
I also recommend the use of these tools just for learning purpose. We do not encourage illegal activities and do not support these kind of people. Hacking wireless network to get unauthorized access is a cyber-crime. So, do not put yourself into a risk.
If you are into network security profession, you must know about these tools.
I tried my best to provide most of the available popular wireless hacking tools. If you have any suggestion, you can comment below to suggest us.