GPUHASH.me is a GPU-based cracking service for Wi-Fi networks, intended for penetration testers and network auditors who need to check the security of their own WPA/WPA2-PSK protected wireless networks.
It is widely known that WPA/WPA2-PSK secured networks are vulnerable to dictionary attacks. But running a respectable-sized dictionary over a WPA network handshake on an ordinary PC can take days or weeks. Our service gives you access to a powerful GPU system that will run your handshake capture against a set of wordlists created specifically for WPA passwords. While this job would take weeks on a contemporary dual-core PC, with our service it takes from 10 minutes to several hours, depending on the wordlists selected.
Six (not so) easy steps to crack your neighbours' Wi-Fi:
Determine two key parameters of the target Access Point (AP): ESSID and BSSID. The ESSID is the name of the target network, usually shown in the Wi-Fi network list of your wireless device, while the BSSID is the MAC address of the target AP, represented as six bytes in hexadecimal notation separated by colons, e.g. 00:3C:B0:A8:12:73
There are numerous ways to determine these key parameters. On Windows 7 and later you can type 'netsh wlan sh networks mode=bssid' in a cmd shell; on Windows XP you could use Net Stumbler, etc. Please note the ESSID is case-sensitive and may contain trailing spaces.
Sometimes AP owners "hide" their networks (no beacon frames being transmitted), but it is usually not a problem, just google how to 'find hidden wifi networks'.
The network security type is also important. If you find a WEP-secured network, it may be cracked in minutes without our GPU assistance. For WPA/WPA2 secured networks proceed to the next step.
Query our worldwide Wi-Fi database. Here you will need your target AP's BSSID from step one. To be honest, your chances of finding the Wi-Fi password at this step are very low, but who knows. In case of success, you will get one or more records with the ESSID, password and WPS PIN listed. Information in our database might be a bit outdated (of course we try to keep it as current as possible), but you have to try all listed passwords first. You will need the WPS PIN (if any) in step 3.
Check whether the target AP is prone to WPS bruteforcing. The Reaver software is your friend at this step. You could bruteforce all possible WPS PIN values (you will need a good signal, a stable connection with the target AP and a lot of time for that) or try possible WPS PINs from our database (step 2), try WPS PIN calculators, etc.
WPS bruteforcing is very effective if WPS is active on the target router and the target router was not patched against it.
Grab a high-quality WPA handshake (please read our article for details). It is better to get a full 4-way EAPOL handshake, but 2-way handshakes with just the first two keyframes are also workable. It is also better to store one handshake per file. Your file size should be less than 1Mb (actual handshake size is usually less than 1Kb).
Upload your handshake to our system with the Common wordlist only (don't check other wordlists/keyspaces at this step).
Your handshake will be checked for validity and, if valid, your task will be processed according to the current queue of scheduled tasks (please note that cracking WPA handshakes is a very energy-intensive task, and therefore we will ask you to pay for it). If the queue is not empty and you don't want to wait, you can increase the priority of your task (a paid option, but a very cheap one). The real-time queue status is always accessible on the Tasks page.
If your task failed against the Common wordlist, please refer to the table below describing our wordlists and keyspaces. We know the default passwords for some routers commonly used by ISPs. If the ESSID of your target is listed in this table, you have a very good chance of finding this default password. The table also shows useful statistics for each wordlist/keyspace, which will help you make your decision. Please note that some keyspaces are huge and therefore quite expensive.
For example: it is known that SKYXXXXX and UPCXXXXXX (X is any digit) routers have a default password of 8 upper case chars. Our stats show ~90% success for these routers, so if your target AP has a similar ESSID your chances are quite high.
We also recommend the following for all networks: US English, Multilingual, 9 digits, 10 digits.
Once you have decided which wordlist or keyspace suits your task, upload your file once again with the selected wordlist/keyspace and wait while we finish it. Please be patient: a huge keyspace may need up to 10 days to finish. We also support multiple wordlist selection but recommend uploading one wordlist/keyspace per task, just to save your money. We do not offer refunds in case of success, so any amount you paid will be treated as a donation.
If you can't find your target AP in our table and the wordlists/keyspaces selected in the previous step failed, you have to decide whether you want to continue your attack, because your chances of winning the lottery are very low at this point and the cost will be very high. You can select any other wordlists/keyspaces and continue. Please note that we always charge you for the GPU time spent, regardless of whether we find a password or not.
Please note this service is for penetration testing of your own wireless networks only and not for illegal purposes.
We request you not to use this service for cracking others’ passwords and we take no responsibility for that.
Frequently asked questions
Q: What are your dictionary options?
A: We use our custom WPA wordlists, which are carefully generated and free of junk and duplicates. The following wordlists (mask keyspaces) are available at the moment:
Well-balanced basic WPA wordlist, includes full 8-digit support and a wide set of common dictionary and alphanumeric passwords. Although it is limited in size, it is capable of fast cracking ~20% of international networks, therefore, we recommend that you always use it first!
Custom Russian language wordlist, includes Russian names, surnames, Russian words in qwerty and translit
Large US English WPA wordlist, recommended for all international networks in addition to Common 2Gb wordlist (contains a lot of common passwords as well)
Ukraine mobile numbers
Large multilingual Wikipedia wordlist (50 million words) and common words of European and other languages: Croatian, Czech, Danish, Dutch, Finnish, French, German, Italian, Norwegian, Polish, Portuguese, Spanish, Swedish, Turkish, Japanese, Brazilian and a few Yiddish words as well
Full set of Russian Mobile numbers
A lot of Chinese words in Pinyin
Combinatorial alpha-numeric wordlist (8-12 chars), contains selected alpha-numeric combinations not based on dictionary words
Full 9-digits range (000000000-999999999)
Full 10-digits range (0000000000-9999999999). Often used as a default WPA password for ISP specific routers: 2WIREXXX, ATTxxx, DJAWEB_XXXXX, INFINITUMXXXX, ONOXXXX.
Full 11-digits range (00000000000-99999999999). Often used as a default WPA password for ISP specific routers: MiFiXXXX XXX, Verizon MIFIXXXX XXXX, VirginMobile MiFiXXXX XXX.
8 HEX lowercase
Full range of 8 hexadecimal lowercase digits (00000000-ffffffff). Often used as a default WPA password for ISP specific routers: belkin.XXXX, belkin.XXX, MGTS_GPON_XXXX, PRIMEHOME-XX.
8 HEX uppercase
Full range of 8 hexadecimal uppercase digits (00000000-FFFFFFFF). Often used as a default WPA password for ISP specific routers: 3Wireless-Modem-XXXX, Belkin.XXXX, Belkin_XXXXX, BELLxxx, Domino-XXXX, E583X-XXXXXX, Orange-XXXX, TAKASHI-XXXXXX, TP-LINK_XXXXXX.
Full range of 8 lowercase letters (aaaaaaaa-zzzzzzzz). Often used as a default WPA password for ISP specific routers: virginmediaXXXXXXX, VMXXXXXX-2G, VMXXXXXX-5G.
Full range of 8 uppercase letters (AAAAAAAA-ZZZZZZZZ). Often used as a default WPA password for ISP specific routers: SKYXXXXX, UPCXXXXXXX.
9 HEX lowercase
Full range of 9 hexadecimal lowercase digits (000000000-fffffffff)
9 HEX uppercase
Full range of 9 hexadecimal uppercase digits (000000000-FFFFFFFFF). Often used as a default WPA password for ISP specific routers: EasyBox-XXXXXX.
10 HEX lowercase
Full range of 10 hexadecimal lowercase digits (0000000000-ffffffffff). Often used as a default WPA password for ISP specific routers: BTHomeHub-xxxx, BTWiFiExtndr-XXX, TELUSXXXX.
10 HEX uppercase
Full range of 10 hexadecimal uppercase digits (0000000000-FFFFFFFFFF). Often used as a default WPA password for ISP specific routers: BigPondXXXXXX, PlusnetWireless-XXXXXX, SpeedTouchXXXXXX, TeliaGatewayXX-XX-XX-XX-XX-XX, TelstraXXXXXX, ThomsonXXXXXX, TNCAPXXXXXX, WLAN1-XXXXXX.
Full 12-digits range (000000000000-999999999999)
8 upper+digits super reduced
Full range of symbols (3467ACDEFGHJKMNPQRTUXY). Often used as a default WPA password for ISP specific routers: ROSTELECOM_XXXX, SAGEMCOM_XXXX.
TP-LINK EasySetupAssistant default passwords. Often used as a default WPA password for ISP specific routers: TP-LINK_XXXXXX.
10 HEX lower reduced
Full range of letters (23456789abcdef). Often used as a default WPA password for ISP specific routers: BTHomeHub2-XXXX, BTHub3, BTHub4, BTHub5.
ELTEX default passwords. Often used as a default WPA password for ISP specific routers: ELTEX-XXXX.
8 lower + digits
Full range of 8 lowercase letters and digits
8 upper + digits
Full range of 8 uppercase letters and digits. Often used as a default WPA password for ISP specific routers: AOLBB-XXXXXX, Digicom_XXXX.
EE-BrightBox-xxxxxxx special combinatorial wordlist (three words separated with hyphens). Often used as a default WPA password for ISP specific routers: EE-BrightBox-XXXXXX.
RTK-XXXXXX default passwords. Often used as a default WPA password for ISP specific routers: RTK-XXXXXX.
8 upper+digits reduced
Full range of symbols (ABCDEFGHJKMNPQRTUVWXY346789). Often used as a default WPA password for ISP specific routers: TALKTALK-XXXXXX.
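An added example (not GPUHASH.me's code) for auditing your own passphrase: it reports whether a PSK falls inside one of the exhaustively searchable keyspaces listed above and how large that keyspace is. The alphabets and lengths are copied from the list; the function names, sample passphrases and the caller-supplied guess rate are assumptions of this example.

```python
import math
import string

# (name, alphabet, lengths) copied from the keyspace list on this page.
KEYSPACES = [
    ("digits", string.digits, range(8, 13)),
    ("HEX lowercase", "0123456789abcdef", range(8, 11)),
    ("HEX uppercase", "0123456789ABCDEF", range(8, 11)),
    ("lowercase letters", string.ascii_lowercase, [8]),
    ("uppercase letters", string.ascii_uppercase, [8]),
    ("upper+digits super reduced", "3467ACDEFGHJKMNPQRTUXY", [8]),
    ("upper+digits reduced", "ABCDEFGHJKMNPQRTUVWXY346789", [8]),
    ("HEX lower reduced", "23456789abcdef", [10]),
    ("lower + digits", string.ascii_lowercase + string.digits, [8]),
    ("upper + digits", string.ascii_uppercase + string.digits, [8]),
]


def audit_psk(psk):
    """Return (keyspace name, size, entropy bits) for the smallest listed
    keyspace that contains psk, or None if no listed keyspace covers it."""
    hits = []
    for name, alphabet, lengths in KEYSPACES:
        if len(psk) in lengths and set(psk) <= set(alphabet):
            hits.append((len(alphabet) ** len(psk), f"{len(psk)} {name}"))
    if not hits:
        return None
    size, name = min(hits)
    return name, size, round(math.log2(size), 1)


def days_to_exhaust(size, guesses_per_second):
    """Worst-case days to try every candidate at a caller-supplied rate
    (the rate is an assumption; the page publishes no speed figures)."""
    return size / guesses_per_second / 86400


if __name__ == "__main__":
    # Constructed sample passphrases, not real credentials.
    for psk in ["ABCDEFGH", "0123456789", "deadbeef", "correct horse battery"]:
        print(repr(psk), audit_psk(psk))
```

A result of None only means the passphrase is outside these mask keyspaces; it says nothing about whether it appears in a dictionary wordlist.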
Q: Why is scheduling tasks a paid option?
A: Cracking WPA handshakes requires costly GPU hardware and consumes a lot of energy. We are not able to run your tasks for free.
Q: You accept Bitcoin only, what is it and how to make a payment using Bitcoin?
A: Bitcoin is a new digital currency that enables instant payments to anyone, anywhere in the world. Bitcoin uses peer-to-peer technology and strong cryptographic algorithms to operate with no central authority. You can learn more at the official Bitcoin website: www.bitcoin.org
Q: Do I need to register with your service to obtain results?
A: No, registering is not necessary. We will give you an ID for your task after uploading, so you will be able to get your results without registering. You can optionally fill in the 'e-mail' field so we can inform you about changes in the status of your task.
Q: What do I do if my capture file is greater than 1MB?
A: You'll need to use Wireshark or something else to export only the handshake to a smaller file. Remember to leave at least one beacon for your target network in there, though, so that the handshake remains associated with the ESSID you're targeting.
Stripping your handshakes with Wireshark:
Open your capture in Wireshark
Enter "eapol || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x08" as filter expression (without quotes) then press "Apply"
Go to File->Save As... menu, enter new file name and select "Displayed" to save filtered packets only
A: Actually, while WPA2 introduced CCMP mode as a replacement for the problematic TKIP, when run with authentication based on Pre-Shared Keys (PSK), it is still vulnerable to dictionary attacks. Our service works against both WPA and WPA2 when PSK is being used.
Q: What kind of information do you collect from me?
A: All we need is a pcap file with a WPA handshake in it, the ESSID of the network (case sensitive), the BSSID of the network (optional) and a proper wordlist selection. You may leave the ESSID field blank and we will try to extract it from your capture automatically (note that we will run with the first ESSID if you have several in one file). The BSSID field is optional and is needed only in rare cases, such as when you have several handshakes of several networks with the same ESSID in one capture file.
Q: My handshake was rejected, why?
A: There may be several reasons:
Your capture file is duplicated.
Your capture file does not contain at least one valid EAPOL handshake.
Your capture file does contain valid EAPOL handshakes of several networks, but you left ESSID field blank.
The ESSID field you entered does not correspond to the network's ESSID (note ESSIDs are case sensitive).
A bug in our software; why not, the service is still in beta stage.
Please contact us and we will check your handshake.
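Why the exact ESSID matters, as an added example that is not part of the service's code: in WPA/WPA2-PSK the ESSID is the PBKDF2 salt for the pairwise master key, so a different letter case or a missing trailing space yields an unrelated key and the handshake cannot validate. The function names, the sample ESSID and the sample passphrase are constructed for illustration.

```python
import hashlib


def wpa_pmk(passphrase: str, essid: bytes) -> bytes:
    """WPA/WPA2-PSK pairwise master key:
    PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    if not 1 <= len(essid) <= 32:
        raise ValueError("ESSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), essid, 4096, 32)


def essid_mismatch(entered: str, beacon_essid: bytes) -> list:
    """Explain how an ESSID typed into a form differs from the raw ESSID
    bytes carried in the beacon. An empty list means they match exactly."""
    typed = entered.encode("utf-8")
    if typed == beacon_essid:
        return []
    if typed.strip().lower() != beacon_essid.strip().lower():
        return ["different network name"]
    reasons = []
    if typed.strip() != beacon_essid.strip():
        reasons.append("letter case differs")
    if typed.lower() != beacon_essid.lower():
        reasons.append("leading/trailing whitespace differs")
    return reasons


if __name__ == "__main__":
    beacon = b"HomeNet "  # constructed ESSID with a trailing space
    psk = "example-passphrase"  # constructed passphrase
    for entered in ["HomeNet ", "HomeNet", "homenet "]:
        same_key = wpa_pmk(psk, entered.encode()) == wpa_pmk(psk, beacon)
        print(repr(entered), essid_mismatch(entered, beacon), "same PMK:", same_key)
```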
Q: I want to download your wordlists.
A: We do not share wordlists.
Q: Your site has awful design and usability!
A: We are cracking handshakes, not making nifty webpages.
Q: Are you ugly hackers?
A: No we are not. You are :)
Please note that this service is for penetration testing of your own networks, really.