Digg Del.icio.us Reddit Facebook Stumble Upon Twitter
 

Table of Contents

Cracking WPA/WPA2 with Oclhc-plus

The .cap and .hccap

oclHashcat-plus accepts the WPA/WPA2 hashes in it's own “hccap” file. Assuming you already captured a 4-way handshake using airodump-ng, Wireshark or tcpdump, the next step will be converting the .cap file to a format oclHashcat-plus will understand. The easiest way is to go to one of these sites for converting:

Upload your .cap and get a .hccap file.

The problem with that is that you upload some sensitive data to a strange place. If you dont mind go for it.

Otherwise here is what they do (in this order):

  1. Run it through “wpaclean” utility
  2. Convert it with “aircrack-ng” using the -J option
To convert your .cap files manually in Backtrack.

Download and install the latest Aircrack build here. The list of builds is upside down so the latest can be found at the bottom of the page.

Example working code for wpaclean. 

wpaclean <out.cap> <in.cap>

Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion.

Example working code aircrack .cap conversion to .hccap 

aircrack-ng <out.cap> -J <out.hccap>

Note the -J is a capitol J not lower case j.

A script is provided here to automate this process.

Preparation

oclHashcat-plus is very flexible, so I'll cover three most common and basic scenarios:

  1. Dictionary attack
  2. Brute-Force attack
  3. Rule-based attack

Dictionary attack

  • Grab some wordlist, like Rockyou.
  • Put it into oclhc-plus folder.
  • Rename your converted capture file “capture.hccap”.
  • Create a batch file “attack.bat”.
  • Open it with a text editor, and paste the following:
oclHashcat-plus64.exe -m 2500 capture.hccap rockyou.txt
pause

NOTE: If your OS is 32 bit, then replace 64 with 32 in the binary name.

Execute the attack using the batch file, which should be changed to suit your needs.

Brute-Force Attack

  • Rename your converted capture file “capture.hccap”.
  • Create a batch file “attack.bat”.
  • Open it with a text editor and paste the following:
oclhashcat-plus64.exe -m 2500 -a3 capture.hccap ?d?d?d?d?d?d?d?d
pause

This will pipe len8 digits only to oclhc-plus, replace the ?d as needed.

Would be wise to first estimate the time it would take to process using a calculator.

TBD: add some example timeframes for common masks / common speed

Rule-based attack

This is a similar to Dictionary attack, but commands look a bit different: 

oclHashcat-plus64.exe -m 2500 -r rules/best64.rule capture.hccap rockyou.txt
pause

This will mutate rockyou wordlist with best 64 rules, which come along in oclHashcat-plus distribution.

Change as necessary and remember, the time it will take the attack to finish will increase proportionally with the amount of rules.

What are rules ?