
Thread: Finding WPA Keys Broadcast In Clear

  1. #1
    Senior Member
    Join Date
    Jul 2013

    Finding WPA Keys Broadcast In Clear has been released for general use.

    The bug when used with kali2.0 and the newer versions of aircrack-ng has been corrected.


    When MTeams associated C-Programmer found essidprobes that were incomplete strings for WPA keys like 7 characters in length - an extensive rewrite of this program resulted. To find the missing characters, crunch was used to fill in the blanks as follows:

    Menu based crunch modules have been included to allow the user to expand ESSIDPROBES using ESSIDPROBE strings as the base words to find any missing characters.

    Specific words can be randomized thru menu driven selections by the user.

    Random characters can be Crunch Character Groups like [0123456789] or selected specific characters like 12Dc just as examples.

    This program can produce large file sizes so care should be used if employed with operating systems having small amounts of storage space such as persistent usb installs of kali2.0.

    To see how the program functions try writing only one(1) character or a specific text string and play with the selections before you make large files based on Crunch Character Groups or large essidprobe text files.

    Users should feel free to suggest other crunch permutations be included. They will be added if possible into later versions. Any bugs found please advise.

    You can download here with kali or at:


    The most sophisticated ciphers are many times defeated by simple operator error. The German Army High Command(OKW) used enigma in WWII to encrypt messages. The cipher was finally broken when a radio operator sent the same message twice without changing the key settings.

    Wi-Fi managing systems are also prone to operator errors. Musket Teams began seeing WPA keys broadcast in clear text paired with the ESSID name when running airodump-ng. MTeams knew the data pair sent was the WPA key and the station as the code had previously been broken thru other means such as Reaver or brute force. It soon became apparent that two(2) events were occurring. The wifi user was loading the WPA key into the ESSID(AP Name) block of the wifi managing software. The software began probing for a station using the WPA Key as the ESSID(AP Name). Later, when the connection did not work, the user corrected the error by setting up a new connection and leaving the old connection in place. The software then probed the BSSID using both the WPA Key and the ESSID.

    In airodump-ng you might see something like this at the bottom;

    55:44:33:22:11:00 00:11:22:33:44:55 12345678,Wifi_Home


    55:44:33:22:11:00 00:11:22:33:44:55 12345678

    Using the screen to collect this data is not practical. The best way is to access the two(2) .csv files made by airodump-ng when using the -w filename (write a dump file) in the airodump-ng command line. Musket Teams then wrote a small program to strip the kismet.csv file and .csv file of relevant data. The script has a commented help file embedded at the top of the script. It gives you a text file suitable for aircrack-ng, pyrit and elcomsoft. And it produces two(2) reference files to help determine ESSID,BSSID,PROBE pairing. This wordlist file has other uses. Sometimes the user loads the ESSID name into the WPA key block. Hence the WPA key is the AP name. This cannot be determined by the scan BUT the wordlist has all the ESSIDs seen therefore it can quickly determine if the WPA key is the ESSID when run against a handshake using aircrack-ng pyrit or elcomsoft.

    For example:

    aircrack-ng wifi.cap -w essidprobesdic.txt

    Musket Teams
    Last edited by mmusket33; 2016-01-11 at 03:26 AM.

  2. #2
    Senior Member
    Join Date
    Jul 2013
    815 has been withdrawn.

    You can download at


  3. #3
    Junior Member
    Join Date
    Mar 2015
    @mmusket thanks for your tool. Hi, I have tried to test this script but it always asks for the .csv file. I have it already in root, but the script told me the file is not here!

    I have dumpfile-01.csv and dumpfile-01.kismet.csv in root .

  4. #4
    Senior Member
    Join Date
    Jul 2013
    To Sherubin

    We downloaded the program from datahost and loaded it on three(3) different computers and the program ran fine. All computers were running kali-linux 1.09a fully updated and upgraded.

    MTeams then tried to simulate the failure. We induced your failure when the program was run from a folder off root so just place this program in root and run it as follows ./

    We will be issuing as soon as we are satisfied with the testing. But the changes have to do with making the essidprobesdic.txt file dos friendly and remove the duplicates that still remain. Look back here in a few days if you are interested.

    Write us again if this has not solved your problem and we will retest again.

    Last edited by mmusket33; 2015-03-03 at 11:07 AM.

  5. #5
    Junior Member
    Join Date
    Mar 2015
    Yes, thanks musket33, it runs fine from root.

  6. #6
    Senior Member
    Join Date
    Jul 2013
    MTeams has updated to

    This version corrects some duplicate problems and makes the dic file easier to use with aircrack-ng and elcomsoft

    You can download the newer version at:

  7. #7
    Senior Member
    Join Date
    Jul 2013
    WPA Key Fragments Broadcast In Clear Text

    WPA keys in clear text have taken another turn. Our Musket Team C Programmer has found cases where WPA key fragments (i.e. incomplete keys) are being broadcast in clear text. In this case the wifi user is inputting an incomplete WPA key in the ESSID block of the wifi software. When the key does not work the user makes another connection and does not remove the older version. The wifi device then probes using both the WPA key fragment and the essid name.

    These key fragments are easy to discover if they are less than 8 characters in length. However incomplete keys greater than 7 are more difficult to handle.

    A rule of thumb in WPA brute force cracking is that 50% of the keys chosen by users are numeric strings 8 to 10 characters in length. And more than half of these numeric only keys are local telephone numbers.

    You might see something like this in the airodump-ng probes:

    1234567, Wifi Home

    Hence ESSID probes shorter than 8 characters in length that appear to be key fragments might be attacked as follows.

    Most WPA keys are numeric only, 8 to 10 characters in length. If you have elcomsoft and windows use the word attack and check combinations of the string. If not make a series of dictionary files and test it against a handshake.

    For example if you see 1234567, Wifi Home in your probes run crunch

    A simple approach here would be

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234567@ -o File88-01

    crunch 9 9 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234567@@ -o File99-01

    crunch 10 10 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234567@@@ -o File1010-01

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t @1234567 -o File88-02

    crunch 9 9 "0123456789abcdefghijklmnopqrstuvwxyz" -t @@1234567 -o File99-02

    crunch 10 10 "0123456789abcdefghijklmnopqrstuvwxyz" -t @@@1234567 -o File1010-02

    A more complicated approach would be to work thru ALL the positions making small dictionaries

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1@234567 -o File88c-01

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 12@34567 -o File88c-02

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 123@4567 -o File88c-03

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234@567 -o File88c-04

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 12345@67 -o File88c-05

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 123456@7 -o File88c-06

    crunch 9 9 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1@2345678 -o File99c-06

    etc etc etc

    All variations are not shown here

    Keys 8 or more in length that do not successfully crack the key thru tools like aircrack-ng might be WPA Key fragments. In such a case the more complicated approach must be employed

    There is a significant social engineering component in successfully brute forcing a WPA key. Even if your computer cracking speed is slow, running numeric keys 8 to 10 characters in length against a WPA handshake is possible. If you are given a part of the key the chances of cracking the WPA key increase.

    Mteams are working on an expansion of ESSIDPROBE1-5 to construct these dictionaries automatically. In the meantime if you discover these WPA Fragments in clear text you can try the simple approach above - you might just get lucky.

    Musket Teams

  8. #8
    Senior Member
    Join Date
    Jul 2013
    MTeams run constant airodump-ng scans listening for both WPA handshakes and WPA keys broadcast in clear text.

    airodump-ng -w scanwifi mon0

    We also get e-mails saying clear text WPA keys cannot occur. Here is a typical example received within the last 24 hours. All ESSID, BSSID info and WPA Key has been sterilized. The WPA key broadcast in clear text is 033441345

    CH 5 ][ Elapsed: 8 s ][ 2015-09-28 07:20


    55:44:33:22:11:00 -1 0 0 5 0 5 -1 WEP WEP <length: 0>
    66:44:33:22:11:00 -66 0 2 7 1 6 54e WPA CCMP PSK Wifi Name 1
    77:44:33:22:11:00 -72 0 2 0 0 7 54e WPA2 CCMP PSK Wifi Name 2
    88:44:33:22:11:00 -73 19 14 0 0 5 54e. WPA2 CCMP PSK Wifi Name 3

    BSSID STATION PWR Rate Lost Frames Probe

    55:44:66:00:22:33 00:11:22:33:55:77 -57 0 - 1 148 5
    (not associated) 00:11:22:33:44:99 -73 0 - 1 0 1 Wifi Name 4
    (not associated) 00:11:22:33:44:77 -72 0 - 1 0 1 033441345
    (not associated) 00:11:22:33:55:55 -64 0 - 1 0 1
    (not associated) 00:11:22:33:55:55 -75 0 - 1 0 2
    55:44:33:22:11:00 00:11:22:33:44:55 -1 1e- 0 0 2
    66:44:33:22:11:00 00:11:22:33:44:66 -51 0 - 1e 43 5

    You can quickly check for handshakes by running

    wpaclean scanwifi-01a.cap scanwifi-01.cap


    scanwifi-01a.cap is cleaned file

    scanwifi-01.cap is original file

    This will give a list of WPA handshakes on the screen and can be run anytime even while airodump-ng is collecting data.

    Last edited by mmusket33; 2015-09-28 at 01:21 AM.
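
Added example, not part of the original posts and not the Musket Teams script: a check a network owner can run over their own airodump-ng `-w` .csv output to see whether any client is probing for the site's WPA passphrase, or a piece of it, as described in posts #1, #7 and #8. The function name `leaked_probes`, the sample data and the 6-character fragment threshold are assumptions made for this example.

```python
# Constructed sample in the airodump-ng .csv layout: AP table, blank line,
# station table. All MACs, names and the key below are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
66:44:33:22:11:00, 2015-09-28 07:20:01, 2015-09-28 07:20:09, 6, 54, WPA2, CCMP, PSK, -66, 2, 7, 0.0.0.0, 9, Wifi_Home,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2015-09-28 07:20:02, 2015-09-28 07:20:08, -51, 43, 66:44:33:22:11:00, 5550123456,Wifi_Home
00:11:22:33:44:77, 2015-09-28 07:20:03, 2015-09-28 07:20:07, -72, 1, (not associated) , 5550123
00:11:22:33:44:99, 2015-09-28 07:20:04, 2015-09-28 07:20:06, -73, 1, (not associated) , Cafe_Guest
"""


def leaked_probes(csv_text, psk, min_fragment=6):
    """Return (station, probe, kind) for probes equal to psk or a piece of it.

    kind is "full" for an exact match and "fragment" when the probe is a
    substring of psk at least min_fragment characters long.
    """
    findings = []
    in_stations = False
    for line in csv_text.splitlines():
        if line.startswith("Station MAC"):
            in_stations = True          # station table starts after this header
            continue
        if not in_stations or not line.strip():
            continue
        # Six fixed columns, then the probe list takes the rest of the line.
        fields = line.split(",", 6)
        if len(fields) < 7:
            continue
        station = fields[0].strip()
        # Probed names are comma-joined, so an ESSID that itself contains a
        # comma is split here; the pieces are still compared individually.
        for probe in (p.strip() for p in fields[6].split(",")):
            if not probe:
                continue
            if probe == psk:
                findings.append((station, probe, "full"))
            elif len(probe) >= min_fragment and probe in psk:
                findings.append((station, probe, "fragment"))
    return findings


if __name__ == "__main__":
    for station, probe, kind in leaked_probes(SAMPLE_CSV, "5550123456"):
        print(f"{station} probes for {kind} key text: {probe!r}")
```

A hit means the named client has the passphrase saved as a network name: remove that saved network from the device and rotate the passphrase.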

  9. #9
    It looks very good. Thanks for sharing.

    Last edited by basto; 2015-09-29 at 06:33 AM.

  10. #10
    Junior Member
    Join Date
    Mar 2013
    This happened to me, I was scanning away when I noticed what looked like a WPA key on the probe column, so I tested it on the AP and it worked.
    Never seen this before, any idea why it was shown, been scanning again and it's not shown second time.

    The only reason that you fail is because you quit....
