Cracking WPA with oclHashcat GPU on Windows pt 2
This tutorial picks up where part 1 ended. In part 1 we generated the wordlists using Crunch and captured the 4-way handshake:
Part 1: https://youtu.be/1NkK1PGLrQA
Converting .pcap to .hccap: https://youtu.be/1hoGVUAo7xA
oclHashcat downloads
First we need to install AMD Catalyst 14.9 (exactly this version, otherwise oclHashcat won’t work) and download oclHashcat. Windows and Linux versions should work on both 32-bit and 64-bit systems.
oclHashcat 1.35 Windows download: http://hashcat.net/wiki/doku.php?id=oclhashcat
AMD Catalyst 14.9: http://www.techpowerup.com/downloads/2405/amd-catalyst-14-9-software-suite-vista-7-8-64-bit/mirrors (or use AMD website)
Update: Together with the release of Hashcat 2.0, the developers have decided to make Hashcat and oclHashcat an open source project. The source code is available from GitHub: https://github.com/hashcat/
OclHashcat 2.0 has fixes for the following bugs:
- --increment-max problem: it was not possible to set a value equal to the mask length
- table lookup fix: a limit that was in place has now been lifted
- --remove race condition: hashcat did not always guarantee that all cracked hashes would be removed at the end
- -m 1431 = base64(sha256(unicode($pass)))
Cracking WPA with oclHashcat
Store the wordlist text file and the .hccap file in the oclHashcat folder, then right-click the oclHashcat folder and select “Open Command Prompt Here”. Use the following command to start oclHashcat:
oclHashcat64 -m 2500 -w 3 --gpu-temp-retain=60 --status -o cracked.txt upc.hccap alist.txt
-m 2500 = WPA/WPA2
-w 3 = Workload profile high latency
-o = Output file path for result file
Note: --gpu-temp-retain is AMD only.
When oclHashcat is done take a look at the cracked.txt file which is stored in the oclHashcat folder.
Lesson learned
Now that fast GPUs are available at decent prices and are becoming standard in consumer laptops and desktops, the average home user has the power to crack passwords that many end users consider strong and safe. A password containing 8 numbers can be cracked with great ease within a very reasonable time frame (a couple of hours at 20kh/sec). If you are the proud owner of a TP Link router, then change the default password as soon as possible. Consider a password of at least 10 characters containing lower- and uppercase letters, digits and special signs.
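To put numbers on the lesson above, the following added example (not part of the original tutorial) checks a candidate WPA passphrase against the advice in this section and estimates the worst-case brute-force time at the 20 kH/s rate quoted here. The function names, the printable-ASCII character classes and the sample passphrases are assumptions made for illustration.

```python
import string

PAGE_RATE_HS = 20_000  # guesses/second quoted on this page (20 kH/s)

# Character classes (assumption: printable ASCII, the set WPA passphrases allow).
CLASSES = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "special": string.punctuation + " ",
}

def classes_used(passphrase):
    """Names of the character classes that appear in the passphrase."""
    for ch in passphrase:
        if not any(ch in chars for chars in CLASSES.values()):
            raise ValueError(f"not printable ASCII: {ch!r}")
    return [n for n, chars in CLASSES.items() if any(c in chars for c in passphrase)]

def keyspace(passphrase):
    """Candidates an exhaustive search over the used classes must cover."""
    alphabet = sum(len(CLASSES[n]) for n in classes_used(passphrase))
    return alphabet ** len(passphrase)

def worst_case_hours(passphrase, rate_hs=PAGE_RATE_HS):
    """Upper bound for brute force only; a wordlist hit can come far sooner."""
    return keyspace(passphrase) / rate_hs / 3600

def audit(passphrase, rate_hs=PAGE_RATE_HS):
    """Check a passphrase against the advice in the 'Lesson learned' section."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("WPA/WPA2 passphrases must be 8 to 63 characters")
    if len(passphrase) < 10:
        findings.append("shorter than 10 characters")
    used = classes_used(passphrase)
    for name in CLASSES:
        if name not in used:
            findings.append(f"no {name} characters")
    return {"hours": worst_case_hours(passphrase, rate_hs), "findings": findings}

if __name__ == "__main__":
    # Constructed samples: an 8-digit default-style key and a 12-character mixed one.
    for sample in ("12345678", "Blue7!kettle"):
        report = audit(sample)
        print(f"{sample!r}: {report['hours']:.3g} h worst case, {report['findings'] or 'ok'}")
```

The estimate covers exhaustive search only, so a passphrase built from dictionary words can fall to a wordlist much sooner than the figure suggests.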