1
00:00:00,570 --> 00:01:04,833
Instructor: Welcome back. So, we have cracked the password with our aircrack tool. We noticed that the speed was around three to four hundred keys, or passwords, per second. We saw that it works once we added the correct password to our file, and we also saw some of the other options, such as time left, the percentage, and the number of passwords that have been tested. But right now, let's see how we can crack the password even faster using the hashcat tool. So, let me clear the screen from the previous video. And what I've got on my desktop right now is the rockyou.txt password list, and the rockyou.txt with our correct password. Now, these are the two exact same lists from the previous video, just this one contains the correct password for our wireless access point. We're going to run the first one first, just to see the speed that we get and whether it is any faster than with our aircrack tool. And then, just to prove that it works, we're going to run this list next.

2
00:01:05,730 --> 00:02:32,010
So let's get straight into it. To run the hashcat help menu, you can simply type hashcat, and to get even more options on how you can use hashcat, you can type hashcat and then --help. And here is the help menu. Down here we've got some basic examples of how we can use hashcat, and if I scroll a little bit up here, we can see all of our available options. And you might be asking, what was the thing that I was scrolling through so much? Well, these are just different types of password hashes that you can crack. You have SHA-1, SHA-2, SHA-512, you've got Keccak, you've got SipHash, you've got MD5, different types of MD5 hashes, with salt and without salt. That goes for SHA-1 as well, and for any other password list that we can find. Now, you might be wondering, well, which one are we going to use? In our case, we want to find the WPA password hash, and it'll be under these network protocols. And if I go right here, here it is. We want to use the WPA-EAPOL-PBKDF2, and this has a code of 2500. Remember that, because that is the number that we are going to specify in our command.

3
00:02:32,010 --> 00:03:50,850
And up here we've got something under the -a option, which is called the attack mode, and you simply just specify -a and then a different attack mode. Down here at the lower part of the help menu we get which attack modes we have. Let me just find where it is. I believe it's somewhere around here. And here it is. I believe these are the attack modes. So we've got the low, which is specified with zero, even though it says one right here; the low attack mode is specified with zero, and the fourth, which is nightmare, is specified with -a 3. Now, we are going to be running the lowest attack mode just so we can see how the tool works. So, the first thing that we must do is type hashcat -a and then the attack mode. We are going to use the lowest one, which is zero, and then -m for the password hash. Remember, the code for the WPA password hash is going to be 2500. After that comes our cap file, but if you were to try to run this program with our .cap file, it would not work. hashcat works with different cap files.

4
00:03:50,850 --> 00:05:01,443
We must convert this cap file to hccapx. How can we do that? Well, we don't have any tool that we can use in our Kali Linux, so we must go and do that online. What I'm going to do is open up my Firefox, and I'm just going to search for "cap to hccapx converter". Let's wait for this to open. Open a new tab and type cap to hccapx, press enter. The proxies are refusing connections. This could be due to our Burp Suite being the proxy, so we're just going to remove it real quick. Instead of actually opening it, I'm just going to go to network settings and click right here, No proxy. Great. Now I will refresh this page and I'm going to go to this first link right here, which is "pcap and cap file converter to hccapx". Let's click on that. Let's select our file. I will click on browse, and I will find my .cap file. Here it is. So, I will select that one and I will click on upload.

5
00:05:02,700 --> 00:06:15,030
This will upload the file for me, and as soon as it finishes I should be able to download the hccapx file that we can use with our hashcat tool. So, let's wait for this to finish. And here it is. I can click down here, download my file, and I want to save my file. It will be under here in the download section; as we can see, it has some weird name. Nonetheless, let's copy it to our desktop. For that I'm going to open another terminal, navigate to Downloads, and I'm going to copy our hccapx file to home, Mr. Hacker, and then Desktop. (keys typing) Then I can exit this out. And the next thing that we specify right here is that file. So, I believe it is called like this. You can rename it if you want to. I'm just going to leave it with this long name. And the last parameter to this function is going to be the word list that we're going to use. In our case, this is going to be rockyou.txt. First, this is the list without our password. So, let's go through the options once again: the attack mode is going to be the lowest.

6
00:06:15,030 --> 00:07:26,313
The -m option specifies which password we are cracking. We're cracking a WPA password, so we specify 2500. Then we specified our cap file that is converted for hashcat. And the last thing we specify is the password list. So I'm going to run this. (key clack) It will tell me that this has been started. It will initialize the backend runtime for our device one, and it'll probably start brute forcing with my CPU. And the reason it does that is probably because we are running this over virtual machines, so it can only detect the CPU. However, even with CPU cracking, we should still get a faster cracking time than with aircrack. All we need to do is wait for this to finish, and as soon as that's done we should start cracking the password. And here it is, it started cracking the password. It will not write anything right here. However, if we type s for status, we can check out what progress it currently has. So we can see some information right here. And anytime you press s, you will see the current progress of this cracking of the password.

7
00:07:27,270 --> 00:08:21,891
It will tell us which file we are using to crack, which hash name we are using, and the progress and the speed are down here. It says 600 hashes per second, and this is equal to 600 passwords per second. So, we can see it is almost double the amount that we had with aircrack. Down here we can see the progress as to what amount of passwords we have covered from the 14 million passwords that we have inside of our program. And we can see we already passed a hundred thousand passwords. In the candidates, it tells you between which passwords it is currently at. Now you can wait for this to finish. However, even though it is currently at 1%, we're not going to be waiting for all of this to finish. It will take hours. We're just going to quit this with the q command, and then we're going to run the same command, just with our correct file.

8
00:08:21,891 --> 00:09:28,350
(keys typing) So, I'm going to use rockyou with password txt, and I'm going to run this once again. Just make sure that you added the correct password to the password list, and let's see whether it will manage to find it. And keep in mind that if you didn't run this on a virtual machine and you actually used the GPU to brute force the password, you could have up to tens of thousands of passwords per second, and the faster the better. However, even with this small speed we managed to find the password while I was talking. So, we can see it printed it out right here. Here is the hash, here is the name of the actual wireless access point, and here is the password that it managed to find. So we can see it also did this in less than one second. While I talked, we got all of these results output, and this is a second option as to how you can crack the password of wireless access points. Now you can use hashcat to crack some other passwords as well. We saw that there are a bunch of different hash values that you can use.

9
00:09:28,350 --> 00:09:41,613
However, we learned hashcat through wireless password cracking. Great, and that will be about it for wireless cracking. So, thank you for watching this video and this section, and I will see you in the next lecture.