Cracking WPA/WPA2 with oclHashcat

The .cap and .hccap

oclHashcat accepts the WPA/WPA2 hashes in it's own “hccap” file. Assuming you already captured a 4-way handshake using airodump-ng, Wireshark or tcpdump, the next step will be converting the .cap file to a format oclHashcat will understand. The easiest way is to go to one of these sites for converting:

Upload your .cap and get a .hccap file.

The problem with that is that you upload some sensitive data to a strange place. If you dont mind go for it.

Otherwise here is what they do (in this order):

  1. Run it through “wpaclean” utility. NOTE!! Sometimes running wpaclean can damage your capture file. See here for more details:
  2. Convert it with “aircrack-ng” using the -J option
To convert your .cap files manually in Backtrack.

Download and install the latest Aircrack build here. The list of builds is upside down so the latest can be found at the bottom of the page.

Example working code for wpaclean.

wpaclean <out.cap> <in.cap>

Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion.

Example working code aircrack .cap conversion to .hccap

aircrack-ng <out.cap> -J <out.hccap>

Note the -J is a capitol J not lower case j.

A script is provided here to automate this process.


oclHashcat is very flexible, so I'll cover three most common and basic scenarios:

Dictionary attack

  • Grab some wordlist, like Rockyou.
  • Put it into oclHashcat folder.
  • Rename your converted capture file “capture.hccap”.
  • Create a batch file “attack.bat”.
  • Open it with a text editor, and paste the following:
oclHashcat64.exe -m 2500 capture.hccap rockyou.txt

NOTE: If your OS is 32 bit, then replace 64 with 32 in the binary name.

Execute the attack using the batch file, which should be changed to suit your needs.

Brute-Force Attack

  • Rename your converted capture file “capture.hccap”.
  • Create a batch file “attack.bat”.
  • Open it with a text editor and paste the following:
oclHashcat64.exe -m 2500 -a3 capture.hccap ?d?d?d?d?d?d?d?d

This will pipe len8 digits only to oclHashcat, replace the ?d as needed.

Would be wise to first estimate the time it would take to process using a calculator.

TBD: add some example timeframes for common masks / common speed

Rule-based attack

This is a similar to Dictionary attack, but commands look a bit different:

oclHashcat64.exe -m 2500 -r rules/best64.rule capture.hccap rockyou.txt

This will mutate rockyou wordlist with best 64 rules, which come along in oclHashcat distribution.

Change as necessary and remember, the time it will take the attack to finish will increase proportionally with the amount of rules.

What are rules ?