
A direct WPA Bruteforce Attack


koloss

After four months of relentless persistence I finally was able to bruteforce my neighbor's WPS PIN. After spending days of AP lock and figuring out the precise x:y values, I found that the WPA PSK is an 8-digit number (like all other PSKs), but it got me thinking: what if I did a direct bruteforce of the PSK?

I don't know if the AP could actually lock that (so that no new device can connect, even with the right pass), but if we talk about 200 tries/day I think it can be cracked in a guaranteed 55 days (11000/200).

I'm a newbie at this stuff, so please, is there a script for that, or is my theory stupid-wrong?

Thanks


So you spent four months disrupting your neighbour's wifi. Either they are very patient if they knew about it, or very annoyed with having problems if they didn't know. If you now start trying to attack it further you are just going to mess them up even more. If you want to practice things like this, get yourself your own AP and practice on that. If all you want to do is to see how the tools work, then set easy-to-guess/crack PINs and passwords; the tools will finish in a short time and you'll see how to use them. If you want a challenge, then get someone else to set the values for you and then attack those. I'd leave your neighbour alone if I were you.


I do not want to wreak havoc or steal sensitive info, I swear. I just wanted to leech on some fast Internet (which sadly is the same speed as mine; I guess upgrading is expensive for both him and me). All it got me is an idea of a direct bruteforce attack, and it's stuck in my head. I know I would be pissed off too if someone leeched on my crappy connection, and I will leave him alone. Sorry if I caused any problem.



You just admitted to attacking wifi without permission with the intent to steal service from your neighbour. I don't know if that is an offence in your country, but it is in most places. It certainly isn't condoned on this forum.

Think before you post things like this publicly.


A much better way of phrasing the question is: "I set up a WPA network on my own router in an attempt to gain the password via capturing a handshake and brute forcing the password..." Think, please. Not all features of the Pineapple are legal if you use them without consent of the target.


Fine

I cracked my router after a considerable amount of reaver and mdk3 attacks because of AP locking. After that I found out that the PSK is just an 8-digit-long number, and I believe a bruteforce of it (where there are no clients or any way to get a handshake) could reduce the time needed. Is there a way to do that?

Thanks


With WPA there is a 4-way handshake. They make tools for brute forcing the handshake. With WPS, there are PIN codes, which you could try attacking with things like reaver and wifite, and they do work, but many routers will freeze up or reboot under the load of these attacks, which means rate limiting them, and that takes a very long time. A new attack out now is the Pixie Dust attack, which also may work and is an offline WPS method.

WEP is an already broken protocol and can be cracked in less than 5 minutes on most computers.

Knowledge is not a crime, and it's not that we're trying to avoid helping you; it's that we don't condone attacking networks you don't own. In reality whatever you do is on you; we don't have a say one way or the other, but learning is not something we censor here. Stating ignorance in the face of help will in itself find you on the receiving end of a flame war that will only get your threads locked, though, so be respectful and understand the rules around here before stating

"I understand if don't want to help me".


I know, I'm sorry I started this thread wrong. Let's just have a clean sheet again.

I acknowledge the ways of cracking you told me about, but my question is: in a hypothetical AP with WPA2 protection and no clients or WPS enabled, where you know the pass is an 8-digit numerical password (to make the possibilities as low as possible), is there a way to crack it?


8 digit numeric means 99.999.999 possible combinations.

Drop off all variations where the combination has the same number 4 or more times in it and we're down to 96.500.034.

You're limited by the speed at which the router can do a handshake with you, so let's assume it takes a total of 1 second for 1 attempt. At that rate it would take you 4 years to exhaust the keyspace.

When you capture a handshake you can bruteforce this and only be limited by your own hardware, which even with mere-mortal type hardware is likely to go through this set in under a day, particularly with the help of a graphics card.

Going with 8-digit numeric is rather dumb, really. By going with that as opposed to the more typical 8-digit alphanumeric and case sensitive they picked a keyspace of 99.999.999 over a keyspace of 128.063.081.718.016. My ISP uses 11-digit case sensitive alpha numeric which provides a keyspace of 24.986.644.000.165.537.792. Good luck brute forcing that...

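The keyspace arithmetic in the post above, worked through as an added Python example (this is not code from the thread). It counts an n-symbol keyspace, counts the subset of 8-digit strings in which no digit occurs four or more times with an exact multinomial dynamic programme rather than an estimate, and converts a keyspace into worst-case exhaustion time at a guess rate. The two rates (one association attempt per second against the AP, 100,000 PBKDF2 candidates per second on one consumer GPU) are assumptions for illustration, not measurements.

```python
from math import comb

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Illustrative guess rates (assumptions, not measurements):
ONLINE_RATE = 1.0         # one full association attempt per second against the AP
OFFLINE_RATE = 100_000.0  # PBKDF2 candidates per second on a single consumer GPU


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of exactly `length` symbols over an alphabet."""
    return alphabet_size ** length


def count_max_repeats(length: int, alphabet_size: int, max_repeat: int) -> int:
    """Strings of `length` symbols in which no symbol occurs more than
    `max_repeat` times.

    Multinomial dynamic programme: walk the alphabet one symbol at a time and
    let each symbol claim 0..max_repeat of the still-unfilled positions. The
    product of the binomials telescopes to n! / (c1! * ... * ca!), i.e. the
    exact number of arrangements for every admissible count vector.
    """
    dp = [0] * (length + 1)   # dp[p]: ways to fill exactly p positions so far
    dp[0] = 1
    for _ in range(alphabet_size):
        nxt = [0] * (length + 1)
        for used, ways in enumerate(dp):
            if ways == 0:
                continue
            for c in range(min(max_repeat, length - used) + 1):
                nxt[used + c] += ways * comb(length - used, c)
        dp = nxt
    return dp[length]


def exhaust_time_years(space: int, rate_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return space / rate_per_second / SECONDS_PER_YEAR


def summary() -> dict:
    """All the figures discussed in the thread, computed rather than quoted."""
    numeric8 = keyspace(10, 8)
    alnum8 = keyspace(62, 8)          # [a-zA-Z0-9], 8 symbols
    return {
        "numeric8": numeric8,                                   # 100,000,000
        "numeric8_no_digit_4plus": count_max_repeats(8, 10, 3),  # 94,978,800
        "alnum8": alnum8,
        "alnum11": keyspace(62, 11),
        "numeric8_online_years": exhaust_time_years(numeric8, ONLINE_RATE),
        "numeric8_offline_hours": numeric8 / OFFLINE_RATE / 3600,
        "alnum8_offline_years": exhaust_time_years(alnum8, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        if isinstance(value, float):
            print(f"{name:26s} {value:,.2f}")
        else:
            print(f"{name:26s} {value:,}")
```

The online figure is the one that matters for the original question: at one attempt per second, 10^8 candidates take a little over three years even before the AP's lockout behaviour is considered, whereas the same keyspace against a captured handshake is well under an hour at the assumed GPU rate.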

What I was thinking was perhaps rainbow tables, but I don't know; I would have to do some research. If you went the rainbow table route you would end up with several terabytes of used space, but probably pretty snappy cracking. I don't think there is anything precluding their use; there may not be any made, though. You also usually need to collect a handshake in order to do offline cracking, which will be faster: upload the handshake to a beefier computer to do the crack.

Edited by overwraith

A rainbow table works when (part of) the algorithm starts from a known state.

The problem with WPA(2) is that it works with a random value, meaning that you can't precompute the rainbow table and use it to speed up future decryption attempts.


Sorry, you can tell how green I am when it comes to wifi hacking. If that's the case, then the only thing I can think of is massive multithreading and perhaps increasing the number and/or speed of the hard drives which contain the phrase lists. Increased cores would also help.

Edited by overwraith

Yeah, to crack these problems you need cores. The more the better, the faster the better.

And since the algorithm tends to be dead-simple (so some cheap-ass chip slapped on a board and molded in Chinese plastic can still produce it) your graphics adapter can work stunning miracles with these.

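What the offline step in the last few posts actually computes, as an added Python example (not code from the thread). In WPA/WPA2-Personal the pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 iterations, 256-bit output; a real handshake cracker then derives the PTK from that PMK and checks the MIC of a captured 4-way handshake frame, which this block does not reproduce. Two things follow directly and are shown below: a precomputed table is only good for the one SSID it was built for, and every candidate costs 4096 HMAC-SHA1 operations, which is why core count and GPUs matter. The "password"/"IEEE" vector is the published test vector from the 802.11 standard; the SSID "HomeNet" and the passphrase "00000042" are constructed for the demonstration.

```python
import hashlib
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11 standard for WPA-Personal
PMK_LEN = 32               # 256-bit pairwise master key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).

    The SSID is the salt, so the same passphrase yields a different PMK on
    every differently named network: any precomputed table is per-SSID.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def numeric_candidates(length: int) -> Iterable[str]:
    """Every zero-padded decimal string of the given length, lowest first."""
    for n in range(10 ** length):
        yield f"{n:0{length}d}"


def recover_passphrase(target_pmk: bytes, ssid: str,
                       candidates: Iterable[str]) -> Optional[str]:
    """Offline search: derive the PMK for each candidate and compare.

    Each iteration is one full PBKDF2 run (4096 HMAC-SHA1 calls); nothing
    from one candidate can be reused for the next, so throughput scales
    only with how many of these you can run in parallel.
    """
    for cand in candidates:
        if derive_pmk(cand, ssid) == target_pmk:
            return cand
    return None


def demo() -> dict:
    """Constructed scenario: an 8-digit numeric PSK on a network called HomeNet."""
    ssid = "HomeNet"                       # constructed
    true_psk = "00000042"                  # constructed, deliberately low so the demo is quick
    target = derive_pmk(true_psk, ssid)    # stands in for what the handshake lets you verify
    return {
        "standard_vector": derive_pmk("password", "IEEE").hex(),
        "same_pass_other_ssid_differs": derive_pmk(true_psk, ssid) != derive_pmk(true_psk, ssid + "2"),
        "recovered": recover_passphrase(target, ssid, numeric_candidates(8)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30s} {value}")
```

Run as written, the search stops after 43 candidates; against a real 8-digit PSK it would run up to 10^8 PBKDF2 derivations for that one SSID, which is the workload the GPU comments above are about.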
