Slide 1: WPA Cracking && Hashcat
Gareth Kerr – Cyber Security/Rune Security
Contact: T7145543@live.tees.ac.uk
Slide 2: Wireless Communication Info
Operates using Radio Frequency (RF) technology.
IEEE 802.11 is the set of standards for implementing wireless LAN networks, otherwise known as Wi-Fi.
Operates on the 2.4 GHz and 5 GHz frequency bands.
Supports up to 13 channels (in the 2.4 GHz band).
Various encryption methods are implemented.
Slide 3: Kali Linux
Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course, Metasploit Unleashed.
Download link for Kali - https://www.kali.org/downloads/
Exploit Database - https://www.exploit-db.com
Slide 4: What's Aircrack-ng?
Aircrack-ng is a complete suite of tools to assess WiFi network security.
It focuses on different areas of WiFi security:
Monitoring: Packet capture and export of data to text files for further processing by third party tools.
Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
Testing: Checking WiFi cards and driver capabilities (capture and injection).
Cracking: WEP (deprecated) and WPA PSK (WPA 1 and 2).
Slide 5: Interface Configuration (ifconfig – iwconfig)
MODE | Description
Managed | Node connects to a network composed of many Access Points, with roaming.
Ad-Hoc | Network composed of only one cell and without an Access Point.
Master | The node is the synchronisation master or acts as an Access Point.
Repeater | The node forwards packets between other wireless nodes.
Monitor | The node is not associated with any cell and passively monitors all packets on the frequency.
Slide 6: Interface Configuration (ifconfig – iwconfig)
CLI Commands:
ifconfig wlan0 down (Brings the interface wlan0 down)
iwconfig wlan0 mode monitor (Changes the interface operating mode to monitor)
ifconfig wlan0 up (Brings the interface wlan0 up)
iwconfig (Shows the current wireless configuration of each interface)
airmon-ng check kill (Kills any processes that may be using the wireless card)
DEMO
Slide 7: MAC Spoofing using "macchanger"
Anatomy of a MAC Address:
00:00:8f:13:b6:84
VENDOR:UNIQUEID (the first three octets identify the vendor, the last three are the device's unique ID)
macchanger --random wlan0 (Changes the MAC to a randomly assigned MAC address)
macchanger -l (Lists all known MAC vendors)
macchanger --mac=00:00:8f:13:b6:84 wlan0 (Changes to a specific MAC address)
Slide 8: Testing Injection Capability of the Wireless Card
aireplay-ng -9 -a [BSSID] -i [RECEIVING INTERFACE] [INTERFACE TO TEST]
DEMO
-9 | Injection test. Long form is --test.
-a | MAC address of the access point (BSSID).
-i | wlan1 is the interface name of the second card, if you want to determine which attacks your card supports. This interface acts as an AP and receives packets.
interface | Interface to test injection on.
Slide 9: Airodump-ng (Sniffing for Local Access Points)
airodump-ng wlan0
Deciphering the output:
BSSID | The MAC address of the AP.
PWR | Signal strength. Note - some wireless drivers do not report this.
Beacons | Number of beacon frames received. If you don't have a signal strength you can estimate it by the number of beacons: the more beacons, the better the signal quality.
Data | Number of data frames received.
CH | Channel the AP is operating on (0-12).
MB | Maximum speed for the AP.
ENC | Encryption: OPN: no encryption, WEP: WEP encryption, WPA: WPA or WPA2 encryption.
ESSID | The network name. Sometimes hidden.
Slide 10: Airodump-ng (Targeted Sniffing)
Now we know the details of the Access Point we wish to target. We can narrow down our output to just this BSSID.
airodump-ng --channel [CHANNEL] --bssid [BSSID] --write [FILE] [INTERFACE]
--channel | Channel the access point is broadcasting on.
--bssid | MAC address of the target access point.
--write | Writes the packet capture to a file.
interface | Interface you wish to use to start the packet capture.
Slide 11: Airodump-ng Extended (Targeted Sniffing)
You should notice we now have a new area at the bottom of the output.
BSSID | The MAC of the AP the client is associated to.
STATION | The MAC of the client itself.
PWR | Signal strength.
PACKETS | Number of data frames received.
PROBES | Network names (ESSIDs) this client has probed.
Slide 12: Obtaining the WPA Handshake (Hash)
If you are sniffing on a large network, you will find that you may obtain the handshake fairly quickly. You will know when the handshake has been obtained, as airodump-ng will inform you.
Slide 13: Aireplay-ng (Deauthentication)
Aireplay-ng is another tool in the Aircrack-ng suite. The theory behind this is we want to disconnect the device. Then, when the client reconnects, we capture the handshake. Will a generic user know that this has happened? Probably not.
aireplay-ng --deauth [DISCONNECTION ATTEMPTS] -a [AP MAC ADDRESS] -c [MAC ADDRESS TO TARGET] [INTERFACE]
DEMO
--deauth | Deauthentication (disconnection) attack.
-a | MAC address of the target access point.
-c | Targeted MAC address.
interface | Interface you are using.
Slide 14: "Cleaning" the Capture File
Since we have a packet capture file (written while airodump-ng was running), we now need to clean the file. It needs to be in a format which hashcat understands.
CLI Commands:
locate cap2hccapx.bin (Locates the binary file)
mv /usr/lib/hashcat-utils/cap2hccapx.bin . (Moves the file to the current directory)
./cap2hccapx.bin [CAPTURE FILE] [CLEANED FILE NAME]
We should now have a cleaned file. We will leave this file until later, when we crack it.
Slide 15: HASHCAT
Slide 16: Hash Functions
Slide 17: Hashcat Overview
Hashcat is the self-proclaimed world's fastest password recovery tool.
It supports hundreds of hash formats, such as MD5, the SHA family, Unix crypt formats, MySQL and many more.
It harnesses the power of GPUs for accelerated cracking (CUDA); it can be used with a CPU, however it is much slower.
Hashcat takes the hash and tries to recover the plaintext that produced it, by hashing candidate passwords and comparing the results against the hash.
Works on Windows, Linux and macOS.
Slide 18: Hashcat Basics - Attack Modes
Hashcat comes with a number of attack modes:
0 | Straight
1 | Combination (Using Two Wordlists)
3 | Brute-force (Using a defined character set)
6 | Hybrid Wordlist + Mask
7 | Hybrid Mask + Wordlist
Slide 19: Hashcat Basics - Benchmarking
You can benchmark a hashing algorithm using hashcat. Throughout this tutorial video we will be using MD5 for demonstration purposes.
-b = Benchmark
-m = Hash mode number, e.g. 0 (MD5), 1700 (SHA-512) or 8900 (scrypt).
Command: hashcat -b -m 1700
Output units:
1 kH/s is 1,000 (one thousand) hashes per second.
1 MH/s is 1,000,000 (one million) hashes per second.
1 GH/s is 1,000,000,000 (one billion) hashes per second.
1 TH/s is 1,000,000,000,000 (one trillion) hashes per second.
1 PH/s is 1,000,000,000,000,000 (one quadrillion) hashes per second.
1 EH/s is 1,000,000,000,000,000,000 (one quintillion) hashes per second.
Slide 20: Hashcat Basics - Arguments
Arguments:
In order for the command to execute, you must provide the appropriate parameters.
Argument 1: -a (Attack mode: 0, 1, 3, 6, 7)
Argument 2: -m (Hash type, e.g. 0 for MD5, 2500 for WPA)
Argument 3: Filename | Hash
Argument 4: Dictionary | Mask | Directory
Complete command: hashcat -a 0 -m 2500 hashes.txt rockyou.txt
Slide 21: Hashcat Basics - Straight Attack Mode (-a 0)
Using the google10000.txt wordlist (Google's most searched-for words), we will run a straight attack against the MD5 hashing algorithm. I have compiled pre-hashed MD5s to show the attack modes.
Command: hashcat -a 0 -m 0 md5hashes.txt google10000.txt
DEMO
Slide 22: Hashcat Basics - Straight Attack Mode – Cracking the WPA Handshake
Using the cleaned hccapx file we created earlier, we will use the straight attack mode alongside a wordlist to crack the key. The hash mode here is 2500 (WPA/WPA2), not 0 (MD5).
Command: hashcat -a 0 -m 2500 cleaned google10000.txt
DEMO
Slide 23: Hashcat Basics - Straight Attack Mode & Rules
Using the same attack mode, we will use a rule to alter the wordlist. The rule will be applied to every password in the wordlist, hashed and then compared to the hash file. Each rule file will generally contain hundreds of rules.
For example, one rule might change all of the A's to 4's, or perhaps all of the S's to $'s.
Wordlist containing the following words: Password, Hashcat, Is, Awesome.
Rule alters the words to: p4$$word, ha$hcat, is, 4we$some.
A popular ruleset is best64.rule, which comes with hashcat.
Command: hashcat -a 0 -m 0 md5hashes.txt google10000.txt -r /usr/share/hashcat/rules/best64.rule
DEMO
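As an added example (not code from the slides or from hashcat itself), here is a small interpreter for a handful of hashcat rule functions, enough to see how a rule line mangles each word of a list before it is hashed. The slide's four outputs are illustrative rather than the product of one rule, so the rule lines below reproduce the "p4$$word" and "ha$hcat" cases; which functions are supported is an assumption stated in the comments.

```python
# Added example, not from the slides: a minimal interpreter for a handful of
# hashcat rule functions, enough to show how one rule line mangles a wordlist.
# Supported subset of the rule language (assumption: nothing else is handled):
#   l lowercase   u uppercase   c capitalise   r reverse
#   sXY replace every X with Y   $X append X   ^X prepend X
# A rule line is whitespace-separated functions, as in best64.rule.

def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat-style rule line to a single candidate word."""
    for func in rule.split():
        op, arg = func[0], func[1:]
        if op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op == "s" and len(arg) == 2:
            word = word.replace(arg[0], arg[1])
        elif op == "$":
            word = word + arg
        elif op == "^":
            word = arg + word
        else:
            raise ValueError(f"unsupported rule function: {func!r}")
    return word

def mangle_wordlist(words, rules):
    """Every (rule, word) candidate that would be hashed and compared."""
    return [apply_rule(w, r) for r in rules for w in words]

# Constructed input: the slide's four-word list and two rule lines.
SLIDE_WORDS = ["Password", "Hashcat", "Is", "Awesome"]
RULES = ["l sa4 ss$",   # lowercase, a -> 4, s -> $  (Password -> p4$$word)
         "l ss$"]       # lowercase, s -> $           (Hashcat  -> ha$hcat)

if __name__ == "__main__":
    for candidate in mangle_wordlist(SLIDE_WORDS, RULES):
        print(candidate)
```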
Slide 24: Hashcat Basics – Combinator Attack Mode (-a 1)
The combinator attack mode concatenates wordlists. It tries every combination of a word from the first wordlist followed by a word from the second.
If we had two wordlists:
Wordlist1: Hashcat, Is, Awesome.
Wordlist2: Random, Words, Combinator.
Combined: hashcatrandom, hashcatwords, hashcatcombinator, etc.
Command: hashcat -a 1 -m 0 md5hashes.txt wordlist1.txt wordlist2.txt
DEMO
Slide 25: Hashcat Basics – Combinator Utility
We can also just use the combinator utility to create a permanent, combined dictionary.
Commands:
mv /usr/lib/hashcat-utils/combinator.bin .
./combinator.bin google10000.txt google10000.txt > google10000combined.txt
cat google10000combined.txt
Now we can use this in the straight attack mode, since the dictionary is already combined.
hashcat -a 0 -m 0 md5hashes.txt google10000combined.txt
Slide 26: Hashcat Basics – Brute-force (-a 3)
This is by far the slowest and most inefficient way of cracking any password.
Syntax:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
You can also define custom character sets, using -1 [CHARACTERS] (referenced in the mask as ?1).
Command: hashcat -a 3 -m 0 md5hashes.txt -1 ?l?d?s?u ?1?1?1?1?1?1 -w 3
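An added example (not from the slides or from hashcat) that turns the mask syntax and the benchmarking units into a keyspace and time estimate: it tokenises a mask, honours -1 style custom charsets, and works out how long exhausting the slide's six-position ?1 mask takes at a given rate. The built-in charsets are the ones listed above; the rate string format ("1 MH/s") and the helper names are assumptions.

```python
# Added example (not from the slides): tokenise a hashcat mask, compute its
# keyspace (including -1 style custom charsets) and estimate exhaustion time
# at a benchmarked rate written in the units from the benchmarking slide.
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",   # 33 chars, as on the slide
}
RATE_UNITS = {"": 1.0, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12, "P": 1e15, "E": 1e18}

def expand_charset(spec: str) -> str:
    """Expand a custom charset spec like '?l?d?s?u' or 'abc?d' into unique characters."""
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec) and spec[i + 1] in BUILTIN:
            out.extend(BUILTIN[spec[i + 1]]); i += 2
        else:
            out.append(spec[i]); i += 1
    return "".join(dict.fromkeys(out))        # dedupe, keep first occurrence

def mask_keyspace(mask: str, custom=None) -> int:
    """Number of candidates a mask generates; custom maps '1'..'4' to the -1..-4 specs."""
    sizes = {k: len(v) for k, v in BUILTIN.items()}
    sizes.update({k: len(expand_charset(v)) for k, v in (custom or {}).items()})
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            if mask[i + 1] != "?":            # '??' is a literal question mark
                total *= sizes[mask[i + 1]]
            i += 2
        else:
            i += 1                            # literal character: one choice
    return total

def parse_rate(text: str) -> float:
    """'250 kH/s' -> 250000.0, using the k/M/G/T/P/E prefixes from the slide."""
    number, unit = text.split()
    return float(number) * RATE_UNITS[unit[:-3]]

def hours_to_exhaust(mask: str, rate: str, custom=None) -> float:
    return mask_keyspace(mask, custom) / parse_rate(rate) / 3600

if __name__ == "__main__":
    # The slide's command: -1 ?l?d?s?u and a six-position mask of that charset.
    custom = {"1": "?l?d?s?u"}
    print(mask_keyspace("?1?1?1?1?1?1", custom))               # 95**6
    print(round(hours_to_exhaust("?1?1?1?1?1?1", "1 MH/s", custom), 1))
```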
Slide 27: Hashcat Basics – PACK (Password Analysis Toolkit)
We use PACK to analyze datasets, meaning PACK will look for the most common patterns within a password dataset and create a mask. To understand why this is useful, we will need to give you an insight into what it actually does.
So the steps we will be following, in sequence, are:
analyzing a dataset using statsgen;
creating a mask using maskgen;
converting the mask to a hcmask file.
As this takes some time, I have prepared the files just for use in this demo.
Slide 28: Hashcat Basics – PACK (Statsgen)
Command: statsgen hashesorgwordlist --minlength=5 --maxlength=6 --hiderare -o hashesorg.masks
Breakdown:
statsgen hashesorgwordlist | First we are giving statsgen the dataset, in this case hashesorgwordlist.
--minlength=5 --maxlength=6 | Specifying the minimum and maximum length of the passwords we wish to analyse.
--hiderare | Do not show us statistics which cover less than 1% of the data sample.
-o hashesorg.masks | Tells statsgen to output the stats to a mask file.
Slide 29: Hashcat Basics – PACK (Maskgen)
Command: maskgen hashesorg.masks --optindex -o hashesorg.hcmask
Breakdown:
maskgen hashesorg.masks | First we are giving maskgen the mask statistics produced by statsgen, in this case hashesorg.masks.
--optindex | Default switch to sort the masks.
-o hashesorg.hcmask | Output file name, to then be given to hashcat.
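An added example covering the statsgen and maskgen steps together (not from the slides, and not PACK's own code): each password is reduced to a hashcat mask, the masks are counted with the length filter and the --hiderare floor applied, and the survivors are ordered by keyspace divided by occurrence, which is an assumed approximation of what --optindex sorts on. The sample list is constructed, not a real dataset.

```python
# Added example (not from the slides, not PACK's code): a statsgen/maskgen-style
# pass over a password list. Passwords become masks, masks are counted with the
# length filter and --hiderare floor, then ordered by keyspace/occurrence
# (assumed approximation of maskgen's --optindex).
from collections import Counter
import string

CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}

def char_class(ch):
    if ch in string.ascii_lowercase:
        return "?l"
    if ch in string.ascii_uppercase:
        return "?u"
    if ch in string.digits:
        return "?d"
    return "?s"                     # assumption: anything else is a symbol

def to_mask(password):
    return "".join(char_class(c) for c in password)

def statsgen(passwords, minlength=1, maxlength=64, hiderare_pct=0.0):
    """[(mask, count)] most common first; masks covering less than
    hiderare_pct of the length-filtered sample are hidden (--hiderare)."""
    kept = [p for p in passwords if minlength <= len(p) <= maxlength]
    counts = Counter(to_mask(p) for p in kept)
    return [(m, c) for m, c in counts.most_common()
            if 100.0 * c / len(kept) >= hiderare_pct]

def mask_keyspace(mask):
    total = 1
    for i in range(0, len(mask), 2):
        total *= CHARSET_SIZE[mask[i:i + 2]]
    return total

def maskgen(stats):
    """hcmask lines ordered by optimal index (keyspace / occurrence, lowest first)."""
    return [m for m, _ in sorted(stats, key=lambda mc: mask_keyspace(mc[0]) / mc[1])]

# Constructed sample (not a real leak) with a few dominant patterns and one rare one.
SAMPLE = (["summer19", "winter07", "autumn88"] * 20
          + ["London22", "Paris99"] * 15 + ["qwerty"] * 10 + ["!12345"])

if __name__ == "__main__":
    stats = statsgen(SAMPLE, minlength=5, maxlength=8, hiderare_pct=1.0)
    for mask, count in stats:
        print(f"{mask:20s} {count:4d}  keyspace={mask_keyspace(mask):,}")
    print("\n".join(maskgen(stats)))     # what would be written to the .hcmask file
```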
Slide 30: Hashcat Basics – Hybrid – Wordlist & Mask
A hybrid attack mode combines the elements we have already learned about: we are taking a wordlist and applying a mask to it, effectively concatenating characters to the end of the words.
Command: hashcat -a 6 -m 0 demohashes.txt google10000.txt hashesorg.hcmask
DEMO
Slide 31: Hashcat Basics – Hybrid – Mask & Wordlist
This attack mode is the opposite of the last: we are appending a wordlist to a mask, so the mask is given first and the wordlist second.
Command: hashcat -a 7 -m 0 md5hashes.txt /usr/share/hashcat/masks/rockyou-1-60.hcmask [WORDLIST] -O -w 3
DEMO
Slide 32: ANY QUESTIONS?
Slide 33: Gareth Kerr – Cyber Security/Rune Security
Contact: T7145543@live.tees.ac.uk