WPA CRACKING HASHCAT Gareth Kerr Cyber SecurityRune Security
WPA CRACKING && HASHCAT. Gareth Kerr – Cyber Security/Rune Security Contact: T 7145543@live. tees. ac. uk
Wireless Communication Info 1. Operates using Radio Frequency(RF) technology 2. IEEE 802. 11 is a set of standards for the implementation of wireless LAN networks 1. Otherwise known as Wi-Fi. 3. Operates on the 2. 4 Ghz and 5 Ghz frequency bands 4. Supports up to 13 channels 5. Various encryption methods implemented
Kali Linux ■ Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course, Metasploit Unleashed. – Download link for Kali - https: //www. kali. org/downloads/ – Exploit Database - https: //www. exploit-db. com
What’s Aircrack-ng? 1. Aircrack-ng is a complete suite of tools to assess Wi. Fi network security. 2. It focuses on different areas of Wi. Fi security: 1. Monitoring: Packet capture and export of data to text files for further processing by third party tools. 2. Attacking: Replay attacks, deauthentication, fake access points and others via packet injection. 3. Testing: Checking Wi. Fi cards and driver capabilities (capture and injection). 4. Cracking: WEP (Deprecated) and WPA PSK (WPA 1 and 2).
Interface Configuration. (Ifconfig – Iwconfig) MODE Description Managed Node connects to a network composed of many Access Points, with roaming. Ad-Hoc Network composed of only one cell and without Access Point. Master The node is the synchronisation master or acts as an Access Point Repeater The node forwards packet between other wireless nodes Monitor The node is not associated with any cell and passively monitor all packets on the frequency
Interface Configuration. (Ifconfig – Iwconfig) ■ CLI Commands: – ifconfig wlan 0 down (Brings the interface WLAN 0 down) – iwconfig wlan 0 mode monitor (Changes the interface operating mode to monitor) – ifconfig wlan 0 up (Brings the interface WLAN 0 up) – iwconfig – Airmon-ng check kill (Kills any processes that may be using the wireless card) ■ DEMO
Mac Spoofing using “Macchanger” ■ Anatomy of a MAC Address? ■ 00: 8 f: 13: b 6: 84 VENDOR: UNIQUEID ■ macchanger --random wlan 0 (Changes the Mac to a randomly assigned MAC address) ■ macchanger -l (Lists all known Mac Vendors) ■ macchanger --mac=00: 8 f: 13: b 6: 84 wlan 0 (Changes to a specific Mac address)
Testing Injection Capability of the Wireless Card. ■ aireplay-ng -9 -a [BSSID] -i [RECIEVING INTERFACE] [INTERFACE TO TEST] -9 Injection test. Long form is --test. -a MAC address of the access point (BSSID). -i wlan 1 is interface name of the second card if you want to determine which attacks your card supports. This interfaces acts as an AP and receives packets. interface Interface to test injection ■ DEMO
Airodump-ng (Sniffing for Local Access Points) ■ Airodump wlan 0 ■ Deciphering the output BSSID The MAC address of the AP PWR Signal strength. Note - Some Wireless drivers to not report this. Beacons Number of beacon frames received. If you don't have a signal strength you can estimate it by the number of beacons: the more beacons, the better the signal quality Data Number of data frames received. CH Channel the AP is operating on. 0 -12 MB Maximum speed for the AP. ENC Encryption: OPN: no encryption, WEP: WEP encryption, WPA: WPA or WPA 2 encryption. ESSID The network name. Sometimes hidden
Airodump-ng (Targetted Sniffing) ■ Now we know the details of the Access Point we wish to target. We can narrow down our output to just this BSSID. ■ airodump-ng [CHANNEL] [BSSID] [WRITE] [INTERFACE] --channel Channel the access point is broadcasting on. --bssid Mac address of the target access point. --write Writes the packet capture to a file. interface Interface you wish the use to start the packet capture.
Airodump-ng Extended (Targetted Sniffing) ■ You should notice we now have a new area at the bottom of the output. BSSID The MAC of the AP the client is associated to. STATION The MAC of the client itself. PWR Signal strength. PACKETS Number of data frames received. PROBES Network names (ESSIDs) this client has probed.
Obtaining the WPA Handshake (Hash). ■ If you are sniffing on a large network. You will find that you may obtain the handshake fairly quickly. You will know when the handshake has been obtained as Airodump-ng will inform you.
Aireplay-ng (Deauthentication) ■ Aireplay-ng is another tool in the Aircrack protocol suite. The theory behind this is we want to disconnect the device. Then when the client reconnects we capture the handshake. Will a generic user know that this happened? Probably not. ■ aireplay-ng --deauth [Deconnection Attempts] -a [AP MAC ADDRESS] c [MAC ADDRESS TO TARGET] [INTERFACE] --deauth ARP disconnection attack. -a Mac address of the target access point. -c Targetted MAC address. interface Interface you are using. ■ DEMO
“Cleaning” the Capture file. ■ Since we have a packet capture file (While writing during Airodump-ng). We now need to clean the file. It needs to be in a format which HASHCAT understands. ■ CLI Commands: – locate cap 2 hccapx. bin (Locates the binary file) – mv /usr/lib/hashcat-utils/cap 2 hccapx. bin. (Move file to the directory) –. /cap 2 hccapx. bin [CAPTURE FILE] [CLEANED FILE NAME] ■ We should now have a cleaned file. ■ We will leave this file until later when we crack it.
HASHCAT
Hash Functions
Hashcat Overview ■ Hashcat is the self-proclaimed world’s fastest password recovery tool. ■ It support hundreds of hash formats, such as MD 5, the SHA family. Unix Crypt formats, Mysql (Many more). ■ It harnesses the power of GPU’s for accelerated cracking (Cuda), can be used with a CPU however it is much slower. ■ Hashcat will take the HASH and try to convert it back into the plain text equivalent. ■ Works on Windows/Linux and MAC OS.
Hashcat Basics - Attack Modes ■ Hashcat comes with a number of attack modes: – 0 | Straight – 1 | Combination (Using Two Wordlists) – 3 | Brute-force (Using a defined character set) – 6 | Hybrid Wordlist + Mask – 7 | Hybrid Mask + Wordlist
Hashcat Basics - Benchmarking ■ You can benchmark a hashing algorithm using hashcat. Throughout this tutorial video we will be using MD 5 for demonstration purposes. – -b = Benchmark – -m = Hash Number. e. g. 1700 or 8900 for scrypt. ■ Command: – hashcat -b -m 1700 ■ Output: – 1 k. H/s is 1, 000 (one thousand) hashes per second – 1 MH/s is 1, 000 (one million) hashes per second. – 1 GH/s is 1, 000, 000 (one billion) hashes per second. – 1 TH/s is 1, 000, 000 (one trillion) hashes per second. – 1 PH/s is 1, 000, 000 (one quadrillion) hashes per second. – 1 EH/s is 1, 000, 000 (one quintillion) hashes per second
Hashcat Basics - Arguments ■ Arguments: – ■ Argument 1: – ■ Filename | Hash Argument 4: – ■ -m (Hash type, Example MD 5, WPA) Argument 3: – ■ -a (Attack Mode, 0, 1, 3, 6, 7) Argument 2: – ■ In order for the command to execute. You must provide the appropriate parameters. Dictionary | Mask | Directory Complete Command: – Hashcat –a 0 –m 2500 hashes. txt rockyou. txt
Hashcat Basics - Straight Attack Mode (-a 0) ■ Using the google 10000. txt wordlist (Google’s most searched for words). We will run a straight attack against the MD 5 Hashing Algorithm. I have compiled pre hashed MD 5’s to show the attack modes. ■ Command: – hashcat -a 0 -m 0 md 5 hashes. txt google 10000. txt ■ DEMO
Hashcat Basics - Straight Attack Mode – Cracking the WPA ■ Using the cleaned hccap file we created earlier, we will use the straight Handshake attack mode alongside a wordlist to crack the key. ■ Command: – hashcat -a 0 -m 0 cleaned google 10000. txt ■ DEMO
Hashcat Basics - Straight Attack Mode & Rules ■ Using the same attack mode, we will use a rule to alter the wordlist. The rule will be applied to every password in the worlist, hashed and then compared to the hash file. Each rule file will generally contain hundreds or rules. ■ For example, one rule might change all of the A’s to 4’s, or perhaps all of the S’s to $’s ■ Wordlist containing the following words: – ■ Password, Hashcat, Is, Awesome. Rule alters the words: – p 4$$word, ha$hcat, is, 4 we$some ■ A popular ruleset is the best 64. rule, which comes with hashcat. ■ Command: – ■ hashcat -a 0 -m 0 md 5 hashes. txt google 1000. txt -r /usr/share/hashcat/rules/best 64. rule DEMO
Hashcat Basics – Combinator Attack Mode (-a 1) ■ The combinator attack mode concatenates wordlists. It will try every variation of the each of the wordlists. ■ If we had two wordlists: ■ – Wordlist 1: Hashcat, Is, Awesome. – Wordlist 2: Random, Words, Combinator. – Combined: hashcatrandom, hashcatwords, hashcatcombinator etc. Command: – ■ hashcat -a 1 -m 0 md 5 hashes. txt wordlist 1. txt wordlist 2. txt DEMO
Hashcat Basics – Combinator Utility ■ We can also just use the Combinator Utility to create a permanent, combined dictionary. ■ Commands: ■ – mv /usr/lib/hashcat-utils/combinator. bin. – . /combinator. bin google 10000. txt > google 10000 combined. txt – cat google 10000 combined. txt Now we can use this in the straight attack mode, since the dictionary is already combined. – Hashcat -a 0 -m 0 md 5 hashes. txt google 10000 combined. txt
Hashcat Basics – Bruteforce (-a 3) ■ This is by far the slowest and most inefficient way of cracking any password. ■ Syntax – ? l = abcdefghijklmnopqrstuvwxyz – ? u = ABCDEFGHIJKLMNOPQRSTUVWXYZ – ? d = 0123456789 – ? h = 0123456789 abcdef – ? H = 0123456789 ABCDEF – ? s = «space» !"#$%&'()*+, -. /: ; <=>? @[]^_`{|}~ ■ Can also define custom character sets. Using the -1 [CHARACTERS] ■ Command: – hashcat -a 3 -m 0 md 5 hashes. txt -1 ? l? d? s? u ? 1? 1? 1 -w 3
Hashcat Basics – PACK (Password Analysis Toolkit) ■ Using PACK to analyze datasets, meaning PACK will look for the most common patterns within a password dataset and create a mask. To understand why this is useful we will need to give you an insight into what it actually does. ■ So the steps we will be following in sequence are, ■ – analyzing a dataset using statsgen – creating a mask using maskgen – converting the mask to a hcmask file. As this takes some time I have prepared the files just for use in this demo.
Hashcat Basics – PACK (Statsgen) ■ statsgen hashesorgwordlist --minlength=5 --maxlength=6 --hiderare -o hashesorg. masks ■ Breakdown: – So first we are giving statsgen the dataset, in this case hashesorgwordlist. ■ – --minlength=5 --maxlength=6 ■ – Specifying the minimum and maximum length of the passwords we wish to analyse. --hiderare ■ – Statsgen hashesorgworlist Hiderare just means do not show us statistics which are less than 1% of the data sample. -o hashesorg. masks ■ The last part is just telling hashcat to output the stats to a mask file.
Hashcat Basics – PACK (Maskgen) ■ Command: – ■ maskgen hashesorg. masks --optindex -o hashesorg. hcmask Breakdown: – First we are giving statsgen the dataset, in this case hashesorgwordlist. ■ – --optindex ■ – Maskgen hashesorg. masks Default switch to sort the mask. ---o hashesorg. hcmask ■ Output file name, to then be given to hashcat.
Hashcat Basics – Hybrid – Wordlist & Mask ■ A hybrid attack mode combines the elements we have already learned about, we are taking a wordlist and appliny g mask to it. Effectively concatenating characters to the end of the words. ■ Command: – ■ DEMO hashcat -a 6 -m 0 demohashes. txt google 10000. txt hashesorg. hcmask
Hashcat Basics – Hybrid – Mask & Wordlist ■ This attack mode is the opposite of the last, we are appending a wordlist to a Mask. ■ Command: – ■ DEMO Hashcat -a 7 -m 0 md 5 hashes. txt /usr/share/hashcat/masks/rockyou-1 -60. hcmask-O -w 3
ANY QUESTIONS?
Gareth Kerr – Cyber Security/Rune. Security Contact: T 7145543@live. tees. ac. uk
- Slides: 33