oclHashcat-plus accepts WPA/WPA2 hashes in its own “hccap” file format. Assuming you have already captured a 4-way handshake using airodump-ng, Wireshark or tcpdump, the next step is to convert the .cap file to a format oclHashcat-plus will understand. The easiest way is to go to one of these sites for converting:
Upload your .cap and get a .hccap file.
The problem with that is that you upload some sensitive data to a strange place. If you don't mind, go for it.
Otherwise, here is what they do (in this order):
Download and install the latest Aircrack build here. The list of builds is upside down so the latest can be found at the bottom of the page.
Example working code for wpaclean.
wpaclean <out.cap> <in.cap>
Please note that the wpaclean options are the wrong way round: <out.cap> <in.cap> instead of <in.cap> <out.cap>, which may cause some confusion.
Example working code for aircrack .cap conversion to .hccap.
aircrack-ng <out.cap> -J <out.hccap>
Note that the -J is a capital J, not a lower case j.
A script is provided here to automate this process.
oclHashcat-plus is very flexible, so I'll cover the three most common and basic scenarios:
oclHashcat-plus64.exe -m 2500 capture.hccap rockyou.txt
pause
NOTE: If your OS is 32 bit, then replace 64 with 32 in the binary name.
Execute the attack using the batch file, which should be changed to suit your needs.
oclhashcat-plus64.exe -m 2500 -a3 capture.hccap ?d?d?d?d?d?d?d?d
pause
This will feed digits-only candidates of length 8 to oclHashcat-plus; replace the ?d as needed.
It would be wise to first estimate the time it would take to process using a calculator.
TBD: add some example timeframes for common masks / common speed
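The estimate mentioned above can be worked out from the mask itself. The following is an added example, not part of the original page or of the oclHashcat-plus distribution: the function names are hypothetical and the speed is a constructed placeholder that should be replaced with a figure measured on your own hardware.

```python
# Added example: keyspace and worst-case run time for a hashcat-style mask.

# Sizes of the built-in mask charsets: ?l lower, ?u upper, ?d digit,
# ?s special (incl. space), ?a all printable ASCII.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_positions(mask):
    """Return the number of possible characters at each mask position."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)            # literal character: one choice
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        token = mask[i + 1]
        if token == "?":
            sizes.append(1)            # '??' is a literal question mark
        elif token in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[token])
        else:
            raise ValueError(f"unsupported charset ?{token}")
        i += 2
    return sizes


def keyspace(mask):
    """Total candidates for the mask; WPA passphrases are 8-63 characters."""
    sizes = mask_positions(mask)
    if not 8 <= len(sizes) <= 63:
        raise ValueError(f"mask length {len(sizes)} is outside 8-63")
    total = 1
    for n in sizes:
        total *= n
    return total


def worst_case_seconds(mask, hashes_per_second):
    """Seconds needed to exhaust the whole mask at a measured speed."""
    return keyspace(mask) / hashes_per_second


if __name__ == "__main__":
    SPEED = 100_000  # constructed placeholder (hashes/s); use your own benchmark
    for m in ("?d?d?d?d?d?d?d?d", "?l?l?l?l?l?l?l?l", "?a?a?a?a?a?a?a?a"):
        days = worst_case_seconds(m, SPEED) / 86400
        print(f"{m}  keyspace={keyspace(m):,}  worst case={days:,.2f} days")
```

The figure returned is the time to exhaust the whole mask; on average a matching candidate is found after half of it.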
This is similar to a dictionary attack, but the commands look a bit different:
oclHashcat-plus64.exe -m 2500 -r rules/best64.rule capture.hccap rockyou.txt
pause
This will mutate the rockyou wordlist with the best64 rules, which come with the oclHashcat-plus distribution.
Change as necessary, and remember that the time the attack takes to finish will increase proportionally with the number of rules.