Cracking WPA key with crunch | aircrack (almost fullproof but how speed things up)

Hello guys, I'm not going to discuss handshakes since I guess you all are familiar with airmon, airodump and aireplay and now how to get them.
that's about the first step in cracking WPA and the easy job. The hard job is to actually crack the WPA key from the capfile.
I was looking for a method that is full proof without actually storing a huge wordlist on your desktop (talking about lots of lots of terrabites)
so i came up with the following:

# crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

(notice there is a space in the command that shouldnt be there, i guess the forum can't handle 62characters word)

meaning that crunch is making a list with minimum 0 and maximum 25 characters with alfanumeric small and cap characters that are not stored in a wordlistfile.
The "|" ends the crunch command and then we go to the aircrack command:
With the bssid of the "victim" (notice you have to be authorised by the victim to do the test) and -w- wich specifies the handshake.cap file.

It took me about 30 minutes to crack the following WPA password: hickmin123 (wich is an easy password because there are no caps in the password)
However I believe its almost a fullproof method and with lots of time you are able to crack long passwords.
Now the real question...

Anyone has an idea how to edit my command in function of speeding up the cracking process with a precalculating tool cause that would be the coolest thing :-)
Please notice I only like to use programs preinstalled in kali linux.

Quote:

---

Originally Posted by leevai

Hello guys, I'm not going to discuss handshakes since I guess you all are familiar with airmon, airodump and aireplay and now how to get them.
that's about the first step in cracking WPA and the easy job. The hard job is to actually crack the WPA key from the capfile.
I was looking for a method that is full proof without actually storing a huge wordlist on your desktop (talking about lots of lots of terrabites)
so i came up with the following:

# crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

(notice there is a space in the command that shouldnt be there, i guess the forum can't handle 62characters word)

meaning that crunch is making a list with minimum 0 and maximum 25 characters with alfanumeric small and cap characters that are not stored in a wordlistfile.
The "|" ends the crunch command and then we go to the aircrack command:
With the bssid of the "victim" (notice you have to be authorised by the victim to do the test) and -w- wich specifies the handshake.cap file.

It took me about 30 minutes to crack the following WPA password: hickmin123 (wich is an easy password because there are no caps in the password)
However I believe its almost a fullproof method and with lots of time you are able to crack long passwords.
Now the real question...

Anyone has an idea how to edit my command in function of speeding up the cracking process with a precalculating tool cause that would be the coolest thing :-)
Please notice I only like to use programs preinstalled in kali linux.

---

hi :)
i'm not expert but the process of GPU-cracking is more fast!!
my old-simple example with cuda
https://vimeo.com/62995190

hi
i'm not expert but the process of GPU-cracking is more fast!!
my old-simple example with cuda
https://vimeo.com/62995190

isn't that a method with existing wordlists? I'm looking for fast method to crack 12 digit unknown password with combination of small, caps and numbers and not in dictionary passwords with random combinations.
Tried to watch the vid but unfortunately the quality of the vid is pretty low and can't read much of the screens.. sorry

crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | pyrit -r xxx.cap -b xx:xx:xx:xx:xx:xx -i - attack_passthrough

Quote:

---

Originally Posted by hausoo

crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | pyrit -r xxx.cap -b xx:xx:xx:xx:xx:xx -i - attack_passthrough

---

@thanks +1 to help me to explane.....i've a extraterrestrial language ;);)
@leevay sorry for the quality-video(but it's a partial-web-hosting-problem)..the FONT-VIDEO ,i have uploaded is good-quality!...however if you HAVE "" cuda-enable "" read the response of hausoo's friend ..contains the same question of my video:p
bye

thanks a lot zimmaro!!

Quote:

---

Originally Posted by zimmaro

@thanks +1 to help me to explane.....i've a extraterrestrial language ;);)
@leevay sorry for the quality-video(but it's a partial-web-hosting-problem)..the FONT-VIDEO ,i have uploaded is good-quality!...however if you "" cuda-enable "" read the response of hausoo's friend :p
bye

---

hy haussoo,
thanks for the reply a lot! I did a first check and seems to work fine. tomorrow i will be doing a test on my home pc as it is a much faster computer.

Quote:

---

Originally Posted by hausoo

crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | pyrit -r xxx.cap -b xx:xx:xx:xx:xx:xx -i - attack_passthrough

---

Is it possible this speeds up about 25%? greetz

yes depends on your video card (cuda_cores)

crack 12 digit unknown passwd

crunch 12 12 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ1234567890 | pyrit -r xxx.cap -b xx:xx:xx:xx:xx:xx -i - attack_passthrough

crunch+aircrack-ng cpu-only

HTML Code:

---

~# crunch 12 12 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 | aircrack-ng -w - -b xx:xx:xx:xx:xx:xx capture-03.cap
Crunch will now generate the following amount of data: 12018631630886850560 bytes
11461860304724 MB
11193222953 GB
10930881 TB
10674 PB
Crunch will now generate the following number of lines: 16533293572437839872
Opening capture-03.cap
Reading packets, please wait...



                                Aircrack-ng 1.2 beta1


                  [00:00:45] 180855 keys tested (4367.42 k/s)

---

crunch+pyrit cpu+GPU (cuda 334 cores)

Code:

---

~# crunch 12 12 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 | pyrit -r capture-03.cap -b xx:xx:xx:xx:xx:xx -i - attack_passthrough
Crunch will now generate the following amount of data: 12018631630886850560 bytes
11461860304724 MB
11193222953 GB
10930881 TB
10674 PB
Crunch will now generate the following number of lines: 16533293572437839872
Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'capture-03.cap' (1/1)...
Parsed 47 packets (47 802.11-packets), got 1 AP(s)

^CCrunch ending at aaaaaaaajKUl0 23400 PMKs per second.

---

Quote:

---

Originally Posted by leevai

Code:

---

crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

---

(notice there is a space in the command that shouldnt be there, i guess the forum can't handle 62characters word)

---

This is a great post. Thanks. Especially pointing out the little vB code issue, most people overlook these small details. You could use CODE syntax to fix it.

Quote:

---

Originally Posted by zimmaro

hi :)
i'm not expert but the process of GPU-cracking is more fast!!
my old-simple example with cuda
https://vimeo.com/62995190

---

Agreed. GPU cracking is faster.

Quote:

---

Originally Posted by leevai

Hello guys, I'm not going to discuss handshakes since I guess you all are familiar with airmon, airodump and aireplay and now how to get them.
that's about the first step in cracking WPA and the easy job. The hard job is to actually crack the WPA key from the capfile.
I was looking for a method that is full proof without actually storing a huge wordlist on your desktop (talking about lots of lots of terrabites)
so i came up with the following:

# crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

(notice there is a space in the command that shouldnt be there, i guess the forum can't handle 62characters word)

meaning that crunch is making a list with minimum 0 and maximum 25 characters with alfanumeric small and cap characters that are not stored in a wordlistfile.
The "|" ends the crunch command and then we go to the aircrack command:
With the bssid of the "victim" (notice you have to be authorised by the victim to do the test) and -w- wich specifies the handshake.cap file.

It took me about 30 minutes to crack the following WPA password: hickmin123 (wich is an easy password because there are no caps in the password)
However I believe its almost a fullproof method and with lots of time you are able to crack long passwords.
Now the real question...

Anyone has an idea how to edit my command in function of speeding up the cracking process with a precalculating tool cause that would be the coolest thing :-)
Please notice I only like to use programs preinstalled in kali linux.

---

Hi,

I tried many times to crack wpa with crunch but when i gave the command which you mentioned above is taking to much in reading packets. I mean when data amount is generated in Tera Bites Crunch hangs up in reading packets for a long long time. Can you please guide how to crack my simple password "wifi5214" within 30 minutes.

Do not add the cap letters. Thats going to be much faster in your case.

Quote:

---

Originally Posted by leevai

hi
i'm not expert but the process of GPU-cracking is more fast!!
my old-simple example with cuda
https://vimeo.com/62995190

isn't that a method with existing wordlists? I'm looking for fast method to crack 12 digit unknown password with combination of small, caps and numbers and not in dictionary passwords with random combinations.
Tried to watch the vid but unfortunately the quality of the vid is pretty low and can't read much of the screens.. sorry

---

have a look at the "hashcat". Hashcat uses GPU to crack the WPA. You can use it either with wordlist or bruteforce the combination of any type of digits

30min= super computer gpu cluster gpu farm

one gpu example
Time.Started...: Sat Aug 24 21:32:28 2013 (32 secs)
Time.Estimated.: Fri Apr 9 09:48:35 2021 (7 years, 227 days)

Code:

---

./cudaHashcat-plus.bin -a 3 -m 2500 dd.hccap
cudaHashcat-plus v0.14 by atom starting...

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Workload: 16 loops, 8 accel
Watchdog: Temperature abort trigger set to 70c
Watchdog: Temperature retain trigger set to 60c
Device #1: GeForce GTX 560, 1023MB, 1620Mhz, 7MCU
Device #1: Kernel ./kernels/4318/m2500.sm_21.64.ptx

[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Session.Name...: cudaHashcat-plus
Status.........: Running
Input.Mode.....: Mask (?1?2?2?2?2?2?2?3)
Hash.Target....: xxx (00:1d:7e:xx:xx:xx <-> 00:23:69:xx:xx:xx)
Hash.Type......: WPA/WPA2
Time.Started...: Sat Aug 24 21:32:28 2013 (32 secs)
Time.Estimated.: Fri Apr  9 09:48:35 2021 (7 years, 227 days)
Speed.GPU.#1...:    24637/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 774144/5533380698112 (0.00%)
Rejected.......: 0/774144 (0.00%)
HWMon.GPU.#1...: -1% Util, 52c Temp, 55% Fan

---

Quote:

---

Originally Posted by leevai

Hello guys, I'm not going to discuss handshakes since I guess you all are familiar with airmon, airodump and aireplay and now how to get them.
that's about the first step in cracking WPA and the easy job. The hard job is to actually crack the WPA key from the capfile.
I was looking for a method that is full proof without actually storing a huge wordlist on your desktop (talking about lots of lots of terrabites)
so i came up with the following:

# crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

(notice there is a space in the command that shouldnt be there, i guess the forum can't handle 62characters word)

meaning that crunch is making a list with minimum 0 and maximum 25 characters with alfanumeric small and cap characters that are not stored in a wordlistfile.
The "|" ends the crunch command and then we go to the aircrack command:
With the bssid of the "victim" (notice you have to be authorised by the victim to do the test) and -w- wich specifies the handshake.cap file.

It took me about 30 minutes to crack the following WPA password: hickmin123 (wich is an easy password because there are no caps in the password)
However I believe its almost a fullproof method and with lots of time you are able to crack long passwords.
Now the real question...

Anyone has an idea how to edit my command in function of speeding up the cracking process with a precalculating tool cause that would be the coolest thing :-)
Please notice I only like to use programs preinstalled in kali linux.

---

Yeah I don't know if anyone pointed this out but it wouldn't make sense to run

Code:

---

crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

---

Instead, run

Code:

---

crunch 8 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

---

(I just changed the number of characters because WPA has to be at least 8 characters... should save a good amount of time.

Can anyone please help me ??? I dont know how to get the .cap file. I know how to do everything else, except get the handshake file. Please help !!

Quote:

---

Originally Posted by Greevaz

Can anyone please help me ??? I dont know how to get the .cap file. I know how to do everything else, except get the handshake file. Please help !!

---

There is a plethora of information not only on this forum but throughout the web on how to do this.

I would suggest starting at http://www.aircrack-ng.org/doku.php?id=cracking_wpa and then use what ever method you feel comfortable with to crack the .cap (there are also online services for this but to date I have not had any success with them)

If still having difficulties use Google. (Google can be you're best friend)

Rab.

There are several issues is this blog that are not covered.

1. We highly suggust you avoid using aircrack-ng when trying to dycrypt a WPA Password. Aircrack-ng may tell you that it sees a password in your cap file BUT will be unable to crack it. Dig thru the aircrack-ng forums and you will find this issue covered. You cannot trust this program to finds the password so you might throw alot of time at the problem for nothing.

2. What is also not covered is the length of time it takes to brute force a character set like abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789. Even with our high speed 64bit computers running two ATI graphic cards and really high speed 100,000-150,000 this would take years.

3. Lastly is saving your work in stages. You cannot expect to run a computer for months without refreshing it. If you refer to the thread below you will find a method of saving a crunch passthru. However we are unsure it will work with dictionaries as we use different tools.

https://forums.kali.org/showthread.p...st-or-make-one

If you want to crack WPA try a letter frequency approach. Furthermore you need to easily save your work in stages. The tool of choice is elcomsoft/windows 7 64 bit/high speed graphic cards. Use dictionaries wherever possible to save the computer from having to waste time computing in a passthru.

We run the following sequence
length 8 8 numeric Dictionary files broken into 200,000 chunks
length 9 9 numeric Same as 8
length 10 10 numeric Same as 8
Common password - dictionaries
WPA Word lists available thru torrent


MTA/MTB

I've been following this thread and experimenting with crunch and pyrit. I am trying to crack a handshake with a 10 length password of mixed lower case and numbers.

Code:

---

crunch 10 10 abcdefghijklmnopqrstuvwxyz0123456789 | pyrit -r test-01.cap -b 00:00:00:00:00:00 -i - attack_passthrough

---

This is the output I am getting, why is it testing phrases over 10 characters long? I am assuming that when the program is cancelled the output is being overwritten by the PMKs per second? So I can ignore the last two numbers "55". Can crunch/pyrit be trusted to actually find the correct handshake pass phrase?

Code:

---

Crunch will now generate the following amount of data: 40217742840692736 bytes
38354628411 MB
37455691 GB
36577 TB
35 PB
Crunch will now generate the following number of lines: 3656158440062976
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'test-01.cap' (1/1)...
Parsed 31 packets (31 802.11-packets), got 1 AP(s)

^CCrunch ending at aaaaq6h76555 PMKs per second.

---

I am planning on resuming the session by looking at the last passphase tested and starting again for example starting from bbbbbbbbbb:

Code:

---

crunch 10 10 abcdefghijklmnopqrstuvwxyz0123456789 -s bbbbbbbbbb | pyrit -r test-01.cap -b 00:00:00:00:00:00 -i - attack_passthrough

---

Study the forum link we give above. Again we go not use this approach as it is too slow however we think this is the command string you would want to use is:

crunch <MinPasswordLength> <MaxPasswordLength> <CharacterSetToBeUsed> -s <StartPoint> -d 4 | pyrit -e <APessid> -i - -o - passthrough | cowpatty -d - -r <Handshake.cap> -s <APessid>

This avoids the aircrack-ng bug and gives you the ability to stop and start the program and ??WE THINK?? you can get CUDA and high-speed graphics cards working.



IF you are referencing:

CCrunch ending at aaaaq6h76555 PMKs per second

as your crunch over 10 in length comment above, this is the intermediate PMK not the primary number set you choose which is 10 in length composed all lower caps and numbers. Study what a pmk is. This will lead you into rainbow tables. Before you jump into precomputing pmks or rainbow tables, note the precomputed pmk only works against a specific salt which is the --essid name of the AP. If they change the essid name all your work becomes worthless SO rainbox tables are normally only computed against common names for APs.

the best & fastest thing to use is hashcat... using it will give u less headache

Quote:

---

Originally Posted by leevai

Hello guys, I'm not going to discuss handshakes since I guess you all are familiar with airmon, airodump and aireplay and now how to get them.
that's about the first step in cracking WPA and the easy job. The hard job is to actually crack the WPA key from the capfile.
I was looking for a method that is full proof without actually storing a huge wordlist on your desktop (talking about lots of lots of terrabites)
so i came up with the following:

# crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

(notice there is a space in the command that shouldnt be there, i guess the forum can't handle 62characters word)

meaning that crunch is making a list with minimum 0 and maximum 25 characters with alfanumeric small and cap characters that are not stored in a wordlistfile.
The "|" ends the crunch command and then we go to the aircrack command:
With the bssid of the "victim" (notice you have to be authorised by the victim to do the test) and -w- wich specifies the handshake.cap file.

It took me about 30 minutes to crack the following WPA password: hickmin123 (wich is an easy password because there are no caps in the password)
However I believe its almost a fullproof method and with lots of time you are able to crack long passwords.
Now the real question...

Anyone has an idea how to edit my command in function of speeding up the cracking process with a precalculating tool cause that would be the coolest thing :-)
Please notice I only like to use programs preinstalled in kali linux.

---

And how is possible?

For this bruteforce calculator:

http://oi57.tinypic.com/fx9wgg.jpg

(Website: http://calc.opensecurityresearch.com/)

If I've 43.000 pmks for second with CUDA of GTX 580, I find the password after many years XD

How is possible that you found your password "hickmin123" with mixalpha-numeric in 30 MINUTES? o_O

When I start :
crunch 8 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap
I get this:
(00:00:31) 14108 keys tested (508.08 k/s)
Is this a good speed (508.08 k/s)?
I have: Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+ × 2
and wfi antena tp-link tlwn722n with 150mbps
Please help

Quote:

---

Originally Posted by Alexcreator

When I start :
crunch 8 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap
I get this:
(00:00:31) 14108 keys tested (508.08 k/s)
Is this a good speed (508.08 k/s)?
I have: Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+ × 2
and wfi antena tp-link tlwn722n with 150mbps
Please help

---

Well, I wouldn't complain... I can only get 5000 on my crappy machine

Rab.

Sorry mis read your post - it appears that it is the same rate as mine and that is poor by today's standard

Quote:

---

Originally Posted by Alexcreator

When I start :
crunch 8 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap
I get this:
(00:00:31) 14108 keys tested (508.08 k/s)
Is this a good speed (508.08 k/s)?
I have: Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+ × 2
and wfi antena tp-link tlwn722n with 150mbps
Please help

---

hi::o
i think
....it's a good speed for YOUR hardware /NO-GPU-METHOD
ONLY for example(not to prove anything) in my hardware-virtualized with NO-GPU(because is virtualized:o) have this:
http://www.imagestime.com/show.php/924265_1.PNG.html

@click_ONTO_zoOM

Quote:

---

Originally Posted by zimmaro

hi::o
i think
....it's a good speed for YOUR hardware /NO-GPU-METHOD
ONLY for example(not to prove anything) in my hardware-virtualized with NO-GPU(because is virtualized:o) have this:
http://www.imagestime.com/show.php/924265_1.PNG.html

@click_ONTO_zoOM

---

And also with CUDA this attack is useless.

Look my screen, also with a password length of 8 this attack is impossible.

Quote:

---

Originally Posted by Pikachu95

And also with CUDA this attack is useless.

Look my screen, also with a password length of 8 this attack is impossible.

---

hi :)
if this is your thinking I respect that!!! But for logic /probability/time/fortune ...is not totally impossible!
&& cuda (for-me)I think it can give you a REALLY GREAT hand in speeding up the process!

Quote:

---

Originally Posted by zimmaro

hi :)
if this is your thinking I respect that!!! But for logic /probability/time/fortune ...is not totally impossible!
&& cuda (for-me)I think it can give you a REALLY GREAT hand in speeding up the process!

---

Is true what I wrote, it's not my thought.

Use this calculator: http://calc.opensecurityresearch.com/ with charset lalpha-numeric.

The bruteforce finish after 1 year!

So, for example, if I put a WPA2 like: Zympo123, you must wait 1 year for crack this password with 83.000 PMKS.

http://s29.postimg.org/pjcidyz5j/fail.gif

And 8 lenght is min., try with 9 or 10 lenght in that calculator :D

Or try also with 8, but with MIXALPHA-NUMERIC.

http://s7.postimg.org/nolo59r0r/fail2.gif

So? What's the solution?

impossible ~= 1 year 39 days ........ecc
impossible ~= 84 years 265 days.....ecc

* ~= in matlab is ""different""

The author of this thread was over optimistic when factoring the time required.

You can try a letter frequency approach. The most frequent are etaoin

etaoin shrdlu cmfwyp vbgkjq xz

Run in this order

etaoin0123456789
etaoinshrdlu0123456789
etaoinshrdlucmfwyp0123456789

You should get the idea.

Do not waste time with lengths over 10 so just do 8-10.

Back when reaver was King we cracked around 100 wifi recievers using reaver and ran a statistical analysis of key types and lengths choosen by users.

Over half were numeric less then 11
Very few were greater then 10 in length
Over half of the numeric were phone numbers
Only 5% were greater then 10 in length.

We have this paper around somewhere maybe we will republish as it was lost when aircrack-ng went down.

The best way to brute force a key is to try and determine the length and key types used. You can then focus your brute force in that area.

You could guess or:

For those that want a more esoteric and focused guess try remote viewing. The Quality Assurance Division of ASN doesnot want you to develope these skills. Google Ed Dames for techniques.

You do not remote view the key you remote view the length of the key, key consituents (type of characters) then turn to your computer to do the brute force. You also need two(2) people to conduct the remote viewing session.

If you find the key longer then 11 and using one computer do not bother. You might get lucky with a dictionary.

If you really need the key try the WPA phishing programs turbn to social engineering using pwnstar. See aircrack-ng forums I think under programs.

Musket Team A/C

Quote:

---

Originally Posted by mmusket33

You can try a letter frequency approach. The most frequent are etaoin

etaoin shrdlu cmfwyp vbgkjq xz

Run in this order

etaoin0123456789
etaoinshrdlu0123456789
etaoinshrdlucmfwyp0123456789

You should get the idea.

Musket Team A/C

---

How would I run this in Elcomsoft Wireless Auditor? I have had difficulty setting this programme up
with a Brute force running custom Char Set.

Rab.

Quote:

---

Originally Posted by mmusket33

Dear Rab,
There is an attack called the mask attack. You will need a version of elcomsoft probably v5.0.252 or v5.1.271 that supports this. If you want to do a letter frequency approach there is a page that allows you to enter the characters you want. Study the help files.

MTC

---

Sorry, yes it is the mask attack I was referring to.

From the help file, which I missed from first time of reading, I am guessing that

In the Mask Attack options under Custom Charset I would enter something like - zwerfalj and in the mask field
I would enter ?1?1?1?1?1?1?1?1 could you confirm please.

If you could also point me to a windows proggy that can precompute a dictionary attack other than oclHashcat I have
used L517 v0.8 in the past (although good it is not user friendly and only allows output upto 2gb if memory serves me right)
but I would like to compute the dictionary based on the starting point of one character for instance (r) which could be eliminated
and the rest to be random up to 8 that would reduce the size of the file and would be more like a lucky dip (hit or Miss) then on failure
I would be able to try another char (w) rather than going thru the complete char set from a to z.

I would just like to add my thanks for responding to this post - I have noticed from previous posts that
you advocate the use of EWSA and I myself like it too.

Rab.

I have now worked out most of the above. It uses a similar format to oclHashcat but I am still interested in a good password generator
for windows

We found the best word generator turned out to be crunch. Google Crunch A Day With Tape. You will need to write the output to file. When loading the dictionaries into elcomsoft, the drop-down menu has a file types entry. Click on the arrow point on the right side and change to all files or your files made with crunch will not be seen. If we remember correctly you can also set the file size with crunch. Keep these files small.
The only thing left is administrative in nature. We make a local area telephone types and 8 to 9 numeric length file in Elcomsoft input the dictionaries and just add handshakes to the file. We have a 10 length dictionary file again adding handshakes, and then large dictionary file. Anytime we get a handshake we stop any ongoing process and run it against the telephone 8 9 numeric first as most of your hits will be telephone numbers-numeric 8,9 and 10.

Hello, mmusket33

Im new BTW, im just starting to learn kali linux and just wondering if my new neighbor is sneaking up to my wifi (eversince they moved my internet slowed down). I manage to get the .hccap and .cap file can u tell me what my passphrase is? my router is Linksys WRT54G.

Im just wondering if it is possible to crack with so little time-i say they moved in our area for 3 days now.

Sorry for inconvenience. Hoping for a reply soon. Thanks.

So far I have notice crunch just being a waste of time, just for the fact that I know that 70% of word list is useless. no one in their right mind is going to use a password that it generates.

example:
aaaaaaaa01
aaaaaaaa02
aaaaaaaa03

Quote:

---

Originally Posted by GlockSmok3

So far I have notice crunch just being a waste of time, just for the fact that I know that 70% of word list is useless. no one in their right mind is going to use a password that it generates.

example:
aaaaaaaa01
aaaaaaaa02
aaaaaaaa03

---

you never know, my friend. Just like there are password for password and there are 12345 as password

Seems that using crunch to generate a wordlist is a bit overkill. I don't know where you get your horsepower, but 10674 petabytes sounds like a bit too much data to be useful as a cracking list. Have you thought about simply mangling a traditional dictionary instead? I couldn't find a tool that would do it, so I wrote one (https://github.com/zeroskill/transmute). If you seed it with a reasonable word list (http://www-01.sil.org/linguistics/wordlists/english/) and give it reasonable options, the resulting list will be a much smaller search space, and is pretty likely to yield a useful result against typical targets. There's always going to be the "CorrectHorseBatteryStaple" users, but low hanging fruit is generally what you're after when trying to penetrate.

Hi, all.

Is there a way to run this but somehow tell the program not to use double letters? I would like to reduce the time needed to try out different combinations by avoiding combinations like bbbbgasd or any combination where two same letters appear one after another. It would seem more logical to me, because in my language we don't have words like that, so any help on how to do this would be appreciated.

Hi,

Can someone help me on how to generate pws /w crunch using only min 8 and max 8 char long letters (char set = 26 english abc lowercase) but each character should appear maximum TWICE.
e.g.
abcdeefg
or
aabcdefg
or
abcdbefg
or
lmnoppqr
or
opqrstsu

etc..