Posts: 6
Threads: 1
Joined: Aug 2013
Hi Guys
I'm hoping to work eventually as a penetration tester and I'm trying to pick up the wireless security side of pentesting
so I'm experimenting on my own home wireless, WPA2
I've an NVIDIA GTX 550 Ti card
I cracked my own Win8 user LM hash in 10 minutes (8 characters, upper/lower and number) - pwdump etc.
but when trying my WPA2 with a handshake I got from my wireless
using the following syntax:
cudaHashcat-plus64.exe --hash-type 2500 --attack-mode 3 --outfile C:\Users\username\Desktop\capture.hccap.out C:\Users\username\Desktop\capture.hccap ?u?u?u?u?u?u?u?u?u
now I know my password is 9 digits, all uppercase
but it reckons at 12515 H/s it will take more than 10 years to try every combination
can anyone point me in the right direction to optimising this based on the command line I supplied?
there must be quicker ways of brute-forcing this?
many thanks for your help
Posts: 621
Threads: 57
Joined: May 2010
08-26-2013, 03:50 AM
(This post was last modified: 08-26-2013, 03:51 AM by mastercracker.)
(08-26-2013, 12:01 AM)garethgtt Wrote: Hi Guys
I'm hoping to work eventually as a penetration tester and I'm trying to pick up the wireless security side of pentesting
so I'm experimenting on my own home wireless, WPA2
I've an NVIDIA GTX 550 Ti card
I cracked my own Win8 user LM hash in 10 minutes (8 characters, upper/lower and number) - pwdump etc.
but when trying my WPA2 with a handshake I got from my wireless
using the following syntax:
cudaHashcat-plus64.exe --hash-type 2500 --attack-mode 3 --outfile C:\Users\username\Desktop\capture.hccap.out C:\Users\username\Desktop\capture.hccap ?u?u?u?u?u?u?u?u?u
now I know my password is 9 digits, all uppercase
but it reckons at 12515 H/s it will take more than 10 years to try every combination
can anyone point me in the right direction to optimising this based on the command line I supplied?
there must be quicker ways of brute-forcing this?
many thanks for your help
It's a big keyspace and a slow algorithm, so there would not be much optimization to do without more knowledge. First you can try higher -u and -n settings to see what your card can support. Secondly, if for example your password is GARETHGTT and you know that it starts with GARET, you can use the mask GARET?u?u?u?u. This cuts down the keyspace a lot, but you need some knowledge of the password. Otherwise, try dictionary attacks. Bruteforcing is really not the best attack type in your case.
Posts: 6
Threads: 1
Joined: Aug 2013
(08-26-2013, 03:50 AM)mastercracker Wrote: (08-26-2013, 12:01 AM)garethgtt Wrote: Hi Guys
I'm hoping to work eventually as a penetration tester and I'm trying to pick up the wireless security side of pentesting
so I'm experimenting on my own home wireless, WPA2
I've an NVIDIA GTX 550 Ti card
I cracked my own Win8 user LM hash in 10 minutes (8 characters, upper/lower and number) - pwdump etc.
but when trying my WPA2 with a handshake I got from my wireless
using the following syntax:
cudaHashcat-plus64.exe --hash-type 2500 --attack-mode 3 --outfile C:\Users\username\Desktop\capture.hccap.out C:\Users\username\Desktop\capture.hccap ?u?u?u?u?u?u?u?u?u
now I know my password is 9 digits, all uppercase
but it reckons at 12515 H/s it will take more than 10 years to try every combination
can anyone point me in the right direction to optimising this based on the command line I supplied?
there must be quicker ways of brute-forcing this?
many thanks for your help
It's a big keyspace and a slow algorithm, so there would not be much optimization to do without more knowledge. First you can try higher -u and -n settings to see what your card can support. Secondly, if for example your password is GARETHGTT and you know that it starts with GARET, you can use the mask GARET?u?u?u?u. This cuts down the keyspace a lot, but you need some knowledge of the password. Otherwise, try dictionary attacks. Bruteforcing is really not the best attack type in your case.
Hey thanks for your reply.
my WPA2 key is something like TCVNNGSXN, so how could a dictionary attack work against something like that?
I know I can generate a wordlist of every combination; I think it requires about 2TB of disk space. I know with aircrack/crunch, if I use something like this command line:
crunch 9 9 ABCDEFGHIJKLMNOPQRSTUVWXYZ | aircrack-ng -b 00:0C:F6:55:E6:6C -w - /root/WPA-01.cap
it generates the file and tests it on the fly without using hard disk space
isn't this just brute-forcing though?
if not, how can I leverage this using GPU power instead?
Posts: 6
Threads: 1
Joined: Aug 2013
(08-26-2013, 03:50 AM)mastercracker Wrote: First you can try higher -u and -n settings to see what your card can support.
I'm not sure what you mean by this, can you elaborate?
also, using an optimal PC with multiple GPU cards, how much can I increase the 12515 H/s to?
I'm quite happy to buy all the cards I need to make this viable as this will be a career move for me
Posts: 2,936
Threads: 12
Joined: May 2012
(08-26-2013, 06:17 AM)garethgtt Wrote: (08-26-2013, 03:50 AM)mastercracker Wrote: First you can try higher -u and -n settings to see what your card can support.
I'm not sure what you mean by this, can you elaborate?
Read the output of --help and read the wiki page on oclHashcat-plus. Then you will understand what -n and -u do.
(08-26-2013, 06:17 AM)garethgtt Wrote: also, using an optimal PC with multiple GPU cards, how much can I increase the 12515 H/s to?
Nvidia cards suck for hash cracking, get high-end AMD GPUs instead. A single Radeon 7970 can do about 130000 H/s.
Posts: 621
Threads: 57
Joined: May 2010
Quote:my WPA2 key is something like TCVNNGSXN, so how could a dictionary attack work against something like that?
I know I can generate a wordlist of every combination; I think it requires about 2TB of disk space. I know with aircrack/crunch, if I use something like this command line:
crunch 9 9 ABCDEFGHIJKLMNOPQRSTUVWXYZ | aircrack-ng -b 00:0C:F6:55:E6:6C -w - /root/WPA-01.cap
it generates the file and tests it on the fly without using hard disk space
isn't this just brute-forcing though?
if not, how can I leverage this using GPU power instead?
If your password is random then yes, there is no point in generating a dictionary for it. You are stuck with bruteforcing the keyspace. It's up to you to decide if that crack is worth the time and money investment.
Posts: 6
Threads: 1
Joined: Aug 2013
Radeon 7970 it is then
what kind of timeframe am I looking at to brute-force a random 9-digit uppercase alphabet key then with this card?
what about 2 cards?
Posts: 2,301
Threads: 11
Joined: Jul 2010
according to epixoip's post one 7970 will do 130kH/s
therefore:
>>> (26**9)/130000/60/60/24
483.3959828148148
result in days. Two cards will halve the time.
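As an added example (not code from the thread or from hashcat), the same arithmetic as a small keyspace calculator for hashcat-style masks. It reproduces the (26**9)/130000 figure in this post and shows the effect of the GARET?u?u?u?u mask suggested earlier in the thread, i.e. how much a known prefix shrinks the search. The per-card rates (12515 H/s for the GTX 550 Ti, 130000 H/s for one 7970) are the numbers quoted in the thread; the assumption that rate scales linearly with card count is the thread's own simplification.

```python
# Added example, not code from the thread: keyspace and time-to-exhaust
# estimates for hashcat-style brute-force masks. Charset sizes follow the
# commonly used subset of hashcat's built-in sets (?l ?u ?d ?s ?a).

CHARSET_SIZES = {
    "l": 26,   # ?l  a-z
    "u": 26,   # ?u  A-Z
    "d": 10,   # ?d  0-9
    "s": 33,   # ?s  printable specials, space included
    "a": 95,   # ?a  all printable ASCII (?l?u?d?s)
}

SECONDS_PER_DAY = 60 * 60 * 24


def mask_keyspace(mask):
    """Count the candidates a brute-force mask enumerates.

    '?x' is a charset placeholder, '??' is a literal '?', and any other
    character is a fixed literal that contributes a factor of 1.
    """
    total = 1
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            sym = mask[i + 1]
            if sym != "?":
                if sym not in CHARSET_SIZES:
                    raise ValueError("unknown charset ?%s" % sym)
                total *= CHARSET_SIZES[sym]
            i += 2
        else:
            i += 1
    return total


def days_to_exhaust(keyspace, hashes_per_second, cards=1):
    """Days needed to try every candidate at the given per-card rate.

    Assumes (as the thread does) that the rate scales linearly with the
    number of cards; a real rig loses a little to overhead.
    """
    return keyspace / (hashes_per_second * cards) / SECONDS_PER_DAY


if __name__ == "__main__":
    full = mask_keyspace("?u?u?u?u?u?u?u?u?u")      # the original command's mask
    prefixed = mask_keyspace("GARET?u?u?u?u")        # mask with a known 5-char prefix
    print("9 x ?u keyspace:", full)
    print("GTX 550 Ti @ 12515 H/s: %.1f years"
          % (days_to_exhaust(full, 12515) / 365.25))
    print("one 7970 @ 130 kH/s: %.1f days" % days_to_exhaust(full, 130000))
    print("two 7970s: %.1f days" % days_to_exhaust(full, 130000, cards=2))
    print("GARET?u?u?u?u keyspace: %d -> %.1f seconds on one 7970"
          % (prefixed, days_to_exhaust(prefixed, 130000) * SECONDS_PER_DAY))
```

The same function is useful from the defensive side: plugging in a candidate passphrase policy (mask) and a published per-card rate gives a quick lower bound on how long a captured handshake would resist an offline attack, which is the number that decides whether a 9-character uppercase key is an adequate WPA2 passphrase.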
Posts: 21
Threads: 4
Joined: Jul 2013
08-27-2013, 03:09 AM
(This post was last modified: 08-27-2013, 03:09 AM by jb_bak.)
(08-26-2013, 10:25 PM)undeath Wrote: according to epixoip's post one 7970 will do 130kH/s
therefore:
>>> (26**9)/130000/60/60/24
483.3959828148148
result in days. Two cards will halve the time.
So you're saying two 7970s will take over half a year to BF a 9 digit WPA??!?!?!
Posts: 2,936
Threads: 12
Joined: May 2012
yes, two 7970s will take over half a year to brute force a nine-character wpa key comprised of all uppercase letters.
wpa is properly slow.