Word list help


Dozer951

Hey guys, I'm trying to generate a wordlist for a specific router manufacturer. I know it has 16 characters, numbers and upper case letters only. I tried making a word list in crunch but the file is huge. Any ideas on how to cut it down to a reasonable size?

Link to comment
Share on other sites

That's 3.189.059.870.763.703.892.770.816 unique combinations.

Say you could try a single combination in 1 clock tick on your CPU, which we'll, for argument's sake, peg at about 3.2 GHz.

That would still mean 100.000.000.000.000 seconds of processing time which equates to 3.170.979 years.

Basically, brute-forcing is not going to be the answer. Look at the algorithm used and see if there are any tricks you can use to attack that in an effort to reduce your keyspace.

Link to comment
Share on other sites

Are you doing the logins on the fly or against a hash file/captured handshake? If going against a file, try OCLhashcat if your GPU supports it; even at 16 characters it will take a while, but not years, more like days depending on the system.

https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

Link to comment
Share on other sites

Follow that link, scroll down to "Brute-Force Attack" and click on the 'calculator' link at the end of the second to last line in that paragraph.

What they're basically telling you is that if your keyspace is too large, it's useless.

Since Dozer951 could only claim that the keyspace is any combination of 16 capital letters and numbers, each position in the password has 26 (capitals) + 10 (numbers) = 36 possibilities.

So that makes 36^16 possible passwords, or 7.958.661.109.946.400.884.391.936 (In my first calculation I used 34 instead of 36. My bad).

Let's say you use OCLHashCat and you throw your local gaming rig at it. Yes, that 32-node cluster of machines with 4 NVidia Titan Black Edition video cards each. Don't be modest, I know you have it.

So that makes 32*4*2880 CUDA cores clocked at 902 MHz (boost) and of course that liquid nitrogen cooled 6-core i7 which you overclocked to 10 GHz, so that's another 32*6*10.000 MHz.

The graphics cards total 332513280000000 Hz and the CPUs 1920000000000 Hz, so the overall total is 334433280000000 Hz.

Let's assume that a single key can be checked in a single clock tick on both the graphics card as well as the CPU (which I trust we all know to be ludicrous).

To go through the total keyspace with this behemoth would take 23797455534 seconds or 754.6 years.

Good luck with that.

Glad I don't pay your electricity bill.

Link to comment
Share on other sites

# reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small

Try reaver... my first try was a success... you need a decent signal for this attack...

Now for cracking the hash...

Get the big WPA wordlist, I think g0tmilk has download links on his blog... I have seen this work almost every time... must have GPU power... purehate has good tutorials for proper driver installation...

Link to comment
Share on other sites

Thanks for the clarification, guys. I'm using a handshake, but like Cooper said it will take years. Unfortunately all Actiontec routers have WPS disabled, so although I would love to use reaver it won't work. I have heard of reaver pro taking advantage of WPS in Actiontec routers with WPS not enabled, but it sounds too good to be true and I have yet to find any solid evidence of that on the net. I was thinking of telling crunch to ignore characters in sequence higher than 2, so that way instead of wasting time with AAAAAAAAAAAAAAA1 it can do AA%%%%%%%%%%%%%. But then comes the problem of AA22CCDD11FFGGHH. I've been trying to figure out how to get only 3 sets of consecutive numbers allowable per password. This might decrease the success rate of the list but it still might work. Size isn't an issue now since I can pass through crunch to pyrit or hashcat, but it still might be years. Any thoughts as to how I could do this? Or is there a different approach?

Link to comment
Share on other sites
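
The pruning idea in the last post can be checked by counting candidates instead of generating them. This is an added example, not code from the thread: it assumes the rule means "no character more than twice in a row", reuses the 36-symbol alphabet, 16-character length and the hypothetical cluster rate of 334433280000000 guesses per second from the posts above, and all function names are its own.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600
# Rate of the hypothetical 32-node cluster from the thread (one guess per
# clock tick, which the post itself calls ludicrous).
CLUSTER_RATE = 334_433_280_000_000


def count_max_run(alphabet_size, length, max_run):
    """Count strings where no symbol occurs more than max_run times in a row."""
    if length < 1 or max_run < 1:
        raise ValueError("length and max_run must be at least 1")
    # runs[k] = number of strings built so far that end in a run of k+1.
    runs = [alphabet_size] + [0] * (max_run - 1)
    for _ in range(length - 1):
        total = sum(runs)
        # A different symbol starts a new run; repeating the last symbol
        # lengthens the run, and runs already at max_run are dropped.
        runs = [total * (alphabet_size - 1)] + runs[:-1]
    return sum(runs)


def years_to_exhaust(candidates, guesses_per_second=CLUSTER_RATE):
    """Years needed to try every candidate at a constant guess rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def compare(alphabet_size=36, length=16, max_run=2):
    """Return (full keyspace, pruned keyspace, fraction that survives pruning)."""
    full = alphabet_size ** length
    pruned = count_max_run(alphabet_size, length, max_run)
    return full, pruned, pruned / full


if __name__ == "__main__":
    full, pruned, kept = compare()
    print(f"full keyspace  : {full:.3e} -> {years_to_exhaust(full):.1f} years")
    print(f"no run above 2 : {pruned:.3e} -> {years_to_exhaust(pruned):.1f} years")
    print(f"fraction kept  : {kept:.4f}")
```

The filter discards only about one percent of the candidates, so the time estimate stays in the same range as the unfiltered one.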
