- In this video I'm
gonna show you how to use a brute force attack to crack
a WPA version 2 password. We gonna do that within a few minutes. So within seven minutes, using this laptop behind me, I'm gonna show you how to
crack a WPA version 2 password, random password using brute force and an application called Hashcat. Now, for this to work
you need access to a GPU, in your laptop as an example. So in that laptop I have a GEForce GPU that I can access to do a
brute force attack very, very quickly against a
WPA version 2 password. Please note that the
password that I'm using in this example is a random
password on a TP Link router. This is actually the password
that the router shipped with. One of the problems with TP Link routers, same on this router, is that the default password that the routers are configured with is an eight digit number. That allows us to much more
quickly crack the password using a brute force attack with a GPU. They're not using alphanumeric characters, they're just using numeric characters. They're not using special characters as part of the default password. So if a user uses the default password, and a lot of people do
when they get new routers, we can use a brute force attack with a GPU to very quickly crack the password. This is a terrible weakness
on TP Link routers. It once again took me
less than seven minutes to crack this password using a laptop and a GEForce GPU in the laptop. Now, I'm showing you the
whole process in this video. I'm gonna show you how to
capture the 4-way handshake. I'm gonna show you how
to convert the cap file into a format that Hashcat can understand. I'm gonna show you how to
bring that into windows and use Hashcat within windows to launch the brute force attack
against the password. So use this menu to jump to
a specific topic of interest. If you're not interested in
the 4-way handshake capture, you're just interested in the Hashcat brute force part of the video, then again jump to the
relevant part of the video. Okay. Let's get started. ♪ I've been in your waters ♪ Okay. So once again I'm
controlling that laptop from my Mac using VNC. First thing I need to do is have a wireless network card. So in this example, I'm using an Alfa network adapter. I've connected it to that laptop using its USB port. And what I've done is connected to the Kali virtual machine running on this windows computer. So if I open up a command prompt and type IP address, what you'll notice is wlan0 is available. So in other words the
wireless network adapter has been picked up by Kali Linux. So to simplify this process, I'm gonna use Wifite. And I'm gonna use this command, "sudo wifite wpa kill." I'm only gonna attack WPA networks and I'm gonna kill any
processes that interfere. Have a look at this
video where I explained some of the basics of Wifite. I'm not gonna explain too much about the software in this video. You don't have to use Wifite, you could use other tools. But Wifite just makes it very simple. So first thing I need to
do is decide which network I'm gonna attack. I'm gonna press Control + C to stop Wifite scanning for networks. In this example, I wanna attack this network, TP-Link. So I'm gonna press 1 to start the attack. Now we could run a Pixie Dust attack, but I'm not gonna do that. I'm gonna press Control + C and then C to continue to the next attack. I'm also not gonna run
the null pin attack. Press C to continue. I'm also not gonna run a WPS Pin attack. C to continue. Could also run another attack but I'm not gonna do that. The only attack I'm wanting
to run in this example is the WPA handshake attack. Now, it's discovered clients. I'll try and connect
to the TP-Link router. But I'm getting kicked off the network. That's what we want. It's now captured the handshake and it's tryna run the probable word list against
that captured handshake. Now, in my previous videos, a lot of people complained saying they not gonna be using simple passwords on their wifi networks. But again, in this example, I'm using the default password that the router is configured as. So this specific TP-Link router
has this wireless password. This router has a different password, but it's also only eight
characters in length. So these are the random
passwords that the routers are shipped with. So again, this is the
password on the router. But that wasn't discovered because it's not in this word list. If I type ls, we have this hs directory. And if I go to that directory and type ls you'll notice
there's a cap file. So that's the captured handshake. I'll clear the screen. And once again, there's the captured handshake. That needs to be converted
now into a format that Hashcat can use. So to do that, I'm gonna use user, share, hashcat- Utils. They quite a few tools here but the tool I wanna use is this tool. And I wanna convert our handshake file to a file such as wpa2hccapx. And press enter. Okay. So I should have
remembered to put sudo in. So let's put sudo in to convert that. We can see that the
handshake has been written. So ls now shows us that
we've got this new handshake in this directory. So I'll clear the screen. And once again, there is the new handshake saved in Kali. What I'll do now is open up a folder. So under hs, we've got the file. And what I'm gonna do is make VM way smaller. And I'm gonna copy that file into windows into my Hashcat directory. To actually use Hashcat, I'm gonna open up a command prompt. I'm gonna go to my downloads directory. I'm gonna go to my Hashcat software. DIR shows me the files here. I'll clear the screen. The software that I
wanna use is Hashcat.exe. And I'll use hyphen or dash I to see the GPUs available on this computer. So we can see that
device three is unstable. But we've got CUDA information here. Backend device number one
is a GEForce GTX 1650 Ti. And then we've got OpenCl information. We've got NVIDIA CUDA information here. Device two is once again
the GEForce GTX GPU in the computer. Now, fortunately, we don't have to specify all of those details when running Hashcat. What I'm gonna do is run Hashcat, the executable and the type that we're
going to attack is WPA. You can see all of those
options on the Hashcat Wiki. So we gonna be attacking WPA version 2. The attack is gonna be
a brute force attack. So in the Wiki as an example, they've got a brute
force attack against MD5. That's not what we're using here because we're not using -0, we're using -2,500, so WPA. But it's a brute force attack. And the attack that I wanna launch is against the WPA2 file that we created. And this specifies that Hashcat should use brute force using digits, eight digits in length in this example. So I'll press enter there. Hashcat is starting. We can press S to see the status. We can see that we're using a WPA attack against this file called WPA2. The estimated time to break this is nine minutes. So within 10 minutes, and it's actually gonna be
quicker In this example, Hashcat will crack this WPA2 password. Press S to see the status again. We can see that we already at 5.9% progress. Now, this is one of the
problems that you can have with your GPUs, is that the performance will be reduced because of the temperature being raised. But notice the attack
has lost at 55 seconds. Estimated is 9 minutes 41 seconds. It's already progressed through 8.6% of this number of variations. So at this point, the fans on that laptop are spinning up making a lot of noise. But notice we are now at 11%, after 1 minute and 18 seconds. Now, when going I'm gonna speed
up the video at this point because all it's gonna do now is continue going through all the different variations doing a brute force attack
against that password. It's taken it about 2 minutes 41 seconds to get through a quarter of all of those different options. So it's not taking a lot of time. After five minutes, it's through about 50% of all the combinations. Okay, so there you go. After 6 minutes and 55 seconds, it's cracked the password. It went through 69% of a hundred million combinations. So the 69 millionth combination was the actual password. And if I type this again, it will tell us that it's already got the password. We should use show to
display the password. So if I typed show now, I can see that this is the password for this wireless network. And if I go and look on the access point, there you go. That's the password
using WPA version 2 PSK, encryption is AES. It took Hashcat 6 minutes and 55 seconds to crack that password. Now in windows, you can open up the potfile with, say notepad. And you'll be able to see the actual password, which once again is the password on the
wireless access point. Hashcat is fantastic software, lots of options available. I'll show you in subsequent videos, more about Hashcat. I'll teach you more about
Hashcat If you're interested. Hope you enjoyed this video. If you did, please like it, please subscribe to my YouTube channel. And please click on the
bell to get notifications. I'm David Bombal, wanna wish you all the very best. ♪ I've been in your waters ♪ ♪ I thought you were my love ♪ ♪ I know one thing for sure ♪ ♪ I've never been so close ♪