Jump to content

Questions about wifi hacking


Recommended Posts

I haven't looked into wifi hacking in over 5 years so bare with me. I don't even know where to start. It has been so heavily confusing catching up. I already did some preliminaring research. I started reading about pyrit, oclhashcat gpu bruteforcing pmk's, cowpatty. What are some good ways to get into my wireless network? I want to crack my network. I'm thinking about bruteforcing or a dictionary attack. Current password is 6 characters long and contains upper case and lower case. I have a mid teir gpu (asus r9 290) if bruteforcing will take too long with those requirement.s

1.) Is bruteforcing mostly out of the question even with a r9 290 gpu? I plan to upgrade to a gtx 980 X2 SLI config in the next month or so.
2.) Dictionary attacks aren't very effective from what I understand. That sucks. Is there a way to make them more effective? This would be ideal.
3.) What other options are there?

I'd like a rundown of effective wpa2 cracking methods to read about basically. Thanks for your help.

Edited by KGONEPOSTL
Link to post
Share on other sites

Current password is 6 characters long and contains upper case and lower case.

If Im not mistaken, I think the minimum password length for wpa2 is 8 characters. The maximum is 63 characters long. The total keyspace for wpa2 (including upper/lower/digit/symbol) is about:

$ python -c 'print ( (26+26+10+58)**63 - (26+26+10+58)**8 )'
if you divide that number by the Tries/sec your able to perform, you'll have (about) the number of seconds it'll take to crack it via brute force. That keyspace is pretty big IMO.
Link to post
Share on other sites

If Im not mistaken, I think the minimum password length for wpa2 is 8 characters. The maximum is 63 characters long. The total keyspace for wpa2 (including upper/lower/digit/symbol) is about:

$ python -c 'print ( (26+26+10+58)**63 - (26+26+10+58)**8 )'
if you divide that number by the Tries/sec your able to perform, you'll have (about) the number of seconds it'll take to crack it via brute force. That keyspace is pretty big IMO.

I can't do that math. More importantly I don't know what those numbers represent. Are you saying that I shouldn't brute force because it takes too long?

Edited by KGONEPOSTL
Link to post
Share on other sites

That's every character, plus every CHARACTER, plus every number, plus every usable punctuation to the power of 63 minus the same to the power of 8, which gives you every possible character combination within that keyspace. If you really want to know what this means, check out this page.

https://www.acrylicwifi.com/en/blog/is-a-wpawpa2-wi-fi-network-secure/

Link to post
Share on other sites

What theybtry to tell you is that there are too many passwords to fully bruteforce the bugger. You need to restrict yourself by either discovering or assuming, say, a password length of X with only 1 to 3 numbers in there. Some providers might adhere to a known pattern making it easier.

But if you want to learn the concept, write the correct password in your dictionary, do an attack and see that it works. Now all you have to do when you try this in the field is use a larger dictionary and have the hardware to process it in the time you have.

Also, check out the pixie dust attack against WPS. When the device is vulnerable it's a heck of a lot faster than breaking the WPA2 crypto.

Link to post
Share on other sites

If know the ESSID for the access point you will be testing you can always generate a precomputed table. If you have a system with a decent sized CPU you can create all of PMKs ahead of time. It's still going to take the computation time initially but once it's done you are golden. One of the benefits to the precomputed table is if they change the password you might still have the password in your table. The only way to secure your access point against this kind of attack is to change the ESSID. But I think you can do this with the BSSID as well so you gotta change the MAC address. The point is if you make the rainbow table you're likely to get back in when the password has been changed. Of course there's always find an OPN access, one that is vuln to Pixiedust attack, Or a WEP protected access point. But really go for the lowest hanging fruit. That is, unless you really need to hit a specific access point and that is the only way you can gain access to the network. But it's probably not the only way in.

Link to post
Share on other sites

If know the ESSID for the access point you will be testing you can always generate a precomputed table. If you have a system with a decent sized CPU you can create all of PMKs ahead of time. It's still going to take the computation time initially but once it's done you are golden. One of the benefits to the precomputed table is if they change the password you might still have the password in your table. The only way to secure your access point against this kind of attack is to change the ESSID. But I think you can do this with the BSSID as well so you gotta change the MAC address. The point is if you make the rainbow table you're likely to get back in when the password has been changed. Of course there's always find an OPN access, one that is vuln to Pixiedust attack, Or a WEP protected access point. But really go for the lowest hanging fruit. That is, unless you really need to hit a specific access point and that is the only way you can gain access to the network. But it's probably not the only way in.

That's why you don't use default ssid's, use random character passwords with no real words in it, and change it every now and then. Also never enable wps, what a load of bullshit that was. Freaking worse than wep!

Link to post
Share on other sites

Ok so for correctness my math is wrong. It's actually going to be an even bigger number then I had previously said. My correction is
i = 863 (26+26+10+58) i = (26+26+10+58) 63 + (26+26+10+58) 62 + (26+26+10+58) 61 + ⋯ + (26+26+10+58) 8

This is the absolute total number of possible passwords in wpa2. And its a big number. I think just the first term in this equation is ~10^130, even running 10,000 password tries a sec could take forever.

Edited by fugu
Link to post
Share on other sites

Isn't the wpa2 pwd technically 256^63 since you could be using unicode if you felt like it. Emojis even.

Bottom-line: Don't attempt to try all possibilities.

Link to post
Share on other sites

you could be using unicode if you felt like it.

Yeah that something I didn't even think of. but if you use unicode you password is now limited to 4..31 characters.

#3
$ wpa_passphrase test "ÂÂÂ"
Passphrase must be 8..63 characters
#4
$ wpa_passphrase test "ÂÂÂÂ"
network={
	ssid="test"
	#psk="ÂÂÂÂ"
	psk=8c01c60dabccfc54d59c0b1a8fd4b377749722a56bae9ae45cd5c703eb5a6e35
}
#31
$ wpa_passphrase test "ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ"
network={
	ssid="test"
	#psk="ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ"
	psk=73573d6631649a55785a0db46399664d7195e9310c7d494aefc1d874d15db9be
}
#32
$ wpa_passphrase test "ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ"
Passphrase must be 8..63 characters

i = 431 (256)i = (256)31 + (256)30 + (256)29 + ⋯ + (256)4

Edited by fugu
Link to post
Share on other sites
  • 2 weeks later...

I'm using the Nvidia GTX960 which is in the same range of your card. When I'm bruteforcing, I have a 15Gb password list with about two billion passwords in it. It takes me about three hours to go through the entire list.

Damn, I have the same card, didn't realise it performed at that level.

You using Hashcat?

Link to post
Share on other sites

Hashcat

Running on Kali with slightly outdated Cuda software, I'm getting around 90,000 per second if I remember correctly. My card is stock too, so you could probably get more with an overclock.

I also have an 8 thread i7-6700, 3.4ghz. I don't remember if it uses cpu any, i know pyrit does, but I only get around 60,000 withe it.

Link to post
Share on other sites

Hashcat

Running on Kali with slightly outdated Cuda software, I'm getting around 90,000 per second if I remember correctly. My card is stock too, so you could probably get more with an overclock.

I also have an 8 thread i7-6700, 3.4ghz. I don't remember if it uses cpu any, i know pyrit does, but I only get around 60,000 withe it.

I should probably have a play, then! Haven't run any password hashes since getting the 960, sounds around 30x faster than my last card.

I'd love a Titan, but spending £1k on a card would probably make me weep.

Edited by haze1434
Link to post
Share on other sites

No.

I read somewhere you could, flood it with EAPOL request and force it to restart. Never tried it myself though.

Here is a post I found on the forum that seems to be the same issue.

https://forums.hak5.org/index.php?/topic/32494-reaver-ap-rate-limiting-detected-and-automatic-mdk3-solution/

Edited by Fallen Archangel
Link to post
Share on other sites

When the AP kicks in the rate limiter, you're done. All you can do now is reset the device and try again, which sucks because you only get, like, 3 attempts and then the thing will block you so you need to get it to restart again. Also, the means by which you get a router to restart are basically the oldest trick in the book and many APs have been hardened against this.

Generally speaking if you've got a somewhat modern AP this isn't going to work. Look into the Pixiedust attack.

Link to post
Share on other sites

I'm just going to throw it out there since I've been thinking about coming up with a way to do it.

Can't you save the reaver session, down your wireless device, change mac address, resume session, Get like three tries per MAC. So you get X tries and after X failed attempts you change your MAC to one that's not locked out and start again.

Maybe:

Create a array of wireless devices. I mean like just go and grab a could of 10 port USB hubs and fill them up with wireless adapters. So instead of trying 10,000 PINs on a single device you are trying 500 only about 500 per device and your are running the searches concurrently. It would get done in about 5% of the time. I'm sure there's a maximum number of clients you can run before the AP is overwhelmed and starts crashing. But I think 20 or so clients would be fine.

Just a hypothetical but I think it could work on some access points.

Edited by vailixi
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...