More oclHashcat-plus mask attack
oclHashcat-plus can be configured to do a mask attack either using a combination of a dictionary file and character masking or just strict character masking. The full details of a mask attack are beyond the scope of this article, but you can read more in the oclHashcat wiki. Mask attacks have to be run against a specific number of characters, so the attack needs to be repeated several times. In my case I ran a 9-character attack against my hccap file.
oclHashcat-plus mask attack
Start a mask attack against a WPA key with the following:
cudaHashcat-plus64.exe -m 2500 -a 3 -1 mask hash_file variables for password length
Example (BackTrack 5 R3):
cudaHashcat-plus64.exe -m 2500 -a 3 -1 ?l?d Ch6-01.hccap ?1?1?1?1?1?1?1?1?1
What I'm doing here is assuming the passphrase will only contain lowercase letters and numbers, which is a good guess for a start. I'm setting up the keyspace of the mask using ?l for lowercase letters and ?d for numbers. I'm then telling oclHashcat-plus to try every combination of that for a 9-character passphrase.
As you can imagine, that is going to go nowhere fast. In Figure 12 below you can see that a combination of only letters and numbers for a 9-character passphrase yields 101,559,956,668,416 combinations! With my GPU crunching through at 6039 combinations/second the estimated time to completion is greater than 10 years! Note that my GPU is nowhere near as powerful as many of the cracking systems out there today.
Figure 12: oclHashcat mask attack
So the mask attack didn't work well for even my easier password, gilbert28, and my full password was not in any of the wordlists I downloaded. My next step would be to do a mixed dictionary-mask attack, basically telling oclHashcat-plus to go through the dictionary and brute force some numbers on the end. When I look at the downloaded wordlist, gilbert is in there. This would take several runs at the attack, starting with one number added to the end, then two, etc.
We know from several site password hacks over the years that many people simply use lowercase letters for their passwords, and my gilbert28 is no exception. Here is the crack:
oclHashcat-plus mixed dictionary and mask attack
Start a mixed dictionary and mask attack against a WPA key with the following:
cudaHashcat-plus64.exe -m 2500 -a 6 hash_file dict_file mask
Example (BackTrack 5 R3):
cudaHashcat-plus64.exe -m 2500 -a 6 Ch6-01.hccap passwords2.txt ?d?d
What this is doing is taking every word in our 172,746-word dictionary and adding every combination of 00-99 to the end.
Figure 13: oclHashcat dictionary and mask attack
Success! oclHashcat-plus cracked it in 43 minutes, going through 17,217,340 combinations before arriving at my password. But my password was easier than I realized.
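To put numbers on both runs above (the pure mask with -1 ?l?d and nine ?1 positions, and the dictionary plus ?d?d hybrid), here is an added keyspace estimator that is not part of the original article or of oclHashcat. It parses the hashcat mask syntax (?l ?u ?d ?s ?a, literal characters, and custom charsets -1 to -4) and reports how long a given passphrase shape would take to exhaust at a given rate, which is the defender's side of the same arithmetic.

```python
# Added example (not from the article): estimate the keyspace of hashcat-style
# masks so you can judge how long a passphrase policy holds up at a given rate.
import string

# Built-in hashcat charsets: ?l ?u ?d ?s (33 symbols incl. space) and ?a (all 95)
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(" " + string.punctuation),
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]

def tokens(spec):
    """Split '?l?dxy' into ['?l', '?d', 'x', 'y']; '??' is a literal '?'."""
    out, i = [], 0
    while i < len(spec):
        width = 2 if spec[i] == "?" and i + 1 < len(spec) else 1
        out.append(spec[i:i + width])
        i += width
    return out

def expand(spec, custom=None):
    """Character set denoted by a charset spec such as '?l?d' or 'ab?d'."""
    custom, chars = custom or {}, set()
    for tok in tokens(spec):
        if tok == "??":
            chars.add("?")
        elif tok.startswith("?"):
            # Unknown ?x raises KeyError, the same way hashcat rejects it
            chars |= BUILTIN[tok[1]] if tok[1] in BUILTIN else custom[tok[1]]
        else:
            chars.add(tok)
    return chars

def mask_keyspace(mask, custom_specs=None):
    """Candidates produced by a pure mask attack (-a 3).
    custom_specs maps '1'..'4' to the -1 .. -4 definitions, e.g. {'1': '?l?d'}."""
    custom = {k: expand(v) for k, v in (custom_specs or {}).items()}
    n = 1
    for tok in tokens(mask):
        n *= len(expand(tok, custom))
    return n

def hybrid_keyspace(dict_words, mask, custom_specs=None):
    """Dictionary + mask (-a 6): every word gets every expansion of the mask."""
    return dict_words * mask_keyspace(mask, custom_specs)

def years_to_exhaust(keyspace, rate_per_second):
    """Worst-case time to try the whole keyspace at a steady rate."""
    return keyspace / rate_per_second / (365.25 * 24 * 3600)
```

Running mask_keyspace("?1" * 9, {"1": "?l?d"}) reproduces the 101,559,956,668,416 candidates from Figure 12, and years_to_exhaust on that figure at the article's 6039 c/s comes out in the hundreds of years; hybrid_keyspace(172746, "?d?d") gives the 17,274,600 candidates of the second run, within which the 17,217,340 tried before the hit falls.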
What about the classymoon359 that is the default password for my router? oclHashcat-plus does have a concept where words can be combined from one or more dictionaries. It also employs a nice set of rules that can make all sorts of substitutions for common seemingly clever things people do such as "3" for "E" or "$" for "S".
What I found in many of the wordlists I downloaded, however, was that many words of fewer than six letters were not in the dictionary, probably due to the 8-character minimum for WPA. I have to think NETGEAR combined two shorter words for that very reason. Even when I combined words from two dictionaries, the time estimate for the crack of classymoon359 was around 69 days, and that's with me "giving" the 359 for the sake of demonstration, which is not reasonable. Adding those 3 characters to the end of two distinct words would make the crack time rise exponentially.
I'll make the caveat here that I am in no way an expert with oclHashcat-plus—the exact opposite really. My hardware, although beefier than some, is definitely not cutting-edge or even modern. Your mileage may vary.