- In this video, I'm gonna show you how to crack wifi
passwords using the cloud. I'm gonna show you all
the steps in this video, I'm gonna show you how to
set up the Linode server from scratch to getting it working. I'm gonna show you how to
install the relevant drivers, so that you can use the
GPUs on the Linode server. I'm gonna show you the Hashcat commands to crack the passwords. The only piece that I'm not
showing you is how to capture the information from a wifi network. I've shown you how to do
that in separate videos. See the video which I've linked below, where I'll show you how
to capture the information using a wifi adapter. My favorite is an Alfa Network adapter, but there's various ways to do this to capture the information
from the wifi network so that you can crack the passwords. In this video, I'm simply showing you how to take the captured information and then crack the WPA/WPA2 passwords using GPUs in the cloud. In all the examples here, I'm
using brute force attacks. I'm not using a dictionary, I'm not using a list of passwords, but I could, 'cause
that actually allows me to speed things up, and people use bad passwords. (upbeat rock music) May this be a warning
for you and your family not to use weak passwords. TP-Link routers such as this, have a default password
length of eight digits. If you use that default, look how long it's gonna take
me to crack that password. In this example, I am gonna crack an
eight-digit WPA2 password. I'm using GPUs in the cloud to do this. How long will it take me
to crack that password? Okay, one second, 27
seconds is the estimate. 11 seconds. Okay, that took 14 seconds to crack. It took me 14 seconds to
crack an eight-digit password. Do not use the default
passwords on wifi devices. You may say, "David, that's really dumb. I'm not going to use such dumb passwords," but you'll be surprised what people use. Here's a real-world example. Researchers in Tel Aviv went
out and captured passwords of different wifi networks. The researchers strapped an Alfa Network adapter to his back, captured a whole bunch
of wifi information. They were able to crack
70% of wifi networks. Because, in this example, a lot of wifi networks were
using telephone numbers as their wifi password. Or they were using
easy-to-guess passwords, or passwords from well-known
database breaches, such as the RockYou database. Here I'm gonna do something similar. I'm gonna crack a 10-digit password, but I'm gonna make some assumptions like the Israeli researcher
that the password probably begins with zero two, which is the dialing code in London. I'm gonna start Hashcat now. Let's see how long it takes
me to crack that password. According to this, maybe 26 seconds. Okay, so how long did that actually take? 11 seconds to crack. 11 seconds to crack a 10-digit password with the assumption that
it starts with zero two. If I didn't use that assumption, let's assume the assumption
is that it starts with zero, not zero two. How long would that take? So only assumption at the moment is that someone's using a telephone number, it starts with zero as
the telephone number. So they could be using their
cell phone or mobile phone, or a landline number as the password. According to this, it'll take four minutes and 29 seconds to crack that password. Hopefully this tells you why you should be using good passwords, not just numeric passwords. I'm gonna show you an example in a moment with alpha numeric, can also be cracked if
it's a poor password. Here I'm cracking a 10-digit
password in a few minutes, either in a few seconds if my assumptions about your password are correct. For example, that you're using zero two. Or, like in this example, it
took one minute 54 seconds to crack a password where I assumed that the password was
starting with a zero. Or, like in this example,
started with zero two. But in this test, I assumed
that it started with zero followed by nine digits. Now, at the end of this video, I'm gonna show you how to do a range, because that's probably the
most common question I get. How do I do a starting range? So from this range to this
range of different characters. So I'll show you that
as an example as well. But before we get there, let's crack a 10-character
password with digits and letters. Now, you may not know
what a password contains, but in this example,
just to speed things up, I'm using digits, lowercase,
and uppercase characters. Not special characters, but
I could add that to the list. I'll go through these
commands in a moment. This is telling me that
it's a brute force attack. Okay. According to this, it's gonna take 7,000 years
to crack this password, but actually it took nine seconds. Nine seconds to crack
a 10-character password with digits and letters, I got lucky here. So if I type show, so same
command again, dash show, that shows me the password. I cracked this password in nine seconds rather than the estimated
7,000 years, I got lucky. Use good passwords, because if you use bad
passwords like that, I could crack your
password in a few seconds. In this example, with
the Israeli researcher, they were able to crack 70% of passwords because people were using weak passwords or passwords in data breaches. They used the RockYou
database to crack passwords. Don't use weak passwords from password breaches as an example. Simple passwords such as, "I love you," or one, two, all the way up to seven. Weak passwords like that
were very easy to crack. Don't just use telephone numbers. 10 digits, very, very easy to crack. Okay, so now I'm gonna show
you how to set this up. You can use the link below to get a hundred dollar 60-day credit, so that you can try this yourself. I want to thank Linode once again for sponsoring this video. I've also put the commands below if you wanna simply see the commands and then use them yourself. First thing you need to do is
register an account on Linode, and then you'll be able to
create a new Linode server. I'm going to use Ubuntu 22.04 LTS. Now, not all regions
support the use of GPUs. As an example, if I select
London and specify GPU, only these places support GPUs. So I could change that as
an example to Frankfurt, but I could also use
one of the other regions as specified over here. Okay, so once I've done that,
I need to choose the size. The 128 gig RTX6000 GPU times
four costs $4,000 a month. I'm not gonna run this the whole time, and you're probably not
going to do that either. You need to look at the price per hour. For some of these attacks,
it only takes a short time. Some attacks will take a lot longer. So you need to decide which
GPU you're going to choose. I'll choose the big one,
it's not always available, but let's see if it's available. In this example, I'll say
wifiGPU1 as my Linode label. You need to specify a password, and then you can say, create Linode. In this example, there's no
availability in this region. So what I might have to do
is choose a different region. I'll try Singapore, a 128 four
GPU, see if that's available. So the other side of the world, but for the files that we're uploading, doesn't matter in my example. In this case, you can see
the Linode is starting. So that's good news. So if I open up a new tab
and look at my Linode, you can see this wifiGPU1, which is dedicated 128 gig
RTX6000 GPU times four, is being provisioned in Singapore. And that's what's great about the cloud. I'm setting up a server, literally on the other side
of the world from where I am, and very, very quickly
that becomes available, and I'll be able to access that server. As soon as the server's available, we are gonna SSH to the server. So what I'll do is open a
terminal on my computer, and I'll paste that SSH command in. Can see the server is now booting up. Okay, there you go. The server has now booted, it's running. I'll press Enter to SSH to the server. We have to accept the public key. Put my password in, and there you go. I'm now running a Linode
server in Singapore with four GPUs. Now, Hashcat isn't recognized. So what I need to do is
install the software. I'm gonna use the command sudo apt update to update my references. Okay, so references are updated. Now what I'm gonna do is
type sudo apt install hashcat to install Hashcat on the server. So literally update references
on Ubuntu, install Hashcat. Okay, so Hashcat should now be available. Notice we are told to
use the help command, so dash dash help. Lots of information available
including some examples here, including that dash A
three, means brute force. So we've got Hashcat installed, but this is the important piece. Hashcat dash I shows us that
we only have a CPU available. We could try and crack
passwords using a CPU, but it's gonna be a lot slower. The whole reason to get
the GPUs is it allows us to crack passwords a lot quicker. So on the Linode's website, they tell us that we need to install the NVIDIA CUDA toolkit to
be able to use the GPUs. And they give us the commands on Ubuntu and Debian to do this. And then they tell us what we need to do. For instance, reboot the GPU instance after running the commands, and then we can use this
command to verify the drivers. So this first command is sudo
apt update and apt upgrade. So I'll paste that in. Take the defaults and press Okay. Next step is to install software. I'm not gonna bore you
going through explanations of all the commands when
it comes to, for instance, installing the drivers. In my experience, you can literally just type the commands in
accept all the defaults and it'll work. The idea is that you need to get the relevant software installed
to be able to use the GPUs. So you need to install the CUDA toolkit, and you need to install the drivers. Okay, so once we've done that, we need to install the CUDA toolkit. We need to select our platform, which in our case will be Linux. It's X86_64. In our example we're using Ubuntu 22.04. We are gonna use a local
Debian installation, and we are given the commands
to install the CUDA toolkit. In my experience, I literally
just copy these commands and type them in, and they all worked. So I'll copy and paste the
first command, second command. You could literally just copy all of these and paste them in at the same time, and that worked in my experience, but I'll do them one by one just to make sure that
they all work properly. We're gonna install the Debian package. Next command is actually the command we're told to run in the output here, that the key is not installed. So we are gonna install that. Then we are gonna do an update. And then we are gonna install CUDA. Okay, so while that's
installing, just to reiterate, we create the Linode server. Then we have to install the CUDA toolkit. So we have to run these commands. In our example, we're using Ubuntu. So we use those two commands. And then we need to go to
the toolkit download page, and select the operating
system that we're using. So in our example, it's Linux X86_64 bit. We're using Ubuntu 22.04 LTS. We are going to use a local installation, and then once we've done that, we need to reboot the server. Okay, so that's gonna take a while so we'll speed the video up at this point. I'm gonna select the default again, restart the servers, and there
you go, it's now completed. Okay, so I'm gonna restart the server. I've lost my connection,
I'll clear the screen. All I need to do now
is wait for the server to reboot and then I'll be
able to SSH back to the server. Okay, so the server is running again. I'll SSH back to the server,
I'll put my password in. Okay, so previously, when we used the command hashcat dash I, we didn't see the GPUs. But notice now we can see backend devices. We have our CPU, we
have backend device six, which is an RTX 6000 GPU. We have seven, RTX 6000 GPU. Same with eight, and same with nine. So multiple devices are now
available, so that's good. That wasn't visible previously. But on the Linode documentation, we're told to use this
command, nvidia-smi. That shows us that the CUDA
software was installed correctly and we can see details about
the GPUs on the server. Okay, so now we can start using Hashcat to crack the passwords once again. Okay, so I've copied the various captures to a folder on my computer. So notice I've got these HC 22,000 files. That's once again, because of the new way that Hashcat does WPA/WPA2 cracking. So since this version 6.0.0, we need to use this mode, 22,000. And various benefits are shown here. This is the right way to do it these days. Now, if you get an older
version of Hashcat, you can still do it the old way, but this is the way that I've done it, because this is a
recommended way of doing it. They give you again a
whole bunch of reasons to do it this way. In my previous video,
which I've linked below, I once again showed you how
to capture this information and create these files. But for this video, what I
want to do is get these files onto the server in Singapore. So the way I'm gonna do that, is I'm gonna use secure FTP root, and the IP address of my server. Put in my password. Okay, so at the moment, on the server, all I've got is that Debian file. So once again, through SSH
I can see that Debian file. Let's get some of these
files onto the server. So I'll say put that file,
put that file, put this file. So ls, once again, will show us that we've got three files on the server. Now, I do have older format files. So if I installed an
older version of Hashcat, I could break those with an
older version of Hashcat. Won't work with a new version of Hashcat. So again, through SSH, those
are the files on the server. So what I can do is use Hashcat to crack this eight-digit WPA file. So dash M is telling us that
we're gonna use WPA, WPA2, PMKID and EAPOL. So those message pairs
are in a single file. So it combines those two in a single file. Gives us lots of advantages once again. This is the file that
we're gonna crack, which is the file that I've uploaded. We are going to do bruteforce dash three, and this tells Hashcat that
it's gonna be eight digits. I know this is an eight-digit password. I will once again show
you later in the video how to crack a range of numbers. Okay, before I press Enter, I wanna see the devices that we've got, 'cause we've got GPUs running here. Hashcat dash I once again, it's
six, seven, eight, and nine. What I want to do here is use the device six, seven, eight, and nine. So there's our command, let's
see how long this takes. So Hashcat is starting. We're told that these are the platforms that we are going to be using. We are not gonna be using device five. Okay, we can use S to see our status. As you can see, Hashcat is running. This is the file that
we are trying to crack. At this point in time,
it's taken two seconds. We're doing an eight-digit
crack of that password. I'll say S to see the status again, we are now at 18 seconds. You can see the candidates
that it's trying to crack. You can see it's using the
different GPUs to do that. It actually already did
that in about 19 seconds. You can see when I said 18 seconds, it had actually cracked
the password already. Let's just do that again
and I'll run it by itself. If I do that, it's gonna tell
me that it's already cracked. So I need to use dash dash show at the end to see the password. And there it is. If I go to this directory,
I can see the potfile, cat hashcat potfile. There is the password that was cracked. So what I'll do is I'll just
move that hashcat potfile to another file called backup. I'll go back to my home directory. And let's clear the screen, 'cause there's a lot of output there. And what I'll do, is
I'll start Hashcat again, doing exactly what I did before. We've got our four GPUs. We're using brute force,
eight digits in this example. I'll press Enter now and I'll do nothing. I'll just let it run. Let's see how long it takes
to crack that password. All I'll do is press S for status. Okay, and there you go. It took Hashcat 19 seconds to crack that eight-digit password. Let this be a warning to you. Don't use weak passwords
like eight-digit passwords. Okay, so let me explain what
the hashcat command is doing. This is hashcat, so we are
running the binary file. This tells us the hashtype. So in the documentation,
we can see dash M hashtype. So 22,000 once again is
WPA/WPA2, PMK, EAPOL, that is the way that we
should be doing it today. Per the Hashcat documentation,
this is the way to do it since version 6.0.0. Older method is not
available with Hashcat. If I try and use 2,500, the old method, we are told that that
method has been deprecated. So you either need to use
an older version of Hashcat if you want to use the old method, or you need to use 22,000. Okay. This is the file that
we uploaded to the server. So we've uploaded various
files to the server. That's the file that we are gonna crack. This tells us that
we're using brute force, so that's our attack mode. Dash A three is brute force. We can see that here,
brute force dash A three. So we're not using a word
list or an association, we are gonna use brute force. This tells Hashcat the number of digits or characters in the password. In this case it's eight digits. I know that's an eight-digit
password because I captured it. Here we can see various
supported attack modes. So brute force dash A three. And with brute force we can
use different characters. Question mark D is digits, L is lowercase, U is uppercase, and various other options. So we can use different characters. So as an example, we
could mix our characters, and I'll show you that in a moment. But in this case, we're
just looking for digits. This tells Hashcat the devices
that we're gonna be using. So hashcat dash I will show
us the devices available. In this case, we're using GPUs. So the GPUs that I want to use are six, seven, eight, and nine. So those are the GPUs in the server. Yours would vary. And this tells us how
crazy we are gonna go. So the workload that
we're using is Nightmare. Insane power consumption, rather than just allowing it
to use the default performance, economic power consumption, we are gonna go Insane to
make it happen more quickly. So again, we are running Hashcat. We are gonna crack WPA/WPA2 passwords. This is the file that we are going to use the cracking against. We are doing brute force, eight digits. We are gonna use four GPUs, and we are gonna go Insane or
Nightmare mode with Hashcat. And if I run that once again, you can see that the
GPUs have been selected. You can see the optimizers
that have been applied. Press S to see status. We can see it's taken
five seconds thus far, 22 seconds to go. Eight digits is what we are using. You can see that four GPUs are being used. It's actually already finished. So if I go back here, took 16 seconds. These are the candidates
across the four GPUs. It already finished all of that. So if I try and run that again, it's gonna tell me to use show, because it's already
cracked that information. So use show, because it's
already cracked the password. So dash dash show, and there
is the password for that file. Okay, so for a 10-digit
one, we are using Hashcat. WPA/WPA2 password is
what we're gonna crack. That's the file. This says brute force. I'm saying zero two
followed by eight digits. We're gonna use four GPUs, and we're gonna go Insane mode basically. That's running now. We can press S to see the status. Just need to give it
some time to start up. You can also create a checkpoint so that you can come back to it, or tell it to finish or quit. Okay, it's already finished. 12 seconds later it managed
to crack that password. It got 41% through the file
and found the password. So that'll tell you how far
it's getting through the file, but we already got the
password in 12 seconds. Okay, so the one that a lot of
people wanna see is a range. How do we do a range? So again, this is what
a lot of people ask me, "David, how do I do brute force?" So they dash A three, brute force. We are going to increment. And in this case we're incrementing
from a minimum of eight, so minimum for wifi networks, up to, let's say, a maximum of 18 digits. So we are going from eight to 18. We are gonna use four GPUs and
we're gonna do Insane mode. Let's see how long it takes us to crack the 10-digit password. Now in this case, I
didn't specify any zeros, I just went digits. So simple digits. And what this is gonna try and do is start with eight digits. You can see there, eight digits. We're about 9% through
this in two seconds. So I'll do S again to see the status. 14 seconds, we're about 52% through this. I'll do S again, 75%
through this in 20 seconds. What it's trying to do is
start with eight digits and get through all eight digits. So try and crack the
password with eight digits. Now it's not gonna work, because
this is 10-digit password. So if I do status again, notice it's now gone to nine digits. So eight digits didn't work,
now it's trying nine digits. Progress here has been two seconds. According to this, it'll take
four minutes, 35 seconds, to get through the nine-digit option. As you can see there,
the progress is 0.47%. I'll do S to see progress,
we're at 9% progress now. So it's got through that many
of this number of passwords. So nine-digit passwords. And you can see it's just cycling through all of those passwords. At the moment, we are
told that it's 38 seconds, four minutes to go. Now, all you need to do is wait. We're at 20%, 25%. This is just gonna take time. I'm not gonna bore you. I've already shown you
how to crack this password using some clever stuff,
like putting a zero in front, rather than just assuming
all the digits being unknown. But literally all you need to do now is let that run in the background and let it crack the passwords. It goes very, very quick with four GPUs. As you can see here, it's cycling through those
numbers very, very rapidly. Okay, so four minutes, 43 seconds, it got through nine digits. Press S again, notice it's
trying to do 10 digits. This is gonna take 46
minutes according to this. All you need to do now is
wait for that to complete. Again, I won't bore you waiting for this, because I've already
shown you how to crack it by replacing that with a zero, rather than just assuming
that it's an unknown digit. And again, if I made it zero two there, it would be a lot, lot quicker to crack. So rather than doing it that way, what I could do is say, "Okay,
I know the first two digits in this are gonna be
zero, and let's say two." And let's see how long
that takes to crack. Made a syntax error there,
so that shouldn't be that, it should be zero two like that. So try and use some
intelligence about the numbers rather than just assuming
it could be anything. Let's see how long this takes now. Okay, so almost instant on eight digits, almost instant on nine digits, notice zero seconds,
zero seconds for nine. We are ready at 10 seconds
now, they reckon 26 seconds. We are seven seconds in now on 10 digits. So 21 seconds was already cracked. So let's see how long that took. Took 12 seconds to crack the 10 digit. So dash show, again,
shows me the password. I'll remove that password and do it again, just to make sure that you
followed what I did there. So I'll go to the Hashcat
directory, remove the potfile, go back to my home
directory, and run it again. Okay, so let's see how long it takes. All I've done now is
replace it with zero two. It's an increment from eight
digits up to 18 digits. We're using four GPUs, Insane mode. Not show, because we
want to crack that again. Let's see how long it takes. As you can see, when I put
zero two in the beginning, it takes it like no time
to crack eight digits. So eight digits according
to this is zero seconds. Press S again, we're
already at nine digits. According to that, it would
take two seconds to crack if it was nine digits in length. So nine digits in length, we already finished with nine digits, we're at 10 digits now, five
seconds, 23 seconds to go. 10 seconds, 13 seconds. It really did it at 13 seconds, so- So here I made assumptions of what the telephone number would be, zero two followed by eight
digits, took it seconds to crack. Comments I always get is like, "David, I'm not gonna just use digits, I'm gonna have digits,
letters, et cetera." So again, here I've got digits,
lowercase, and uppercase. So I'm going to increment
from a minimum of 10 up to maximum of 12. This is digits and
letters in the password. And I'm gonna assume it's
digits, lowercase and uppercase. We're gonna do a brute force. Notice I've said dash one is that. That's based on the document from Hashcat where you create groupings of characters. So custom character sets. And what I did here, as I said, dash one is that list of characters. So this dash one would
consist of these characters. Or this would consist of full
seven ASCII character set. Have a look at the documentation
on Hashcat's website. I won't bore you too
much, but notice dash one. And here I'm using dash
one in all the options. Let's see what this does. Okay, made a mistake in the
file name, WPA2 rather than WPA. So let's try that again.
Press Enter to start. Hashcat is starting. Okay, you can see it's
gonna take 7,000 years to try and crack this password. It's taken 13 seconds so
far, but still 7,000 years. It's trying a combination of
lowercase digits and uppercase per our instructions. So you can see how that changes. Various options are tried
and we've mixed digits. I didn't use special characters
here, I just used uppercase, lowercase and digits. 42 seconds. Still according to this, it's gonna take 7,000 years. So it's gonna take a long
time to create this video. You can see it's changing. We are so far through
our characters, so 0%. Keeps changing, one minute, three seconds, still going through combinations. So this is an example of
where using mixed characters makes a huge difference in your password. Don't just use digits, don't just use like
lowercase or uppercase. Definitely don't just use
your telephone number. You want to use uppercase,
lowercase, special characters. Mix up your passwords to
make them more complex, and make them much longer. A 30-character password,
it's gonna be a lot better than, say, a 10-character password. It's gonna take exponentially
longer to crack passwords if you make them a lot longer
and if you mix characters, uppercase, lowercase, special
characters and so forth. As you can see here,
it's taking a long time. I'll quit that. So I've used WPA rather
than WPA2 in the file name. So let's press Enter now
and see how long it takes to do this time around. We are incrementing from
10 digits or 10 characters up to 12 characters. Digits, letters, uppercase. So at the moment, it tells
us that it's gonna take 7,000 years to crack this. Notice, that's what we
cracking 10 characters, uppercase, lowercase, and digits. We can see the output of
what it's doing there. It actually already cracked it, so it took it nine seconds to crack that. I was very fortunate with this password. So if I do dash dash show, it actually shows me the
password that it found. So the second GPU found
the password over there, took all of nine seconds to crack rather than the thousands of years that it anticipated that it would take. Originally it was gonna take 7,000 years, but it never took that
long, I got lucky again. Moral of the story is, use good passwords. Don't use short passwords,
mix your characters. So uppercase, lowercase,
digits, special characters. Rather have a 30-character
password than a short password. Rather use a phrase. Or as a lot of you have told me, and I agree with this,
use another language. Don't use English as your password. If you can speak another language, then mix your languages in your passwords, because those kind of passwords
are gonna be less likely to be found in password
breaches, such as like RockYou, well-known password databases. So do things to improve the
security of your wifi passwords. This applies to all types of passwords. Make sure that you share
this kind of information with family and friends, that people are aware that
they should use good passwords rather than bad passwords
on their wifi networks. (upbeat rock music)
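
Added example, not part of the video or its transcript: a small Python calculator for sizing a Wi-Fi passphrase policy against the mask patterns described above (`?d`, `?l`, `?u`, a custom `?1` set, literal prefixes, and an increment range). The guess rate is an assumption derived from the on-screen estimate quoted in the transcript (all nine-digit candidates in four minutes 35 seconds); function names are illustrative.

```python
import string

# Built-in mask character sets as documented by Hashcat (?l ?u ?d ?s ?a).
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(" " + string.punctuation),  # 33 printable specials
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]

# Assumption: 10^9 candidates in 275 s, taken from the transcript's
# nine-digit estimate on the four-GPU server and treated as constant.
RATE_PER_SECOND = 10**9 / 275


def expand_charset(spec):
    """Expand a custom charset definition such as '?d?l?u' into a set."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.add("?")
            elif key in BUILTIN:
                chars |= BUILTIN[key]
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars


def position_sizes(mask, custom=None):
    """Number of candidate characters at each position of a mask."""
    custom = custom or {}
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)          # literal such as the leading '0'
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            sizes.append(1)
        elif key in BUILTIN:
            sizes.append(len(BUILTIN[key]))
        elif key in custom:
            sizes.append(len(expand_charset(custom[key])))
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return sizes


def keyspace(mask, custom=None, increment=None):
    """Total candidates; increment=(min, max) sums each mask prefix length."""
    sizes = position_sizes(mask, custom)
    lo, hi = increment if increment else (len(sizes), len(sizes))
    total = 0
    for length in range(lo, min(hi, len(sizes)) + 1):
        count = 1
        for size in sizes[:length]:
            count *= size
        total += count
    return total


def worst_case_seconds(mask, custom=None, increment=None):
    """Time to exhaust the keyspace: an upper bound, not a guarantee."""
    return keyspace(mask, custom, increment) / RATE_PER_SECOND


if __name__ == "__main__":
    year = 365 * 24 * 3600
    print("8 digits:          %.1f s" % worst_case_seconds("?d" * 8))
    print("0 + 9 digits:      %.1f min" % (worst_case_seconds("0" + "?d" * 9) / 60))
    print("10 digits:         %.1f min" % (worst_case_seconds("?d" * 10) / 60))
    mixed = worst_case_seconds("?1" * 10, {"1": "?d?l?u"})
    print("10 mixed chars:    %.0f years" % (mixed / year))
    long_pw = worst_case_seconds("?a" * 30)
    print("30 printable chars: %.2e years" % (long_pw / year))
```

The figures are exhaustive-search upper bounds; as the nine-second result in the video shows, a password can fall long before the estimate, so a policy should rely on length and unpredictability rather than on the estimate alone.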