There are two types of bruteforce attacks – raw bruteforce and dictionary attacks. A raw bruteforce attack means trying every single password within the specified limits, and a dictionary attack means only trying passwords from a dictionary file. With more and more powerful hardware in household computers, bruteforce attacks that were unthinkable a few years ago are becoming possible.
In this tutorial, we will try doing dictionary attacks against a handshake file from a wireless network – a realistic target for a real hacker. We will do this with two well-known tools – Aircrack-ng and Hashcat, which rely on CPU and GPU power respectively. We will be running these tools from Windows, even though both are available in a *nix version as well.
1. Download and unzip Aircrack-ng for Windows
2. Open a command prompt and navigate to the aircrack-ng-1.1-win\bin\ folder
For this tutorial we have a handshake file called WPAHandshake.pcap and a dictionary file called passwords.txt. The password file is 14 MB in size and contains about 990,000 passwords. The last password in the file is intentionally the correct one. This is the syntax we will be using for Aircrack: aircrack-ng.exe [handshake file] -w [dictionary file]
3. Type aircrack-ng.exe C:\WPAHandshake.pcap -w C:\Passwords.txt
Aircrack-ng will now start calculating the hash for each password salted with the ESSID and compare the result with the values captured in the handshake file. The Central Processing Unit (CPU) does all these calculations. Once done, we can see that the password test1234 was found in 3:35 min.
Before we can do the test with Hashcat we need to convert the handshake file into the hccap format. This can be done via Hashcat's website.
4. Visit the website and upload the file WPAHandshake.pcap
5. Press the Convert button and download the hccap file
The newly converted file is named WPAHandshake.hccap for this tutorial. Now we install Hashcat itself to start cracking.
6. Download and unzip oclhashcat-plus
7. Open a command prompt and navigate to the oclHashcat-plus-0.14\ folder
My graphics card is Nvidia based and runs CUDA. Therefore I'm using cudaHashcat-plus for this process. This is the syntax we will be using for Hashcat: cudaHashcat-plus64.exe [type of hash to crack] [handshake file] [dictionary file]
8. Type cudaHashcat-plus64.exe --hash-type 2500 C:\WPAHandshake.hccap C:\Passwords.txt
The password test1234 is once again found, but this time in 1:11 min, which shows that using the GPU is much more effective for this task. The reason is that a GPU is far better suited to this kind of parallel processing. Further reading can be done here.
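To make concrete what "calculating the hash for each password salted with the ESSID" means, and what the two measured times above imply for a passphrase policy, here is an added example (not code from the tutorial, Aircrack-ng or Hashcat). It computes the WPA Pairwise Master Key exactly as the standard defines it, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 rounds, which is the per-candidate work both tools repeat for every dictionary entry. It then turns the tutorial's 990,000-word dictionary and the 3:35 / 1:11 timings into guesses per second, and estimates how long exhausting a small random keyspace would take at that rate, which is the number a defender wants when deciding on passphrase length. The checked PMK value is the public IEEE 802.11i test vector (passphrase "password", SSID "IEEE"); the keyspace figures are assumptions chosen for illustration.

```python
import hashlib

# Public IEEE 802.11i test vector; not a value from the tutorial.
IEEE_TEST_PASSPHRASE = "password"
IEEE_TEST_SSID = "IEEE"
IEEE_TEST_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

# Numbers taken from the tutorial text: dictionary size and the two run times.
DICTIONARY_SIZE = 990_000          # "about 990,000 passwords"
CPU_SECONDS = 3 * 60 + 35          # Aircrack-ng on the Core2Quad: 3:35 min
GPU_SECONDS = 1 * 60 + 11          # cudaHashcat-plus on the GTX 550 Ti: 1:11 min


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK Pairwise Master Key.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The 4096 iterations (each two SHA1 blocks) are why a single guess is
    expensive, and why the SSID acts as a salt: the same dictionary must be
    re-hashed for every distinct network name.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, dklen=32
    )


def guesses_per_second(dictionary_size: int, elapsed_seconds: float) -> float:
    """Throughput implied by running a whole dictionary in a measured time."""
    return dictionary_size / elapsed_seconds


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of passphrases of a fixed length over a given alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every passphrase in the keyspace at `rate`/s."""
    return keyspace / rate


def format_duration(seconds: float) -> str:
    """Human-readable duration for the estimates printed below."""
    year = 365 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:,.1f} years"
    if seconds >= 3600:
        return f"{seconds / 3600:,.1f} hours"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    pmk = wpa_pmk(IEEE_TEST_PASSPHRASE, IEEE_TEST_SSID)
    print("PMK for IEEE test vector:", pmk.hex())
    print("matches standard:", pmk.hex() == IEEE_TEST_PMK_HEX)

    cpu_rate = guesses_per_second(DICTIONARY_SIZE, CPU_SECONDS)
    gpu_rate = guesses_per_second(DICTIONARY_SIZE, GPU_SECONDS)
    print(f"CPU rate from tutorial timing: {cpu_rate:,.0f} guesses/s")
    print(f"GPU rate from tutorial timing: {gpu_rate:,.0f} guesses/s")

    # Illustrative keyspaces (assumed policies, not from the tutorial):
    # 8 lowercase letters+digits, and 12 characters from a 62-symbol set.
    for alphabet, length in ((36, 8), (62, 12)):
        space = keyspace_size(alphabet, length)
        print(
            f"{length} chars over {alphabet} symbols: {space:,} passphrases, "
            f"exhausted in {format_duration(seconds_to_exhaust(space, gpu_rate))} "
            f"at the GPU rate"
        )
```

The salt point matters for defenders: because the SSID is mixed into PBKDF2, precomputed tables only help against networks with common default names, and the measured rates show why a long random passphrase pushes a plain dictionary or keyspace search from minutes into years even on GPU hardware.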
For the sake of argument, I should mention that the tests were done on my computer, which has a Core2Quad Q6700 8MB 4×2,67GHz processor and a GeForce GTX 550 Ti graphics card. I should also mention that both Aircrack and Hashcat come with a GUI as well, which might make it easier for some users to work with them.