A series of scripts that automate password cracking wifi handshakes collected from a pwnagotchi.
- What can this project do?
- Usage
- Installation
- Password cracking techniques
- Some thoughts on wifi cracking and pwnagotchi
- Credit
The pwnagotchi automates the process of capturing 4-way handshakes and other crackable material from wifi networks. This project fills in some of the gaps in the full process of wifi hacking after the pwnagotchi is used. Included here are scripts to:
- Copy all pcap files from the pwnagotchi onto your computer
- Convert those pcap files into pmkid/hccapx files that can be used with hashcat
- Keep a list of the pmkid/hccapx files and track if they have been cracked or if attempts to crack failed
- Generate hashcat scripts to run a set of custom designed attacks for WPA/WPA2 password cracking
- Optionally, provision a AWS EC2 P2 instance for running hashcat in the cloud
In short, these scripts will help you crack WPA/WPA2 passwords in the most automated way possible.
These tools were custom made to serve my purposes and as a result these scripts are written for Windows and contain dependencies on Python, Vagrant, Virtual Box, and of course, Hashcat. For example, to convert pcap files into pmkid/hccapx files Vagrant creates a headless Debian Linux VM, which is total overkill for someone already running Linux. To run this project on Linux the bat scripts, Vagrant script, and generate-hashcat-scripts.py would need to be converted.
This project is ONLY to be used for wifi security education in conjunction with a pwnagotchi. Hacking wifi networks you don't own is ILLEGAL and is not endorsed by this project.
- Use your pwnagotchi to collect wifi handshakes.
- Plug your pwnagotchi into your computer and place the device in manual mode. You will see the "MANU" icon on the bottom right of its screen.
- Run
get-files-from-pwnagotchi.batThis will copy the pcap files off of your device and place them in thehandshakes/pcapfolder. - Run
cd vagrantto change into the vagrant folder. Ensure VirtualBox is running and then, runvagrant up. This will create a headless Debian VM that will install and run the tools needed to convert pcap files into crackable pmkid/hccapx files. If this command gets stuck and shows the errorTimed out while waiting for the machine to bootthen ensure VirtualBox is running and the VM was not paused. Runvagrant destroy -fand thenvagrant upto try again. - Once that has finished run
vagrant destroy -fto delete the VM and runcd ..to get back to the root folder. - Run
python generate-hashcat-scripts.pyto generate the bat scripts you will use to run the custom WPA/WPA2 hashcat attacks included in this repo. - Run any of the newly created bat scripts found in the
hashcat/scriptsfolder. There will be one script for each wifi network the pwnagotchi collected crackable data for. Depending on your graphics card, the full attack could take about a day to run per wifi network. - Run
python print-final-results.pyto see a printed list of all the wifi networks that have been cracked so far with their SSIDs and passwords.
- Optionally, at any point run
python get-next-hashcat-script.pyto print some stats of the wifi networks being tracked innetwork-cracked-status.json
Amazon offers 3 kinds of EC2 P2 instances with with 1, 8, or 16 GPUs. This is very valuable because cracking WPA/WPA2 is VERY slow and the more power you can add the better. It's expensive, at roughly $1 an hour per GPU, but using 16 GPUs at once you can run the full attack included in this repo in under 7 hours, when it may take a day and a half with 1 consumer GPU. Here is more of an explanation about running hashcat on AWS P2 instances.
In this repo is the aws folder which contains scripts to help run hashcat on an AWS P2 instance.
move-files-to-aws.batwill copy files to an aws instance. A ssh key namedaws.pemmust be in thesshfolder and the AWS instance id must replace the id included in the file. This file is missing the code to copy wordlists and pmkid/hccapx files.get-files-from-aws.batwill download the hashcat output, potfile, and session files. It also needs a ssh key namedaws.pemin thesshfolder and the AWS instance id must replace the id included in the file.aws-initial-provision.shis a bash script to provision an aws p2 instance and install hashcat.set-nvidia-settings.shis a bash script to set the nvidia settings after hashcat has been installed.
- Windows - This is because bat files are used, but they can be converted to bash scripts to get this running on Linux
- Python 3.x
- Vagrant - Vagrant and Virtual Box are only used to convert pcap files to hccapx/pmkid files
- Virtual Box
- Hashcat v6.2.6
- Word Ninja - pip install wordninja
- Tabulate - pip install tabulate
This project comes with no wordlists, so you will need download them yourself. If you do not download these lists then any wordlist attacks set up for hashcat will fail. All of these wordlists should be placed in the same folder of your choosing. The wordlist folder is configured in the generate-hashcat-scripts.py file.
- known-wpa-passwords.txt - This is your own personal list of your cracked wifi passwords.
- netgear-spectrum.txt - The repo for this list is here
- NAMES.DIC- Any list of all lowercase first names can replace this.
- words_alpha.txt - Any list of all lowercase common words can replace this.
- hashesorg2019
- openwall.net-all.txt
- rockyou - Literally the famous rockyou list. This is the first link I found online to download it.
- Top24Million-WPA-probable-v2.txt
- Top1pt8Billion-WPA-probable-v2.txt
- passphrases.txt - The repo for this list is here.
- Custom-WPA
- Super-WPA
- nerdlist.txt
- Create an SSH key for your pwnagotchi (and optionally your AWS SSH key) and place it in the
sshfolder. The SSH key for the pwnagotchi should be namedid_rsa. The optional AWS SSH key should be namedaws.pem - If your pwnagotchi is not named
pwnagotchichange thepi@pwnagotchi.localname in theget-files-from-pwnagotchi.bat generate-hashcat-scripts.py- Change the value for
fullProjectPathto the FULL path to thispwnagotchi-toolsfolder - Change the value for
fullHashcatPathto the FULL path to your hashcat install folder - Change the value for
fullWordListPathto the FULL path to the folder where all of your wordlists are saved
- Change the value for
I have compiled a comprehensive list of attacks that includes many wordlist attacks, attacks that use the MAC address of the AP, attacks on router default passwords, and many brute force attacks. As passwords evolve this list will get less effective over time so, it is important to keep updating these attacks and to analyze your cracked passwords for new patterns and points of weakness. To help automate the process of using new attacks if you update the attack list in generate-hashcat-scripts.py and then run generate-hashcat-scripts.py new scripts will be generated for any networks listed as waiting in network-cracked-status.json.
| Attack | Keyspace | Notes |
|---|---|---|
| known-wpa-passwords.txt quick-ssid.rule | ~1240 | known-wpa-passwords.txt is your list of cracked wifi passwords. Keyspace is calculated assuming a list of 20 passwords |
| known-wpa-passwords.txt unix-ninja-leetspeak.rule | ~61420 | |
| known-wpa-passwords.txt rockyou-30000.rule | ~600000 | |
| known-wpa-passwords.txt d3ad0ne.rule | ~681980 | |
| nerdlist.txt quick-ssid.rule | 19220 | nerdlist.txt is a small (< 500) list of "nerdy" passwords and references like "hacktheplanet" |
| nerdlist.txt unix-ninja-leetspeak.rule | 9300000 | |
| nerdlist.txt rockyou-30000.rule | 9300000 | |
| nerdlist.txt d3ad0ne.rule | 10570690 | |
| bssid.rule | 225 | The BSSID (MAC Address) of the AP (router) with all combinations of uppercase/lowercase, with/without colons, and with all lengths of chars chopped off the end. |
| ssid-ninja.rule | ~5300 | Uses wordNinjaGenerator.py to generate a wordlist from the ssid Ex: LuckyCoffeeWifi --> Lucky123! Keyspace is generated assuming a wordlist generated from the SSID with 100 words. |
| MYWIFI?d?d?d?d | 10000 | all default passwords for MYWIFI (EE) routers |
| wifi?d?d?d?d | 10000 | Ex: wifi1970 |
| -1 !@$??#~%^&*^^ wifi?d?d?d?1 | 10000 | Ex: wifi123! The charset looks weird because windows cmd chars must be escaped |
| wifi?d?d?d?d?d | 100000 | Ex: wifi12345 |
| ?d?d?d?dwifi | 10000 | Ex: 1989wifi |
| ?d?d?d?d?dwifi | 100000 | Ex: 12345wifi |
| WIFI?d?d?d?d | 10000 | Ex: WIFI2008 |
| -1 !@$??#~%^&*^^ WIFI?d?d?d?1 | 10000 | Ex: WIFI343@ |
| WIFI?d?d?d?d?d | 100000 | Ex: WIFI12345 |
| ?d?d?d?dWIFI | 10000 | Ex: 2006WIFI |
| ?d?d?d?d?dWIFI | 100000 | Ex: 12345WIFI |
| ?l?l?l?lwifi | 456976 | Ex: bookwifi |
| -1 !@$??#~%^&*^^ ?l?l?l?lwifi?1 | 4569760 | Ex: pinkwifi! |
| ?l?l?l?l?lwifi | 11881376 | Ex: trackwifi |
| wifi?l?l?l?l | 456976 | Ex: wificook |
| -1 !@$??#~%^&*^^ wifi?l?l?l?l?1 | 4569760 | Ex: wificafe$ |
| wifi?l?l?l?l?l | 11881376 | Ex: wififrogs |
| ?u?l?l?lWifi | 456976 | Ex: CafeWifi |
| ?u?l?l?l?lWifi | 11881376 | Ex: MarioWifi |
| ?u?u?u?uWIFI | 456976 | Ex: CAFEWIFI |
| -1 !@$??#~%^&*^^ ?u?u?u?uWIFI?1 | 4569760 | Ex: MECHWIFI# |
| ?u?u?u?u?uWIFI | 11881376 | Ex: BULLSWIFI |
| WIFI?u?u?u?u | 456976 | Ex: WIFISHOE |
| -1 !@$??#~%^&*^^ WIFI?u?u?u?u?1 | 4569760 | Ex: WIFIBOAT! |
| WIFI?u?u?u?u?u | 11881376 | Ex: WIFICOACH |
| NAMES.DIC names.rule | 2595058 | Ex: lukewifi2020 |
| words_alpha.txt names.rule | 34789776 | Ex: pizzawifi |
| 4-digit-append.rule | ~1111000 | Uses wordNinjaGenerator.py to append all 1-4 digit number combinations to ssid words Ex: MyCafeWifi --> CafeWifi2020 Keyspace is generated assuming a wordlist generated from the SSID with 100 words. |
| ?d?d?d?d?d?d?d?d | 100000000 | all 8 digit number combos |
| netgear-spectrum.txt ?d?d?d | 573348000 | MANY netgear and other routers have a default password that is a word + word + 1-3 digits. If I could only run 1 attack this is the one I would run. |
| netgear-spectrum.txt ?d | 5733480 | |
| netgear-spectrum.txt ?d?d | 57334800 | |
| openwall.net-all.txt quick-ssid.rule | 68651298 | simple wordlist |
| netgear-spectrum.txt quick-ssid.rule | 9845724 | Ex: breezyapplewifi |
| words_alpha.txt ?d | 3701040 | Ex: seashell1 |
| words_alpha.txt -1 !@$??#~%^&*^^ ?1 | 3701040 | Ex: seashell$ |
| words_alpha.txt -1 !@$??#~%^&*^^ ?d?1 | 37010400 | Ex: seashell1! |
| words_alpha.txt -1 !@$??#~%^&*^^ ?1?d | 37010400 | Ex: seashell!0 |
| words_alpha.txt ?d?d | 37010400 | Ex: seashell69 |
| words_alpha.txt -1 !@$??#~%^&*^^ ?d?d?1 | 370104000 | Ex: seashell92@ |
| words_alpha.txt ?d?d?d | 370104000 | Ex: seashell123 |
| ?l?l?l?l?l?l1! | 308915776 | Ex: slyfox1! |
| ?u?l?l?l?l?l1! | 308915776 | Ex: Slyfox1! |
| ?u?u?u?u?u?u1! | 308915776 | Ex: SLYFOX1! |
| ?d?d?d?d?d?d?d?d?d | 1000000000 | all 9 digit number combos |
| hashesorg2019 | 1279729139 | a modern wordlist with a great hit ratio |
| rockyou.txt quick-ssid.rule | 889352242 | rockyou is a classic wordlist. quick-ssid.rule has rules made for wifi cracking. It's worth noting that rockyou comes from a database dump and online account passwords are often different from wifi passwords. |
| NAMES.DIC rockyou-30000.rule | 828210000 | Ex: j0sh2009 |
| netgear-spectrum.txt unix-ninja-leetspeak.rule | 1760751708 | Ex: br33zyappl3 |
| Top1pt8Billion-WPA-probable-v2.txt | 1800000000 | Top1pt8Billion-WPA-probable-v2.txt is a popular wordlist. It claims to be 'WPA probable' but really they just cut out all passwords less then 8 chars. That doesn't make it wifi probable. |
| Top24Million-WPA-probable-v2.txt quick-ssid.rule | 1487550376 | |
| passphrases.txt passphrases.rule | 1441673030 | This is from the passphrases repo. This SHOULD help with passwords like 'youshallnotpass' and 'maytheforcebewithyou' |
| Custom-WPA | 185866729 | This is a large wordlist. Ex: au7h0rized |
| Super-WPA | 982963903 | This is a large wordlist. Ex: au7h0rized |
| ?h?h?h?h?h?h?h?h | 4294967296 | MANY router default passwords are 8 hex chars (0-9,a-f) |
| ?H?H?H?H?H?H?H?H | 4294967296 | MANY router default passwords are 8 hex chars (0-9,A-F) |
| ?d?d?d?d?d?d?d?d?d?d | 10000000000 | This is, by far, the longest attack, but is covers ALL 10 digit number combos, which includes ALL US phone numbers and area codes. |
| Total: | 33,021,512,190 | At 375 kH/s (GTX 1080) it would take about 24.4 hours to run all attacks. |
Specifically, wifi cracking is the process of obtaining the password to a wifi network. There is tremendous value in getting the wifi password for a network and here are some examples:
- Once you have the wifi password, you can decrypt the encryption the router placed on web traffic of devices connected to that wifi. Most sites will still use
httpsso there is a whole other layer of encryption you will not break, but any sites usinghttpwill have their data sent in the clear. - Once on a network you can scan for other vulnerable devices and interact with them. For example, you could play a video on a chromecast or turn on and off smart switches.
- Once you have the password you can place new devices on the network like a signal owl to monitor devices, monitor traffic, and coordinate other attacks.
- You can have free internet access.
I had passively heard about wifi cracking methods before I started this project from reading articles like these (1, 2, 3). These articles explain that wifi cracking is as easy as capturing the wifi handshake and running a password cracker to get the password. This does little to explain that attempting to crack a WPA/WPA2 password is by far the hardest part of wifi cracking. In my experience the odds of successfully cracking a wifi password is about 40%, so wifi cracking is not as easy as these articles make it out to be. This process is so hard because WPA/WPA2 is very slow to crack and wifi passwords are hard to guess.
WPA/WPA2 is slow to crack and each network is unique, much like if salts were used on a database list of password hashes, so there is no speed benefit to running an attack against several networks at once.
Lets look at how slow it takes to crack WPA/WPA2 compared to other hashes. I used H/s to further show how slow it is to crack WPA/WPA2.
| Hash | Speed (H/s) |
|---|---|
| MD5 | 11,560,200,000 H/s |
| SHA2-256 | 1,478,300,000 H/s |
| WPA2 | 205,800 H/s |
| Hash | Speed (H/s) |
|---|---|
| MD5 | 73,286,500,000 H/s |
| SHA2-256 | 12,275,600,000 H/s |
| WPA2 | 1,316,200 H/s |
Let's say you wanted to run a mask attack in hashcat against a WPA2 handshake for the mask ?d?d?d?d?d?d?d?d?d?d (all 10 digit combos). This attack would take about 13.5 hours to run on a GTX 1060. By comparison, the same 10 digit attack against a SHA2-256 hash would take about 7 seconds to run. Due to the complexity it takes to calculate WPA2, it takes WAY more time to run attacks against it than it takes to run attacks against many other hashes.
Decades of database dumps and hundreds of millions of leaked passwords create a huge sample size to learn from that has given password crackers wordlists, techniques, and strategies to crack passwords used in online accounts. Wifi passwords are often not similar to online account passwords and sample sizes of leaked passwords for home and office wifi routers is MUCH smaller. As a result, most traditional wordlists and cracking strategies designed for online accounts are not useful for wifi passwords.
Many WPA wordlists are just regular wordlists from online accounts with all passwords removed that are under 8 characters because WPA has an 8 character minimum. So, those lists still don't source their data from real wifi passwords and can miss the mark a bit.
It's not all bad news. Wifi passwords are often created to be shared. So, while an online account password might look like this pAri$lover252! a wifi password might look more like this jakeswifi1 because it is shared to guests to give wifi access. In many cases that means wifi passwords are less complex, so they can be easier to crack. However, that also means the wifi passwords that are complex are often complex in ways we don't have enough of a sample size to create wordlists or strategies for.
The other good news is that many wifi networks use the default password provided by the AP (router) and the keyspace for most router default passwords is known. Some of these defaults are super easy to attack, like the ones that are just 8 digits, so in under 10 minutes you can run through all combinations. However, a default password made with 10 lowercase hex characters will take about 2 months to run through all combinations.
When you combine the horrendous cracking speed of WPA/WPA2 that makes running attacks slow and the need to run many attacks because there is not a big enough sample size of leaked wifi passwords to nail down reliable wordlists or strategies it's not a surprise wifi password cracking is pretty tough.
The real advantage of using pwnagotchi is that it can automatically collect data from dozens of wifi networks to get a large sample size and then the lowest hanging fruit from those networks can be cracked. You get the best odds of cracking a few networks without all the waste of manually capturing the wifi handshake just to be unsuccessful at cracking the password. So, I made this project to best automate the process of password cracking batches of handshakes the pwnagotchi has collected.
- Thank you Danie Conradie for writing a nice article on hackaday about this project!
- Thanks to CyrisXD for writing Pwnagetty. I use Pwnagetty to convert pcap files to pmkid/hccapx files. I modified the script so much it hardly looks like the original, but still, thank you CyrisXD.
- I made liberal use of the WPA/WPA2 password cracking techniques from PSKracker by soxrok2212. To discover wordlist words for default passwords soxrok2212 searches for wifi routers on ebay and then looks at the photos to find default passwords written on the serial number sticker. That's brilliant!
- I totally got the idea to use word ninja on the ssid from dizcza's repo.
- I used the hashcat rules and wordlists for complex passwords from initstring's repo.
- The pwnagotchi project was created by evilsocket and hexwaxwing. Unfortunately, very serious allegations that evilsocket domestically abused hexwaxwing have brought to light disturbing behavior I cannot support. As a result, many references to evilsocket on this page have been removed.