17

I'm trying to hack my own WPA2 network for learning purposes.

I have the *.cap file generated by aircrack-ng tools after a WPA handshake.

I've tested by including my own password and a bunch of incorrect passwords in a wordlist, and aircrack-ng cracks it successfully. My password is 10 characters long, only uppercase letters and numbers, so I tried generating a wordlist with crunch (10 characters long, uppercase and numbers only):

$ crunch 10 10 -f charset.lst ualpha-numeric -o wordlist.txt

But crunch's size estimate was stunning:

Crunch will now generate the following amount of data: 40217742840692736 bytes
38354628411 MB
37455691 GB
36577 TB
35 PB
Crunch will now generate the following number of lines: 3656158440062976

The wordlist is incredibly big, and I generated it having clues about the length and characters involved. If I didn't know that, it'd be even bigger.

I guess I now believe that brute-force attacks on non-trivial passwords are impossible, at least with pre-generated wordlists.

Is there a way to let aircrack-ng incrementally crack the password with a given length and charset?

What other sane options do I have to attack my password?

jviotti

5 Answers

19

I'd look at oclHashcat, as it lets you brute force with specific character sets and doesn't need to generate the list beforehand.

I'm not sure what you mean by "incrementally"; however, if you mean stopping and starting, OHC will let you do that.

In terms of cracking WPA2, you've got 3 options.

  1. Dictionary attacks
  2. Reaver attack against WPS (most successful option in majority of cases)
  3. Taking a wrench to the person and beating their password out of them

Ok, perhaps two options if you're not really wanting that password.

Brute force, unless you know a lot about the password and it's incredibly stupid (i.e. you know for certain it's an 8-character set of numbers), is going to be a non-starter.

Don't forget, strictly speaking there "shouldn't" be a way to break the password, so if none of these options seem viable, it just means you've got decent security. There may not be an answer as to how you can do it.

Peleus
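The mask attack this answer points at, written out as an added example (not code from the original thread or from the hashcat project; oclHashcat was folded into plain hashcat in 2015, so the binary is now just `hashcat`). It targets the questioner's password shape, 10 characters of uppercase letters and digits, and assumes two file names, handshake.cap (the aircrack-ng capture) and handshake.hc22000 (its converted form); adjust them to your own files. hashcat expands the mask itself, so nothing is written to disk, and the named session is what makes stopping and restarting work.

```shell
#!/bin/sh
# Added example, not from the original thread or the hashcat project: a mask
# attack against the question's password shape (10 characters, uppercase
# letters and digits). hashcat enumerates the mask itself, so no wordlist is
# ever written. Assumed file names: handshake.cap (the aircrack-ng capture)
# and handshake.hc22000 (its converted form); adjust to your own files.
set -e

CAP=handshake.cap
HASH=handshake.hc22000

# build_mask LENGTH -> a mask of LENGTH positions, each drawn from custom
# charset 1 (defined on the command line as -1 '?u?d': uppercase + digits).
build_mask() {
    mask=""
    i=0
    while [ "$i" -lt "$1" ]; do
        mask="${mask}?1"
        i=$((i + 1))
    done
    echo "$mask"
}

MASK=$(build_mask 10)    # ?1?1?1?1?1?1?1?1?1?1

if [ -f "$CAP" ] && command -v hcxpcapngtool >/dev/null 2>&1 \
   && command -v hashcat >/dev/null 2>&1; then
    # 1. Convert the capture to hashcat's 22000 format (EAPOL handshakes and
    #    PMKIDs), which replaces the older -m 2500 .hccapx route.
    hcxpcapngtool -o "$HASH" "$CAP"

    # 2. Count the work before committing GPU time. --keyspace reports
    #    hashcat's own work-unit count, which is smaller than 36^10 because
    #    part of the mask is expanded on the device.
    hashcat --keyspace -m 22000 -a 3 -1 '?u?d' "$MASK"

    # 3. Run as a named session so it can be interrupted and resumed with
    #    `hashcat --session wpa10 --restore`. --increment walks lengths 8..10,
    #    cheapest first, in case the length guess is wrong.
    hashcat -m 22000 -a 3 -1 '?u?d' --session wpa10 \
        --increment --increment-min 8 --increment-max 10 \
        "$HASH" "$MASK"
else
    echo "capture or tools missing; the mask would have been: $MASK" >&2
fi
```

Run `hashcat --keyspace` first and multiply by the H/s figure from `hashcat -b -m 22000` on your own hardware; if the result is decades, the mask is telling you the same thing crunch's byte count did, and narrowing it (a known prefix, a fixed position) is the only thing that changes the answer.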
2
john --stdout --incremental:all | aircrack-ng -e ESSID -w - /home/user/input_wpa.cap

Edit the john conf file to change from 8 to 10

Adi
Anon
    Nice solution. I have "solved" this previously using named pipes to generate wordlists on the fly with john: used mkfifo /tmp/named_pipe ; john --stdout --incremental:all > /tmp/named_pipe & aircrack-ng -e ESSID -w /tmp/named_pipe wpa.cap – Dog eat cat world Aug 29 '14 at 10:25
1

I'm currently developing similar technologies. Aircrack-ng really is brilliant although it does have some limitations.

I have also attempted a brute force on my own wifi using crunch to generate passwords, and my findings are as follows:

  • You can pipe crunch directly into Aircrack-ng to eliminate the need to create a .txt file and use it simultaneously, saving you processing power to perform calculations. The syntax for this method in bash is as follows:

./crunch <min> <max> <charset> -t <known-prefix>@@@ | aircrack-ng -b [bssid] -w - [.cap file]

(stick to 8 for both lengths for now; the charset is something like abcd1234; -t with a known prefix followed by @ placeholders lets you give a partial password)

Here you can see the standard format for piping into aircrack-ng and some simple options.

Here is a working copy you can paste into a terminal (below); I'll talk you through it a little.

From left to right:

  1. The name of the command, crunch; if this doesn't work straight away, force execution by starting with ./crunch.
  2. 8 8 is the max and min chars you're going to need, as I'm sure you already know.
  3. Then a pipe symbol. This feeds the output directly into the file that aircrack-ng is going to use as a dictionary.
  4. Fill in the BSSID as you already know how to do, in this format, once your handshake has been established.

WORKING COPY:

crunch 8 8 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ -t 97KQA@@@ | aircrack-ng -b 78:54:2E:28:E7:86 -w - thehak-01.cap

THE PROBLEM WITH THIS METHOD:

Using a permutation equation and an expected 1000 combinations per second (this is what my actual output is), I have calculated that testing each of the generated combinations will take 77.8 years.

Ladadadada
    This post is a bit of a mess. I started to edit it into shape but soon got lost with not being able to figure out what belongs together. Can you please clean it up to use code blocks, where appropriate, better formatting, punctuation, and other types of readable grammar? – Scott Pack Oct 29 '13 at 20:37
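The two size estimates in this thread, crunch's byte count in the question and the time-to-exhaust figure in the answer above, are both a few lines of integer arithmetic. The following added example (not code from the original thread) reproduces them in POSIX shell so the numbers can be checked before anything is written to disk or piped into aircrack-ng. The 1000/s rate is the one quoted above; the 500000/s rate is an assumed figure for a GPU doing WPA2 PBKDF2, not a measurement.

```shell
#!/bin/sh
# Added example, not code from the original thread: reproduce crunch's size
# estimate and the time-to-exhaust figure with nothing but POSIX shell
# arithmetic, so the numbers can be checked before anything is written to disk.
# Shell integers are 64-bit on common shells; 36^12 still fits, 36^13 does not.

# keyspace CHARSET_SIZE LENGTH -> number of candidates (CHARSET_SIZE^LENGTH)
keyspace() {
    n=1
    i=0
    while [ "$i" -lt "$2" ]; do
        n=$((n * $1))
        i=$((i + 1))
    done
    echo "$n"
}

# wordlist_bytes CHARSET_SIZE LENGTH -> bytes crunch would write: every
# candidate is LENGTH characters plus one newline, which is what crunch's
# "amount of data" line reports.
wordlist_bytes() {
    echo $(( $(keyspace "$1" "$2") * ($2 + 1) ))
}

# seconds_to_exhaust CANDIDATES RATE_PER_SECOND -> whole seconds to try them all
seconds_to_exhaust() {
    echo $(( $1 / $2 ))
}

# years_to_exhaust CANDIDATES RATE_PER_SECOND -> whole years
# (31557600 seconds in a 365.25-day year)
years_to_exhaust() {
    echo $(( $1 / $2 / 31557600 ))
}

# The question's case: 26 uppercase letters + 10 digits, length 10.
ALL10=$(keyspace 36 10)
echo "36^10 candidates:       $ALL10"
echo "crunch output bytes:    $(wordlist_bytes 36 10)"
# 1000/s is the CPU rate quoted in the thread; 500000/s is an assumed
# ballpark for a single GPU on WPA2, not a measured figure.
echo "years at 1000/s:        $(years_to_exhaust "$ALL10" 1000)"
echo "years at 500000/s:      $(years_to_exhaust "$ALL10" 500000)"

# The 8-character run in the answer above, unconstrained (36^8) and with
# crunch -t 97KQA@@@, where only the three @ positions are enumerated.
ALL8=$(keyspace 36 8)
FREE3=$(keyspace 36 3)
echo "36^8 candidates:        $ALL8"
echo "years at 1000/s:        $(years_to_exhaust "$ALL8" 1000)"
echo "36^3 candidates:        $FREE3"
echo "seconds at 1000/s:      $(seconds_to_exhaust "$FREE3" 1000)"
```

The byte figure comes out identical to crunch's (each candidate plus its newline), which is a quick sanity check that the charset and length you think you asked for are the ones crunch is enumerating. Plugging your own measured rate into `years_to_exhaust` before starting a run is the check that tells you whether a pattern or a shorter length is needed.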
1

You could try using John the Ripper to generate the passwords and then pipe them to Aircrack-ng. John has a mode called INCREMENTAL where you can define what type of passwords it generates; you don't have to store them in a file as you are piping them to aircrack, and it has resume capabilities.

briankip
-3

This thread is from a year or two ago, but I would recommend using reaver.

reaver -i <your interface, e.g. wlan0mon> -b <BSSID / MAC address> -vv

It might take a few hours (4 - 12 possibly), but getting the password with a wordlist is extremely lucky with WPA2.

If you get a rate-limiting error, try

reaver -i wlan0mon -b <BSSID / MAC address> -d 30 -vv --dh-small

If you still get the rate-limiting error, don't bother; move on. Although, never give up.

schroeder