Cracking WPA2 with Hashcat

So for all those who got to see the show at Defcon's wireless village, that talk focused more on the drinking of the Rolling Rock than the cracking of the hashes. 

I said in my ramblings that it was really really really easy. 


Here is a how to...  with some example files for you to follow along with.


First you want to capture some traffic.  I leave the logistics of how up to you. 

For this demo, we will be using a file which I grabbed online from the wireshark wiki.


Now that you have some traffic in the form of a PCAP, fire up wireshark. 

First thing I do is enter "eapol" in the display filter bar.  This confirms we actually have a four-way handshake in the capture.  You can skip this step if you really really want to, but remember the whole trust but verify thing.

Since WPA/WPA2 uses the SSID as the salt when deriving the key, it helps to know what that is.  Using the Find menu in Wireshark, search for the string SSID.



So the SSID is named "Coherer" which is good because at least it isn't Linksys.
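Why the SSID matters, as an added example that is not part of the original post: the WPA/WPA2 Pairwise Master Key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 rounds, 32 bytes), so the same passphrase gives a different PMK on "Coherer" than on a default name like "linksys", and a table precomputed for the default SSID is useless here. The passphrase below is a made-up placeholder; the "password"/"IEEE" pair is the published 802.11i test vector.

```python
import hashlib

# Added example, not the original post's code. WPA/WPA2 derives the 256-bit PMK as
#   PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dklen=32)
# The SSID is the only salt, so a unique network name defeats precomputed tables,
# but 4096 SHA1 rounds per guess is cheap on a GPU: passphrase length is what counts.


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key from an ASCII passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_hex(passphrase: str, ssid: str) -> str:
    return wpa_pmk(passphrase, ssid).hex()


def pmk_differs_per_ssid(passphrase: str, ssids) -> bool:
    """True when one passphrase yields a distinct PMK on every SSID given."""
    return len({pmk_hex(passphrase, s) for s in ssids}) == len(list(ssids))


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE"
    print("IEEE test vector:", pmk_hex("password", "IEEE"))
    # Constructed placeholder passphrase (not the demo capture's), on the post's
    # SSID and on a common factory default.
    for ssid in ("Coherer", "linksys"):
        print(ssid, pmk_hex("not-the-real-passphrase", ssid))
```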

Now here is the hardest part.  You need to convert your pcap file to a hccap file.  Hashcat has a cloud version of the tool which works awesome.  You can run some command line tools as well but the point of the talk was to not use aircrack.


In real life we all use aircrack, so here are 2 different commands.

I have used this...

aircrack-ng <cap> -J <hccap>

This could work as well...

wpaclean <out> <in>

wpaclean can damage your file, so back up the original first if you want to give it a try.


Now you have your hccap file. 

Download the latest version of oclHashcat from here.

Run this below:

cudaHashcat-plus64.exe --hash-type 2500 wpa.hccap dict.txt

For the demo I used a dictionary with 1 word for demo speed but that word is in the rockyou list (entry 922007).

I use cudaHashcat-plus64.exe because I have a nVidia card as well as a 64 bit system.  The base application may change but the flags are the same and the passwords are still weak.


Happy cracking!





Watch the Olympics without the stink of NBC

The BBC coverage of the Olympics is awesome.  However the BBC live streams are not available inside the United States.  How does that tea taste?

Thanks to the magic of tunnelling, we can request the video stream from a server inside the UK.

Step 1: Find a weak server or page with a SQLi....  ok well don't do that.  After all during the Olympics, we should all focus on peace, so go to a site like Linode and get a box.  Make sure when you set it up, you choose London.

Step 2: Type: ssh -D 8080 root@<your server/ip>

Step 3: Set up the proxy on your browser.

It is under settings/networking/advanced on the Mac

or just use foxyproxy on Firefox if you are a PC.

Step 4: Watch the Olympics via BBC at

Step 5: Make sure to spoil the results for everyone because you are the gold and the best they can be is silver!



Lessons in LinkedIn Password Cracking

So this past week the password cracking community had some excitement.  Several dumps of hashes were leaked.  One of those was LinkedIn.  This caught my eye since most professionals use this social media service.  I have been a fan of passwords ever since I met Matt Weir when he presented about the science of password cracking.  One of his talking points was that people can pick anything as passwords but generally follow a pattern.  How many of us have a capital first letter and end with the number 1?  Password1 is technically a strong password in the eyes of Active Directory.

A few months ago, digininja created a tool, Pipal, which analyzes password lists.  This gave the community a common metric and analysis tool to run against the various password dumps.  Using the data from previous dumps, I was able to fine tune my hashcat rules to crack over half the LinkedIn hashes.

Lessons Learned

  1. Start with a good dictionary.  KoreLogic has a group of amazing word lists here.  In addition, SkullSecurity has a list of previously cracked passwords and various wordlists which I also added to my master_wordlist.dic.  To build my master_wordlist.dic I would "cat infile >> master_wordlist.dic".  Make sure to use the double >> or else you overwrite the words already in the master_wordlist.dic.
  2. After adding everything to your list, you need to sort it and remove the duplicates.  In Windows it is a pain since your list is too big for Excel and Access just plain stinks to use.  Score 1 for Bash! The command "sort master_wordlist.dic | uniq > master_sorted_wordlist.dic" worked perfectly.
  3. Fire up hashcat and crack!  Don't forget to use some rules and masks!  You don't need a GPU but it helps.  One thing I learned was that my Dell laptop has an nVidia card, so check your gear.
  4. Now that I have a cracked list in the hash:plaintext format, we need to remove the hash part.  Score 2 for Bash! The command "grep -o '[^:]*$' infile > outfile" strips the hashes, leaving you a file with only plaintext passwords.
  5. At this point you can perform a Pipal analysis, or you can run your list through hashcat again using the cracked passwords as your new dictionary and apply the rules and masks.


You can find the Pipal Analysis of the LinkedIn dump here.  Happy Cracking!
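A small Pipal-style pattern check, added here as an example and not part of the original post or of Pipal itself: it runs over the plaintext-only file that step 4 leaves you with and measures the habits described above (capital first letter, trailing "1", hashcat-style masks) against an Active Directory style 3-of-4 complexity rule, which is the policy audit a defender wants. The password list is constructed for the example.

```python
import re
from collections import Counter

# Added example, not the post's or Pipal's code. Constructed sample standing in for
# the plaintext-only output of: grep -o '[^:]*$' infile > outfile
SAMPLE = """Password1
linkedin
Summer2012
Welcome1
qwerty123
Jessica1
Monkey99
iloveyou
Letmein1
P@ssw0rd
"""

CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def ad_complex(pw: str) -> bool:
    """Length >= 8 and 3 of 4 character classes: roughly what AD complexity enforces."""
    return len(pw) >= 8 and sum(re.search(p, pw) is not None for p in CLASSES) >= 3


def mask(pw: str) -> str:
    """Hashcat-style mask: ?u upper, ?l lower, ?d digit, ?s everything else."""
    return "".join("?u" if c.isupper() else "?l" if c.islower() else "?d" if c.isdigit() else "?s"
                   for c in pw)


def analyze(text: str) -> dict:
    """Count the patterns the post talks about and how many still pass AD policy."""
    pws = [p for p in text.splitlines() if p]
    return {
        "total": len(pws),
        "capital_first": sum(p[0].isupper() for p in pws),
        "ends_with_1": sum(p.endswith("1") for p in pws),
        "capital_first_and_ends_with_1": sum(p[0].isupper() and p.endswith("1") for p in pws),
        "ad_complex": sum(ad_complex(p) for p in pws),
        "top_masks": Counter(mask(p) for p in pws).most_common(3),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The mask counts double as the masks worth feeding back into hashcat in step 5, which is exactly why "complex" passwords like Password1 fall so fast.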



Opening a Beer aka How I became an Apple fan!

When someone told me you could do this I rushed home to try it.  I could not believe how awesomely it worked.

Step 1: Get yourself a beer.  You deserve it.

Step 2: Get your Macbook charger or take the charger from the hipster next to you.

Step 3: Grip it and Rip it!

I expect CNet to include this as an item in the pro column from now on!



Free digital magazines from your Dr.

Going to the Doctor usually involves this process.  You get bothered by the robocaller for 3 days prior to your appointment.  You arrive on time and the doctor is always running late and you have to wait in the germ infested waiting room. 

On the last trip to the doctor, I got stuck in the waiting room and saw the magazine basket.  The magazine basket is a treasure trove of information.  This one had all the labels still on the magazines.  Being a (it kills me to type this but I have iphone, ipad and now an Air) Apple hipster, I love to read magazines on my iPad.  Apple recently released the magazine store which I didn't use.  I prefer Zinio.  Great App and you can get free magazines galore (Maxim subscription until 2089!)  That is a different story however.


Apple has their magazine store in which they charge cover price for digital copies of the magazine.  The publishers have helped out those who still receive the magazine on paper by allowing them "Free Access to the Digital Version!"

WARNING: This is for informational purposes only.  Check your local laws, YMMV, and hack the planet!

Step 1:  Pick up a germ infested copy of the magazine from the cesspool of the magazine basket.


Step 2:  Download the magazine app from the magazine app store (or the regular app store since they are the same thing).  Typing this out makes the process that Apple is doing seem even more stupid.  App inside an App!

You can either pay (don't pay) for the magazine or you can login using your account number.  Look at that postage label with all the information required.  The periodical version of the yellow sticky note with a password on it!

Yes I am showing this hack on the Disney FamilyFun Magazine.

Step 3: Go into the magazine and you will see the options for subscription or the Sign In button.  Go ahead and push that Sign In button.  Do it slowly, do it doucement!

Step 4:  So you pushed that Sign In button and are greeted with the ability to sign in with your user name and password or Login Using Your (possession is 9/10 the law) Account Number from the germ basket.  Highlighted for you are the magic numbers you enter, and I thank the publisher for their guidance.

Step 5:  Enjoy your new periodical.  I for one am super stoked about Chalk Games and ways to Build a Better Munchie.

Sometimes you find that some digital gangster soccer mom has already registered this magazine.  If only there was a way... wait... does it really just ask for the updated Email address for a password reset?  Well time to go to 10 Minute Mail for a throw away temporary spam avoidance email address. 

Just saying!