
More oclHashcat-plus mask attack

oclHashcat-plus can be configured to do a mask attack either using a combination of a dictionary file and character masking or just strict character masking. The full details of a mask attack are beyond the scope of this article, but you can read more in the oclHashcat wiki. Mask attacks have to be run against a specific number of characters, so the attack needs to be repeated several times. In my case I ran a 9-character attack against my hccap file.

oclHashcat-plus mask attack

Start a mask attack against a WPA key with the following:

General Form:

cudaHashcat-plus64.exe -m 2500 -a 3 -1 mask hash_file variables for password length 

Example (BackTrack 5 R3):

cudaHashcat-plus64.exe -m 2500 -a 3 -1 ?l?d Ch6-01.hccap ?1?1?1?1?1?1?1?1?1 

What I'm doing here is assuming the passphrase will only contain lowercase letters and numbers, which is a good guess for a start. I'm setting up the keyspace of the mask using ?l for lowercase letters and ?d for numbers. I'm then telling oclHashcat-plus to try every combination of that for a 9-character passphrase.

As you can imagine, that is going to go nowhere fast. In Figure 12 below you can see that a combination of only letters and numbers for a 9-character passphrase yields 101,559,956,668,416 combinations! With my GPU crunching through at 6039 combinations/second the estimated time to completion is greater than 10 years! Note that my GPU is nowhere near as powerful as many of the cracking systems out there today.


Figure 12: oclHashcat mask attack

So the mask attack didn't work well for even my easier password, gilbert28, and my full password was not in any of the wordlists I downloaded. My next step would be to do a mixed dictionary-mask attack, basically telling oclHashcat-plus to go through the dictionary and brute force some numbers on the end. When I look at the downloaded wordlist, gilbert is in there. This would take several runs at the attack, starting with one number added to the end, then two, etc.

We know from several site password hacks over the years that many people simply use lowercase letters for their passwords, and my gilbert28 is no exception. Here is the crack:

oclHashcat-plus mixed dictionary and mask attack

Start a mixed dictionary and mask attack against a WPA key with the following:

General Form:

cudaHashcat-plus64.exe -m 2500 -a 6 hash_file dict_file  mask 

Example (BackTrack 5 R3):

cudaHashcat-plus64.exe -m 2500 -a 6 Ch6-01.hccap passwords2.txt ?d?d 

What this is doing is taking every word in our 172,746-word dictionary and adding every combination of 00-99 to the end.


Figure 13: oclHashcat dictionary and mask attack

Success! oclHashcat-plus cracked it in 43 minutes, going through 17,217,340 combinations before coming on to my password. But my password was easier than I realized.
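As an added example (not from the original article), the following Python sketch computes the keyspace of a hashcat-style mask and the worst-case time to exhaust it, reproducing the 101,559,956,668,416 figure for the 9-character ?l?d mask and the candidate count for the dictionary-plus-?d?d run above. The function names are hypothetical; the charsets are hashcat's built-in ?l, ?u, ?d, ?s and ?a.

```python
import string

# hashcat built-in mask charsets: ?l ?u ?d ?s, and ?a = all four (95 chars)
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(string.punctuation) | {" "},
}
BUILTIN["a"] = set().union(*BUILTIN.values())


def expand(spec, custom=None):
    """Return the set of allowed characters at each position of a mask."""
    custom = custom or {}
    positions, i = [], 0
    while i < len(spec):
        if spec[i] != "?":                 # literal character
            positions.append({spec[i]})
            i += 1
            continue
        if i + 1 >= len(spec):
            raise ValueError("dangling '?' at end of mask")
        key = spec[i + 1]
        if key == "?":                     # '??' is a literal question mark
            positions.append({"?"})
        elif key in BUILTIN:
            positions.append(BUILTIN[key])
        elif key in custom:
            positions.append(custom[key])
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return positions


def keyspace(mask, custom_defs=None):
    """Candidates generated by `mask`; custom_defs maps '1'..'4' to a charset
    definition, e.g. {'1': '?l?d'} for the page's `-1 ?l?d`."""
    custom = {k: set().union(*expand(v)) for k, v in (custom_defs or {}).items()}
    total = 1
    for chars in expand(mask, custom):
        total *= len(chars)
    return total


def worst_case_years(candidates, rate_per_sec):
    """Time to exhaust the keyspace at a fixed guess rate."""
    return candidates / rate_per_sec / (86400 * 365)


if __name__ == "__main__":
    n = keyspace("?1" * 9, {"1": "?l?d"})          # page's mask attack
    print(n, round(worst_case_years(n, 6039)))      # rate from the page
    print(172_746 * keyspace("?d?d"))               # page's -a 6 hybrid run
```

Running the same functions on a longer or wider mask shows how much each extra character or character class adds to the work required at a fixed guess rate.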

What about the classymoon359 that is the default password for my router? oclHashcat-plus does have a concept where words can be combined from one or more dictionaries. It also employs a nice set of rules that can make all sorts of substitutions for common, seemingly clever things people do, such as "3" for "E" or "$" for "S".

What I found in many of the wordlists I downloaded, however, was that many <6 letter words were not in the dictionary, probably due to the 8-character minimum for WPA. I have to think NETGEAR combined two shorter words for that very reason. Even when I combined dictionaries to combine words, the time estimate for the crack of classymoon359 was around 69 days, and that's with me "giving" the 359 for the sake of demonstration, which is not reasonable. Adding those 3 characters to the end of two distinct words would make the crack time rise exponentially.

I'll make the caveat here that I am in no way an expert with oclHashcat-plus—the exact opposite really. My hardware, although beefier than some, is definitely not cutting-edge or even modern. Your mileage may vary.
