Aircrack (+) airolib speed



YoloSolo
2016-05-11, 04:15
Hello guys,
I have a question. I read on the web that airolib is useful to speed up aircrack's password search and tried it. The problem is that when I'm creating a db from a 25-million-line file, the --batch takes a lot of hours at 200 pmk/s, whereas aircrack alone goes at 1000 psw/s. So, where is the speed-up?
Thanks

mmusket33
2016-05-11, 12:05
In brute forcing a WPA key, aircrack-ng goes through several processes or steps and each step requires time. If you can remove one of these steps there are fewer steps, thus speed is increased.

In one of these steps the ESSID or network name is used to produce a PMK.
As the ESSID name is known, you could precompute this variable.

Normally PMKs are precomputed for networks whose names do not change and/or precomputed for common names used for the ESSID.

PMKs only work for that specific network name or ESSID. Any change, even in case, invalidates the PMK.

For example, a PMK computed against "Default" would not work for "default".

Precomputed PMKs are called rainbow tables and can be found for download at internet sites. A list of the ESSIDs these rainbow tables are computed against comes as a small text file along with the download.

If you are trying to brute force a WPA key and have not already precomputed PMKs against that ESSID, precomputing PMKs is a waste of time unless you think the network might change its WPA key in the future but not its name.

Cracking WPA is really still a matter of social engineering versus equipment.

For equipment you should use 64-bit Windows 7 or higher and install two high-end video cards. Use Elcomsoft Wireless Auditor and get video cards supported by this program.

Run numeric strings 8 through 10 and precompute these files with crunch as text, breaking the files down into sizes of 200,000.

Try to avoid passthroughs like crunch - aircrack-ng when possible (in Elcomsoft it is called a mask attack), as the computer speed slows if the computer must first precompute the password and then check it for validity as the password. Only use a passthrough when the wordlist file is so large as to be impracticable.

There are several good WPA dictionaries available for download. Search the net. Many of these large dictionaries are available through torrents. We like the dictionaries produced by g0tmi1k.

Run common passwords and dictionaries made from ESSID probes first. See WPA keys in clear text, next run numeric strings 8 to 10 in length and only then turn to large WPA password files.

Musket Teams
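As an added illustration of the point made in the reply above (and of the database reuse bigbiz describes later in the thread), here is a small Python model of what an airolib-style PMK database does. This is example code written for this page, not code from aircrack-ng, airolib-ng or cowpatty: `PmkTable` is a hypothetical stand-in for the airolib database, and the only real standard it relies on is the IEEE 802.11i PMK derivation (PBKDF2-HMAC-SHA1 over the passphrase, salted with the ESSID, 4096 iterations, 32 bytes). It shows that the expensive work is entirely in the PMK step, that a PMK is tied to the exact ESSID string (case included), and that once the batch has run, a second handshake for the same ESSID is a cheap lookup rather than a recomputation. The passphrases and ESSIDs used are constructed sample values; "password"/"IEEE" is the public test vector from the 802.11i annex.

```python
"""Model of airolib-style PMK precomputation (example code, not aircrack-ng's own)."""
import hashlib
import time
from typing import Dict, Iterable, Optional, Set, Tuple


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """PMK as defined in IEEE 802.11i for WPA/WPA2-PSK:
    PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 256-bit output).
    The ESSID is the salt, so the PMK is bound to that exact byte string;
    "Default" and "default" produce unrelated PMKs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), 4096, 32)


class PmkTable:
    """Hypothetical stand-in for an airolib-ng database (not its real schema):
    a set of ESSIDs, a set of passphrases, and the PMK for every pair
    that has already been batched."""

    def __init__(self) -> None:
        self.essids: Set[str] = set()
        self.passphrases: Set[str] = set()
        self.pmks: Dict[Tuple[str, str], bytes] = {}

    def add_essid(self, essid: str) -> None:
        self.essids.add(essid)

    def add_passphrases(self, words: Iterable[str]) -> None:
        self.passphrases.update(words)

    def batch(self) -> int:
        """Compute every (essid, passphrase) pair not yet in the table.
        This is the slow step (4096 HMACs per pair) and it is paid once;
        returns how many PMKs were newly computed."""
        computed = 0
        for essid in self.essids:
            for pw in self.passphrases:
                if (essid, pw) not in self.pmks:
                    self.pmks[(essid, pw)] = wpa_pmk(pw, essid)
                    computed += 1
        return computed

    def lookup(self, essid: str, passphrase: str) -> Optional[bytes]:
        """The cheap step: fetch a precomputed PMK instead of deriving it.
        Returns None if that ESSID/passphrase pair was never batched."""
        return self.pmks.get((essid, passphrase))


def measure_speedup(words: Iterable[str], essid: str) -> Tuple[float, float]:
    """Time the one-off batch against repeated lookups for the same ESSID.
    Returns (seconds_for_batch, seconds_for_lookups) so the caller can see
    where the time goes; both inputs are constructed sample data."""
    words = list(words)
    table = PmkTable()
    table.add_essid(essid)
    table.add_passphrases(words)

    start = time.perf_counter()
    table.batch()
    batch_seconds = time.perf_counter() - start

    # A second handshake from the same ESSID: every candidate is a dict hit.
    start = time.perf_counter()
    for pw in words:
        table.lookup(essid, pw)
    lookup_seconds = time.perf_counter() - start
    return batch_seconds, lookup_seconds


if __name__ == "__main__":
    # Constructed sample wordlist; the ESSID "IEEE" matches the public test vector.
    sample_words = ["password"] + [f"sample{i:08d}" for i in range(49)]
    batch_s, lookup_s = measure_speedup(sample_words, "IEEE")
    print(f"batch of {len(sample_words)} PMKs: {batch_s:.4f}s, "
          f"{len(sample_words)} lookups: {lookup_s:.6f}s")
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
```

Run as a script, the batch time scales with the wordlist size while the lookup time stays negligible; that gap is the whole benefit of airolib, and it only exists when the same ESSID is checked more than once. Against a single handshake the batch does exactly the PBKDF2 work aircrack-ng would have done anyway, which is why the original poster saw no gain.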

Ray636
2018-02-04, 09:18
Excellent explanation! Thank you so much for the detailed outline of the information. Very easy to understand without a headache. My apologies, I am just excited because I have successfully tested reaver and wash, and getting a handshake is simple. I've just never had the patience to use aircrack-ng with WPA/WPA2, or someone to explain the process of what I was reading, to help me better understand why I have to wait for brute force so long. I know your post is from like ages ago. However, correct me if I am wrong. But as far as precomputed PMKs, when you go to batch the file, the amount of time for the batch to finish is based off of keys generated from the wordlist and ESSID files, so it obviously will be a lot faster than just a straight brute force with jtr or with crunch. Is this correct, how I am seeing this is speeding things up?!

Ray636
2018-02-04, 09:22
I have 57,813,822 combinations of password that need to be computed based off the wordlist I used. I have so far computed 1,250,000 pmks in roughly under 2921 secs, so I could more than likely go to bed now and wake up and this would be done. Maybe get a couple rounds in on Destiny2, but definitely a lot faster!

BookerScacy
2018-02-04, 19:00
Does anyone know the address to a stock pr3 or pw0 to remove the speed limiter? If so, what values do I put in to get rid of it? If there was one thing I could do, it would be to remove the speed limiter off my stock chip ROM image and burn it to another chip.

G

bigbiz
2018-02-05, 01:49

From what I understand airolib is similar to cowpatty (I'm messing around with both) as they both precompute the PSK. If so, the first precompute is all you need or should take the longest. After that cowpatty would take up to 10 seconds to locate the password. To precompute the PSK you can add a new BSSID to the database, or delete old ones, keeping the already computed data. Providing the password was in the database.
PSK: preshared key. Provided in a four-way handshake, known by both AP and device.

Ray636
2018-02-10, 17:31
This makes sense, thank you so much! :D

Ray636
2018-02-10, 18:23
When you say pr3 and pw0, are you speaking of CPU or GPU? Because the speed will depend on the hardware and availability of the drivers for that hardware. You could try searching for "overclocking 'version of your CPU or GPU'" in Google instead of speed limiter unlock. Good question though, good sir, made me think a bit!

@BookerScacy