DGARDENER12 Posted April 4, 2015

Hi, I am quite new to password generation, so forgive me if this is a stupid question :) I am trying to generate all possible combinations of WPA keys for BigPond modems in Australia. I have identified the layout of every single key that they generate. They look like this: 1234E5678D, and it's always the same layout: "the first 4 characters are numbers, then the 5th character is a capital letter, then the next 4 are numbers again and the last is a letter". But for the life of me I cannot seem to work out how to generate keys with such specific parameters. Any ideas how I would accomplish this? Any help would be much appreciated.

cooper Posted April 5, 2015 (edited)

Well, let's start with a bit of math first. What's the size of the keyspace here?

    10000*26*10000*26 = 67.600.000.000

To create a file containing just those keys would require:

    67.600.000.000 * (10+1) = 743.600.000.000 bytes (10 for the combination and 1 for a separator character)

So, unless you have 3/4th of a terabyte lying around doing nothing, it wouldn't make a lot of sense to actually _store_ the combinations. My suggestion would be to generate this data on the fly and then process it to achieve your goal.

So how would you do that? It's surprisingly easy, actually. You use the GNU parallel program.

    parallel -j100 try_combination.sh {1}{2}{3}{4}{5}{6}{7}{8}{9}{10} ::: {0..9} ::: {0..9} ::: {0..9} ::: {0..9} ::: {A..Z} ::: {0..9} ::: {0..9} ::: {0..9} ::: {0..9} ::: {A..Z}

The 'try_combination.sh' script is something you're going to have to provide yourself. What this command does is run 100 parallel threads, each of which will execute "try_combination.sh [one_valid_combination]". Replace 'try_combination.sh' with 'echo' to see for yourself.

Concurrent threads are great when your machine spends most of its time waiting for something from the outside world to respond to it. When you're basically number crunching, as I suspect you're going to be, it makes more sense to reduce the amount of jobs (the -j) from 100 to about the number of cores on your CPU + 1.

Edited April 5, 2015 by Cooper

digip Posted April 5, 2015

I could be wrong, but couldn't you use a mask with the fields you know the limits for of each section and feed it to oclhashcat to crack on the fly with your GPU (provided you have CUDA or OpenCL based drivers for your graphics card)? Mind you, this won't brute force a login prompt, but if you have the captured 4-way handshake, you run it through the conversion set for hashcat so it can read it, and then use your mask to crack it.

https://hashcat.net/cap2hccap/
https://hashcat.net/wiki/doku.php?id=mask_attack

fugu Posted April 6, 2015 (edited)

crunch-wordlist.sourceforge.net

You can make wordlists, or even better you can pipe a wordlist into aircrack; i.e.

    username$ crunch 10 10 -t %%%%,%%%%, | aircrack-ng -w - -b 00:11:22:33:44:55 test.pcap

Although, Cooper's method or digip's method of running in parallel would be much faster.

Edited April 7, 2015 by fugu

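Added example, not part of any post in this thread: a defender-side check that reads the mask notation from the crunch command above (`%` digit, `,` upper-case letter, `@` lower-case letter), reproduces the keyspace and file-size figures from cooper's post, and flags configured passphrases that still follow the factory layout. The function names and the sample inventory are constructed for illustration.

```python
import math
import re

# crunch -t mask symbols: % digit, "," upper-case letter, @ lower-case letter.
CLASSES = {"%": (10, "[0-9]"), ",": (26, "[A-Z]"), "@": (26, "[a-z]")}

DEFAULT_MASK = "%%%%,%%%%,"  # layout described in the first post

def keyspace(mask):
    """Number of distinct keys a mask can produce (literal characters count once)."""
    total = 1
    for ch in mask:
        total *= CLASSES.get(ch, (1, None))[0]
    return total

def entropy_bits(mask):
    """Effective strength of a key drawn uniformly from the mask, in bits."""
    return math.log2(keyspace(mask))

def wordlist_bytes(mask):
    """Size of a complete wordlist: every key plus one separator byte."""
    return keyspace(mask) * (len(mask) + 1)

def equivalent_random_length(mask, alphabet=62):
    """Shortest random [A-Za-z0-9] string whose keyspace is at least as large."""
    n = 0
    while alphabet ** n < keyspace(mask):
        n += 1
    return n

def mask_regex(mask):
    """Translate the mask into a regex that matches exactly that layout."""
    parts = [CLASSES[ch][1] if ch in CLASSES else re.escape(ch) for ch in mask]
    return re.compile("".join(parts))

def audit(passphrases, mask=DEFAULT_MASK):
    """Return the passphrases that still follow the factory layout."""
    pattern = mask_regex(mask)
    return [p for p in passphrases if pattern.fullmatch(p)]

# Constructed sample inventory (not real device data).
SAMPLE = ["1234E5678D", "0000A0000Z", "1234e5678d", "k7#Vq2p!Lm9xT4wz"]

if __name__ == "__main__":
    print("keyspace:", keyspace(DEFAULT_MASK))
    print("bits: %.2f" % entropy_bits(DEFAULT_MASK))
    print("wordlist bytes:", wordlist_bytes(DEFAULT_MASK))
    print("comparable random alphanumeric length:", equivalent_random_length(DEFAULT_MASK))
    print("still on factory layout:", audit(SAMPLE))
```

A 10-character key in this layout carries about 36 bits, less than a 7-character random alphanumeric string, so any passphrase the audit flags should be replaced with a long random one.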