Aircrack vs. Hashcat


There are two types of bruteforce attacks – raw bruteforce and dictionary attacks. A raw bruteforce attack means trying every single password within the specified limits, and a dictionary attack means only trying passwords from a dictionary file. With more and more powerful hardware in household computers, it’s becoming possible to do bruteforce attacks which earlier was unthinkable.

In this tutorial, we will try doing dictionary attacks against a handshake file from a wireless network – a realistic target for a real hacker. We will do this with two known tools – Aircrack-ng and Hashcat, which relies respectively on CPU and GPU power. We will be running these tools from windows, even though they are both found in a nix version as well.

1. Download and unzip Aircrack-ng for Windows

2. Open a command prompt and navigate to the aircrack-ng-1.1-win\bin\ folder

For this tutorial we have a handshake file called WPAHandshake.pcap and a dictionary file called passwords.txt. The password file is 14 MB in size and contains about 990.000 passwords. The last password in the file is intentionally the correct one. This is the syntax we will be using for Aircrack: aircrack-ng.exe [handshake file] -w [dictionary file]

3. Type aircrack-ng.exe C:\WPAHandshake.pcap –w C:\Passwords.txt


Aircrack-ng will now start calculating the hashes for each password salted with the ESSID and compare that value with the one used for the clear-text challenge in the handshake file. The Central Processing Unit (CPU) does all these calculations. Ones done we can see that the password test1234 was found in 3:35 min.


Before we can do the test with Hashcat we need to convert the handshake file into the hccap format. This can be done via Hashcats Website

4. Visit the website and upload the file WPAHandshake.pcap

5. Press the Convert bottom and download the hccap file

The newly converted file is named WPAHandshake.hccap for this tutorial. Now we install Hashcat itself to start cracking.

6. Download and unzip oclhashcat-plus

7. Open a command prompt and navigate to the oclHashcat-plus-0.14\ folder

My Graphic card is Nvidia based and runs CUDA. Therefor I’m using cudaHashcat-plus for this process. This is the syntax we will be using for Hashcat: cudaHashcat-plus64.exe [type of hash to crack] [handshake file] [dictionary file]

8. Type cudaHashcat-plus64.exe –hash-type 2500 C:\WPAHandshake.hccap C:\Passwords.txt


The password test1234 is ones again found, but this time in 1:11 min. Which shows that using the GPU is much more effective for this use. The reason for this it that it is much more comparable for doing parallel processing. Further reading can be done here.

For the sake of argument, I should mention that the tests where done on my computer which has a Core2Quad Q6700 8MB 4×2,67GHz Processer and a GeForce GTX 550 Ti graphic card. Also I should mention that both Aircrack and Hashcat also comes with a GUI as well, which might make it easier for some users to work with them.

Share Button



Bookmark the permalink.

4 Responses to Aircrack vs. Hashcat

  1. Simon Bønløkke Madsen says:

    Nice. I actually tried the same last week, i just used Aircrack and Pyrit on Linux…. The time comparison is right, but from my experience, a 14 MB dictionary file is far from enough. I used a 13GB dictionary file with about 1 billion passwords. It looks like your GPU processes about 12500 keys / sec, which will mean that it will take about 22 hours to run through a dictoinary file like that. This still leaves the chance that the password is not even in the list.
    It is doable, but i still think it is a pretty time consuming job unless you use some kind of cluster or the graphic cards that do about 100K / keys / sec.

  2. Hegelund says:

    Hi Simon

    I tried to get Pyrit up and running a long time a go, but was not able to get it compiled right.
    True – in a real penetration testing scenario a 14 MB dictionary file would probably not be enough, but for this tutorial it was more a proof of concept of what the GPU could do compared to the CPU.

  3. ERRATUM: cudaHashcat-Plus64, performed even better than you indicated. You stated, The password test1234 is once again found, but this time in 1:11 min. Which shows that using the GPU is much more effective for this use. This would make cudaHashcat-Plus64 a tad over 3 times faster than Aircrack-ng 1.1. Actually, the time for cudaHashcat-Plus64 was ONLY 49 seconds (starting 2:40:29, ending 2:41:18), which equates to a reduction of 31% (22/71 seconds) over your stated duration of 1 minute 11 seconds. Therefore the actual comparison yielded the following durations: 3 minutes, 35 seconds for Aircrack-ng 1.1, and 49 seconds for cudaHashcat-plus64. Hence, cudaHashcat-Plus64 was MORE THAN 4 TIMES faster than Aircrack-ng 1.1, in this comparison.

Leave a Reply

Your email address will not be published. Required fields are marked *