now this video is part of my hashcat course where I show you how to use hashcat and crack various hashes may this be a warning to you and your family why you shouldn't use bad passwords on your Wi-Fi networks don't use your telephone number as an example how long do you think it'll take hackers to crack a 10 digit password on a Wi-Fi network in this example I've got a laptop with a GPU in it I'm going to crack a 10 digit password let's see how long it takes press enter hashcat is starting hashcat allows hackers to crack passwords very very quickly and this is only a laptop notice here it took 4 seconds to crack this password the password in this example is really really bad 0015551234 10 digit Wi-Fi password 4 seconds to crack with a laptop here's another example with a computer we are cracking a 10 digit Wi-Fi password in this example using that computer as you can see hashcat is starting according to this it could take 2 hours to crack this password but actually it took 18 seconds to crack the password which is 800555123 really bad passwords but notice in the worst case scenario it would have taken 2 hours to crack it with a single GPU in that computer and that isn't even the latest GPU on the market today it's only an AMD Radeon RX 6900 XT in this laptop I have a more modern GPU but in the worst case scenario it would have taken 2 hours and 48 minutes to crack a 10 digit password but it didn't take very long it only took 4 seconds to crack that password hashcat -I shows us the GPU running in this laptop as you can see here it's an NVIDIA GeForce RTX 4090 laptop GPU now what's interesting is the laptop has a more modern GPU but it only supports 9843 kH/s computer there has an older GPU but it supports 1065.4 kH/s a second so it's faster than the laptop but that also makes sense because this is a laptop constrained by space and that's got a massive GPU in it so just be aware GPUs have different performance levels more modern GPUs are obviously a lot 
quicker but they can be used by hackers and security researchers and put into farms where many GPUs are combined together to speed this up even more don't use bad passwords now in the real world hackers and researchers will use rigs like the following with many GPUs to speed up the cracking of Wi-Fi passwords or other hashes they may also even use GPUs in the cloud to speed this up in this example over 3 and a half thousand Wi-Fi passwords were cracked very easily by a security researcher this kind of stuff happens all the time moral of the story is don't use bad Wi-Fi passwords don't use your telephone number as your Wi-Fi password now people often say this when I demonstrate these kind of attacks no one uses bad passwords TP-Link routers like this by default use eight digit passwords never use the default password on a TP-Link router always change it to something much more secure use alphanumeric passwords use special characters as part of your password don't use 8-digit passwords or 10 digit passwords make your password 20 characters in length and mix your characters to make it much harder to crack these kind of demonstrations are not possible if you use better passwords or you use WPA3 in today's world you want to use WPA3 or at least Protected Management Frames or PMF on your Wi-Fi networks don't just use standard WPAv2 you want to use WPAv3 now in this video I'm going to show you how to attack a Wi-Fi network using hashcat and other tools in a lot of demonstrations out there including some of my demonstrations you need a client to connect to the Wi-Fi network so you need someone with a phone or another device to connect to the Wi-Fi network and you need to capture the four-way handshake by knocking the client off the Wi-Fi network and then when the client reconnects you capture the four-way handshake and then crack the password you don't need to do that any longer with the tools that I'm going to demonstrate in this video you don't even need a 
client you can simply attack a Wi-Fi network again use WPAv3 to stop these kind of attacks so I'm going to show you an example using a WPAv2 network I'm attacking my own Wi-Fi networks I have given myself permission to attack them never attack a Wi-Fi network that you don't own or have permission to attack again I've given myself permission to attack my own Wi-Fi networks so that I can demonstrate how hashcat works now if you want to follow along you need a Wi-Fi network that you can test against you also need a laptop or another device with a GPU so that you can leverage the power of a GPU now you don't have to use a GPU you can use a CPU but CPUs are very very slow compared to GPUs so it's much better to use a GPU even if you've got an older GPU just means it's going to take longer to crack the hashes but the principles are the same if you don't have a GPU just use a CPU it's going to take much much longer but you can learn how to use hashcat with just a CPU as an example what you'll also need is Kali Linux or another version of Linux running within a virtual machine or on a dedicated computer in my example I'm using Kali within VMware Workstation Pro VMware Workstation Pro is free now so you can download it for free and then download Kali from the Kali website I've covered how to set up Kali in other videos so I'll link them as part of this course I'm not going to cover that here so we're assuming that you've got Kali within a virtual machine you also need a Wi-Fi adapter that supports monitoring and injection mode now in my example I'm using an Alfa network adapter I purchased this myself Alfa not sponsoring me to say this but Alfa adapters are fantastic they have given me adapters like this in the past but in this example I'm simply going to use this Wi-Fi adapter it's one that I've purchased one of the disadvantages of this adapter that only supports 2.4 GHz you need to buy another adapter if you want to hack 5 GHz or 6 GHz you need to buy an adapter like 
this but in my example I'm going to simply attack a 2.4 GHz network using this adapter so what I'll do is plug it into my laptop and when I do that VMware asks me do I want to connect this to the host or to the virtual machine I'm going to connect it to my Kali virtual machine so that adapter will now be available within Kali Linux so as an example I can type iwconfig and as you can see that wlan0 is available I could also use the command iw dev newer command and you can see that wlan0 is now available at the moment the mode is managed that is the default we need to change the mode to monitor mode to be able to attack a Wi-Fi network I'm going to show you all those steps in this video I'm now going to show you how to download and install hashcat on this laptop as well as the NVIDIA drivers as well as the CUDA toolkit which you need if you want to run hashcat on a device like this and leverage the GPUs or on another device this will often depend on the device that you buy again this computer hasn't got an NVIDIA GPU it's got an AMD GPU so different software would be required but in this example I'm going to show you how to download and install the relevant software for an NVIDIA GPU my team and I have created a PDF which you can download as part of this course information in that PDF includes requirements in our example we're using a Windows 11 computer so PC or laptop you need to run a Kali Linux VM so that you can attack a Wi-Fi network so in this example I have got Kali running within VMware Workstation Pro on this laptop I'll show you in this video how to use the relevant Kali commands to attack a Wi-Fi network now you don't have to use a Kali Linux VM you could have a physical computer that's running Kali natively as an example or another device where you've used to capture the Wi-Fi information so that you can crack the password you need a Wi-Fi network interface card that supports monitor and injection mode and in this example I'm going to use an external 
adapter and then you need a GPU so could be with OpenCL or CUDA support okay so enough talking let's download hashcat and get started so in the PDF we give you the link to hashcat or you can just search for that so go to hashcat.net/hashcat at the top of the page we can see the latest release of hashcat at the time of this recording version 6.2.6 so I'm going to download that and save that to my downloads
directory if you want to get older versions of hashcat scroll down and what you'll find as an example is older releases of hashcat again if you want to use the older method in hashcat you need to download an older version of hashcat to be able to crack older four-way handshakes okay so that software is downloaded so what I'll do here is extract the zip file and just extract it to the default directory and there you go hashcat has now been extracted so what I'll do now is open up a CMD prompt in that directory so what I'm going to do is type the command hashcat -I that will give us information about hashcat notice we're told that it failed to initialize the NVIDIA RTC library the CUDA SDK toolkit is not installed or incorrectly installed you need this for proper device support and utilization so it's falling back to OpenCL so what I'll do is cancel that by pressing Ctrl+C and scrolling up we can see that we have an NVIDIA GeForce RTX 4090 in this laptop as well as Intel Arc Graphics so we need the right software to be able to properly use hashcat really easy way once again to check what's going on is hashcat -I and that tells us if we've got any problems again in the PDF that we supplied we show you how to download hashcat you can use 7-Zip if you want to I didn't do that here but basically we are going to download the software and then run it you could use hashcat --help to see information about hashcat I like -I because it shows us the GPUs in the computer with help you sometimes have to wait a while so on the desktop if I type hashcat -I here you can see here it says unsupported AMD runtime version falling back to OpenCL and what this computer has got is an AMD Radeon RX 6900 XT GPU so different GPU in that device once again versus the laptop I'm now going to show you how to download and install the NVIDIA graphics driver as well as the CUDA toolkit if you haven't got an NVIDIA GPU as an example or you aren't interested in this section jump to this timestamp where 
I'll show you how to start using hashcat so what we need to do is download the NVIDIA graphics driver again in the PDF we've got all the links that you can use to download the software so on the NVIDIA website I'm going to download the NVIDIA app and save that to my downloads directory now while I'm waiting for the driver to download I'm going to download the CUDA toolkit from the NVIDIA website so developer.nvidia.com download the toolkit you've got to specify your operating system so in my example it's Windows x64 architecture I'm using Windows 11 I'm going to download a local exe file and this is about 3 gig in size so I'm going to click download to download that software so the CUDA toolkit is downloading in the meantime I'll install the NVIDIA driver so double click on the executable click yes to allow it to make changes now in my example software is already installed so I'm going to click upgrade to upgrade it I'm going to agree to the license and continue software is now being installed now again in the PDF we give you all the instructions to download the software so have a look at the PDF if you're not sure the driver that we're going to use is the game ready driver so I'm going to select that and click next we're going to optimize games and creative applications and click next we're going to enable the NVIDIA overlay and click next I'm not going to worry about redeeming rewards so I'm going to skip to the app and I'm going to go to drivers and click download to download the driver so this is about 568 meg in size it's now preparing packages so now I can click install to install the driver I'm going to say yes to allow the app to make changes we're going to select a custom installation of the driver we're going to select clean install at the bottom here and then click continue it's now preparing to install the graphics driver okay so laptop is now rebooting okay so my Windows updates have now decided to make a change to the laptop okay laptop is now 
rebooted so I'll log in okay so it was uninstalling the previous driver so I'm going to click install to install the latest driver click yes to allow the app to make changes go to custom installation we're going to do a clean install click continue it now says preparing to install the graphics driver and there you go installing graphics driver and there you go installation has finished so I can click close I don't need to reinstall the driver so what I can do now is close this and in my case unfortunately the download of the CUDA toolkit got broken because the computer rebooted but fortunately in preparation for this video I previously downloaded the software so this is the CUDA driver so I'll double click on that it's about 3.1 gig in size I'll click yes to allow the app to make changes to the device I'm going to use the temp directory to extract files and click okay files are now being extracted it's now checking system compatibility I obviously want to install the software so I'm going to click continue you need to agree to the license agreements so make sure that you read through that and then click agree and continue I'm going to go for an express installation and click next now it picks up that there's no supported version of Visual Studio installed I'm okay with that so I'm going to click understand and then click next to continue with the installation software is now being installed we now need to click next and as you can see the NVIDIA installer has finished so I can click close so notice the difference now if I go to my hashcat directory open up CMD here and type hashcat -I so uppercase I we are not getting the errors that we got previously now it took it a while to display but there's the command we can see CUDA information CUDA version 12.7 we can see once again that we've got an NVIDIA GeForce RTX 4090 GPU in this laptop that's device number one that becomes important because when we run hashcat we may have multiple GPUs in the computer and obviously 
the CPU we need to tell hashcat which device to use we've got OpenCL platform 1 we can see OpenCL CUDA 12.7.33 notice NVIDIA GeForce 4090 and scrolling down we've got OpenCL platform ID number two device back end is three and here we've got our Arc graphics so I'll clear the screen here and run hashcat again but with --help that gives you help information about hashcat we found that when we ran the man pages for hashcat some of the output was incorrect but help was correct now a lot of output is displayed here here's the command again we can see a whole bunch of options -m is hash-type as an example -v is the version I will cover a bunch of options in this course but please note it's important that you look at the documentation if you're not sure we can see options here as an example are we using CPU are we using GPU for a specific device type etc but that's enough talking I think so now I'm going to show you how to use hcxtools and other tools within Kali Linux to capture the hash so that it can be cracked again my team and I have created a PDF which you can download which shows you all of these commands in a lot of detail I'm going to demonstrate them now but hopefully between the video and the PDF you will be able to do this yourself and follow along okay so I've connected my Wi-Fi adapter to the computer I'll just show you that process again so I've got my network adapter over here all I'm going to do is plug it into the computer so I'll plug it in and VMware asks me do I want to connect it to the host or the virtual machine in my case I'm going to connect it to the virtual machine which means that if I type iw dev in Kali it's shown as being available it's in managed mode or to use the old command iwconfig shows me that wlan0 is available it's in managed mode the next command we need to use is sudo systemctl stop NetworkManager.service this basically stops the network
manager service so in Kali sudo systemctl stop NetworkManager.service I'll put in my sudo password and that's now being stopped we want to do the same thing with the WPA supplicant service so we want to stop both those services so here we go sudo systemctl stop wpa_supplicant.service so both those services have now been stopped we then want to use airmon-ng now again iw dev shows us that wlan0 is currently of type managed we want to change it to monitor mode so we're going to use the command sudo airmon-ng start wlan0 so I'll press enter there and what you'll notice now is it's in monitor mode so if I use the command iw dev notice the interface name has changed to wlan0mon type is monitor scrolling up it was previously wlan0 type managed so it's now in monitor mode I'll just clear the screen here and use the old command iwconfig notice interface name has changed and the mode is monitor iw dev does the same thing we need to have the interface in monitor mode to be able to monitor traffic and capture traffic on the Wi-Fi network now we need to determine the MAC address of the Wi-Fi access point that we're going to attack we could attack all Wi-Fi networks but we don't want to do that we only want to attack a specific Wi-Fi network so the first thing we need to do is get the MAC address and information like the channel so that when we run the hcxdumptool we are limiting the attack to a specific MAC address so we're going to use tcpdump and a Berkeley packet filter or BPF file to limit the network that we attack a lot of demonstrations out there don't show you this or show it to you incorrectly so I'm going to show you this fully so the first thing we want to do is determine the MAC address and other information about the access point that we're going to attack so I'll clear the screen so the command we're going to use is sudo airodump-ng wlan0mon or whatever your interface number is so that will depend on what your interface is and then you need to 
determine the network that you're going to attack so I'll stop this now because it's already discovered the network this is the network that we want to attack I'm going to attack this TP-Link network that's my own little network this is the MAC address of the access point that we want to attack and notice the channel we need that information so make a note of this because we're going to need the MAC address as well as the channel when we use the next command so again make sure that you get the MAC address of the access point and the channel that you're going to attack because now we're going to use tcpdump to create a BPF filter we want to filter which network we attack so we're going to create the filter and use that with hcxdumptool we need this BPF file so that we limit which network we attack basically okay so the command is sudo tcpdump copy the rest of the information here but substitute this with the MAC address of your access point so we're basically going to specify that all traffic sent from this access point or any broadcast traffic to or from that access point is going to be captured we need both the access point's MAC address as well as the broadcast address because we want to capture all the traffic traffic to the access point or from the access point we want all traffic either to the broadcast address or the specific access point's MAC address the -ddd option here outputs the filter in a format suitable for hcxdumptool so make sure that you type this command exactly as it is obviously you could change the file name and you need to change the MAC address of your access point so what I've done here is type sudo tcpdump -s 65535 so all port numbers we are going to capture traffic for a 802.11 radio so Wi-Fi network the Wi-Fi address is this MAC address which is the MAC address of my access point or MAC address being broadcasts -ddd and then we're going to save that information in a file called attack.bpf so if I type ls now notice we've got that file 
there if I cat that file we'll see some information like the following in the file the moral of the story is we need that file with the hcxdumptool to limit the network that we attack so we're going to use this command sudo hcxdumptool we are using the wlan0mon interface the channel is channel 5 in this example but in my example if I run airodump-ng again is channel 8 that's the information you should have copied so channel 8 for our specific Wi-Fi network we're going to use a because this is a 2.4 GHz network so we're going
to specify specifically 2.4 GHz so make sure that you type a there if it's 2.4 GHz the filter that we're using is attack.bpf which is the file that we previously created could be any name so just use the --bpf and the file that you've created and we're going to write this or save this information into this pcapng file called new capture 2 this could be any name that you like okay so sudo hcxdumptool -i is wlan0mon channel in my example is 8 it's 2.4 GHz I'm going to specify a here the BPF filter that we're going to use is attack.bpf we're going to write or save that information to new_capture2.pcapng so I'll press enter there again this could be any name you wanted and notice the tool is now running it's picked up the specific network notice at the top here this is really important we've got R13PS the access point that we're attacking is this TP-Link A1D1 network so in our PDF we give you the information of what that means we basically want to crack our specific network so in this example it's TP-Link C0B4 we need to have either a plus under P so here there's no plus under P to show that we've captured the PMKID information or a plus under three so the number three to show that we've captured the EAPOL handshake once you've done that you can press Ctrl+C to stop the attack take note once again of the MAC remember the MAC access point so the MAC address of the access point scan frequency shows that we're on 2.4 GHz
here you should leave this for a while to capture information so you can just leave this for a while now the advantage of this attack is that you don't need a client to connect to the network but I'll just demonstrate what happens if I do connect to it at the moment there's nothing under three but if I connect to that Wi-Fi network from my phone so I'll connect to that now what you'll notice is suddenly plus appears under three EAPOL messages have been captured so the EAPOL handshake was captured I already had the PMKID information under P but in this example I captured it all so I'll press Ctrl+C now to finish that so type ls notice we've got this new_capture2.pcapng file so we've basically captured the information and now all we have to do is crack the hash but just for some housekeeping we'll start the network manager service and the WPA supplicant service once again so I'll paste both those commands in so once again I've started both those services now the important part we need to convert that pcapng file into the correct format that hashcat expects which is hc22000 the 2200 method which I demonstrated only works in older versions of hashcat so when I did my initial demonstration notice I was using the type 22000 for this specific hash on this laptop but on that computer notice 2500 but I'm using an older version of hashcat 6.2.3 later versions of hashcat don't support this so if you try a hccapx file and it doesn't work because you try to use 2500 on a later release of hashcat then just go back to using say 6.2.3 of hashcat so get an older version of hashcat and then you'll be able to crack that so as an example here it was already cracked so I'll use the show command to show the password for that Wi-Fi network so the command again is sudo hcxpcapngtool to convert this pcapng file to the specific hash that hashcat is expecting so I'll press enter there put in my password and notice it's processed the pcapng file so if I type ls now I've got this hash 
hc22000 file so what I'll do is browse to that file so open folder here's the file so I'll copy that and now I'm going to go into Windows so rather than using Kali within a virtual machine now I'm going to go to my desktop hashcat 6.2.6 and I'm going to paste that file I'm going to overwrite the previous file that I had in hashcat so I'm going to replace that now it actually already cracked this file so there's a potfile here so what I'm going to do is delete that file and force hashcat to recrack this hash if I don't do that it'll just tell us that it's already cracked so what I'll do is clear the screen and the command I'm going to use once again is hashcat -a this tells us that we're using a brute force attack the device that we're using is device one which is my GPU the type that we're going to use is cracking Wi-Fi networks this is the hash that we're going to crack and here we're saying that we are using 10 digits to crack the password so this would imply that we know what the length of the password is I will show you in other videos how to do a range of digits as an example now before I run that in the PDF we've got information showing you the relevant commands that get used so once again -a 3 means brute force attack so this is the attack mode -m 0 specifies in this example that it's MD5 but that's not what I'm doing here I am doing a Wi-Fi crack so I'm going to crack a Wi-Fi network on the hashcat website they've got this really good document cracking WPA WPA2 with hashcat and they tell us that 22000 is WPA PMKID plus EAPOL and they tell us that 22000 is a hash line that combines PMKIDs and EAPOL message pairs in a single file having all the different handshake types in a single file is more efficient and saves GPU cycles compared to the older method 2500 so they give you a whole bunch of reasons of why you want to do it this way and then they also give you commands similar to what I've shown you of how to stop the services and do various other things but 
in our example we are limiting the attack to a specific Wi-Fi network so we're using BPF filters and I'm showing you this in a lot more detail and hopefully makes it much easier to understand so which hash mode are you using what's the name of the file that you're attacking so here has example zero hash and then the mask of what you're using to crack the password in this example we're using a six character password attempt where ?a includes uppercase letters lowercase letters digits and special characters you can find the full list of character sets on the hashcat website ?l a lowercase alphabet ?u uppercase alphabet ?d digits so 0 to 9 and that's the example we're using in this video ?h is 0 to 9 as well as abcdef and then we have uppercase ?s or special characters as listed here and then we've got a which is ?a lowercase alphabet ?u uppercase alphabet ?d digits ?s special characters so if you want to cover all the characters then just use a and then b we've got 0x00 to 0xFF so in our example once again hashcat -a 3 means brute force hash mode here is Wi-Fi cracking so WPAv2 hashes this is the name of the file with the hashes and this is the mask in this case it's eight digits but in my example I'm using 10 digits and then what's not shown here is device which device are we using in my example I'm using device one which is the NVIDIA GPU in this laptop so in my example we're using hashcat attack mode is brute force device is one I'll show you that again in a moment we're using 22000 which is the new way of cracking WPA WPAv2 rather than 2500 this is the name of the file that we're going to crack and in this example we've got 1 2 3 4 5 6 7 8 9 10 digits so I'll press enter hashcat is starting up in this example we're using the NVIDIA GPU s shows us the status but it's actually already cracked it went so fast and there you go it cracked the password already took all of 4 seconds to crack it it's doing 938 kH/s password is shown here didn't 
take very long so again there is the command the device is one because if I use the command hashcat -I and notice it takes a while for the back end to start up can take it a while if I scroll up here we can see that platform ID 1 GPU is the NVIDIA 4090 GPU and scrolling up when I run that command that's the device that was used rather than device two or device three notice these two were skipped this is the one that was used and again took it 4 seconds to crack the password don't use bad passwords like this on your Wi-Fi networks make sure that you use good passwords now again this video is part of my course teaching you hashcat in this video I showed you how to brute force a Wi-Fi password using hashcat I showed you how to install NVIDIA software as an example so that you could leverage the GPU in your laptop or your computer I've shown you how you can attack a Wi-Fi password using the new recommended method from the creators of hashcat so 22000 where we are combining PMKIDs and EAPOL message pairs into a single file to make this more efficient and make it quicker to crack passwords the old method can still be used so 2500 can still be used but you need an older release of hashcat like in this example I'm using 6.2.3 so if I type that command again notice it tells me that I need to use the show command to display the password because it's already been cracked this 10 digit hccapx file was already cracked so notice the difference hccapx mode is 2500 in the new version we've got an hc22000 file and the mode is 22000 so different command in hashcat 2500 is not supported in newer releases of hashcat here's the password that was cracked now in hashcat if a potfile exists it means it's already been cracked so if I delete that potfile and then run it again now it's not going to work because the file is gone so I've got to actually recrack the password so again this is a 10 digit Wi-Fi password I'm using the older method to crack the password according to this it 
will take 2 hours and 26 minutes but let's see how long it actually takes so I'll press s to get a status update 14 seconds at the moment we can see the candidates that it's using status again and actually it was too quick now it's already cracked it so there's the password once again it took it 19 seconds this time to crack that password using 10 digits 1095 kH/s so in the worst case scenario scrolling up here it would have taken 2 hours and 31 minutes to crack that 10-digit password but it took it 19 seconds in this example on the laptop using the new method in the worst case scenario 10 digit password doesn't even show I think it was 2 hours when I last did it but it was too quick it cracked it in 4 seconds so what I'll do here on the Windows laptop is once again delete the potfile and I'll have to be really quick here and I'll try and crack it again so it's starting up now press s to get a status update it says it would take almost 3 hours to crack but it didn't take that long again it took 4 seconds to crack the password so you can get lucky like I was here I was able to crack the password a lot quicker than initially thought because this is a really bad password number one don't use just digits don't use your telephone number as a password don't use eight characters use much longer characters okay so this is just part of my hashcat course where I show you how to crack hashes using hashcat in this video we covered some Wi-Fi cracking in other videos I'll show you how to crack variable length hashes as well as using other types of hashes like how to crack a zip file etc again only use this for ethical purposes only crack networks and hashes that you're allowed to crack I'm David Bombal and I want to wish you all the very best
2024-12-22 06:37
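
Added example, not part of the video or its PDF: the worst-case times quoted in the transcript are mask keyspace divided by hash rate, and this sketch computes that for any mask built from the built-in charsets the transcript lists, so a passphrase policy can be sized against a known cracking speed. The two rates are the status readouts quoted in the transcript (938 kH/s and 1095 kH/s); the function names and the policy labels are illustrative assumptions.

```python
"""Worst-case exhaustive-search time for a hashcat-style mask (added example)."""

# Sizes of the built-in charsets named in the transcript.
CHARSET_SIZES = {
    "l": 26,   # ?l  a-z
    "u": 26,   # ?u  A-Z
    "d": 10,   # ?d  0-9
    "h": 16,   # ?h  0-9a-f
    "H": 16,   # ?H  0-9A-F
    "s": 33,   # ?s  printable ASCII specials, including space
    "a": 95,   # ?a  = ?l + ?u + ?d + ?s
    "b": 256,  # ?b  0x00-0xff
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def mask_keyspace(mask: str) -> int:
    """Return the number of candidates a mask describes.

    Literal characters and the escaped '??' contribute a factor of 1.
    Custom charsets (?1..?4) are rejected: their size is not known here.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # literal character
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        key = mask[i + 1]
        if key == "?":
            pass                        # '??' is a literal question mark
        elif key in CHARSET_SIZES:
            total *= CHARSET_SIZES[key]
        else:
            raise ValueError(f"unsupported charset '?{key}'")
        i += 2
    return total


def worst_case_seconds(mask: str, hashes_per_second: float) -> float:
    """Time to try every candidate at a constant guess rate."""
    return mask_keyspace(mask) / hashes_per_second


def format_duration(seconds: float) -> str:
    """Render seconds as 'Hh MMm SSs', or in years once past one year."""
    if seconds >= SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.2e} years"
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours}h {minutes:02d}m {secs:02d}s"


# Guess rates quoted in the transcript's status readouts (hashes per second).
RATES = {"laptop": 938_000, "desktop": 1_095_000}

# Policies mentioned in the transcript, written as masks.
POLICIES = {
    "8 digits (router default)": "?d" * 8,
    "10 digits (phone number)": "?d" * 10,
    "20 mixed characters": "?a" * 20,
}


def policy_report() -> dict:
    """Map (policy, machine) to a formatted worst-case duration."""
    return {
        (name, machine): format_duration(worst_case_seconds(mask, rate))
        for name, mask in POLICIES.items()
        for machine, rate in RATES.items()
    }


if __name__ == "__main__":
    for (name, machine), duration in policy_report().items():
        print(f"{name:28s} {machine:8s} {duration}")
```

The worst case is an upper bound for a single GPU at that rate; the average is half of it, and as the transcript shows, a weak password can fall in seconds.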