koloss Posted April 18, 2015: After four months of relentless persistence I finally was able to brute-force my neighbor's WPS PIN. After spending days of AP lock and figuring out the precise x:y values, I found that the WPA PSK is an 8-digit number (like all other PSKs), but it got me thinking: what if I did a direct brute force of the PSK? I don't know if the AP could actually lock that (so that no new device can connect even with the right pass), but if we talk about 200 tries/day I think it can be cracked in a guaranteed 55 days (11000/200). I'm a newbie at this stuff, so please, is there a script for that, or is my theory stupid-wrong? Thanks
overwraith Posted April 18, 2015: I wonder if there's a rainbow table for this. Also, you should check if this is illegal or not. You probably shouldn't connect to your neighbor's network; that would probably be illegal, though "usually" unenforceable.
digininja Posted April 18, 2015: So you spent four months disrupting your neighbours' wifi. Either they are very patient if they knew about it, or very annoyed with having problems if they didn't know. If you now start trying to attack it further you are just going to mess them up even more. If you want to practice things like this, get yourself your own AP and practice on that. If all you want to do is to see how the tools work, then set easy-to-guess/crack PINs and passwords; the tools will finish in a short time and you'll see how to use them. If you want a challenge, then get someone else to set the values for you and then attack those. I'd leave your neighbour alone if I were you.
koloss (Author) Posted April 18, 2015: I do not want to wreak havoc or steal sensitive info, I swear. I just wanted to leech on some fast Internet (which sadly is the same speed as mine; I guess upgrading is expensive for both him and me). All it got me is an idea of a direct brute-force attack, and it's stuck in my head. I know I would be pissed off too if someone leeched on my crappy connection, and I will leave him alone. Sorry if I caused any problem.
digininja Posted April 18, 2015: You just admitted to attacking wifi without permission with the intent to steal service from your neighbour. I don't know if that is an offence in your country, but it is in most places. It certainly isn't condoned on this forum. Think before you post things like this publicly.
overwraith Posted April 18, 2015: A much better way of phrasing the question is: "I set up a WPA network on my own router in an attempt to gain the password by capturing a handshake and brute-forcing the password..." Think, please. Not all features of the Pineapple are legal if you use them without the consent of the target.
koloss (Author) Posted April 18, 2015: There is no point in lying now. I WAS tempted to use his network, but I won't try to use it anymore. I came here only seeking knowledge for my question, and I understand if you don't want to help me. Thanks
overwraith Posted April 19, 2015: I am actually not interested in admonishing you, I am only interested in you not getting in trouble.
koloss (Author) Posted April 19, 2015: Fine. I cracked my router after a considerable amount of reaver and mdk3 attacks because of AP locking. After that I found out that the PSK is just an 8-digit-long number, and I believe a brute force against it (where there are no clients or a way to get a handshake) could reduce the time needed. Is there a way to do that? Thanks
digip Posted April 19, 2015: With WPA there is a 4-way handshake. They make tools for brute-forcing the handshake. With WPS, there are PIN codes, which you could try attacking with things like reaver and wifite, and they do work, but many routers will freeze up or reboot under the load of these attacks, which means rate limiting them, and it takes a very long time. A new attack out now is the Pixie Dust attack, which also may work and is an offline WPS method. WEP is an already broken protocol and can be cracked in less than 5 minutes on most computers. Knowledge is not a crime, and it's not that we're trying to avoid helping you; it's that we don't condone attacking networks you don't own. In reality whatever you do is on you; we don't have a say one way or the other, but learning is not something we censor here. Stating ignorance in the face of help will in itself find you on the receiving end of a flame war that will only get your threads locked, though, so be respectful and understand the rules around here before stating "I understand if you don't want to help me".
koloss (Author) Posted April 19, 2015: I know, I'm sorry I started this thread wrong; let's just have a clean sheet again. I acknowledge the ways of cracking you told me about, but my question is about a hypothetical AP with WPA2 protection and no clients or WPS enabled, where you know the pass is an 8-digit numerical password (to make the possibilities as low as possible). Is there a way to crack it?
cooper Posted April 19, 2015: 8-digit numeric means 99,999,999 possible combinations. Drop all variations where the combination has the same number 4 or more times in it and we're down to 96,500,034. You're limited by the speed at which the router can do a handshake with you, so let's assume it takes a total of 1 second for 1 attempt. At that rate it would take you 4 years to exhaust the keyspace. When you capture a handshake you can brute-force this and only be limited by your own hardware, which even with mere-mortal type hardware is likely to go through this set in under a day, particularly with the help of a graphics card. Going with 8-digit numeric is rather dumb, really. By going with that as opposed to the more typical 8-digit alphanumeric and case sensitive, they picked a keyspace of 99,999,999 over a keyspace of 128,063,081,718,016. My ISP uses 11-digit case-sensitive alphanumeric, which provides a keyspace of 24,986,644,000,165,537,792. Good luck brute-forcing that...
overwraith Posted April 19, 2015 (edited): What I was thinking was perhaps rainbow tables, but I don't know; I would have to do some research. If you went the rainbow table route you would end up with several terabytes of used space, but probably pretty snappy cracking. I don't think there is anything precluding their use; there may not be any made, though. You also usually need to collect a handshake in order to do offline cracking, which will be faster: upload the handshake to a beefier computer to do the crack. Edited April 19, 2015 by overwraith
cooper Posted April 19, 2015: A rainbow table works when (part of) the algorithm starts from a known state. The problem with WPA(2) is that it works with a random, meaning that you can't precompute the rainbow table and use it to speed up future decryption attempts.
overwraith Posted April 19, 2015 (edited): Sorry, you can tell how green I am when it comes to wifi hacking. If that's the case, then the only thing I can think of is massive multithreading and perhaps increasing the number and/or speed of the hard drives which contain the phrase lists. Increased cores would also help. Edited April 19, 2015 by overwraith
cooper Posted April 19, 2015: Yeah, to crack these problems you need cores. The more the better, the faster the better. And since the algorithm tends to be dead simple (so some cheap-ass chip slapped on a board and molded in Chinese plastic can still produce it), your graphics adapter can work stunning miracles with these.
overwraith Posted April 19, 2015: So if you were going the graphics card route, what software would you recommend for the actual crack? Is there any out there that fits the bill?
cooper Posted April 19, 2015: There are several. HashCat, John the Ripper and Pyrit, just off the top of my head.
Mampt0n Posted May 5, 2015: May I recommend HashcatGUI? It's a frontend for oclHashcat produced by the guys on the Hashkiller forums. Very useful, especially when learning and trying to get your head around rules, masks etc. http://www.hashkiller.co.uk/hashcat-gui.aspx
digip Posted May 5, 2015: Check out the video here for the Pixie WPS attack: https://www.kali.org/penetration-testing/pixiewps-reaver-aircrack-ng-updates/