Break WiFi networks using Cloud GPUs in seconds

Captions
- In this video, I'm gonna show you how to crack wifi passwords using the cloud. I'm gonna show you all the steps in this video, I'm gonna show you how to set up the Linode server from scratch to getting it working. I'm gonna show you how to install the relevant drivers, so that you can use the GPUs on the Linode server. I'm gonna show you the Hashcat commands to crack the passwords. The only piece that I'm not showing you is how to capture the information from a wifi network. I've shown you how to do that in separate videos. See the video which I've linked below, where I'll show you how to capture the information using a wifi adapter. My favorite is an Alfa Network adapter, but there's various ways to do this to capture the information from the wifi network so that you can crack the passwords. In this video, I'm simply showing you how to take the captured information and then crack the WPA/WPA2 passwords using GPUs in the cloud. In all the examples here, I'm using brute force attacks. I'm not using a dictionary, I'm not using a list of passwords, but I could, 'cause that actually allows me to speed things up, and people use bad passwords. (upbeat rock music) May this be a warning for you and your family not to use weak passwords. TP-Link routers such as this, have a default password length of eight digits. If you use that default, look how long it's gonna take me to crack that password. In this example, I am gonna crack an eight-digit WPA2 password. I'm using GPUs in the cloud to do this. How long will it take me to crack that password? Okay, one second, 27 seconds is the estimate. 11 seconds. Okay, that took 14 seconds to crack. It took me 14 seconds to crack an eight-digit password. Do not use the default passwords on wifi devices. You may say, "David, that's really dumb. I'm not going to use such dumb passwords," but you'll be surprised what people use. Here's a real-world example.
Researchers in Tel Aviv went out and captured passwords of different wifi networks. The researchers strapped an Alfa Network adapter to his back, captured a whole bunch of wifi information. They were able to crack 70% of wifi networks. Because, in this example, a lot of wifi networks were using telephone numbers as their wifi password. Or they were using easy-to-guess passwords, or passwords from well-known database breaches, such as the RockYou database. Here I'm gonna do something similar. I'm gonna crack a 10-digit password, but I'm gonna make some assumptions like the Israeli researcher that the password probably begins with zero two, which is the dialing code in London. I'm gonna start Hashcat now. Let's see how long it takes me to crack that password. According to this, maybe 26 seconds. Okay, so how long did that actually take? 11 seconds to crack. 11 seconds to crack a 10-digit password with the assumption that it starts with zero two. If I didn't use that assumption, let's assume the assumption is that it starts with zero, not zero two. How long would that take? So only assumption at the moment is that someone's using a telephone number, it starts with zero as the telephone number. So they could be using their cell phone or mobile phone, or a landline number as the password. According to this, it'll take four minutes and 29 seconds to crack that password. Hopefully this tells you why you should be using good passwords, not just numeric passwords. I'm gonna show you an example in a moment with alphanumeric, can also be cracked if it's a poor password. Here I'm cracking a 10-digit password in a few minutes, either in a few seconds if my assumptions about your password are correct. For example, that you're using zero two. Or, like in this example, it took one minute 54 seconds to crack a password where I assumed that the password was starting with a zero. Or, like in this example, started with zero two.
But in this test, I assumed that it started with zero followed by nine digits. Now, at the end of this video, I'm gonna show you how to do a range, because that's probably the most common question I get. How do I do a starting range? So from this range to this range of different characters. So I'll show you that as an example as well. But before we get there, let's crack a 10-character password with digits and letters. Now, you may not know what a password contains, but in this example, just to speed things up, I'm using digits, lowercase, and uppercase characters. Not special characters, but I could add that to the list. I'll go through these commands in a moment. This is telling me that it's a brute force attack. Okay. According to this, it's gonna take 7,000 years to crack this password, but actually it took nine seconds. Nine seconds to crack a 10-character password with digits and letters, I got lucky here. So if I type show, so same command again, dash show, that shows me the password. I cracked this password in nine seconds rather than the estimated 7,000 years, I got lucky. Use good passwords, because if you use bad passwords like that, I could crack your password in a few seconds. In this example, with the Israeli researcher, they were able to crack 70% of passwords because people were using weak passwords or passwords in data breaches. They used the RockYou database to crack passwords. Don't use weak passwords from password breaches as an example. Simple passwords such as, "I love you," or one, two, all the way up to seven. Weak passwords like that were very easy to crack. Don't just use telephone numbers. 10 digits, very, very easy to crack. Okay, so now I'm gonna show you how to set this up. You can use the link below to get a hundred dollar 60-day credit, so that you can try this yourself. I want to thank Linode once again for sponsoring this video. I've also put the commands below if you wanna simply see the commands and then use them yourself. 
First thing you need to do is register an account on Linode, and then you'll be able to create a new Linode server. I'm going to use Ubuntu 22.04 LTS. Now, not all regions support the use of GPUs. As an example, if I select London and specify GPU, only these places support GPUs. So I could change that as an example to Frankfurt, but I could also use one of the other regions as specified over here. Okay, so once I've done that, I need to choose the size. The 128 gig RTX6000 GPU times four costs $4,000 a month. I'm not gonna run this the whole time, and you're probably not going to do that either. You need to look at the price per hour. For some of these attacks, it only takes a short time. Some attacks will take a lot longer. So you need to decide which GPU you're going to choose. I'll choose the big one, it's not always available, but let's see if it's available. In this example, I'll say wifiGPU1 as my Linode label. You need to specify a password, and then you can say, create Linode. In this example, there's no availability in this region. So what I might have to do is choose a different region. I'll try Singapore, a 128 four GPU, see if that's available. So the other side of the world, but for the files that we're uploading, doesn't matter in my example. In this case, you can see the Linode is starting. So that's good news. So if I open up a new tab and look at my Linode, you can see this wifiGPU1, which is dedicated 128 gig RTX6000 GPU times four, is being provisioned in Singapore. And that's what's great about the cloud. I'm setting up a server, literally on the other side of the world from where I am, and very, very quickly that becomes available, and I'll be able to access that server. As soon as the server's available, we are gonna SSH to the server. So what I'll do is open a terminal on my computer, and I'll paste that SSH command in. Can see the server is now booting up. Okay, there you go. The server has now booted, it's running.
I'll press Enter to SSH to the server. We have to accept the public key. Put my password in, and there you go. I'm now running a Linode server in Singapore with four GPUs. Now, Hashcat isn't recognized. So what I need to do is install the software. I'm gonna use the command sudo apt update to update my references. Okay, so references are updated. Now what I'm gonna do is type sudo apt install hashcat to install Hashcat on the server. So literally update references on Ubuntu, install Hashcat. Okay, so Hashcat should now be available. Notice we are told to use the help command, so dash dash help. Lots of information available including some examples here, including that dash A three, means brute force. So we've got Hashcat installed, but this is the important piece. Hashcat dash I shows us that we only have a CPU available. We could try and crack passwords using a CPU, but it's gonna be a lot slower. The whole reason to get the GPUs is it allows us to crack passwords a lot quicker. So on the Linode's website, they tell us that we need to install the NVIDIA CUDA toolkit to be able to use the GPUs. And they give us the commands on Ubuntu and Debian to do this. And then they tell us what we need to do. For instance, reboot the GPU instance after running the commands, and then we can use this command to verify the drivers. So this first command is sudo apt update and apt upgrade. So I'll paste that in. Take the defaults and press Okay. Next step is to install software. I'm not gonna bore you going through explanations of all the commands when it comes to, for instance, installing the drivers. In my experience, you can literally just type the commands in accept all the defaults and it'll work. The idea is that you need to get the relevant software installed to be able to use the GPUs. So you need to install the CUDA toolkit, and you need to install the drivers. Okay, so once we've done that, we need to install the CUDA toolkit.
We need to select our platform, which in our case will be Linux. It's X86_64. In our example we're using Ubuntu 22.04. We are gonna use a local Debian installation, and we are given the commands to install the CUDA toolkit. In my experience, I literally just copy these commands and type them in, and they all worked. So I'll copy and paste the first command, second command. You could literally just copy all of these and paste them in at the same time, and that worked in my experience, but I'll do them one by one just to make sure that they all work properly. We're gonna install the Debian package. Next command is actually the command we're told to run in the output here, that the key is not installed. So we are gonna install that. Then we are gonna do an update. And then we are gonna install CUDA. Okay, so while that's installing, just to reiterate, we create the Linode server. Then we have to install the CUDA toolkit. So we have to run these commands. In our example, we're using Ubuntu. So we use those two commands. And then we need to go to the toolkit download page, and select the operating system that we're using. So in our example, it's Linux X86_64 bit. We're using Ubuntu 22.04 LTS. We are going to use a local installation, and then once we've done that, we need to reboot the server. Okay, so that's gonna take a while so we'll speed the video up at this point. I'm gonna select the default again, restart the servers, and there you go, it's now completed. Okay, so I'm gonna restart the server. I've lost my connection, I'll clear the screen. All I need to do now is wait for the server to reboot and then I'll be able to SSH back to the server. Okay, so the server is running again. I'll SSH back to the server, I'll put my password in. Okay, so previously, when we used the command hashcat dash I, we didn't see the GPUs. But notice now we can see backend devices. We have our CPU, we have backend device six, which is an RTX 6000 GPU. We have seven, RTX 6000 GPU.
Same with eight, and same with nine. So multiple devices are now available, so that's good. That wasn't visible previously. But on the Linode documentation, we're told to use this command, nvidia-smi. That shows us that the CUDA software was installed correctly and we can see details about the GPUs on the server. Okay, so now we can start using Hashcat to crack the passwords once again. Okay, so I've copied the various captures to a folder on my computer. So notice I've got these HC22000 files. That's once again, because of the new way that Hashcat does WPA/WPA2 cracking. So since this version 6.0.0, we need to use this mode, 22000. And various benefits are shown here. This is the right way to do it these days. Now, if you get an older version of Hashcat, you can still do it the old way, but this is the way that I've done it, because this is a recommended way of doing it. They give you again a whole bunch of reasons to do it this way. In my previous video, which I've linked below, I once again showed you how to capture this information and create these files. But for this video, what I want to do is get these files onto the server in Singapore. So the way I'm gonna do that, is I'm gonna use secure FTP root, and the IP address of my server. Put in my password. Okay, so at the moment, on the server, all I've got is that Debian file. So once again, through SSH I can see that Debian file. Let's get some of these files onto the server. So I'll say put that file, put that file, put this file. So ls, once again, will show us that we've got three files on the server. Now, I do have older format files. So if I installed an older version of Hashcat, I could break those with an older version of Hashcat. Won't work with a new version of Hashcat. So again, through SSH, those are the files on the server. So what I can do is use Hashcat to crack this eight-digit WPA file. So dash M is telling us that we're gonna use WPA, WPA2, PMKID and EAPOL.
So those message pairs are in a single file. So it combines those two in a single file. Gives us lots of advantages once again. This is the file that we're gonna crack, which is the file that I've uploaded. We are going to do bruteforce dash three, and this tells Hashcat that it's gonna be eight digits. I know this is an eight-digit password. I will once again show you later in the video how to crack a range of numbers. Okay, before I press Enter, I wanna see the devices that we've got, 'cause we've got GPUs running here. Hashcat dash I once again, it's six, seven, eight, and nine. What I want to do here is use the device six, seven, eight, and nine. So there's our command, let's see how long this takes. So Hashcat is starting. We're told that these are the platforms that we are going to be using. We are not gonna be using device five. Okay, we can use S to see our status. As you can see, Hashcat is running. This is the file that we are trying to crack. At this point in time, it's taken two seconds. We're doing an eight-digit crack of that password. I'll say S to see the status again, we are now at 18 seconds. You can see the candidates that it's trying to crack. You can see it's using the different GPUs to do that. It actually already did that in about 19 seconds. You can see when I said 18 seconds, it had actually cracked the password already. Let's just do that again and I'll run it by itself. If I do that, it's gonna tell me that it's already cracked. So I need to use dash dash show at the end to see the password. And there it is. If I go to this directory, I can see the potfile, cat hashcat potfile. There is the password that was cracked. So what I'll do is I'll just move that hashcat potfile to another file called backup. I'll go back to my home directory. And let's clear the screen, 'cause there's a lot of output there. And what I'll do, is I'll start Hashcat again, doing exactly what I did before. We've got our four GPUs.
We're using brute force, eight digits in this example. I'll press Enter now and I'll do nothing. I'll just let it run. Let's see how long it takes to crack that password. All I'll do is press S for status. Okay, and there you go. It took Hashcat 19 seconds to crack that eight-digit password. Let this be a warning to you. Don't use weak passwords like eight-digit passwords. Okay, so let me explain what the hashcat command is doing. This is hashcat, so we are running the binary file. This tells us the hashtype. So in the documentation, we can see dash M hashtype. So 22000 once again is WPA/WPA2, PMK, EAPOL, that is the way that we should be doing it today. Per the Hashcat documentation, this is the way to do it since version 6.0.0. Older method is not available with Hashcat. If I try and use 2500, the old method, we are told that that method has been deprecated. So you either need to use an older version of Hashcat if you want to use the old method, or you need to use 22000. Okay. This is the file that we uploaded to the server. So we've uploaded various files to the server. That's the file that we are gonna crack. This tells us that we're using brute force, so that's our attack mode. Dash A three is brute force. We can see that here, brute force dash A three. So we're not using a word list or an association, we are gonna use brute force. This tells Hashcat the number of digits or characters in the password. In this case it's eight digits. I know that's an eight-digit password because I captured it. Here we can see various supported attack modes. So brute force dash A three. And with brute force we can use different characters. Question mark D is digits, L is lowercase, U is uppercase, and various other options. So we can use different characters. So as an example, we could mix our characters, and I'll show you that in a moment. But in this case, we're just looking for digits. This tells Hashcat the devices that we're gonna be using.
So hashcat dash I will show us the devices available. In this case, we're using GPUs. So the GPUs that I want to use are six, seven, eight, and nine. So those are the GPUs in the server. Yours would vary. And this tells us how crazy we are gonna go. So the workload that we're using is Nightmare. Insane power consumption, rather than just allowing it to use the default performance, economic power consumption, we are gonna go Insane to make it happen more quickly. So again, we are running Hashcat. We are gonna crack WPA/WPA2 passwords. This is the file that we are going to use the cracking against. We are doing brute force, eight digits. We are gonna use four GPUs, and we are gonna go Insane or Nightmare mode with Hashcat. And if I run that once again, you can see that the GPUs have been selected. You can see the optimizers that have been applied. Press S to see status. We can see it's taken five seconds thus far, 22 seconds to go. Eight digits is what we are using. You can see that four GPUs are being used. It's actually already finished. So if I go back here, took 16 seconds. These are the candidates across the four GPUs. It already finished all of that. So if I try and run that again, it's gonna tell me to use show, because it's already cracked that information. So use show, because it's already cracked the password. So dash dash show, and there is the password for that file. Okay, so for a 10-digit one, we are using Hashcat. WPA/WPA2 password is what we're gonna crack. That's the file. This says brute force. I'm saying zero two followed by eight digits. We're gonna use four GPUs, and we're gonna go Insane mode basically. That's running now. We can press S to see the status. Just need to give it some time to start up. You can also create a checkpoint so that you can come back to it, or tell it to finish or quit. Okay, it's already finished. 12 seconds later it managed to crack that password. It got 41% through the file and found the password. 
So that'll tell you how far it's getting through the file, but we already got the password in 12 seconds. Okay, so the one that a lot of people wanna see is a range. How do we do a range? So again, this is what a lot of people ask me, "David, how do I do brute force?" So they dash A three, brute force. We are going to increment. And in this case we're incrementing from a minimum of eight, so minimum for wifi networks, up to, let's say, a maximum of 18 digits. So we are going from eight to 18. We are gonna use four GPUs and we're gonna do Insane mode. Let's see how long it takes us to crack the 10-digit password. Now in this case, I didn't specify any zeros, I just went digits. So simple digits. And what this is gonna try and do is start with eight digits. You can see there, eight digits. We're about 9% through this in two seconds. So I'll do S again to see the status. 14 seconds, we're about 52% through this. I'll do S again, 75% through this in 20 seconds. What it's trying to do is start with eight digits and get through all eight digits. So try and crack the password with eight digits. Now it's not gonna work, because this is 10-digit password. So if I do status again, notice it's now gone to nine digits. So eight digits didn't work, now it's trying nine digits. Progress here has been two seconds. According to this, it'll take four minutes, 35 seconds, to get through the nine-digit option. As you can see there, the progress is 0.47%. I'll do S to see progress, we're at 9% progress now. So it's got through that many of this number of passwords. So nine-digit passwords. And you can see it's just cycling through all of those passwords. At the moment, we are told that it's 38 seconds, four minutes to go. Now, all you need to do is wait. We're at 20%, 25%. This is just gonna take time. I'm not gonna bore you. I've already shown you how to crack this password using some clever stuff, like putting a zero in front, rather than just assuming all the digits being unknown.
But literally all you need to do now is let that run in the background and let it crack the passwords. It goes very, very quick with four GPUs. As you can see here, it's cycling through those numbers very, very rapidly. Okay, so four minutes, 43 seconds, it got through nine digits. Press S again, notice it's trying to do 10 digits. This is gonna take 46 minutes according to this. All you need to do now is wait for that to complete. Again, I won't bore you waiting for this, because I've already shown you how to crack it by replacing that with a zero, rather than just assuming that it's an unknown digit. And again, if I made it zero two there, it would be a lot, lot quicker to crack. So rather than doing it that way, what I could do is say, "Okay, I know the first two digits in this are gonna be zero, and let's say two." And let's see how long that takes to crack. Made a syntax error there, so that shouldn't be that, it should be zero two like that. So try and use some intelligence about the numbers rather than just assuming it could be anything. Let's see how long this takes now. Okay, so almost instant on eight digits, almost instant on nine digits, notice zero seconds, zero seconds for nine. We are ready at 10 seconds now, they reckon 26 seconds. We are seven seconds in now on 10 digits. So 21 seconds was already cracked. So let's see how long that took. Took 12 seconds to crack the 10 digit. So dash show, again, shows me the password. I'll remove that password and do it again, just to make sure that you followed what I did there. So I'll go to the Hashcat directory, remove the potfile, go back to my home directory, and run it again. Okay, so let's see how long it takes. All I've done now is replace it with zero two. It's an increment from eight digits up to 18 digits. We're using four GPUs, Insane mode. Not show, because we want to crack that again. Let's see how long it takes. 
As you can see, when I put zero two in the beginning, it takes it like no time to crack eight digits. So eight digits according to this is zero seconds. Press S again, we're already at nine digits. According to that, it would take two seconds to crack if it was nine digits in length. So nine digits in length, we already finished with nine digits, we're at 10 digits now, five seconds, 23 seconds to go. 10 seconds, 13 seconds. It really did it at 13 seconds, so- So here I made assumptions of what the telephone number would be, zero two followed by eight digits, took it seconds to crack. Comments I always get is like, "David, I'm not gonna just use digits, I'm gonna have digits, letters, et cetera." So again, here I've got digits, lowercase, and uppercase. So I'm going to increment from a minimum of 10 up to maximum of 12. This is digits and letters in the password. And I'm gonna assume it's digits, lowercase and uppercase. We're gonna do a brute force. Notice, I've said dash one is that. That's based on the document from Hashcat where you create groupings of characters. So custom character sets. And what I did here, as I said, dash one is that list of characters. So this dash one would consist of these characters. Or this would consist of full seven ASCII character set. Have a look at the documentation on Hashcat's website. I won't bore you too much, but notice dash one. And here I'm using dash one in all the options. Let's see what this does. Okay, made a mistake in the file name, WPA2 rather than WPA. So let's try that again. Press Enter to start. Hashcat is starting. Okay, you can see it's gonna take 7,000 years to try and crack this password. It's taken 13 seconds so far, but still 7,000 years. It's trying a combination of lowercase digits and uppercase per our instructions. So you can see how that changes. Various options are tried and we've mixed digits. I didn't use special characters here, I just used uppercase, lowercase and digits. 42 seconds.
Still according to this, it's gonna take 7,000 years. So it's gonna take a long time to create this video. You can see it's changing. We are so far through our characters, so 0%. Keeps changing, one minute, three seconds, still going through combinations. So this is an example of where using mixed characters makes a huge difference in your password. Don't just use digits, don't just use like lowercase or uppercase. Definitely don't just use your telephone number. You want to use uppercase, lowercase, special characters. Mix up your passwords to make them more complex, and make them much longer. A 30-character password, it's gonna be a lot better than, say, a 10-character password. It's gonna take exponentially longer to crack passwords if you make them a lot longer and if you mix characters, uppercase, lowercase, special characters and so forth. As you can see here, it's taking a long time. I'll quit that. So I've used WPA rather than WPA2 in the file name. So let's press Enter now and see how long it takes to do this time around. We are incrementing from 10 digits or 10 characters up to 12 characters. Digits, letters, uppercase. So at the moment, it tells us that it's gonna take 7,000 years to crack this. Notice, that's what we're cracking 10 characters, uppercase, lowercase, and digits. We can see the output of what it's doing there. It actually already cracked it, so it took it nine seconds to crack that. I was very fortunate with this password. So if I do dash dash show, it actually shows me the password that it found. So the second GPU found the password over there, took all of nine seconds to crack rather than the thousands of years that it anticipated that it would take. Originally it was gonna take 7,000 years, but it never took that long, I got lucky again. Moral of the story is, use good passwords. Don't use short passwords, mix your characters. So uppercase, lowercase, digits, special characters. Rather have a 30-character password than a short password.
Rather use a phrase. Or as a lot of you have told me, and I agree with this, use another language. Don't use English as your password. If you can speak another language, then mix your languages in your passwords, because those kind of passwords are gonna be less likely to be found in password breaches, such as like RockYou, well-known password databases. So do things to improve the security of your wifi passwords. This applies to all types of passwords. Make sure that you share this kind of information with family and friends, that people are aware that they should use good passwords rather than bad passwords on their wifi networks. (upbeat rock music)
Info
Channel: David Bombal
Views: 353,120
Keywords: kali linux, hashcat, hashcat gpu, hashcat wifi cracking kali linux, hashcat wifi cracking windows, hashcat brute force, hashcat wpa2, how to hack wifi password, penetration testing, wpa2 cracking, wifi, wifi password hacker, wifi password hacker app, ethical hacking, wifi hacking, hashcat password recovery, hashcat install, hashcat wpa2 brute force, hashcat dictionary attack, hashcat wifi cracking, wireless security, wpa2 hacking, wifi cracking, linode, cloud, cloud gpu
Id: nHDixd-EdEQ
Length: 29min 49sec (1789 seconds)
Published: Sun Feb 05 2023