velkrosmaak Posted January 30, 2012

Hi there, quite new to this and have done much reading, but there are a couple of practical questions I can't find answers to on the interweb.

I have the 4-way handshake of an AP, and have had a go at cracking it using a few wordlists: using a wordlist, the ESSID and cowpatty, and also by piping the output of John to aircrack in an attempt to just brute force it. On a VM on a machine at home I was getting around 600k/s. Brought the .cap file to work to test out on an old server running BT5, and am getting in the region of 5,500k/s! Quite surprised!

Realistically though, is there a more effective method? What about a hybrid dictionary/brute force attack? A sub-question here would be: how can I limit the length of words John produces to be more in line with WPA keys (i.e. minimum 8 chars)?

The router in question does not support WPS, so Reaver is not an option. Is this still the way to go, or have I been out of the loop for that long that people are cracking WPAs on their smartphones these days?

Thanks!
bobbyb1980 Posted January 30, 2012

WPA-PSK can be a little tricky. If you want to crack it yourself, that's going to require a good dictionary and some good hardware. There are services available online that will try to crack your handshake. The problem is, if they can't crack it you still have to pay. Some claim success rates as high as 50%, but a lot of factors come into play. My personal success rate in cracking WPA-PSK in the wild is about 20%, and that's using the largest dictionary files available at the time.

There are tools that execute MITM-style attacks against WPA-TKIP if your router supports that.

I don't use John, but you can always create/download your own wordlists, which will probably greatly increase the probability of success. Other than that, for purposes of practicality you might want to look into some online WPA cracking services.
velkrosmaak (thread author) Posted February 1, 2012

Thanks for the reply! What are thoughts on the Beck-Tews method on WPA-PSK? Can find very little about it...
velkrosmaak (thread author) Posted February 1, 2012

Thanks for the reply! What are thoughts on the Beck-Tews method on WPA-PSK**? Can find very little about it...

** WPA-TKIP

EDIT: Correction
Infiltrator Posted February 1, 2012

If the AP in question has a long or complex passphrase, you can forget about dictionary attacks. I would recommend looking into a WPA cracker that uses Nvidia CUDA.
TheKingUnderTheHill Posted May 2, 2012

Another direction you could go in might be to use rainbow tables, if you haven't already tried them? You can either download them, or use the winrtgen tool that comes with Cain and Abel (inb4 skiddie).
Infiltrator Posted May 3, 2012

> Another direction you could go in might be to use rainbow tables, if you haven't already tried them? You can either download them, or use the winrtgen tool that comes with Cain and Abel (inb4 skiddie).

The only problem I see with rainbow tables is that after a certain length of characters they become ineffective at cracking. And then you are back to square one!
TheKingUnderTheHill Posted May 3, 2012

Ah, didn't know that. Is there a general length where they begin to lose their effectiveness?
digip Posted May 3, 2012 Share Posted May 3, 2012 (edited) Ah, didnt know that, is there a general length where they begin to lose their effectiveness? Its not just length of effectiveness, its if there is a rainbow table that uses passphrases at the length you need and you don't know ahead of time, how long the passphrase is. Most rainbow tables don't go more than like 8-10 characters, mainly because the size of them gets so huge storage of the tables becomes an issue. Try torrenting a few petabytes of tables for passphrases over 10 characters with every possible SSID known. And thats the kicker. Thing to note, rainbow tables for WPA keys, require the SSID+Pasphrase in order to create a wpa hash for lookup in the rainbow table. So the tables are made for specific SSID's of all well known DEFAULT router SSID's(ie: Linksys for example). If the SSID of the router you wanted to crack was BobsHomeRouterOfTerror, chances of a rainbow table for it's SSID are slim to none and this is another area where their effectiveness is lost. You would have to create the rainbow tables on your own for specific, custom SSID's, and while that is possible, you would essentially be brute forcing them on the fly, by which you would be better served with a dedicated server and multiple high end CUDA based cards for GPU attacking the passphrase. Edited May 3, 2012 by digip Quote Link to comment Share on other sites More sharing options...