
WPA Cracking && Hashcat.






Presentation Transcript


  1. WPA Cracking && Hashcat.
  Gareth Kerr – Cyber Security/Rune Security
  Contact: T7145543@live.tees.ac.uk

  2. Wireless Communication Info
  • Operates using radio frequency (RF) technology
  • IEEE 802.11 is the set of standards for implementing wireless LANs, otherwise known as Wi-Fi
  • Operates on the 2.4 GHz and 5 GHz frequency bands
  • Supports up to 13 channels
  • Various encryption methods implemented

  3. Kali Linux
  • Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course Metasploit Unleashed.
  • Download link for Kali: https://www.kali.org/downloads/
  • Exploit Database: https://www.exploit-db.com

  4. What’s Aircrack-ng?
  • Aircrack-ng is a complete suite of tools to assess WiFi network security.
  • It focuses on different areas of WiFi security:
    • Monitoring: packet capture and export of data to text files for further processing by third-party tools.
    • Attacking: replay attacks, deauthentication, fake access points and others via packet injection.
    • Testing: checking WiFi cards and driver capabilities (capture and injection).
    • Cracking: WEP (deprecated) and WPA PSK (WPA 1 and 2).

  5. Interface Configuration (ifconfig – iwconfig)

  6. Interface Configuration (ifconfig – iwconfig)
  • CLI commands:
    • ifconfig wlan0 down (brings the interface wlan0 down)
    • iwconfig wlan0 mode monitor (changes the interface operating mode to monitor)
    • ifconfig wlan0 up (brings the interface wlan0 up)
    • iwconfig (shows the wireless settings, so you can confirm the mode is now Monitor)
    • airmon-ng check kill (kills any processes, such as NetworkManager or wpa_supplicant, that may be using the wireless card)
  • DEMO

  7. MAC Spoofing using “macchanger”
  • Anatomy of a MAC address: 00:00:8f:13:b6:84 is VENDOR:UNIQUEID, i.e. the first three octets identify the vendor (the OUI) and the last three are assigned by that vendor to the individual device.
  • macchanger --random wlan0 (changes the MAC to a randomly assigned MAC address; the interface must be down first)
  • macchanger -l (lists all known MAC vendors)
  • macchanger --mac=00:00:8f:13:b6:84 wlan0 (changes to a specific MAC address)

  8. Testing Injection Capability of the Wireless Card
  • aireplay-ng -9 -e [ESSID] -a [BSSID] -i [RECEIVING INTERFACE] [INTERFACE TO TEST]
    (-9 is the injection test; -e and -a name the access point to test against, -i the second card that captures the replies)
  • DEMO

  9. Airodump-ng (Sniffing for Local Access Points)
  • airodump-ng wlan0
  • Deciphering the output

  10. Airodump-ng (Targeted Sniffing)
  • Now we know the details of the access point we wish to target, we can narrow the output down to just this BSSID.
  • airodump-ng -c [CHANNEL] --bssid [BSSID] -w [OUTPUT FILE PREFIX] [INTERFACE]

  11. Airodump-ng Extended (Targeted Sniffing)
  • You should notice we now have a new area at the bottom of the output: the stations (client devices) associated with this BSSID, one per line.

  12. Obtaining the WPA Handshake (Hash)
  • If you are sniffing on a large network you will find that you may obtain the handshake fairly quickly. You will know when the handshake has been obtained, as airodump-ng reports it (“WPA handshake: [BSSID]”) in the top-right corner of its output.

  13. Aireplay-ng (Deauthentication)
  • Aireplay-ng is another tool in the Aircrack-ng suite. The theory behind this is that we want to disconnect the device; when the client reconnects, we capture the handshake. Will a generic user know that this has happened? Probably not. A wireless IDS can, though: deauthentication floods are a standard detection signature, and 802.11w (Protected Management Frames) exists to make forged deauthentication frames ineffective.
  • aireplay-ng --deauth [NUMBER OF DEAUTH FRAMES] -a [AP MAC ADDRESS] -c [CLIENT MAC ADDRESS TO TARGET] [INTERFACE]
  • DEMO

  14. “Cleaning” the Capture File
  • Since we have a packet capture file (written while airodump-ng was running), we now need to convert it into a format which hashcat understands: hccapx, for hash mode 2500. (Current hashcat releases have superseded 2500/hccapx with hash mode 22000, whose input is produced by hcxpcapngtool from hcxtools.)
  • CLI commands:
    • locate cap2hccapx.bin (locates the binary)
    • mv /usr/lib/hashcat-utils/cap2hccapx.bin . (moves the binary to the current directory)
    • ./cap2hccapx.bin [CAPTURE FILE] [CLEANED FILE NAME]
  • We should now have a cleaned file.
  • We will leave this file until later, when we crack it.

  15. HASHCAT

  16. Hash Functions

  17. Hashcat Overview
  • Hashcat is the self-proclaimed world’s fastest password recovery tool.
  • It supports hundreds of hash formats, such as MD5, the SHA family, the Unix crypt formats, MySQL and many more.
  • It harnesses the power of GPUs for accelerated cracking (CUDA/OpenCL); it can be used with a CPU, but that is much slower.
  • Hashcat does not reverse the hash: it hashes candidate passwords and compares each result with the target hash until a match reveals the plaintext.
  • Works on Windows, Linux and macOS.

  18. Hashcat Basics – Attack Modes
  • Hashcat comes with a number of attack modes:
    • 0 | Straight
    • 1 | Combination (using two wordlists)
    • 3 | Brute-force (using a defined character set)
    • 6 | Hybrid Wordlist + Mask
    • 7 | Hybrid Mask + Wordlist

  19. Hashcat Basics – Benchmarking
  • You can benchmark a hashing algorithm using hashcat. Throughout this tutorial video we will be using MD5 for demonstration purposes.
  • -b = benchmark
  • -m = hash mode number, e.g. 0 for MD5, 1700 for SHA-512 or 8900 for scrypt.
  • Command: hashcat -b -m 1700
  • Output units:
    • 1 kH/s is 1,000 (one thousand) hashes per second
    • 1 MH/s is 1,000,000 (one million) hashes per second
    • 1 GH/s is 1,000,000,000 (one billion) hashes per second
    • 1 TH/s is 1,000,000,000,000 (one trillion) hashes per second
    • 1 PH/s is 1,000,000,000,000,000 (one quadrillion) hashes per second
    • 1 EH/s is 1,000,000,000,000,000,000 (one quintillion) hashes per second

  20. Hashcat Basics – Arguments
  • In order for the command to execute, you must provide the appropriate parameters:
    • Argument 1: -a (attack mode: 0, 1, 3, 6 or 7)
    • Argument 2: -m (hash type number, e.g. 0 for MD5, 2500 for WPA)
    • Argument 3: filename | hash
    • Argument 4: dictionary | mask | directory
  • Complete command: hashcat -a 0 -m 2500 hashes.txt rockyou.txt

  21. Hashcat Basics – Straight Attack Mode (-a 0)
  • Using the google10000.txt wordlist (Google’s most searched-for words), we will run a straight attack against MD5 hashes. I have compiled pre-hashed MD5s to show the attack modes.
  • Command: hashcat -a 0 -m 0 md5hashes.txt google10000.txt
  • DEMO

  22. Hashcat Basics – Straight Attack Mode – Cracking the WPA Handshake
  • Using the cleaned hccapx file we created earlier, we will use the straight attack mode alongside a wordlist to crack the key. Note the hash mode: 2500 (WPA/WPA2), not 0 (MD5).
  • Command: hashcat -a 0 -m 2500 cleaned google10000.txt
  • DEMO
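What hash mode 2500 actually has to compute for every candidate passphrase, as an added example that is not from the slides: the PMK derivation defined in IEEE 802.11i, which is why the WPA benchmark figure is thousands of times lower than MD5's and why the SSID acts as a salt. The timing helpers and candidate strings are constructed for illustration; the handshake MIC check that follows the PMK is the cheap remaining step and is not shown.

```python
import hashlib
import time


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-PSK as defined in IEEE 802.11i:
    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output.
    Every candidate passphrase costs 4096 HMAC rounds (x2 for the 32-byte output)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def pmk_rate(ssid: str, samples: int = 20) -> float:
    """Derivations per second on this machine (pure CPU, single thread), so the
    per-guess cost of mode 2500 can be compared with the MD5 figures from the
    benchmark slide. Candidate strings are constructed, not a real wordlist."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"constructed-candidate-{i}", ssid)
    return samples / (time.perf_counter() - start)


def md5_rate(samples: int = 20000) -> float:
    """Same measurement for plain MD5 (hashcat mode 0), for comparison."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.md5(f"constructed-candidate-{i}".encode()).digest()
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: different PMK, so rainbow tables
    # only work per SSID.
    print(wpa_pmk("password", "ieee").hex())
    print(f"PMK/s: {pmk_rate('IEEE'):,.0f}   MD5/s: {md5_rate():,.0f}")
```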

  23. Hashcat Basics – Straight Attack Mode & Rules
  • Using the same attack mode, we will use a rule to alter the wordlist. Each rule is applied to every password in the wordlist; the result is hashed and then compared with the hash file. A rule file will generally contain hundreds of rules.
  • For example, one rule might change all of the A’s to 4’s, or perhaps all of the S’s to $’s.
  • Wordlist containing the following words: Password, Hashcat, Is, Awesome.
  • Rule alters the words to: p4$$word, ha$hcat, is, 4we$ome
  • A popular ruleset is best64.rule, which comes with hashcat.
  • Command: hashcat -a 0 -m 0 md5hashes.txt google10000.txt -r /usr/share/hashcat/rules/best64.rule
  • DEMO
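A small interpreter for the rule functions the slide describes (lowercase, substitute, append, prepend), added here as an illustration rather than taken from hashcat or the slides, and used the way a defender would: to test whether a proposed password is just a common word under one rule line. WORDS and RULES are constructed samples; the function names are my own.

```python
def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line built from a subset of hashcat's rule functions
    (the same language best64.rule is written in): ':' no-op, 'l' lowercase,
    'u' uppercase, 'c' capitalise, 'r' reverse, 'sXY' replace every X with Y,
    '$X' append X, '^X' prepend X. Spaces between functions are ignored."""
    w, i = word, 0
    while i < len(rule):
        f = rule[i]
        if f in ": ":
            pass
        elif f == "l":
            w = w.lower()
        elif f == "u":
            w = w.upper()
        elif f == "c":
            w = w[:1].upper() + w[1:].lower()
        elif f == "r":
            w = w[::-1]
        elif f == "s":
            w = w.replace(rule[i + 1], rule[i + 2])  # hashcat replaces all occurrences
            i += 2
        elif f in "$^":
            w = w + rule[i + 1] if f == "$" else rule[i + 1] + w
            i += 1
        else:
            raise ValueError(f"unsupported rule function {f!r}")
        i += 1
    return w


def expand_wordlist(words, rules):
    """Every candidate a straight attack with -r would hash: each word under each rule."""
    return {apply_rule(w, r) for w in words for r in rules}


def is_rule_mutation(candidate: str, words, rules) -> bool:
    """Policy check: does a common word plus a single rule line reproduce this password?"""
    return candidate in expand_wordlist(words, rules)


# Constructed sample: the slide's wordlist and three hypothetical rule lines.
WORDS = ["Password", "Hashcat", "Is", "Awesome"]
RULES = [":", "l sa4 ss$", "c $1"]

if __name__ == "__main__":
    for w in WORDS:
        print(w, "->", apply_rule(w, "l sa4 ss$"))
    print(is_rule_mutation("p4$$word", WORDS, RULES))
```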

  24. Hashcat Basics – Combinator Attack Mode (-a 1)
  • The combinator attack mode concatenates wordlists: every word in the first list is joined with every word in the second.
  • If we had two wordlists:
    • Wordlist1: Hashcat, Is, Awesome.
    • Wordlist2: Random, Words, Combinator.
    • Combined: hashcatrandom, hashcatwords, hashcatcombinator, etc.
  • Command: hashcat -a 1 -m 0 md5hashes.txt wordlist1.txt wordlist2.txt
  • DEMO

  25. Hashcat Basics – Combinator Utility
  • We can also use the combinator utility from hashcat-utils to create a permanent, combined dictionary.
  • Commands:
    • mv /usr/lib/hashcat-utils/combinator.bin .
    • ./combinator.bin google10000.txt google10000.txt > google10000combined.txt
    • cat google10000combined.txt
  • Now we can use this in the straight attack mode, since the dictionary is already combined: hashcat -a 0 -m 0 md5hashes.txt google10000combined.txt

  26. Hashcat Basics – Brute-force (-a 3)
  • This is by far the slowest and most inefficient way of cracking any password.
  • Syntax (built-in charsets):
    • ?l = abcdefghijklmnopqrstuvwxyz
    • ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
    • ?d = 0123456789
    • ?h = 0123456789abcdef
    • ?H = 0123456789ABCDEF
    • ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  • You can also define custom character sets using -1 [CHARACTERS] (likewise -2, -3, -4) and then reference them as ?1 etc. in the mask.
  • Command: hashcat -a 3 -m 0 md5hashes.txt -1 ?l?d?s?u ?1?1?1?1?1?1 -w 3
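Added example, not from the slides: how large a mask's keyspace is and how long it takes to exhaust at a benchmark rate in the units from slide 19, which is how you estimate whether a password policy survives the brute-force mode. The mask syntax and charset contents are hashcat's as listed above; the function names are my own.

```python
import string

# hashcat's built-in charsets, exactly as listed on the slide.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
# Benchmark units from the benchmarking slide.
UNITS = {"H/s": 1, "kH/s": 1e3, "MH/s": 1e6, "GH/s": 1e9,
         "TH/s": 1e12, "PH/s": 1e15, "EH/s": 1e18}


def tokens(mask: str):
    """Split a mask or charset spec into '?x' references and literal characters."""
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            yield mask[i:i + 2]
            i += 2
        else:
            yield mask[i]
            i += 1


def expand(spec: str, custom: dict) -> str:
    """Distinct characters of a spec such as '?l?d?s?u' or 'ab?d' (duplicates collapse, as in hashcat)."""
    chars = set()
    for tok in tokens(spec):
        if tok == "??":
            chars.add("?")
        elif tok.startswith("?"):
            key = tok[1]
            chars.update(BUILTIN[key] if key in BUILTIN else custom[key])
        else:
            chars.add(tok)
    return "".join(sorted(chars))


def keyspace(mask: str, custom_specs=None) -> int:
    """Candidates a mask generates; custom_specs maps '1'..'4' to the -1..-4 arguments."""
    custom = {}
    for k, spec in (custom_specs or {}).items():   # -2 may refer to ?1, so expand in order
        custom[k] = expand(spec, custom)
    total = 1
    for tok in tokens(mask):
        total *= len(expand(tok, custom))
    return total


def seconds_to_exhaust(space: int, rate: str) -> float:
    """Worst-case time for a mask at a benchmark rate written like '1200 MH/s'."""
    value, unit = rate.split()
    return space / (float(value) * UNITS[unit])
```

The slide's own mask, `keyspace("?1?1?1?1?1?1", {"1": "?l?d?s?u"})`, is 95^6 candidates; `seconds_to_exhaust` of that at a given MD5 or WPA rate shows the gap between the two hash modes.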

  27. Hashcat Basics – PACK (Password Analysis and Cracking Kit)
  • We use PACK to analyse datasets: PACK looks for the most common patterns within a password dataset and creates masks from them. To understand why this is useful, we first need to see what it actually does.
  • So the steps we will be following, in sequence, are:
    • analysing a dataset using statsgen
    • creating a mask using maskgen
    • converting the mask to a hcmask file
  • As this takes some time, I have prepared the files for use in this demo.

  28. Hashcat Basics – PACK (statsgen)
  • Command: statsgen hashesorgwordlist --minlength=5 --maxlength=6 --hiderare -o hashesorg.masks
  • Breakdown:
    • statsgen hashesorgwordlist: first we give statsgen the dataset, in this case hashesorgwordlist.
    • --minlength=5 --maxlength=6: the minimum and maximum length of the passwords we wish to analyse.
    • --hiderare: do not show statistics which account for less than 1% of the data sample.
    • -o hashesorg.masks: tells statsgen to write the mask statistics to this file.

  29. Hashcat Basics – PACK (maskgen)
  • Command: maskgen hashesorg.masks --optindex -o hashesorg.hcmask
  • Breakdown:
    • maskgen hashesorg.masks: first we give maskgen the statistics file produced by statsgen.
    • --optindex: the default sort order for the masks (optimal index).
    • -o hashesorg.hcmask: output file name, to then be given to hashcat.
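Added example, not PACK's own code: a minimal statsgen/maskgen in Python, useful for auditing which patterns dominate a list of previously cracked or leaked passwords from your own environment. SAMPLE is a constructed stand-in for the hashesorg wordlist used on the slides, and the --optindex ordering follows PACK's definition (keyspace per occurrence, smallest first); the function names are my own.

```python
from collections import Counter
import string

CLASS_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}   # hashcat charset sizes


def mask_of(password: str) -> str:
    """Mask of one password, using statsgen's four classes (anything not l/u/d is ?s)."""
    out = []
    for ch in password:
        if ch in string.ascii_lowercase:
            out.append("?l")
        elif ch in string.ascii_uppercase:
            out.append("?u")
        elif ch in string.digits:
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def statsgen(passwords, minlength=None, maxlength=None, hiderare=0.0):
    """Mask frequency table [(mask, count, fraction)], most common first, restricted
    to the length window and dropping masks below `hiderare` (--hiderare is 1%, i.e. 0.01)."""
    selected = [p for p in passwords
                if (minlength is None or len(p) >= minlength)
                and (maxlength is None or len(p) <= maxlength)]
    total = len(selected) or 1
    counts = Counter(mask_of(p) for p in selected)
    rows = [(m, c, c / total) for m, c in counts.most_common()]
    return [r for r in rows if r[2] >= hiderare]


def mask_keyspace(mask: str) -> int:
    """Candidates a statsgen mask generates (product of its class sizes)."""
    n = 1
    for i in range(0, len(mask), 2):
        n *= CLASS_SIZE[mask[i:i + 2]]
    return n


def maskgen_optindex(stats):
    """hcmask lines ordered like maskgen --optindex: fewest candidates per hit first."""
    return [m for m, _, _ in sorted(stats, key=lambda r: mask_keyspace(r[0]) / r[1])]


# Constructed sample standing in for the hashesorg wordlist used on the slides.
SAMPLE = ["summer", "Winter", "secret", "hello1", "admin1", "root12", "Pass1!",
          "abc", "verylongpassphrase"]

if __name__ == "__main__":
    stats = statsgen(SAMPLE, minlength=5, maxlength=6)
    print("\n".join(maskgen_optindex(stats)))   # this is the hcmask file content
```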

  30. Hashcat Basics – Hybrid – Wordlist & Mask (-a 6)
  • A hybrid attack mode combines the elements we have already learned about: we take a wordlist and apply a mask to it, effectively appending the mask’s characters to the end of each word.
  • Command: hashcat -a 6 -m 0 demohashes.txt google10000.txt hashesorg.hcmask
  • DEMO

  31. Hashcat Basics – Hybrid – Mask & Wordlist (-a 7)
  • This attack mode is the opposite of the last: the mask is placed in front of each word from the wordlist.
  • Command: hashcat -a 7 -m 0 md5hashes.txt /usr/share/hashcat/masks/rockyou-1-60.hcmask [WORDLIST] -O -w 3
    (-O selects the optimised kernels, -w 3 the high workload profile)
  • DEMO

  32. ANY QUESTIONS?

  33. Gareth Kerr – Cyber Security/RuneSecurity Contact: T7145543@live.tees.ac.uk
