
Questions about wifi hacking


KGONEPOSTL


I haven't looked into wifi hacking in over 5 years so bear with me. I don't even know where to start. It has been so heavily confusing catching up. I already did some preliminary research. I started reading about pyrit, oclhashcat gpu bruteforcing pmk's, cowpatty. What are some good ways to get into my wireless network? I want to crack my network. I'm thinking about bruteforcing or a dictionary attack. Current password is 6 characters long and contains upper case and lower case. I have a mid-tier gpu (asus r9 290) if bruteforcing will take too long with those requirements.

1.) Is bruteforcing mostly out of the question even with an r9 290 gpu? I plan to upgrade to a gtx 980 X2 SLI config in the next month or so.
2.) Dictionary attacks aren't very effective from what I understand. That sucks. Is there a way to make them more effective? This would be ideal.
3.) What other options are there?

I'd like a rundown of effective wpa2 cracking methods to read about basically. Thanks for your help.

Edited by KGONEPOSTL

Current password is 6 characters long and contains upper case and lower case.

If I'm not mistaken, I think the minimum password length for wpa2 is 8 characters. The maximum is 63 characters long. The total keyspace for wpa2 (including upper/lower/digit/symbol) is about:

$ python -c 'print ( (26+26+10+58)**63 - (26+26+10+58)**8 )'
if you divide that number by the Tries/sec you're able to perform, you'll have (about) the number of seconds it'll take to crack it via brute force. That keyspace is pretty big IMO.

If I'm not mistaken, I think the minimum password length for wpa2 is 8 characters. The maximum is 63 characters long. The total keyspace for wpa2 (including upper/lower/digit/symbol) is about:

$ python -c 'print ( (26+26+10+58)**63 - (26+26+10+58)**8 )'
if you divide that number by the Tries/sec you're able to perform, you'll have (about) the number of seconds it'll take to crack it via brute force. That keyspace is pretty big IMO.

I can't do that math. More importantly I don't know what those numbers represent. Are you saying that I shouldn't brute force because it takes too long?

Edited by KGONEPOSTL

That's every character, plus every CHARACTER, plus every number, plus every usable punctuation to the power of 63 minus the same to the power of 8, which gives you every possible character combination within that keyspace. If you really want to know what this means, check out this page.

https://www.acrylicwifi.com/en/blog/is-a-wpawpa2-wi-fi-network-secure/


What they try to tell you is that there are too many passwords to fully bruteforce the bugger. You need to restrict yourself by either discovering or assuming, say, a password length of X with only 1 to 3 numbers in there. Some providers might adhere to a known pattern making it easier.

But if you want to learn the concept, write the correct password in your dictionary, do an attack and see that it works. Now all you have to do when you try this in the field is use a larger dictionary and have the hardware to process it in the time you have.

Also, check out the pixie dust attack against WPS. When the device is vulnerable it's a heck of a lot faster than breaking the WPA2 crypto.


If you know the ESSID for the access point you will be testing you can always generate a precomputed table. If you have a system with a decent sized CPU you can create all of the PMKs ahead of time. It's still going to take the computation time initially but once it's done you are golden. One of the benefits to the precomputed table is if they change the password you might still have the password in your table. The only way to secure your access point against this kind of attack is to change the ESSID. But I think you can do this with the BSSID as well so you gotta change the MAC address. The point is if you make the rainbow table you're likely to get back in when the password has been changed. Of course there's always finding an OPN access point, one that is vuln to the Pixiedust attack, or a WEP protected access point. But really go for the lowest hanging fruit. That is, unless you really need to hit a specific access point and that is the only way you can gain access to the network. But it's probably not the only way in.


If you know the ESSID for the access point you will be testing you can always generate a precomputed table. If you have a system with a decent sized CPU you can create all of the PMKs ahead of time. It's still going to take the computation time initially but once it's done you are golden. One of the benefits to the precomputed table is if they change the password you might still have the password in your table. The only way to secure your access point against this kind of attack is to change the ESSID. But I think you can do this with the BSSID as well so you gotta change the MAC address. The point is if you make the rainbow table you're likely to get back in when the password has been changed. Of course there's always finding an OPN access point, one that is vuln to the Pixiedust attack, or a WEP protected access point. But really go for the lowest hanging fruit. That is, unless you really need to hit a specific access point and that is the only way you can gain access to the network. But it's probably not the only way in.

That's why you don't use default SSIDs, use random character passwords with no real words in them, and change it every now and then. Also never enable WPS, what a load of bullshit that was. Freaking worse than WEP!


Ok so for correctness my math is wrong. It's actually going to be an even bigger number than I had previously said. My correction is

$$\sum_{i=8}^{63} (26+26+10+58)^{i} = (26+26+10+58)^{63} + (26+26+10+58)^{62} + (26+26+10+58)^{61} + \cdots + (26+26+10+58)^{8}$$

This is the absolute total number of possible passwords in wpa2. And it's a big number. I think just the first term in this equation is ~10^130, even running 10,000 password tries a sec could take forever.

Edited by fugu

Isn't the wpa2 pwd technically 256^63 since you could be using unicode if you felt like it. Emojis even.

Bottom-line: Don't attempt to try all possibilities.


you could be using unicode if you felt like it.

Yeah, that's something I didn't even think of. But if you use unicode your password is now limited to 4..31 characters.

#3
$ wpa_passphrase test "ÂÂÂ"
Passphrase must be 8..63 characters
#4
$ wpa_passphrase test "ÂÂÂÂ"
network={
	ssid="test"
	#psk="ÂÂÂÂ"
	psk=8c01c60dabccfc54d59c0b1a8fd4b377749722a56bae9ae45cd5c703eb5a6e35
}
#31
$ wpa_passphrase test "ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ"
network={
	ssid="test"
	#psk="ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ"
	psk=73573d6631649a55785a0db46399664d7195e9310c7d494aefc1d874d15db9be
}
#32
$ wpa_passphrase test "ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ"
Passphrase must be 8..63 characters

$$\sum_{i=4}^{31} 256^{i} = 256^{31} + 256^{30} + 256^{29} + \cdots + 256^{4}$$

Edited by fugu
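An added Python example (not code from the thread) that reproduces the two points made above: the 8..63 limit wpa_passphrase enforces is a limit on UTF-8 bytes, which is why a 2-byte character like Â gives 4..31 characters (and a 4-byte emoji fewer still), and the PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, which is why the precomputed PMK tables discussed earlier only work for one ESSID. The "password"/"IEEE" vector in the test is the published IEEE 802.11i one; the Â strings are constructed to match the forum experiment.

```python
import hashlib

# Added example, not from the thread. wpa_passphrase rejects passphrases outside
# 8..63 bytes; WPA2-Personal derives the 256-bit PSK (= PMK) with
# PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes, SSID as salt.
MIN_BYTES, MAX_BYTES = 8, 63


def passphrase_ok(passphrase: str) -> bool:
    """True if the UTF-8 encoding is 8..63 bytes (the wpa_passphrase rule)."""
    return MIN_BYTES <= len(passphrase.encode("utf-8")) <= MAX_BYTES


def max_chars(sample_char: str) -> int:
    """Longest passphrase made only of sample_char that still fits in 63 bytes."""
    return MAX_BYTES // len(sample_char.encode("utf-8"))


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the PSK as hex, the value wpa_passphrase prints in the psk= line."""
    if not passphrase_ok(passphrase):
        raise ValueError("Passphrase must be 8..63 bytes")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), 4096, dklen=32)
    return raw.hex()


if __name__ == "__main__":
    # Constructed inputs: Â is U+00C2, two bytes in UTF-8.
    for n in (3, 4, 31, 32):
        p = "Â" * n
        print(f"{n:2d} x Â -> {len(p.encode('utf-8'))} bytes, accepted={passphrase_ok(p)}")
    print("max Â chars:", max_chars("Â"))      # 31, as found with wpa_passphrase
    print("PSK for ssid=test, 4 x Â:", wpa_psk("test", "Â" * 4))
    # Same passphrase, different SSID -> different PMK: a table built for one
    # ESSID does not transfer to another, so changing the ESSID invalidates it.
    print("same PMK across SSIDs?",
          wpa_psk("test", "password") == wpa_psk("IEEE", "password"))
```

Compare the printed PSK for ssid=test with the psk= line in the wpa_passphrase output above to confirm the derivation; the 4096-round KDF is also why the per-second rates quoted later in the thread are so low compared with plain hash cracking.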

  • 2 weeks later...

I'm using the Nvidia GTX960 which is in the same range of your card. When I'm bruteforcing, I have a 15Gb password list with about two billion passwords in it. It takes me about three hours to go through the entire list.

Damn, I have the same card, didn't realise it performed at that level.

You using Hashcat?


Hashcat

Running on Kali with slightly outdated CUDA software, I'm getting around 90,000 per second if I remember correctly. My card is stock too, so you could probably get more with an overclock.

I also have an 8-thread i7-6700, 3.4GHz. I don't remember if it uses the CPU any, I know pyrit does, but I only get around 60,000 with it.


Hashcat

Running on Kali with slightly outdated CUDA software, I'm getting around 90,000 per second if I remember correctly. My card is stock too, so you could probably get more with an overclock.

I also have an 8-thread i7-6700, 3.4GHz. I don't remember if it uses the CPU any, I know pyrit does, but I only get around 60,000 with it.

I should probably have a play, then! Haven't run any password hashes since getting the 960, sounds around 30x faster than my last card.

I'd love a Titan, but spending £1k on a card would probably make me weep.

Edited by haze1434

No.

I read somewhere you could flood it with EAPOL requests and force it to restart. Never tried it myself though.

Here is a post I found on the forum that seems to be the same issue.

https://forums.hak5.org/index.php?/topic/32494-reaver-ap-rate-limiting-detected-and-automatic-mdk3-solution/

Edited by Fallen Archangel

When the AP kicks in the rate limiter, you're done. All you can do now is reset the device and try again, which sucks because you only get, like, 3 attempts and then the thing will block you so you need to get it to restart again. Also, the means by which you get a router to restart are basically the oldest trick in the book and many APs have been hardened against this.

Generally speaking if you've got a somewhat modern AP this isn't going to work. Look into the Pixiedust attack.


I'm just going to throw it out there since I've been thinking about coming up with a way to do it.

Can't you save the reaver session, down your wireless device, change MAC address, resume session, and get like three tries per MAC? So you get X tries and after X failed attempts you change your MAC to one that's not locked out and start again.

Maybe:

Create an array of wireless devices. I mean like just go and grab a couple of 10-port USB hubs and fill them up with wireless adapters. So instead of trying 10,000 PINs on a single device you are trying only about 500 per device and you are running the searches concurrently. It would get done in about 5% of the time. I'm sure there's a maximum number of clients you can run before the AP is overwhelmed and starts crashing. But I think 20 or so clients would be fine.

Just a hypothetical but I think it could work on some access points.

Edited by vailixi