When using a WiFi Pineapple you can capture a handshake of an AP. Once you have this file download it and convert it here:
https://hashcat.net/cap2hccapx/
For this example the handshake file will be called test.hccapx
You then have to decide what type of attack to use to try and crack the hash. Dictionary or mask. Here is an example command of a dictionary
hashcat -a 0 -m 2500 test.hccapx pass.txt -O
-O will increase speed however not recommended for passwords over 27 characters
pass.txt is the location of your dictionary file. you can download a large database of passwords from here:
https://github.com/danielmiessler/SecLists/tree/master/Passwords
A mask attack takes very long because it is trying to guess the password by using all possible combinations of the criteria you give it. For example for a proof of concept:
I captured a handshake on my home Wifi. Downloaded it and converted it to hccapx.
I then made a file called pass.txt and put the following passwords to guess in it:
testing
password
letmein
guessingyourpassword
ect
realpass
Here is a hybrid example of using a dictionary file above and mask.
hashcat -a 6 -m 2500 test.hccapx pass.txt ?l?l?l?l
https://hashcat.net/wiki/doku.php?id=hashcat
-a means attack mode
-m means hash type
?l means a-z lower case
So the above command will take a password from the pass.txt file and append 4 lower case characters after it a-z lowercase. It will try all variations
Here is a chart on other characters you can try to guess:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?h = 0123456789abcdef
?H = 0123456789ABCDEF
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 – 0xff
As you can image this can take a long time guessing all the possible variations. 4 lower case characters on my i7 7th gen processor took 15 minutes.
So as a proof of concept my wifi password is realpassword so in the pass.txt file I have an entry that is called realpass. Hascat then tries to guess the last 4 characters.
It was successful and it creates a potfile. If you want to test again you will need to delete the pot file located at /home/username/.hashcat (you will need to view hidden files)
When I tried to do 1 uppercase character and 8 lower case characters the processing time is estimated at over 400 years to complete all variations
Reference:
https://laconicwolf.com/2018/09/29/hashcat-tutorial-the-basics-of-cracking-passwords-with-hashcat/
