
WPA password generation



Hi, I am quite new to password generation, so forgive me if this is a stupid question :)

I am trying to generate all possible combinations of WPA keys for BigPond modems in Australia. I have identified the layout of every single key that they generate. They look like this: 1234E5678D, and it's always the same layout: "the first 4 characters are numbers, then the 5th character is a capital letter, then the next 4 are numbers again and the last is a letter". But for the life of me I cannot seem to work out how to generate keys with such specific parameters. Any ideas how I would accomplish this? Any help would be much appreciated. :grin:


Well, let's start with a bit of math first. What's the size of the keyspace here?

10000*26*10000*26 = 67.600.000.000

To create a file containing just those keys would require:

67.600.000.000 * (10+1) = 743.600.000.000 bytes

(10 for the combination and 1 for a separator character)

So, unless you have 3/4th of a terabyte lying around doing nothing, it wouldn't make a lot of sense to actually _store_ the combinations.

My suggestion would be to generate this data on the fly and then process it to achieve your goal.

So how would you do that? It's surprisingly easy, actually. You use the GNU parallel program.

parallel -j100 try_combination.sh {1}{2}{3}{4}{5}{6}{7}{8}{9}{10} ::: {0..9} ::: {0..9} ::: {0..9} ::: {0..9} ::: {A..Z} ::: {0..9} ::: {0..9} ::: {0..9} ::: {0..9} ::: {A..Z}

The 'try_combination.sh' script is something you're going to have to provide yourself. What this command does is run 100 parallel threads, each of which will execute "try_combination.sh [one_valid_combination]". Replace 'try_combination.sh' with 'echo' to see for yourself. Concurrent threads are great when your machine spends most of its time waiting for something from the outside world to respond to it. When you're basically number crunching, as I suspect you're going to be, it makes more sense to reduce the number of jobs (the -j) from 100 to about the number of cores on your CPU + 1.

Edited by Cooper

I could be wrong, but couldn't you use a mask with the fields you know the limits for in each section and feed it to oclhashcat to crack on the fly with your GPU (provided you have CUDA or OpenCL based drivers for your graphics card)?

Mind you, this won't brute force a login prompt, but if you have the captured 4-way handshake, you run it through the conversion set for hashcat so it can read it, and then use your mask to crack it.




crunch-wordlist.sourceforge.net: you can make wordlists, or even better, you can pipe a wordlist into aircrack, i.e.

username$ crunch 10 10 -t %%%%,%%%%, | aircrack-ng -w - -b 00:11:22:33:44:55 test.pcap

Although Cooper's method or digip's method of running in parallel would be much faster.

Edited by fugu
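
For anyone checking whether their own router still uses a key in this layout, the keyspace arithmetic and the crunch mask from the posts above can be combined into a small audit helper. This is an added example, not code from any poster in the thread; the function names and the 94-symbol comparison alphabet are assumptions.

```python
import math

# crunch -t placeholders: % = digit, , = uppercase letter, @ = lowercase letter.
# The symbol placeholder (^) is left out; any other character is a literal.
CLASSES = {
    "%": "0123456789",
    ",": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "@": "abcdefghijklmnopqrstuvwxyz",
}


def keyspace(mask):
    """Count the distinct keys a mask can produce."""
    total = 1
    for ch in mask:
        total *= len(CLASSES.get(ch, ch))  # a literal contributes a factor of 1
    return total


def wordlist_bytes(mask):
    """Size of a stored wordlist: each key plus one separator byte."""
    return keyspace(mask) * (len(mask) + 1)


def entropy_bits(mask):
    """Best-case entropy of a key drawn uniformly from the mask."""
    return math.log2(keyspace(mask))


def matches(mask, psk):
    """True if a passphrase falls inside the mask, i.e. it is default-format."""
    if len(psk) != len(mask):
        return False
    return all(c in CLASSES.get(m, m) for m, c in zip(mask, psk))


DEFAULT_MASK = "%%%%,%%%%,"   # the layout described in the first post
RANDOM_ALPHABET = 94          # assumption: printable ASCII without space

if __name__ == "__main__":
    print("keys:", keyspace(DEFAULT_MASK))
    print("wordlist bytes:", wordlist_bytes(DEFAULT_MASK))
    print("entropy bits: %.1f" % entropy_bits(DEFAULT_MASK))
    # A random 10-character passphrase over 94 symbols, for comparison.
    print("random 10-char bits: %.1f" % (10 * math.log2(RANDOM_ALPHABET)))
    print("1234E5678D default-format:", matches(DEFAULT_MASK, "1234E5678D"))
```

A key that `matches` the default mask carries about 36 bits of entropy at best, which is the reason to replace it with a long random passphrase.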
