Edited to answer your implicit question: if you want efficient WPA2 cracking on GPU, consider hashcat for the cracking, and hcxtools for conversion to the required format (hccapx). hashcat is superior to some other implementations because it has a rules engine that is implemented directly in-kernel on GPU.
There used to be a CUDA version of aircrack-ng, but since oclhashcat became popular, you will need to build from source to enable the CUDA feature in aircrack-ng. There is little documentation about how to enable it, however.
Since I don't have enough "reputation" I cannot comment, but as in Aero Wang's answer, you need to download the CUDA lib and recompile aircrack. I did this many years ago on an Nvidia Quadro; the aircrack-ng CUDA build runs very fast. If I remember well, I could get 30000 passwords/sec instead of 5000/sec on a Xeon. But lately I tried hashcat and it is better, as built-in support for GPU is included; you don't need to recompile.
Hacking WPA/WPA2 passwords with Aircrack-ng: dictionary searching, collaboration with Hashcat, maskprocessor, statsprocessor, John the Ripper, Crunch, hacking in Windows
A successfully captured handshake can be cracked with various tools.
If you have managed to set up the proprietary graphics card drivers, then Hashcat is of course the recommended tool: the rate at which password candidates are tested will be much higher.
If you want to crack WPA PSK passwords with CPU power alone, Aircrack-ng is one of the suitable tools. Its drawbacks are that it does not use the graphics card, and that it lacks support for masks, rules and other brute-force options. The second drawback is offset by the fact that Aircrack-ng can be paired with other tools that supply those same masks, rules and on-the-fly password generation.
The maskprocessor tool is part of the hashcat package. Its purpose is to generate password candidates from a mask. Using maskprocessor is even easier than hashcat itself, which will not even run on some systems without the necessary dependencies.
The command syntax is very simple:
Crunch is a wordlist generator in which you can specify a standard or custom character set. Crunch can create a list of words with all combinations and permutations that match the specified criteria. The output crunch produces can be displayed on screen, saved to a file or piped to another tool.
A simple example of use:
I use Kali Linux and yesterday captured a WPA handshake of my network. I want to crack its password, but my CPU with aircrack-ng checks only about 2000 keys per second. In my laptop I have got an Intel HD Graphics 4600 GPU; I want to use it to cooperate with the CPU in cracking the password (I read that could make this process 20 times faster!). Is there any way to do that? I know about hashcat, but, if I'm not wrong, it is only for NVIDIA or AMD/ATI GPUs.
You are not wrong, you would need a proper GPU to accelerate hashcat. A popular choice as an alternative to hashcat is crunch -wordlist/files/crunch-wordlist/ for which Google will give you a bevy of tutorials on the subject. I'm surprised you're getting as high as 2000kps given the state of it.
If you would try to crack it with the same hardware today then I would rather recommend an online hash crack website first. Search for "online hash crack WPA" in your browser; the first 2-3 results would do it. These sites are fully legit and they try to crack your pcap with a limited wordlist for free, which is usually good enough for weaker passwords. Some users change the factory default passwords to an even weaker pass (e.g. only digits).
Hello everyone,
I'm having a problem with the wpa.cap file created by besside through the Delayed-AP-Attack-Mine payload.
I see the Owl loot saved the besside.log, wpa.cap, and wep.cap files. The log tells me some WPA handshakes were captured and looks like there are no errors.
I followed the readme.md associated with the payload and did an "aircrack-ng -J filebase wpa.cap" and received a success message in creating a hashcat filebase.hccap file for the SSID I'm testing on.
When I run "hashcat -m 2500 filebase.hccap -w /wordlist" (wordlist is not the full name/path) I get an error that mode 2500 has been deprecated and to use mode 22000.
I used mode 22000 and then received an error message of an unmatched separator.
I'm still a little new to some of this, but I tried to do some research and so far can't see what I might be doing wrong. If anyone can nudge me in the right direction I'd appreciate it.
Also, if it's relevant, could it be that I need to do an update/upgrade on the distro and apps installed on the Owl, if that's possible?
Here is some of the input/output from using aircrack-ng and hashcat...
However, besside-ng specifically is one of the "source tools" that should be avoided. The payload is 4 years old and things happen over time, especially fast when in the cyber sec domain. Tools evolve.
I wouldn't do that without specific knowledge, and also be prepared that Owl things could break. You could try to build your own ipks of the tools needed, but in this specific case you won't be happier using a more recent version of besside-ng if you plan to use Hashcat, since it's still something to avoid (according to Hashcat).
For this tutorial we have a handshake file called WPAHandshake.pcap and a dictionary file called passwords.txt. The password file is 14 MB in size and contains about 990,000 passwords. The last password in the file is intentionally the correct one. This is the syntax we will be using for Aircrack: aircrack-ng.exe [handshake file] -w [dictionary file]
Aircrack-ng will now start calculating the hashes for each password salted with the ESSID and compare that value with the one used for the clear-text challenge in the handshake file. The Central Processing Unit (CPU) does all these calculations. Once done, we can see that the password test1234 was found in 3:35 min.
The password test1234 is once again found, but this time in 1:11 min, which shows that using the GPU is much more effective for this task. The reason is that a GPU is far better suited to parallel processing. Further reading can be found here.
For the sake of argument, I should mention that the tests were done on my computer, which has a Core2Quad Q6700 8MB 42,67GHz processor and a GeForce GTX 550 Ti graphics card. I should also mention that both Aircrack and Hashcat come with a GUI as well, which might make it easier for some users to work with them.
Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng. This part of the aircrack-ng suite determines the WEP key using two fundamental methods. The first method is the PTW approach (Pyshkin, Tews, Weinmann), which is the default cracking method. It is done in two phases: in the first phase, aircrack-ng only uses ARP packets; if the key is not found, it then uses all the packets in the capture. Please remember that not all packets can be used for the PTW method; the Tutorial: Packets Supported for the PTW Attack page provides details. An important limitation is that the PTW attack currently can only crack 40- and 104-bit WEP keys. The main advantage of the PTW approach is that very few data packets are required to crack the WEP key.
The other, older method is the FMS/KoreK method. The FMS/KoreK method incorporates various statistical attacks to discover the WEP key and uses these in combination with brute forcing. It requires more packets than PTW, but on the other hand is able to recover the passphrase in cases where PTW fails.
SSE2, AVX, AVX2, and AVX512 support is included to dramatically speed up WPA/WPA2 key processing. With the exception of AVX512, all other instruction sets are built into Aircrack-ng, and it will automatically select the fastest one available for the CPU. For non-x86 CPUs, SIMD improvements are present as well.
The first method is the PTW method (Pyshkin, Tews, Weinmann). The PTW method is fully described in the paper found on this web site. In 2005, Andreas Klein presented another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than the ones found by Fluhrer, Mantin, and Shamir, and these may additionally be used to break WEP. The PTW method extends Klein's attack and optimizes it for usage against WEP. It essentially uses enhanced FMS techniques described in the following section. One particularly important constraint is that it only works with ARP request/reply packets and cannot be employed against other traffic.
The second method is the FMS/KoreK method, which incorporates multiple techniques. The Techniques Papers on the links page lists many papers which describe these techniques in more detail and the mathematics behind them.
By using a series of statistical tests called the FMS and KoreK attacks, votes are accumulated for likely values of each key byte of the secret WEP key. Different attacks carry a different number of votes, since the probability of each attack yielding the right answer varies mathematically. The more votes a particular potential key value accumulates, the more likely it is to be correct. For each key byte, the screen shows the likely secret key byte and the number of votes it has accumulated so far. Needless to say, the key byte with the largest number of votes is most likely correct, but this is not guaranteed; Aircrack-ng will subsequently test the key to confirm it.
Looking at an example will hopefully make this clearer. In the screenshot above, you can see that at key byte 0 the byte 0xAE has collected some votes, 50 in this case. So, mathematically, it is more likely that the key starts with AE than with 11 (which is second on the same line and has roughly half as many votes). That explains why the more data is available, the greater the chances that aircrack-ng will determine the secret WEP key.