Presentation is loading. Please wait.

Presentation is loading. Please wait.

WPA Cracking && Hashcat.

Published by慨缄 庄 Modified over 5 years ago

Similar presentations

Presentation on theme: "WPA Cracking && Hashcat."— Presentation transcript:

1 WPA Cracking && Hashcat.
Gareth Kerr – Cyber Security/Rune Security Contact:

2 Wireless Communication Info
Operates using Radio Frequency(RF) technology IEEE is a set of standards for the implementation of wireless LAN networks Otherwise known as Wi-Fi. Operates on the 2.4Ghz and 5Ghz frequency bands Supports up to 13 channels Various encryption methods implemented

3 Kali Linux Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course, Metasploit Unleashed. Download link for Kali - Exploit Database -

4 What’s Aircrack-ng? Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security: Monitoring: Packet capture and export of data to text files for further processing by third party tools. Attacking: Replay attacks, deauthentication, fake access points and others via packet injection. Testing: Checking WiFi cards and driver capabilities (capture and injection). Cracking: WEP (Deprecated) and WPA PSK (WPA 1 and 2).

5 Interface Configuration. (Ifconfig – Iwconfig)
MODE  Description  Managed Node connects  to  a  network composed of many Access Points, with roaming.  Ad-Hoc Network composed of only one cell and without Access Point. Master The node is the synchronisation master or acts as an Access Point Repeater The node forwards packet between other wireless nodes Monitor The node is not associated with any cell and passively monitor all packets on the frequency

6 Interface Configuration. (Ifconfig – Iwconfig)
CLI Commands: ifconfig wlan0 down (Brings the interface WLAN0 down) iwconfig wlan0 mode monitor (Changes the interface operating mode to monitor) ifconfig wlan0 up (Brings the interface WLAN0 up) iwconfig Airmon-ng check kill (Kills any processes that may be using the wireless card) DEMO

7 Mac Spoofing using “Macchanger”
Anatomy of a MAC Address? 00:00:8f:13:b6:84 VENDOR:UNIQUEID macchanger --random wlan0 (Changes the Mac to a randomly assigned MAC address) macchanger -l (Lists all known Mac Vendors) macchanger --mac=00:00:8f:13:b6:84 wlan0 (Changes to a specific Mac address)

8 Testing Injection Capability of the Wireless Card.
aireplay-ng -9 -a [BSSID] -a [BSSID] -i [RECIEVING INTERFACE] [INTERFACE TO TEST] DEMO -9 Injection test. Long form is --test. -a MAC address of the access point (BSSID).  -i wlan1 is interface name of the second card if you want to determine which attacks your card supports. This interfaces acts as an AP and receives packets. interface Interface to test injection

9 Airodump-ng (Sniffing for Local Access Points)
Airodump wlan0 Deciphering the output BSSID The MAC address of the AP PWR Signal strength. Note - Some Wireless drivers to not report this.  Beacons Number of beacon frames received. If you don't have a signal strength you can estimate it by the number of beacons: the more beacons, the better the signal quality Data Number of data frames received. CH Channel the AP is operating on. 0-12 MB Maximum speed for the AP.  ENC Encryption: OPN: no encryption, WEP: WEP encryption, WPA: WPA or WPA2 encryption. ESSID The network name. Sometimes hidden

10 Airodump-ng (Targetted Sniffing)
Now we know the details of the Access Point we wish to target. We can narrow down our output to just this BSSID. airodump-ng [CHANNEL] [BSSID] [WRITE] [INTERFACE] --channel  Channel the access point is broadcasting on. --bssid  Mac address of the target access point. --write  Writes the packet capture to a file. interface Interface you wish the use to start the packet capture. 

11 Airodump-ng Extended (Targetted Sniffing)
You should notice we now have a new area at the bottom of the output. BSSID The MAC of the AP the client is associated to.  STATION   The MAC of the client itself. PWR Signal strength.  PACKETS Number of data frames received. PROBES Network names (ESSIDs) this client has probed.

12 Obtaining the WPA Handshake (Hash).
If you are sniffing on a large network. You will find that you may obtain the handshake fairly quickly. You will know when the handshake has been obtained as Airodump-ng will inform you.

13 Aireplay-ng (Deauthentication)
Aireplay-ng is another tool in the Aircrack protocol suite. The theory behind this is we want to disconnect the device. Then when the client reconnects we capture the handshake. Will a generic user know that this has happened? Probably not. aireplay-ng --deauth [Deconnection Attempts] -a [AP MAC ADDRESS] -c [MAC ADDRESS TO TARGET] [INTERFACE] DEMO --deauth ARP disconnection attack.  -a Mac address of the target access point. -c Targetted MAC address.  interface Interface you are using.

14 “Cleaning” the Capture file.
Since we have a packet capture file (While writing during Airodump-ng). We now need to clean the file. It needs to be in a format which HASHCAT understands. CLI Commands: locate cap2hccapx.bin (Locates the binary file) mv /usr/lib/hashcat-utils/cap2hccapx.bin . (Move file to the directory) ./cap2hccapx.bin [CAPTURE FILE] [CLEANED FILE NAME] We should now have a cleaned file. We will leave this file until later when we crack it.

15 HASHCAT

16 Hash Functions

17 Hashcat Overview Hashcat is the self-proclaimed world’s fastest password recovery tool. It support hundreds of hash formats, such as MD5, the SHA family. Unix Crypt formats, Mysql (Many more). It harnesses the power of GPU’s for accelerated cracking (Cuda), can be used with a CPU however it is much slower. Hashcat will take the HASH and try to convert it back into the plain text equivalent. Works on Windows/Linux and MAC OS.

18 Hashcat Basics - Attack Modes
Hashcat comes with a number of attack modes:   0 | Straight   1 | Combination (Using Two Wordlists)   3 | Brute-force (Using a defined character set)   6 | Hybrid Wordlist + Mask   7 | Hybrid Mask + Wordlist

19 Hashcat Basics - Benchmarking
You can benchmark a hashing algorithm using hashcat. Throughout this tutorial video we will be using MD5 for demonstration purposes.  -b = Benchmark -m = Hash Number. e.g or 0 or 8900 for scrypt.  Command: hashcat -b -m 1700 Output: 1 kH/s is 1,000 (one thousand) hashes per second 1 MH/s is 1,000,000 (one million) hashes per second. 1 GH/s is 1,000,000,000 (one billion) hashes per second. 1 TH/s is 1,000,000,000,000 (one trillion) hashes per second. 1 PH/s is 1,000,000,000,000,000 (one quadrillion) hashes per second. 1 EH/s is 1,000,000,000,000,000,000 (one quintillion) hashes per second

20 Hashcat Basics - Arguments
In order for the command to execute. You must provide the appropriate parameters. Argument 1: -a (Attack Mode, 0, 1, 3, 6, 7) Argument 2: -m (Hash type, Example MD5,WPA) Argument 3: Filename | Hash Argument 4: Dictionary | Mask | Directory Complete Command: Hashcat –a 0 –m 2500 hashes.txt rockyou.txt

21 Hashcat Basics - Straight Attack Mode (-a 0)
Using the google10000.txt wordlist (Google’s most searched for words). We will run a straight attack against the MD5 Hashing Algorithm. I have compiled pre hashed MD5’s to show the attack modes. Command: hashcat -a 0 -m 0 md5hashes.txt google10000.txt DEMO

22 Hashcat Basics - Straight Attack Mode – Cracking the WPA Handshake
Using the cleaned hccap file we created earlier, we will use the straight attack mode alongside a wordlist to crack the key. Command: hashcat -a 0 -m 0 cleaned google10000.txt DEMO

23 Hashcat Basics - Straight Attack Mode & Rules
Using the same attack mode, we will use a rule to alter the wordlist. The rule will be applied to every password in the worlist, hashed and then compared to the hash file. Each rule file will generally contain hundreds or rules. For example, one rule might change all of the A’s to 4’s, or perhaps all of the S’s to $’s Wordlist containing the following words: Password, Hashcat, Is, Awesome. Rule alters the words: p4$$word, ha$hcat,is,4we$some A popular ruleset is the best64.rule, which comes with hashcat. Command: hashcat -a 0 -m 0 md5hashes.txt google1000.txt -r /usr/share/hashcat/rules/best64.rule DEMO

24 Hashcat Basics – Combinator Attack Mode (-a 1)
The combinator attack mode concatenates wordlists. It will try every variation of the each of the wordlists. If we had two wordlists: Wordlist1: Hashcat, Is, Awesome. Wordlist2: Random, Words, Combinator. Combined: hashcatrandom, hashcatwords, hashcatcombinator etc. Command: hashcat -a 1 -m 0 md5hashes.txt wordlist1.txt wordlist2.txt DEMO

25 Hashcat Basics – Combinator Utility
We can also just use the Combinator Utility to create a permanent, combined dictionary. Commands: mv /usr/lib/hashcat-utils/combinator.bin . ./combinator.bin google10000.txt google10000.txt > google10000combined.txt cat google10000combined.txt Now we can use this in the straight attack mode, since the dictionary is already combined. Hashcat -a 0 -m 0 md5hashes.txt google10000combined.txt

26 Hashcat Basics – Bruteforce (-a 3)
This is by far the slowest and most inefficient way of cracking any password. Syntax ?l = abcdefghijklmnopqrstuvwxyz ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ ?d = ?h = abcdef ?H = ABCDEF ?s = Can also define custom character sets. Using the -1 [CHARACTERS] Command: hashcat -a 3 -m 0 md5hashes.txt -1 ?l?d?s?u ?1?1?1?1?1?1 -w 3

27 Hashcat Basics – PACK (Password Analysis Toolkit)
Using PACK to analyze datasets, meaning PACK will look for the most common patterns within a password dataset and create a mask. To understand why this is useful we will need to give you an insight into what it actually does.  So the steps we will be following in sequence are, analyzing a dataset using statsgen creating a mask using maskgen converting the mask to a hcmask file.  As this takes some time I have prepared the files just for use in this demo.

28 Hashcat Basics – PACK (Statsgen)
statsgen hashesorgwordlist --minlength=5 --maxlength=6 --hiderare -o hashesorg.masks Breakdown: So first we are giving statsgen the dataset, in this case hashesorgwordlist. Statsgen hashesorgworlist  --minlength=5 --maxlength=6  Specifying the minimum and maximum length of the passwords we wish to analyse.  --hiderare Hiderare just means do not show us statistics which are less than 1% of the data sample.  -o hashesorg.masks The last part is just telling hashcat to output the stats to a mask file.

29 Hashcat Basics – PACK (Maskgen)
Command: maskgen hashesorg.masks --optindex -o hashesorg.hcmask Breakdown: First we are giving statsgen the dataset, in this case hashesorgwordlist. Maskgen hashesorg.masks  --optindex Default switch to sort the mask. ---o hashesorg.hcmask Output file name, to then be given to hashcat.

30 Hashcat Basics – Hybrid – Wordlist & Mask
A hybrid attack mode combines the elements we have already learned about, we are taking a wordlist and appliny g mask to it. Effectively concatenating characters to the end of the words. Command: hashcat -a 6 -m 0 demohashes.txt google10000.txt hashesorg.hcmask DEMO

31 Hashcat Basics – Hybrid – Mask & Wordlist
This attack mode is the opposite of the last, we are appending a wordlist to a Mask. Command: Hashcat -a 7 -m 0 md5hashes.txt /usr/share/hashcat/masks/rockyou-1-60.hcmask-O -w 3 DEMO

32 ANY QUESTIONS?

33 Gareth Kerr – Cyber Security/RuneSecurity
Contact:

Download ppt "WPA Cracking && Hashcat."

Similar presentations

Overview How to crack WEP and WPA

Overview How to crack WEP and WPA
Wireless LAN Security Understanding and Preventing Network Attacks.

Wireless LAN Security Understanding and Preventing Network Attacks.
SECURING WIRELESS LANS PRESENTED BY VICTOR C. NWALA CS555 Department of Computer Science Old Dominion University.

SECURING WIRELESS LANS PRESENTED BY VICTOR C. NWALA CS555 Department of Computer Science Old Dominion University.
1 Practical stuff Crack the WPA key of this laptop. SSID: « Philips WiFi » Password list and cowpatty table available on CD (only useful today).

1 Practical stuff Crack the WPA key of this laptop. SSID: « Philips WiFi » Password list and cowpatty table available on CD (only useful today).
Crack WEP Lab Last Update 2014.08.12 1.1.0 1Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com.

Crack WEP Lab Last Update Copyright 2014 Kenneth M. Chipps Ph.D.
ACM Wi-Fi Workshop Presented By: Chris Rawlings Brad Emge.

ACM Wi-Fi Workshop Presented By: Chris Rawlings Brad Emge.
Wireless Cracking By: Christopher Zacky.

Wireless Cracking By: Christopher Zacky.
Crack WPA Lab Last Update 2014.06.11 1.0.0 1Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com.

Crack WPA Lab Last Update Copyright 2014 Kenneth M. Chipps Ph.D.
WLAN Security: Cracking WEP/WPA

WLAN Security: Cracking WEP/WPA
Hacking WLAN // BRUTE FORCE CRACKER // TCP/IP. WLAN HACK Wired Equivalent Privacy (WEP) encryption was designed to protect against casual snooping, but.

Hacking WLAN // BRUTE FORCE CRACKER // TCP/IP. WLAN HACK Wired Equivalent Privacy (WEP) encryption was designed to protect against casual snooping, but.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Wireless Networks: Signaling and Security William Tucker CEN 4516: Computer Networks FGCU: Fort Myers, FL: 09/05.

Wireless Networks: Signaling and Security William Tucker CEN 4516: Computer Networks FGCU: Fort Myers, FL: 09/05.
The Trouble with WEP Or, cracking WiFi networks for fun & profit (not really) Jim Owens.

The Trouble with WEP Or, cracking WiFi networks for fun & profit (not really) Jim Owens.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
 Any unauthorized device that provides wireless access  Implemented using software, hardware, or a combination of both  It can be intentional or unintentionally.

 Any unauthorized device that provides wireless access  Implemented using software, hardware, or a combination of both  It can be intentional or unintentionally.
Troubleshooting methods. Module contents  Avaya Wireless tools  Avaya Wireless Client Manager  Avaya Wireless AP Manager  Hardware indicators  Non.

Troubleshooting methods. Module contents  Avaya Wireless tools  Avaya Wireless Client Manager  Avaya Wireless AP Manager  Hardware indicators  Non.
195Eg Ethernet Wired LAN 195Eg. Wireless Ethernet Setting IP Address Using Utility Programs Begin Programming Definition Selection Programming Modes of.

195Eg Ethernet Wired LAN 195Eg. Wireless Ethernet Setting IP Address Using Utility Programs Begin Programming Definition Selection Programming Modes of.
Wireless Attacks. Set up the APs Computer IP: 192.168.11.50 Subnet Mask: 255.255.255.0 Router IP address: –

Wireless Attacks. Set up the APs Computer IP: Subnet Mask: Router IP address: –
Computer Networks. Network Connections Ethernet Networks Single wire (or bus) runs to all machines Any computer can send info to another computer Header.

Computer Networks. Network Connections Ethernet Networks Single wire (or bus) runs to all machines Any computer can send info to another computer Header.

Similar presentations

Ads by Google