i8igmac Posted March 3, 2019
It's been a while since I have messed around, but the time has come that I document what I'm doing...
wash
reaver wps pin attacks
deauth and capture handshakes
hashcat gpu cracking
wpa wordlists: 'couch potato 123', comcast word generator type of password attacks that are router specific
wifi antennas 2.4 GHz and 5.8 GHz
It looks like nonsense, but I'll do some automation in my favorite language (ruby). I'll do some multi-threaded tasks like clockwork to automate almost the whole process. I'll start with small, simple snippets. If people want to make comments on techniques that have worked for them that are related to wifi cracking/reaver/gpu-cracking, please, for example, post your reaver commands. If anyone has seen mdk3 attacks work to reset routers, make comments on this as well.
i8igmac (Author) Posted March 3, 2019
6 hours ago, Bigbiz said: Mdk3 is awesome.
With mdk3 I'll run some tests, maybe tonight, to see what router models can be forced to reboot and unlock the wps pin module to allow for further progress of pin attempts... I'm excited to post some example code and explanation of my techniques.
Just_a_User Posted March 3, 2019
3 hours ago, i8igmac said: with mdk3
Looking forward to reading more! BTW, did you already have a play with mdk4? I have been playing with it on my tetra and have had some pretty good results.
i8igmac (Author) Posted March 4, 2019
21 hours ago, Just_a_User said: Looking forward to reading more! BTW, did you already have a play with mdk4? I have been playing with it on my tetra and have had some pretty good results.
I forgot there was v4. Last night I captured some handshakes and converted them to hccapx with hashcat-utils. Wordlist suggestions: phone numbers with crunch, I have had success before. I'll make a mobile RaspPi wps-pin-brute/handshake-grabber, a multithreaded automated solution.
Just_a_User Posted March 6, 2019
3 hours ago, Bigbiz said: murder death kill?
yes
i8igmac (Author) Posted March 8, 2019
Has anyone tried wpatools? I had some success with this wordlist.. The most success I had was with crunch and phone numbers. Old people use their phone for wifi passwords:
crunch 10 10 -t 253%%%%%%% | hashcat64.bin -m 2500 out.hccap
I'll make a video of the process this weekend. The whole process, starting from capturing a handshake, gpu cracking, manual configuration of wpa_supplicant config, authenticating with wpa_cli using the passphrase, and then a failed attempt to brute force the router admin page...
icarus255 Posted March 11, 2019
On 3/8/2019 at 9:00 PM, i8igmac said: The most success I had was with crunch and phone numbers. Old people use their phone for wifi passwords
This is not just an old people thing. A lot of ISPs (at least here in Australia anyway) use phone numbers as default wifi passes for the 3G and 4G modems (and many others). And yes, I agree, this is a great way to start your brute forcing.
On 3/8/2019 at 9:00 PM, i8igmac said: crunch 10 10 -t 253%%%%%%% | hashcat64.bin -m 2500 out.hccap
You don't need to pipe this through crunch though. You can use hashcat's mask generator 😉
hashcat64.bin -a 3 -m 2500 TelstraA84A9F.hccapx 253?d?d?d?d?d?d?d
(this will generate 7 random numbers following "253", which presumably you know). A lot of the netgear modem/routers use a combination of adjective+noun+XXX (where XXX is 3 random digits), e.g. "luckybanana437". I had a list specific to netgear's factory passes somewhere, so let me know if you want me to find it and I will upload it somewhere. Netgear Arlo base stations used this for their camera systems as well 😄 10 random hex chars is another favourite default pass, but that can become unmanageable unless you have multiple GPUs or some really neat rules to minimise the cracking time. I guess it's worth mentioning that rockyou.txt gets a few hits every once in a while as well. Most people never change their default passes, so bottom line: doing a bit of research at the start will save you a LOT of brute forcing time down the track 😉
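The posts above describe several default-passphrase formats (a phone number with a known 3-digit prefix, adjective+noun+3 digits, 10 random hex characters) and give the hashcat mask for the first one. The script below is an added example written for this thread in Ruby, the language the original poster says he automates in; it is not code from any poster or tool. It audits a candidate Wi-Fi passphrase from the defender's side: it reports which of those known-weak formats the passphrase matches, the size of the keyspace the corresponding hashcat mask would have to cover, and how long a full search would take at a guess rate the caller supplies. The adjective and noun lists are constructed placeholders, not the netgear list mentioned above, and the 100,000 guesses-per-second figure is an assumption for illustration only.

```ruby
# Added example for this thread (not from any poster or from hashcat/crunch):
# check a Wi-Fi passphrase against the weak default formats discussed above and
# estimate how long an offline WPA2 search of that keyspace would take.

# Constructed placeholder word lists; a real audit would load the vendor-specific
# default-password lists the posters refer to.
ADJECTIVES = %w[lucky happy silly quiet brave].freeze
NOUNS      = %w[banana apple river cloud stone].freeze

# Each pattern: a label, a regex that recognises the format, and the keyspace an
# exhaustive search of the matching hashcat mask would have to cover.
PATTERNS = [
  { name: 'phone number with known 3-digit prefix (mask 253?d?d?d?d?d?d?d)',
    regex: /\A253\d{7}\z/, keyspace: 10**7 },
  { name: 'adjective+noun+3 digits (e.g. luckybanana437)',
    regex: /\A(#{ADJECTIVES.join('|')})(#{NOUNS.join('|')})\d{3}\z/,
    keyspace: ADJECTIVES.size * NOUNS.size * 10**3 },
  { name: '10 lowercase hex characters (mask ?h?h?h?h?h?h?h?h?h?h)',
    regex: /\A[0-9a-f]{10}\z/, keyspace: 16**10 },
].freeze

# Returns the first pattern the passphrase matches, or nil if it looks like
# none of the known defaults.
def classify(passphrase)
  PATTERNS.find { |p| passphrase.match?(p[:regex]) }
end

# Seconds needed to try every candidate in a keyspace at a given rate.
def seconds_to_exhaust(keyspace, guesses_per_second)
  keyspace.to_f / guesses_per_second
end

# One audit line per passphrase. The rate is supplied by the caller because
# WPA2 guess rates vary widely between GPUs.
def audit(passphrase, guesses_per_second)
  p = classify(passphrase)
  return "#{passphrase}: no known default pattern matched" if p.nil?

  secs = seconds_to_exhaust(p[:keyspace], guesses_per_second)
  format('%s: matches %s; keyspace %d; full search %.1f hours at %d H/s',
         passphrase, p[:name], p[:keyspace], secs / 3600.0, guesses_per_second)
end

if __FILE__ == $PROGRAM_NAME
  rate = 100_000 # assumed guesses per second, for illustration only
  %w[2531234567 luckybanana437 a1b2c3d4e5 CorrectHorseBattery9].each do |pw|
    puts audit(pw, rate)
  end
end
```

The numbers make the point of the thread concrete: at the assumed rate, the phone-number mask (10^7 candidates) is exhausted in under two minutes, the small adjective+noun list in seconds, while the 10-hex-character format (16^10 candidates) would take years on the same hardware, which is why the post above calls it unmanageable without many GPUs. Any passphrase that matches one of these patterns should be replaced rather than kept as shipped.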
i8igmac (Author) Posted March 11, 2019
Yah, the pipe lol. Wpatools has a lot of wordlists for default routers like netgear. 1800 numbers are also a default set by the ISP. I would suggest phone numbers and 1800 numbers first for a quick check.
Bigbiz Posted March 12, 2019
My default password on my router consisted of 15 numbers. I'd like to think piping crunch into aircrack would be a good way to crack if you can get around aircrack's high CPU usage. I thought 32 GB of RAM would speed up the crack; turns out if it only runs at a certain freq. then it's like limited to a certain speed. Oh well, back to the drawing board as they say.
i8igmac (Author) Posted March 12, 2019
I have been messing with some RAM tweaks. If you had 30 gigs of RAM free, your system can boot to RAM with the remaining 2 gigs. Store a 30 gig wordlist in RAM, run it in hashcat64.bin... I only have a machine with 8 gigs of RAM. I'll run some performance tests on my machines. A Kali or Linux Mint bootable USB stick with the boot parameter 'toram'.
botjack854 Posted October 31, 2019
I'd sure appreciate it if you found that netgear router wordlist!! Because in the west USA there's a whole bunch of netgear routers still with that exact password format. Thanks either way!