josh12 Posted November 12, 2011

My cousin challenged me to crack his WPA PSK secured network. Till now I have learned all the basics and everything there is to know about how to hack, so all I ask is for some advice. Till now I have had no luck cracking it: some dictionaries have not worked, some did not find the key, and the 13GB FINAL WPA list did not work for me, I don't know why I could not copy it to BT5. Do you suggest I capture a 4-way handshake? And how to deal with the dictionaries? I thought the hard part was learning how to do this type of thing, but the hardest part is the dictionary itself.
Infiltrator Posted November 12, 2011

The 4-way handshake is very important; you must be able to capture it. Now, since your dictionary file is not too effective, you could use Pyrit to generate tables. "Pyrit takes a step ahead in attacking WPA-PSK and WPA2-PSK, the protocols that protect today's public WIFI-airspace. Pyrit's implementation allows to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff. The performance gain for real-world-attacks is in the range of three orders of magnitude which urges for re-consideration of the protocol's security. Exploiting the computational power of Many-Core- and other platforms through ATI-Stream, Nvidia CUDA, OpenCL and VIA Padlock, it is currently by far the most powerful attack against one of the world's most used security-protocols." http://code.google.com/p/pyrit/
josh12 Posted November 12, 2011 (Author)

Thanks for replying, it helped A LOT. Now I understand and know what to aim for. So "pyrit" is going to try to crack it without the need of a dictionary? Just like gerix/aircrack cracks WEP?
bobbyb1980 Posted November 12, 2011

You need to capture at least 1 of the 4 EAPOL packets of the WPA handshake to be able to crack it. I spent this week playing with WPA, and I've come to the conclusion that only weak passwords (i.e., 12345678, password, etc.) are crackable to the average user. I cracked one pw of "12345678", and another one of "guesthouse". Anything past that, you're going to need very, very large wordlists and tons of computing power. Even the people with the most powerful computers and largest wordlists are only claiming 19-20% success rates, while the average is more like 10%. Cracking English, German, Russian, and Chinese passwords usually has higher success rates since there are already giant wordlists built up ready to download. Anything else, you'd better start making your own wordlist. Some people are still using WPA-TKIP, which from what I've read is vulnerable to a man-in-the-middle style attack without having to do dictionary attacks against the handshake. There's a tool in aircrack-ng for doing it, but it isn't well maintained and doesn't always work. I'm hoping someone else knows some others for cracking WPA-TKIP.
josh12 Posted November 12, 2011 (Author)

So TKIP is easier to crack than PSK and it does not need a wordlist? I don't know what to do. When I started this I was hoping to learn the basics, and I accomplished that, but now another challenge comes along, which I hope will finally let me crack one WPA.
bobbyb1980 Posted November 12, 2011

I don't know if I would say it's easier to crack than WPA-PSK, as WPA-PSK in theory would be easy if you had a good wordlist and computing power, but I think it's more straightforward. And to answer your previous question, cracking WPA and WEP are 2 different things. WEP is vulnerable to statistical attacks, whereas WPA handshakes are vulnerable to dictionary attacks. http://www.aircrack-ng.org/doku.php?id=tkiptun-ng
digip Posted November 12, 2011

WPA can only be cracked with brute forcing, or using premade tables. You need the SSID and the 4-way handshake, something the pcap created from the aircrack suite would contain, then run it through aircrack, cowpatty, etc., whatever cracking program you use, either with a plaintext wordlist for aircrack, or rainbow tables in cowpatty, or any other number of programs and methods. Generally they all need the SSID and 4-way handshake, and then brute force the output; since the key transmitted is salted with the plaintext word and the SSID, brute forcing is the only way to do it.
bobbyb1980 Posted November 12, 2011

From what I've read (although I've never personally tried it), creating rainbow tables for a specific SSID can take longer than running an actual dictionary attack against the WPA using an average computer. I'm still using a 5-year-old machine, which puts me out of luck for anything involving cracking pw's :( If you do try it, please report your results regarding what wordlists you used.
josh12 Posted November 12, 2011 (Author)

I used the darkc0de list, but it did not crack the WPA. My cousin does not know anything about WPA; he just challenged me to crack his WPA, which was set by an internet service provider worker because he set up the router the same day he got the internet, so he did not create or CHOOSE the password himself. He just challenged me to see how much I can do and have learned since I told him I accomplished cracking WEP. What I'm planning to do now is google some torrent wordlists and try them out. 1 question that I have is that in some previous wordlists I have seen multiple files: files.txt, WPA.txt, WPA2.txt, wpa-final.txt. I thought the wordlist was only one file.lst. Anyway, thanks for the support, and I apologize for disrespecting some members of this forum in the previous posts.
Mad Pierre Posted November 12, 2011 (edited)

I'm doing the same as well, but on one of my own routers, with a key that I know. Doing it with John, brute force way. Got a Proxmox PC running the home CCTV and NAS, so it's got a little spare horsepower for my own fun. :)
bobbyb1980 Posted November 13, 2011

After all is said and done, if you want a password cracked that isn't "password" or "12345", you're going to have to fork out 10-17 dollars to a cloud computing service for a 20-26% chance of cracking the key. Anyone have any experience (success) cracking WPA-TKIP? Please do tell who/what/when/where/why :)
josh12 Posted November 13, 2011 (Author, edited)

Wow, from what I just read, I should just quit on cracking WPA for now, because as you see in that picture he's been running aircrack for 197 hours... Thanks, this gave me an idea on what to do now. I GUESS WHAT I NEED IS a good dictionary (any suggestions?). When I tried to crack it, it only took about 20-30 minutes to say it did not find it, so I don't know how the guy was running aircrack for long hours. And again, my cousin's WPA is set by default; he did not do anything to make it hard to find or anything like that.
Infiltrator Posted November 13, 2011

If you have money, put together several rigs with 3 or 4 Nvidia graphics cards in each and use ElcomSoft distributed software to crack the WPA. Since you don't know how complex the WPA key is, brute forcing is the only option you have.
josh12 Posted November 13, 2011 (Author)

The computer that I have is capable of doing any kind of work; it is made by somebody I know who is very intelligent, it has 1TB of RAM and so on. But now my only option is what you said: BRUTE FORCE.
josh12 Posted November 13, 2011 (Author, edited)

But I still need a wordlist for Elcomsoft Wireless Security Auditor?
bobbyb1980 Posted November 13, 2011

It's possible to crack WPA; of the 11 handshakes I've gotten, I was able to break 3 of them. As far as cracking the password by yourself - good luck. You need solid dictionaries, and most dictionaries that are claiming high success rates are custom made and the owners don't want to share. The Offensive Security dictionary is pretty big, I think like 35 or 40 million words, but it's garbage; it wouldn't even crack "12345678". Or run this command:

perl -e '$_=0; while($_<10000000000){print "0"x(10-length("$_"))."$_"."\n";$_++};' > numbList0padd.txt

Then try to crack the handshakes that are numerical; a lot of them are.
josh12 Posted November 13, 2011 (Author, edited)

> It's possible to crack WPA; of the 11 handshakes I've gotten, I was able to break 3 of them. As far as cracking the password by yourself - good luck. You need solid dictionaries, and most dictionaries that are claiming high success rates are custom made and the owners don't want to share. The Offensive Security dictionary is pretty big, I think like 35 or 40 million words, but it's garbage; it wouldn't even crack "12345678". Or run this command:
>
> perl -e '$_=0; while($_<10000000000){print "0"x(10-length("$_"))."$_"."\n";$_++};' > numbList0padd.txt
>
> Then try to crack the handshakes that are numerical; a lot of them are.

Sounds interesting, mind telling more?????? Please, I really wanna finally crack this WPA; it's a challenge to myself.
zyrax Posted November 13, 2011

Since you don't know if your cousin has set an "unhackable" password, maybe you should try another way. Installing a keylogger on his computer, maybe?
josh12 Posted November 13, 2011 (Author, edited)

All this time till now people have told me to use aircrack and a wordlist; now it's going in a different direction. My cousin does not know anything about the network, but since I told him I was able to crack WEP, he told me to see if I could crack his WPA secure network, which was set up by an ISP person. What I'm doing right now is: I opened Elcomsoft Wireless Security... and I added a WPAPSK hash manually (I entered the BSSID), then I added a wordlist (darkc0de). Now it's running. What else is there to do?
Malachai Posted December 19, 2011

> I used the darkc0de list, but it did not crack the WPA. My cousin does not know anything about WPA; he just challenged me to crack his WPA, which was set by an internet service provider worker because he set up the router the same day he got the internet, so he did not create or CHOOSE the password himself. He just challenged me to see how much I can do and have learned since I told him I accomplished cracking WEP. What I'm planning to do now is google some torrent wordlists and try them out. 1 question that I have is that in some previous wordlists I have seen multiple files: files.txt, WPA.txt, WPA2.txt, wpa-final.txt. I thought the wordlist was only one file.lst. Anyway, thanks for the support, and I apologize for disrespecting some members of this forum in the previous posts.

REALLY!!!! Internet service worker... I would have tried his home address, phone, etc...
DJ_Toast Posted December 30, 2011

If the modem is set by the ISP it usually is 6, 8, 10, 12 or 13 characters long, with a-z small letters, some with numbers too, usually not. If you are a pro you can use a cloud service, yes, like some Bitcoin-driven service and so on. The fastest way to actually crack a good WPA/WPA2 network is now with Windows. You have to have Windows 7 x64 & BackTrack 5 preferably, and some nice Appz. Capture the handshake with BT5 Aircrack and convert the .CAP to .HCCAP via this site: HashCat CAP converter. Then use HashCat to crack the WPA/WPA2 hccap file using the GPU (HashCat suite). You can also do a dictionary attack on the fly using some extra application called MaskProcessor, made by the same guy! HashCat MaskProcessor. Some advised hardware, only to be able to smell some success: 1 PCI-E to 16 slots!!!! AMD Radeon™ HD 7970 - you'll need 16 of 'em!!! Someone getting the picture? It will cost a fortune to crack WPA and WPA2! I believe a strong a-z 13-character password will take some months with all this hardware! So this is only for the pros! Best regards to everyone!
digip Posted December 30, 2011

I am not sure what ISP you are using, but this is not true. When my service provider came out to activate the connection and install a router/modem combo, he used a random password generator on his laptop to supply the key for the network. The key itself was probably somewhere between 8-10 chars; however, it used both alphanumeric and symbols as well as uppercase and lowercase to make up the key. I ended up changing it to something a bit longer, but it was secure for the most part before. Many ISPs use a combination of the serial number on the bottom of the device, or the customer's phone number. In my area, a lot of people's DSL routers are passworded with their phone number, supposedly because the customer can't forget their own number... but I wouldn't know anything about that.
digip Posted January 2, 2012

Lucky you, that would be really quick if you had to brute force it, given you know the first 3 numbers (area code) and no chars... In the ones I have found locally, usually only 7 numbers (US), no area code used. Thing is, if you know the local exchange you can prefix the first three and automate brute-forcing the rest to make a wordlist for all telephone numbers in your area really quickly. Most of the ones I have seen are also Verizon related, so take that and put it in your little black book of things to check.
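Added illustration (not code from anyone in this thread) of two points raised above: digip's remark that the key is salted with the SSID, and the later discussion of ISP default-key patterns. The PBKDF2 derivation below is the one WPA/WPA2-PSK actually uses (IEEE 802.11i); the 80-bit entropy target and the policy descriptions are assumptions made for the example, not measurements of any real ISP.

```python
import hashlib
import math

# WPA/WPA2-PSK derives the 256-bit Pairwise Master Key (PMK) from the
# passphrase with PBKDF2-HMAC-SHA1, 4096 rounds, using the SSID as the salt.
# The SSID salt is why a precomputed table is only valid for one network
# name; the 4096 rounds are why every candidate passphrase costs real CPU time.
def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    if not (8 <= len(passphrase) <= 63):
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

# Strength of a key-generation policy in bits of entropy: log2(alphabet ** length).
def policy_entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)

# Default-key policies mentioned in the thread, modelled as (alphabet size, length).
# Constructed for this example; the "random printable ASCII" row is a baseline.
POLICIES = {
    "7-digit phone number":        (10, 7),
    "10-digit zero-padded number": (10, 10),
    "13 lowercase letters":        (26, 13),
    "13 random printable ASCII":   (95, 13),
}

def rate_policies(min_bits: float = 80.0) -> dict:
    """Return {policy: (bits, 'ok'|'weak')} against an assumed minimum entropy."""
    out = {}
    for name, (alpha, length) in POLICIES.items():
        bits = policy_entropy_bits(alpha, length)
        out[name] = (round(bits, 1), "ok" if bits >= min_bits else "weak")
    return out

if __name__ == "__main__":
    # Same passphrase, SSIDs differing only in case: the PMKs differ entirely,
    # so a table built for "linksys" says nothing about "Linksys".
    a = wpa_pmk("password", "linksys")
    b = wpa_pmk("password", "Linksys")
    print(a.hex())
    print(b.hex())
    print("PMKs differ:", a != b)
    for name, (bits, verdict) in rate_policies().items():
        print(f"{name:30s} {bits:6.1f} bits  {verdict}")
```

The PMK for passphrase "password" and SSID "IEEE" matches the published 802.11i test vector, which is a quick way to confirm the derivation is implemented correctly.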