How to make self-pruning word-list?


inadaizz


I need a 12 character A-Z 0-9 wordlist. When I try to make one with Crunch on Kali the size is astronomical. It would be nice to be able to have crunch create a list for me that automatically prunes itself to keep a constant size consistent with the passwords per second. http://lastbit.com/pswcalc.asp is suggesting that trying every A-Z 0-9 12 digit password would probably take well longer than my lifetime. Regardless, if anyone knows how to make a self-deleting wordlist I would be interested to learn, even if it will not be utilized where I imagined it being used.

Thanks everyone. 


I imagined feeding it into aircrack. I don't pipe the data in without storing it because I'm a newbie and don't know how to. The search terms I've been using to try to accomplish this are not yielding good results. Could you recommend a better search term on how to do this?

I start my computer engineering degree this fall at uni. So far I only do this as a hobby.


Nothing special. I have my own network, WPA2/AES with WPS off, and I'm seeing what I can do to crack it just for the practice and interest of doing it. The only known advantage I'm giving myself is that I know the only characters used are A-Z and 0-9 and it is exactly 12 characters. I easily captured my own handshake by using airodump and aireplay. The next step in brute forcing is to plug in a wordlist. The wordlist must contain the password to work. A wordlist made using crunch that has all possibilities of exactly 12 A-Z 0-9 characters is measured in petabytes. I'm trying to find a way to feed the same list of passwords in a far more manageable way. I imagine the list would take ages to compile, and the estimated crack time even if I had the list and could use it seems to be longer than a lifetime anyway.

The goal I want to accomplish is feeding a wordlist to aircrack where the wordlist continues both creating and deleting itself at roughly the same rate. This way the wordlist could take up minimal space while still covering all possibilities.


This should do what you want, it takes the output from crunch and pipes it straight into aircrack-ng so you don't store anything on disk.

crunch 12 12 | aircrack-ng -e test -w - handshake.pcap


36**12=4738381338321616896

36 to the twelve power

26 alphabet plus 10 (0-9) =36

36x36x36x36x36x36x36x36x36x36x36x36=

36 multiply by 36 twelve times

with 2 of my computers I can accomplish maybe 35 thousand per second.

36**13/35000= 4873763662273663

4873763662273663 seconds to process this list of passwords with crunch.

36 to the 12th power divided by 35000 per second... 4873763662273663 seconds for me to complete


Edited by i8igmac

The default password I see from Comcast routers is 8 chars long...

My 35000 performance hashes per second and 86400 seconds in a day

36**8/35000/86400=932 days

36**12/35000/86400=1566925045 days

With a cluster of water-cooled video cards and extreme overclocking, I could see it possible to crack a default Comcast 8-char password.

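The arithmetic in the two posts above, worked through in Python as an added example (this is not code from the thread or from crunch/aircrack-ng): keyspace size for a fixed-length alphabet, worst-case time to exhaust it at a given guessing rate, the rate a deadline implies, and a generator that streams candidates with constant memory, which is the "wordlist that creates and deletes itself" the original question asks about. AZ09 is assumed to mean uppercase A-Z plus 0-9; the rates are the thread's own figures and constructed inputs.

```python
"""Keyspace arithmetic behind the thread's estimates, plus a streaming
candidate generator that never touches disk. Added example, not from the
forum thread; the rates below are the thread's figures / constructed inputs."""
import itertools
import string
from typing import Iterator

AZ09 = string.ascii_uppercase + string.digits  # assumed 36-symbol alphabet


def keyspace_size(alphabet: str, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols: |alphabet| ** length."""
    return len(alphabet) ** length


def seconds_to_exhaust(size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guessing rate."""
    return size / guesses_per_second


def days_to_exhaust(size: int, guesses_per_second: float) -> float:
    """Same figure in days (86400 seconds per day, as the thread uses)."""
    return seconds_to_exhaust(size, guesses_per_second) / 86400


def rate_for_deadline(size: int, days: float) -> float:
    """Guessing rate needed to exhaust `size` within `days`; a password
    policy is only comfortable if realistic hardware stays well below it."""
    return size / (days * 86400)


def candidates(alphabet: str, length: int) -> Iterator[str]:
    """Lazily yield every fixed-length candidate, rightmost symbol changing
    fastest. Nothing is materialised, so memory use stays constant no matter
    how large the keyspace is; a consumer reads it like a pipe, not a file."""
    for symbols in itertools.product(alphabet, repeat=length):
        yield "".join(symbols)


if __name__ == "__main__":
    for length, rate in ((8, 35_000), (12, 35_000), (12, 1_500_000)):
        size = keyspace_size(AZ09, length)
        print(f"{length} chars: {size:,} candidates, "
              f"{days_to_exhaust(size, rate):,.0f} days at {rate:,} guesses/s")
    need = rate_for_deadline(keyspace_size(AZ09, 8), 30)
    print(f"rate needed to exhaust 8 chars in 30 days: {need:,.0f} guesses/s")
    print("first streamed candidates:", list(itertools.islice(candidates(AZ09, 12), 3)))
```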

Didn't I see somewhere in the distant past rainbow tables created to do just this?
Maybe I was dreaming again, old age does that to you.


22 hours ago, kerravon said:

Didn't I see somewhere in the distant past rainbow tables created to do just this?
Maybe I was dreaming again, old age does that to you.

A while back I was looking into creating a program that would create a rainbow-table-like set of tables that would handle WPA2/HMAC/SHA1, and I probably could have started making one, but the major problem with it is that the keyspace size is way too large. This is referred to as Time Memory Trade Off, so the less time you want it to take, the more memory your tables are going to take up on the hard drive. For WPA2 the keyspace is going to be based on the PASSPHRASE that was used, plus SSID, plus a random number called the ANONCE, plus a random number called the SNONCE. Even if you knew what the passphrase was, and you created a table for SSID and the 2 nonces, it would be really large. My thinking is that it would probably be impractical to create a full set of TMTO tables to completely crack WPA2.


maybe if I was retired with funds sitting around...

I would first find an affordable video card, set up a big water pump home-built radiator water cooling... try to extreme overclock this test rig...

I posted above that with 2 gaming rigs at 35000 hashes per second it will take me 932 days... if I can get this to 30 days I will need a rig that can produce 3500031 hashes per second... that's almost 62 more video cards to accomplish this.

Keep in mind, both my gaming machines are not overclocked.

If a cheap video card at $35 can survive an extreme overclock, at this point I would know if it's even affordably possible.


I think the only way right now to make WPA cracking feasible is to work with cloud resources.

First, to the OP, 12 characters is just too long using an alphanumeric (lowercase) set (as i8igmac noted).

However, I have been working on AWS AMI GPU instances (using spot pricing so it's cheaper) and then taking advantage of Pyrit CUDA while distributing the brute-forcing among 10+ running instances. Further, if you get your hands dirty in trying to understand how the GPU functions, you can tweak this as well to increase speed.

The Pyrit benchmark wasn't very good out of the box (one instance got me to 45K pmks/s), and having 3 running, let's say with 8 character psks, out of lowercase alpha and numeric, you would have 36**8 = 2,820,000,000,000 possible psks. At 45K/s, you get 62,691,331 seconds, which is 1,044,855 minutes, or 43,535 hours, or...1813 days. 

So I've gotten this closer to 100,000 psks/s, and wrote a python script to distribute the crunch output to each instance (not sure if this is the best solution as you use bandwidth to distribute Crunch output, and that adds cost), and also have tried running Pyrit using twisted (python library for async/multi-threading) although I'm not sure if this is helping or not...need to determine how Pyrit runs. But at the end of the day, if I get 15 instances each running 100,000 psks/s, then we have:

100,000 x 15 = 21 days 

With costs (if I did my math right and assuming spot prices are correct): $.70/hr (per instance) x 24 hours x 21 days = $352. Obviously you wouldn't likely run it for the entire 21 days as you would be successful before that... so let's say 1/2 of this on average, or 10.5 days @ $175.

Besides processing power, which I'm working on, the other thing that could potentially speed this up is dictionaries. Personally I don't think a dictionary is reliable unless you know the target very well and can generate masks or have a reasonable guess as to a portion of the psk. What I want to do is find the best wordlists, aggregate them all, remove all passwords under 8 characters (and my current list is around 25GB)... And this is why I read this OP, because I'd like to efficiently try to remove any words in the wordlist from Crunch, so I'm not just adding a dictionary followed by Crunch... But as I only know python, I'm not sure if there isn't a way to do this where generating the words to be checked doesn't slow down the actual hash comparison in Pyrit.

By the way, I still see endless debates over Pyrit vs. OclHashcat. Anyone have experience with both and can explain their preference?


I like what I see... there is a part of my brain that will never let this be...

On the word list, I have had good success but it could be better... there are a lot of new password dumps that have hit the news... these dumps need to be sorted through for use with WPA cracking... append the newly unique list to the supa WPA wordlist that already exists online.

I also think when you distribute the process across the network there is a bottleneck. I have not tested this with a good switch, but I have split the large list into equal portions and uploaded to each machine... no network bottleneck...


Short answer: You can pipe crunch into aircrack-ng, but crunch is a little faster than aircrack and it will create a temp file where the words go before being fed into aircrack, and eventually it will eat up all of your RAM and swap. You can also pipe JTR into aircrack. Something with FPGA support is what you want if you are bruting 12 characters. Otherwise you will never have the keys per second to make it worthwhile. If you want to spend a ton of money on specialized hardware, Pico Computing has something for you.

If you look up password cracking or hash cracking sites you will see that people make wordlists. Sometimes they are shorter lists with large rule sets and some are just really big lists. They might be common dictionary words, phone numbers, hashes, account numbers, or any other combination of characters.

A dictionary attack would be better than brute force. But brute forcing the password should be your last resort after attempting a WPS PIN search or if you're lucky Pixie dust attack.

Possibly use social engineering to get the password or exploit a machine that connects to it regularly. Possibly something you can gain physical access to with ease, like a laptop left unattended in the cafeteria while the user is in the rest room.


I tend to prefer OCLHashCat. GPUs are much faster at cracking than most CPUs now, plus it has nice commands.

Note that it's normal for a 12 character AZ-09 wordlist to be a fairly large size on-disk and take a long time to run through (could be a few weeks to a few months).

The best bet for WPA/2 cracking is to find the make/model of the router (aircrack can normally tell you this on its own), and use your Google-fu to find out the default password standard for the hub you are attacking.

If you suspect the person has amended the password, you'll need to use recon and social engineering to get at least an idea of passwords they might use. They like leather? Try 'BDSM' in the password. Etc.

Not all WPA/2 passwords are crackable in a reasonable amount of time. If all else fails, or you can't wait the couple of months it might take to crack, try a different angle. Social engineer them some more. Call them, pretend to be the manufacturer of their hub. Maybe there's a recall on their model? Or perhaps you're doing a door-to-door survey of the types of hubs people are using and take the opportunity to glance at the password whilst checking which hub they own. In rare cases,  you may even find the hub viewable through a window. I've seen that stupidity before!

Think outside the box :wink:

Edited by haze1434

I have just watched a Hak5 episode that includes a guy/company (not sure of the name); he has a cluster of GPUs capable of cracking these 8-char passwords in 5 hours or so.... not sure how many video cards, 7970s that cost right now $772.66 each

he has invested at the time of this video about $30,000

Maybe he can chime in on the conversation... I would like to chat with him... maybe he can be found on IRC?

and the second part of the video

Edited by i8igmac

Use hashcat. (It will do CPU, GPU, or a combo of the two.) It will restore if you want to stop it and pick it up again later, and doesn't need a file for a bruteforce.

But a dictionary attack with some rules would be best for a WPA password. Not too many people will use big random passwords for WiFi. It's usually pretty easy to remember.

Phone numbers and rockyou.txt have gotten me hundreds of PWs
