1

I am trying to achieve a very specific pattern with crunch. The Wireless Router I use has a very specific Pattern used for the default Password generated by my Provider. I want to create a wordlist or at least Pipe it through to aircrack-ng with the following pattern:

xxxx-xxxx-xxxx-xxxx

The x's represent 4 multialpha-numeric characters spaced by dashes. I read through several help sites and the manpage of Crunch but just can't figure out to get to this pattern. Is it even possible? It is very confusing.

I tried using -t ++++-++++-++++-++++ which gave me one result.

Royce Williams
  • 9,128
  • 1
  • 31
  • 55
Nick Müller
  • 13
  • 3
  • If mixed case, this is 62^16, which is ... large, even if it wasn't WPA. Also, what are you feeding the list to? It may be more efficient (faster attack) to use that tool to generate the permutations directly. – Royce Williams Nov 22 '18 at 04:30
  • I am going to pipe crunch to Aircrack-ng. I am aware that this will take a really long time to achieve but my goal is to learn how to create different patterns for future use. The ethical hacking course only covers crunch briefly. – Nick Müller Nov 22 '18 at 09:59

1 Answers1

1

You have to use an externally-specified character set:

$ egrep 'mixalpha-numeric ' charset.lst 
mixalpha-numeric           = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]

$ crunch 19 19 -f charset.lst mixalpha-numeric -t @@@@-@@@@-@@@@-@@@@
Crunch will now generate the following amount of data: 2577832796941975552 bytes
2458412930433 MB
2400793877 GB
2344525 TB
2289 PB
Crunch will now generate the following number of lines: 16730961306185695232

I think crunch's math is off a bit there - Wolfram Alpha tells me that 62^16 is 10^28, which is 47672401706823533450263330816 (which is quite a bit bigger - 10^28 combinations)

Either way, it should be obvious that this wordlist, applied to WPA2, will not exhaust in your lifetime.

For faster hashes with smaller keyspaces, generating the candidates on-GPU (with something like hashcat or John the Ripper, which allow you to specify the mask for generation directly on-GPU), would be much faster. But for WPA2 it's probably slow enough that it won't make a difference.

Royce Williams
  • 9,128
  • 1
  • 31
  • 55
  • Thank you very much. This helped me a lot. Instead of creating a charset, I simply chose the charset from rainbowcrack already available in kali. What actually had me confused was that @ was a substitute for lower case characters so i couldn‘t figure out how to define mixalpha-numeric chars. – Nick Müller Nov 22 '18 at 10:05
  • Yeah, they don't make it very clear that you can use it as a general substitution character when you're using a predefined custom character set. – Royce Williams Nov 22 '18 at 16:27