
Effectively Cracking WPA PSK



Hi there,

Quite new to this and have done much reading, but there are a couple of practical questions I can't find answers to on the interweb.

I have the 4-way handshake of an AP, and have had a go at cracking it using a few wordlists, using a wordlist, ESSID and cowpatty, and also by piping the output of john to aircrack in an attempt to just brute force it. On a VM on a machine at home I was getting around 600k/s. I brought the .cap file to work to test out on an old server running BT5 and am getting in the region of 5,500k/s! Quite surprised! Realistically though, is there a more effective method? What about a hybrid dictionary/brute force attack?

A sub-question here would be: how can I limit the length of words John produces to be more in line with WPA keys (i.e. minimum 8 chars)?

The router in question does not support WPS so Reaver is not an option.

Is this still the way to go, or have I been out of the loop for that long that people are cracking WPA's on their smartphones these days?



WPA-PSK can be a little tricky. If you want to crack it yourself that's going to require a good dictionary and some good hardware. There are services available online that will try to crack your handshake. The problem is if they can't crack it you still have to pay. Some claim success rates as high as 50% but a lot of factors come into play. My personal success rate in cracking WPA-PSK in the wild is about 20% and that's using the largest dictionary files available at the time.

There are tools that execute MITM style attacks against WPA-TKIP if your router supports that.

I don't use John but you can always create/download your own wordlists, which will probably greatly increase the probability of success. Other than that, for purposes of practicality you might want to look into some online WPA cracking services.


If the AP in question has a long or complex passphrase you can forget about dictionary attacks. I would recommend looking into a WPA cracker that uses Nvidia CUDA.


3 months later...

Another direction you could go in might be to use rainbow tables, if you haven't already tried them?

You can either download them, or use the winrtgen tool that comes with Cain and Abel (inb4 Skiddie)

The only problem I see with rainbow tables is that after a certain length of characters, they become ineffective at cracking. And then you are back to square one!


Ah, didn't know that. Is there a general length where they begin to lose their effectiveness?

It's not just length of effectiveness, it's whether there is a rainbow table that uses passphrases at the length you need, and you don't know ahead of time how long the passphrase is. Most rainbow tables don't go more than like 8-10 characters, mainly because the size of them gets so huge that storage of the tables becomes an issue. Try torrenting a few petabytes of tables for passphrases over 10 characters with every possible SSID known.

And that's the kicker. Thing to note: rainbow tables for WPA keys require the SSID + passphrase in order to create a WPA hash for lookup in the rainbow table. So the tables are made for specific SSIDs, i.e. all well-known DEFAULT router SSIDs (e.g. Linksys). If the SSID of the router you wanted to crack was BobsHomeRouterOfTerror, the chances of a rainbow table for its SSID are slim to none, and this is another area where their effectiveness is lost. You would have to create the rainbow tables on your own for specific, custom SSIDs, and while that is possible, you would essentially be brute forcing them on the fly, by which point you would be better served with a dedicated server and multiple high-end CUDA-based cards for GPU attacking the passphrase.

Edited by digip
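The point digip makes above (the WPA hash is salted with the SSID, so a precomputed table only works for the SSID it was built for) can be checked directly. The following is an added example, not code from anyone in this thread: it implements the IEEE 802.11i PMK derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output, SSID as salt) and builds a tiny precomputed table from a constructed list of default SSIDs and sample words, then shows the lookup fails for a custom SSID even when the passphrase is the same. The SSID and word lists are made up for the demonstration; the `"password"`/`"IEEE"` vector is the published 802.11i test case.

```python
import hashlib

# Constructed sample inputs (not from the thread): a few default SSIDs that a
# precomputed table would be seeded with, and a tiny stand-in for a wordlist.
DEFAULT_SSIDS = ["linksys", "NETGEAR", "dlink"]
SAMPLE_WORDS = ["password", "letmein1", "sunshine", "qwerty123"]


def wpa_pmk(passphrase, ssid):
    """Pairwise Master Key for WPA/WPA2-Personal.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    This is the derivation every supplicant runs; the SSID is the salt, which
    is exactly why a precomputed table is tied to one SSID, and the 4096
    iterations are what make each candidate expensive for an attacker.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def build_table(ssids, words):
    """Precompute {(ssid, pmk): passphrase} for every SSID/word pair.

    This mirrors how WPA hash tables are produced for well-known default
    SSIDs; the table size is len(ssids) * len(words) entries of 32 bytes.
    """
    return {(s, wpa_pmk(w, s)): w for s in ssids for w in words}


def lookup(table, ssid, pmk):
    """Return the passphrase if (ssid, pmk) was precomputed, else None."""
    return table.get((ssid, pmk))


if __name__ == "__main__":
    table = build_table(DEFAULT_SSIDS, SAMPLE_WORDS)
    # Same passphrase on a default SSID and on a custom one: only the first
    # is found, because the custom SSID produces a PMK the table never saw.
    print("linksys :", lookup(table, "linksys", wpa_pmk("sunshine", "linksys")))
    print("custom  :", lookup(table, "BobsHomeRouterOfTerror",
                              wpa_pmk("sunshine", "BobsHomeRouterOfTerror")))
```

A unique SSID therefore forces an attacker back to computing PBKDF2 per candidate on the fly, and a long passphrase makes that search space impractical.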
