At a complete loss - mask attack how to
#1
Hi, thanks for your help in advance. I'm just so confused about how to get the following attack set up. I've been reading so much and watching how-to videos that I'm lost with all the different ways of doing it, and some things I can't find answers for.

What I want to achieve is to find the WPA password of my home network using the brute-force/mask attack, which seems the most suitable (https://hashcat.net/wiki/doku.php?id=mask_attack), against a WPA capture file I have the handshake for; this might not be the right method for what I want to do.

So my questions, and what I need clarified, are below. I hope this all makes sense.

  • Is this a good method for what I want to achieve, assuming that I don't know the password but do know what characters are in the pw? It is 10 chars long with letters and numbers, e.g. as648tarzb (I have used another method to find the password with a wordlist, which worked).
  • Do I need to make a wordlist with all the possible passwords, then convert them into a hash file? Or do I make a text file like rockyou with a-z 1-9 in it?
  • What is the correct hashcat command I want to use to get the password?
  • Do I need to convert the .cap file to .hc22000 or hccap file? Which one?
  • Do I need to define the charset? If the password is 10 characters in length with letters and numbers, where does the '?d?d?d?d?..' length thing come into play, or is it even used in this attack?
I'm a bit lost trying to write down and describe what I want to do, so I hope it makes sense.

Overall, does anyone have a good tutorial from start to finish for setting up this attack, which includes how to make hashes.txt, converting the .cap file, making a mask file etc.?

Thank you.
#2
A 10-character brute force on a single card will be very difficult. Going by your initial post you are using all lowercase (26) and digits (10), so you will be accounting for 36^10 = 3,656,158,440,062,976 possible combinations of passwords, which is a big number.

When attempting anything which is considered a "slow" hash such as WPA2, it is smarter to do some digging into the device itself. For example, the make and model may already have a default keygen for the wifi password, the MAC address might be the default password, or you can find labels from the same makes and models to get an idea of the keyspace.

Around here a lot of the default passwords are typically phone numbers, which is simply 10 digits. However, if you have specific area codes you can diminish that keyspace by 3 digits because they will always be fixed, such as 555xxxxxxx. This leaves you with only 7 digits, which can be accomplished in a matter of seconds rather than days.

It is smarter to do smaller, more precise attacks than big, long attacks. As for your password being a complete jumble of letters and numbers, you may want to look into whether it really is random or perhaps specific positions of characters are locked. For example, in your situation of as648tarzb, maybe the 3rd character is ALWAYS a 6, or perhaps the last character is always a lowercase letter. By finding out as much information as possible about your target you can shorten your time spent "guessing" and create more attempts if it doesn't work out.

As for creating a wordlist out of a mask, no, that is the complete opposite of what a mask attack is. A mask attack generates your candidates on the fly, so no storage space is wasted.

For your attack, if you want to check out what kind of time frame it would take for you to attempt a lowercase+digit mask attack you can use this which I will explain:

Code:
hashcat -a 3 -m 22000 -1 ?d?l hash.txt ?1?1?1?1?1?1?1?1?1?1

-a 3 determines your attack mode, (3) being mask attack.
-m 22000 determines your hash mode (22000).
-1 is for creating a custom character set; in this case we are using digits (?d) and lowercase (?l) combined.
hash.txt will contain your WPA2 capture converted to hash mode 22000 using the hcxtools suite or an online converter.
After your hash you will have your keyspace (?1), which is 10 characters long as you have mentioned.

Hopefully this gives you some good info.
#3
Also look at this documentation regarding creating and manipulating your captures.

https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
#4
Thanks for your reply sylexe. So, to clarify some things after reading your reply and the doco and trying to get this to sink in, I'm going to go step by step so this all makes sense and I can write down the instructions.

Code:
hashcat -a 3 -m 22000 -1 ?d?l hash.txt ?1?1?1?1?1?1?1?1?1?1

1. So this command is suitable to try and guess/crack the wifi password using a mask attack, and the -a 3 tells hc to use this method.
2. The -m 22000 determines the hash type to use, and there are many, many hash modes (like 900 = MD4 or 22000 = WPA-PBKDF2-PMKID+EAPOL).
3. The -1 ?d?l tells hc to use lowercase alpha and numbers in the attempts, e.g. abcde...tuvwxyz & 1-9.
4. The ?1?1?1?1?1?1?1?1?1?1 tells hc to use a 10-character password length.

Next is the hash.txt file, and I'm lost after reading the doco.
1. I can grab the handshake .cap file as normal with airodump-ng? Is this the right method, or is there another program I should use?
2. Once I have the .cap I could then put the file through https://www.onlinehashcrack.com/tools-ca...verter.php, and
(a) paste the output (like the screenshot below) into a text file and call it hashes.txt? Or
(b) take the hash, paste it into a new file and call it file.hc22000?

[Attachment: Capture.PNG]

Assuming option (a) is correct, I then run hashcat -a 3 -m 22000 -1 ?d?l hash.txt ?1?1?1?1?1?1?1?1?1?1, and this will begin the process.

I just tried the command and it looks to be working, as per below! But the estimated time to finish is 467 years, lol.

[Attachment: Capture2.PNG]

One last question about the mask attack. As I know what the password is and that it has numbers in certain places, can you use the ?1?1?1?1?1?1?1?1?1?1 and make it use numbers in certain positions (placeholders), like in the as648tarzb password? Can this be done, and if so how? Also, hc says it will take 467 years to find this password. Wow.
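Added example, not code from this thread or from hashcat: a small keyspace calculator for the mask syntax sylexe explains in #2, applied to the positional question in #4. It shows how fixing digits in known positions shrinks the 36^10 keyspace of ten ?1 to 26^7 x 10^3, and how a literal prefix such as a 555 area code leaves only 7 free digits. The 250,000 H/s rate is an assumed figure for illustration, not a measured one.

```python
"""Keyspace calculator for hashcat masks (added example). Covers built-in charsets
?l ?u ?d ?s ?a, custom charsets ?1..?4 (the -1 .. -4 options, which may reference
built-ins), ?? for a literal '?', and literal characters fixed at a position."""
import string

BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": " " + string.punctuation}   # ?s is 33 chars
BUILTIN["a"] = "".join(BUILTIN[k] for k in "luds")             # 95 printable ASCII

def expand_charset(spec, custom=None):
    """Set of characters a charset spec such as '?d?l' or 'ab?d' covers."""
    table = {"?": "?", **BUILTIN, **(custom or {})}   # ?? is a literal question mark
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            if spec[i + 1] not in table:
                raise ValueError(f"unknown charset ?{spec[i + 1]}")
            chars.update(table[spec[i + 1]])
            i += 2
        else:
            chars.add(spec[i])   # literal character, one candidate at this position
            i += 1
    return chars

def keyspace(mask, custom_specs=None):
    """Number of candidates the mask generates. custom_specs maps '1'..'4' to the
    spec passed to -1 .. -4 (evaluated in order, so -2 may reference ?1)."""
    custom = {}
    for k, spec in (custom_specs or {}).items():
        custom[k] = expand_charset(spec, custom)
    total, i = 1, 0
    while i < len(mask):   # one token per position: '?x' or a literal character
        tok = mask[i:i + 2] if mask[i] == "?" and i + 1 < len(mask) else mask[i]
        total *= len(expand_charset(tok, custom))
        i += len(tok)
    return total

def eta_days(space, hashes_per_second):
    """Time to exhaust the whole keyspace at a given rate, in days."""
    return space / hashes_per_second / 86400

if __name__ == "__main__":
    rate = 250_000   # assumed WPA2 rate for a single GPU, constructed for illustration
    for mask, custom in [("?1" * 10, {"1": "?d?l"}),          # post #2 command
                         ("?l?l?d?d?d?l?l?l?l?l", None),       # digits fixed at 3-5
                         ("555?d?d?d?d?d?d?d", None)]:         # known area code
        ks = keyspace(mask, custom)
        print(f"{mask:22s} {ks:>20,d} candidates  ~{eta_days(ks, rate):,.1f} days")
```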